Function Secret Sharing

  • Elette BoyleEmail author
  • Niv Gilboa
  • Yuval Ishai
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9057)


Motivated by the goal of securely searching and updating distributed data, we introduce and study the notion of function secret sharing (FSS). This new notion is a natural generalization of distributed point functions (DPF), a primitive that was recently introduced by Gilboa and Ishai (Eurocrypt 2014). Given a positive integer \(p\ge 2\) and a class \(\mathcal F\) of functions \(f:\{0,1\}^n\rightarrow \mathbb G\), where \(\mathbb G\) is an Abelian group, a \(p\)-party FSS scheme for \(\mathcal F\) allows one to split each \(f\in \mathcal F\) into \(p\) succinctly described functions \(f_i:\{0,1\}^n\rightarrow \mathbb G\), \(1\le i\le p\), such that: (1) \(\sum _{i=1}^p f_i=f\), and (2) any strict subset of the \(f_i\) hides \(f\). Thus, an FSS for \(\mathcal F\) can be thought of as method for succinctly performing an “additive secret sharing” of functions from \(\mathcal F\). The original definition of DPF coincides with a two-party FSS for the class of point functions, namely the class of functions that have a nonzero output on at most one input.

We present two types of results. First, we obtain efficiency improvements and extensions of the original DPF construction. Then, we initiate a systematic study of general FSS, providing some constructions and establishing relations with other cryptographic primitives. More concretely, we obtain the following main results:
  • Improved DPF. We present an improved (two-party) DPF construction from a pseudorandom generator (PRG), reducing the length of the key describing each \(f_i\) from \(O(\lambda \cdot n^{\log _23})\) to \(O(\lambda n)\), where \(\lambda \) is the PRG seed length.

  • Multi-party DPF. We present the first nontrivial construction of a \(p\)-party DPF for \(p\ge 3\), obtaining a near-quadratic improvement over a naive construction that additively shares the truth-table of \(f\). This constrcution too can be based on any PRG.

  • FSS for simple functions. We present efficient PRG-based FSS constructions for natural function classes that extend point functions, including interval functions and partial matching functions.

  • A study of general FSS. We show several relations between general FSS and other cryptographic primitives. These include a construction of general FSS via obfuscation, an indication for the implausibility of constructing general FSS from weak cryptographic assumptions such as the existence of one-way functions, a completeness result, and a relation with pseudorandom functions.


