Improved Trade-offs Between Amortization and Download Bandwidth for Linear HSS

Keller Blackwell, Mary Wootters

TL;DR

This work provides a complete, constructive characterization of linear HSS schemes for low-degree multivariate polynomials by linking reconstruction to labelweight codes. By extending the BW23 framework to arbitrary-rate HSS, the authors show that any linear HSS with rate $R$ corresponds to a linear code of the same rate with minimum labelweight at least $dt+1$, and vice versa. Using algebraic-geometry codes, specifically Hermitian and Goppa codes, they achieve near-optimal download rates with significantly improved amortization: Hermitian-code schemes approach the optimal rate $1-\frac{dt}{s}$ up to an $O(s^{-1/3})$ loss while attaining amortization $\ell = s-dt-O(s^{2/3})$, and Goppa-code-based schemes offer practical binary-field constructions with amortization savings $\ell = s-udt$ at the cost of a small rate loss. The results suggest substantial practical improvements in the amortization of linear HSS without large sacrifices in download efficiency, and they highlight the value of structured algebraic-geometric codes over random constructions in this setting.

Abstract

A Homomorphic Secret Sharing (HSS) scheme is a secret-sharing scheme that shares a secret $x$ among $s$ servers, and additionally allows an output client to reconstruct some function $f(x)$ using information that can be locally computed by each server. A key parameter in HSS schemes is download rate, which quantifies how much information the output client needs to download from the servers. Often, download rate is improved by amortizing over $\ell$ instances of the problem, making $\ell$ also a key parameter of interest. Recent work (Fosli, Ishai, Kolobov, and Wootters 2022) established a limit on the download rate of linear HSS schemes for computing low-degree polynomials and constructed schemes that achieve this optimal download rate; their schemes required amortization over $\ell = \Omega(s \log(s))$ instances of the problem. Subsequent work (Blackwell and Wootters, 2023) completely characterized linear HSS schemes that achieve optimal download rate in terms of a coding-theoretic notion termed optimal labelweight codes. A consequence of this characterization was that $\ell = \Omega(s \log(s))$ is in fact necessary to achieve optimal download rate. In this paper, we characterize all linear HSS schemes, showing that schemes of any download rate are equivalent to a generalization of optimal labelweight codes. This equivalence is constructive and provides a way to obtain an explicit linear HSS scheme from any linear code. Using this characterization, we present explicit linear HSS schemes with slightly sub-optimal rate but with much improved amortization $\ell = O(s)$. Our constructions are based on algebraic geometry codes (specifically Hermitian codes and Goppa codes).
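
The code-side condition in the equivalence (rate $R$, minimum labelweight at least $dt+1$) can be checked by brute force on toy codes. The following is an added example, not code from the paper: it assumes the BW23 definition of labelweight (the number of distinct server labels among a codeword's nonzero coordinates), and the function names and generator matrices are constructed for illustration.

```python
from fractions import Fraction
from itertools import product

def min_labelweight(G, labels, q=2):
    """Minimum labelweight over the nonzero codewords of the code that
    G generates over F_q (q prime, G assumed full rank).
    labels[j] is the server holding output coordinate j."""
    k, n = len(G), len(G[0])
    if len(labels) != n:
        raise ValueError("one label per code coordinate is required")
    best = None
    for msg in product(range(q), repeat=k):
        if not any(msg):
            continue  # skip the zero message
        cw = [sum(m * row[j] for m, row in zip(msg, G)) % q for j in range(n)]
        # Labelweight: distinct servers touched by the support of cw.
        lw = len({labels[j] for j in range(n) if cw[j]})
        best = lw if best is None else min(best, lw)
    return best

def check_code(G, labels, s, d, t, q=2):
    """Compare a code against the page's condition (labelweight >= d*t + 1)
    and against the optimal download rate 1 - d*t/s."""
    k, n = len(G), len(G[0])
    lw = min_labelweight(G, labels, q)
    return {
        "rate": Fraction(k, n),               # l / (l/R) = R
        "optimal_rate": 1 - Fraction(d * t, s),
        "min_labelweight": lw,
        "meets_condition": lw >= d * t + 1,
    }

# Constructed toy inputs: s = 3 servers, d = t = 1, binary field.
G_GOOD = [[1, 0, 1], [0, 1, 1]]   # every nonzero codeword touches 2 servers
G_BAD = [[1, 0, 0], [0, 1, 1]]    # codeword 100 touches a single server

if __name__ == "__main__":
    print(check_code(G_GOOD, [0, 1, 2], s=3, d=1, t=1))
    print(check_code(G_BAD, [0, 1, 2], s=3, d=1, t=1))
    # Same code, different labeling: two coordinates on one server.
    print(check_code(G_GOOD, [0, 1, 1], s=2, d=1, t=1))
```

The third call shows that the condition depends on the labeling as well as the code: placing two coordinates of `G_GOOD` on the same server drops its minimum labelweight from 2 to 1.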

Paper Structure (26 sections, 20 theorems, 61 equations, 2 figures, 5 tables)

Key Result

Theorem 1

Let $\pi = (\mathsf{Share}, \mathsf{Eval}, \mathsf{Rec})$ be a $t$-private, $s$-server linear HSS for $\mathrm{POLY}_{d,m}({\mathbb F})$ with download rate $R$ and amortization parameter $\ell$. Let $G \in \mathbb{F}^{\ell \times (\ell/R)}$ be the matrix that represents $\mathsf{Rec}$ (see Observati

Figures (2)

  • Figure 1: The left (right) plot compares the download rates (amortization parameters) of FIKW22, BW23 with that achieved by Theorem \ref{thm: hss from hermitian code params} when $d = t = 2$. The $x$-axis denotes the number of servers and ranges from 1 to 1,000,000 to illustrate the asymptotic convergence of Theorem \ref{thm: hss from hermitian code params} to the optimal rate of FIKW22, BW23 at a constant factor less amortization.
  • Figure 2: The left (right) plot compares the download rates (amortization parameters) of FIKW22, BW23 with that achieved by Theorem \ref{thm: hss from goppa params} when $d = t = 2$. The $x$-axis represents the number of servers and ranges from 1 to 512. This emphasizes the super-constant amortization savings of Theorem \ref{thm: hss from goppa params} at practical parameter regimes relative to FIKW22, BW23, with small concessions to rate.

Theorems & Definitions (50)

  • Definition 1: Labelweight
  • Theorem 1: Linear HSS schemes are equivalent to labelweight codes. (Informal, see Theorem \ref{thm: main equiv})
  • Claim 2
  • proof
  • Theorem 3: FIKW22
  • Theorem 4: BW23
  • Theorem 5: BW23
  • Definition 2: HSS
  • Remark 1
  • Definition 3: Linear HSS
  • ...and 40 more