Secret Sharing and Statistical Zero Knowledge
Abstract

Characterizations: We obtain an almostcharacterization of access structures for which there are secretsharing schemes with an efficient sharing algorithm (but not necessarily efficient reconstruction). In particular, we show that for every language \(L \in {{\mathbf {SZK}}_{\mathbf {L}}}\) (the class of languages that have statistical zero knowledge proofs with logspace verifiers and simulators), a (monotonized) access structure associated with L has such a secretsharing scheme. Conversely, we show that such secretsharing schemes can only exist for languages in \({\mathbf {SZK}}\).

Constructions: We show new constructions of secretsharing schemes with both efficient sharing and efficient reconstruction for access structures associated with languages that are in \({\mathbf {P}}\), but are not known to be in \({\mathbf {NC}}\), namely BoundedDegree Graph Isomorphism and constantdimensional lattice problems. In particular, this gives us the first combinatorial access structure that is conjectured to be outside \({\mathbf {NC}}\) but has an efficient secretsharing scheme. Previous such constructions (Beimel and Ishai; CCC 2001) were algebraic and numbertheoretic in nature.

Limitations: We also show that universallyefficient secretsharing schemes, where the complexity of computing the shares is a polynomial independent of the complexity of deciding the access structure, cannot exist for all (monotone languages in) \(\mathbf {P}\), unless there is a polynomial q such that \({\mathbf {P}} \subseteq {\mathbf {DSPACE}}(q(n))\).
Keywords
Statistical zero knowledge Secret sharing1 Introduction
Secretsharing [8, 29], a foundational primitive in informationtheoretic cryptography, enables a dealer to distribute shares of a secret to n parties such that only some predefined authorized sets of parties will be able to reconstruct the secret from their shares. Moreover, the shares of any unauthorized set of parties should reveal no information about the secret, even if the parties are computationally unbounded. The (monotone) collection of authorized sets is called an access structure.
We call a secretsharing scheme efficient if both the sharing algorithm (executed by the dealer) and reconstruction algorithm (executed by the parties) run in time polynomial in n. Associating sets \(S \subseteq [n]\) with their characteristic vectors \(x_S \in \{0,1\}^n\), we can define a language \(L_{\mathcal {A}}\) associated with an access structure \(\mathcal {A}\).^{1} Namely, \(L_{\mathcal {A}}\) is simply the set of all \(x_S\) such that \(S \in \mathcal {A}\). For an access structure \(\mathcal {A}\) to have an efficient secret sharing scheme, it must be the case that the language \(L_{\mathcal {A}}\) is computable in polynomial time.
A major open question in informationtheoretic cryptography is:
Q1: Characterize access structures with efficient secretsharing schemes
Indeed, this question has been widely studied [6, 8, 19, 20, 29], culminating with the result of Karchmer and Wigderson [20] who showed efficient secret sharing schemes for various logspace classes.^{2} We refer the reader to Beimel’s excellent survey [4] for more details. In any event, it is wide open whether all of \(\mathbf {mP}\), the class of languages recognized by monotone polynomialsize circuits, has efficient secret sharing schemes.
Restricting the reconstruction algorithm to be a linear function of the shares gives us a special kind of secretsharing scheme called a linear secretsharing scheme. The KarchmerWigderson secret sharing scheme [20] for logspace classes is a linear secretsharing scheme. We also know that linear and even the slightly more general quasilinear schemes [5, 20] cannot exist for access structures outside \(\mathbf {NC}\), the class of languages computable by boolean circuits of polylogarithmic depth. Finally, Beimel and Ishai [5] showed nonlinear secretsharing schemes for two specific access structures associated to algebraic problems (related to computing quadratic residuosity and coprimality) which are in \(\mathbf {P}\) but are believed not to be in \(\mathbf {NC}\).
We will also study secretsharing schemes (which we call semiefficient) where the dealer is efficient, namely runs in time polynomial in n, however the reconstruction algorithm need not be efficient. Aside from their theoretical interest, such secretsharing schemes may find use in scenarios where sharing happens in the present (and thus has to be efficient) but reconstruction happens in a future where computational resources might be cheaper. This also justifies our desire to achieve informationtheoretic (unconditional) security since not only the honest parties, but also the adversary gains more computational resources with time.
Beimel and Ishai [5] show a semiefficient secretsharing scheme for the language of quadratic residuosity modulo a composite, which is believed not to be in \(\mathbf {P}\). However, quite surprisingly, a characterization of access structures with semiefficient secretsharing schemes also appears to be open:
Q2: Characterize access structures with semiefficient secretsharing schemes
As a parenthetical remark, we note that a different interpretation of efficiency is sometimes used in the secretsharing literature. Namely, a secretsharing scheme is termed efficient [9, 11, 21] if the total length of the n shares is polynomial in n. Let us call this notion size efficiency. This makes no reference to the complexity of either the sharing or the reconstruction algorithms. In this work, we use the strong interpretation of efficient, namely where both the sharing and reconstruction algorithms run in time \(\mathsf {poly}(n)\) and that of semiefficient where only the sharing algorithm needs to run in time \(\mathsf {poly}(n)\). We note that either of these two notions is stronger than size efficiency.
It is against this backdrop that we begin our study. Our main contribution is to develop an interactive proof lens to study these questions. As concrete results of this connection, we obtain an almostcharacterization of access structures with semiefficent secretsharing schemes (almost solving Q2), new combinatorial access structures conjectured to lie outside \(\mathbf {NC}\) which have efficient secretsharing schemes (extending [5]), and limitations on an ambitious notion of universally efficient secretsharing. We describe our results in detail below.
1.1 Our Results
Our central tool is a special type of twomessage interactive proof system (that we call Special Interactive Proofs). Roughly speaking, the restriction on the proof system for a language L (aside from the fact that it has two messages) is that the verifier uses a special procedure to accept or reject. In particular, the verifier V on input x and a uniformly random bit b, comes up with a message m to send to the prover. The prover wins (the verifier accepts) if he can guess the bit b, given m. If \(x \in L\), the prover should have a distinguishing (and therefore an accepting) strategy. However, if \(x \notin L\), the verifier messages for bits 0 and 1 should be statistically indistinguishable.
Before we proceed, we must clarify what it means to have a secret sharing scheme for a language L which is not necessarily monotone. We follow the approach of Beimel and Ishai [5] and define a (monotonized) access structure on 2n parties \(\{P_{i,0},P_{i,1}\}_{i\in [n]}\) associated with L (more precisely, \(L\cap \{0,1\}^n\)): for every i, the pair of parties \(\{P_{i,0},P_{i,1}\}\) is in the access structure, as is every set of parties \(\{P_{1,x_1},P_{2,x_2},\ldots ,P_{n,x_n}\}\) for all \(x \in L\). These are the minimal sets that make up the access structure \(\mathcal {A}_L\). Note that the complexity of deciding whether a set \(S \in \mathcal {A}_L\) is precisely the complexity of deciding the language L.
Our research in this direction was motivated by the fact that if, for some language L, \(\mathcal {A}_L\) has a semiefficient secret sharing scheme, then L has a special interactive proof: the verifier simply shares a random bit b according to the sharing algorithm and sends the prover the shares corresponding to the input, and the prover has to guess b. The honest prover runs the reconstruction algorithm, and completeness and soundness are guaranteed by correctness and privacy of the secret sharing scheme, respectively. We then investigated the circumstances under which the converse might also hold. We were able to show the following:
Theorem 1
(Informal). Let L be a language and let \(\mathcal {A}_L\) be the associated access structure. If L has a special interactive proof with a logspace verifier, then \(\mathcal {A}_L\) has a semiefficient secretsharing scheme. Conversely, if \(\mathcal {A}_L\) has a semiefficient secretsharing scheme, then L has a special interactive proof.
