Conditional Disclosure of Secrets via Nonlinear Reconstruction
 11 Citations
 3.1k Downloads
Abstract
We present new protocols for conditional disclosure of secrets (CDS), where two parties want to disclose a secret to a third party if and only if their respective inputs satisfy some predicate.

For general predicates \(\mathsf {P}: [N] \times [N] \rightarrow \{0,1\}\), we present two protocols that achieve \(o(N^{1/2})\) communication: the first achieves \(O(N^{1/3})\) communication and the second achieves subpolynomial \(2^{O(\sqrt{\log N \log \log N})} = N^{o(1)}\) communication.

As a corollary, we obtain improved share complexity for forbidden graph access structures. Namely, for every graph on N vertices, there is a secretsharing scheme for N parties in which each pair of parties can reconstruct the secret if and only if the corresponding vertices in G are connected, and where each party gets a share of size \(2^{O(\sqrt{\log N \log \log N})} = N^{o(1)}\).
Prior to this work, the best protocols for both primitives required communication complexity \(\tilde{O}(N^{1/2})\). Indeed, this is essentially the best that all prior techniques could hope to achieve as they were limited to socalled “linear reconstruction”. This is the first work to break this \(O(N^{1/2})\) “linear reconstruction” barrier in settings related to secret sharing. To obtain these results, we draw upon techniques for nonlinear reconstruction developed in the context of informationtheoretic private information retrieval.
We further extend our results to the setting of private simultaneous messages (PSM), and provide applications such as an improved attributebased encryption (ABE) for quadratic polynomials.
Keywords
Private Simultaneous Messages (PSM) Graph Access Structures Attributebased Encryption (ABE) Secret Sharing Scheme Informationtheoretic PIR1 Introduction
Conditional Disclosure of Secrets (CDS). Twoparty conditional disclosure of secrets (CDS) [GIKM00] (c.f. Fig. 1) is a generalization of secret sharing [Sha79, ISN89]: two parties want to disclose a secret to a third party if and only if their respective inputs satisfy some fixed predicate \(\mathsf {P}: [N] \times [N] \rightarrow \{0,1\}\). Concretely, Alice holds x, Bob holds y and in addition, they both hold a secret \(\mu \in \{0,1\}\) (along with some additional private randomness w). Charlie knows both x and y but not \(\mu \); Alice and Bob want to disclose \(\mu \) to Charlie iff \(\mathsf {P}(x,y)=1\). How many bits do Alice and Bob need to communicate to Charlie?
In this work, we address this question in the affirmative, giving two protocols with \(o(N^{1/2})\) communication, including one with subpolynomial \(N^{o(1)}\) communication. Before describing our results in more detail, we need to place this question in a broader context.Do there exist CDS protocols for general predicates \(\mathsf {P}: [N] \times [N] \rightarrow \{0,1\}\) with \(o(N^{1/2})\) communication?
First, the existing exponential gap between upper and lower bounds for CDS is analogous to a longstanding open question in informationtheoretic cryptography, namely, the study of secretsharing schemes for general access structures [ISN89]. For general secretsharing schemes, the best upper bounds on the (individual) share size are exponential in the number of parties n, namely \(2^{\Theta (n)}\), whereas the best lower bounds are nearly linear [Csi97], namely \(\Omega (n/\log n)\) (see Beimel’s survey [Bei11] for more details).
It turns out that we do have a more nuanced understanding of this gap, both for CDS and for secretsharing. This understanding comes from looking at the complexity of the “reconstruction function”: in CDS, this refers to the function that Charlie computes on Alice’s and Bob’s messages to recover \(\mu \), and in secretsharing, the function used to recover the secret from the shares, and by complexity, we refer to the degree of the reconstruction function when expressed as a multivariate polynomial in its inputs, namely Alice’s and Bob’s messages or the shares.
On the Importance of Reconstruction Degree. Most known CDS and secretsharing schemes have linear reconstruction functions (which is necessary for some applications), and for linear reconstruction, the existing upper bounds for both CDS and secretsharing are essentially optimal [BGP95, RPRC16, GKW15]. Therefore, to narrow the exponential gap between upper and lower bounds for CDS, we need to turn to general, nonlinear reconstruction functions, as will be the case for our new CDS protocols.
Starting from the work of Beimel and Ishai, we know of a few specific (artificial) access structures with nonlinear secret sharing schemes (which are unlikely to have efficient linear secret sharing schemes) [BI01, VV15]. More recently, [AARV17] showed a specific (contrived) predicate with a nonlinear CDS scheme that is exponentially more efficient than the best linear CDS scheme. Unfortunately, none of these works yield any techniques that work with general predicates.
Henceforth, instead of referring to general predicates, we will focus on a specific predicate \(\mathbf {INDEX}_n\) where Alice holds a vector \(\mathbf D\in \{0,1\}^n\), Bob holds an index \(i \in [n]\) and the predicate is \(\mathbf D,i \mapsto \mathbf D_i\), namely the ith bit of \(\mathbf D\); that is, Charlie learns the secret \(\mu \) iff \(\mathbf D_i = 1\). It is easy to see that we can derive a CDS protocol for the class of general predicates \(\mathsf {P}: [N] \times [N] \rightarrow \{0,1\}\) – which we denote by \(\mathbf {ALL}_N\) – from one for \(\mathbf {INDEX}_N\), by considering the truth table of the predicate as the database and the input to the predicate as the index. Via this connection, our central open problem reduces to constructing CDS for \(\mathbf {INDEX}_n\) with \(o(\sqrt{n})\) communication. The best known CDS protocol for INDEX (regardless of the reconstruction degree) has communication \(O(\sqrt{n})\); and this protocol indeed has linear reconstruction, for which there is a matching lower bound. More generally, Gay et al. [GKW15] show that any CDS for \(\mathbf {INDEX}_n\) with degree k reconstruction requires communication \(\Omega (n^{\frac{1}{k+1}})\).
1.1 Our Results and Techniques

a CDS protocol with \(O(n^{1/3})\) communication with quadratic reconstruction, which is optimal;

a CDS protocol with \(2^{O(\sqrt{\log n \log \log n})} = n^{o(1)}\) with general reconstruction.
These immediately imply CDS protocols for general predicates \(\mathbf {ALL}_N\) with \(O(N^{1/3})\) communication and quadratic reconstruction, and \(2^{O(\sqrt{\log N \log \log N})} = N^{o(1)}\) and general reconstruction. Our CDS protocols also yield similar improvements for secretsharing schemes for the socalled “forbidden graph access structures” [SS97] via a generic transformation in [BIKK14]; in particular, we present the first schemes that achieve \(o(\sqrt{N})\) share sizes for graphs on N nodes. Overall, this is first work to break the “linear reconstruction” barrier for general predicates in settings related to secret sharing.
To obtain these results, we draw upon techniques for nonlinear reconstruction developed in the context of informationtheoretic private information retrieval (PIR) [CKGS98, WY05, Yek08, Efr09, DGY11, BIKO12, DG15]. Our \(O(n^{1/3})\) protocol exploits partial derivatives of polynomials, whereas our \(2^{O(\sqrt{\log n \log \log n})}\) uses matching vector families [Gro00], first invented in the context of explicit Ramsey graph constructions. While techniques from PIR have been used to improve communication complexity for informationtheoretic cryptography e.g. [BIKK14], we do not know of any work that uses these techniques to improve communication complexity beyond the “linear reconstruction” barrier as we do.
Along the way, we also present new CDS protocols for lowdegree polynomials (testing whether the polynomial evaluates to nonzero), along with an application to a new attributebased encryption (ABE) scheme [SW05, GPSW06] for quadratic functions.
1.2 Our CDS Protocols
As mentioned earlier, our CDS protocols draw upon techniques for nonlinear reconstruction developed in the context of informationtheoretic PIR. Our starting point is a recent work of Beimel, Ishai, Kumaresan and Kushilevitz (BIKK) [BIKK14], showing how to use PIR to improve PSM and informationtheoretic twoparty computation in several different models. While BIKK applies general transformations to variants of PIR, our constructions exploit the techniques used in a PIR in a more nonblackbox manner, and along the way, we improve upon and simplify some of the constructions in BIKK. For this reason, we will first provide an overview of our CDS protocols without referring to PIR, and then explain the connection to PIR after.
CDS for INDEX. Recall that in CDS for \(\mathbf {INDEX}_n\), Alice holds \(\mathbf D\in \{0,1\}^n\), Bob holds \(i \in [n]\) and \(\mu \in \{0,1\}\), and Charlie should learn \(\mu \) iff \(\mathbf D_i = 1\). Intuitively, the protocol proceeds by having Charlie “securely compute” \(\mu \mathbf D_i\), so that if \(\mathbf D_i = 0\), Charlie learns nothing about \(\mu \). To do this, we will relate \(\mu \mathbf D_i\) to some function \(F_{\mathbf D,i}(\cdot )\), which would form part of the construction function.

Alice and Bob share randomness \(\mathbf b,\mathbf c\).

