DDH-based schemes for multi-party Function Secret Sharing

Function Secret Sharing (FSS) schemes enable sharing efficiently secret functions. Schemes dedicated to point functions, referred to as Distributed Point Functions (DPFs), are the center of FSS literature thanks to their numerous applications includi…

Authors: Marc Damie, Florian Hahn, Andreas Peter

Marc Damie^{1,2,⋆}, Florian Hahn^1, Andreas Peter^3, and Jan Ramon^2

1 University of Twente, The Netherlands
2 Inria, France
3 Carl von Ossietzky Universität Oldenburg, Germany

Abstract. Function Secret Sharing (FSS) schemes enable efficiently sharing secret functions. Schemes dedicated to point functions, referred to as Distributed Point Functions (DPFs), are the center of FSS literature thanks to their numerous applications including private information retrieval, anonymous communications, and machine learning. While two-party DPFs benefit from schemes with logarithmic key sizes, multi-party DPFs have seen limited advancements: $O(\sqrt{N})$ key sizes (with $N$ the function domain size) and/or exponential factors in the key size. We propose a DDH-based technique reducing the key size of existing multi-party schemes. In particular, we build an honest-majority DPF with $O(\sqrt[3]{N})$ key size. Our benchmark highlights key sizes up to 10× smaller (on realistic problem sizes) than state-of-the-art schemes. Finally, we extend our technique to schemes supporting comparison functions.

Keywords: Function Secret Sharing · FSS · Distributed Point Function · DPF · DDH · Multi-Party Computations.

1 Introduction

Secret sharing [28] is a popular cryptographic primitive to perform multi-party computations (MPC) [16]. This primitive enables splitting a secret value into several shares, each revealing individually no information about the secret. While classic secret sharing focused on scalar secret values, Function Secret Sharing (FSS) [17] generalizes the concept to share secret functions. FSS schemes consist of three algorithms: Gen, Eval, and Decode. Gen outputs $p$ FSS keys based on a secret function $f$; each shareholder receives one key. Eval takes as input an FSS key $k_i$ and a point $x$, and outputs a share of $f(x)$ (referred to as $[\![f(x)]\!]_i$).
Finally, Decode takes as input $p$ shares $\{[\![f(x)]\!]_1, \dots, [\![f(x)]\!]_p\}$ and outputs $f(x)$.

Significant efforts [4,5,10,12,17] aimed to share point functions (i.e., a function equal to zero everywhere, except on a point $\alpha$). These so-called "Distributed Point Functions" (DPFs) were initially proposed to build private information retrieval (PIR) protocols [17] and have later been used in other domains such as anonymous communications [12] or privacy-preserving machine learning [29].

⋆ Corresponding author: m.f.d.damie@utwente.nl

Recently, there is also a growing interest in schemes supporting comparison functions: functions such that $f(x) = \beta$ when $x \le \alpha$, and $0$ otherwise. These schemes, called "Distributed Comparison Functions" (DCF), have applications notably in MPC pre-computations [6] or private statistics [1].

Related works. The main goal of FSS works is to minimize the key size. In particular, existing works systematically studied the influence of the function domain size $N$ on the key size. While schemes are often described for a generic group $\mathbb{G}$, many works focused on bit-string outputs [4,10], $\mathbb{G} = (\mathbb{F}_2)^l$, motivated by applications in PIR. However, novel applications in private statistics [1,2] or MPC precomputations [6] require prime fields $\mathbb{F}_q$ (e.g., to sum several shared functions). Such constraints emphasized under-studied scalability issues in some multi-party schemes [4,10] that have an exponential dependency in $q$. Recent works [3,22] also highlighted this issue.

2/3-party DPF. Boyle et al. [4] presented the reference 2-party scheme, with an $O(\log N \log q)$ key size. This scheme has been further optimized by various works: key size optimization [5], "incremental" DPF [2], reusable keys [8], MPC-based key generation [15], verifiable DPF [11].
Thanks to its logarithmic key size, this scheme is used in many application papers including anonymous communications [25], private statistics [2], and access control [27]. Bunn et al. [9] described a three-party scheme with $O(\sqrt{N})$ key size. Later, [10,30] further improved it to obtain $O(\log N)$ key sizes.

