Placing Conditional Disclosure of Secrets in the Communication Complexity Universe

In the conditional disclosure of secrets (CDS) problem (Gertner et al. in J Comput Syst Sci, 2000) Alice and Bob, who hold n-bit inputs x and y respectively, wish to release a common secret z to Carol, who knows both x and y, if and only if the input (x, y) satisfies some predefined predicate f. Alice and Bob are allowed to send a single message to Carol which may depend on their inputs and some shared randomness, and the goal is to minimize the communication complexity while providing information-theoretic security. Despite the growing interest in this model, very few lower-bounds are known. In this paper, we relate the CDS complexity of a predicate f to its communication complexity under various communication games. For several basic predicates our results yield tight, or almost tight, lower-bounds of Ω(n)\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\Omega (n)$$\end{document} or Ω(n1-ϵ)\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\Omega (n^{1-\epsilon })$$\end{document}, providing an exponential improvement over previous logarithmic lower-bounds. We also define new communication complexity classes that correspond to different variants of the CDS model and study the relations between them and their complements. Notably, we show that allowing for imperfect correctness can significantly reduce communication—a seemingly new phenomenon in the context of information-theoretic cryptography. Finally, our results show that proving explicit super-logarithmic lower-bounds for imperfect CDS protocols is a necessary step towards proving explicit lower-bounds against the communication complexity class AMcc\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\text {AM}^{\text {cc}}$$\end{document}, or even AMcc∩co-AMcc\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\text {AM}^{\text {cc}}\cap \text {co-AM}^{\text {cc}}$$\end{document}—a well known open problem in the theory of communication complexity. Thus imperfect CDS forms a new minimal class which is placed just beyond the boundaries of the “civilized” part of the communication complexity world for which explicit lower-bounds are known.


Introduction
Understanding the communication complexity of information-theoretically secure protocols is a fundamental research problem.Despite much effort, we have very little understanding of the communication complexity of even simple cryptographic tasks, and for most models, there are exponentially large gaps between the best known upper-bounds and the best known lower-bounds.In an attempt to simplify the problem, one may try to focus on the most basic settings with a minimal non-trivial number of players (say two or three) and the simplest possible communication pattern (e.g., single message protocols).Different cryptographic tasks have been studied in this minimal setting, including secure computation [17], and non-interactive zero-knowledge proofs [23].In this paper we will focus on what seems to be the simplest task in this model: Conditional Disclosure of Secrets (CDS) [20].3

Conditional Disclosure of Secrets
Consider a pair of computationally unbounded parties, Alice and Bob, each holding an input, x ∈ X and y ∈ Y respectively, to some public predicate f : X × Y → {0, 1}.Alice and Bob also hold a joint secret z (say a single bit) and have access to a joint source of randomness r R ← R. The parties wish to disclose the secret z to a third party, Carol, if and only if the predicate f (x, y) evaluates to 1.To this end, Alice and Bob should each send a single message a = a(x, z; r) and b = b(y, z; r) to Carol.Based on the transcript (a, b) and the inputs (x, y), Carol should be able to recover the secret z if and only if f (x, y) = 1.(Note that Carol is assumed to know x and y.)That is, we require two properties: Correctness: There exists a deterministic decoder algorithm Dec that recovers z from (x, y, a, b) with high probability whenever x, y is a 1-input (i.e., f (x, y) = 1); Privacy: For every fixed 0-input (x, y) (for which the predicate evaluates to 0), regardless of the value of the secret z, the joint distribution of the transcript (a, b), induced by a choice of the shared randomness, is statistically close (up to some small deviation error) to some canonical distribution Sim(x, y).
The main complexity measure of CDS protocols is their communication complexity which is taken to be the total bit-length of the messages a and b. (See Figure 1 for a schematic view and Section A for formal definitions.)Apart from being a natural basic notion, CDS has turned out to be a useful primitive with various applications in the context of private information retrieval (PIR) [20], secure multiparty computation [1,25], secret sharing schemes [14,15,36,31,11,2,29], and attribute-based encryption [7,37].Correspondingly, the communication complexity of CDS was extensively studied in the last few years.

