Graph-Theoretic Characterization of Noise Capacity of Conditional Disclosure of Secrets

In the Conditional Disclosure of Secrets (CDS) problem, Alice and Bob hold inputs $x\in \mathcal{X}$ and $y\in \mathcal{Y}$ and share a secret. Let $f:\mathcal{X}\times\mathcal{Y}\to{0,1}$ be a function such that the secret is revealed to a third party, Carol, if and only if $f(x,y)=1$. To protect the secret when $f(x,y)=0$, Alice and Bob share a common noise variable unknown to Carol. We study the \emph{noise capacity} of CDS, defined as the maximum number of secret bits that can be securely revealed per noise bit. We first derive necessary and sufficient conditions on $f$, represented by a CDS graph, for the extremal case where the noise capacity equals $1$. We then develop converse bounds on the noise rate for all linear schemes: $\frac{(ρ-1)(d-1)}{ρd-1}$ if $ρ$ is finite, and $\frac{d-1}{d}$ if $ρ$ is infinite, where $ρ$ is the covering parameter of the CDS graph and $d$ is the number of unqualified edges in an unqualified path. Under maximal communication efficiency (message size equals secret size), we refine these bounds by analyzing qualified components and their connections. Achievability is shown for CDS instances with cyclic qualified edges and a single unqualified path. This graph-theoretic framework links noise efficiency limits to the unqualified path distance and covering parameter, providing a systematic method to analyze CDS under arbitrary graph topologies.

💡 Research Summary

The paper investigates the fundamental limits of noise efficiency in the Conditional Disclosure of Secrets (CDS) problem, a basic primitive in secure multiparty computation. In CDS, two parties, Alice and Bob, each hold a private input (x and y) and share a secret S. A publicly known Boolean function f(x, y) determines whether a third party, Carol, should learn S: if f(x, y)=1 the secret must be recoverable, otherwise no information about S may be leaked. To protect the secret when f(x, y)=0, Alice and Bob share a common random variable Z (the “noise”) that is unknown to Carol.

Previous work focused on minimizing the amount of communication (bits transmitted) required to achieve correctness and security. This paper introduces a complementary performance metric called noise capacity C, defined as the supremum of achievable noise rates R_Z = L / L_Z, where L is the number of secret symbols disclosed and L_Z is the number of noise symbols consumed. A noise capacity of 1 means that one bit of noise suffices to securely disclose one bit of secret, which is the theoretical optimum.

The authors model any CDS instance as a bipartite graph G_f = (V, E). The left partition consists of Alice’s message nodes {A₁,…,A_X}, the right partition of Bob’s message nodes {B₁,…,B_Y}. An edge {A_x, B_y} exists exactly for each input pair (x, y) that can occur; the edge is labeled qualified if f(x, y)=1 and unqualified otherwise. This graphical representation captures all structural constraints of the CDS problem.

Maximum noise capacity (C = 1).
The paper first characterizes when the noise capacity reaches its maximum. It introduces the notions of an internal qualified edge (a qualified edge that lies inside an unqualified path) and the residing unqualified path of such an edge. The residing unqualified path distance d(e, P) is the number of edges in the shortest unqualified path that contains the internal qualified edge e. The authors prove that C = 1 if and only if every internal qualified edge has residing distance d = 1, i.e., each qualified edge is directly adjacent to an unqualified edge. In graph terms, this means the qualified subgraph can be “covered” by the unqualified edges without any gaps, allowing perfect alignment of noise and messages. This result is formalized in Theorem 1.

General linear converse bound.
For linear CDS schemes (where all encoding functions are linear over a finite field), the authors derive a universal upper bound on the achievable noise rate. Two graph parameters appear:

1. The covering parameter ρ, defined as the size of the smallest set of qualified edges that together cover all vertices incident to unqualified edges. Intuitively, ρ measures how many qualified edges are needed to “protect” the unqualified part of the graph.

2. The unqualified path distance d, the minimum residing distance over all internal qualified edges.

The linear converse (Theorem 2) states:

• If ρ is finite,
  \