Multi-party DPF. Now that 2-party and 3-party schemes have logarithmic key sizes, improving arbitrary $p$-party schemes is the natural next step. As we focus on multi-party FSS, we will skim through existing schemes, their advantages and disadvantages. Table 1 of Section 3 summarizes this overview. First, Boyle et al. [4] designed a scheme based on Pseudo-Random Generators (PRG) with $O(\sqrt{N}\, q^{\frac{p-1}{2}} \log q)$ key size. The exponential factor $q^{\frac{p-1}{2}}$ (with $q = |\mathbb{G}|$) makes it impractical for applications requiring arbitrary output groups (e.g., private histograms [2]). This weakness was already highlighted by [22]. Second, Corrigan-Gibbs et al. [12] introduced a DDH-based scheme with $O(\sqrt{N} \log q)$ key size. Recently, Kumar et al. [22] further improved this scheme by removing a constant factor, but it requires a trusted share decoder. Third, Bunn et al. [10] designed an honest-majority scheme (based on [4]) with $O(\sqrt[4]{N}\, q^{\frac{p-1}{2}} \log q)$ key size. It has the best dependency on $N$ (i.e., $O(\sqrt[4]{N})$), but it inherits the exponential factor of [4]. Papers presenting PRG-based schemes [4,10] only provide algorithms for $q = 2$, but they can easily be generalized to an arbitrary $q$ (as explained in [3]). Fourth, Bunn et al. [10] also introduced an honest-majority scheme with $O(\sqrt{N} \log q)$ key size. Its main advantage is its information-theoretic security. Other works also investigated information-theoretic DPF schemes [7,21,23], but [10] is the only one with practical key sizes. Finally, concurrently to our work, two other papers [18,20] have improved multi-party DPF. On the one hand, Goel et al. [18] built a PRG-based scheme replacing the exponential factor present in [4] with a polynomial factor: $O(\sqrt{N} \cdot p^3 \lambda^4)$. On the other hand, Krips and Pullonen-Raudvere [20] introduced two new hardness assumptions to build a multi-party scheme with logarithmic key size.

DCF. Boyle et al. [4] adapted their 2-party DPF to build a DCF scheme with $O(\log N \log q)$ key size. They also adapted their multi-party DPF to build a multi-party DCF with $O(\sqrt{N}\, q^{\frac{p-1}{2}} \log q)$ key size, suffering from the same scalability issues as their DPF. Recently, Kumar et al. [22] proposed a multi-party DCF inspired by the DPF of [12]. The literature describes no other DCF; the DCF baselines are therefore weaker than those in DPF.

Gap in the literature. When relying on standard hardness assumptions (which excludes [20]), the existing literature leaves two choices for multi-party DPF: either an $O(\sqrt[4]{N})$ key size with exponential factors [10], or an $O(\sqrt{N})$ key size without exponential factors [10,12,14]. Our goal is to provide an intermediary solution, a better trade-off: $O(\sqrt[3]{N})$ key size without exponential factors. Similarly, we want to extend these results to DCF, and provide the same range of choices as in DPF.

We would like to emphasize the contribution of [20] which, for the first time, presents a multi-party scheme with logarithmic key size. Unfortunately, it requires the introduction of two new hardness assumptions. Further research is necessary to estimate the parameters under which these assumptions hold. Our paper, on the other hand, relies on standard, widely-established assumptions.

Our Contributions

1. We build a multi-party DDH-based DPF with $O(\sqrt[3]{N})$ key size. Our scheme provides keys up to 10× smaller than existing works.
2. We extend our approach to build a DCF with $O(\sqrt[3]{N})$ key size.
3. As DDH-based schemes require encoding the secret as a DDH group element, we present two encodings, and discuss their properties and applications.

2 Definitions

Let $p$ be the number of parties/shareholders and $m$ the number of dishonest parties. Let $\mathbb{F}_q$ be a prime field and let $\mathbb{G}$ be a cyclic group. Let $N$ be the function domain size and $1^\lambda$ a security parameter. Finally, let $s \xleftarrow{R} S$ denote the uniform sampling of an element $s$ from the set $S$. Let $[\![x]\!]$ be a share of $x$, and $g^{[\![x]\!]}$ denote $g$ to the power $[\![x]\!]$.