Upper bounds
On the positive side, it is known that the CDS complexity of a predicate f is at most linear in the formula complexity of f [20].This result was extended to other (presumably stronger) computational models such as (arithmetic) branching programs [26], and (arithmetic) span programs [5].The latter paper also shows that the CDS complexity of f is at most linear in the complexity of any zero-information Arthur Merlin (ZAM) protocol for f .(The ZAM model, introduced by [23], adds a zero-knowledge property to the standard AM communication complexity model.) 4 In a recent breakthrough, Liu, Vaikuntanathan and Wee [30] showed that the CDS complexity of any predicate f : , improving over the exponential upper-bound of O(2 n/2 ) from [10].Applebaum et al. [3] showed that when the secret is very long (exponential in the size of the domain of the predicate) the overhead per each bit of z can be reduced to O(n); a constant-rate solution (in which the total communication is O(|z|)) was recently given in [2].

The quest for lower bounds
On the lower-bound front much less is known.While we have tight lower bounds for restricted forms of CDS (e.g., when the computations are restricted to linear functions [19,9,12]), only few, relatively weak, lower-bounds are known for general CDS.It is important to note that an insecure solution to the problem has a communication cost of 1 bit! (Let Alice send the secret in the clear regardless of her input.)Hence, any super-constant lower-bound is, in a sense, non-trivial.Indeed, unlike the case of standard communication games for which communication lower-bounds are based on the correctness properties of the protocol, the challenge here is to somehow capture the additional cost of privacy.
The first super-constant lower-bound was proved by Gay, Kerenidis, and Wee [19].
Theorem 1 ([19]).For every predicate f : where R A→B (f ) denotes the one-way randomized communication complexity of f , and CDS(f ) denotes the minimal communication complexity of a CDS protocol for f with privacy and correctness error of 0.1.5 For n-bits predicates, Theorem 1 leads, at best, to a logarithmic lower-bound of Ω(log n).Applebaum et al.. [3] showed that this bound is essentially tight: There are (partial) functions whose randomized communication complexity is exponentially larger than their CDS complexity.They also proved a linear n-bit lower-bound for a random (non-explicit) n-bit predicate f : {0, 1} n × {0, 1} n → {0, 1}.An explicit version of this result was proved by [4].
Theorem 2 ([4]).For every non-degenerate predicate6 f : X × Y → {0, 1} whose largest 0-monochromatic rectangle is of size at most L, where pCDS(f ) denotes the minimal communication complexity of a CDS protocol for f with perfect privacy and perfect correctness.
The theorem is effective for predicates whose communication matrix is rich in zeroes, and at the same time avoids large zero-monochromatic rectangles.In particular, for mod-2 inner product over n-bit inputs, we get a tight lower-bound of n − O(1) and for Set-Intersection a lower-bound of Ω(n).Unfortunately, the theorem is not robust to errors, leaving the imperfect CDS complexity of these predicates wide open.Moreover, for many basic predicates the theorem does not even give logarithmic bounds either due to the lack of many zeroes (e.g., the Not-Equal predicate) or due to the existence of huge zero-rectangles (e.g., the Greater-Than predicate).

This paper
Theorems 1 and 2 provide a very partial picture, and fall short of proving meaningful and robust lower-bounds for many basic predicates, such as Not-equal, Greater-Than, Intersection, and Index. 7We believe that a full understanding of these simple cases is necessary for the more ambitious goal of proving stronger lower bounds.Our goal in this paper is to remedy the situation by providing new lower-bound techniques.Specifically, we enrich our lower-bound toolbox by relating the CDS complexity of a function to its communication complexity under various communication games.Our results provide simple, yet effective, ways to leverage privacy to construct communication protocols.They lead to new lower-bounds for perfect and imperfect CDS protocols, and allow us to establish new results regarding the relations between different variants of the CDS model.