Our proof goes through the notion of partial garbling schemes, defined and studied in the work of Ishai and Wee [18].
Characterizing SemiEfficient SecretSharing. Using Theorem 1, we characterize access structures that have semiefficient secretsharing schemes: we show that all languages in \(\mathbf {SZK}_{\mathbf {L}}\), the class of languages with statistical zero knowledge proof systems [28] where the verifier and simulator run in logspace, have semiefficient secretsharing schemes. This follows from the observation, using a result of Sahai and Vadhan [28], that L has a special interactive proof with a logspace verifier if and only if \(L \in \mathbf {SZK}_{\mathbf {L}}\). Conversely, it is easy to see that if a language L has a semiefficient secretsharing scheme, then \(L \in \mathbf {SZK}\), the class of languages with statistical zero knowledge proof systems with polynomialtime verifier and simulator. Together, this almost characterizes languages with semiefficient secretsharing schemes.
The class \(\mathbf {SZK}_{\mathbf {L}}\), which is contained in \(\mathbf {SZK}\), and hence in \(\mathbf {AM}\cap \mathbf {co}\mathbf {AM}\), contains several problems of both historical and contemporary significance to cryptography, such as Quadratic Residosity, Discrete Logarithm, and the Approximate Closest Vector Problem, as well as other wellstudied problems like Graph Isomorphism. For further details, including those about complete problems and about prospects of basing cryptography on the worstcase hardness of \(\mathbf {SZK}_{\mathbf {L}}\), see [12]. As a result of these containments, our characterization captures as a special case the BeimelIshai secretsharing scheme for the language of quadratic residuosity modulo composites [5].
We also show a version of this theorem for efficient (as opposed to semiefficient) secretsharing schemes. In particular:
Theorem 2
(Informal). Let L be a language and let \(\mathcal {A}_L\) be the associated access structure. If L has a special interactive proof with a logspace verifier and a polynomialtime prover, then \(\mathcal {A}_L\) has an efficient secretsharing scheme. Conversely, if \(\mathcal {A}_L\) has an efficient secretsharing scheme, then L has a special interactive proof with a polynomialtime prover.
Constructions of Efficient SecretSharing Schemes. We show new constructions of efficient secretsharing schemes for languages that are in \(\mathbf {P}\) but are not known to be in \(\mathbf {NC}\), namely BoundedDegree Graph Isomorphism [2, 26], and lattice Shortest and Closest Vector problems in constant dimensions [16, 24]. Our constructions arise from special interactive proofs for these languages together with an application of Theorem 2. In particular, our construction for BoundedDegree Graph Isomorphism gives us the first efficient secretsharing scheme for a combinatorial access structure conjectured to be in \(\mathbf {P}\!\!\setminus \!\!\mathbf {NC}\) (The results of Beimel and Ishai were for algebraic access structures associated to quadratic residuosity modulo primes and coprimality). Moreover, our interactive proofs and secretsharing schemes are simple, natural and easy to describe.
Limitations on Universally Efficient SecretSharing Schemes. Consider secret sharing schemes that are defined not for a given access structure, but uniformly for some class of access structures. The sharing algorithm in such a case gets a description of the access structure, in the form of a circuit or a Turing machine that decides membership in the access structure. Typically, the sharing algorithm runs for as much time as the Turing machine (and therefore as much time as required to decide membership). However, there is no apriori reason why this should be the case. Indeed, one can reasonably require that the sharing algorithm runs in some fixed polynomial time t(n), even though the access structure may take arbitrary polynomial time to decide. (We allow the reconstruction algorithm to run in arbitrary polynomial time to make up for the deficiency of the sharing algorithm). Can such universally efficient secretsharing schemes exist?
Our definition is inspired by the recent progress on (computationally secure) succinct randomized encodings [7, 10, 23, 25]. Indeed, these works show, assuming indistinguishability obfuscation [3, 14], that \(\mathbf {P}\) has computationally secure succinct randomized encoding schemes. One could also reasonably ask: Can such succinct randomized encodings exist unconditionally for all of \(\mathbf {P}\)? It was observed in [7] that this cannot be the case under certain complexitytheoretic assumptions about speeding up nondeterministic algorithms.
Using our interactive proof characterization, we show that unconditionally secure universally efficient secretsharing schemes (and succinct randomized encodings) cannot exist for all languages in \(\mathbf {P}\), unless there is a fixed polynomial q such that \(\mathbf {P}\subseteq \mathbf {DSPACE}(q(n))\) (the class of languages computable by a deterministic singletape Turing machine with q(n) space). We remind the reader that \(\mathbf {P}\ne \mathbf {DSPACE}(q(n))\) for any fixed q, although noncontainment either way is not known.
1.2 Related Work and Open Problems
In this work, we insist on statistical (or unconditional) security from our secretsharing schemes. A number of works relax this to computational security and achieve stronger positive results. Settling for computational security and assuming the existence of oneway functions, Yao [32, 34] showed an efficient secretsharing scheme for all monotone languages in \(\mathbf {P}\) recognized by polynomialsized monotone circuits. We mention that even here, we are far from a characterization as there are monotone languages in \(\mathbf {P}\) that cannot be recognized by polynomialsized monotone circuits [27, 30].
Komargodski, Naor and Yogev [22] also exploit the relaxation to computational security, and show secretsharing schemes for all of monotone \(\mathbf {NP}\), where the sharing algorithm is polynomialtime, and the reconstruction algorithm is polynomialtime given the \(\mathbf {NP}\) witness. Their result relies on strong computational assumptions related to indistinguishability obfuscation [3, 14].
While we show semiefficient secretsharing schemes for monotonized access structures corresponding to all languages in \(\mathbf {SZK}_{\mathbf {L}}\), it remains open to characterize which monotone languages in \(\mathbf {SZK}\) have semiefficient secretsharing schemes. The central difficulty is that even if a language is monotone, there is no reason why the verifier in the SZK proof for the language should inherit monotonicitylike properties (and indeed, this is hard to even define).
2 Preliminaries and Definitions
Notation. Given a set S, we denote by \(2^S\) the set of all subsets of S. Let \(T = (t_1, \dots , t_n)\) and \(B = \{i_1, \dots , i_m\} \subseteq [n]\); \(T_B\) is used to denote the tuple \((t_{i_1}, \dots , t_{i_m})\).
We use languages and Boolean functions interchangeably. Given a language L, we overload L to also denote the corresponding Boolean function, namely, \(L(x) = 0\) if \(x \notin L\) and \(L(x) = 1\) otherwise. Given a randomized algorithm A, we denote by A(x) the random variable arising from running A on x, and by A(x; r) the output when A is run on x with randomness r.
Given a distribution D over a finite set X and an \(x\in X\), we denote by D(x) the probability mass D places on x, and for a subset \(S\subseteq X\), \(D(S) = \sum _{x\in S} D(x)\). \(x\leftarrow D\) indicates that x is a sample drawn according to the distribution D. For a set S, \(x\leftarrow S\) indicates that x is drawn uniformly at random from S.
We use the notion of statistical distance (also called total variation distance or \(\ell _1\) distance) between distributions, defined as follows.
Definition 3
Of particular interest to us is the following relationship of statistical distance to the advantage of any unbounded procedure in distinguishing between two distributions given a uniform prior.
Fact 4
2.1 Complexity Classes
We briefly define the following complexity classes that are referred to frequently in the rest of the paper. To start with, \(\mathbf {P}\) (resp. \(\mathbf {BPP}\)) is the class of languages decidable in deterministic (resp. randomized) polynomial time and \(\mathbf {L}\) is the class of languages decidable in deterministic logarithmic space. \(\mathbf {NC}^k\) is the class of languages decidable by circuits of depth \(O((\log {n})^k)\) (here, n denotes the input length). A language is in \(\mathbf {NC}\) if it is in \(\mathbf {NC}^k\) for some k.
Definition 5