2.1 Threat model

MPC protocols are referred to as secure if they preserve output correctness and input privacy in the presence of an adversary. Subsection 2.2 provides definitions of correctness and privacy specific to FSS. Like most FSS works [4,5,10,17,22], we focus on semi-honest adversaries: adversaries following the protocol and passively inferring secret information. Moreover, secure protocols are characterized by the tuple $(m, p)$. The security of an $(m, p)$-secure protocol is guaranteed only if the number of dishonest parties is lower than or equal to $m$. The literature distinguishes honest-majority protocols ($m < p/2$) from dishonest-majority protocols ($m \ge p/2$).

2.2 Function Secret Sharing

Function secret sharing (FSS) [4] generalizes the concept of secret sharing to secret functions. Each FSS scheme can share functions from a specific function family. A function family $\mathcal{F}$ [3] is a pair $(P_{\mathcal{F}}, E_{\mathcal{F}})$ where $P_{\mathcal{F}} \subseteq \{0,1\}^*$ is an infinite collection of function descriptions $\hat f$, and $E_{\mathcal{F}} : P_{\mathcal{F}} \times \{0,1\}^* \to \{0,1\}^*$ is a polynomial-time algorithm defining the function described by $\hat f$. In other words, each function description $\hat f \in P_{\mathcal{F}}$ describes a corresponding function $f$ such that $f(x) = E_{\mathcal{F}}(\hat f, x)$. A description $\hat f$ for such functions is the tuple $(\alpha, \beta, \mathcal{X}, \mathcal{Y})$, with $\mathcal{X}$ the function domain and $\mathcal{Y}$ the output space.
Over the years, the literature has described schemes for various function families, especially point functions [4,5,7,10,12,17] (functions $f$ such that $f(x) = \beta$ if $x = \alpha$, and $f(x) = 0$ otherwise), and comparison functions [4,22]. Other function families such as decision trees [5] have FSS schemes, but they have fewer applications than DPF and DCF. All functions within a function family must share the same domain and output space. Moreover, we use the notation $\mathcal{K}$ to refer to the FSS key space.

Definition 1. A $p$-party FSS scheme (for a family $\mathcal{F}$) has 3 algorithms:
– Gen: $\mathbb{N} \times P_{\mathcal{F}} \to \mathcal{K}^p$ takes as input a security parameter $1^\lambda \in \mathbb{N}$ and a function description $\hat f \in P_{\mathcal{F}}$, and outputs $p$ keys $k_1, \dots, k_p \in \mathcal{K}$.
– Eval: $\mathcal{K} \times \mathcal{X} \to \mathbb{G}$ takes as input $k_i$ and a point $x \in \mathcal{X}$, and outputs a share of $f(x)$ that we denote as $[\![f(x)]\!]_i$.
– Decode: $\mathbb{G}^p \to \mathcal{Y}$ takes as input $p$ shares $\{[\![f(x)]\!]_1, \dots, [\![f(x)]\!]_p\}$ and outputs the secret $f(x)$.

Recent FSS works [10,30] generalized this definition to support threshold secret-sharing. Our work (like most existing works [4,5,10,12]) does not require such a generalization, so we stick to the classic definitions from [4].

Definition 2 (Correctness [4]). For any function $f \in \mathcal{F}$ and any point $x \in \mathcal{X}$, with $k_1, \dots, k_p \leftarrow \mathrm{Gen}(1^\lambda, \hat f)$, we have $\Pr[\mathrm{Decode}(\mathrm{Eval}(k_1, x), \dots, \mathrm{Eval}(k_p, x)) = f(x)] = 1$.

Definition 3 (Privacy [3]). Let $\mathrm{Leak}: \{0,1\}^* \to \{0,1\}^*$ be a function specifying the allowable leakage. If omitted, it is understood to be $\mathrm{Leak}(\hat f) = (\mathcal{X}, \mathcal{Y})$. We call a $p$-party FSS scheme private if, for every set of corrupted parties $S \subseteq \{1 \dots p\}$ of size $m$, there exists a PPT algorithm Sim (simulator) such that, for every sequence of function descriptions $(\hat f_1, \hat f_2, \dots)$ from $P_{\mathcal{F}}$ of size polynomial in $\lambda$, the outputs of the following experiments Real and Ideal are computationally indistinguishable:
– $\mathrm{Real}(1^\lambda)$: $(k_1, \dots, k_p) \leftarrow \mathrm{Gen}(1^\lambda, \hat f_\lambda)$; output $(k_i)_{i \in S}$.
– $\mathrm{Ideal}(1^\lambda)$: output $\mathrm{Sim}(1^\lambda, \mathrm{Leak}(\hat f_\lambda))$.