Bob deterministically encodes \(i \in [n]\) as a vector \(\mathbf u_i \in \{0,1\}^\ell \) and sends \(\mathbf m_B^1 := \mu \mathbf u_i + \mathbf b\);
 We construct a function \(F_{\mathbf D,i}\) such thatwhere \(\mathbf y_{\mathbf D,\mathbf b} \in \{0,1\}^\ell \) is completely determined given \(\mathbf D,\mathbf b\) and \(\langle \cdot ,\cdot \rangle \) corresponds to inner product. Note that Charlie can compute \(F_{\mathbf D,i}(\mu \mathbf u_i + \mathbf b)\) given \(\mathbf D,i,\mu \mathbf u_i+\mathbf b\).$$\begin{aligned} \mu \mathbf D_i = F_{\mathbf D,i}(\mu \mathbf u_i + \mathbf b) + \langle \mathbf u_i,\mathbf y_{\mathbf D,\mathbf b} \rangle \end{aligned}$$(1)

In order for Charlie to also “securely” compute \(\langle \mathbf u_i,\mathbf y_{\mathbf D,\mathbf b} \rangle \), Alice sends \(\mathbf m_A^1 := \mathbf y_{\mathbf D,\mathbf b} + \mathbf c\) and Bob sends \(m_B^2 := \langle \mathbf u_i,\mathbf c \rangle \).
 Charlie can now compute \(\mu \mathbf D_i\) (and thus \(\mu \)) given \(\mathbf D,i,(\mathbf m_A^1,\mathbf m_B^1,m_B^2)\) by computing$$F_{\mathbf D,i}(\mathbf m_B^1)  \langle \mathbf u_i, \mathbf m_A^1 \rangle + m_B^2.$$
Note that the total communication is \(O(\ell )\), whereas the complexity of reconstruction is dominated by that of computing \(F_{\mathbf D,i}\). Privacy follows fairly readily from the fact that the joint distribution of \((\mathbf m_A^1,\mathbf m_B^1)\) is uniformly random, and that \(m_B^2\) is completely determined given \((\mathbf m_A^1,\mathbf m_B^1)\) and \(\mu \mathbf D_i\) along with \(\mathbf D,i\).
 Our CDS with \(O(n^{1/3})\) communication uses degree 3 polynomials. Roughly speaking, we encode \(i \in [n]\) as \(\mathbf u_i \in \mathbb F_2^{O(n^{1/3})}\) (i.e., \(\ell =O(n^{1/3})\)) and \(\mathbf D\) as a vector \(\mathbf p\in \mathbb F_2^{O(n)}\) so that \(\mathbf D_i = \langle \mathbf p, \mathbf u_i \otimes \mathbf u_i \otimes \mathbf u_i \rangle \). Then, \(F_{\mathbf D,i}\) is (roughly) defined to beThis means$$ \begin{aligned} F_{\mathbf D,i}(\mu \mathbf u_i + \mathbf b) ={}&\langle \mathbf p,(\mu \mathbf u_i + \mathbf b) \otimes (\mu \mathbf u_i + \mathbf b) \otimes \mathbf u_i \rangle + \langle \mathbf p,(\mu \mathbf u_i + \mathbf b) \otimes \mathbf u_i \otimes (\mu \mathbf u_i + \mathbf b) \rangle \\&+ \langle \mathbf p,\mathbf u_i \otimes (\mu \mathbf u_i + \mathbf b) \otimes (\mu \mathbf u_i + \mathbf b) \rangle \\ \end{aligned} $$where in the last equality, we use the fact that we are working over \(\mathbb F_2\). Using this technique, we can in fact obtain communicationefficient CDS for degree 3 polynomials. Using an additional balancing technique, we can also obtain optimal tradeoffs between the length of Alice’s and Bob’s messages.$$ \begin{aligned} F_{\mathbf D,i}(\mu \mathbf u_i + \mathbf b) ={}&3 \mu \langle \mathbf p, \mathbf u_i \otimes \mathbf u_i \otimes \mathbf u_i \rangle \\&+ \underbrace{2\mu ( \langle \mathbf p, \mathbf u_i \otimes \mathbf u_i \otimes \mathbf b \rangle + \langle \mathbf p, \mathbf u_i \otimes \mathbf b\otimes \mathbf u_i \rangle + \langle \mathbf p, \mathbf b\otimes \mathbf u_i \otimes \mathbf u_i \rangle )}_{=0} \\&+ \underbrace{\langle \mathbf p, \mathbf u_i \otimes \mathbf b\otimes \mathbf b \rangle + \langle \mathbf p, \mathbf b\otimes \mathbf u_i \otimes \mathbf b \rangle + \langle \mathbf p, \mathbf b\otimes \mathbf b\otimes \mathbf u_i \rangle }_{=\langle \mathbf u_i,\mathbf y_{\mathbf D,\mathbf b} \rangle } \\ ={}&\mu \mathbf D_i + \langle \mathbf u_i,\mathbf y_{\mathbf D,\mathbf b} \rangle \end{aligned} $$
 Our CDS with \(2^{O(\sqrt{\log n\log \log n})}\) communication uses a matching vector family, namely a collection of vectors \(\{(\mathbf v_i, \mathbf u_i)\}_{i\in [n]}\) such that all vectors \(\mathbf u_i, \mathbf v_i \in \mathbb Z_6^\ell \) where \(\ell = 2^{O(\sqrt{\log n \log \log n})}\) and:Here, the inner product computations are done mod 6. Such a matching vector family was originally constructed by Grolmusz [Gro00] and improved by Dvir et al. [DGY11]. We omit precise description of \(F_{\mathbf D,i}\) but note that it is closely related to the functions \(G,G'\) defined in Sect. 4 (which are the same as those used in [DG15]). In particular, the PIR in [DG15] matches the following high level description: The user’s queries are \(\mathbf u_i+\mathbf b\) and \(\mathbf b\), the servers’ answers are vectors \(H_{\mathbf D}(\mathbf u_i + \mathbf b)\) and \(H_{\mathbf D}(\mathbf b)\) such that$$\begin{aligned} \langle \mathbf v_i, \mathbf u_i \rangle&= 0, \\ \langle \mathbf v_i, \mathbf u_j \rangle&\in \{1,3,4\} \quad \text {for }i\ne j. \end{aligned}$$We observe that the following relation also holds:$$\begin{aligned} \langle H_{\mathbf D}(\mathbf u_i + \mathbf b), \mathbf u_i \rangle  \langle H_{\mathbf D}(\mathbf b), \mathbf u_i \rangle = \mathbf D_i. \end{aligned}$$(2)from which we may derive \(F_{\mathbf D,i}\). This technique can be further generalized to construction a CDS from any 2server PIR with linear reconstruction.$$\begin{aligned} \underbrace{\langle H_{\mathbf D}(\mu \mathbf u_i + \mathbf b), \mathbf u_i \rangle }_{F_{\mathbf D,i}(\mu \mathbf u_i + \mathbf b)}  \langle \underbrace{H_{\mathbf D}(\mathbf b)}_{\mathbf y_{\mathbf D,\mathbf b}}, \mathbf u_i \rangle = \mu \mathbf D_i. \end{aligned}$$(3)

The user wants to learn \(\mathbf D_i\) instead of \(\mu \mathbf D_i\), and again, \(\mathbf D_i\) is written as an expression related to the same function \(F_{\mathbf D,i}\), but the expression itself is different. (Roughly speaking, this is analogous to the difference between Eqs. 2 and 3 above).

Bob’s message \(\mu \mathbf u_i + \mathbf b\) corresponds roughly to the user’s query to the first server; note that Bob’s message perfectly hides the index i.