There is a constant c such that for all n, \(C_n\) has depth at most \(c (\log {n})^k\).

For any input x of length n, \(x\in L \Leftrightarrow C_n(x) = 1\)
\(\mathbf {DSPACE}(p(n))\) is the class of languages decidable by deterministic uring machines running with space p(n). Thus, \(\mathbf {L}\) is the union of \(\mathbf {DSPACE}(c \log {n})\) over all constants c.
Definition 6

\(x\in L \Leftrightarrow M(x) = 1\)

M uses at most p(x) cells on its work tape.
And finally, \(\mathbf {SZK}\) consists of languages that have Statistical Zero Knowledge (SZK) proofs, which are interactive proofs with some additional properties, as described below.
Definition 7

(P, V) is an interactive proof for L with negligible completeness and soundness errors.
 Let (P, V)(x) denote the distribution of transcripts of the interaction between P and V on input x. For any \(x\in L\) of large enough size,$$ d(S(x), (P,V)(x)) \le \mathrm {negl}(x) $$
The above is actually a definition of honestverifier Statistical Zero Knowledge, but we know from [28] that any language with an honestverifier SZK proof also has an SZK proof against cheating verifiers. So this follows as a definition of \(\mathbf {SZK}\) as well. We refer the reader to [31] for extensive definitions and explanations.
\(\mathbf {SZK}_{\mathbf {L}}\) is the same as \(\mathbf {SZK}\), but with the verifier and simulator running with logarithmic space. In this case too, the above definition is only for honest verifiers, but as this would only define a larger class, and we show positive results for this class, we will work with this definition.
2.2 Secret Sharing
Definition 8
(Access Structure). Given a set of parties \(P = \{P_1, \dots , P_n\}\), an access structure \(\mathcal {A}\) is a monotone collection of subsets of P. That is, if \(S \in \mathcal {A}\) and \(T \supseteq S\), then \(T \in \mathcal {A}\).
In the context of a secretsharing scheme, the access structure consists of all subsets of parties that are allowed to reconstruct a secret shared among them. Of course, as the access structure is monotone, it suffices to specify its minimal elements. Along the lines of [5], we associate with every language L an family of access structures \(\{\mathcal {A}_{L,n}\}_{n\in \mathbb {N}}\) where \(\mathcal {A}_{L,n}\) is defined for 2n parties. We will then study the efficiency of secret sharing schemes for access structures in such families as a function of n. As will be evident from the definition below, the complexity of deciding whether a set \(S \in \mathcal {A}_{L,n}\) is exactly the hardness of deciding the language.
Definition 9

\(\forall i: \{P_{i,0}, P_{i,1}\}\in \mathcal {A}_{L,n}\)

\(\forall x\in L\cap \{0,1\}^n: \{P_{1,x_1}, \dots , P_{n,x_n}\}\in \mathcal {A}_{L,n}\)
We use the following definition of secret sharing schemes.
Definition 10

\(S\) is the randomized sharing algorithm that takes as input a secret \(s \in D\) and outputs a sequence of shares \((s_1,s_2,\ldots ,s_n)\); and

\(R\) is the deterministic reconstruction algorithm that takes as input a subset of parties \(B \subseteq [n]\) and the corresponding subset of shares \((s_i)_{i\in B}\) and outputs either a secret s or a special symbol \(\bot \).
 1.
Correctness: For any \(B \in \mathcal {A}\) and any \(s\in D\), the reconstruction algorithm \(R\) works: \({\text {Pr}\left[ R(B, S(s)_B) = s\right] } \ge 1  \epsilon (n)\)
 2.
Privacy: For any \(B \notin \mathcal {A}\) and any \(s,s' \in D\): \(d(S(s)_B, S(s')_B) \le \delta (n)\).
The scheme is said to be semiefficient if \(S\) is computable in poly(n) time, and it is said to be efficient if both \(S\) and \(R\) are computable in poly(n) time.
Unless otherwise specified, the domain of secrets for all schemes we talk about in this work shall be \(\{0,1\}\), which is without loss of generality.
Remark 11
When we talk about access structures associated with promise problems, we require no guarantees from a secret sharing scheme for sets corresponding to inputs that do not satisfy the promise (even though technically they are not part of the associated access structure, and so privacy would otherwise be expected to hold).
While much of the literature on secret sharing schemes studies the size of the shares (and call schemes that produce shares of size \(\mathsf {poly}(n)\) efficient), we use a stronger interpretation of efficiency. Namely, in all our exposition, the sharing algorithm S is required to run in time polynomial in n. Thus, we will not discuss the sizes of the shares produced by the schemes, which is always \(\mathrm {poly}(n)\).
2.3 Partial Randomized Encodings
We use the notion of partial randomized encodings (defined as partial garbling schemes in [18]). They are essentially randomized encodings [17] where part of the input is allowed to be public.
Definition 12
 1.Correctness: \(\forall (x, z) \in \{0,1\}^n\times \{0,1\}^{n'}\):Note that the decoder gets the first half of the input, namely the public part x, in addition to the randomized encoding \(E_{f}(x,z)\).$$\begin{aligned} {\text {Pr}\left[ D_{f}(x, E_{f}(x, z)) = f(x, z)\right] } \ge 1  \epsilon (n) \end{aligned}$$
 2.Privacy: \(\forall x\in \{0,1\}^n\) and \(\forall z_1, z_2\in \{0,1\}^{n'}\):$$\begin{aligned} f(x, z_1) = f(x, z_2) \Rightarrow d(E_{f}(x, z_1), E_{f}(x, z_2)) \le \delta (n) \end{aligned}$$

\((E_{f}, D_{f})\) is local (or locally computable) if \(E_{f}\) can be decomposed into a set of functions \(\{E_{f}^{(i)}(x_i,z)\}_{i\in [x]}\), where \(E_{f}^{(i)}\) depends only on the ith bit of x and on z.

\((E_{f}, D_{f})\) is perfect if \(\epsilon (n) = \delta (n) = 0\).