3 DDH-based Distributed Point Function

This section introduces a DDH-based approach to build a scheme with $O(\sqrt[3]{N})$ key size upon the information-theoretic scheme of [10], which has an $O(\sqrt{N})$ key size. We call "sub-DPF" or "sub-scheme" the DPF scheme of [10] on which we apply our DDH-based optimization. As this section focuses on point functions, we use the notation $(\alpha, \beta)$ to refer to the parameters of the secret function $f$ (i.e., $f(x) = \beta$ if $x = \alpha$, and $0$ otherwise).

3.1 Scheme

We represent the domain as a grid of dimensions $(\sqrt[3]{N})^2 \times \sqrt[3]{N}$ (see Figure 1). The non-zero value is in cell $(\gamma^*, \delta^*)$.

Fig. 1: High-level structure of our DDH-based DPF.

Gen: Let $\mathbb{G}$ be a cyclic group of prime order $q_0$, with $g$ a generator. We assume that the DDH assumption holds in $\mathbb{G}$. Let $g_\beta = \mathrm{Encode}_{DDH}(\beta)$ be the encoding of $\beta$ in $\mathbb{G}$ (possible encodings are discussed in Section 6). Our Gen algorithm starts by sampling one random number $r \xleftarrow{R} \mathbb{F}_{q_0}$ and computing $r_{inv}$, its multiplicative inverse. This multiplicative inverse exists because $q_0$ is prime. We then use the sub-DPF to share two secret point functions $f_a, f_b$ such that $f_a(x) = r$ and $f_b(x) = 1$ if $x = \gamma^*$, and $0$ otherwise. This step outputs two sets of DPF keys $\{k_1^{(a)}, \dots, k_p^{(a)}\}$ and $\{k_1^{(b)}, \dots, k_p^{(b)}\}$, with each key of size $O(\sqrt[3]{N})$ thanks to the sub-DPF. For each column $\delta$, we sample a random generator $g_\delta \xleftarrow{R} \mathbb{G}$. For all $\delta \neq \delta^*$, we set the "correction points" $h_\delta = g_\delta^{-r_{inv}}$. We set the correction point for the column $\delta^*$ as $h_{\delta^*} \leftarrow g_{\delta^*}^{-r_{inv}} \cdot g_\beta^{r_{inv}}$. Each party $i$ receives a key $k_i$ containing two DPF "sub-keys" $k_i^{(a)}, k_i^{(b)}$ and all correction points.

Eval: represents $x$ as $(\gamma', \delta')$ and evaluates $[\![s_a]\!]_i \leftarrow \mathrm{Eval}_{DPF}(k_i^{(a)}, \gamma')$ and $[\![s_b]\!]_i \leftarrow \mathrm{Eval}_{DPF}(k_i^{(b)}, \gamma')$. Each party obtains $[\![f(x)]\!]_i = h_{\delta'}^{[\![s_a]\!]_i} \cdot g_{\delta'}^{[\![s_b]\!]_i}$. Algorithm 1 details our DDH-based scheme.