In PIR, one difficulty lies in jointly computing the quantity corresponding to \(F_{\mathbf D,i}(\mu \mathbf u_i + \mathbf b)\) because no single party knows \(\mathbf D\) and i, whereas this is easy in CDS. In PIR, computing the quantity corresponding to \(\langle \mathbf u_i,\mathbf y_{\mathbf D,\mathbf b} \rangle \) is easy as the server can send \(\mathbf y_{\mathbf D,\mathbf b}\) to the user; in PIR, Alice cannot send \(\mathbf y_{\mathbf D,\mathbf b}\) as is to Charlie as it would leak information about \(\mathbf b\) and thus \(\mu \).
1.3 Our PSM Protocols
We consider the 2party Private Simultaneous Message (PSM) model [FKN94] (c.f. Fig. 1): Alice holds x, Bob holds y and they both share some private randomness. Each of them sends a message to Charlie, upon which Charlie should learn \(\mathsf {P}(x,y)\) for some public function \(\mathsf {P}\) but otherwise learns nothing else about x, y. While the inputs involved in a computation (namely x and y) are not hidden in the CDS setting, they are in PSM and thus this is a harder model to design protocols in.
The state of the art in known constructions is as follows: (i) For informationtheoretic security, the length of both Alice’s message and Bob’s message are both quadratic in the size of the branching program representation of f [FKN94, IK00, IK02]; this holds for both the Boolean and arithmetic settings. (ii) For computational security, the length of Alice’s and Bob’s messages are optimal up to a multiplicative overhead by the security parameter; this is the celebrated Yao’s garbled circuits and requires only oneway functions.
In this work, we describe such a protocol for the class of multivariate polynomials of total degree k, where Alice holds a degreed polynomial \(\mathbf p\) in n variables, Bob holds an input \(\mathbf x\in \mathbb F_q^n\) and Charlie learns \(\mathbf p(\mathbf x)\) and nothing else. In our protocol, Alice sends \(O(n^k)\) bits and Bob sends O(kn) bits. This gives us a protocol for INDEX with degreek reconstruction with the same communication profile, which is nearly optimal (up to the factor of k in Bob’s communication). We refer the reader to Fig. 2 for details.
We also give a PSM for degree 4 polynomials, where the polynomial \(\mathbf p\) (over GF(2)) is public, Alice and Bob hold \(\mathbf x\in \{0,1\}^n\) and \(\mathbf y\in \{0,1\}^n\) respectively, and Charlie gets \(\mathbf p(\mathbf x,\mathbf y)\). This in turn gives a simpler and more direct \(O(\sqrt{N})\) PSM for the predicate \(\mathbf {ALL}_N\), first shown in [BIKK14], along with an explicit bound on the degree of reconstruction. In \(\mathbf {ALL}_N\), there is a public predicate \(\mathsf {P}\), Alice and Bob hold \(\mathbf x\) and \(\mathbf y\) respectively, and Charlie gets \(\mathsf {P}(\mathbf x,\mathbf y)\).
1.4 Discussion
Additional Related Work. We mention some additional related works.
Secret Sharing. The complexity of secret sharing for graphbased access structures was extensively studied in a setting where the edges of the graph represent the only minimal authorized sets, that is, any set of parties that does not contain an edge should learn nothing about the secret. The notion of forbidden graph access structures we study, originally introduced in [SS97], can be viewed as a natural “promise version” of this question, where one is only concerned about sets of size 2. The best upper bound for the total share size for every graph access structure is \(O(N^2/\log N)\) [Bub86, BSGV96, EP97] whereas the best lower bounds are (i) \(\Omega (N \log N)\) for general secretsharing schemes [vD95, BSSV97, Csi05] and (ii) \(\Omega (N^{3/2})\) for linear secretsharing schemes [BGP95].
AttributeBased Encryption. Attributebased encryption (ABE) [SW05, GPSW06] is a new paradigm for publickey encryption that enables finegrained access control for encrypted data. In attributebased encryption, ciphertexts are associated with descriptive values x in addition to a plaintext, secret keys are associated with values y, and a secret key decrypts the ciphertext if and only if \(\mathsf {P}(x,y) = 1\) for some boolean predicate \(\mathsf {P}\). Note that x and y are public given the respective ciphertext and secret key. The security requirement for attributebased encryption enforces resilience to collusion attacks, namely any group of users holding secret keys for different values learns nothing about the plaintext if none of them is individually authorized to decrypt the ciphertext.
In [Wat09], Waters introduced the powerful dual system encryption methodology for building adaptively secure IBE in bilinear groups; this has since been extended to obtain adaptively secure ABE for a large class of predicates [LW10, LOS+10, OT10, LW11, Lew12, OT12]. In recent works [Att14, Wee14] (with extensions in [CGW15]), Attrapadung and Wee presented a unifying framework for the design and analysis of dual system ABE schemes, which decouples the predicate \(\mathsf {P}\) from the security proof. Specifically, the latter work puts forth the notion of predicate encoding, a privatekey, onetime, informationtheoretic primitive similar to conditional disclosure of secrets, and provides a compiler from predicate encoding for a predicate \(\mathsf {P}\) into an ABE for the same predicate using the dual system encryption methodology. Moreover, the parameters in the predicate encoding scheme and in CDS correspond naturally to ciphertext and key sizes in the ABE. In particular, Alice’s message corresponds to the ciphertext, and Bob’s message to the secret key. These applications do require linear construction over \(\mathbb {Z}_q\), where q is the order of the underlying bilinear group. Note that while the parameters for ABE schemes coming from predicate encodings are not necessarily the best known parameters, they do match the stateoftheart in terms of ciphertext and secret key sizes for many predicates such as inner product, index, and readonce formula.

Two questions related to CDS for \(\mathbf {INDEX}_n\): (i) can we realize degree 2 reconstruction and communication \((\mathsf {cc}_A,\mathsf {cc}_B) = (1,\sqrt{n})\) (this would yield the full \((n/t^2,t)\) tradeoff for all t); (ii) how about total communication \(O(n^{1/4})\) and degree 3 reconstruction, and more generally,\(O(n^{\frac{1}{k+1}})\) and degree k reconstruction for \(k \ge 3\)?

Broadcast encryption schemes for n parties with \(O(n^{1/3})\) ciphertext and secret key sizes from bilinear maps, by possibly exploiting our CDS for \(\mathbf {INDEX}_n\) with quadratic reconstruction.

PSM for \(\mathbf {ALL}_N\) with \(o(\sqrt{N})\) total communication.

Secretsharing for general graph access structures with \(N^{3/2}\) total share size, or even \(N^{1+o(1)}\) total share size? A natural starting point would be to extend the connection between CDS and secretsharing for forbidden graph access structures in [BIKK14] to that of general graph access structures.
2 Preliminaries
Notations. We denote by \(s \leftarrow _{\textsc {r}}S\) the fact that s is picked uniformly at random from a finite set S or from a distribution. Throughout this paper, we denote by \(\log \) the logarithm of base 2.
2.1 Conditional Disclosure of Secrets
We recall the notion of conditional disclosure of secrets (CDS), c.f., Fig. 2. The definition we give here is for two parties Alice and Bob and a referee Charlie, where Alice and Bob share randomness w and want to conditionally disclose a secret \(\alpha \) to Charlie. The general notion of conditional disclosure of secrets has first been investigated in [GIKM00]. Twoparty CDS is closely related to the notions of predicate encoding [Wee14, CGW15] and pairing encoding [Att14]; in particular, the latter two notions imply twoparty CDS with linear reconstruction.
Definition 2.1
 (reconstruction.) For all \((x,y) \in \mathscr {X}\times \mathscr {Y}\) such that \(\mathsf {P}(x,y) = 1\), for all \(w \in \mathscr {W}\), and for all \(\alpha \in \mathscr {D}\):$$\begin{aligned} \mathsf {C}(x,y,\mathsf {A}(x,w,\alpha ),\mathsf {B}(y,w,\alpha )) = \alpha \end{aligned}$$
 (privacy.) For all \((x,y) \in \mathscr {X}\times \mathscr {Y}\) such that \(\mathsf {P}(x,y) = 0\), and for all \(\mathsf {C}^* : \{0,1\}^{\mathsf {cc}_\mathsf {A}} \times \{0,1\}^{\mathsf {cc}_\mathsf {B}} \rightarrow \mathscr {D}\),$$ \Pr _{w \leftarrow \mathscr {W}, \alpha \leftarrow _{\textsc {r}}\mathscr {D}}\Bigl [ \mathsf {C}^* \bigl (\mathsf {A}(x,w,\alpha ),\mathsf {B}(y,w,\alpha )\bigr ) = \alpha \Bigr ] \le \frac{1}{\mathscr {D}}$$
Note that the formulation of privacy above with uniformly random secrets is equivalent to standard indistinguishabilitybased formulations.
A useful measure for the complexity of a CDS is the complexity of reconstruction as a function of the outputs of \(\mathsf {A},\mathsf {B}\), as captured by the function \(\mathsf {C}\), with (x, y) hardwired.
Definition 2.2
( \(\mathscr {C}\)reconstruction). Given a set \(\mathscr {C}\) of functions from \(\{0,1\}^{\mathsf {cc}_\mathsf {A}} \times \{0,1\}^{\mathsf {cc}_\mathsf {B}}\) to \(\mathscr {D}\), we say that a CDS \((\mathsf {A},\mathsf {B},\mathsf {C})\) admits \(\mathscr {C}\)reconstruction if for all (x, y) such that \(\mathsf {P}(x,y)=1\), \(\mathsf {C}(x,y,\cdot ,\cdot ) \in \mathscr {C}\).

\(\mathscr {C}_\text {all}\) is the set of all functions from \(\{0,1\}^{\mathsf {cc}_\mathsf {A}} \times \{0,1\}^{\mathsf {cc}_\mathsf {B}} \rightarrow \mathscr {D}\); that is, we do not place any restriction on the complexity of reconstruction. Note that \(\mathscr {C}_\mathrm {all} = \mathscr {D}^{2^{\mathsf {cc}_\mathsf {A}+\mathsf {cc}_B}}\).

\(\mathscr {C}_\mathrm {lin}\) is the set of all linear functions over \(\mathbb {Z}_2\) from \(\{0,1\}^{\mathsf {cc}_\mathsf {A}} \times \{0,1\}^{\mathsf {cc}_\mathsf {B}} \rightarrow \mathscr {D}\); that is, we require the reconstruction to be linear as a function of the outputs of \(\mathsf {A}\) and \(\mathsf {B}\) as bit strings (but may depend arbitrarily on x, y). This is the analogue of linear reconstruction in linear secret sharing schemes and is a requirement for the applications to attributebased encryption [Wee14, Att14, CGW15]. Note that \(\mathscr {C}_\mathrm {linear} \le \mathscr {D}^{{\mathsf {cc}_\mathsf {A}+\mathsf {cc}_B}}\) for \(\mathscr {D} \ge 2\).
Remark 2.3
Note that while looking at \(\mathscr {C}\), we consider \(\mathsf {C}(x,y,\cdot ,\cdot )\), which has (x, y) hardwired, and takes an input of total length \(\mathsf {cc}_\mathsf {A}+ \mathsf {cc}_\mathsf {B}\). In particular, it could be that \(\mathsf {C}\) runs in time linear in \(x = y = n\), and yet \(\mathsf {cc}_\mathsf {A}= \mathsf {cc}_\mathsf {B}= O(\log n)\) so \(\mathsf {C}\) has “exponential” complexity w.r.t. \(\mathsf {cc}_\mathsf {A}+ \mathsf {cc}_\mathsf {B}\).
Definition 2.4
(linear CDS). We say that a CDS \((\mathsf {A},\mathsf {B},\mathsf {C})\) is linear if it admits \(\mathscr {C}_\mathrm {lin}\)reconstruction.
2.2 Private Simultaneous Message
Definition 2.5
 (reconstruction.) For all \((x,y) \in \mathscr {X}\times \mathscr {Y}\):$$\begin{aligned} \mathsf {C}(\mathsf {A}(x,w),\mathsf {B}(y,w)) = f(x,y) \end{aligned}$$