\((E_{f}, D_{f})\) is said to be semiefficient if \(E_{f}\) is computable in poly(x, z) time, and it is said to be efficient if both \(E_{f}\) and \(D_{f}\) are computable in poly(x, z) time.
We can extend the above definition to PREs of randomized functions in a natural way. Namely, to construct an \((\epsilon , \delta )\)PRE for a randomized function A(x, z; r), simply construct an \((\epsilon , \delta )\)PRE \((E_{A'}, D_{A'})\) for the deterministic function \(A'(x,(z,r)) = A(x,z;r)\), and take \(E_{A}(x, z)\) to be the random variable \(E_{A'}(x, (z,r))\) when r is chosen uniformly at random, and have \(D_{A}\) be the same as \(D_{A'}\). Note that in \(E_{A'}\), the randomness r used by A is part of the private input. This is crucial, as revealing r along with x and A(x, b; r) could end up revealing b.
We then have the following lemma, whose proof is in Appendix A.
Lemma 13
We also use the following lemma.
Lemma 14
([1, 18]). Every function \(f: \{0,1\}^* \times \{0,1\}^* \rightarrow \{0,1\}^*\) that can be computed in \(\mathbf {L}/\mathrm {poly}\) has efficient perfect locally computable PREs, with encoding in \(\mathbf {NC}^0\) and decoding in \(\mathbf {NC}^2\).
Finally, we abuse notation slightly and define partial randomized encodings for languages (boolean functions) a bit differently, for somewhat technical reasons (instead of calling this object something different).
Definition 15
 1.
Correctness: \(\forall x \in L\) and \(b\in \{0,1\}\): \({\text {Pr}\left[ D_{L}(x, E_{L}(x, b)) = b\right] } \ge 1  \epsilon (x)\).
 2.
Privacy: \(\forall x\notin L\), \(d(E_{L}(x, 0), E_{L}(x, 1)) \le \delta (x)\).
Semiefficiency, efficiency and locality are defined as for general partial randomized encodings.
Lemma 16
([18]). Every language in \(\mathbf {L}/\mathrm {poly}\) has efficient perfect locally computable PREs, with encoding in \(\mathbf {NC}^0\) and decoding in \(\mathbf {NC}^2\).
2.4 Special Interactive Proofs
We define a special type of interactive proof system with two messages. Roughly speaking, the restriction on the proof system (aside from the fact that it has two messages) is that the verifier uses a special procedure to accept or reject. In particular, the verifier V on input x and a uniformly random bit b, comes up with a message m to send to the prover. The prover wins if he can guess the bit b, given m.
Definition 17
 1.
V is a PPT algorithm that takes as input an instance x and a bit b, and outputs a message m; and
 2.
P takes as input the instance x and the verifier message m, and outputs a bit \(b'\).
 1.
Completeness: \(\forall x\in L\), \({\text {Pr}\left[ P(x, V(x, b)) = b\right] } \ge 1  \epsilon (x)\).
 2.
Soundness: \(\forall x\notin L\), and for any \(P^*\), \({\text {Pr}\left[ P^*(x, V(x, b)) = b\right] } \le 1/2 + \delta (x)\).
While the restrictions imposed on these proofs seem rather severe, they turn out to be quite general. In fact, it follows from the work of Sahai and Vadhan [28] that the set of languages with such proofs is exactly the class \(\mathbf {SZK}\). See Theorem 20.
2.5 Statistical Zero Knowledge
Recall that the class \(\mathbf {SZK}\) is the set of languages that have statistical zeroknowledge proofs, and the class \(\mathbf {SZK}_{\mathbf {L}}\) is set of languages that have statistical zeroknowledge proofs where the verifier and the simulator (for a statistically close simulation) both run in logspace.
Definition 18
If \(M_1\) and \(M_2\) are logspace machines, then the language is called \((\epsilon , \delta )\) Statistical Difference for Logspace Machines, or simply \(SD_L\).
Theorem 19
([28]). For every \(\epsilon (n), \delta (n) = 2^{n^{O(1)}}\) such that \(\delta (n) < (1\epsilon (n))^2\), the \((\epsilon , \delta )\)SD problem is complete for \(\mathbf {SZK}\), and the \((\epsilon , \delta )\)\(SD_L\) problem is complete for \(\mathbf {SZK}_{\mathbf {L}}\).
We will use the following theorem which is a slightly stronger version of Theorem 19. We describe the proof (which follows from the proof of Theorem 19 in [28]) in Appendix B for completeness.
Theorem 20
([28]). There exist negligible functions \(\epsilon (n), \delta (n) = n^{\omega (1)}\) such that for any language \(L\in \mathbf {SZK}\), L has an \((\epsilon , \delta )\)special interactive proof system (P, V). Furthermore, if \(L\in \mathbf {SZK}_{\mathbf {L}}\), then the verifier V can be computed in logspace.
Sketch of Proof
For the main statement, we observe that the complete problem for \(\mathbf {SZK}\), namely \((\epsilon , \delta )\)SD, has a simple \((\epsilon /2, \delta /2)\)special interactive proof which works as follows.

The verifier V, on input an instance \((M_0, M_1, 1^n)\) of the SD problem chooses a uniformly random bit b, and outputs a sample from \(M_b^n\); and

The prover’s goal is to guess the bit b.
By Fact 4, it follows that the best success probability of any prover in this game is \(\frac{1+d(M_0^n, M_1^n)}{2}\). By the completeness of SD (Theorem 19), we get that \(\mathbf {SZK}\) has \((\epsilon , \delta )\)special interactive proofs for some \(\epsilon (n), \delta (n) = n^{\omega (1)}\).
The proof for \(\mathbf {SZK}_{\mathbf {L}}\) works in exactly the same way, except it is now a concern that the verifier has to first run the SZKcompleteness reduction to obtain an instance of the statistical distance problem \(SD_L\), since it is not guaranteed that the reduction runs in logspace. However, we show that the SahaiVadhan reduction indeed does. We refer the reader to Appendix B for more details.
In fact, the connection between languages with special interactive proofs and \(\mathbf {SZK}\) goes both ways. Namely,
Fact 21
Let \((1  2\epsilon (n))^2 > 2\delta (n)\). If a language L has an \((\epsilon , \delta )\)SIP, then \(L \in \mathbf {SZK}\).
This is because deciding a language L that has an \((\epsilon , \delta )\)SIP (P, V) is the same as deciding whether \((V_{(x, 0)}, V_{(x, 1)}, 1^{r(x)}) \in (2\epsilon , 2\delta )\)SD, where \(V_{(x, b)}(r) = V(x, b; r)\), and \((2\epsilon , 2\delta )\)SD is in \(\mathbf {SZK}\) for \(\epsilon \) and \(\delta \) satisfying the above property.
3 From Zero Knowledge to Secret Sharing and Back
In this section, we show tight connections between languages with special interactive proofs, partial randomized encodings (PRE), and secret sharing schemes. In particular, we show:
Theorem 22
 1.
There are parameters \(\epsilon _1 = O(\epsilon )\) and \(\delta _1 = O(\delta )\) such that L has an \((\epsilon _1, \delta _1)\)special interactive proof (P, V), where the verifier V has a semiefficient, locally computable, \((\epsilon _1,\delta _1)\)PRE.
 2.
There are parameters \(\epsilon _2 = O(\epsilon )\) and \(\delta _2 = O(\delta )\) such that L has a semiefficient, locally computable, \((\epsilon _2, \delta _2)\)PRE.
 3.
There are parameters \(\epsilon _3 = O(\epsilon )\) and \(\delta _3 = O(\delta )\) such that for all n, there is a semiefficient \((\epsilon _3,\delta _3)\)secret sharing scheme under the access structure \(\mathcal {A}_{L,n}\).
We will prove Theorem 22 in Sect. 3.1, and here we state a number of interesting corollaries. The first two corollaries “almost” characterize the languages L whose associated access structure \(\mathcal {A}_{L,n}\) (as defined in Definition 9) has a semiefficient secretsharing scheme. Corollary 23 shows that any language in \(\mathbf {SZK}_{\mathbf {L}}\) has a semiefficient secretsharing scheme. Corollary 24 shows that furthermore, if \(\mathbf {P}/\mathrm {poly}\) has semiefficient, locally computable PREs, then any language in the entire class \(\mathbf {SZK}\) has a semiefficient secretsharing scheme. Moreover, it also says that no language outside \(\mathbf {SZK}\) has semiefficient secretsharing schemes, implying that our characterization is almost tight.
Corollary 23
Let \(\epsilon (n), \delta (n) = n^{\omega (1)}\) be negligible functions. For any language \(L\in \mathbf {SZK}_{\mathbf {L}}\), and for every n, there is a semiefficient \((\epsilon ,\delta )\)secret sharing scheme under the associated access structure \(\mathcal {A}_{L,n}\).
Proof
Theorem 20 asserts that for any \(L\in \mathbf {SZK}_{\mathbf {L}}\), there is an \((\epsilon , \delta )\)special interactive proof (P, V) for some \(\epsilon (n),\delta (n)= n^{\omega (1)}\), where the verifier algorithm V can be computed in logspace. Therefore, by Lemma 14, V has an efficient (and not just semiefficient) perfect, locally computable PRE. Applying Theorem 22 (in particular, that \((1) \Rightarrow (3)\)), there is a semiefficient \((O(\epsilon ), O(\delta ))\)secret sharing scheme for \(\mathcal {A}_{L,n}\).
Corollary 24
Let \(\epsilon (n), \delta (n) = n^{\omega (1)}\) be negligible functions.