Homomorphic Encryption Pseudorandom Generator Oblivious Transfer Cryptographic Primitive Pseudorandom Function 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Asharov, G., Jain, A., López-Alt, A., Tromer, E., Vaikuntanathan, V., Wichs, D.: Multiparty computation with low communication, computation and interaction via threshold FHE. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 483–501. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  2. 2.
    Barak, B., Garg, S., Kalai, Y.T., Paneth, O., Sahai, A.: Protecting obfuscation against algebraic attacks. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 221–238. Springer, Heidelberg (2014) CrossRefGoogle Scholar
  3. 3.
    Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S.P., Yang, K.: On the (im)possibility of obfuscating programs. J. ACM 59(2), 6 (2012)CrossRefMathSciNetGoogle Scholar
  4. 4.
    Barkol, O., Ishai, Y., Weinreb, E.: On Locally Decodable Codes, Self-Correctable Codes, and t-Private PIR. Algorithmica 58(4), 831–859 (2010)CrossRefzbMATHMathSciNetGoogle Scholar
  5. 5.
    Beigel, R., Fortnow, L., Gasarch, W.I.: A tight lower bound for restricted PIR protocols. Computational Complexity 15(1), 82–91 (2006)CrossRefzbMATHMathSciNetGoogle Scholar
  6. 6.
    Beimel, A., Ishai, Y., Kushilevitz, E., Orlov, I.: Share conversion and private information retrieval. In: IEEE Conference on Computational Complexity 2012, pp. 258–268 (2012)Google Scholar
  7. 7.
    Bogdanov, A., Lee, C.H.: On the depth complexity of homomorphic encryption schemes. Electronic Colloquium on Computational Complexity (ECCC) 2012/157 (2012)Google Scholar
  8. 8.
    Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (Leveled) fully homomorphic encryption without bootstrapping. In: ITCS 2012, pp. 309–325 (2012)Google Scholar
  9. 9.
    Brakerski, Z., Rothblum, G.N.: Virtual black-box obfuscation for all circuits via generic graded encoding. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 1–25. Springer, Heidelberg (2014) CrossRefGoogle Scholar
  10. 10.
    Brakerski, Z., Vaikuntanathan, V.: Lattice-based FHE as secure as PKE. In: ITCS 2014, pp. 1–12 (2014)Google Scholar
  11. 11.
    Brakerski, Z., Vaikuntanathan, V.: Efficient fully homomorphic encryption from (standard) LWE. In: FOCS 2011, pp. 97–106 (2011)Google Scholar
  12. 12.
    Cachin, C., Micali, S., Stadler, M.A.: Computationally private information retrieval with polylogarithmic communication. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 402–414. Springer, Heidelberg (1999) CrossRefGoogle Scholar
  13. 13.
    Canetti, R., Lin, H., Tessaro, S., Vaikuntanathan, V.: Obfuscation of Probabilistic Circuits and Applications. Cryptology ePrint Archive, Report 2014/882 (2014)Google Scholar
  14. 14.
    Chor, B., Gilboa, N.: Computationally private information retrieval. In: STOC 1997, pp. 304–313 (1997)Google Scholar
  15. 15.
    Chor, B., Goldreich, O., Kushilevitz, E., Sudan, M.: Private Information Retrieval. Journal of the ACM (JACM) 45(6), 965–981 (1998)CrossRefzbMATHMathSciNetGoogle Scholar
  16. 16.
    De Santis, A., Desmedt, Y., Frankel, Y., Yung, M.: How to share a function securely. In: STOC 1994, pp. 522–533 (1994)Google Scholar
  17. 17.
    Desmedt, Y.G.: Society and group oriented cryptography: a new concept. In: Pomerance, C. (ed.) CRYPTO 1987. LNCS, vol. 293, pp. 120–127. Springer, Heidelberg (1988) Google Scholar
  18. 18.
    Desmedt, Y.G., Frankel, Y.: Threshold cryptosystems. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 307–315. Springer, Heidelberg (1990) Google Scholar
  19. 19.
    Dvir, Z., Gopi, S.: 2-Server PIR with sub-polynomial communication. Electronic Colloquium on Computational Complexity (ECCC) 21, 94 (2014)Google Scholar
  20. 20.
    Di Crescenzo, G., Malkin, T., Ostrovsky, R.: Single database private information retrieval implies oblivious transfer. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 122–138. Springer, Heidelberg (2000) CrossRefGoogle Scholar
  21. 21.
    Efremenko, K.: 3-query locally decodable codes of subexponential length. In: STOC 2009, pp. 39–44 (2009)Google Scholar
  22. 22.
    Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: FOCS 2013, pp. 40–49 (2013)Google Scholar
  23. 23.
    Gentry, C.: Fully homomorphic encryption using ideal lattices. In: STOC 2009, pp. 169–178 (2009)Google Scholar
  24. 24.
