1 Introduction

For a finite alphabet \(\varSigma \), a distribution \(\mu \) over \(\varSigma ^n\) is k-wise independent if its projection to every k coordinates is uniform. There is a large body of work studying bounded independence, namely, the conditions under which a given function \(f{:}\varSigma ^n \rightarrow \mathrm {\{0,1\}}\) cannot distinguish between any distribution on n bits that is k-wise independent and the uniform distribution with advantage \(\mathrm {\epsilon }\), for various choices of \(\mathrm {\epsilon }\) and k. Classes of functions that are fooled by bounded independence include combinatorial rectangles [23], small-depth circuits [7, 9, 32, 40, 45], and sign polynomials [19, 20], to name a few.

In this work we consider a relaxation of bounded independence that we call bounded indistinguishability. Two distributions \(\mu \) and \(\nu \) over \(\varSigma ^n\) are k-wise indistinguishable if for all subsets \(S \subseteq [n]\) of size k, the projections \(\mu |_S\) and \(\nu |_S\) of \(\mu \) and \(\nu \) to the coordinates in S are identical. For instance, if \(\mu \) (resp., \(\nu \)) is uniform over n-bit strings whose parity is 0 (resp., 1), then \(\mu \) and \(\nu \) are both \((n-1)\)-wise independent and hence are also \((n-1)\)-wise indistinguishable. However, if we let \(\mu '=\mu \circ \mu \) (i.e., a concatenation of two identical copies of \(\mu \)) and similarly \(\nu '=\nu \circ \nu \), then \(\mu '\) and \(\nu '\) are still \((n-1)\)-wise indistinguishable but are not even 2-independent.

Bounded indistinguishability arises naturally in cryptographic applications that involve secret sharing or secure multiparty computation. We will be interested in the complexity of distinguishing between two k-wise indistinguishable distributions.

Definition 1

For \(\mathrm {\epsilon }\in (0,1)\), we say that a function \(f{:}\varSigma ^n \rightarrow \mathrm {\{0,1\}}\) is \(\mathrm {\epsilon }\) -fooled by k -wise indistinguishability if for any two k-wise indistinguishable distributions \(\mu \) and \(\nu \) over \(\varSigma ^n\), \(\left| \Pr [f(\mu )=1] - \Pr [f(\nu )=1]\right| \le \mathrm {\epsilon }\).

Our goal is to understand which functions f are fooled by k-wise indistinguishability. For instance, polylogarithmic independence fools all AC\(^0\) circuits [9]. Is this also the case for polylogarithmic indistinguishability?

We start by observing that over the binary alphabet \(\varSigma = \mathrm {\{0,1\}}\), whether f is fooled by k-wise indistinguishability is closely related to the approximate degree of f, a notion introduced in the seminal work of Nisan and Szegedy [35]. This connection is central to our work so we formalize it next. The \(\mathrm {\epsilon }\)-approximate degree of a function \(f {:} \mathrm {\{0,1\}}^n \rightarrow \mathrm {\{0,1\}}\) is defined to be the smallest degree of a real-valued polynomial \(p {:} \mathrm {\{0,1\}}^n \rightarrow \mathbb {R}\) such that \(|f(x) - p(x)| \le \mathrm {\epsilon }\) for every \(x \in \mathrm {\{0,1\}}^n\).

Theorem 1

For every n, k, \(\mathrm {\epsilon }\in (0,1)\), and \(f{:}\mathrm {\{0,1\}}^n \rightarrow \mathrm {\{0,1\}}\), the following are equivalent:

  1. f is not \(\mathrm {\epsilon }\)-fooled by k-wise indistinguishability.

  2. The \(\mathrm {\epsilon }/2\)-approximate degree of f is bigger than k.

Proof

It follows from linear programming duality (see for example Sect. 3 in [42] or Theorem 1 in [11]) that 2. is equivalent to the following statement:

  3. There exists a function \(g{:} \mathrm {\{0,1\}}^n \rightarrow \mathbb {R}\) such that (i) \(\sum _{x\,\in \,\{0,1\}^{n}} g(x)f(x) > \mathrm {\epsilon }/2\), (ii) \(\sum _{x} \left| g(x)\right| =1\), and (iii) \(\sum _{x}g(x) \prod _{i\,\in \,S} x_i = 0\) for every set \(S \subseteq [n]\) of size at most k (including the empty set).

We now show that 1. and 3. are equivalent. To see that 1. implies 3., we assume without loss of generality that \(\Pr [f(\mu )=1] - \Pr [f(\nu )=1]>\mathrm {\epsilon }\) and set \(g(x) = \frac{1}{2C}(\mu (x) - \nu (x))\), where C is the statistical distance between \(\mu \) and \(\nu \). The first two requirements for g are immediate. The third requirement follows from k-wise indistinguishability of \(\mu \) and \(\nu \).

To see that 3. implies 1., set \(\mu (x) = 2\max \{g(x),0\}\) and \(\nu (x) = 2\max \{-g(x),0\}\). Since \(\sum g(x) = 0\) and \(\sum |g(x)| = 1\), we have \(\sum \mu (x) = \sum \nu (x) = 1\) and so \(\mu \) and \(\nu \) are probability distributions. Condition (i) implies that \(\Pr [f(\mu ) = 1] - \Pr [f(\nu ) = 1] > \mathrm {\epsilon }\). Finally, by linearity we have that condition (iii) implies that \(\mu \) and \(\nu \) are indistinguishable by k-juntas so they are k-wise indistinguishable.    \(\square \)
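As an added example (not code from the paper), the following Python script checks the definitions above on the parity distributions from the introduction and carries out both directions of the proof of Theorem 1: it builds g from \((\mu, \nu)\), verifies conditions (i)-(iii), and recovers \((\mu, \nu)\) from g. The function names (parity_pair, dual_from_pair, check_dual, and so on) are my own, and exact rational arithmetic is used so that equality of projections is tested exactly.

```python
from itertools import product, combinations
from fractions import Fraction

def parity(x):
    return sum(x) % 2

def is_even(x):
    # f(x) = 1 exactly when the parity of x is 0: the distinguisher for mu vs nu
    return 1 - parity(x)

def projection(dist, S):
    """Marginal of a distribution (dict: bit tuple -> probability) on coordinates S."""
    out = {}
    for x, p in dist.items():
        key = tuple(x[i] for i in S)
        out[key] = out.get(key, 0) + p
    return out

def k_wise_indistinguishable(mu, nu, k, n):
    """Definition from the introduction: every k-coordinate projection agrees."""
    return all(projection(mu, S) == projection(nu, S) for S in combinations(range(n), k))

def k_wise_independent(mu, k, n):
    """Bounded independence: every k-coordinate projection is uniform."""
    uniform = {x: Fraction(1, 2 ** k) for x in product((0, 1), repeat=k)}
    return all(projection(mu, S) == uniform for S in combinations(range(n), k))

def parity_pair(n):
    """mu uniform over even-parity strings, nu uniform over odd-parity strings."""
    evens = [x for x in product((0, 1), repeat=n) if parity(x) == 0]
    odds = [x for x in product((0, 1), repeat=n) if parity(x) == 1]
    return ({x: Fraction(1, len(evens)) for x in evens},
            {x: Fraction(1, len(odds)) for x in odds})

def concat(dist):
    """mu' = mu o mu: the same sample written twice."""
    return {x + x: p for x, p in dist.items()}

def advantage(f, mu, nu):
    """Pr[f(mu) = 1] - Pr[f(nu) = 1]."""
    return (sum(p for x, p in mu.items() if f(x))
            - sum(p for x, p in nu.items() if f(x)))

def dual_from_pair(mu, nu):
    """Direction 1 -> 3: g = (mu - nu) / (2C) with C the statistical distance."""
    keys = set(mu) | set(nu)
    C = sum(abs(mu.get(x, 0) - nu.get(x, 0)) for x in keys) / 2
    return {x: (mu.get(x, 0) - nu.get(x, 0)) / (2 * C) for x in keys}

def pair_from_dual(g):
    """Direction 3 -> 1: mu = 2 max(g, 0), nu = 2 max(-g, 0)."""
    return ({x: 2 * v for x, v in g.items() if v > 0},
            {x: -2 * v for x, v in g.items() if v < 0})

def check_dual(g, f, k, n, eps):
    """Conditions (i)-(iii) on g from the proof of Theorem 1."""
    i = sum(v for x, v in g.items() if f(x)) > Fraction(eps) / 2
    ii = sum(abs(v) for v in g.values()) == 1
    # (iii): g is orthogonal to every monomial of degree <= k, the empty set included
    iii = all(sum(v for x, v in g.items() if all(x[j] for j in S)) == 0
              for size in range(k + 1) for S in combinations(range(n), size))
    return i and ii and iii

def run_checks(n):
    """The introduction's parity example plus a round trip through Theorem 1."""
    mu, nu = parity_pair(n)
    mu2, nu2 = concat(mu), concat(nu)
    g = dual_from_pair(mu, nu)
    return {
        "parity pair is (n-1)-wise indistinguishable": k_wise_indistinguishable(mu, nu, n - 1, n),
        "parity pair is (n-1)-wise independent": k_wise_independent(mu, n - 1, n),
        "concatenation stays (n-1)-wise indistinguishable": k_wise_indistinguishable(mu2, nu2, n - 1, 2 * n),
        "concatenation is not even 2-wise independent": not k_wise_independent(mu2, 2, 2 * n),
        "f = is_even distinguishes with advantage 1": advantage(is_even, mu, nu) == 1,
        "g built from (mu, nu) satisfies (i)-(iii)": check_dual(g, is_even, n - 1, n, Fraction(1, 2)),
        "(mu, nu) recovered from g": pair_from_dual(g) == (mu, nu),
    }

if __name__ == "__main__":
    for name, ok in run_checks(4).items():
        print(f"{name}: {ok}")
```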

As a corollary, we get a similar connection between being non-trivially fooled by bounded indistinguishability and threshold degree, a notion introduced in the classical work of Minsky and Papert [33]. Recall that the threshold degree of a function \(f {:} \mathrm {\{0,1\}}^n \rightarrow \mathrm {\{0,1\}}\) is the smallest degree of a real-valued polynomial \(p {:} \mathrm {\{0,1\}}^n \rightarrow \mathbb {R}\) such that the sign of p(x) corresponds to f(x) for every \(x \in \mathrm {\{0,1\}}^n\).

Corollary 1

For every n, k and \(f{:} \mathrm {\{0,1\}}^n \rightarrow \mathrm {\{0,1\}}\), the following are equivalent:

  1. There is a pair of k-wise indistinguishable distributions \(\mu ,\nu \) that are perfectly distinguished by f, namely \(\left| \Pr [f(\mu ) = 1] - \Pr [f(\nu ) = 1]\right| =1\).

  2. The threshold degree of f is bigger than k.

Combining the above with known results on approximate degree, we conclude that bounded indistinguishability over \(\varSigma = \mathrm {\{0,1\}}\) behaves very differently from bounded independence. For example, O(1)-wise independence suffices to 1/3-fool the OR function on n bits, but \(\varOmega (\sqrt{n})\)-wise indistinguishability is required, due to the corresponding lower bound on the approximate degree of OR [35]. This answers the aforementioned question of whether polylogarithmic indistinguishability fools AC\(^0\) in the negative. A separation of \(\varOmega (n)\) is achieved by the Majority function: O(1)-wise independence suffices to 1/3-fool this function [19], but \(\varOmega (n)\)-wise indistinguishability is required by Paturi’s lower bound [38].

We turn to study the case of larger alphabets \(\varSigma \). Here the equivalence with previously studied notions seems to break down. We restrict the attention to alphabets of the form \(\varSigma = \mathrm {\{0,1\}}^s\), viewing the function f as being computed by a circuit with sn input bits. This setting comes up naturally in cryptographic applications, as explained below. But first we remark that, over such larger alphabets, we construct “simple” functions f that are not fooled by k-wise indistinguishability for much larger values of k than what is known for \(\varSigma = \mathrm {\{0,1\}}\). For example, over \(\varSigma = \mathrm {\{0,1\}}^{\mathrm {{poly}}(n)}\) we show that \((n - n/\mathrm {{poly}}\log n)\)-wise indistinguishability does not \((1-2^{-n})\)-fool \(\mathrm {AC}^0\) (Theorem 2), and that 0.99n-wise indistinguishability does not 0.99-fool DNF (Corollary 10). In contrast, over alphabet \(\varSigma = \mathrm {\{0,1\}}\) it is only known that \( \tilde{\varOmega }\left( {n^{{2/3}} } \right) \)-wise indistinguishability does not fool \(\mathrm {AC}^0\) (by work of Aaronson and Shi [2] and Theorem 1).

1.1 Secret Sharing Schemes

A secret sharing scheme allows a dealer to share a secret between n parties, so that any k parties learn nothing about the secret from their shares whereas any r parties can reconstruct the secret from their shares. Unlike the case of threshold secret sharing, where \(r=k+1\), we allow a bigger gap between r and k. Such secret sharing schemes are often referred to as ramp schemes.

We are interested in the computational complexity of sharing and (especially) reconstructing secrets. A simple secret sharing scheme for \(k=n-1\) and \(r=n\) shares a bit s into n bits \(s_1,\ldots ,s_n\) that are random subject to the restriction that their parity is s. This scheme cannot be implemented by constant depth circuits (in the class \(\mathrm {AC}^0\)) as reconstruction requires computing the parity of n bits. Other secret sharing schemes, such as Shamir’s [41], employ linear functions over finite fields and suffer from the same limitation.

A pair of k-wise indistinguishable distributions \((\mu , \nu )\), together with a function f that can tell the two distributions apart, can be viewed as a secret sharing scheme for a one-bit secret: Shares of 0 and 1 are samples of \(\mu \) and \(\nu \), respectively, and f is the reconstruction algorithm. Applying this connection together with techniques for sampling by constant-depth circuits, we obtain the following secret sharing scheme in the class \(\mathrm {AC}^0\).

Theorem 2

(Secret sharing in \(\mathrm {AC}^0\) ). Let d be a constant. For every n and \(\delta \) there exist:

  • Sharing in \(\mathrm {AC}^0\): circuits \(S_0, S_1\) of constant depth and size \(\mathrm {{poly}}(n, \log 1/\delta )\) that sample \((n - n/(\log n)^d)\)-wise indistinguishable distributions \(\mu , \nu \) over \(\varSigma ^n\), \(\varSigma = \mathrm {\{0,1\}}^{\mathrm {{poly}}(n)}\),

  • Reconstruction in \(\mathrm {AC}^0\): a circuit R of size \(\mathrm {{poly}}(n)\) and depth \(d+O(1)\) such that \(\Pr [R(\mu ) = 0] \ge 1-\delta \) and \(\Pr [R(\nu ) = 1] \ge 1-\delta \).

Moreover, the circuits \(S_0\), \(S_1\), and R can be constructed deterministically in time polynomial in n and \(\log 1/\delta \).

Theorem 2 gives an explicit construction, but requires that all n parties participate in reconstruction. If one does not insist on a fully explicit construction and settles for a probabilistic construction that fails with negligible probability, the secrecy-recovery gap can be moved to an arbitrary location: In Theorem 13 we obtain an \(\mathrm {AC}^0\) secret sharing scheme that provides secrecy against any \(\sigma n\) parties and allows reconstruction by any \(\rho n\) parties for any pair of constants \(0 \le \sigma < \rho \le 1\) and sufficiently large n.

We obtain several other schemes with incomparable features. If we do not insist on sharing in AC\(^0\) and only require that reconstruction be done in AC\(^0\), then we can achieve similar results with perfect reconstruction (\(\delta = 0\)). This variant builds on Corollary 1 and known results on the threshold degree of DNF [33]. Alternatively, we can strengthen Theorem 2 by allowing an AC\(^0\) sharing algorithm that indicates failure with probability \(\delta \), but otherwise supports perfect reconstruction. In Corollary 10, we improve the reconstruction function complexity to a polynomial-size DNF formula (with terms of size \(O(\log n)\)), at the cost of a small constant reconstruction error and a slightly worse secrecy threshold.

Finally, we complement the above positive results with some negative results, showing limitations of secret reconstruction by disjunctions of juntas (Theorem 17) or small decision trees (Theorem 19). In particular, the negative results imply that the positive result of Corollary 10 for DNF reconstruction does not hold if the secrecy threshold is much closer to n or if the DNF is restricted to have a polynomial-size decision tree.

Techniques. In Sect. 2 we rephrase known results on approximate degree in the language of secret sharing using the connection in Theorem 1. The resulting schemes have \(\mathrm {AC}^0\) reconstruction, but achieve somewhat poor secrecy (\(k \le n^{2/3}\)) and do not come with algorithms for sampling the shares. In Sect. 2.1 we show that the distributions of the shares can be sampled in AC\(^0\). Then, in Sect. 2.2 we give a reduction that trades alphabet size for secrecy, allowing us to derive our main positive results. This reduction makes use of unbalanced disperser graphs. Our negative results, presented in Sect. 2.4, are obtained by reducing the large alphabet to a binary alphabet using a suitable set system, and then using Fourier analysis for obtaining the negative result in the binary case.

Related work. The randomized encoding technique of Applebaum et al. [6] can transform any secret sharing scheme into one where the shares are sampled by circuits in which each output depends on a fixed number of random bits (i.e., in the class \(\mathrm {NC}^0\)), but at the cost of further increasing the complexity of reconstruction. Druk and Ishai [21] and Cramer et al. [16] consider the question of minimizing the circuit size of secret sharing. They construct near-threshold schemes (i.e., with \(r=(1+\epsilon )\cdot k\)) in which sharing and reconstruction can be performed by circuits of size O(n); however, the depth of these circuits is logarithmic in n. The above results left open the existence of nontrivial secret sharing schemes in which reconstruction can be done by constant depth circuits or by other “simple” nonlinear functions, even when the computational complexity of sharing the secret is unbounded.

1.2 Visual Cryptography

Naor and Shamir [34] initiated the study of “visual cryptography” — a method for sharing secrets which allows for a physical implementation using transparencies. It can be phrased as a secret sharing scheme with \(\ell \)-bit shares, where reconstruction proceeds by first applying bitwise-OR to the shares and then applying an approximate threshold function (with constant fractional threshold gap). The bitwise-OR is implemented by physically stacking transparencies, and the approximate threshold function is implemented by visually distinguishing between \(\ell \)-tuples of bits (pixels) that have a low Hamming weight and those that have a high Hamming weight. The ratio between the threshold gap and \(\ell \) is referred to as the contrast.

It is known that the optimal contrast of such visual schemes vanishes exponentially with the secrecy parameter k [30, 34], assuming that one requires sharp threshold reconstruction by any subset of \(r = k + 1\) parties. The latter assumption has been made in all works on visual cryptography we are aware of.

In Sect. 2.3 we give a visual “ramp scheme” that allows a quadratic gap between the secrecy and reconstruction thresholds:

Theorem 3

(Visual Secret Sharing). For every n and r there exists a pair of distributions \(\mu , \nu \) over \(\mathrm {\{0,1\}}^n\) that are \(\varOmega (\sqrt{r})\)-wise indistinguishable so that for every subset \(S \subseteq [n]\) of size r,

$$ \left| \Pr [\mathrm {OR}(\mu |_S) = 1] - \Pr [\mathrm {OR}(\nu |_S) = 1]\right| \ge 0.2. $$

Moreover, \(\mu \) and \(\nu \) are samplable by explicit circuits \(S_0, S_1\) of constant depth and size polynomial in n.

The benefits are a dramatic improvement in contrast, making it independent of k and visually noticeable even for large k, as well as shorter (1-bit) shares and simpler reconstruction. The latter two properties are also achieved by other probabilistic visual schemes from the literature [15, 31]. However, this is the first visual scheme whose (probabilistic) contrast does not vanish exponentially with k. To give a better sense of the achievable parameters, in Appendix A we give some specific parameter choices along with an image demonstrating the level of contrast we achieve.

1.3 Additional Cryptographic Applications

The above positive results for secret sharing rely on functions f that are not fooled by bounded indistinguishability. Such functions can be used to recover a secret from its shares. We observe that when f is fooled by bounded indistinguishability, this has positive consequences for leakage-resilient cryptography. Concretely, in every implementation of a cryptographic primitive that guarantees local secrecy, in the sense that different values of the underlying secrets induce k-wise indistinguishable distributions of the internal state, leaking the output of f on the internal state does not compromise the secrets.

Therefore all secret sharing schemes with a sufficiently high secrecy parameter k protect the secret against global leakage functions that output few bits, where each output bit has a low approximate degree (significantly smaller than k). More concretely:

Theorem 4

There exists a universal constant C such that the following holds. Let \(\mu ,\nu \) be k-wise indistinguishable distributions over \(\mathrm {\{0,1\}}^n\). Let \(L{:}\{0,1\}^n\rightarrow \{0,1\}^t\) be a leakage function such that the 1/3-approximate degree of each of its t outputs is at most d. Then the statistical distance between \(L(\mu )\) and \(L(\nu )\) is bounded by \(\delta \), provided that \(k\ge Cdt(t+\log \frac{1}{\delta })\).

This theorem can be applied to leakage functions whose outputs are computed by small decision trees or disjunctions of small juntas. It can also be applied to establish leakage resilience of protocols for secure multiparty computation and the related object of “private circuits.” See Sects. 3.1 and 3.2 for more details and concrete applications.

Eliminating Selective Failure Attacks. The above applications can be relevant to any \(f{:}\varSigma ^n\rightarrow \mathrm {\{0,1\}}\) that is fooled by bounded indistinguishability. We show that the special case where \(f=\mathrm {OR}\) can be useful for eliminating so-called “selective failure” attacks. A selective failure attack is an attack that makes a computation fail only if the input satisfies some predicate. Such attacks enable an adversary to tamper with the computation and learn a bit of information about the secret input even when the tampering is detected and the output is replaced by an indication of failure. Selective failure attacks arise in different areas of cryptography and are often difficult to protect against.

We propose the following natural methodology for protecting against such attacks. Suppose that the computation of g(w) can be reduced to n sub-computations \(g_1(w_1),\ldots , g_n(w_n)\), where each k of the \(w_i\) jointly hide w. The computation of g via this reduction fails if at least one of the sub-computations fails. Assume further that an adversary tampers with each sub-computation \(g_i\) by choosing an arbitrary function of \(F_i(w_i)\) that determines whether this sub-computation fails. Then, a corollary of Theorem 4 (with \(t=1\) and \(L=\mathrm {OR}\)) is that if \(k\gg \sqrt{n}\) (the approximate degree of OR), then no tampering strategy can significantly correlate the event of failure with w. In the full version [8] we describe a simple concrete application of this methodology to eliminating selective failure attacks in error-detecting coding schemes.

Organization. In Sect. 2 we present our results on secret sharing. In Sect. 2.4 we prove our negative results and in Sect. 3 we give the details of some of the additional cryptographic applications described above. In Appendix D we discuss an approximate notion of bounded indistinguishability.

2 Secret Sharing

In this section we prove our results on secret sharing. Our starting observation is that bounded indistinguishability is closely related to the complexity of secret sharing. Specifically, the distributions \(\mu \) and \(\nu \) over \(\varSigma ^n\) capture the joint distributions of shares obtained by sharing the secrets 0 and 1, respectively. The k-wise indistinguishability of the distributions corresponds to the parties gaining no information from any k shares. However, if bounded indistinguishability does not fool some function \(f{:}\varSigma ^n \rightarrow \mathrm {\{0,1\}}\) we can think of f as the reconstruction function that maps the shares back to the secret.

In this setting it is natural to think of the distinguishing advantage as being close to (and ideally equal to) one. We will be interested in the complexity of the function f as well as the complexity of sampling \(\mu \) and \(\nu \).

A different connection between secret sharing and approximation theory is obtained in the visual cryptography literature [34] (see also [30] and the citations therein). However, it was confined to analyzing the so-called contrast of visual cryptography schemes.

We give next a formal definition of secret sharing for a one-bit secret.

Definition 2

An (n, k, r) bit secret sharing scheme with alphabet \(\varSigma \), reconstruction function \(f{:}\varSigma ^r \rightarrow \mathrm {\{0,1\}}\) and reconstruction advantage \(\alpha \) is a pair of distributions \(\mu \) and \(\nu \) over \(\varSigma ^n\) such that \(\mu \) and \(\nu \) are k-wise indistinguishable but for every set S of size r we have \(\Pr [f(\mu |_S) = 1] - \Pr [f(\nu |_S) = 1] \ge \alpha \). Here \(\mu |_S\) is the projection of \(\mu \) to the symbols in S, and similarly for \(\nu \). The secret sharing scheme has perfect reconstruction if \(\alpha = 1\). The scheme is explicit if f is explicit and there are explicit algorithms to sample \(\mu \) and \(\nu \).

As mentioned earlier, the distributions \(\mu \) and \(\nu \) are the joint distributions of shares obtained by sharing the secret 0 and 1, respectively. We sometimes omit reference to the alphabet when \(\varSigma = \{0, 1\}\) and omit r from the notation when \(r = n\).

We note that Item 1. in Theorem 1 is equivalent to the assertion that there exists an (n, k) bit secret sharing scheme (with \(r=n\) and one-bit shares) with reconstruction function f having reconstruction advantage \(\mathrm {\epsilon }\). Item 1. in Corollary 1 is equivalent to the assertion that there exists a similar scheme with perfect reconstruction.

Theorem 1, combined with the body of works on approximate and threshold degree immediately gives the following consequences.

Corollary 2

The following secret sharing schemes over \(\varSigma =\{0,1\}\) exist:

  1. An \((n, \varOmega (\sqrt{\delta n}))\) bit secret sharing scheme with reconstruction by OR with advantage \(1 - \delta \), for any \(\delta \).

  2. An \((n, \varOmega (n))\) bit secret sharing scheme with reconstruction by majority with constant advantage.

  3. An \((n, \varOmega ((n/\log n)^{2/3}))\) bit secret sharing scheme with reconstruction by the element distinctness DNF and constant reconstruction advantage.

  4. An \((n, \varOmega (n^{1/3}))\) bit secret sharing scheme with perfect reconstruction by the DNF \(AND_{n^{1/3}} \circ OR_{n^{2/3}}\).

  5. An \((n, \varOmega (\sqrt{n}))\) bit secret sharing scheme with perfect reconstruction by some \(\mathrm {AC}^0\) function.

Proof

The schemes follow from Theorem 1 and the following works: 1. by Nisan and Szegedy [35] and refinements by Bun and Thaler [11] (Proposition 14); 2. by Paturi [38]; 3. by Aaronson and Shi [2]; 4. by Minsky and Papert [33]; and 5. by Sherstov [43].

These results show that for an interesting range of parameters, the reconstruction procedure of a secret sharing scheme can be implemented by simple functions, and in particular by constant depth circuits.

Bounded Independence Versus Bounded Indistinguishability. In many secret sharing schemes (e.g., Shamir’s scheme [41] over a field of characteristic 2), the distributions \(\mu \) and \(\nu \) are not only k-wise indistinguishable but also k-wise independent. Such distributions cannot be distinguished by \(\mathrm {AC}^0\) functions and sign polynomials of degree 2 unless k is at most polylogarithmic in n. In contrast, the above examples exhibit k-wise indistinguishable distributions that are distinguishable by such functions even when k grows polynomially with n.

Remark 5

Aaronson [1] considers a different relaxation of bounded independence that has a dramatic effect on distinguishability by \(\mathrm {AC}^0\) functions. He considers distributions where for any k bits the probability that those bits take any fixed value is within \(\mathrm {\epsilon }2^{-k}\) of \(2^{-k}\), and gives a family of depth 3 polynomial-size circuits that distinguishes such a distribution from a uniform one with constant advantage for any k and \(\mathrm {\epsilon }=k\cdot \mathrm {{poly}}\log (n)/n\).

2.1 Sampling the Shares in AC\(^0\)

In this section we show the existence of secret sharing schemes in which sharing the secret can be performed by constant-depth circuits, i.e., in the class \(\mathrm {AC}^0\), and reconstructing the secret can be done by a “simple” function. (As discussed in Sect. 1.1, the problem of minimizing the complexity of sharing alone is much simpler and can be solved via the techniques of [6].)

We start by showing how to sample distributions that are exponentially close to the k-wise indistinguishable distributions corresponding to the schemes we described. In Appendix C we give a refinement that gives distributions that are (exactly) k-wise indistinguishable, i.e., we achieve perfect secrecy.

Theorem 6

For schemes 1. to 4. in Corollary 2 there exist pairs of circuit families of constant depth and size polynomial in n and \(\log (1/\mathrm {\epsilon })\) that sample distributions within statistical distance \(\mathrm {\epsilon }\) of \(\mu \) and \(\nu \), respectively.

We leave the existence of efficient samplers for scheme 5. as an open question.

Note that we can achieve statistical distance \(\mathrm {\epsilon }= 2^{- n^c}\) for any constant c with circuits of size \(\mathrm {{poly}}(n)\). The reason for this loss in statistical distance is that our distributions over the shares have probability masses that may not be powers of two, and so if we want to sample them using random bits we have to incur some slight error.

We now give the proof of this theorem. Our analysis relies on known explicit constructions of “dual polynomials,” i.e., of the function g in Item 3. in Theorem 1. This area of research has been quite active since Špalek [44] gave the first explicit dual polynomial for OR.

Let \(\varGamma \) be a group of permutations acting on [n]. Then \(\varGamma \) also acts on \(\mathrm {\{0,1\}}^n\) by permuting the coordinates. The next claim is immediate.

Claim 7

Let \(\varGamma \) be a group of permutations on [n]. Assume \(f(x) = f(\sigma x)\) for all \(x \in \{0, 1\}^n\) and all \(\sigma \in \varGamma \). If \((\mu , \nu )\) is an (n, k, r) bit secret sharing scheme with reconstruction function f and advantage \(\alpha \), then so is \((\overline{\mu }, \overline{\nu })\) where

$$\begin{aligned} \overline{\mu }(x) = {{\mathrm{E}}}_{\sigma \sim \varGamma }[\mu (\sigma x)] \quad \text {and}\quad \overline{\nu }(x) = {{\mathrm{E}}}_{\sigma \sim \varGamma }[\nu (\sigma x)]. \end{aligned}$$

In particular, if f is symmetric under permutation of its input coordinates, then the distributions \(\mu \) and \(\nu \) can be assumed to assign the same probability to all strings of the same Hamming weight. These \(n+1\) probabilities can be found in polynomial time by solving a linear program.

Moreover, we argue that in such a case \(\mu \) is \(\mathrm {AC}^0\)-samplable; the same argument applies to \(\nu \). Let \(\mu '\) be the distribution on Hamming weights induced by \(\mu \). To sample from \(\mu \), we first sample a weight \(w \in \{0, \dots , n\}\) from \(\mu '\), then output a random permutation of the string \(1^w0^{n-w}\). Both of these steps can be implemented in \(\mathrm {AC}^0\); cf. [47].

Therefore secret sharing with reconstruction by OR and majority can both be implemented in \(\mathrm {AC}^0\).

A description of the bit sharing scheme for element distinctness can be extracted from the work of Bun and Thaler [12]. They first construct a bit secret sharing scheme for a partial function f whose inputs are strings of length N over an alphabet \(\varSigma \) of size O(N). In the yes inputs of f all symbols are distinct, while in the no inputs all symbols occur exactly twice. Their distributions \(\mu \) and \(\nu \) are supported on strings where m/a symbols occur exactly a times and \((N - m)/b\) symbols occur exactly b times for various choices of m, a, b.

We can represent the input to f as a binary string \(x_1\dots x_N \in (\mathrm {\{0,1\}}^{\varSigma })^N\), where \(x_i\) is an indicator vector for the i-th input symbol of f. Under this representation, f is a partial boolean function from \(\mathrm {\{0,1\}}^{\left| \varSigma \right| \cdot N}\) to \(\mathrm {\{0,1\}}\). By Claim 7 we may assume \(\mu \) and \(\nu \) are invariant over both permutations of the alphabet and permutations of the input positions. Now \(\mu \) and \(\nu \) can be sampled by first sampling (m, a, b) from the marginal distribution, then writing down an arbitrary string with the correct counts, and applying random permutations to both the alphabet and the input positions. All of these steps can be implemented in \(\mathrm {AC}^0\). The bit secret sharing scheme for OR is obtained by projecting the entries of \(\mu \) and \(\nu \) on random subsets of size n, which can also be implemented by sampling a random permutation.

An explicit description of the bit sharing scheme for the Minsky-Papert function can be extracted from the work of O’Donnell and Servedio [37] (Appendix A). They first sample an integer t of magnitude at most \(n^{1/3}\) (even for \(\mu \), odd for \(\nu \)) then choose an independent random string of Hamming weight \((t - i)^2\) in the i-th block. Both steps can be implemented in \(\mathrm {AC}^0\).

2.2 Trading Alphabet Size for Secrecy

We now give a general method of composing secret sharing schemes. We will apply this method to improve the secrecy of the above schemes at the cost of an increase in alphabet size and a slight increase in depth of the reconstruction. Our construction makes use of disperser graphs.

Definition 3

An \(n \times m\) bipartite graph G with left degree d is a \((k,\mathrm {\epsilon })\) disperser if any subset of [n] of size k has at least \((1 - \mathrm {\epsilon })m\) neighbors in [m].

The loss in reconstruction efficiency is related to the degree d of the disperser. So we obtain the best results with Zuckerman’s construction of dispersers with degree linear in \(\log n/\mathrm {\epsilon }\).

Theorem 8

(Theorem 1.9 of [48] with \(\alpha = 1/2\) ). For every constant \(\delta \), and for every n and \(\mathrm {\epsilon }\) there is an explicit \((n^\delta ,\mathrm {\epsilon })\) disperser G with \(d = O(\log n/\mathrm {\epsilon })\) and \(m = \delta n /2\).

We now show how to turn an (n, k) secret sharing scheme L over alphabet \(\mathrm {\{0,1\}}\) into a \((m, m - \mathrm {\epsilon }m)\) secret sharing scheme R over alphabet \(\mathrm {\{0,1\}}^n\). The alphabet is actually \(\mathrm {\{0,1\}}^{d'}\) where \(d'\) is the maximum right-hand side degree of the disperser graph. It is possible to obtain \(d'\) close to the average degree nd / m, but in our settings this will always be \(n^{\varOmega (1)}\) and so for simplicity we do not optimize this parameter.

The parties of L and R are associated to the left and right vertices of the bipartite graph respectively. To share a bit in R, first sample shares for L and label each left vertex \(v \in [n]\) by its corresponding share \(s(v) \in \mathrm {\{0,1\}}\). Now for each of the d edges \(e_1, \dots , e_d\) incident to v, choose a bit \(s(e_i)\) at random conditioned on \(s(e_1) \oplus \cdots \oplus s(e_d) = s(v)\). The share s(w) of each right vertex \(w \in [m]\) is the concatenation of the edge-shares s(e) over all its \(\le n\) incident edges e.

To reconstruct, apply the process in reverse: First distribute s(w) for \(w \in [m]\) to its incident edges, then calculate \(s(v), v \in [n]\) as \(s(e_1) \oplus \cdots \oplus s(e_d)\) and output \(f(s(1), \dots , s(n))\), where f is the reconstruction function of L.
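The sharing and reconstruction steps of this composition, as an added Python example that is not part of the paper: the base scheme L is the parity scheme of Sect. 1.1 (so f = parity and \(k = n-1\)), and the bipartite graph EDGES is a small hand-constructed graph, not one of Zuckerman's dispersers, so the secrecy threshold of R is established by exhaustively enumerating all coin flips rather than read off a disperser parameter. All names (share_R, reconstruct_R, secrecy_threshold) are my own.

```python
from itertools import product, combinations
from collections import Counter

# Constructed toy bipartite graph (not a disperser with proven parameters):
# EDGES[v] lists the right neighbours of left vertex v, so there are 4 left
# vertices (parties of L), 3 right vertices (parties of R) and left degree d = 2.
EDGES = [(0, 1), (1, 2), (0, 2), (0, 1)]
N_LEFT, N_RIGHT, D = len(EDGES), 3, 2

def parity(bits):
    return sum(bits) % 2

def all_shares_L(secret):
    """Base scheme L: n uniformly random bits whose parity is the secret, i.e. the
    (n, n-1) scheme of Sect. 1.1 with reconstruction function f = parity."""
    return [x for x in product((0, 1), repeat=N_LEFT) if parity(x) == secret]

def share_R(left_shares, coins):
    """Split s(v) into d edge-shares XORing to s(v); coins[v] holds the d-1 free
    bits of vertex v.  A right vertex's share is the tuple of (edge, bit) pairs
    on its incident edges; the edge label is public graph structure."""
    right = [[] for _ in range(N_RIGHT)]
    for v, nbrs in enumerate(EDGES):
        last = left_shares[v]
        for b in coins[v]:
            last ^= b                          # so that XOR of all d bits == s(v)
        for w, b in zip(nbrs, list(coins[v]) + [last]):
            right[w].append((v, b))
    return [tuple(r) for r in right]

def reconstruct_R(right_shares):
    """Reverse the process: route edge-shares back to their left vertex, XOR them
    into s(v) and apply L's reconstruction function."""
    left = [0] * N_LEFT
    for r in right_shares:
        for v, b in r:
            left[v] ^= b
    return parity(left)

def all_shares_R(secret):
    """Enumerate every coin sequence: the resulting list is the exact share
    distribution of R for this secret (each entry equally likely)."""
    out = []
    for ls in all_shares_L(secret):
        for bits in product((0, 1), repeat=(D - 1) * N_LEFT):
            coins = [bits[v * (D - 1):(v + 1) * (D - 1)] for v in range(N_LEFT)]
            out.append(share_R(ls, coins))
    return out

def secrecy_threshold(samples0, samples1):
    """Largest t such that every t-subset of right parties sees identical
    distributions for secret 0 and secret 1 (checked exhaustively)."""
    best = 0
    for t in range(1, N_RIGHT + 1):
        for S in combinations(range(N_RIGHT), t):
            view0 = Counter(tuple(s[w] for w in S) for s in samples0)
            view1 = Counter(tuple(s[w] for w in S) for s in samples1)
            if view0 != view1:
                return best
        best = t
    return best

def reconstruction_always_correct():
    """All m right parties together recover the secret on every coin sequence."""
    return all(reconstruct_R(s) == b for b in (0, 1) for s in all_shares_R(b))

if __name__ == "__main__":
    print("reconstruction correct:", reconstruction_always_correct())
    print("R is t-secret for t =", secrecy_threshold(all_shares_R(0), all_shares_R(1)))
```

For this graph any 2 of the 3 right parties learn nothing while all 3 reconstruct, so R is a (3, 2) scheme built from the (4, 3) parity scheme.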

Lemma 1

If G is a \((k, \mathrm {\epsilon })\) disperser graph and L is an (n, k) secret sharing scheme then R is a \((m, m - \mathrm {\epsilon }m)\) secret sharing scheme with the same reconstruction advantage.

Proof

It is easy to see that the reconstruction advantage is preserved. Next we argue secrecy.

For contradiction, assume that L is k-secret but R is not \((m-\mathrm {\epsilon }m)\)-secret. Then there exists a subset \(S \subseteq [m]\) of size \(\le m - \mathrm {\epsilon }m\) such that the parties in S can distinguish shares of 0 from shares of 1. Consider the joint distribution of the shares assigned to all the edges incident to S. If any vertex \(v \in [n]\) has a neighbor outside S, then the edge-shares associated to v’s neighbors inside S are uniformly random and independent of all the other edge-shares incident to S (even conditioned on all the values s(v)). Therefore, the two distributions must be distinguishable even when restricted to those edges whose left vertices have all their neighbors in S. Let T be the set of all such left vertices. Then the restricted shares of S in R are determined by the shares of T in L. By the disperser property of G, T has size at most k, so the shares in T are indistinguishable, contradicting our assumption.

We note that Alon et al. [4] applied a similar construction to amplify the distance of linear error-correcting codes, while Damgård et al. [18] used it (in more general form) for improving the tolerance of multiparty computations. Both these applications make use of dispersers (in fact, expanders) G that are balanced (with \(m = n\)) and of constant degree d. In contrast, we apply it to unbalanced graphs whose left degree is logarithmic in the number of vertices.

If we set \(k = n^\alpha \) for some constant \(\alpha > 0\), we obtain the following consequence. Here \(f \circ XOR_d\) denotes a function that can be computed by composing f with XORs over d inputs.

Theorem 9

Let \(\alpha > 0\) be a constant. Suppose that there exists a \((n, n^\alpha )\) secret sharing scheme with reconstruction function \(f{:}\mathrm {\{0,1\}}^n \rightarrow \mathrm {\{0,1\}}\) over alphabet \(\mathrm {\{0,1\}}\). Then there exists a \((m, (1 - \mathrm {\epsilon })m)\) secret sharing scheme over alphabet \(\mathrm {\{0,1\}}^n\) with reconstruction function of the type \(f \circ XOR_d\) with \(d = O((\log n)/\mathrm {\epsilon })\) and \(m = \varOmega (n^\alpha )\).

We now have all the pieces to prove Theorem 2.

Proof (of Theorem 2)

Instantiate Theorem 9 with Item 4 in Corollary 2. The reconstruction function involves computing parities on \(\mathrm {{poly}}\log n\) bits which can be done in AC\(^0\). To sample the shares efficiently use Theorem 24.

Several other schemes are possible. We highlight the following one in which reconstruction is done by a DNF, although it is not perfect.

Corollary 10

For every constant \(\mathrm {\epsilon }> 0\), there is an explicit \((n, (1 - \mathrm {\epsilon })n)\)-secret sharing scheme with reconstruction error \(\mathrm {\epsilon }\) over the alphabet \(\mathrm {\{0,1\}}^{\mathrm {{poly}}(n)}\) with reconstruction by a \(\mathrm {{poly}}(n)\)-size DNF with terms of size \(O(\log n)\).

Proof

Instantiate Theorem 9 with Item 1 in Corollary 2. The reconstruction function is an OR of \(O((n/\log n)^2)\) XORs of size \(O((\log n)/\mathrm {\epsilon })\), which can be computed by a polynomial-size DNF. The shares can be sampled in AC\(^0\) by Theorem 6.

2.3 Reconstruction by a Subset of the Parties

In this section we give several secret sharing schemes that allow for reconstruction by a subset of the parties. Our starting point is the secret sharing scheme with reconstruction by the OR function.

Claim 11

For every r, \(\delta \), and n there is an explicit \((n, \varOmega (\sqrt{\delta n}), r)\) bit secret sharing scheme with reconstruction by OR with advantage at least \(r/n - \delta \).

Here, by OR we mean the class of OR functions on subsets of r input bits. We will need the following fact which is implicit in the proof of Theorem 1.

Remark 12

Without loss of generality, the distributions \(\mu \) and \(\nu \) can be assumed to have disjoint support.

Proof (of Claim 11)

Let \((\mu , \nu )\) be any \((n, k)\) bit sharing scheme for OR with reconstruction advantage \(1 - \delta \). By Remark 12 and Claim 7 we may assume \(\mu \) and \(\nu \) are disjoint and symmetric, so \(\nu (0^n) = 1 - \delta \) and all strings in the support of \(\mu \) have nonzero Hamming weight. For any subset of r parties, the probability that they jointly observe a nonzero entry under \(\nu \) is then at most \(\delta \). By symmetry of \(\mu \), the probability that they observe a nonzero entry under \(\mu \) is at least r / n. Therefore \(\Pr [f(\mu ) = 1] - \Pr [f(\nu ) = 1] \ge r/n - \delta \).

If we set \(\delta = r/2n\) we obtain an \((n, \varOmega (\sqrt{r}), r)\) bit secret sharing scheme with reconstruction by OR with advantage \(\delta = r/2n\). In the next result we make this advantage constant.

We now prove Theorem 3, namely the existence of a \((n, \varOmega (\sqrt{r}), r)\) bit secret sharing scheme with reconstruction by OR with constant advantage.

Proof (of Theorem 3)

First we construct a scheme over alphabet \(\{0, 1\}^{1/\delta }\) for \(\delta = r/2n\), where we assume \(1/\delta \) is an integer. To share a zero and a one respectively, sample \(1/\delta \) independent shares using the scheme in Claim 11 and give the i-th party the i-th bit from each copy. By the proof of Claim 11, for any \(\varOmega (\sqrt{r})\) parties the OR over all copies of their shares evaluates to 1 with probability at least \(1 - (1 - 2\delta )^{1/\delta }\) when a one is shared and at most \(1 - (1 - \delta )^{1/\delta }\) when a zero is shared. The difference between these two numbers is always positive and tends to \(1/e - 1/e^2\) as \(1/\delta \) increases.

To reduce the alphabet to binary, we replace each party’s share by the OR of its constituent bits.

If we allow for more complexity in reconstruction and larger shares, the gap between the secrecy and reconstruction parameters can be improved and the reconstruction error can be made negligible.

Theorem 13

For every pair of constants \(0 \le \sigma < \rho \le 1\) and sufficiently large m there exists a \((m, \sigma m, \rho m)\) bit secret sharing scheme with reconstruction by circuits of size polynomial in m and depth 4 and advantage \(1 - 2^{-m^c}\) for any constant c over alphabet \(\varSigma = \mathrm {\{0,1\}}^{\mathrm {{poly}}(m)}\).

To prove Theorem 13, we apply the composition method from Sect. 2.2 using a bipartite graph with the following dispersion properties.

Claim 14

For all constants \(\delta > 0\) and \(0 \le \sigma < \rho \le 1\), and every sufficiently large n there exist numbers \(m = n^{\varOmega (1)}\), \(r \le n\), and \(d = O(\log n)\) and an \(n \times m\) bipartite graph G with left degree d such that

  1. For every subset \(S \subseteq [m]\) of size at most \(\sigma m\), the set of vertices in [n] all of whose neighbors are in S has size at most \(r^{\delta }\) (i.e., G is a \((r^\delta , 1 - \sigma )\)-disperser), and

  2. For every subset \(R \subseteq [m]\) of size at least \(\rho m\), the set of vertices in [n] all of whose neighbors are in R has size at least r.

We then amplify the reconstruction error in Theorem 3 using the following claim.

Claim 15

For every integer t, if there exists a \((m, k, r)\) bit secret sharing scheme with reconstruction by size s and depth d circuits and constant advantage over alphabet \(\varSigma \) then there exists a \((m, k, r)\) bit secret sharing scheme with reconstruction by circuits of size \(st + \mathrm {{poly}}(t)\) and depth \(d + 2\) and advantage \(1 - 2^{-\varOmega (t)}\) over alphabet \(\varSigma ^t\).

Proof (of Theorem 13)

We apply the construction described in Sect. 2.2 to the \((n, \varOmega (\sqrt{r}), r)\) scheme from Theorem 3 and the graph from Claim 14 with \(\delta = 0.49\). Secrecy follows from Theorem 9. Reconstruction proceeds as in Sect. 2.2, except that only those parties in [n] that have received all of their shares participate in the process. By property 2 of Claim 14, if at least \(\rho m\) parties on the right participate in the reconstruction then at least r parties on the left receive all their shares and the secret is reconstructed with constant advantage. By Claim 15 with \(t = m^c\), the advantage can be amplified to \(1 - 2^{-m^c}\) as desired.

Proof (of Claim 14)

We show that a random graph has both properties with nonzero probability. Choose each of the d neighbors of each left vertex independently and uniformly at random. For a fixed set \(S \subseteq [m]\) of size \(\sigma m\), the expected number of left vertices all of whose neighbors are in S equals \(n \sigma ^d\). By the multiplicative Chernoff-Hoeffding bound and a union bound, the probability that there exists a set S and a set of left vertices of size \(2n\sigma ^d\) all of whose neighbors are in S is at most \(2^m \exp (-n \sigma ^d/8)\). By a similar argument, the probability that there exists a set \(R \subseteq [m]\) of size \(\rho m\) such that fewer than \(n \rho ^d/2\) vertices have all their neighbors in R is at most \(2^m \exp (-n \rho ^d/3)\).

We set \(d = \log _{\rho ^\delta /\sigma } (2^{1 + \delta }n^{1 - \delta })\), \(r = (\rho /\sigma )^{d/(1 - \delta )}\), and \(m = \lfloor r^\delta /2\rfloor \). This choice of parameters ensures that \(n \rho ^d/2 = r\), \(2n \sigma ^d = r^{\delta }\), and \(r, m = n^{\varOmega (1)}\). Moreover, both probabilities of interest tend to zero at the rate \(\exp (-\varOmega (r^\delta )) = \exp (-n^{\varOmega (1)})\) so a graph with the desired properties exists for sufficiently large n.

Proof (of Claim 15)

For every pair of constants \(0 \le \ell < h \le 1\), Ajtai [3] shows the existence of a Boolean function family ApxMaj of depth 3 and size polynomial in its input such that ApxMaj accepts all strings of relative Hamming weight at least h and rejects all strings of relative Hamming weight at most \(\ell \). These circuits are made explicit in [46].

Let S be the assumed secret sharing scheme. Choose h and \(\ell \) so that the success probability of reconstructing a one from its shares in S bounds h strictly from above and the failure probability of reconstructing a zero in S bounds \(\ell \) strictly from below. To share a bit, sample t independent copies of shares of S and give the i-th party the i-th share of each copy. To perform the reconstruction, first apply the reconstruction algorithm for S to each copy, then apply ApxMaj to all t reconstructed bits.

The secrecy of S is inherited by construction. We now analyze the probability of correct reconstruction by r parties. By the multiplicative Chernoff bound, the probability that fewer than ht copies of S reconstruct a one correctly, or that more than \(\ell t\) copies of S reconstruct a zero incorrectly, is \(2^{-\varOmega (t)}\). If this does not happen, ApxMaj correctly recovers the secret bit.

2.4 Limitations

In this section we prove negative results on the existence of secret sharing schemes, or equivalently positive results on functions being fooled by bounded indistinguishability. Our main technical contribution consists of proving negative results that hold even over large alphabets \(\varSigma \). However, we first start with the case \(\varSigma = \mathrm {\{0,1\}}\) because this provides motivation and is useful for larger \(\varSigma \).

In the case \(\varSigma = \mathrm {\{0,1\}}\) we note an upper bound of \(n(1-1/\mathrm {{poly}}\log n)\) on the approximate degree of AC\(^0\). While it follows from standard Fourier-analytic techniques, we are not aware that it has been observed before. In terms of secret sharing schemes it shows that the secrecy is at most \(n(1-1/\mathrm {{poly}}\log n)\) if reconstruction is to be done in \(\mathrm {AC}^0\).

Claim 16

Every function \(f{:} \mathrm {\{0,1\}}^n \rightarrow \mathrm {\{0,1\}}\) that has a size s depth d circuit has \(n^{-h/2}\)-approximate degree \(n - h\) for \(h = \varOmega _d(n/(\log s)^{d-1} (\log n))\).

Proof

We will work with the function \(F{:} \{-1, 1\}^n \rightarrow \{-1, 1\}\) given by \(F(X) = 1 - 2f((1 + X)/2)\). We construct a polynomial \(P{:} \{-1, 1\}^n \rightarrow \mathbb {R}\) that approximates F pointwise within \(2n^{-h/2}\). Let

$$\begin{aligned} P(X) = \sum \nolimits _{S \subseteq [n], |S| \le n - h} \hat{F}(S) \prod \nolimits _{i \in S} X_i, \end{aligned}$$

where \(\hat{F}(S) = {{\mathrm{E}}}[F(X) \prod _{i \in S} X_i]\) are the Fourier coefficients of F, see e.g. O’Donnell’s book [36] for background.

Håstad [24] shows that \(|\hat{F}(S)| \le 2^{-c |S|/(\log s)^{d - 1}}\), where c is some constant that depends only on d. For every \(X \in \{-1, 1\}^n\),

$$\begin{aligned} \left| F(X) - P(X)\right| &= \Bigl |\sum \nolimits _{S{:} \left| S\right|> n - h} \hat{F}(S) \prod \nolimits _{i \in S} X_i \Bigr | \\ &\le \sum \nolimits _{S{:} \left| S\right| > n - h} |\hat{F}(S)| \le n^h\cdot 2^{-c (n - h + 1)/(\log s)^{d - 1}}, \end{aligned}$$

which is at most \(2n^{-h/2}\) for \(h = \min \{n/2, cn/4(\log s)^{d - 1} (\log n)\}\).

The following upper bound on the approximate degree of the OR function was obtained by Kahn et al. [29]. The special case \(\delta = 1/3\) was first established by Nisan and Szegedy [35].

Lemma 2

For every n and \(\delta \), the \(\delta \)-approximate degree of OR on n bits is \(O(\sqrt{n \log (1/\delta )})\).

It follows from Theorem 1 that there does not exist an \((n, \omega (\sqrt{n \log (1/\delta )}))\) secret sharing scheme over the alphabet \(\mathrm {\{0,1\}}\) with reconstruction by OR and advantage \(\delta \).

We now derive two negative consequences for secret sharing schemes with more complex reconstruction functions and over alphabets of arbitrary size.

Theorem 17

For every \(\varSigma \) of the form \(\mathrm {\{0,1\}}^s\) and all n, m, d, h such that \(h \le n/(3 \ln n \cdot \exp (6 \sqrt{\ln (2m) \cdot \ln d}))\), if \(f{:} \varSigma ^n \rightarrow \mathrm {\{0,1\}}\) is an OR of m functions each of which depends on at most d inputs then there is no \((n, n - h)\) secret sharing scheme with reconstruction function f and advantage 1 / 3.

In particular, Theorem 17 shows that if reconstruction is done by a DNF of size \(m = \mathrm {{poly}}(n)\) and with terms of size \(d = n^{o(1)}\) then the secrecy must be at most \(n-h = n - n^{1-o(1)}\).

The proof of the theorem relies on the following combinatorial claim.

Claim 18

For every N, M, n, m, d, and h such that \(h\ln n, M\ln N + 1 \le n/(3d^M (2m)^{M/N})\) and every collection \(\mathcal {S}\) of m subsets of [n], each of size d, there exists a collection \(\mathcal {T}\) of N subsets of [n] such that

  1. for every set \(S \in \mathcal {S}\) there is at least one set \(T \in \mathcal {T}\) such that S is a subset of T, and

  2. for every M sets \(T_1, \dots , T_M \in \mathcal {T}\), \(\left| T_1 \cup \dots \cup T_M\right| < n - h\).

Proof (of Theorem 17)

Suppose for contradiction that such a secret sharing scheme S exists. Let \(S_i \subseteq [n]\) be the set of variables in the i-th term of f and \(\mathcal {S} = \{S_1, \dots , S_m\}\). For \(N = \log _d(2m)\), \(M = 2\sqrt{N}\), and sufficiently large n the set system \(\mathcal {T} = \{T_1, \dots , T_N\}\) given by Claim 18 exists. Assign to each term t of f a single set \(T(t) \in \mathcal {T}\) that covers it, as guaranteed by Property 1 of the claim.

Consider the following N-party secret sharing scheme T for OR. To share, first run the secret sharing for S and evaluate each term t of f using the shares as inputs. Then assign each party i in T the OR of all the terms t such that \(T(t) = T_i\). To reconstruct take the OR of all the shares of T. By construction, this equals f evaluated on the shares of S, so T has the same reconstruction advantage as S.

By Property 2 of Claim 18, each collection of M parties of T observes fewer than \(n - h\) shares of S, so T is an \((N, M)\) secret sharing scheme. By Lemma 2 T cannot have reconstruction advantage 1 / 3, so neither can S.

Proof (of Claim 18)

We choose the N sets of \(\mathcal {T}\) at random such that each element in [n] is included in each set in \(\mathcal {T}\) independently with probability \(1 - q\) for \(q = (1/d)(1/2m)^{1/N}\). On the one hand, by a union bound, the probability that some set \(S \in \mathcal {S}\) fails to be covered by any set of \(\mathcal {T}\) is at most \(m(qd)^N\), which is at most 1 / 2 by our choice of q. On the other hand, by a union bound, the probability that property 2 is violated is at most

$$\begin{aligned} \left( {\begin{array}{c}N\\ M\end{array}}\right) \cdot \left( {\begin{array}{c}n\\ n-h\end{array}}\right) \cdot \bigl (1 - q^M\bigr )^{n - h}&\le \exp \bigl (M \ln N + h \ln n - (n - h)q^M\bigr ) \\&\le \exp \bigl (M \ln N + h \ln n - (2n/3)q^M\bigr ) \\&\le 1/e \end{aligned}$$

by the assumed inequality. By a union bound, both desired properties are satisfied with probability at least \(1 - 1/2 - 1/e > 0\).

Next we obtain a stronger negative result in the case in which the reconstruction is done by a decision tree.

Theorem 19

Let \(\varSigma = \mathrm {\{0,1\}}^s\). If \(f{:} \varSigma ^n \rightarrow \mathrm {\{0,1\}}\) has a binary decision tree with at most S leaves then there is no \((n, \omega (\sqrt{n \log (S/\mathrm {\epsilon })}))\)-bit secret sharing scheme with reconstruction function f and advantage \(\mathrm {\epsilon }\).

In particular, a secret sharing scheme with constant advantage and whose reconstruction function is a polynomial-size decision tree can only be secure against coalitions of \(O(\sqrt{n \log n})\) parties.

Proof

First assume f is an OR of a subset of literals. If a secret sharing scheme with reconstruction function f, secrecy parameter \(\omega (\sqrt{n(\log 1/\delta )})\), and advantage \(\delta \) existed, then a scheme with the same parameters would exist for a binary alphabet, as each party’s share can be replaced by the OR of its relevant literals, contradicting Lemma 2. By symmetry the same conclusion holds for ANDs of subsets of literals.

If f has a decision tree with \(\le S\) leaves, then we can write f as a sum of at most S ANDs of literals, one for each path in the decision tree that leads to a 1-leaf. This sum is over the reals yet it will always take a boolean value because at most one AND will evaluate to one. If there existed a secret sharing scheme with reconstruction function f, advantage \(\mathrm {\epsilon }\) and the desired properties, by a hybrid argument one of the constituent ANDs would have advantage \(\mathrm {\epsilon }/S\) in the same scheme. Setting \(\delta = \mathrm {\epsilon }/S\) yields the desired conclusion.
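As an added illustration of this proof (example code, not from the paper), the following Python code encodes a small decision tree, extracts one AND of literals per path to a 1-leaf, checks over all inputs that the real-valued sum of those ANDs equals f (so at most one AND fires), and evaluates the hybrid step on a constructed 2-wise indistinguishable pair of distributions (uniform over even-parity and over odd-parity 3-bit strings): the advantage of f is the sum of the advantages of its terms, so some term has advantage at least \(|\mathrm {adv}(f)|/S\) in absolute value. The tree encoding, the function names and the distributions are this example's own.

```python
from itertools import product

# Decision trees over n boolean variables, as nested tuples (constructed encoding):
#   ('leaf', b)             a leaf labelled b in {0, 1}
#   ('node', i, t0, t1)     query x[i]; continue in t0 if x[i] == 0, in t1 if x[i] == 1


def eval_tree(tree, x):
    """Evaluate the tree on the input tuple x."""
    while tree[0] == 'node':
        _, i, t0, t1 = tree
        tree = t1 if x[i] else t0
    return tree[1]


def num_leaves(tree):
    if tree[0] == 'leaf':
        return 1
    return num_leaves(tree[2]) + num_leaves(tree[3])


def one_leaf_terms(tree, path=()):
    """One AND of literals per root-to-1-leaf path, as a tuple of (variable, value)
    pairs.  Two distinct paths disagree on some queried variable, so at most one
    term is satisfied by any input."""
    if tree[0] == 'leaf':
        return [path] if tree[1] == 1 else []
    _, i, t0, t1 = tree
    return one_leaf_terms(t0, path + ((i, 0),)) + one_leaf_terms(t1, path + ((i, 1),))


def eval_term(term, x):
    return int(all(x[i] == b for i, b in term))


def sum_of_terms_equals_tree(tree, n):
    """The real-valued sum of the terms equals the tree on every input (hence is 0/1)."""
    terms = one_leaf_terms(tree)
    return all(sum(eval_term(t, x) for t in terms) == eval_tree(tree, x)
               for x in product((0, 1), repeat=n))


def advantage(g, mu, nu):
    """Pr[g(mu) = 1] - Pr[g(nu) = 1] for distributions given as {input: probability}."""
    return sum(p * g(x) for x, p in mu.items()) - sum(p * g(x) for x, p in nu.items())


def term_advantages(tree, mu, nu):
    return [advantage(lambda x, t=t: eval_term(t, x), mu, nu) for t in one_leaf_terms(tree)]


def hybrid_bound_holds(tree, mu, nu):
    """The hybrid step of the proof: adv(f) is the sum of the terms' advantages, so some
    term has advantage at least |adv(f)| / S in absolute value, S = number of leaves."""
    adv_f = advantage(lambda x: eval_tree(tree, x), mu, nu)
    advs = term_advantages(tree, mu, nu)
    if not advs:
        return abs(adv_f) < 1e-12
    bound = abs(adv_f) / num_leaves(tree)
    return abs(adv_f - sum(advs)) < 1e-12 and max(abs(a) for a in advs) >= bound - 1e-12


# Constructed example: f(x0, x1, x2) queries x0, then x1, and x2 only on the branch
# x0 = 0, x1 = 0.  Its 1-leaves are reached exactly by the inputs 001 and 11*.
TREE = ('node', 0,
        ('node', 1, ('node', 2, ('leaf', 0), ('leaf', 1)), ('leaf', 0)),
        ('node', 1, ('leaf', 0), ('leaf', 1)))

# Constructed 2-wise indistinguishable pair on 3 bits: uniform over even-parity
# strings (MU) versus uniform over odd-parity strings (NU); f tells them apart.
MU = {x: 0.25 for x in product((0, 1), repeat=3) if sum(x) % 2 == 0}
NU = {x: 0.25 for x in product((0, 1), repeat=3) if sum(x) % 2 == 1}

if __name__ == "__main__":
    print("terms:", one_leaf_terms(TREE))
    print("sum of terms == tree:", sum_of_terms_equals_tree(TREE, 3))
    print("adv(f) =", advantage(lambda x: eval_tree(TREE, x), MU, NU),
          "term advantages =", term_advantages(TREE, MU, NU))
```

On this instance f has advantage \(-1/4\) between MU and NU, its two terms have advantages \(-1/4\) and 0, and the tree has \(S = 5\) leaves, so the term \(\lnot x_0 \wedge \lnot x_1 \wedge x_2\) already exceeds the \(|\mathrm {adv}(f)|/S\) threshold that the proof passes on to Lemma 2.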

3 Additional Cryptographic Applications

In this section we present additional applications of our results on bounded indistinguishability in cryptography. These applications can be viewed as different instances of leakage-resilient cryptography.

The broad goal of leakage-resilient cryptography is to maintain the security of cryptographic primitives even if partial information about their secrets is leaked to an adversary. The type of information being leaked is typically captured by a leakage function \(L{:}\{0,1\}^n\rightarrow \{0,1\}^t\) taken from a leakage class \(\mathcal L\), where the input for L represents the internal (secret) state of the primitive and its output represents the partial information available to the adversary. For simplicity we will start by considering the case of single-bit leakage (i.e., \(t=1\)) and later extend the results to the more general case.

Our motivating observation is that if two possible distributions of secret states are k-wise indistinguishable, and moreover k-wise indistinguishability implies \(\mathcal L\)-indistinguishability, then obtaining leakage-resilience against \(\mathcal L\) reduces to obtaining resilience against k-local leakage, namely the class of all projection functions \(P{:}\{0,1\}^n\rightarrow \{0,1\}^k\). Obtaining provable security against k-local leakage is typically much easier than obtaining provable security against bigger leakage classes, and can be achieved via standard techniques for secret sharing and secure multiparty computation (MPC).

The above observation may be relevant to any cryptographic scheme that maintains a sufficient level of local secrecy. We illustrate its usefulness by presenting applications in the contexts of secret sharing, error detecting codes, and private circuits.

3.1 Leakage-Resilience of Secret Sharing Schemes

The implication \(1. \implies 2.\) in Theorem 1 can be reformulated in the following equivalent way.

Claim 20

Let \(\mu ,\nu \) be k-wise indistinguishable distributions over \(\mathrm {\{0,1\}}^n\). Let \(L{:}\{0,1\}^n\rightarrow \{0,1\}\) be a leakage function whose \(\mathrm {\epsilon }\)-approximate degree is at most k. Then

$$\begin{aligned} \left| \Pr [L(\mu )=1]-\Pr [L(\nu )=1]\right| \le \epsilon . \end{aligned}$$

Claim 20 implies that every \((m, k)\) bit secret sharing scheme over \(\varSigma =\mathrm {\{0,1\}}^\ell \) is resilient against leakage functions \(L{:}\mathrm {\{0,1\}}^{m\ell }\rightarrow \mathrm {\{0,1\}}\) whose approximate degree is at most k. The same holds for secret sharing schemes with bigger secrets.

Many secret sharing schemes from the literature are in fact k-wise independent for a large value of k, in the sense that any k bits in \(\mu \) and \(\nu \) are uniformly distributed. This is the case, for instance, for Shamir’s scheme [41] over fields of characteristic 2. In such a case one can appeal to stronger results about bounded independence. For instance, Braverman’s theorem [9] implies resilience to every \(\mathrm {AC}^0\) leakage function L even when k is polylogarithmic in n, whereas the approximate degree of some \(\mathrm {AC}^0\) functions is known to be as big as \(\varOmega (n^{2/3})\). One could also apply similar results in the case of biased k-wise independence, namely \(\mu \) and \(\nu \) are k-wise indistinguishable and moreover every k bits are independently distributed (but may each have a different bias). See, e.g., Lemma 5.2 in [14] for the case of OR distinguishers.

However, there are cases in which it is undesirable or even impossible to guarantee a high level of independence. For instance, when considering secret sharing schemes with special properties, such as ones supporting multiplication, bounded independence may come at a significant price [13, 39]. Alternatively, the shares of a k-wise independent secret sharing scheme may be subject to local encoding or to adversarial tampering, after which they are no longer k-wise independent but are still k-wise indistinguishable.
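The following Python code is an added example (not part of the paper) of the quantities in Claim 20 and the discussion above: an exact tester for k-wise indistinguishability and for k-wise independence, straight from the projection definitions, and the statistical distance between \(L(\mu )\) and \(L(\nu )\) for a one- or multi-bit leakage function L as in Theorem 21. The distributions are constructed: uniform over even-parity versus odd-parity 4-bit strings, which are 3-wise independent, and their concatenated copies, which stay 3-wise indistinguishable but are no longer 2-wise independent. The function names are this example's own.

```python
from collections import Counter
from itertools import combinations, product


def projection(dist, coords):
    """Marginal of a distribution {bit tuple: probability} on the given coordinates."""
    marg = Counter()
    for x, p in dist.items():
        marg[tuple(x[i] for i in coords)] += p
    return marg


def is_k_wise_indistinguishable(mu, nu, k):
    """Exact test of the definition: every projection to k coordinates agrees."""
    n = len(next(iter(mu)))
    for coords in combinations(range(n), k):
        pm, pn = projection(mu, coords), projection(nu, coords)
        if any(abs(pm[v] - pn[v]) > 1e-12 for v in set(pm) | set(pn)):
            return False
    return True


def is_k_wise_independent(dist, k):
    """Every projection to k coordinates is uniform over {0,1}^k."""
    n = len(next(iter(dist)))
    for coords in combinations(range(n), k):
        pm = projection(dist, coords)
        if any(abs(pm[v] - 2.0 ** -k) > 1e-12 for v in product((0, 1), repeat=k)):
            return False
    return True


def leakage_distance(L, mu, nu):
    """Statistical distance between L(mu) and L(nu); L may return one bit or a tuple
    of bits (the t-bit leakage of Theorem 21)."""
    lm, ln = Counter(), Counter()
    for x, p in mu.items():
        lm[L(x)] += p
    for x, p in nu.items():
        ln[L(x)] += p
    return 0.5 * sum(abs(lm[v] - ln[v]) for v in set(lm) | set(ln))


def parity_pair(n):
    """Constructed example: uniform over even-parity n-bit strings versus uniform over
    odd-parity ones.  Both are (n-1)-wise independent, hence (n-1)-wise indistinguishable."""
    strings = list(product((0, 1), repeat=n))
    even = [x for x in strings if sum(x) % 2 == 0]
    odd = [x for x in strings if sum(x) % 2 == 1]
    return {x: 1 / len(even) for x in even}, {x: 1 / len(odd) for x in odd}


def concatenate(dist):
    """Two identical copies of each sample: k-wise indistinguishability survives, but
    the result is not even 2-wise independent (coordinates i and i+n coincide)."""
    return {x + x: p for x, p in dist.items()}


def or_leakage(x):          # 1-bit leakage of approximate degree O(sqrt(n))
    return int(any(x))


def parity_leakage(x):      # 1-bit leakage of approximate degree n
    return sum(x) % 2


def first_two_bits(x):      # 2-bit projection leakage
    return x[:2]


if __name__ == "__main__":
    mu, nu = parity_pair(4)
    print("3-wise indistinguishable:", is_k_wise_indistinguishable(mu, nu, 3))
    print("OR leakage distance:", leakage_distance(or_leakage, mu, nu))
    print("parity leakage distance:", leakage_distance(parity_leakage, mu, nu))
    mu2, nu2 = concatenate(mu), concatenate(nu)
    print("copies 3-wise indistinguishable:", is_k_wise_indistinguishable(mu2, nu2, 3),
          "/ 2-wise independent:", is_k_wise_independent(mu2, 2))
```

On this pair the OR leakage has distinguishing advantage 1/8, whereas parity leakage, whose approximate degree is n, distinguishes perfectly, and a 2-bit projection leakage has distance 0, as 3-wise indistinguishability requires. The testers enumerate all \(\binom{n}{k}\) projections, so they are meant for small n; they serve to check a candidate scheme against the definition, not as a proof technique.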

Finally, we extend Claim 20 to the case of a leakage function L with t output bits. For convenience, we restate Theorem 4 from the Introduction.

Theorem 21

There exists a universal constant C such that the following holds. Let \(\mu ,\nu \) be k-wise indistinguishable distributions over \(\mathrm {\{0,1\}}^n\). Let \(L{:}\{0,1\}^n\rightarrow \{0,1\}^t\) be a leakage function such that the 1 / 3-approximate degree of each of its t outputs is at most d. Then the statistical distance between \(L(\mu )\) and \(L(\nu )\) is bounded by \(\delta \), provided that \(k\ge Cdt(t+\log \frac{1}{\delta })\).

Proof

Using an indistinguishability variant of Vazirani’s statistical XOR lemma (cf. [27, Lemma 1]), it suffices to prove that for every \(L'{:}\mathrm {\{0,1\}}^n\rightarrow \mathrm {\{0,1\}}\) obtained by taking the parity of a subset of the outputs of L we have \(\left| \Pr [L'(\mu )=1]-\Pr [L'(\nu )=1]\right| \le \delta '\), where \(\delta '=\delta \cdot 2^{-t/2}\). Using Lemma 4, the 1 / 3-approximate degree of each such \(L'\) is O(dt) and by Lemma 3 its \(\delta '\)-approximate degree is \(O(dt\log \frac{1}{\delta '})\). Applying Claim 20, \(k=\varOmega (dt(t+\log \frac{1}{\delta }))\) suffices to guarantee that the distinguishing advantage of \(L'\) is bounded by \(\delta '\) as required.

3.2 Private Circuits

We now describe an application of Claim 20 to private circuits, a computational model for leakage-resilient cryptography. We consider the simpler stateless variant of private circuits with encoded inputs and outputs (see, e.g., [28, Sect. 3] and [25, Sect. 4.1]) and privacy with respect to a general leakage class \(\mathcal L\). Informally, such a private circuit is a (possibly randomized) boolean circuit that transforms a randomly encoded input into a randomly encoded output while providing the guarantee that the output of any \(\mathcal L\)-leakage on the n circuit wires reveals essentially nothing about the input. More formally:

Definition 4

( \((\mathcal L,\mathrm {\epsilon })\) -Private Circuit). A private circuit for \(g{:}\{0,1\}^{n_i}\rightarrow \{0,1\}^{n_o}\) is defined by a triple \((I, C, O)\), where

  • \(I{:}\{0,1\}^{n_i}\rightarrow \{0,1\}^{\hat{n}_i}\) is a randomized input encoder;

  • C is a deterministic or randomized boolean circuit with input \(\hat{w}\in \{0,1\}^{\hat{n}_i}\), output \(\hat{y}\in \{0,1\}^{\hat{n}_o}\), and n wires;

  • \(O{:}\{0,1\}^{\hat{n}_o}\rightarrow \{0,1\}^{n_o}\) is a deterministic output decoder.

For a leakage function \(L{:}\{0,1\}^n\rightarrow \{0,1\}^t\) and \(\mathrm {\epsilon }>0\), we say that \((I, C, O)\) is an \((L,\mathrm {\epsilon })\) -private implementation of g if the following requirements hold.

  • Correctness: For any input \(w\in \{0,1\}^{n_i}\) we have \(\Pr [O(C(I(w)))=g(w)]=1\), where the probability is over the randomness of I and (possibly) C.

  • Privacy: For any \(w,w'\in \{0,1\}^{n_i}\), the statistical distance between L(C[I(w)]) and \(L(C[I(w')])\) is at most \(\mathrm {\epsilon }\), where C[x] denotes the (randomized) values of the n wires of C on input x.

For a class \(\mathcal L\) of leakage functions, we say that \((I, C, O)\) is an \((\mathcal{L},\mathrm {\epsilon })\) -private implementation of g if it is an \((L,\mathrm {\epsilon })\)-private implementation of g for every \(L\in \mathcal L\), and that it is a k-private implementation of g if it is an \((\mathcal{L},0)\)-private implementation of g for the class \(\mathcal L\) of projection functions that output k bits of the input.

Without any requirements on I and O, the above definition can be satisfied by having I compute a leakage-resilient secret sharing of the input which is passed by C directly to the decoder. To rule out such a solution we require the encoder and the decoder to be universal (i.e., depend only on \(n_i,n_o\) and the circuit size of g and not on g itself). Furthermore, we would like the decoder size to be considerably smaller than the circuit size of g. These requirements effectively force C to perform the bulk of the computation in a leakage-resilient manner.

While there are asymptotically efficient constructions of k-private circuits obtained via MPC techniques [17, 25, 28], much less is known about defending against larger leakage classes. We use the connection between approximate degree and bounded indistinguishability to bootstrap from k-private circuits to \((\mathcal L,\mathrm {\epsilon })\)-private circuits for larger classes \(\mathcal L\). More accurately, we show that in many cases k-privacy automatically implies \((\mathcal L,\mathrm {\epsilon })\)-privacy for a large \(\mathcal L\) and negligible \(\mathrm {\epsilon }\). A similar result for a special type of leakage called “noisy leakage” was obtained in [22]. The parameters of the leakage-resilient circuits we obtain via bounded indistinguishability are quite limited, since our approach requires the privacy threshold k to be rather close to the circuit size. An interesting research direction is to obtain better parameters by exploiting additional structural properties of the distributions induced by private circuit constructions.

Combining MPC-based constructions of k-private circuits with known bounds on approximate degree, we obtain the following corollary (see [8] for proof):

Corollary 22

Any NC-function \(g{:}\{0,1\}^{n_i}\rightarrow \{0,1\}^{n_o}\) of circuit size s admits an \((\mathcal{L},2^{-\sigma })\)-private implementation \((I, C, O)\), where \(|I|=\tilde{O}(s)\), \(|C|=\tilde{O}(s)\), and \(|O|=\tilde{O}(n_o+k)\), for the following choices of \(\mathcal L\), \(\sigma \), and k:

  1. \(\mathcal L\) is the class of decision trees of size S, \(k = \sigma \sqrt{s \log (S)}\), and \(\sigma \le \sqrt{s /\log (S)}\).

  2. \(\mathcal L\) is the class of read-once DNF (or CNF) formulas, \(k=\sigma s^{1/2}\), and \(\sigma \le s^{1/2}\).

  3. \(\mathcal L\) is the entire class AC\(^0\), \(k=\sigma s^c\), and \(\sigma \le s^{1-c}\), assuming that all AC\(^0\) functions on n-bit inputs have a 1/3-approximate degree of \(O(n^{c})\) for some constant \(c<1\).

Extension to Multi-bit Leakage. The above corollary can be extended to leakage functions L with t bits of output by relying on Theorem 4 instead of Claim 20. The general form of the corollary can be obtained by replacing each occurrence of \(\sigma \) with \(\sigma t^2\).

The Case of Disjunctive Leakage. Private circuits that resist disjunctive leakage, namely an OR of an arbitrary subset of wires or their negations, have found applications to constant-round secure two-party computation [26]. While it was shown in [26] that every k-private circuit can be transformed into such a disjunction-resilient circuit with a constant multiplicative overhead to the circuit size, this transformation is nontrivial and has a significant concrete cost. We note that for the purpose of this application it is essential that the encoder be small, and thus Corollary 22 is not useful even for the case of NC circuits.

Instead, we rely on the following corollary of Claim 20 to show that the same k-private circuits to which the transformation from [26] was applied are in fact already resilient against disjunctive leakage.

Claim 23

Let \(\mu ,\nu \) be k-wise indistinguishable distributions over \(\varSigma ^n\) for \(\varSigma =\mathrm {\{0,1\}}^\ell \). Let \(L{:}\{0,1\}^{\ell n} \rightarrow \{0,1\}\) be a disjunctive leakage function. Then

$$\begin{aligned} \left| \Pr [L(\mu )=1]-\Pr [L(\nu )=1]\right| \le 2^{-\varOmega (k/\sqrt{n})}. \end{aligned}$$

Proof

By decomposing L into n disjunctive functions that operate separately on each \(\ell \)-bit symbol, \(L(\mu )\) and \(L(\nu )\) can be written as \(OR(\mu ')\) and \(OR(\nu ')\) (respectively), where \(\mu '\) and \(\nu '\) are k-wise indistinguishable distributions over \(\mathrm {\{0,1\}}^n\). The claim then follows from Claim 20 and the approximate degree of OR.

The k-private circuits employed in [26] are based on MPC protocols that resist a constant fraction of corrupted parties. As such, they have the property that their N wires can be partitioned into n “symbols” in \(\varSigma =\{0,1\}^{N/n}\), such that the wire distributions on different inputs are k-wise indistinguishable over \(\varSigma \) for \(k=\varOmega (n)\). Thus, Claim 23 implies that these k-private circuits achieve a good level of disjunctive resilience without any modification.