Assume that \(\mathbf {P}/\mathrm {poly}\) has semiefficient \((\epsilon , \delta )\)locally computable PREs. Then, for any language \(L\in \mathbf {SZK}\), and for every n, there is a semiefficient \((\epsilon ,\delta )\)secret sharing scheme under the associated access structure \(\mathcal {A}_{L,n}\).

Conversely, if \(\mathcal {A}_{L,n}\) has a semiefficient \((\epsilon , \delta )\)secret sharing scheme, then \(L \in \mathbf {SZK}\).
This follows from the same arguments as Corollary 23, but with the absence of something like Lemma 14 to complete the argument. In fact, one may replace \(\mathbf {P}/\mathrm {poly}\) in Corollary 24 with any complexity class \(\mathbf {C}\) that is closed under the operations involved in the reduction used in the proof of Theorem 36 (while replacing \(\mathbf {SZK}\) with the appropriate \(\mathbf {SZK}_{\mathbf {C}}\)). The converse is true because of Theorem 22 and Fact 21
We also have the following theorem about efficient secret sharing schemes, where both the sharing and reconstruction algorithms run in time polynomial in n. The difference from Theorem 22 is that here, we require the prover in the special interactive proof to be efficient, namely run in time polynomial in n. We view this theorem as an avenue to constructing efficient secret sharing schemes for languages L outside \(\mathbf {L}\): namely, to construct a secretsharing scheme for \(\mathcal {A}_{L,n}\), it suffices to construct special interactive proofs for L wherein the verifier algorithm can be computed in \(\mathbf {L}\).
The proof of Theorem 25 follows directly from that of Theorem 22.
Theorem 25
 1.
There are parameters \(\epsilon _1 = O(\epsilon )\) and \(\delta _1 = O(\delta )\) such that L has an \((\epsilon _1, \delta _1)\)special interactive proof (P, V), where the prover algorithm is computable in polynomial time, and the verifier V has an efficient, locally computable, \((\epsilon _1,\delta _1)\)PRE.
 2.
There are parameters \(\epsilon _2 = O(\epsilon )\) and \(\delta _2 = O(\delta )\) such that L has an efficient, locally computable, \((\epsilon _2, \delta _2)\)PRE.
 3.
There are parameters \(\epsilon _3 = O(\epsilon )\) and \(\delta _3 = O(\delta )\) such that for all n, there is an efficient \((\epsilon _3,\delta _3)\)secret sharing scheme under the access structure \(\mathcal {A}_{L,n}\).
3.1 Proof of the Main Theorem
We prove Theorem 22 by showing that \((1) \Rightarrow (2) \Rightarrow (3) \Rightarrow (1)\).

\(E_{L}(x,b) = E_{V}(x,b)\)

\(D_{L}(x,y) = P(x,D_{V}(x,y))\)
Next, we turn to privacy. Let \(x \notin L\). We will show that \(E_{L}(x,0)\) and \(E_{L}(x,1)\) are statistically close. First, note that by the \(\delta \)soundness of the special interactive proof, we know that the distributions V(x, 0) and V(x, 1) are \(O(\delta )\)close. Now, by Lemma 13 and using the \(\delta \)privacy of the PRE scheme for V, this means that \(E_{V}(x,0)\) and \(E_{V}(x,1)\) are also \(O(\delta )\)close. This demonstrates privacy of our PRE scheme for L.
Since \(E_{L}\) is the same as \(E_{V}\), it is clear that if the PRE scheme \((E_{V},D_{V})\) is locally computable, so is \((E_{L}, D_{L})\). Moreover, if \((E_{V},D_{V})\) is semiefficient, so is \((E_{L}, D_{L})\). Finally, if \((E_{V},D_{V})\) is efficient and the prover P in the special interactive proof is computable in polynomial time, then \((E_{L}, D_{L})\) is also efficient.
\(\mathbf {(2) \Rightarrow (3)}\) . This implication follows from the work of Ishai and Wee [18]. We provide a proof here for completeness.
 Sharing: Let \(s\in \{0,1\}\) be the secret bit to be shared. S(s) works as follows:
 1.
For each i, pick \(s_{i,0}, s_{i,1} \in \{0,1\}\) at random such that \(s_{i,0} \oplus s_{i,1} = s\), and give \(s_{i,b}\) to the party \(P_{i,b}\).
 2.
Select bits \(\{s_0, \dots , s_n\}\) at random such that \(\bigoplus _{i=0}^n s_i = s\). For each \(i\in [n]\), give \(s_i\) to both \(P_{i,0}\) and \(P_{i,1}\).
 3.
Choose a random string r, compute \(\psi _{i,b} \leftarrow E_{L}^{(i)}(b, s_0; r)\) for every \(i\in [n]\) and \(b\in \{0,1\}\), and give \(\psi _{i,b}\) to party \(P_{i,b}\).
 1.
 Reconstruction: Any authorized set \(B\in \mathcal {A}_{L,n}\) reconstructs the secret as follows:

If B contains \(P_{i,0}\) and \(P_{i,1}\) for some i, the secret s can be retrieved as \(s = s_{i,0} \oplus s_{i,1}\).
 If not, then \(B = \{P_{i,x_i}\}\) for some \(x\in L\). This means that between them, the parties contain \(E_{L}(x, s_0; r) = \{E_{L}^{(i)}(x_i, s_0; r)\}_{i\in [n]}\). Outputas the secret.$$ D_{L}(x, E_{L}(x, s_0; r)) \oplus \bigoplus _{i\in [n]} s_i $$

For privacy, there are again two types of sets B that are not present in \(\mathcal {A}_{L,n}\). If there is an i such that the set of parties B does not contain either of \(P_{i,0}\) and \(P_{i,1}\), then B’s shares look completely random due to the absence of any information about \(s_i\). The other case is when \(B = \{P_{i,x_i}\}\) for some \(x\notin L\). In this case, \(d(S(0)_B, S(1)_B)\) is exactly the distance between \(E_{L}(x, 0)\) and \(E_{L}(x, 1)\) due to how the \(s_i\)’s are picked, which is at most \(\delta \) by the privacy of the randomized encoding of L.
It is also easy to see from the definition of \(S\) and \(R\) that if \((E_{L}, D_{L})\) is semiefficient, then so is \((S, R)\); and the same if it is efficient.

