Hi. Okay. So I'm going to tell you about a bunch of results we have about this thing called conditional disclosure of secrets. I'll start by telling you what it is. This is the setting. You have a predicate f on two inputs; it's public, everyone knows it. And you have three parties: Alice, who knows x, one of the inputs to f; Bob, who knows y; and Carol, who knows both x and y. In addition, Alice and Bob have some shared randomness and a secret s. For now, think of the secret as a single bit. They each compute one message based on whatever they know and send it to Carol. That's all that happens. Their objective is twofold. First, if the predicate f evaluates to one on their inputs x and y, then they're supposed to reveal the secret to Carol: she should be able to recover the secret given just the messages and x and y. On the other hand, if the predicate is zero on x and y, then they want to hide the secret from Carol. We formalize this by saying that you can simulate the distribution of the messages without knowing the secret; if the messages can be simulated without the secret, they can't carry much information about it. So they want to reveal the secret to Carol if and only if the predicate evaluates to one on the inputs, where each of them knows one part of the input. And they want to do this while minimizing the amount of communication. That's the measure of complexity in this model: the total number of bits communicated in the protocol. So this is the model, and what we want to do is study the complexity of different predicates in it, the communication you need to realize different predicates.
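To make the model concrete, here is a sketch of a standard CDS protocol for the equality predicate, f(x, y) = 1 iff x = y, over a small prime field. This example is my own illustration, not from the talk; the modulus P and the function names are arbitrary choices.

```python
import random

P = 101  # a small prime modulus; illustrative choice

def alice_msg(x, a, b):
    # Alice knows her input x and the shared randomness (a, b).
    return (a * x + b) % P

def bob_msg(y, s, a, b):
    # Bob knows his input y, the secret s, and the shared randomness (a, b).
    return (a * y + b + s) % P

def carol_reconstruct(x, y, m_a, m_b):
    # When x == y, m_b - m_a = a*(y - x) + s = s, so Carol recovers the secret.
    return (m_b - m_a) % P

# One run of the protocol on equal inputs:
a, b = random.randrange(P), random.randrange(P)
s = 1
m_a, m_b = alice_msg(5, a, b), bob_msg(5, s, a, b)
assert carol_reconstruct(5, 5, m_a, m_b) == s
```

When x != y, the pair (m_a, m_b) is uniform over the whole message space regardless of s (b masks Alice's message and a(y - x) masks the rest), so a simulator that outputs two independent uniform field elements witnesses privacy. Total communication is two field elements.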
Sometimes we'll also concern ourselves with the amount of randomness used, but the main measure of complexity is the communication. So this is conditional disclosure of secrets. Why do we want to study it? It turns out to be related to a lot of different things; I won't really have time to go into most of them. Perhaps the one of primary importance is its relationship with attribute-based encryption: by itself, CDS is a very simplified version of attribute-based encryption that gives you one-time security. There's more to it than that, but I won't have time to go into this. The application I'm most interested in is the last one. In a sense, CDS is a very simplified model of a certain functionality in multiparty computation, and if you want to prove communication bounds for multiparty computation in general, then it's worthwhile to study the simpler model first; maybe you can develop tools that work here and then scale them up to full-fledged multiparty computation. So these are reasons to study conditional disclosure of secrets. Let me tell you a little about what we know so far. The best general upper bound we know for arbitrary predicates is due to Liu, Vaikuntanathan, and Wee, and you'll hear about this in 20 minutes' time or so: for any predicate f on n-bit inputs, you can do CDS with something like 2 to the square root of n bits of communication. Note that it's not even clear a priori that you can do CDS for every predicate; it's not trivial, but it turns out that you can, and with this much communication. And if your predicate has additional structure, say it's computable efficiently by branching programs or span programs, then you can do much better than this. So these are the best upper bounds we know.
In terms of lower bounds, we know examples of predicates on n-bit inputs that require log n bits of communication. This is due to Gay et al., and these are simple predicates, like the inner product predicate. They also consider a specific kind of CDS called linear CDS, in which the reconstruction function that Carol runs is linear in the messages. This restriction is significant because it has strong connections with attribute-based encryption. They show that under this restriction, the same predicate, the inner product predicate for example, requires at least square root of n bits of communication. So broadly, this is what was known before. In the rest of my talk, I'll tell you some of the results we have: a collection of results about different aspects of CDS, about different transformations you can apply to CDS protocols, and some lower bounds. I won't be able to go into all of these in detail, but I will tell you about one of them in detail and try to give you some idea of how the others come about. Before I do any of this, though, I want to present a slightly different view of CDS, a view that actually helped us arrive at many of the results we have, and it will make sense, you'll see. So this is the diagram from earlier, with the parties and the randomness and everything, and I want to show how this model relates to the statistical difference problem, which I'll define shortly. I want to concentrate on the distribution of the messages. Fix the inputs x and y for now. Now, depending on whether the secret is zero or one, you get different distributions over the messages, right?
You have this randomness r, sampled uniformly at random, and based on it you get these two distributions over the messages. What I want to do is restate the properties required of a CDS protocol in terms of properties of these distributions. What do I mean? Take the correctness property: it says that if the predicate is one, then Carol should be able to recover the secret. I claim this is the same as saying that if you take an input x, y on which the predicate evaluates to one, then these two distributions over the messages, in the case where the secret is zero and the case where it is one, are statistically far. Because if you can retrieve the secret, they have to be far: if they were close, you couldn't retrieve it. And you can see that the converse also holds, with some loss; this is roughly true. Similarly, for privacy: if the predicate value is zero, then by a simple triangle inequality, the existence of the simulated distribution implies that the two distributions are close. So what is this saying? It says that any CDS protocol for a predicate f gives you a way to sample these distributions, and they are sampled in a specific manner: each message pair has two parts, m_A and m_B, where m_A is sampled knowing just x, and m_B is sampled knowing just y. So these are distributions that can be sampled in this decomposable manner. A CDS protocol for a predicate f associates with each input x, y a pair of decomposably sampled distributions with the property that if f(x, y) is one, then these distributions are far, and if f(x, y) is zero, then they are close. And now I can talk about the statistical difference problem.
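To make the far/close view concrete, here is a toy check (my own illustration, not from the talk) using a standard one-bit CDS for the AND predicate: Alice sends s XOR r when x = 1, Bob sends the mask r when y = 1, and otherwise each sends 0. Enumerating the shared randomness shows the two message distributions are far exactly when f(x, y) = 1:

```python
from collections import Counter
from fractions import Fraction

def messages(x, y, s, r):
    # A standard one-bit CDS for AND(x, y): Alice masks the secret with the
    # shared random bit r; Bob releases the mask only when y = 1.
    m_a = (s ^ r) if x == 1 else 0
    m_b = r if y == 1 else 0
    return (m_a, m_b)

def message_dist(x, y, s):
    # Distribution over message pairs, with r uniform in {0, 1}.
    c = Counter(messages(x, y, s, r) for r in (0, 1))
    return {m: Fraction(n, 2) for m, n in c.items()}

def tv_distance(p, q):
    # Statistical (total variation) distance between two distributions.
    keys = set(p) | set(q)
    return sum(abs(p.get(k, Fraction(0)) - q.get(k, Fraction(0))) for k in keys) / 2
```

For (x, y) = (1, 1) the s = 0 and s = 1 distributions have disjoint supports, so their statistical distance is 1 (correctness); for every other input the distance is 0 (privacy). Note also that each message depends only on that party's own input plus the shared r, so these are exactly decomposably sampled distributions.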
The statistical difference problem is the same thing, except that instead of decomposably sampled distributions you have efficiently sampled distributions: you have small circuits that sample them. This problem has been studied extensively in the past, one reason being that it is complete for the class of problems that have statistical zero-knowledge proofs. And this connection between CDS and the statistical difference problem enables us to use a number of techniques that were developed for the statistical difference problem, in the study of statistical zero-knowledge proofs, to prove results about the communication complexity of CDS. So this is the point of view I want to take: CDS is somehow statistical zero-knowledge, and it relates in this manner to the statistical difference problem. Let me give an example of how this point of view helps. Here is our first result. We construct a predicate, call it PColl; I'll explain the name soon. It's slightly unbalanced in the sizes of its inputs, but don't worry about that. For this predicate PColl there is a very efficient CDS protocol that takes just log n bits, but the predicate has very high randomized communication complexity, and also very high linear CDS complexity, which in fact follows from the former by a result of Gay et al. And, as I will describe shortly, the construction of this predicate is inspired by, in fact uses, problems that were used to show oracle separations between statistical zero-knowledge and other classes like BPP.
Showing oracle separations basically comes down to showing query complexity bounds, and then you use certain techniques to lift these query complexity bounds to the communication complexity setting, which is where the pattern matrix method comes in. So I'm going to tell you what this predicate is, and very briefly how the separation comes about, just to give you an idea of how the statistical difference problem comes in. To define it, I first have to introduce a different function called the collision problem. The collision problem is defined on Boolean strings of length n log n. Take such a string z and divide it into n blocks of log n bits each. Consider the function h_z whose truth table is given by z: it's a function on log n bits with log n bits of output, where h_z(i) is just the i-th block of z; you interpret the log n-bit input as a number i between 1 and n and output the i-th block. The collision function is then the following promise problem: is the function h_z defined by z one-to-one, or is it two-to-one? This problem was used by Aaronson to show oracle separations between SZK and other classes. And why this function? Because of the following property of the zero and one cases. If the collision function is zero, that is, if your h_z happens to be a one-to-one function, then if you look at all the blocks of z, every possible block value occurs exactly once.
So if you take a random block and look at its value, this value will be uniformly distributed over {0,1}^(log n). On the other hand, if h_z is two-to-one, then half of the possible block values don't occur in z at all, so if you take a random block and look at its value, the distribution of this value will be very far from uniform. So in one case, the uniform distribution and the distribution of a random block's value are close, the same in fact, and in the other case they are far. This sort of property is how it relates to the statistical difference problem, and this is why it's useful in these settings. So this is what you have to remember: if the collision function is zero, then a random block's value is uniformly distributed; if it is one, then it's far from uniform. So that's the collision function. Now I'm going to define the PColl predicate from it. The collision function takes one string as input, but I want two strings, because in our model the predicate has two inputs. So I want to split this input into two parts, and I'm going to do it in a certain manner. The predicate PColl will be defined as the collision function applied to the string that comes out of a certain operation on x and y, which I'll describe now. So you have the two inputs x and y; x is of length 4n log n. You start by dividing it into small chunks of size four, so you have n log n chunks of size four. And y, remember, is of length 2n log n; you divide it into chunks of size two and interpret each pair of bits as a number between one and four.
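A small sketch of the collision promise problem (my own rendering: I represent the truth table directly as a list h of the n block values rather than as the bit string z):

```python
from collections import Counter

def collision(h):
    # h[i] is the value of the i-th block of z, i.e., h_z(i).
    # Promise: h_z is either 1-to-1 (output 0) or 2-to-1 (output 1).
    counts = Counter(h)
    if all(c == 1 for c in counts.values()):
        return 0
    if all(c == 2 for c in counts.values()):
        return 1
    raise ValueError("promise violated")

def occurring_values(h):
    # In the 1-to-1 case every possible value occurs, so a random block's
    # value is uniform; in the 2-to-1 case half the values never occur.
    return set(h)
```

For example, with n = 8, a permutation like [3, 1, 4, 0, 5, 7, 2, 6] has collision value 0 and all 8 values occur, while [0, 0, 1, 1, 2, 2, 3, 3] has collision value 1 and only 4 of the 8 values occur.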
So again you have n log n chunks. You line these up and use the entries of y as pointers into x: from the first chunk of x you take the bit that the first chunk of y points to, and so on, and you concatenate to get an n log n-bit string. I'll call this the indexing operation; this is x indexed by y. And the predicate we have is simply this: PColl takes x and y as input and applies the collision function to x indexed by y, right? So where earlier I had one input, now I have two, and I give one to Alice and the other to Bob. Now, why did we do this in this peculiar manner? Because it turns out that when you break up functions in this manner, we know how to show communication complexity lower bounds. This works as follows. Ambainis and Kutin showed a lower bound on the approximate degree of the collision function, and Sherstov showed how to lift such a lower bound on approximate degree to a lower bound on the randomized communication complexity of the composed function, when it is constructed in this manner. That's why we split the input this way. And the reason we chose the collision function in particular is that it has the statistical zero-knowledge structure that we'll use in a moment. So this gives the randomized communication complexity lower bound, and Gay et al. showed that this in fact implies a lower bound on linear CDS complexity. That's the lower bound part. Next I'll briefly describe a CDS protocol for the PColl predicate that is very efficient, not linear, and much cheaper: a logarithmic amount of communication. So here's what you do. You have Alice and Bob; Alice has x, Bob has y.
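A minimal sketch of the indexing operation described above, with bits as Python lists and positions zero-indexed (the talk counts from one):

```python
def index_by(x_bits, y_bits):
    # x has 4*m bits viewed as m chunks of 4; y has 2*m bits viewed as m
    # chunks of 2, each naming a position inside the matching chunk of x.
    # In the talk m = n * log n, and the output is "x indexed by y".
    m = len(x_bits) // 4
    assert len(y_bits) == 2 * m
    out = []
    for i in range(m):
        chunk = x_bits[4 * i : 4 * i + 4]
        pointer = 2 * y_bits[2 * i] + y_bits[2 * i + 1]  # in {0, 1, 2, 3}
        out.append(chunk[pointer])
    return out
```

For instance, with two chunks, index_by([0,1,0,0, 1,1,1,1], [0,1, 1,0]) selects bit 1 of the first chunk and bit 2 of the second, giving [1, 1].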
These two inputs implicitly define the string x indexed by y, and we care about the collision function applied to this string, which involves breaking it into blocks of size log n. And remember: if the collision function is zero, a random block's value is uniformly distributed, and if it is one, it is far from uniform, right? So what Alice and Bob are going to do is pick a random i, that is, pick a random block (there are n blocks), and somehow securely communicate the value of that block to Carol. You can do this using what are called private simultaneous messages protocols, which I won't have time to talk about now. But basically this is what they do: if the secret is zero, they securely communicate the value of the randomly chosen block to Carol, and if the secret is one, they communicate a completely random string of length log n. Now, if the value of the predicate is zero, then we said a random block is uniformly distributed, so in both cases Carol sees the same distribution. But if the value of the predicate is one, then a random block's value is far from uniform, so in the case s equals zero the distribution Carol sees is far from uniform, while in the case s equals one it is exactly uniform; so the two are far apart. So in the case we call zero, you get two decomposably sampled distributions that are exactly the same, and in the case we call one, they are far apart, and that gives you correctness. Yeah. So this again shows the usefulness of considering this equivalence between CDS and statistical zero-knowledge, because that's where we got the collision function from: we chose it because it has this nice statistical zero-knowledge structure.
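Abstracting away the PSM subprotocol and the indexing (my own simplification, not the talk's actual construction), the view Carol gets can be sketched as a distribution over values: the value of a uniformly random block when s = 0, and a fresh uniform value when s = 1.

```python
from collections import Counter
from fractions import Fraction

def carol_view(h, s):
    # h[i] is the value of the i-th block of (x indexed by y); there are
    # n blocks with values in range(n). Returns the distribution of the
    # value that the (abstracted) PSM subprotocol conveys to Carol.
    n = len(h)
    counts = Counter(h) if s == 0 else Counter(range(n))
    return {v: Fraction(c, n) for v, c in counts.items()}

def tv_distance(p, q):
    # Statistical (total variation) distance between two distributions.
    keys = set(p) | set(q)
    return sum(abs(p.get(k, Fraction(0)) - q.get(k, Fraction(0))) for k in keys) / 2
```

When h is 1-to-1 the two views are identical (distance 0, so the secret is hidden); when h is 2-to-1 the distance is 1/2, so Carol can distinguish the two cases with constant advantage. The resulting constant correctness error is the kind of thing the amplification result mentioned later is for.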
And then we were able to translate it to this setting using this PSM tool in between. Yeah. So that's the separation. In the time I have left, I'm going to quickly describe the other results we have and maybe say a couple of sentences about each. The next thing we can show is that the complexity of CDS is closed under composition with Boolean formulas. What do I mean? Say you have predicates f_1 to f_m which have CDS protocols with communication complexities t_1 to t_m and randomness complexities rho_1 to rho_m. Then we show how to construct a CDS protocol for a Boolean formula H composed with all these predicates, with communication and randomness complexity that are polynomial in the respective complexities and linear in the size of the formula. The construction follows from transformations similar to those shown for the statistical difference problem by Sahai and Vadhan, along with the PSM protocols I mentioned earlier; again, this comes from looking at the equivalence between CDS and statistical zero-knowledge. The next thing is amplification. We show how to take a CDS protocol with constant privacy and correctness errors that works for a single-bit secret, and transform it into a CDS protocol for the same predicate with longer secrets and much smaller correctness and privacy errors, at the cost of a linear overhead in the communication: the communication is multiplied by k and the errors become 2 to the minus k. A certain version of this follows from what is called the polarization lemma, which is another transformation for the statistical difference problem, but it turns out that in this setting of parameters you can do better using ramp secret sharing schemes.
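The closure-under-formulas idea can be illustrated with the classical secret-sharing trick for formula gates. This is a toy sketch under my own simplifications (the actual construction also has to manage errors and randomness): for an AND gate, additively share the secret between the two sub-protocols; for an OR gate, give both the same secret.

```python
import random

def share_and(s):
    # AND gate: Carol needs both sub-secrets to learn s, since s = s1 XOR s2
    # and either share alone is a uniform bit independent of s.
    s1 = random.randrange(2)
    return s1, s ^ s1

def share_or(s):
    # OR gate: recovering either sub-secret suffices.
    return s, s

def run_sub_cds(predicate_value, sub_secret):
    # Toy stand-in for a sub-CDS: reveals its sub-secret iff its predicate holds.
    return sub_secret if predicate_value == 1 else None

def carol_and(out1, out2):
    return out1 ^ out2 if out1 is not None and out2 is not None else None

def carol_or(out1, out2):
    return out1 if out1 is not None else out2
```

So Carol learns s exactly when the formula gate evaluates to 1 on the sub-predicates, and recursing over a formula H gives the linear-in-formula-size overhead the result describes.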
So these three followed from looking at the connections with statistical zero-knowledge; the remaining results are somewhat different. The next thing we can show is a non-explicit lower bound for CDS. Like I said earlier, the previously known lower bound was for an explicit function: Gay et al. showed a predicate that requires log n bits of communication. What we show is non-explicit: we don't know what the function is, but by a counting argument we show that there exists a predicate that requires a linear number of bits of communication. This is shown by reducing to existing lower bounds for the private simultaneous messages model that I mentioned earlier, due to Feige, Kilian, and Naor. And the last thing is an amortization theorem, where we say that if you have one predicate and a very, very long secret, then we show how to construct a CDS protocol for this predicate and secret where the number of bits of communication per bit of the secret is linear in n. If you took the best known protocol and repeated it independently for each bit of the secret, you would incur its full cost, 2 to the square root of n or so, per bit; but if your secret is long enough, you can do much better than that. Yeah, so this is what we have: a collection of results about different aspects of conditional disclosure of secrets. The things I wanted to highlight are these connections it seems to have with the statistical difference problem and the things we can do with them. And there are of course questions about whether you can do similar things with other models, like the private simultaneous messages model I was talking about, which I did not quite describe. Does that have connections to something else which you can exploit in a similar manner?
Also, the best known techniques for lower bounding PSM already lower bound CDS; that's what we did, we reduced lower bounding CDS to lower bounding PSM. Whereas it's believed that PSM can be much more expensive than CDS. So this says that if you want to prove stronger lower bounds on the PSM model, you may need new techniques. But yeah, this is what we have, and there is room for improving almost all of these results, which I hope people do. Yeah, thanks, that's what I had to say.