Perfectly-correct CDS and coNP Games
Our first theorem relates the complexity of any perfectly-correct CDS protocol for f to the non-deterministic communication complexity of f 's complement.
where n denotes the total input length of f , and pcCDS(f ) denotes the minimal communication complexity of a CDS protocol for f with perfect correctness and privacy error of 0.1.

Proof idea
To prove the theorem, we first show that the coNP complexity is upper-bounded by the randomness complexity of the CDS, and then prove that one can always assume that the randomness complexity is comparable to the communication complexity via a new sparsification lemma (similar to that of Newman [33]).The first part relies on the following simple observation: In order to convince Alice and Bob that f (x, y) evaluates to zero it suffices to prove that the joint distribution of the CDS messages for zero-secret, (a(x, z = 0; r), b(y, z = 0; r)), induced by a random choice of r, and the joint distribution of the messages for onesecret (a(x, z = 1; r), b(y, z = 1; r)), are not disjoint.A prover can prove this statement by sending to Alice and Bob a pair of strings r 0 and r 1 for which (a(x, z = 0; r 0 ), b(y, z = 0; r 0 )) equals to (a(x, z = 1; r 1 ), b(y, z = 1; r 1 )).(See full version [6] for details.)Despite its simplicity, this theorem is quite powerful.In particular, ignoring the constants in the Omega-notation and the logarithmic loss, the bound provided by Theorem 3 subsumes the lower-bound of Theorem 2 from [4].Indeed, the latter lower-bound is at most the logarithm of the ratio between the zero-mass of f and its largest zero-monochromatic rectangle -a quantity that cannot be larger than the non-deterministic communication complexity of the complement of f (i.e., coNP(f )).Moreover, our new theorem can be applied to predicates that have only few zero entries or to predicates with huge zero-rectangles, for which Theorem 2 becomes meaningless.For example, by plugging-in classical coNP lower-bounds, we settle the complexity of the not-equal predicate with respect to perfectly correct CDS protocols.
Similar tight linear lower-bounds can be obtained for the pcCDS complexity of the Greater-Than predicate, the Set-Intersection predicate, and the Inner-Product predicate.Previously, we had no super-logarithmic lower bounds that tolerate privacy error.(As already mentioned, for Greater-Than and NEQ n , we did not have such bounds even for perfect CDS protocols.)

pcCDS is not closed under complement
Interestingly, the equality function EQ n has a very succinct perfect CDS protocol: Use the shared randomness to sample a pair-wise independent hash function h : {0, 1} n → {0, 1}, and let Alice output h(x) and Bob output h(y) ⊕ z.The protocol has a minimal communication complexity of 2 and randomness complexity of O(n).(The latter can be reduced to O(log n) by using an almost pair-wise independent hash function and settling for a constant privacy error.)This yields a strong separation between the complexity of a predicate and its complement with respect to perfectly-correct perfectly-private CDS protocols (pCDS).
In particular, the classes pCDS and pcCDS are not closed under complement. 8ransformations from CDS protocols for f to its complement were studied in [3].The resulting protocols either introduce a privacy error or suffer from a communication overhead that grows polynomially with the randomness complexity of the original protocol.The NEQ n example shows that at least one of these losses is inherent.

4:6
Placing CDS in the Communication Complexity universe

The benefit of decoding errors
The results of [3] (together with our randomness sparsification lemma) show that imperfect CDS is closed under complement.This general result leads to a polylogarithmic CDS protocol for NEQ n with imperfect privacy and imperfect correctness, providing a surprising separation between general imperfect CDS protocols and ones which have perfect correctness.In fact, it is not hard to directly design a CDS protocol for NEQ n with constant communication, perfect privacy, and constant correctness error.(See the full version [6] for a more general statement.)This leads to the following stronger separation.