    Gentry, C., Ramzan, Z.: Single-database private information retrieval with constant communication rate. In: Caires, L., Italiano, G.F., Monteiro, L., Palamidessi, C., Yung, M. (eds.) ICALP 2005. LNCS, vol. 3580, pp. 803–815. Springer, Heidelberg (2005) CrossRefGoogle Scholar
  25. 25.
    Gentry, C., Sahai, A., Waters, B.: Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 75–92. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  26. 26.
    Gilboa, N., Ishai, Y.: Distributed point functions and their applications. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 640–658. Springer, Heidelberg (2014) CrossRefGoogle Scholar
  27. 27.
    Goldreich, O.: A Note on Computational Indistinguishability. Inf. Process. Lett. 34(6), 277–281 (1990)CrossRefzbMATHMathSciNetGoogle Scholar
  28. 28.
    Goldreich, O.: Foundations of Cryptography: Basic Tools. Cambridge University Press (2000)Google Scholar
  29. 29.
    Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions. Journal of the ACM (JACM) 33(4), 792–807 (1986)CrossRefMathSciNetGoogle Scholar
  30. 30.
    Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game or a completeness theorem for protocols with honest majority. In: STOC 1987, pp. 218–229 (1987)Google Scholar
  31. 31.
    Goldreich, O., Ostrovsky, R.: Software Protection and Simulation on Oblivious RAMs. J. ACM 43(3), 431–473 (1996)CrossRefzbMATHMathSciNetGoogle Scholar
  32. 32.
    Goldwasser, S., Micali, S.: Probabilistic Encryption. J. Comput. Syst. Sci. 28(2), 270–299 (1984)CrossRefzbMATHMathSciNetGoogle Scholar
  33. 33.
    Goldwasser, S., Kalai, Y.T., Popa, R.A., Vaikuntanathan, V., Zeldovich, N.: Reusable garbled circuits and succinct functional encryption. In: STOC 2013, pp. 555–564 (2013)Google Scholar
  34. 34.
    Hastad, J., Impagliazzo, R., Levin, L., Luby, M.: A Pseudorandom Generator from any One-way Function. SIAM J. Comput. 28(4), 1364–1396 (1999)CrossRefzbMATHMathSciNetGoogle Scholar
  35. 35.
    Ishai, Y., Kushilevitz, E., Ostrovsky, R.: Sufficient conditions for collision-resistant hashing. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 445–456. Springer, Heidelberg (2005) CrossRefGoogle Scholar
  36. 36.
    Ishai, Y., Paskin, A.: Evaluating branching programs on encrypted data. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 575–594. Springer, Heidelberg (2007) CrossRefGoogle Scholar
  37. 37.
    Kalyanasundaram, B., Schnitger, G.: The Probabilistic Communication Complexity of Set Intersection. SIAM J. Discrete Math. 5(4), 545–557 (1992)CrossRefzbMATHMathSciNetGoogle Scholar
  38. 38.
    Kushilevitz, E., Ostrovsky, R.: Replication is NOT needed: SINGLE database, computationally-private information retrieval. In: FOCS 1997, pp. 364–373 (1997)Google Scholar
  39. 39.
    Lipmaa, H.: An oblivious transfer protocol with log-squared communication. In: Zhou, J., López, J., Deng, R.H., Bao, F. (eds.) ISC 2005. LNCS, vol. 3650, pp. 314–328. Springer, Heidelberg (2005) CrossRefGoogle Scholar
  40. 40.
    Ostrovsky, R., Shoup, V.: Private information storage. In: STOC 1997, pp. 294–303. ACM (1997)Google Scholar
  41. 41.
    Ostrovsky, R., Skeith III, W.E.: Private Searching on Streaming Data. J. Cryptology 20(4), 397–430 (2007)CrossRefzbMATHMathSciNetGoogle Scholar
  42. 42.
    Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: STOC 2005, pp. 84–93 (2005)Google Scholar
  43. 43.
    Sahai, A., Waters, B.: How to use indistinguishability obfuscation: deniable encryption, and more. In: STOC 2014, pp. 475–484 (2014)Google Scholar
  44. 44.
    Shamir, A.: How to Share a Secret. CACM 22(11), 612–613 (1979)CrossRefzbMATHMathSciNetGoogle Scholar
  45. 45.
    Wehner, S., de Wolf, R.: Improved lower bounds for locally decodable codes and private information retrieval. In: Caires, L., Italiano, G.F., Monteiro, L., Palamidessi, C., Yung, M. (eds.) ICALP 2005. LNCS, vol. 3580, pp. 1424–1436. Springer, Heidelberg (2005) CrossRefGoogle Scholar
  46. 46.
    Yao, A.C.-C.: Protocols for secure computations (extended abstract). In: FOCS 1982, pp. 160–164 (1982)Google Scholar
  47. 47.
    Yekhanin, S.: Towards 3-query locally decodable codes of subexponential length. STOC 2007, pp. 266–274 (2007)Google Scholar

Copyright information

© International Association for Cryptologic Research 2015

Authors and Affiliations

  1. 1.Computer Science DepartmentTechnionHaifaIsrael
  2. 2.Department of Communication Systems EngineeringBen Gurion UniversityBeershebaIsrael

Personalised recommendations