The verifier V, on input x and a bit b, outputs \(S(b)_{B_x}\), where \(B_x = \{P_{i,x_i}\}\).

The prover P on input x and the verifier message m, outputs \(R(B_x, m)\), where \(B_x = \{P_{i,x_i}\}\).
V is a PPT algorithm if \((S, R)\) is semiefficient, and P is computable in polynomial time if \((S, R)\) is efficient. Also, V is local because it can be split into the collection \(\{V^{(i)}(x_i, b) = S(b)_{\{P_{i,x_i}\}}\}\), so it serves as its own semiefficient locally computable PRE.
4 Positive Results on Efficient Secret Sharing
In this section we present efficient secret sharing schemes for access structures associated with BoundedDegree Graph NonIsomorphism, Lattice Closest Vector in small dimensions, and CoPrimality. These are obtained by the application of Theorem 25 (in particular, the implication \((1) \Rightarrow (2)\) in the theorem).
Useful throughout this section is the fact that arithmetic over integers (and rational numbers) may be performed in \(\mathbf {NC}^1\) (see [33] for details).
4.1 BoundedDegree Graph NonIsomorphism
Notation. Given an upper triangular matrix \(M \in \{0,1\}^{n\times n}\), denote by G(M) the undirected graph whose adjacency matrix is \((M+M^T)\), and for a symmetric matrix M, the undirected graph whose adjacency matrix is M. The degree of a graph, deg(G), is the maximum degree of any vertex in the graph. If \(G_1\) and \(G_2\) are isomorphic, we denote this as \(G_1 \equiv G_2\).
Definition 26
While Graph (Non)Isomorphism is not known to be in \(\mathbf {P}\), there is a classical polynomial time algorithm known for \(\mathsf {dBDGNI}\) due to Luks [26]. However, it appears to be a long open question whether \(\mathsf {dBDGNI}\) is in \(\mathbf {NC}\) (or even in \(\mathbf {RNC}\)) [2].
Theorem 27
For every constant d and every n, there is an efficient (perfect) secret sharing scheme for the access structure \(\mathcal {A}_{\mathsf {dBDGNI}, n}\). The complexity of the reconstruction algorithm grows as \(n^{O(d)}\), whereas sharing runs in time polynomial in n.
Proof
We prove this by showing a special interactive proof for \(\mathsf {dBDGNI}\) where the verifier runs in logspace (and therefore, has efficient perfect locally computable PREs) and the prover runs in polynomial time. This satisfies statement (1) in Theorem 25, and hence implies the existence of the required secret sharing scheme.

The verifier \(V((M_0, M_1), b)\), on input upper triangular matrices \(M_0, M_1 \in \{0,1\}^{n\times n}\) and bit b, selects a random permutation matrix \(P \in S_n\), and outputs \(P(M_b+M_b^T)P^T\).

The prover \(P((M_0, M_1), M)\), checks whether \(G(M) \equiv G(M_0)\). If so, it outputs 0, else 1.
Note that the operation \(P(M+M^T)P^T\) is equivalent to permuting the vertices of the graph G(M) by the permutation P.
Perfect completeness of this protocol follows from the fact that if \(M_0 \not \equiv M_1\), then the verifier’s output M will be such that G(M) is isomorphic to exactly one of \(G(M_0)\) and \(G(M_1)\), and P can identify which by running the algorithm for \(\mathsf {dBDGNI}\) [26].
The protocol is perfectly sound because if \(M_0 \equiv M_1\), then the distribution of the verifier’s output is the same whether \(b = 0\) or 1, and P has probability exactly 1 / 2 of guessing b correctly.
The complexity of the verifier V in the above protocol is that of selecting a random permutation and performing two matrix multiplications, both of which can be done in logspace. Hence by Lemma 14, V has efficient perfect locally computable PREs. The prover P is computable in polynomial time because all the prover does is run the (polynomial time) algorithm for \(\mathsf {dBDGNI}\).
(That the running time of reconstruction algorithm of the resulting secret sharing scheme is \(n^{O(d)}\) can be seen by tracing its dependence on the running time of the algorithm for \(\mathsf {dBDGNI}\)  the one in [26] runs in time \(n^{O(d)}\)  in the proof of Theorem 22.)
4.2 Lattice Closest Vectors
Notation. For a fullrank (over \(\mathbb {Q}\)) matrix \(B\in \mathbb {Z}^{d\times d}\), let \(\Lambda (B)\) denote the integer lattice (of dimension d) whose basis is B, and \(\mathcal {P}(B)\) denote the fundamental parallelepiped of the same lattice (the parallelepiped formed by the column vectors of B and the origin). We denote by \(\mathcal {B}(y, \delta )\) the set of points in the ball of radius \(\delta \) centered at the point y (note that as we work with discretised space and not with \(\mathbb {R}^d\), the number of points in this set is finite).
Given fullrank matrix \(B\in \mathbb {Z}^{d\times d}\), a vector \(y\in \mathbb {Z}^d\), \(\delta \in \mathbb {Z}^+\) and \(\gamma \in [0,1]\), the (decision version of the) gap closest vector problem in d dimensions (\(\mathsf {GapCVP}_{\gamma ,d}\)) asks whether the Euclidean distance of y from (any point in) \(\Lambda (B)\) is at most \((\gamma \delta )\) or at least \(\delta \).
While classical algorithms due to Gauss, and Lenstra, Lenstra and Lovasz (from [24]) show that for any d, \(\mathsf {GapCVP}_{\gamma ,d}\) is in \(\mathbf {P}\) for any \(\gamma \), it is not known to be (and conjectured not to be) in \(\mathbf {NC}\). We are interested in the complement of this problem, as defined below.
Definition 28
The following theorem asserts the existence of efficient secret sharing schemes under access structures associated with the above problem.
Theorem 29
For every c, d, n, and any \(\gamma = \left( 1  \varOmega (\frac{1}{n^c})\right) \), there is an efficient (o(1), o(1))secret sharing scheme under the access structure \(\mathcal {A}_{\mathsf {coGapCVP}_{\gamma ,d}, n}\).
We prove this theorem by constructing a (o(1), o(1))Special Interactive Proof for \(\mathsf {coGapCVP}_{\gamma ,d}\) with a logspace verifier and a poly time prover. As the verifier is computable in logspace, it has efficient perfect locally computable PREs, by Lemma 14. The existence of such an SIP, along with Theorem 25, implies the efficient secret sharing schemes we need. In interest of space, we defer details of the proof to the full version of this paper.
4.3 Coprimality
Efficient secret sharing schemes for noncoprimality and semiefficient ones for quadratic nonresiduosity were shown by Beimel and Ishai [5] as an illustration of the power of nonlinear secret sharing schemes over linear ones. We note that these follow as implications of our Theorem 22 given the existence of SZK proofs for these languages with logspace verifiers (which are indeed known to exist).
We demonstrate here, as an example, the case of NonCoPrimality, which is in \(\mathbf {P}\), but again, as noted in [5], not known to be in \(\mathbf {NC}\).
Definition 30
Theorem 31 asserts the existence of statistically correct, statistically private efficient secret sharing schemes under the access structure associated with \(\mathsf {NCoP}\).
Theorem 31
For every n, there is an efficient \((\epsilon , \delta )\)secret sharing scheme under the access structure \(\mathcal {A}_{\mathsf {NCoP}, n}\) from some \(\epsilon (n), \delta (n) = o(1)\).
Proof
Again, we prove this by demonstrating a (o(1), o(1))SIP for Noncoprimality where the prover is efficient and the verifier has efficient perfect locally computable PREs. This implies what we need, by Theorem 25.