(privacy.) There exists a randomized simulator \(\mathsf S\), such that for any \((x,y)\in \mathscr {X}\times \mathscr {Y}\) the joint distribution \((\mathsf {A}(x,w),\mathsf {B}(y,w))\) is perfectly indistinguishable from \(\mathsf S(f(x,y))\), where the distributions are taken over \(w \leftarrow \mathscr {W}\) and the coin tosses of \(\mathsf S\).
2.3 Predicates and Reductions
 Index \(\mathbf {INDEX}_n\): \(\mathscr {X}:= \{0,1\}^n, \mathscr {Y}:= [n]\) andHere, \(\mathbf D_i\) denotes the i’th coordinate of \(\mathbf D\). Note that we can also interpret \(\mathbf D\) as the characteristic vector of a subset of [n].$$\begin{aligned} \mathsf {P}_\mathbf {INDEX}(\mathbf D, i) = 1 \text { iff } \mathbf D_i = 1 \end{aligned}$$
 Multilinear Polynomials \(\mathbf {MPOLY}^{k}_{n_1,\ldots ,n_k}\): \(\mathscr {X}:= \mathbb F_q^{n_1\cdots n_k}, \mathscr {Y}:= \mathbb F_q^{n_1} \times \cdots \times \mathbb F_q^{n_k}\) andThis captures homogeneous multilinear polynomials of total degree k in \(n_1 + \cdots + n_k\) variables over \(\mathbb F_q\); concretely, the variables are encoded as k vectors \(\mathbf x_1,\ldots ,\mathbf x_k\), each monomial is a product of k variables one from each of the k vectors, and \(\mathbf p\) is the vector of coefficients. In addition, our protocols work with inhomogeneous multilinear polynomials as well. Simply observe that any (even nonhomogeneous) multilinear polynomial p in n variables of total degree at most k is captured by the class \(\mathbf {MPOLY}^{k}_{n+1,\ldots ,n+1}\).^{1}$$\begin{aligned} \mathsf {P}_\mathbf {MPOLY}(\mathbf p, (\mathbf x_1,\ldots ,\mathbf x_k)) = 1 \text { iff } \langle \mathbf p, \mathbf x_1 \otimes \cdots \otimes \mathbf x_k \rangle \ne 0 \end{aligned}$$
 All (“worst”) functions \(\mathbf {ALL}_{N}\): a fixed function \(F: [N] \times [N] \rightarrow \{0,1\}, \mathscr {X}= \mathscr {Y}:= [N]\)$$\begin{aligned} \mathsf {P}_\mathbf {ALL}(x,y) = F(x,y) \end{aligned}$$

\(\mathbf {MPOLY}^{k}_{n_1,\ldots ,n_k} \Rightarrow \mathbf {INDEX}_{n_1 \cdots n_k}\). On input \(\mathbf D\in \{0,1\}^n, i \in [n]\) where \(n = \prod _{j=1}^k n_j\), we map i to \((\mathbf e_{i_1},\ldots ,\mathbf e_{i_k})\) so that \(\mathbf e_i = \mathbf e_{i_1} \otimes \cdots \otimes \mathbf e_{i_k}\) and \(\mathbf D\) to \(\mathbf p\); this way, \(\langle \mathbf p,\mathbf e_{i_1} \otimes \cdots \otimes \mathbf e_{i_k} \rangle = \langle \mathbf D,\mathbf e_i \rangle = \mathbf D_i\).

\(\mathbf {INDEX}_{N} \Rightarrow \mathbf {ALL}_{N}\). Fix \(F : [N]\times [N] \rightarrow \{0,1\}\). We use the “truth table” reduction that maps \((x,y) \in [N] \times [N]\) to \(F(x,\cdot ) \in \{0,1\}^N, y \in [N]\).
2.4 Secret Sharing
Secret Sharing for Forbidden Graph Access Structure on N Parties. Consider a graph \(G=(V,E)\), where \(V = N\). Each vertex denotes a party. The sets that can reconstruct the secret are: (1) all sets of 3 or more parties, (2) all pairs of parties that correspond to vertexes that are not adjacent. The access structure is called forbidden graph as each edge indicates a pair of parties who can not jointly reconstruct the secret.
Secret Sharing for Forbidden Bipartite Graph Access Structure on 2N Parties. Consider a graph \(G=(L,R,E)\) where \(L = R = N\). Each vertex denotes a party. The sets that can reconstruct the secret are: (1) all pairs of parties that correspond to vertexes from the same side of the graph; (2) all pairs of parties that correspond to vertexes from different sides that are not adjacent.
Secret Sharing from PSM and CDS. As shown in [BIKK14, Sect. 7], a PSM scheme for \(\mathbf {ALL}_{N}\) where Alice and Bob sends at most \(\ell = \ell (N)\) bits yields secretsharing schemes for every forbidden bipartite graph access structure on 2N nodes where the share size is \(O(\ell )\) bits. This further implies secret sharing schemes for every forbidden graph access structure on 2N nodes where the share size is \(O(\ell \log N)\) bits [BIKK14, Sect. J]. The technique can be generalized to a transformation from a CDS scheme – a weaker object – to a secret sharing scheme for forbidden graph structures.
Theorem 2.6
[BIKK14]. A CDS scheme for \(\mathbf {ALL}_{N+1}\) where Alice and Bob sends at most \(\ell = \ell (N)\) bits yields secret sharing schemes for forbidden bipartite graph access structure on 2N nodes.
Proof

If \((i,j)\in E\), the ith party on the left and the jth party on the right hold \(\mathsf {A}(i,w,\alpha )\), \(\mathsf {B}(j,w,\alpha )\), whose joint distribution is independent from secret \(\alpha \) by the definition of CDS.

The iparty on the left holds \(\mathsf {A}(i,w,\alpha )\). By the definition of CDS, \(\mathsf {A}(i,w,\alpha )\), \(\mathsf {B}(N+1,w,\alpha )\) jointly leak no information about secret \(\alpha \). \(\square \)
3 CDS for Degree2 and 3 Polynomials with Applications to \(\mathbf {INDEX}\) and ABE
In this section, we present CDS for the class of multilinear polynomials \(\mathbf {MPOLY}^{k}_{n_1,\ldots ,n_k}\) of degree \(k=2,3\) in Sects. 3.1 and 3.2, along with applications to \(\mathbf {INDEX}_n\) and ABE in Sects. 3.3 and 3.4.
3.1 Degree2 Polynomials \(\mathbf {MPOLY}^2_{n_1,n_2}\) over \(\mathbb F_q\)
Recall that in \(\mathbf {MPOLY}^2_{n_1,n_2}\) over \(\mathbb F_q\), Alice holds \(\mathbf p\in \mathbb F_q^{n_1n_2}\), Bob holds \((\mathbf x_1,\mathbf x_2) \in \mathbb F_q^{n_1} \times \mathbb F_q^{n_2}\) and \(\mu \in \mathbb F_q\), and Charlie learns \(\mu \) iff \(\langle \mathbf p, \mathbf x_1 \otimes \mathbf x_2 \rangle \ne 0\). (In Sect. B, we present a protocol for the “negated” setting where Charlie learns \(\mu \) iff \(\langle \mathbf p, \mathbf x_1 \otimes \mathbf x_2 \rangle = 0\)).

Alice sends \(\mathbf m_A^1 := \mathbf p'_\mathbf b+ \mathbf c\),

Bob sends \(m_B^2 := \langle \mathbf c,\mathbf x_2 \rangle \)
Theorem 3.1
(CDS for \(\mathbf {MPOLY}^2_{n_1,n_2}\) ). There is a CDS protocol for degree2 polynomials over \(\mathbb F_q\) (shown in Fig. 3) where Alice sends \(n_2\) elements of \(\mathbb F_q\), Bob sends \(n_1+1\) elements of \(\mathbb F_q\) and Charlie applies an \(\mathbb F_q\)linear reconstruction function.
Proof

The joint distribution of \(\mathbf m_B^1\) and \(\mathbf m^1_A\) is uniformly random, since we are using \((\mathbf b,\mathbf c)\) as onetime pads; and

