Upslices, Downslices, and Secret-Sharing with Complexity of \(1.5^n\)

Abstract

A secret-sharing scheme allows to distribute a secret s among n parties such that only some predefined “authorized” sets of parties can reconstruct the secret, and all other “unauthorized” sets learn nothing about s. The collection of authorized/unauthorized sets can be captured by a monotone function \(f:\{0,1\}^n\rightarrow \{0,1\}\). In this paper, we focus on monotone functions that all their min-terms are sets of size a, and on their duals – monotone functions whose max-terms are of size b. We refer to these classes as (a, n)-upslices and (b, n)-downslices, and note that these natural families correspond to monotone a-regular DNFs and monotone \((n-b)\)-regular CNFs. We derive the following results.

1. 1.

   (General downslices) Every downslice can be realized with total share size of \(1.5^{n+o(n)}<2^{0.585 n}\). Since every monotone function can be cheaply decomposed into n downslices, we obtain a similar result for general access structures improving the previously known \(2^{0.637n+o(n)}\) complexity of Applebaum, Beimel, Nir and Peter (STOC 2020). We also achieve a minor improvement in the exponent of linear secrets sharing schemes.

2. 2.

   (Random mixture of upslices) Following Beimel and Farràs (TCC 2020) who studied the complexity of random DNFs with constant-size terms, we consider the following general distribution F over monotone DNFs: For each width value \(a\in [n]\), uniformly sample \(k_a\) monotone terms of size a, where \(\mathbf{k}=(k_1,\ldots ,k_n)\) is an arbitrary vector of non-negative integers. We show that, except with exponentially small probability, F can be realized with share size of \(2^{0.5 n+o(n)}\) and can be linearly realized with an exponent strictly smaller than 2/3. Our proof also provides a candidate distribution for “exponentially-hard” access structure.

We use our results to explore connections between several seemingly unrelated questions about the complexity of secret-sharing schemes such as worst-case vs. average-case, linear vs. non-linear and primal vs. dual access structures. We prove that, in at least one of these settings, there is a significant gap in secret-sharing complexity.

A Omitted Preliminaries

We formally define four different types of “slice access structures” that will be used as key components in our general constructions. Throughout this section, we fix some complete access structure f over n parties. The following definitions were extensively used by [26]. For string \(x,x'\in \{0,1\}^n\), we write \(x\le x'\) if for every \(i\in [n]\), \(x_i\le x'_i\). We let \({\text {wt}}(x)\) denote the Hamming weight of x.

Definition A.1

(Slices and Multislices). For \(a\le b\in [n]\), we define the (a : b)-multislice of f to be the access structure \(F:\{0,1\}^n\rightarrow \{0,1\}\) for which

$$ F(x) = {\left\{ \begin{array}{ll} 0 &{} {if } {\text {wt}}(x)<a \\ f(x) &{} {if } {\text {wt}}(x)\in [a,b] \\ 1 &{} {if } {\text {wt}}(x)>b \end{array}\right. } .$$

We say that F is (a : b, n)-multislice access-structure (or just (a : b, n)-slice) if F is an (a : b)-multislice of some n-party access structure f. An (a : a)-multislice is refereed to as an a-slice.

As already mentioned, our constructions strongly exploit the following fine-grained variants of slice access structures.

Definition A.2

(Upslices). For \(a\in [n]\), we define the a-upslice of f to be the access structure \(F:\{0,1\}^n\rightarrow \{0,1\}\) for which

$$ F(x) = {\left\{ \begin{array}{ll} 0 &{} { {if}} {\text {wt}}(x)<a \\ f(x) &{} { {if}} {\text {wt}}(x)=a \\ 1 \iff \quad \exists x': {\text {wt}}(x')=a, x'\le x, f(x')=1 &{} {if} {\text {wt}}(x)>a \end{array}\right. } .$$

We say that F is an (a, n)-upslice access structure (or just (a, n)-upslice) if F is an (a, n)-upslice of some n-party access structure f.

Observe that F is (a, n)-upslice if and only if all its min-terms are at level a.

Definition A.3

(Downslices). For \(b\in [n]\), we define the b-downslice of f to be the access structure \(F:\{0,1\}^n\rightarrow \{0,1\}\) for which

$$ F(x) = {\left\{ \begin{array}{ll} 0 \iff \exists x': {\text {wt}}(x')=b, x\le x', f(x')=0 &{} {if} {\text {wt}}(x)<b \\ f(x) &{} {if} {\text {wt}}(x)=b \\ 1 &{} {if} {\text {wt}}(x)>b \end{array}\right. } .$$

We say that F is a (b, n)-downslice access structure (or just (b, n)-downslice) if F is a b-slice of some n-party access structure f.

Observe that F is a (b, n)-downslice if and only if all its max-terms are at level b.