Share Conversion and Private Information Retrieval

by Amos Beimel, Yuval Ishai, Eyal Kushilevitz, and Ilan Orlov

Oded's comments

This paper presents a framework for the construction of (constant-server) PIRs and (constant-query) LDCs, which greatly abstracts and generalizes all known constructions (including the relatively recent breakthrough of Sergei Yekhanin and Klim Efremenko). This framework clarifies some aspects of these mysterious constructions, and also provides better quantitative results.

Unfortunately, the impressive conceptualization is not coupled with a clear exposition, but hopefully this will be improved in future versions. Let me try to provide a high-level descrption of the framework, which consists of a relatively large number of (appealing) steps. Notions that will feature below, but will intensionally remain undefined include "MPC for a function class", XSS (for various X's), and "C-share-conversion" (for a relation $C$).

  1. Constructing $k$-PIR of c-complexity $c(n)$ reduces to constructing $k$-server MPC of complexity $c(n)$ for a function class $F$ of VC at least $n$. [See Thm IV.3 in the paper]
    Thus, we need a class of high VC and a k-server MPC for it. The first is presented in step (2), and the second in step (3), although in applying this framework the design starts in step (3).
  2. For $m$ a product of two primes $p_1 [For sake of elegancy, the class $F(R,h)$ is defined for any ring $R$. I intensionally avoid defining this class here.]
  3. For two rings $R$ (indeed, we shall take $R=Z_m$) and $R'$, and any integer $h$, the construction of a $k$-server MPC of complexity $h \cdot s(R)$ for the class of functions $F(R,h)$, reduces to (i) the construction of a $k$-LSS scheme over $R$ that uses shares of length $s(R)$, and (ii) a $C_S$-share-conversion of the scheme in (i) to a $k$-ASS over $R'$, where LSS (resp., ASS) denote Linear (resp., Additive) Secret Sharing schemes. [Thm IV.2]
    [Indeed, I suggest to replace the pharse "share-conversion of $k$-SS over $R$ to $k$-SS' over $R'$ wrt $C$" by "$C$-share-conversion of $k$-SS over $R$ to $k$-SS' over $R'$". The belated "wrt" is bad...]
  4. Re (3i): An $k$-LSS with $s(R)=O(1)$ always exists [not stated...]
    Re (3ii): For $m$ a product of two primes, there exist a $C$-coversions from a 3-ASS over $Z_m$ to a 3-LSS over $Z_p^b$, for various $(m,p,b)$ triples including $m=6$ and $p=b=2$. [Thm III.5]
    [The relation $C$ used depends on a set $S_m$, and constructing this share-conversion requires using non-standard SS. In contrast, Klim uses a $C_m$-share-conversion of $Z_{m}$ to $Z_2^t$, for $m=2^t-1$, and so he has $m=511 = 2^9-1 = 73 * 7$. Therefore, Klim has 2*73 as the constant in the exponent, whereas you have $2 * 3 = 6$. The fact that your $R'=Z_2^2$ is smaller is much less significant.]
In summary,the contributions of this work are three-fold: (a) generalizing and abstracting the foregoing four-step plan, and specifically the roles of VC, SS, share-conversion, and MPC in it; (b) Finding share-conversions from much smaller rings $R=Z_m$; and (c) obtaining negative results on share conversion.

The original abstract

See proceedings of Complexity 2012; a full version may be posted on ECCC soon.

Back to list of Oded's choices.