Corollary 6.
There is an n-bit predicate f for which pcCDS(f ) = Ω(n) and ppCDS(f ) = O (1), where ppCDS(f ) denotes the minimal communication complexity of a CDS protocol for f with perfect privacy and correctness error of 0.1.In particular, ppCDS ⊆ pcCDS.
As pointed to us by Hoteck Wee, Corollary 6 provides a rare example for an informationtheoretic secure protocol that can significantly benefit from a small correctness error.This phenomena seems new in the context of information-theoretic secure cryptography, and is worth further exploration.9

Perfectly-Private CDS and PP Games
Our next goal is to lower-bound the complexity of CDS protocols with correctness errors.We begin with the case of perfectly private protocols.

Theorem 7. For every predicate
where n denotes the total input length of f , and ppCDS(f ) denotes the minimal communication complexity of a CDS protocol for f with perfect privacy and correctness error of 0.1.
The complexity measure PP(f ) essentially corresponds to the sum of the communication complexity and number of private random bits used by a communication protocol that computes f correctly with probability more than 1/2, where shared randomness is not allowed.(See the full version [6] for a formal definition.)The discrepancy method implies that the PP complexity of the mod-2 inner-product predicate IP n is Ω(n) (cf.[28]) and so we get the following.

Corollary 8. Let IP
This is the first linear lower-bound on CDS with imperfect correctness.(Previous arguments fail to achieve such a result even for a non-explicit predicate.)

Proof idea
In order to prove Theorem 7, we turn a ppCDS protocol into a PP protocol.Loosely speaking, the idea is to construct a randomized protocol that accepts the input (x, y) based on collisions between random CDS transcripts that correspond to a zero-secret and random CDS transcripts that correspond to a one-secret.This idea, which was employed in the query setting by [13], leads to the desired result.(Details appear in the full version [6].)

Imperfect CDS, Interactive Proofs, and Zero Knowledge
We move on the most general case of imperfect CDS protocols with both constant privacy error and correctness error.We show that the complexity of such protocols is at least polynomial in the AM communication complexity of f .(The latter class is the communication complexity analogue of Arthur-Merlin proofs.)Theorem 9.There exists some universal constant c > 0, such that for any Boolean function f it holds that where n denotes the total input length of f , and CDS(f ) denotes the minimal communication complexity of a CDS protocol for f with correctness and privacy errors of 0.1.Since (imperfect) CDS is closed under complement (by [3, Theorem 2] and [6, Lemma 1]), it holds that CDS( f ) ≤ poly(CDS(f )), and so we conclude the following.
Corollary 10.There exists some universal constant c > 0, such that for any Boolean function f it holds that where n denotes the total input length of f .

Explicit CDS lower-bounds?
Corollary 10 can be used to show that the CDS complexity of most n-bit predicates must be at least polynomial in n, even when the protocol is imperfect.Unfortunately, it falls short of providing explicit lower-bounds; Finding an explicit function outside AM ∩ coAM is a central open problem in the theory of communication complexity.In fact, AM ∩ coAM forms a minimal class for which no explicit lower-bounds are known [24].Corollary 10 places CDS as a weaker (and perhaps more accessible) target for explicit lower-bounds.

Proof idea
To prove Theorem 9 we show that a CDS protocol can be transformed into a constant-round private-coins interactive-proof.Then, we note that, just like in the computational setting, such interactive proofs can be converted to an AM protocol with polynomial overhead [8,22]. 10The first step is obtained by imitating the standard interactive proof of Graph Nonisomorphism [21].Indeed, the AM protocol constructed in Theorem 9 turns out to satisfy a statistical zeroknowledge property; That is, the view of Alice and Bob can be simulated via a low complexity 2-party randomized protocol.(See the full version [6] for details.)

