520 |
|
|
|a A secret-sharing scheme for a monotone Boolean (access) function $F: \{0,1\}^n \to \{0,1\}$ is a randomized algorithm that on input a secret, outputs $n$ shares $s_1, \ldots, s_n$ such that for any $(x_1, \ldots, x_n) \in \{0,1\}^n$ the collection of shares $\{s_i : x_i = 1\}$ determine the secret if $F(x_1, \ldots, x_n) = 1$ and reveal nothing about the secret otherwise. The best secret sharing schemes for general monotone functions have shares of size $\Theta(2^n)$. It has long been conjectured that one cannot do much better than $2^{\Omega(n)}$ share size, and indeed, such a lower bound is known for the restricted class of linear secret-sharing schemes. In this work, we refute two natural strengthenings of the above conjecture: First, we present secret-sharing schemes for a family of $2^{2^{n/2}}$ monotone functions over $\{0,1\}^n$ with sub-exponential share size $2^{O(\sqrt{n} \log n)}$. This unconditionally refutes the stronger conjecture that circuit size is, within polynomial factors, a lower bound on the share size. Second, we disprove the analogous conjecture for non-monotone functions. Namely, we present "non-monotone secret-sharing schemes" for every access function over $\{0,1\}^n$ with shares of size $2^{O(\sqrt{n} \log n)}$. Our construction draws upon a rich interplay amongst old and new problems in information-theoretic cryptography: from secret-sharing, to multi-party computation, to private information retrieval. Along the way, we also construct the first multi-party conditional disclosure of secrets (CDS) protocols for general functions $F: \{0,1\}^n \to \{0,1\}$ with communication complexity $2^{O(\sqrt{n} \log n)}$.
|