Secret Sharing, Slice Formulas, and Monotone Real Circuits

A secret-sharing scheme allows one to distribute a secret s among n parties such that only some pre-defined “authorized” sets of parties can reconstruct the secret, and all other “unauthorized” sets learn nothing about s. For over 30 years, it was known that any (monotone) collection of authorized sets can be realized by a secret-sharing scheme whose shares are of size $2^{n-o(n)}$, and until recently no better scheme was known. In a recent breakthrough, Liu and Vaikuntanathan (STOC 2018) reduced the share size to $2^{0.994n+o(n)}$, and this was further improved by several follow-ups, culminating in an upper bound of $1.5^{n+o(n)}$ (Applebaum and Nir, CRYPTO 2021). Following these advances, it is natural to ask whether these new approaches can lead to a truly sub-exponential upper bound of $2^{n^{1-\varepsilon}}$ for some constant $\varepsilon > 0$, or even all the way down to polynomial upper bounds. In this paper, we relate this question to the complexity of computing monotone Boolean functions by monotone real circuits (MRCs), a computational model introduced by Pudlák (J. Symb. Log., 1997) in the context of proof complexity. We introduce a new notion of “separable” MRCs that lies between monotone real circuits and monotone real formulas (MRFs). As our main results, we show that recent constructions of general secret-sharing schemes implicitly give rise to separable MRCs for general monotone functions of similar complexity, and that some monotone functions (in monotone NP) cannot be computed by sub-exponential size separable MRCs. Interestingly, proving similar lower bounds for general MRCs appears to be beyond the reach of current techniques. We use this connection to obtain lower bounds against a natural family of secret-sharing schemes, as well as new non-trivial upper bounds for MRCs.
Specifically, we conclude that recent approaches for secret-sharing schemes cannot achieve sub-exponential share size, and that every monotone function can be realized by an MRC (or even an MRF) of complexity $1.5^{n+o(n)}$. To the best of our knowledge, this is the first improvement over the trivial $2^{n-o(n)}$ upper bound. Along the way, we show that the recent constructions of general secret-sharing schemes implicitly give rise to Boolean formulas over slice functions, and we prove that such formulas can be simulated by separable MRCs of similar size. On a conceptual level, our paper continues the rich line of study that relates the share size of secret-sharing schemes to monotone complexity measures.
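The classical “any monotone access structure is realizable” result behind the $2^{n-o(n)}$ baseline comes from sharing the secret once per minimal authorized set (the DNF, or Benaloh–Leichter style, construction). The following is an added illustration, not code from the paper: it implements that construction with additive sharing modulo a constructed prime, reconstructs from any authorized set, and measures how the per-party share size grows with the number of minimal authorized sets (for the majority structure on n parties it is $\binom{n-1}{\lfloor n/2 \rfloor - 1}$ field elements, already exponential in n).

```python
import secrets
from itertools import combinations

# Field modulus for additive sharing; a constructed choice, any prime works.
P = (1 << 61) - 1


def share(secret, n, min_sets):
    """DNF construction: one independent additive sharing of `secret`
    per minimal authorized set. Parties are 0..n-1.
    Returns shares[i] = {clause_index: field element held by party i}."""
    assert 0 <= secret < P
    shares = [dict() for _ in range(n)]
    for c, A in enumerate(min_sets):
        members = sorted(A)
        running = 0
        # All but the last member get uniformly random pieces ...
        for i in members[:-1]:
            r = secrets.randbelow(P)
            shares[i][c] = r
            running = (running + r) % P
        # ... and the last member gets whatever makes the pieces sum to the secret.
        shares[members[-1]][c] = (secret - running) % P
    return shares


def reconstruct(T, shares, min_sets):
    """Returns the secret if T contains some minimal authorized set, else None.
    A set with no clause fully inside it is missing at least one uniformly
    random piece of every clause, so its view is independent of the secret."""
    T = set(T)
    for c, A in enumerate(min_sets):
        if set(A) <= T:
            return sum(shares[i][c] for i in A) % P
    return None


def max_share_len(n, min_sets):
    """Share size of the heaviest party, counted in field elements
    (multiply by log2(P) for bits)."""
    return max(sum(1 for A in min_sets if i in A) for i in range(n))


def majority_min_sets(n):
    """Minimal authorized sets of the majority access structure on n parties."""
    return list(combinations(range(n), n // 2))
```

Running `max_share_len(n, majority_min_sets(n))` for growing n shows the exponential blow-up the abstract refers to; the schemes cited there trade this naive per-clause sharing for structured (slice-based) constructions with $1.5^{n+o(n)}$ shares.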

[1] L. Csirmaz. Secret sharing and duality, 2019, IACR Cryptol. ePrint Arch.

[2] Mitsuru Ito, et al. Secret sharing scheme realizing general access structure, 1989.

[3] K. Srinathan, et al. Alternative Protocols for Generalized Oblivious Transfer, 2008, ICDCN.

[4] Benny Applebaum, et al. Upslices, Downslices, and Secret-Sharing with Complexity of 1.5n, 2021, IACR Cryptol. ePrint Arch.

[5] A. Razborov. Communication Complexity, 2011.

[6] N. Nisan. The communication complexity of threshold gates, 1993.

[7] Josh Benaloh, et al. Generalized Secret Sharing and Monotone Functions, 1990, CRYPTO.

[8] Ingemar Ingemarsson, et al. A Construction of Practical Secret Sharing Schemes using Linear Block Codes, 1992, AUSCRYPT.

[9] Avi Wigderson, et al. Completeness Theorems for Non-Cryptographic Fault-Tolerant Distributed Computation (Extended Abstract), 1988, STOC.

[10] Toniann Pitassi, et al. Lifting Nullstellensatz to monotone span programs over any field, 2018, Electron. Colloquium Comput. Complex.

[11] Amos Beimel, et al. The Share Size of Secret-Sharing Schemes for Almost All Access Structures and Graphs, 2020, IACR Cryptol. ePrint Arch.

[12] Anna Gál, et al. A Generalization of Spira's Theorem and Circuits with Small Segregators or Separators, 2012, SOFSEM.

[13] Moni Naor, et al. Access Control and Signatures via Quorum Secret Sharing, 1998, IEEE Trans. Parallel Distributed Syst.

[14] Xudong Fu, et al. Lower bounds on sizes of cutting plane proofs for modular coloring principles, 1996, Proof Complexity and Feasible Arithmetics.

[15] Benny Applebaum, et al. On the Power of Amortization in Secret Sharing: d-Uniform Secret Sharing and CDS with Constant Information Rate, 2018, TCC.

[16] Tamir Tassa, et al. Generalized oblivious transfer by secret sharing, 2011, Des. Codes Cryptogr.

[17] Amos Beimel, et al. Secret-Sharing Schemes: A Survey, 2011, IWCC.

[18] Arnold Rosenbloom, et al. Monotone Real Circuits are More Powerful than Monotone Boolean Circuits, 1997, Inf. Process. Lett.

[19] G. R. Blakley, et al. Safeguarding cryptographic keys, 1979, 1979 International Workshop on Managing Requirements Knowledge (MARK).

[20] Nader H. Bshouty, et al. Size-Depth Tradeoffs for Algebraic Formulas, 1995, SIAM J. Comput.

[21] Yvo Desmedt, et al. Shared Generation of Authenticators and Signatures (Extended Abstract), 1991, CRYPTO.

[22] Richard P. Brent, et al. The Parallel Evaluation of General Arithmetic Expressions, 1974, JACM.

[23] Brent Waters, et al. Attribute-based encryption for fine-grained access control of encrypted data, 2006, CCS '06.

[24] Stasys Jukna. Combinatorics of Monotone Computations, 1998, Comb.

[25] Claude E. Shannon, et al. The Number of Two-Terminal Series-Parallel Networks, 1942.

[26] Amos Beimel, et al. Quadratic Secret Sharing and Conditional Disclosure of Secrets, 2021, CRYPTO.

[27] Vinod Vaikuntanathan, et al. Towards Breaking the Exponential Barrier for General Secret Sharing, 2017, IACR Cryptol. ePrint Arch.

[28] Emanuele Viola, et al. The communication complexity of addition, 2013, Comb.

[29] Pavel Pudlák, et al. Lower bounds for resolution and cutting plane proofs and monotone computations, 1997, Journal of Symbolic Logic.

[30] C. Papadimitriou, et al. The Complexity of Computing a, 2009.

[31] Staffan Ulfberg. On lower bounds for circuits and selection, 1999.

[32] Ingo Wegener, et al. Relating Monotone Formula Size and Monotone Depth of Boolean Functions, 1983, Inf. Process. Lett.

[33] Avi Wigderson, et al. On span programs, 1993, Proceedings of the Eighth Annual Structure in Complexity Theory Conference.

[34] Adi Shamir, et al. How to share a secret, 1979, CACM.

[35] Vinod Vaikuntanathan, et al. Breaking the circuit-size barrier in secret sharing, 2018, IACR Cryptol. ePrint Arch.

[36] Jan Krajícek. Interpolation by a Game, 1998, Math. Log. Q.

[37] Avi Wigderson, et al. Superpolynomial Lower Bounds for Monotone Span Programs, 1996, Comb.

[38] Stasys Jukna, et al. Boolean Function Complexity: Advances and Frontiers, 2012, Bull. EATCS.

[39] Leslie G. Valiant, et al. Fast Parallel Computation of Polynomials Using Few Processors, 1983, SIAM J. Comput.

[40] Amos Beimel, et al. Better secret sharing via robust conditional disclosure of secrets, 2020, Electron. Colloquium Comput. Complex.

[41] Samuel R. Buss, et al. Size-Depth Tradeoffs for Boolean Formulae, 1994, Inf. Process. Lett.

[42] Shachar Lovett, et al. Equality alone does not simulate randomness, 2018, Electron. Colloquium Comput. Complex.

[43] Yuval Ishai, et al. Protecting data privacy in private information retrieval schemes, 1998, STOC '98.

[44] Brent Waters, et al. Ciphertext-Policy Attribute-Based Encryption: An Expressive, Efficient, and Provably Secure Realization, 2011, Public Key Cryptography.

[45] Avi Wigderson, et al. Monotone circuits for connectivity require super-logarithmic depth, 1990, STOC '88.

[46] Toniann Pitassi, et al. Communication lower bounds via critical block sensitivity, 2013, STOC.

[47] Ankit Garg, et al. Monotone circuit lower bounds from resolution, 2018, Electron. Colloquium Comput. Complex.

[48] László Csirmaz, et al. The Size of a Share Must Be Large, 1994, Journal of Cryptology.

[49] Amos Beimel, et al. Secret-Sharing Schemes for General and Uniform Access Structures, 2019, IACR Cryptol. ePrint Arch.

[50] Pavel Pudlák, et al. A note on monotone real circuits, 2018, Inf. Process. Lett.

[51] David Chaum, et al. Multiparty Unconditionally Secure Protocols (Extended Abstract), 1988, STOC.

[52] Mitsuru Ito, et al. Multiple assignment scheme for sharing secret, 1993, Journal of Cryptology.

[53] Stephen A. Cook, et al. An Exponential Lower Bound for the Size of Monotone Real Circuits, 1999, J. Comput. Syst. Sci.