CDS vs. SZK
Recall that, by definition, a CDS protocol yields a (distributed mapping) from the input (x, y) and the secret z to a distribution D z over the transcript (a, b) such that the distributions, D 0 and D 1 , are either statistically-close or statistically-far depending on the value of f (x, y).This resembles the Statistical Difference problem [34], which is known to be complete for the computational complexity class SZK (consisting of problems that have interactive proofs that are statistically zero-knowledge).One may therefore hope to prove that in the communication complexity setting CDS complexity is characterized by SZK complexity.As already mentioned, Theorem 9 actually shows that CDS ⊆ SZK, however, we do not know whether the reverse direction holds.Roughly speaking, such a result faces two obstacles.Firstly, the completeness result from [34] has an overhead that depends on the randomness complexity of the protocol, and we do not know how to get rid of this dependency.(In particular, it is not clear how to prove a proper sparsification lemma for SZK without sacrificing the zero-knowledge property.)Secondly, even if the randomness complexity is small, we do not know how to obtain a CDS protocol without allowing some interaction between Alice and Bob.Indeed, in the full version [6] we show that SZK ⊆ CDS where the "prime" version of SZK charges randomness towards the total complexity and the "prime" version of CDS allows short interaction between Alice and Bob.The problem of proving that SZK ⊆ CDS (and therefore SZK = CDS) remains as an interesting open problem.
The results described so far are summarised in Figure 2, which shows the relationship between perfect and imperfect CDS and various measures from communication complexity.In Table 1, we list the current state of knowledge of the various CDS complexities of a number of commonly studied predicates.(See Section 3.)

Asymmetry in CDS and One-Way Communication
We shift gears, and turn to study the communication tradeoffs between Alice's and Bob's messages.Suppose that Alice's message is restricted to a short string of length t A .Can we prove that Bob's message must be very long?We prove such tradeoffs based on the one-way randomized communication complexity of f .Theorem 11.In any perfectly correct 0.1-private CDS protocol for f in which Alice and Bob communicate t A and t B bits respectively and the total input length of the function is n, it holds that: (In fact, the result holds even if one considers one-way randomized protocols that err only over zero inputs.)Recall that Theorem 1 (which is from [19]) shows that the total communication complexity t A + t B is at least logarithmic in (R A→B (f ) + R B→A (f )), which is tight for some predicates [3].Theorem 11 provides a more accurate picture.If the total communication complexity is dominated by t A , then one gets a logarithmic bound, similar to Theorem 1; however, when t A is small (e.g., constant), we get a strong linear lower-bound of

4:9
Concretely, consider the Index n predicate in which Bob holds an n-bit database x ∈ {0, 1} n and Alice holds an index i ∈ [n] (encoded as a string of length log n) and the output is the i-th bit of x.Since R B→A (Index n ) = Ω(n) [27] we get: Corollary 12.In any perfectly correct 0.1-private CDS protocol for Index n in which Alice communicates at most α log n + O(1) bits for some constant 0 ≤ α < 1, the database owner, Bob, must communicate at least Ω(n 1−α ) bits.
Similar results can be obtained for predicates like Greater-Than, Set-Disjointness and Set-Intersection, based on classical lower-bounds for randomized one-way communication complexity (cf.[32,27]).
The Index n predicate plays an role in CDS constructions and applications.First, it is complete for CDS in the sense that any n-bit predicate can be reduced to Index N for N = 2 n .Indeed, the best known general CDS protocols were obtained by improving the pCDS complexity of Index [30].In addition, a CDS for the index function can be viewed as a one-time version of the well-studied notion of Broadcast Encryption, and the lower-bound of Corollary 12 becomes especially appealing under this framework.Details follow.