\(m^2_B = \mu \langle \mathbf p, \mathbf x\otimes \mathbf x_2 \rangle  \langle \mathbf p, \mathbf m_B^1 \otimes \mathbf x_2 \rangle + \langle \mathbf m_A^1,\mathbf x_2 \rangle \)
Putting the two together, we can simulate \(\mathbf m_A^1,\mathbf m_B^1\) and \(m_B^2\) given just \(\mathbf x_1,\mathbf x_2, \mathbf p\), \(\mu \langle \mathbf p, \mathbf x_1 \otimes \mathbf x_2 \rangle \). This finishes the proof. \(\square \)
The total communication is \(\mathsf {cc}_A = n_2\) elements of \(\mathbb F_q\) and \(\mathsf {cc}_B = n_1 + 1\) elements of \(\mathbb F_q\) for a total of \(n_1 + n_2 + 1\). We will use this generalization later in this section to design a CDS protocol for the INDEX functionality with a general communication tradeoff between Alice and Bob.
3.2 Degree 3 Polynomials \(\mathbf {MPOLY}^3_{n_1,n_2,n_3}\) over \(\mathbb F_2\)
In \(\mathbf {MPOLY}^3_{n_1,n_2,n_3}\) over \(\mathbb F_2\), Alice holds \(\mathbf p\in \mathbb F_2^{n_1n_2n_3}\), Bob holds \((\mathbf x_1,\mathbf x_2,\mathbf x_3) \in \mathbb F_2^{n_1} \times \mathbb F_2^{n_2} \times \mathbb F_2^{n_3}\) and \(\mu \in \mathbb F_2\), and Charlie learns \(\mu \) iff \(\langle \mathbf p, \mathbf x_1 \otimes \mathbf x_2 \otimes \mathbf x_3 \rangle \ne 0\). In contrast to Sect. 3.1, we can only handle polynomials over \(\mathbb F_2\) here, yet this will be sufficient for our CDS protocol for INDEX in Sect. 3.3.
Theorem 3.2
(CDS for \(\mathbf {MPOLY}^3_{n_1,n_2,n_3}\) ). There is a CDS protocol for degree3 polynomials over \(\mathbb F_2\) (shown in Fig. 4) where Alice sends \(n_1+n_2+n_3\) bits Bob sends \(n_1+n_2+n_3+1\) bits, and Charlie applies a degree2 reconstruction function (over \(\mathbb F_2\)).
Proof

The joint distribution of \(\mathbf m_B^1,\mathbf m_B^2,\mathbf m_B^3\) and \(\mathbf m^1_A\) is uniformly random, since we are using \((\mathbf b_1,\mathbf b_2,\mathbf b_3,\mathbf c)\) as onetime pads;
 The last bit of Bob’s message, namely \(m^4_B\), is uniquely defined given \(\mathbf m_A^1\), \(\mathbf m_B^1,\mathbf m_B^2,\mathbf m_B^3\) and \(\mu \langle \mathbf p, \mathbf x_1 \otimes \mathbf x_2 \otimes \mathbf x_3\rangle \). In particular,$$\begin{aligned} m_B^4 ={}&\langle \mathbf c,\mathbf x_1\Vert \mathbf x_2\Vert \mathbf x_3 \rangle \\ ={}&\langle \mathbf m^1_A, \mathbf x_1\Vert \mathbf x_2\Vert \mathbf x_3 \rangle  \langle \mathbf p'_{\mathbf b_1,\mathbf b_2,\mathbf b_3},\mathbf x_1\Vert \mathbf x_2\Vert \mathbf x_3 \rangle \\ ={}&\langle \mathbf m^1_A, \mathbf x_1\Vert \mathbf x_2\Vert \mathbf x_3 \rangle + \mu \langle \mathbf p, \mathbf x_1 \otimes \mathbf x_2 \otimes \mathbf x_3 \rangle \\& \langle \mathbf p, \mathbf m_B^1 \otimes \mathbf m_B^2 \otimes \mathbf x_3 + \mathbf m_B^1 \otimes \mathbf x_2 \otimes \mathbf m_B^3 + \mathbf x_1 \otimes \mathbf m_B^2 \otimes \mathbf m_B^3 \rangle \end{aligned}$$
Putting the two together, we can simulate \(\mathbf m_A^1,\mathbf m_B^1,\mathbf m_B^2,\mathbf m_B^3,m_B^4\) given just \(\mathbf x_1,\mathbf x_2,\mathbf x_3, \mathbf p\) and \(\mu \langle \mathbf p, \mathbf x_1 \otimes \mathbf x_2 \otimes \mathbf x_3 \rangle \). \(\square \)
Remark 3.3
(Beyond degree 3). For degree d, the above approach yields communication complexity \(O(n^{d2})\), which is no better than \(O(n^{\lceil d/2 \rceil })\) for \(d \ge 4\). To get to \(O(n^{d3})\) with the above approach, we would want to pick a field and a in the field such that \(da^{d1} \ne 0, (d1)a^{d2}, (d2)a^{d3} = 0\). This is impossible since \(a^{d2} = (d1)a^{d2}  a \cdot (d2)a^{d3} = 0\).
3.3 CDS for \(\mathbf {INDEX}_n\)
Recall that in \(\mathbf {INDEX}_n\), Alice holds \(\mathbf D\in \{0,1\}^n\), Bob holds \(i \in [n]\) and \(\mu \in \mathbb F_q\), and Charlie learns \(\mu \) iff \(\mathbf D_i = 1\). We obtain several CDS protocols for \(\mathbf {INDEX}_n\) by combining the reductions in Sect. 2.3 and our CDS protocols from Sects. 3.1 and 3.2.
Theorem 3.4

\((\mathsf {cc}_A, \mathsf {cc}_B) = (\lceil n/t \rceil , t+1)\) and degree1 reconstruction, for \(1 \le t \le n\); and

\((\mathsf {cc}_A, \mathsf {cc}_B) = (\lceil n/t^2 \rceil , 3t+1)\) and degree2 reconstruction, for \(1\le t \le n^{1/3}\).
As a corollary, we obtain a CDS for \(\mathbf {INDEX}_n\) with total communication \(O(n^{1/2})\) and degree1 reconstruction, and one with total communication \(O(n^{1/3})\) and degree2 reconstruction.
We note that the first bullet was already shown in prior works [GKW15], but we provide an alternative, more algebraic construction here.
Proof
The first bullet follows readily from combining the \(\mathbf {MPOLY}^{2}_{n/t,t} \Rightarrow \mathbf {INDEX}_{n}\) reduction in Sect. 2.3 with our CDS for \(\mathbf {MPOLY}^{2}_{n/t,t}\) in Theorem 3.1. This immediately yields a CDS for \(\mathbf {INDEX}_n\) with \((\mathsf {cc}_A,\mathsf {cc}_B) = (n/t, t+1)\) and degree1 reconstruction.
For the second bullet, we start by observing that combining the \(\mathbf {MPOLY}^{3}_{t,t,t} \Rightarrow \mathbf {INDEX}_{t^3}\) reduction in Sect. 2.3 with our CDS for \(\mathbf {MPOLY}^{3}_{t,t,t}\) in Theorem 3.2. This immediately yields a CDS for \(\mathbf {INDEX}_{t^3}\) with \((\mathsf {cc}_A,\mathsf {cc}_B) = (3t, 3t+1)\) and degree2 reconstruction.

Alice breaks up \(\mathbf D\) into \(n/t^3\) databases \(\mathbf D^1,\ldots ,\mathbf D^{n/t^3} \in \{0,1\}^{t^3}\), and runs \(n/t^3\) copies of CDS for \(\mathbf {INDEX}_{t^3}\), each of which incurs O(t) communication.

Bob parses his input \(i \in [n]\) as \((j,i') \in [n/t^3] \times [t^3]\) so that \(\mathbf D^j_{i'} = \mathbf D_i\). Then, Bob just needs to send a message for the CDS corresponding to \(\mathbf D^j\) and with input \(i' \in [t^3]\). This means that Bob only sends \(3t + 1\) bits.
Altogether, Alice sends \(\frac{n}{t^3} \cdot 3t\) bits and Bob sends \(3t + 1\) bits. \(\square \)
Remark 3.5
(balancing communication in CDS). The idea of constructing a CDS for \(\mathbf {INDEX}_n\) from n / t copies of CDS for \(\mathbf {INDEX}_t\) works well on any CDS protocol for \(\mathbf {INDEX}\). It’s also implicitly used in the previous \((\mathsf {cc}_A,\mathsf {cc}_B) = (n/t,t+1)\) CDS for \(\mathbf {INDEX}_n\) (e.g. [GKW15]). In general, a CDS protocols for \(\mathbf {INDEX}_n\) with communication complexity \((\mathsf {cc}_A,\mathsf {cc}_B)\) implies CDS protocols for \(\mathbf {INDEX}_n\) with communication communication \((\mathsf {cc}'_A,\mathsf {cc}'_B) = (\lceil \frac{n}{t}\rceil \mathsf {cc}_A(t), \mathsf {cc}_B(t))\) for any \(t\in [n]\).
3.4 AttributeBased Encryption for Degree2 Polynomials
We obtain a new ABE scheme for degree2 polynomials, by essentially combining the framework of Chen, Gay and Wee (CGW) [CGW15] with our CDS schemes for \(\mathbf {MPOLY}^2_{n_1,n_2}\). In the ABE, ciphertexts are associated \(\mathbf p\in \mathbb F_q^{n_1n_2}\), secret keys with \((\mathbf x_1,\mathbf x_2) \in \mathbb F_q^{n_1} \times \mathbb F_q^{n_2}\), and decryption is possible whenever \(\langle \mathbf p, \mathbf x_1 \otimes \mathbf x_2 \rangle \ne 0\). We obtain an adaptively secure ABE under the standard klinear assumption in primeorder bilinear groups, where ciphertext contains \(O(n_2)\) group elements, and the secret key contains \(O(n_1)\) group elements. This achieves a quadratic savings over the naive approach of encoding degree2 polynomials as an inner product, where the total ciphertext and secret key size will be \(O(n_1n_2)\) group elements.
4 CDS for INDEX from Matching Vector Families
Recall that in \(\mathbf {INDEX}_n\), Alice holds \(\mathbf D\in \{0,1\}^n\), Bob holds \(i \in [n]\) and \(\mu \in \mathbb F_q\), and Charlie learns \(\mu \) iff \(\mathbf D_i = 1\). In this section, we will construct a CDS protocol for \(\mathbf {INDEX}_n\) with communication complexity \(2^{O(\sqrt{\log n\log \log n})}\). The key tool in the construction is matching vector families first constructed by Grolmusz [Gro00] and introduced to cryptography in the context of PIR [Yek08, Efr09, DGY11, DG15].
Lemma 4.1
Such a collection of vectors is known in the literature as a matching vector family; the statement above corresponds to the special case where the underlying modulus is 6. Our CDS for \(\mathbf {INDEX}_n\) uses the above matching vector family in a way similar to the 2server PIR in [DG15].
4.1 CDS for \(\mathbf {INDEX}_n\) with \(n^{o(1)}\) communication

Bob sends \(\mathbf m_B^1 := \mu \mathbf u_i + \mathbf b\) to Charlie.