Algorithm 1 DDH-based DPF scheme
1: Let $\mathbb{G}$ be a cyclic group of prime order $q_0$ with $g$ a generator. We assume that the DDH assumption holds in $\mathbb{G}$.
2: Let $(\mathrm{Gen}^{(*)}_{DPF}, \mathrm{Eval}^{(*)}_{DPF}, \mathrm{Decode}^{+})$ be the information-theoretic DPF proposed by Bunn et al. [10] (with output in $\mathbb{F}_{q_0}$).
3: Let $\mathrm{Encode}_{DDH}: \mathcal{Y} \to \mathbb{G}$ and $\mathrm{Decode}_{DDH}: \mathbb{G} \to \mathcal{Y}$ be two functions such that $\mathrm{Encode}_{DDH}(0) = g^0$ and $\mathrm{Decode}_{DDH}(\mathrm{Encode}_{DDH}(y)) = y$ for any $y \in \mathcal{Y}$.
4: function $\mathrm{Gen}_{DPF}(\alpha, \beta, p, m)$
5:   Let $g_\beta \leftarrow \mathrm{Encode}_{DDH}(\beta)$.
6:   Let $(\gamma^*, \delta^*)$ be the position of $\alpha$ in a $\nu^2 \times \nu$ grid, with $\nu = \lceil \sqrt[3]{N} \rceil$.
7:   Sample one (non-zero) $r \xleftarrow{R} \mathbb{F}_{q_0}$ and set $r_{inv} \leftarrow r^{-1}$.
8:   Generate two sets of DPF keys: $\{k_1^{(a)}, \dots, k_p^{(a)}\} \leftarrow \mathrm{Gen}^{(*)}_{DPF}(\gamma^*, r, p, m)$ and $\{k_1^{(b)}, \dots, k_p^{(b)}\} \leftarrow \mathrm{Gen}^{(*)}_{DPF}(\gamma^*, 1, p, m)$.
9:   for $\delta \in \{1 \dots \nu\}$, $\delta \neq \delta^*$ do
10:    Sample a point $g_\delta$ from $\mathbb{G}$ and set $h_\delta \leftarrow g_\delta^{-r_{inv}}$.
11:  Sample a $g_{\delta^*}$ from $\mathbb{G}$ and set $h_{\delta^*} \leftarrow g_{\delta^*}^{-r_{inv}} \cdot g_\beta^{r_{inv}}$.
12:  Set $k_i = (k_i^{(a)} \,\|\, k_i^{(b)} \,\|\, g_1 \,\|\, h_1 \,\|\, \dots \,\|\, g_\nu \,\|\, h_\nu)$, $\forall i \in \{1 \dots p\}$.
13:  return $(k_1, \dots, k_p)$.
14: function $\mathrm{Eval}_{DPF}(k_i, x)$
15:  Let $(\gamma', \delta')$ be the position of $x$ in a $(\sqrt[3]{N})^2 \times \sqrt[3]{N}$ grid.
16:  Parse $k_i$ as $k_i = (k_i^{(a)} \,\|\, k_i^{(b)} \,\|\, g_1 \,\|\, h_1 \,\|\, \dots \,\|\, g_\nu \,\|\, h_\nu)$.
17:  Let $[\![s_a]\!]_i \leftarrow \mathrm{Eval}^{(*)}_{DPF}(k_i^{(a)}, \gamma')$ and $[\![s_b]\!]_i \leftarrow \mathrm{Eval}^{(*)}_{DPF}(k_i^{(b)}, \gamma')$.
18:  Let $[\![f(x)]\!]_i \leftarrow h_{\delta'}^{[\![s_a]\!]_i} \cdot g_{\delta'}^{[\![s_b]\!]_i}$.
19:  return $[\![f(x)]\!]_i$   ▷ $[\![f(x)]\!]_i \in \mathbb{G}$.
20: function $\mathrm{Decode}_{DPF}([\![f(x)]\!]_1, \dots, [\![f(x)]\!]_p)$
     return $\mathrm{Decode}_{DDH}\big(\prod_{i=1}^{p} [\![f(x)]\!]_i\big)$.

3.2 Asymptotic key size

Figure 1 provides a high-level representation of our DPF keys, with an $O(\sqrt[3]{N} \cdot \binom{p-1}{m} \cdot (\lambda + \log q))$ key size. Let us break down this asymptotic cost. First, we have two sub-DPF keys. These DPFs are defined over the domain $\{1 \dots (\sqrt[3]{N})^2\}$ to "cover all the rows". We have $(\sqrt[3]{N})^2$ rows and use [10] as sub-DPF (with an $O(\sqrt{M} \binom{p-1}{m} \log q_0)$ key size for a domain of size $M$). Each sub-DPF key is then of size $O(\sqrt[3]{N} \cdot \binom{p-1}{m} \cdot \log q_0)$ ($M = (\sqrt[3]{N})^2$ in our case). Second, for each column $\delta$, we have $g_\delta, h_\delta \in \mathbb{G}$. For convenience, assume $\mathbb{G} = \mathbb{F}_q^{\times}$. As we have $\sqrt[3]{N}$ columns, the total size of these elements is $O(\sqrt[3]{N} \cdot \log q)$. In our scheme, $\lambda$ is implicitly present because DDH is assumed to be hard in the cyclic group $\mathbb{G}$. As $\mathbb{G}$ is of order $q_0$, we have $\lambda = O(\log q_0)$.