Broadcast Encryption [18]
Suppose that we have a single sender and n receivers.The sender has a private encryption key r and each receiver i ∈ [n] has its own private decryption key k i .All the keys were collectively generated and distributed in an offline phase.In an online phase, the sender gets a message z together with a public list of authorized users y ⊆ [n], represented by an n-bit characteristic vector.The sender should broadcast a ciphertext b = b(y, z; r) to all the receivers (who also know y) so that an authorized receiver will be able to decrypt the ciphertext, and an unauthorized (computationally unbounded) receiver will learn nothing about the message z.The goal is to minimize the length of the ciphertext b, and the length of the keys k i .
Information-theoretic one-time secure Broadcast Encryption turns to be equivalent to the CDS problem with respect to the Index n predicate: Identify the ciphertext with Bob's message b = b(y, z; r) and the i-th key with Alice's message a(i; r). 11The problem can be solved with n-bit ciphertext and 1-bit keys, and with 1-bit ciphertext and n-bit keys.In fact, [19] showed that one can smoothly get any tradeoff as long as the product of the ciphertext length and the key length is n.Corollary 12 shows that when the key-length is sub-logarithmic the ciphertext must be almost linear, confirming a conjecture of Wee [38].

Proof idea (of Theorem 11)
The idea is to let Bob send to Alice a pair of random strings r 0 and r 1 that are mapped to the same Bob's message b under the zero-secret and under the one-secret respectively.Alice then uses the string r z and the secret z to compute a corresponding message a z , and accepts if the zero message a 0 equals to the one message a 1 .Perfect correctness guarantees that Alice will never err on 0-inputs.We further show that, when f (x, y) = 1, Alice accepts with probability which is at least inverse-exponential in her message length (up to a loss that is proportional to the privacy error of the protocol).See the full version [6] for details.
Table 1 The CDS complexity of some simple functions.By definition, an upper-bound in the leftmost column (pCDS) implies an upper-bound in all other columns, and a lower-bound in the rightmost column (CDS) implies a lower-bound in all other columns.All the linear upper-bounds for pCDS follow from the fact that all of these predicates can be computed by a linear-size formula.The logarithmic lower-bounds for CDS follow from Theorem 1 (and the fact that the corresponding predicates have linear randomized one-way communication complexity.)The linear lower-bounds for pcCDS and ppCDS follow from Theorems 3 and 7 respectively.

Conclusion and Open Questions
In this paper we studied the relations between CDS protocols and standard communication complexity games.We established new connections between CDS communication complexity (with perfect and imperfect privacy and correctness) to well-known communication complexity measures for non-deterministic protocols, randomized unbounded-error protocols, and oneway protocols.This leads to new CDS bounds for various simple functions.These results are summarized in Figure 2 and Table 1.
We end by listing the immediate interesting questions left open following our work.

1.
Prove an explicit polynomial lower-bound on (imperfect) CDS complexity.(A natural candidate would be Inner-Product.)

2.
Our current ppCDS lower-bounds are based on PP complexity, which corresponds to discrepancy.Can we derive such bounds on weaker, easier-to-establish, properties?In particular, can we prove non-trivial ppCDS lower-bounds for predicates that have low randomized bounded-error communication complexity like Greater-Than?
3. Unlike all the other communication complexity measures considered here, CDS complexity is not necessarily upper-bounded by the length of the inputs.But we have no super-linear (or even linear with a large constant factor) lower-bounds for even perfect CDS protocols.Can any of the existing lower-bound techniques from communication complexity be used to obtain such bounds?

4.
If not, can this difficulty be explained, perhaps by relating the problem of proving such lower bounds for CDS to more well-studied problems that are still unsolved?

5.
Following the paradigm of lifting query complexity lower bounds to the communication setting, is there a natural query complexity measure that can be lifted to CDS complexity?

6.
One simple predicate that has eluded all our bounds is Set-Disjointness, for which the best (imperfect) CDS protocol we know has O(n) complexity, and the best lower bound we can prove, even for perfect CDS, is Ω(log(n)).Are either of these tight?

Figure 2
Figure 2 As is standard, we use the name of a complexity measure to also denote the class of functions with polylog(n) complexity under the measure.For classes C1 and C2, a solid arrow C1 → C2 indicates that C1 ⊆ C2, and a dashed arrow C1 C2 indicates that C1 ⊆ C2.Red arrows indicate new results from this paper.Blue text indicates classes for which explicit bounds are not known.