Charlie knows \(i,\mathbf D\) and \(\mu \mathbf u_i + \mathbf b\) and could therefore compute \(G(\mu )\) and \(G'(\mu )\).

Alice can compute \(G(0) = \sum _j D_j (1)^{\langle \mathbf b, \mathbf v_j \rangle }\) since it does not depend on i. Alice then sends \(m_A^1 = (2\mu 1)G(0)c'\).
 We can write \(G'(0) = \sum _j \langle \mathbf u_i, \mathbf v_j \rangle D_j (1)^{\langle \mathbf b, \mathbf v_j \rangle }\) asAlice would send \(\mathbf m_A^2 := \mathbf c+ (2\mu 1) \sum _j \mathbf v_j D_j (1)^{\langle \mathbf b, \mathbf v_j \rangle }\) and Bob would send \(m_B^2 := \langle \mathbf u_i,\mathbf c \rangle +c'\). Note that we have \((2\mu 1) G'(0)  (2\mu 1) G(0) =  m_A^1 + \langle \mathbf u_i,\mathbf m_A^2 \rangle  m_B^2\).$$\langle \mathbf u_i, \sum _j \mathbf v_j D_j (1)^{\langle \mathbf b, \mathbf v_j \rangle } \rangle $$

Charlie outputs 1 if \((2\mu 1) G'(0)  (2\mu 1) G(0)  G(\mu ) +G'(\mu ) \ne 0\), and 0 otherwise.
Theorem 4.2
There is a CDS protocol for \(\mathbf {INDEX}_n\) (given in Fig. 5) with \(\mathsf {cc}_A, \mathsf {cc}_B = 2^{O(\sqrt{\log n \log \log n})}\).

the joint distribution of \(\mathbf m_B^1,m^1_A,\mathbf m^2_A\) is uniformly random, since we are using \((\mathbf b,\mathbf c,c')\) as onetime pads;

when \(D_i = 0\), we have \((2\mu 1) G'(0)  (2\mu 1) G(0)  G(\mu ) +G'(\mu ) = 0\). This means that \(m_B^2 = \langle \mathbf u_i,\mathbf m_A^2 \rangle  m_A^1  G(\mu ) + G'(\mu )\). Recall that \(G(\mu ),G'(\mu )\) can in turn be computed from \(\mathbf D,i,\mathbf m_B^1\).
Putting these together, we can simulate \(m_A^1,\mathbf m_A^2,\mathbf m_B^1,m_B^2\) given just \(\mathbf D,i\) when \(D_i = 0\).
Comparison with Dvir and Gopi. Dvir and Gopi considered the ring \(\mathbb Z_6[X]/(X^61)\) which has a generator X, but we use \(\mathbb Z_3\) and \(1\) as suggested therein. The definitions of \(G(t),G(t'),c_0,c_1,c_3,c_4\) are the same as those in DG, and the relation in (8) is a simplification of that in DG.
Remark 4.3
(From PIR to CDS). In Sect. 1.2, we informally construct a CDS for \(\mathbf {INDEX}_n\) from any 2server PIR scheme whose reconstruction function has good structure (as in formula (2)). We claimed that [DG15] has similar structure so that the construction is possible.
4.2 Applications to \(\mathbf {ALL}_N\) and SecretSharing
Corollary 1
There exist CDS schemes for \(\mathbf {ALL}_N\) with \(\mathsf {cc}_A = \mathsf {cc}_B = 2^{O(\sqrt{\log N \log \log N})}\).
Corollary 2
There are secret sharing schemes for forbidden graph access structures on N nodes where the share size for each node is \(2^{O(\sqrt{\log N \log \log N})}\) bits and total share size is \(N \cdot 2^{O(\sqrt{\log N \log \log N})} = N^{1 + o(1)}\).
Combining Theorem 4.2 and reduction for \(\mathbf {INDEX}_{N} \Rightarrow \mathbf {ALL}_{N}\) in Sect. 2.3 yields Corollary 1 immediately. Further combining Corollary 1 with the construction of secret sharing schemes for forbidden graph access structures from CDS for \(\mathbf {ALL}\) (Theorem 2.6) yields Corollary 2.
5 PSM for Polynomials with Applications to \(\mathbf {INDEX}\)
5.1 Degreek Polynomials \(\mathbf {MPOLY}^k_{n_1,\ldots ,n_k}\)
We start with a PSM protocol for degreek polynomials, which is “essentially optimal” in the sense that the communication complexity is roughly the same as that for sending the inputs in the clear. Our protocol uses the standard “random shift” technique in informationtheoretic cryptography, but to the best of our knowledge, the protocol has not appeared in the literature.

the shared randomness is \(\mathbf w\in \mathbb F_q^n\) along with a random polynomial g of total degree k;

Alice sends \((\mathbf x',u) := (\mathbf x+\mathbf w,g(\mathbf x+\mathbf w))\); Bob sends the polynomial h where \(h(\mathbf y) := p(\mathbf y\mathbf w)+g(\mathbf y)\); Charlie outputs \(h(\mathbf x')  u\).
Correctness is straightforward. Privacy follows readily from the fact that we can simulate the view of Charlie given \(p(\mathbf x)\) by picking a random \(\mathbf x',h\) and outputting \((\mathbf x',h(\mathbf x')f(\mathbf x)),h\). Alice only sends a polynomial, thus her communication complexity \(\mathsf {cc}_A\) matches the information lower bound.
This warmup PSM relies on the fact that for any degreek polynomial \(p(\mathbf x)\), after shifting the input by a vector \(\mathbf w\), the resulting polynomial \(p(\mathbf x\mathbf w)\) is still a degreek polynomial. This is not true for homogeneous polynomial (e.g. \(\mathbf {MPOLY}^k_{n_1,\ldots ,n_k}\)). Therefore, when we apply the technique from this warmup PSM to \(\mathbf {MPOLY}^k_{n_1,\ldots ,n_k}\), the onetime pad polynomial g is chosen from a class larger than \(\mathbf {MPOLY}^k_{n_1,\ldots ,n_k}\). A naïve solution is to sample random nvariate degreek polynomial g. This makes Alice’s message (\(\ge \frac{(n_1+\ldots +n_k+1)^k}{k!}\) bits) much longer than her input (\(\prod _jn_j\) bits). In order to overcome this difficult and preserve closetooptimal communication complexity, we sample g from a more subtle polynomial class.
Functionality. The functionality \(\mathbf {MPOLY}^k_{n_1,\ldots ,n_k}\) is defined as: Alice holds a homogeneous multilinear polynomial \(\mathbf p\in \mathbb F_q^{n_1\ldots n_k}\) and Bob holds \({\overline{\mathbf {x}}}\mathrel {:=}(\mathbf x_1,\ldots ,\mathbf x_k) \in \mathbb F_q^{n_1}\otimes \ldots \otimes \mathbb F_q^{n_k}\). Charlie learns \(\mathbf p({\overline{\mathbf {x}}}) \mathrel {:=}\langle \mathbf p, \mathbf x_1 \otimes \ldots \otimes \mathbf x_k \rangle \).
Theorem 5.1
There is a PSM protocol for degree k polynomials over \(\mathbb F_q\) (shown in Fig. 6) where Alice sends \(\prod _j(n_j+1)\) elements of \(\mathbb F_q\), Bob sends \(\sum _j n_j + 1\) elements of \(\mathbb F_q\) and Charlie applies a degree\((k+1)\) reconstruction function over \(\mathbb F_q\).
Proof

the joint distribution of \({\overline{\mathbf {m}}}^1_B, h\) is uniformly random, since we are using \(({\overline{\mathbf {b}}}, g)\) as onetime pads;

we have \(m^2_B = h({\overline{\mathbf {m}}}_B)  f({\overline{\mathbf {x}}})\).
Putting the two together, we can simulate \(h, {\overline{\mathbf {m}}}^1_B, m^2_B\) given just \(f({\overline{\mathbf {x}}})\). The reconstruction is of degree \(k+1\). \(\square \)

Closure under group operation: for any \(f,f' \in \mathscr {F}\), the function \(f+ f'\), defined as \((f+ f')(\mathbf x) = f(\mathbf x) + f'(\mathbf x)\), is in \(\mathscr {F}\) as well;

