 OK. Thank you for the introduction. I'm Chris, and I'm going to tell you today about low complexity secret sharing schemes. And this is joint work with Andre Bogdanov, Yvalli Shai, and Emmanuel Levy-Ola. OK, so let's start with a really simple warm-up slide. What is a secret sharing scheme? So we have some secret bit. We take it to be 0 or 1. And if we have a more complex secret, we just have more bits, and we do the scheme several times. And somehow, we want to distribute this secret bit to a group of n people so that small coalitions have no access to any information whatsoever, but a sufficiently large coalition is able to reconstruct the secret. And in this talk, we're going to be talking about ramp schemes. That's just a generalization of threshold secret sharing where we may have some sort of gap between the security and the reconstruction thresholds. OK, so let me go a little bit more in depth here about what our specific model is. So we have, of course, the dealer with a secret bit. And this dealer will also have two probability distributions, mu and nu. And these distributions are over sigma to the n. But for now, it's probably best to just think of sigma as being 0 or 1. And so these are distributions over n bit strings. And so the dealer has some secret. And depending on what his secret is, he will sample from one of the two distributions. And it's important to note that the distributions are publicly known and also the correlation between what the secret is and what distribution will be sampled from. So once we've sampled our n bit string, we'll give a bit to each of n parties. And they try to reconstruct by applying some Boolean function to their shares. And the way that we quantify the reconstruction advantage is by the difference of the acceptance probability under the Boolean function f. And this is a slightly non-standard way of looking at the reconstruction advantage. But just the way to think about it is that if we have epsilon equal to 1, then that means we have perfect reconstruction. So we want to have epsilon as large as possible. OK. So this is good. But I haven't told you what distributions we've sampled from. And I haven't said how we get our security. So that's why we introduced this notion of bounded indistinguishability for distributions over at the moment n bit strings. And this is just a generalization of KY's independence. With KY's independence, we require that the KY's marginals be uniform. And KY's indistinguishability is a property of a pair of distributions. And it just states that those very same marginals are identical to each other. So the upshot of this is that we sample our secret shares from distributions mu and nu that are KY's indistinguishable. Then we immediately get our security guarantee because parties of size at most k can not distinguish between the distributions based on the view of their shares. So just to formalize notation and summarize what I've given you so far, we have an nk secret sharing scheme with advantage epsilon. That's nothing but just a pair of KY's indistinguishable distributions mu and nu, and some reconstruction function f that can distinguish between them with some advantage epsilon. So with this ordered pair notation, n is just telling us the number of parties in case our security guarantee. So the main focus of this talk is can we have simple reconstruction functions? And there's a common unhappy theme among many secret sharing schemes that already exist. And that theme is that the reconstruction cannot be done with AC0 circuits, the polynomial size concept of circuits. And just to convince you of this, hopefully, a very, very simple scheme that you might think of is just to use the XOR function and to sample our shares uniformly at random, but just conditioned on the fact that the parity is equal to the secret. But of course, in order to reconstruct, you must compute the parity function, which is not in AC0. And with something like Shamir's secret sharing scheme that requires computing linear functions and some linear algebra, and it's also not possible in AC0. So the first punchline of the talk is that we will be constructing schemes that allow reconstruction in AC0. OK, so I've been talking about how simple can we make these schemes, right? So what is the simplest reconstruction function you might think of? Well, the OR function seems quite simple, right? And of course, the simplest secret shares that we can have are just single bit shares. So what can we do with reconstruction by OR and single bit shares? Well, this is actually related to visual secret sharing, which was introduced by Nora and Shamir in the 90s. And so what is visual secret sharing? Well, our secret in this case is something, some picture like an umbrella or anything, a black and white picture. And what we do is for every pixel in this picture, we will run the secret sharing scheme. And of course, we have some correlation between 0 and 1 and black and white. And once we run our secret sharing, we get shares that look like this. And so if you give people these shares, they look at the image that they've got, which is a secret sharing scheme for every pixel. And they see absolutely nothing in terms of what the image really is. And if we print these shares on overhead transparencies, where you can stack them on a overhead projector, you get to implement the OR function that way. Because if you just stack these transparencies, you'll have a black pixel at a given location exactly when at least one of the pixels in that stack is black. So that's what's very nice about the OR function is it's so simple you can physically implement it just by stacking these transparencies. So if we have an NK secret sharing scheme for OR, what that means is we could get a visual secret sharing scheme where if you stack up the K transparencies, you still get an essentially random image. But when you stack N transparencies, you're able to visually determine what the secret is. And the reason that this is not a perfectly black and white image is just due to the fact that there are some distinguishing advantage of the OR function for the distributions that we use. And it may not be perfect. OK, so let me give you a little bit of background about visual secret sharing. And it turns out that if we require a sharp threshold in these schemes, so if we stack K transparencies, you see nothing. But