Supporting other sub-DPFs. We use a grid of size $(\sqrt[3]{N})^2 \times \sqrt[3]{N}$ because the sub-DPF we use has an $O(\sqrt{M})$ key size (for a domain size of $M$). However, using our DDH-based approach, we can replace [10] with any scheme that outputs additive shares in $\mathbb{F}_{q_0}$. Specifically, for any sub-scheme with key size $O(\sqrt[k]{N})$, our method yields a DDH-based variant with key size $O(\sqrt[k+1]{N})$. In particular, our approach can be applied to the dishonest-majority scheme proposed in [18]. The resulting scheme (combining [18] with our DDH-based approach) is secure against a dishonest majority and has key size $O(\sqrt[3]{N} \cdot p^3 \lambda^3 \cdot (\log q + \lambda))$. As shown in Section 4, the scheme of [18] already has larger keys than sharing the function's truth table. Therefore, extending our scheme using [18] would result in an impractical solution, because [18] is impractical.
Given this, we do not further develop this extension in our work. Instead, we focus our discussions solely on our honest-majority scheme, which, in contrast, provides substantial key size reductions for practical problem sizes.

Since we can reduce key sizes from $O(\sqrt[k]{N})$ to $O(\sqrt[k+1]{N})$, our result raises a key question: can we build a multi-party scheme with logarithmic key size via a recursive application of our scheme? Our DDH-based scheme outputs multiplicative shares (in a DDH group), so it cannot be used recursively.

3.3 Security

In our scheme, the DDH assumption prevents an adversary from distinguishing the correction points, and hence prevents them from recovering from the key the column $\delta^*$ containing the non-zero value. To prove this intuition, we propose to consider the following theorem:

Theorem 1. Let $\lambda \in \mathbb{N}$ and $N, p \in \mathbb{N}$. Then $(\mathrm{Gen}_{DPF}, \mathrm{Eval}_{DPF}, \mathrm{Decode}_{DPF})$ as described in Algorithm 1 is an FSS scheme for the family of point functions. Assuming that the DDH assumption holds in $\mathbb{G}$ and that the information-theoretic scheme $(\mathrm{Gen}^{(*)}_{DPF}, \mathrm{Eval}^{(*)}_{DPF}, \mathrm{Decode}^{+})$ from [10] is a correct and private DPF scheme, this scheme is correct and private against at most $m$ semi-honest parties with $m < p/2$.

Proof. Given in Appendix A.

3.4 Comparison with existing works

Table 1 compares existing schemes to ours. We achieve two goals: (1) avoiding the exponential factors present in [4,10], and (2) improving the dependency on the function domain size $N$ (compared to other practical schemes [10,12,18]). We offer an intermediary solution between an $O(\sqrt[4]{N})$ key size with exponential factors [10] and $O(\sqrt{N})$ key sizes without exponential factors [10,12,18].

Table 1: Comparison of the multi-party DPF schemes

| Scheme | Year | Majority | Assumptions | Key size |
|---|---|---|---|---|
| [4] | 2015 | Dishonest | PRG | $O(\sqrt{N} \cdot q^{\frac{p-1}{2}} \cdot (\log q + \lambda))$ |
| [12,22] | 2015 | Dishonest | DDH | $O(\sqrt{N} \cdot (\lambda + \log q))$ |
| PRG-based [10] | 2022 | Honest | PRG | $O(\sqrt[4]{N} \cdot \sqrt{q^{pm}} \cdot \binom{p-1}{m} \cdot (\lambda + \log q))$ |
| Info.-Th. [10] | 2022 | Honest | None | $O(\sqrt{N} \cdot \binom{p-1}{m} \cdot \log q)$ |
| [18] | 2025 | Dishonest | PRG | $O(\sqrt{N} \cdot p^3 \lambda^3 \cdot (\log q + \lambda))$ |
| [20] | 2025 | Dishonest | DDH + 2 new hardness assumptions | $O(\log N \cdot (\log q + \lambda))$ |
| Our scheme | 2025 | Honest | DDH | $O(\sqrt[3]{N} \cdot \binom{p-1}{m} \cdot (\lambda + \log q))$ |