Closure under input shift: for any \(f\in \mathscr {F}, \mathbf s\in \mathscr {X}\), the function \(f_{\mathbf s}\), defined as \(f_\mathbf s(\mathbf x) = f(\mathbf x\mathbf s)\), is also in \(\mathscr {F}\).
The resulting PSM has nearly optimal communication complexity, \(\mathsf {cc}_A = \log \mathscr {F}\) which matches information theoretical lower bound and \(\mathsf {cc}_B = \log \mathscr {X} + \log \mathscr {D}\) which is higher than the optimal by at most \(\log \mathscr {D}\).
Inner Product. The inner product problem, where Alice and Bod hold \(\mathbf x,\mathbf y\in \mathbb F_p^{n}\) respectively and Charlie learns \(\langle \mathbf x,\mathbf y \rangle \), is an alias of \(\mathbf {MPOLY}^1_n\). Thus there is an efficient PSM protocol for inner product.
Corollary 3
There exists a PSM protocol for inner product with \(\mathsf {cc}_A = \mathsf {cc}_B = n+1\) and degree2 reconstruction.
5.2 Degree4 Functions
Here, we present a PSM for degree 4 functions with linear communication, which we then use to derive a PSM for \(\mathbf {ALL}_N\) in the next section.
Functionality. There is a fixed public function \(\mathbf p\in \mathbb F_q^{n^4}\). Alice holds \(\mathbf x_1,\mathbf x_2\in \mathbb F_q^{n}\) and Bob holds \(\mathbf y_1,\mathbf y_2 \in \mathbb F_q^n\). Charlie learns \(\langle \mathbf p, \mathbf x_1 \otimes \mathbf x_2 \otimes \mathbf y_1 \otimes \mathbf y_2 \rangle \).
Theorem 5.2
This is a PSM protocol for degree4 functions over \(\mathbb F_q\) (shown in Fig. 7) where both Alice and Bob send \((4n+3)\) elements of \(\mathbb F_q\) and Charlie applies a degree4 reconstruction function over \(\mathbb F_q\).
Proof

the joint distribution of \(\mathbf m^1_A,\mathbf m^2_A,\mathbf m^1_B,\mathbf m^2_B\) is uniformly random, since we are using \((\mathbf b_1,\mathbf b_2,\mathbf c_1,\mathbf c_2)\) as onetime pads;

a is determined by \(\mathbf p,\mathbf m^1_A,\mathbf m^2_A,\mathbf m^1_B,\mathbf m^2_B\) and \(\langle \mathbf p, \mathbf x_1 \otimes \mathbf x_2 \otimes \mathbf y_1 \otimes \mathbf y_2 \rangle \) as \(a = \langle \mathbf p,\mathbf m^1_A\otimes \mathbf m^2_A\otimes \mathbf m^1_B\otimes \mathbf m^2_B \rangle  \langle \mathbf p, \mathbf x_1 \otimes \mathbf x_2 \otimes \mathbf y_1 \otimes \mathbf y_2 \rangle \). The messages in the underlying PSM for inner product can be simulated given just a.
Putting the two together, we can simulate Charlie’s view, consisting of \(\mathbf m^1_A,\mathbf m^2_A\), \(\mathbf m^1_B,\mathbf m^2_B\) and the messages in PSM for inner product, given \(\langle \mathbf p, \mathbf x_1 \otimes \mathbf x_2 \otimes \mathbf y_1 \otimes \mathbf y_2 \rangle \).
The reconstruction is of degree 4. Communication complexity is \(\mathsf {cc}_A = \mathsf {cc}_B = (4n+3) \log q\), each party sends 2n elements as onetime pads of its input, and \(2n+3\) elements for computing the inner product. \(\square \)
5.3 Applications to \(\mathbf {INDEX}_n\) and \(\mathbf {ALL}_N\)
Theorem 5.3
For any integer \(k \ge 1\), there are PSM protocols for \(\mathbf {INDEX}_n\) with: \((\mathsf {cc}_A,\mathsf {cc}_B) = (O(n), k \cdot n^{1/k}+1)\) and degree\((k+1)\) reconstruction.
Note that setting \(k=1\) and \(k=\log n\) yields the folklore constructions described in Fig. 2.
Proof
Theorem 5.4
There are PSM protocols for \(\mathbf {ALL}_N\) with: \((\mathsf {cc}_A,\mathsf {cc}_B) = (\sqrt{N},\sqrt{N})\) and degree4 reconstruction.
Note that such PSM protocols were already shown in [BIKK14] via the use of a 4server PIR; our construction is simpler, and we provide an explicit bound on the complexity of reconstruction.
Proof
The predicate \(\mathbf {ALL}_N\) can be reduced to degree4 function problem defined in Fig. 7.

\(\mathbf p\in \mathbb F_2^{N^2}\) is the true table of the fixed function F, such that for any \(x,y\in [N]\), \(\langle \mathbf p,\mathbf e_x\otimes \mathbf e_y \rangle = F(x,y)\)

Alice holds \(\mathbf x_1 \mathrel {:=}\mathbf e_{i_1} \in \mathbb F_2^{\sqrt{N}}, \mathbf x_2 \mathrel {:=}\mathbf e_{i_2} \in \mathbb F_2^{\sqrt{N}}\) such that \(\mathbf e_{i_1}\otimes \mathbf e_{i_2} = \mathbf e_x\).