The verifier V takes as input (u, v) and a bit b.

If \(b = 1\), it outputs m random multiples of u modulo v; that is, it picks m random numbers \(\{r_i\}_{i\in [m]} \leftarrow \{0,1\}^{u}\) and outputs \(\{(r_i u) (mod\ v)\}\).

If \(b = 0\), it outputs m random numbers in [v].


The prover P takes as input (u, v) and the verifiers message, which is a set of m numbers \(\{a_i\}_{i\in [m]}\). If \(gcd(\{a_i\}) = 1\), the prover outptus 0, else 1.
The above SIP is complete because if \(gcd(u,v) > 1\), then if \(b = 1\), all multiples of u modulo v will be divisible by gcd(u, v), and the prover will always output 1, and if \(b = 0\), with high probability the gcd of m random numbers in [v] will be 1 and the prover will output 0. It is sound because when \(gcd(u,v) = 1\), the distribution of multiples of u (drawn from a large enough range) modulo v is negligibly close to uniform, and the cases \(b = 0\) and \(b = 1\) are indistinguishable.
The verifier V is computable in \(\mathbf {L}\), as all it does is multiply nbit numbers, and so has efficient perfect locally computable PREs, by Lemma 14. The prover is efficient, as all it has to do is compute the gcd of some numbers.
5 Negative Results on Universally Efficient Secret Sharing
In this section, we show that a natural strengthening of efficient secretsharing, that we call universally efficient secretsharing, cannot exist for all of \(\mathbf {P}\), if for every polynomial t, \(\mathbf {P}\not \subseteq \mathbf {DSPACE}(t(n))\).
Notation. Below, by L we denote both a language in a class \(\mathcal {C}\), and its standard representation as a member of this class, say, for example, as a Turing machine that decides the language in case \(\mathcal {C} = \mathbf {P}\). For a function f that takes two arguments (as f(x, y)), by \(f(x,\cdot )\), we denote f curried with x, that is, the function \(g(y) = f(x,y)\); this extends naturally to the case where f takes more than two arguments.
Definition 32
(Universal Secret Sharing). An \((\epsilon , \delta )\) Universally Efficient Secret Sharing Scheme (USS), or simply a universal secret sharing scheme, for a class of languages \(\mathcal {C}\) over a domain D is a pair of (randomized) algorithms \((S, R)\) such that for any \(L\in \mathcal {C}\) and any n, \((S(L, 1^n, \cdot ), R(L, 1^n, \cdot , \cdot ))\) is an \((\epsilon , \delta )\)secret sharing scheme under the access structure \(A_{L,n}\) over the domain D.
For any polynomial t, a universal secret sharing scheme is said to be tsemiefficient if for any \(L\in \mathcal {C}\), \(S(L, 1^n, \cdot )\) is computable in time t(n). The scheme is said to be tefficient if both \(S(L, 1^n, \cdot )\) and \(R(L, 1^n, \cdot , \cdot )\) are computable in time t(n).
Theorem 33
Let, for all n, \(1  \epsilon (n) > \delta (n)\). If a class of languages \(\mathcal {C}\) has tsemiefficient \((\epsilon , \delta )\)universal secret sharing (USS) schemes, then there exists \(t'\) such that \(t'(n) = O(t(n))\) and \(\mathcal {C} \subseteq \mathbf {DSPACE}(t'(n))\).
Sketch of Proof
Suppose (S, R) is a tsemiefficient \((\epsilon , \delta )\) USS scheme for the class \(\mathcal {C}\). Theorem 33 follows from applying Lemma 34 to each language \(L\in \mathcal {C}\), using the fact that by definition, \((S(L, 1^n, \cdot ), R(L, 1^n, \cdot , \cdot ))\) is an \((\epsilon , \delta )\)secret sharing scheme for \(A_{L,n}\) where the sharing algorithm runs in time t(n).
In particular, Theorem 33 implies that if \(\mathbf {P}\) had a tsemiefficient USS scheme, then it would be contained in \(\mathbf {DSPACE}(t(n))\) for some polynomial t(n).
Lemma 34
Let, for all n, \(1  3\epsilon (n) > 3\delta (n)\). If, for some language L, there is an \((\epsilon , \delta )\)secret sharing scheme \((S, R)\) for \(A_{L,n}\) for all n, where \(S\) runs in time t(n), then \(L \in \mathbf {DSPACE}(t'(n))\), where \(t'(n) = O(t(n))\).
The proof below is adapted from that of a more general statement from [13].
Proof
We start by using Theorem 22 to recognize the existence of an \((\epsilon ', \delta ')\)SIP (P, V) for L where V runs in time t(n), where \(\epsilon ' = 3\epsilon \) and \(\delta ' = 3\delta \) (the constant 3 comes out of the proof of Theorem 22), and we have \(1  \epsilon '(n) > \delta '(n)\).
In order to decide whether \(x\in L\), it is sufficient to determine whether any \(P'\) can guess b given V(x, b) with probability \(\ge (1\epsilon '(x))\) or only \(\le (1/2 + \delta '(x)/2)\). This is equivalent to whether d(V(x, 0), V(x, 1)) is \(\ge (1  \epsilon (x))\) or \(\le \delta (x)\). But d(V(x, 0), V(x, 1)) itself can be computed in space O(t(x)) as follows.
First, for any v of length at most t(x), \({\text{ Pr }_{r}\left[ V(x,b;r) = v\right] }\) can be computed by iterating over the possible values of r – note that \(r \le t(x)\)– and simulating V to see if it outputs v, and counting the number of r’s for which it does. This requires only O(t(x)) space because V can be simulated in this much space, and the count of r’s is at most \(2^{t(x)}\).
Footnotes
 1.
More formally, we have to speak of a family of access structures \(\{\mathcal {A}_n\}_{n\in \mathbb {N}}\), one for every n. We abuse notation slightly and denote \(\mathcal {A}\), consisting of subsets of n parties, as the access structure.
 2.
We use this as a shorthand to say “secret sharing schemes for access structures \(\mathcal {A}\) whose associated language \(L_{\mathcal {A}}\) can be recognized in logspace”.
Notes
Acknowledgments
We thank an anonymous ASIACRYPT reviewer for comments that helped improve the presentation of this paper.
References