if we stack K plus 1, you can tell what the image is. So if we acquire this sharp threshold, then the contrast in our image must vanish exponentially in K. So what that means is eventually it'll be essentially impossible to determine what the secret image is just by looking at it. And a question that we ask is whether we can get a scheme that is secure against as large as K as possible. But we want to get this contrast to be independent of K. We don't want it to have to vanish with K, assuming that we reconstruct with all N parties. So this is why it's a RAMP scheme. We now have a gap between K and N, which are our security and reconstruction thresholds. But our goal is to get constant contrast. And just to rephrase this question in a way that will be helpful later, this is exactly the same thing as asking, how large can we take K so that the OR function is able to distinguish K-wise and distensional distributions with some constant advantage? And we're lucky. There's a very nice way of characterizing exactly when this is possible for a given function. So it's possible to write down the property of being able to distinguish these distributions as a linear program. And if you take the dual of the program, you end up getting essentially a representation of a complexity measure of F called the approximate degree. And this approximate degree is the degree necessary of real-valued polynomials to approximate F to within some constant, usually taken to be 1 third, every input, so in the L infinity sense. And so the exact statement of our primal dual relationship here is that F is epsilon-fooled by K-wise and distensional distributions, meaning for every pair of such distributions it's fooled, exactly when F is not complex in terms of its approximate degree. OK, maybe you aren't familiar with approximate degree, but as a first example, we can discuss the OR function, because this will apply to visual secretionary. And Nissan and SegaD in the 90s, and then later Mark Bund and Justin Taylor, have shown that the epsilon approximate degree of the OR function is on the order of square root of n. So what does this mean? Well, that just means that OR can have a constant distinguishing advantage among these distributions for K as large as root n, but not bigger. So what does this mean? Well, we immediately get a visual secret sharing scheme where if we stack square root of n transparencies, you get nothing that you can distinguish. But if you stack all the transparencies, you can see the image. And already we're able to kind of get a separation between the notions of bounded indistinguishability and bounded independence. By the result of Braverman, we know that polylogarithmic independence is sufficient to fool everything in AC0. But of course, the OR function is an AC0 function. And yet I've just shown you that it can distinguish order root n-wise indistinguishable distributions. And we can make this gap even bigger. The majority function, it's not an AC0 function, but regardless, it is fooled by just a constant amount of independence. Yet by this approximate degree result of Peturi, we know that it can distinguish order n-indistinguishable distributions, or at least some pair of such distributions. OK. So just to take our duality connection and phrase it exactly in terms of secret sharing, we know that we get an NK scheme with a single bit alphabet and reconstruction by the function f, if and only if the epsilon approximate degree of f is bigger than or equal to k. So let me give you a little history of this duality connection. It's been kind of hidden in some works for a while, originally starting with the work of Lineal and Usan in 1990 who studied approximate inclusion and exclusion. And it's kind of popped up under the radar in a couple of other places. But it's never been made very explicit. And it's never been thought about in a cryptographic context. And another nice way of, or another nice feature of writing it down in this way is that we also can immediately learn this connection to a threshold degree. And threshold degree is similar to approximate degree, but it's the degree required to sign represent a Boolean function rather than represent within a constant. And what does threshold degree relate to? Well, it just relates to the schemes where we have perfect reconstruction. So it's like stacking these transparencies and getting the umbrella. And we only have black and white pixels. And finally, another nice feature of this is that we can use this connection to show that the distributions that we need to sample from in our schemes are sampleable with AC0 circuits as well. OK, so I mean, obviously with this kind of connection to approximate degree, we can consult the literature. And we immediately obtain a whole bunch of schemes. I've already told you about the OR and majority ones. There's one for element distinctness. And there's these two here. These are threshold degree bounds. And so we get secret sharing scheme for reconstruction by these functions. And they're perfect reconstruction. And it just follows from these following works immediately. So let me take a couple of minutes now and tell you about a connection to secure multi-party computation. So we have some client inputs X0 and X1. And they're trying to compute this function on their joint inputs. And we want to go beyond honest majority assumption and ask, what if every server is compromised in some way? And it turns out that what I've told you so far has applications to setting the global leakage of a low complexity bit. So what we're going to be talking about is T-secure MPC protocols. And all these are our protocols where our views of the end servers are T-wise indistinguishable. And why are we considering indistinguishability in this sense? Well, unlike in secret sharing, it's essentially impossible to have T-wise independence in these protocols because the servers are allowed to communicate with each other. So a question is, suppose we have a T-secure MPC. Can we say that it is secure against some leakage functions? And the answer is yes, it's secure against a leakage function L as long as the approximate degree of L is less than T. And I'll note that these leakage functions, what I've told you about, only suffice for views where the servers have a view of a single bit. And yes, that's a valid complaint. But at least with functions like or