Bob holds \(\mathbf y_1 \mathrel {:=}\mathbf e_{i_1} \in \mathbb F_2^{\sqrt{N}}, \mathbf y_2 \mathrel {:=}\mathbf e_{i_2} \in \mathbb F_2^{\sqrt{N}}\) such that \(\mathbf e_{i_1}\otimes \mathbf e_{i_2} = \mathbf e_y\).
Under such reduction, \(\langle \mathbf p, \mathbf x_1\otimes \mathbf x_2\otimes \mathbf y_1\otimes \mathbf y_2 \rangle = \langle \mathbf p, \mathbf e_x\otimes \mathbf e_y \rangle = F(x,y)\). Combining with the PSM protocol for degree4 function in Sect. 5.2, there are PSM protocols for \(\mathbf {ALL}_N\) with \((\mathsf {cc}_A,\mathsf {cc}_B) = O(\sqrt{N},\sqrt{N})\) and degree4 reconstruction.
\(\square \)
Footnotes
 1.
There are two reasons why we work with multilinear polynomials with the tensor product notation: first, it yields a cleaner and more efficient reduction for \(\mathbf {MPOLY}^{k}_{n_1,\ldots ,n_k} \Rightarrow \mathbf {INDEX}_{n_1 \cdots n_k}\) (saving a factor of k), and second, it is easier to work with for our CDS schemes in Sects. 3.1 and 3.2.
 2.
Note that the sums in \(G,G'\) are performed over \(\mathbb Z_3\), whereas the computation in the exponents of \(1\) are performed over \(\mathbb Z_2\). This means that we will treat elements of \(\mathbb Z_6\) (as used in the matching vector family) as elements of \(\mathbb Z_2\) and \(\mathbb Z_3\).
Supplementary material
References
 [AARV17]Applebaum, B., Arkis, B., Raykov, P., Vasudevan, P.N.: Conditional disclosure of secrets: amplification, closure, amortization, lowerbounds, and separations. IACR Cryptology ePrint Archive 2017:164 (2017)Google Scholar
 [ACC+14]Ada, A., Chattopadhyay, A., Cook, S.A., Fontes, L., Koucký, M., Pitassi, T.: The hardness of being private. TOCT 6(1), 1:1–1:24 (2014)MathSciNetCrossRefzbMATHGoogle Scholar
 [Att14]Attrapadung, N.: Dual system encryption via doubly selective security: framework, fully secure functional encryption for regular languages, and more. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 557–577. Springer, Heidelberg (2014). doi: 10.1007/9783642552205_31 CrossRefGoogle Scholar
 [Bei11]Beimel, A.: Secretsharing schemes: a survey. In: Chee, Y.M., Guo, Z., Ling, S., Shao, F., Tang, Y., Wang, H., Xing, C. (eds.) IWCC 2011. LNCS, vol. 6639, pp. 11–46. Springer, Heidelberg (2011). doi: 10.1007/9783642209017_2 CrossRefGoogle Scholar
 [BFG06]Beigel, R., Fortnow, L., Gasarch, W.I.: A tight lower bound for restricted pir protocols. Comput. Complex. 15(1), 82–91 (2006)MathSciNetCrossRefzbMATHGoogle Scholar
 [BGP95]Beimel, A., Gál, A., Paterson, M.: Lower bounds for monotone span programs. In: FOCS, pp. 674–681 (1995)Google Scholar
 [BI01]Beimel, A., Ishai, Y.: On the power of nonlinear secretsharing. In: Proceedings of the 16th Annual IEEE Conference on Computational Complexity, Chicago, Illinois, USA, 18–21 June 2001, pp. 188–202. IEEE Computer Society (2001)Google Scholar
 [BIKK14]Beimel, A., Ishai, Y., Kumaresan, R., Kushilevitz, E.: On the cryptographic complexity of the worst functions. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 317–342. Springer, Heidelberg (2014). doi: 10.1007/9783642542428_14 CrossRefGoogle Scholar
 [BIKO12]Beimel, A., Ishai, Y., Kushilevitz, E., Orlov, I.: Share conversion and private information retrieval. In: Proceedings of the 27th Conference on Computational Complexity, CCC 2012, Porto, Portugal, 26–29 June 2012, pp. 258–268. IEEE Computer Society (2012)Google Scholar
 [BSGV96]Blundo, C., De Santis, A., Gargano, L., Vaccaro, U.: On the information rate of secret sharing schemes. Theor. Comput. Sci. 154(2), 283–306 (1996)MathSciNetCrossRefzbMATHGoogle Scholar
 [BSSV97]Blundo, C., De Santis, A., De Simone, R., Vaccaro, U.: Tight bounds on the information rate of secret sharing schemes. Des. Codes Crypt. 11(2), 107–122 (1997)MathSciNetCrossRefzbMATHGoogle Scholar
 [Bub86]Bublitz, S.: Decomposition of graphs and monotone formula size of homogeneous functions. Acta Inf. 23(6), 689–696 (1986)MathSciNetCrossRefzbMATHGoogle Scholar
 [CGW15]Chen, J., Gay, R., Wee, H.: Improved dual system ABE in primeorder groups via predicate encodings. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 595–624. Springer, Heidelberg (2015). doi: 10.1007/9783662468036_20 Google Scholar
 [CK91]Chor, B., Kushilevitz, E.: A zeroone law for boolean privacy. SIAM J. Discrete Math. 4(1), 36–47 (1991)MathSciNetCrossRefzbMATHGoogle Scholar
 [CKGS98]Chor, B., Kushilevitz, E., Goldreich, O., Sudan, M.: Private information retrieval. J. ACM 45(6), 965–981 (1998)MathSciNetCrossRefzbMATHGoogle Scholar
 [Csi97]Csirmaz, L.: The size of a share must be large. J. Cryptol. 10(4), 223–231 (1997)MathSciNetCrossRefzbMATHGoogle Scholar
 [Csi05]Csirmaz, L.: Secret sharing schemes on graphs. IACR Cryptology ePrint Archive 2005:59 (2005)Google Scholar
 [DG15]Dvir, Z., Gopi, S.: 2server PIR with subpolynomial communication. In: STOC, pp. 577–584 (2015)Google Scholar
 [DGY11]Dvir, Z., Gopalan, P., Yekhanin, S.: Matching vector codes. SIAM J. Comput. 40(4), 1154–1178 (2011)MathSciNetCrossRefzbMATHGoogle Scholar
 [DPP14]Data, D., Prabhakaran, M.M., Prabhakaran, V.M.: On the communication complexity of secure computation. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8617, pp. 199–216. Springer, Heidelberg (2014). doi: 10.1007/9783662443811_12 CrossRefGoogle Scholar
 [Efr09]Efremenko, K.: 3query locally decodable codes of subexponential length. In: STOC, pp. 39–44 (2009)Google Scholar
 [EP97]Erdös, P., Pyber, L.: Covering a graph by complete bipartite graphs. Discrete Math. 170(1–3), 249–251 (1997)MathSciNetCrossRefzbMATHGoogle Scholar
 [FKN94]Feige, U., Kilian, J., Naor, M.: A minimal model for secure computation (extended abstract). In: Leighton, F.T., Goodrich, M.T. (eds.) Proceedings of the TwentySixth Annual ACM Symposium on Theory of Computing, 23–25 May 1994, Montréal, Québec, Canada, pp. 554–563. ACM (1994)Google Scholar
 [GIKM00]Gertner, Y., Ishai, Y., Kushilevitz, E., Malkin, T.: Protecting data privacy in private information retrieval schemes. J. Comput. Syst. Sci. 60(3), 592–629 (2000)MathSciNetCrossRefzbMATHGoogle Scholar
 [GKW15]Gay, R., Kerenidis, I., Wee, H.: Communication complexity of conditional disclosure of secrets and attributebased encryption. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 485–502. Springer, Heidelberg (2015). doi: 10.1007/9783662480007_24 CrossRefGoogle Scholar
 [GPSW06]Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attributebased encryption for finegrained access control of encrypted data. In: ACM Conference on Computer and Communications Security, pp. 89–98 (2006)Google Scholar
 [Gro00]Grolmusz, V.: Superpolynomial size setsystems with restricted intersections mod 6 and explicit ramsey graphs. Combinatorica 20(1), 71–86 (2000)MathSciNetCrossRefzbMATHGoogle Scholar
 [IK97]Ishai, Y., Kushilevitz, E.: Private simultaneous messages protocols with applications. In: ISTCS, pp. 174–184 (1997)Google Scholar
 [IK00]Ishai, Y., Kushilevitz, E.: Randomizing polynomials: a new representation with applications to roundefficient secure computation. In: 41st Annual Symposium on Foundations of Computer Science, FOCS 2000, 12–14 November 2000, Redondo Beach, California, USA, pp. 294–304. IEEE Computer Society (2000)Google Scholar
 [IK02]Ishai, Y., Kushilevitz, E.: Perfect constantround secure computation via perfect randomizing polynomials. In: Widmayer, P., Eidenbenz, S., Triguero, F., Morales, R., Conejo, R., Hennessy, M. (eds.) ICALP 2002. LNCS, vol. 2380, pp. 244–256. Springer, Heidelberg (2002). doi: 10.1007/3540454659_22 CrossRefGoogle Scholar
 [ISN89]Ito, M., Saito, A., Nishizeki, T.: Secret sharing scheme realizing general access structure. Electron. Commun. Jpn (Part III: Fundam. Electron. Sci.) 72(9), 56–64 (1989)MathSciNetCrossRefGoogle Scholar
 [KNR99]Kremer, I., Nisan, N., Ron, D.: On randomized oneround communication complexity. Comput. Complex. 8(1), 21–49 (1999)MathSciNetCrossRefzbMATHGoogle Scholar
 [Lew12]Lewko, A.: Tools for simulating features of composite order bilinear groups in the prime order setting. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 318–335. Springer, Heidelberg (2012). doi: 10.1007/9783642290114_20 CrossRefGoogle Scholar
 [LOS+10]Lewko, A.B., Okamoto, T., Sahai, A., Takashima, K., Waters, B.: Fully secure functional encryption: attributebased encryption and (hierarchical) inner product encryption. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 62–91. Springer, Heidelberg (2010). doi: 10.1007/9783642131905_4 CrossRefGoogle Scholar
 [LW10]Lewko, A.B., Waters, B.: New techniques for dual system encryption and fully secure HIBE with short ciphertexts. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 455–479. Springer, Heidelberg (2010). doi: 10.1007/9783642117992_27 CrossRefGoogle Scholar
 [LW11]Lewko, A.B., Waters, B.: Decentralizing attributebased encryption. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 568–588. Springer, Heidelberg (2011). doi: 10.1007/9783642204654_31 CrossRefGoogle Scholar
 [Nay99]Nayak, A.: Optimal lower bounds for quantum automata and random access codes. In: FOCS, pp. 369–377 (1999)Google Scholar
 [OS08]Ostrovsky, R., Skeith III, W.E.: Communication complexity in algebraic twoparty protocols. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 379–396. Springer, Heidelberg (2008). doi: 10.1007/9783540851745_21 CrossRefGoogle Scholar
 [OT10]Okamoto, T., Takashima, K.: Fully secure functional encryption with general relations from the decisional linear assumption. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 191–208. Springer, Heidelberg (2010). doi: 10.1007/9783642146237_11 CrossRefGoogle Scholar
 [OT12]Okamoto, T., Takashima, K.: Adaptively attributehiding (hierarchical) inner product encryption. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 591–608. Springer, Heidelberg (2012). doi: 10.1007/9783642290114_35. Also, Cryptology ePrint Archive, Report 2011/543CrossRefGoogle Scholar
 [RPRC16]Robere, R., Pitassi, T., Rossman, B., Cook, S.A.: Exponential lower bounds for monotone span programs. In: FOCS, pp. 406–415 (2016)Google Scholar
 [Sha79]Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979)MathSciNetCrossRefzbMATHGoogle Scholar
 [SS97]Sun, H.M., Shieh, S.P.: Secret sharing in graphbased prohibited structures. In: INFOCOM, pp. 718–724 (1997)Google Scholar
 [SW05]Sahai, A., Waters, B.: Fuzzy identitybased encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005). doi: 10.1007/11426639_27 CrossRefGoogle Scholar
 [vD95]van Dijk, M.: On the information rate of perfect secret sharing schemes. Des. Codes Crypt. 6(2), 143–169 (1995)MathSciNetCrossRefzbMATHGoogle Scholar
 [VV15]Vaikuntanathan, V., Vasudevan, P.N.: Secret sharing and statistical zero knowledge. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 656–680. Springer, Heidelberg (2015). doi: 10.1007/9783662487976_27 CrossRefGoogle Scholar
 [Wat09]Waters, B.: Dual system encryption: realizing fully secure IBE and HIBE under simple assumptions. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 619–636. Springer, Heidelberg (2009). doi: 10.1007/9783642033568_36 CrossRefGoogle Scholar
 [Wee14]Wee, H.: Dual system encryption via predicate encodings. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 616–637. Springer, Heidelberg (2014). doi: 10.1007/9783642542428_26 CrossRefGoogle Scholar
 [WY05]Woodruff, D.P., Yekhanin, S.: A geometric approach to informationtheoretic private information retrieval. In: CCC, pp. 275–284 (2005)Google Scholar
 [Yek08]Yekhanin, S.: Towards 3query locally decodable codes of subexponential length. J. ACM 55(1), 1:1–1:16 (2008)MathSciNetCrossRefzbMATHGoogle Scholar