 1.Applebaum, B., Ishai, Y., Kushilevitz, E.: Cryptography in \(nc^{0}\). SIAM J. Comput. 36(4), 845–888 (2006)MathSciNetCrossRefzbMATHGoogle Scholar
 2.Arvind, V., Torán, J.: Isomorphism testing: perspective and open problems. Bull. EATCS 86, 66–84 (2005)MathSciNetzbMATHGoogle Scholar
 3.Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S.P., Yang, K.: On the (im)possibility of obfuscating programs. J. ACM 59(2), 6 (2012)MathSciNetCrossRefzbMATHGoogle Scholar
 4.Beimel, A.: Secretsharing schemes: a survey. In: Chee, Y.M., Guo, Z., Ling, S., Shao, F., Tang, Y., Wang, H., Xing, C. (eds.) IWCC 2011. LNCS, vol. 6639, pp. 11–46. Springer, Heidelberg (2011) CrossRefGoogle Scholar
 5.Beimel, A., Ishai, Y.: On the power of nonlinear secretsharing. IACR Cryptol. ePrint Arch. 2001, 30 (2001)zbMATHGoogle Scholar
 6.Benaloh, J.C., Leichter, J.: Generalized secret sharing and monotone functions. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 27–35. Springer, Heidelberg (1990) Google Scholar
 7.Bitansky, N., Garg, S., Telang, S.: Succinct randomized encodings and their applications. IACR Cryptol. ePrint Arch. 2014, 771 (2014)zbMATHGoogle Scholar
 8.Blakley, G.: Safeguarding cryptographic keys. In: Proceedings of the National Computer Conference, vol. 48, pp. 313–317 (1979)Google Scholar
 9.Blundo, C., De Santis, A., De Simone, R., Vaccaro, U.: Tight bounds on the information rate of secret sharing schemes. Des. Codes Cryptography 11(2), 107–122 (1997)MathSciNetCrossRefzbMATHGoogle Scholar
 10.Canetti, R., Holmgren, J., Jain, A., Vaikuntanathan, V.: Indistinguishability obfuscation of iterated circuits and RAM programs. IACR Cryptology ePrint Archive 2014, 769 (2014)zbMATHGoogle Scholar
 11.Csirmaz, L.: The size of a share must be large. J. Cryptology 10(4), 223–231 (1997)MathSciNetCrossRefzbMATHGoogle Scholar
 12.Dvir, Z., Gutfreund, D., Rothblum, G. N., Vadhan, S.: On approximating the entropy of polynomial mappings. In: Proceedings of the 2nd Innovations in Computer Science Conference, pp. 460–475 (2011)Google Scholar
 13.Fortnow, L., Lund, C.: Interactive proof systems and alternating timespace complexity. Theor. Comput. Sci. 113(1), 55–73 (1993)MathSciNetCrossRefzbMATHGoogle Scholar
 14.Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: FOCS, pp. 40–49 (2013)Google Scholar
 15.Goldreich, O., Micali, S., Wigderson, A.: Proofs that yield nothing but their validity and a methodology of cryptographic protocol design (extended abstract). In: 27th Annual Symposium on Foundations of Computer Science, Toronto, Canada, 27–29 October 1986, pp. 174–187 (1986)Google Scholar
 16.Greenlaw, R., Hoover, H.J., Ruzzo, W.L.: Limits to Parallel Computation: Pcompleteness Theory. Oxford University Press Inc, New York (1995)zbMATHGoogle Scholar
 17.Ishai, Y., Kushilevitz, E.: Randomizing polynomials: A new representation with applications to roundefficient secure computation. In: FOCS, pp. 294–304 (2000)Google Scholar
 18.Ishai, Y., Wee, H.: Partial garbling schemes and their applications. In: Esparza, J., Fraigniaud, P., Husfeldt, T., Koutsoupias, E. (eds.) ICALP 2014. LNCS, vol. 8572, pp. 650–662. Springer, Heidelberg (2014) Google Scholar
 19.Ito, M., Saio, A., Nishizeki, T.: Multiple assignment scheme for sharing secret. J. Cryptology 6(1), 15–20 (1993)MathSciNetCrossRefzbMATHGoogle Scholar
 20.Karchmer, M., Wigderson, A.: On span programs. In: Proceedings of the Eigth Annual Structure in Complexity Theory Conference, San Diego, CA, USA, May 18–21, 1993, pp. 102–111. IEEE Computer Society (1993)Google Scholar
 21.Karnin, E.D., Greene, J.W., Hellman, M.E.: On secret sharing systems. IEEE Trans. Inf. Theor. 29(1), 35–41 (1983)MathSciNetCrossRefzbMATHGoogle Scholar
 22.Komargodski, I., Naor, M., Yogev, E.: Secretsharing for \(\sf {NP}\). In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part II. LNCS, vol. 8874, pp. 254–273. Springer, Heidelberg (2014) Google Scholar
 23.Koppula, V., Lewko, A. B., Waters, B.: Indistinguishability obfuscation for turing machines with unbounded memory. IACR Cryptology ePrint Archive, 2014/925 (2014)Google Scholar
 24.Lenstra Jr., A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann. 261(4), 515–534 (1982)MathSciNetCrossRefzbMATHGoogle Scholar
 25.Lin, H., Pass, R.: Succinct garbling schemes and applications. IACR Cryptology ePrint Archive 2014, 766 (2014)Google Scholar
 26.Luks, E.M.: Isomorphism of graphs of bounded valence can be tested in polynomial time. In: FOCS, pp. 42–49 (1980)Google Scholar
 27.Razborov, A.A.: Lower bounds on the monotone complexity of some Boolean functions. Doklady Akademii Nauk SSSR 285, 798–801 (1985)MathSciNetzbMATHGoogle Scholar
 28.Sahai, A., Vadhan, S.P.: A complete problem for statistical zero knowledge. Electron. Colloquium on Comput. Complex. (ECCC) 7(84) (2000)Google Scholar
 29.Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979)MathSciNetCrossRefzbMATHGoogle Scholar
 30.Tardos, É.: The gap between monotone and nonmonotone circuit complexity is exponential. Combinatorica 8(1), 141–142 (1988)MathSciNetCrossRefzbMATHGoogle Scholar
 31.Vadhan, S.: A study of statistical zeroknowledge proofs. Ph.D. thesis, Massachusetts Institute of Technology (1999)Google Scholar
 32.Vinod, V., Narayanan, A., Srinathan, K., Pandu Rangan, C., Kim, K.: On the power of computational secret sharing. In: Johansson, T., Maitra, S. (eds.) INDOCRYPT 2003. LNCS, vol. 2904, pp. 162–176. Springer, Heidelberg (2003) CrossRefGoogle Scholar
 33.Wegener, I.: The Complexity of Boolean Functions. Wiley, New York (1987) zbMATHGoogle Scholar
 34.Yao, A.: Unpublished manuscript (1989). Presented at Oberwolfach and DIMACS WorkshopsGoogle Scholar