and, it doesn't really matter so much because you can take an or of bits in any order without changing anything. So anyway, we get a win-win here. And so if a function has low approximate degree, then that's a win for MPC protocols. In the worst case, because it means every MPC protocol that's T-secure for large enough T will be secure against leakage of that function. But on the other hand, if a function has very high approximate degree, we can still be happy because we can get a secret sharing scheme with that function which has a better security guarantee. So of course, the title of the talk is about the complexity of these things. And I've shown you five schemes so far that have reconstruction functions in AC0, or actually four schemes, the majority functions on. So we know that reconstruction's in AC0, but there's another perspective that we could consider here, which is whether or not we can sample the schemes necessary with just AC0 circuits. And it turns out that we can do this. I won't go into the detail so much of how we prove it, but it turns out that if we have a symmetric reconstruction function, we can assume without loss of generality that our distributions in our scheme will be symmetric. And just knowing that makes it quite easy to apply another work of Viola or a co-author and show that these distributions are sampleable in AC0. And for some of the other functions I've told you about that are not symmetric, we can just do a little bit of extra work and show that those schemes also support sampleability in AC0. So it seems like a lot of good news so far, I hope. I mean, we have these schemes, and we have reconstruction in AC0. We have sampling of the shares in AC0. But I'm going to say I'm not satisfied so far. And why am I not satisfied? Well, we still have a polynomial gap between our security and reconstruction thresholds. And we also only have a constant probability of success or a constant probability of failure. So the question is, can we address these two issues without sacrificing the main theme, which is implementation in AC0? And yes, we can do that. Just to skip to the main punchline, if we increase our share lengths from being just single bits to being polynomial length shares, then we can obtain a near-threshold scheme and with only negligible reconstruction error. And it's still all in AC0. So the details of how we exactly get here are outside the scope of this talk. But the way that we do it is using a little bit of graph theory. We use bipartite disperser graphs. What is such a graph? Well, bipartite disperser graphs have n vertices on the left and m vertices on the right. And it's a k epsilon disperser if sufficiently large groups of vertices on the left touch, all but an epsilon fraction of vertices on the right. Very sensitive. So how do we actually apply this to secret sharing? So let's say that we start with some nk scheme l. Could be the one that we have for or that we've already talked about, but anyway, some ramp scheme. And let's say that we have a k epsilon disperser, bipartite disperser g. Then if you read our paper, you can see how we define a new secret sharing scheme called r that's just defined in terms of l and g. And just a hint about how we do this is we have the vertices on the left correspond to the parties in scheme l. And the vertices on the right correspond to parties in scheme r. And anyway, with the way that we define it, we can show that scheme r is a m, 1 minus epsilon, m scheme. So we've already increased our security guarantee to being against linearly sized coalitions, which is an improvement among this, which is probably a polynomial gap. And m are polynomial related as well. And the way that we do this reconstruction is preserved in AC0, but we have to pay something. And the cost for us is that our shares get blown up from being just single bits to being polynomial in the number of parties. And we can do even a little bit better than this. So the last scheme I'll tell you about is that we can have a scheme that is for sharing to m parties. And it has a security guarantee against sigma of m parties. And it can be reconstructed by row m parties. And sigma and row can be any constants you want. You can just pick them. So we can have a scheme that's secure against 49% of the parties, but with 49.1% of the parties, you can reconstruct a secret, at least for sufficiently large m. And our share length here is polynomial. As I told you, it would have to be. And the way that we do this is we use a slight variation of our disperser graphs. And we want disperser graphs that disperse well, but not too well. So maybe that's an interesting idea you haven't heard about. But we were able to define what we need, improve that they exist. And yes, the scheme is still implementable in AC0. And what about the error rate? Well, we can just repeat the scheme as many times as you'd like and take an approximate majority. And just by a turnoff bound, the error rate can become negligible. And the share length will still just be polynomial. OK, so just a few take-home points and open questions. I guess the first take-home is that this duality connection between bounded and distinguished ability and approximate degree gives us a wide range of secret sharing schemes. And they just come immediately out of the approximate degree here. Many of the schemes I've given you are implementable in AC0, not only in terms of reconstruction, but also share sampling. And probably the first major open question here is, can we get a better lower bound on the approximate degree of AC0 functions? And at the moment, the best we have is the element distinctness function has approximate degree order into the 2 thirds. But whether we can do better than that would be a nice thing to know, because that would give us a secret sharing scheme with single bit shares and an even better security guarantee. I've given you a trade-off between the length of our secret shares and our security. But of course, it could be improved. Can we do something better than polynomial length shares and still get the same near-threshold secret sharing? And then lastly, you can ask, what if rather than sampling from perfectly KY's independent distributions, we sample from approximately bounded in a single distributions? But for this, I'll have to refer you to a future work coming soon. So that's it. Thank you very much.