The scheme of [20] achieves the best known asymptotic key size, namely $O(\log N)$. However, this improvement comes at the cost of relying on two new hardness assumptions whose concrete security is not yet well understood. The work of [20] represents an exciting theoretical advancement, but the lack of concrete security hinders its implementation for now. Further research is needed to determine parameter sets that achieve standard security levels (e.g., 128-bit or 256-bit). In contrast, our scheme has $O(\sqrt[3]{N})$ key sizes, but is based solely on the DDH assumption, a standard and extensively studied cryptographic assumption.

3.5 Pseudo-random secret sharing

Pseudo-random secret sharing (PRSS) [13] is a protocol reducing the communication cost of secret sharing protocols thanks to pseudo-random seed expansion. As most multi-party schemes [4,10,12] (including ours) output DPF keys containing secret shares, we can reduce their size thanks to PRSS. In particular, we rely on the simplest form of PRSS, applied to additive secret shares. Additive secret sharing of a secret $s$ normally outputs $p$ shares $\{[\![s]\!]_1 \dots [\![s]\!]_p\}$ such that $\sum_i [\![s]\!]_i = s$. With PRSS, the secret holder generates $p-1$ random seeds $r_1, \dots, r_{p-1}$ and a share $[\![s]\!]_p$ such that $[\![s]\!]_p + \sum_{i=1}^{p-1} G(r_i) = s$ (with $G$ a PRG). One shareholder receives $[\![s]\!]_p$ and the other $p-1$ parties each receive a random seed $r_i$. The random seeds can be reused to share multiple values.
To share a vector of $n$ values, the secret holder sends $p-1$ seeds and a single vector of $n$ shares (vs. $p$ vectors of $n$ shares in classic secret sharing). If the MPC protocol allows the secret holder to be a shareholder, they can keep the vector of shares and send only random seeds to the other shareholders. This technique amortizes the communication costs (i.e., key size) when the protocols require sharing large vectors. Since all practical schemes [10,12] are compatible with PRSS, Section 4 compares the key sizes using PRSS.

4 Key size benchmark

We compare the exact key size of our DPF scheme to those of existing schemes. Our experiments report the total key size instead of the individual key size. This metric takes into account the key size amortization provided by PRSS. For this benchmark, we implement our scheme using elliptic curves $E(\mathbb{F}_q)$, as they provide prime-order cyclic groups in which DDH is known to be hard. More specifically, we use the curve P-256.

Exponential factors in existing works. Figure 2 illustrates the exponential factor of the PRG-based multi-party DPFs [4,10]. Figure 2a represents their key size as a function of the output bit length (i.e., $\log_2 q$ for an output in $\mathbb{F}_q$). While this problem was barely discussed in existing works [4,10], Figure 2 shows that it makes these techniques purely unusable. For only 12-bit moduli, the DPF of [4] has a key size of $10^{18}$ bits and the PRG-based DPF of [10] has a key size of $10^{38}$ bits. Figure 2 includes a curve "Trivial scheme", corresponding to the most trivial DPF implementation: sharing the truth table of the function. This trivial baseline is much better than these PRG-based solutions for prime fields other than $\mathbb{F}_2$. While other works [3,22] warned about this potential scalability issue, our work provides the first evidence of their impracticality in $\mathbb{F}_q$.
In comparison, we can barely see on Figure 2a the key size difference between the rest of the DPF schemes [10,12, Ours]. Note that Figure 2 includes curves for the DDH-based schemes [12, Ours]. Such schemes are implemented with a fixed elliptic curve, P-256, so the output is of fixed size (256 bits). Thus, their key sizes are constant on this figure.

Recently, Boyle [3] proposed an optimization based on the Chinese Remainder Theorem (CRT) to optimize the key sizes of PRG-based schemes [4,10] for composite moduli. Thanks to this CRT trick, we can replace the exponential factor $q^p$ with a sum of smaller factors $\sum_i q_i^p$ (with $q_i$ the prime factors of the composite modulus). Figure 2b represents the key sizes for varying composite moduli, but the figure is hard to read, because this trick is sensitive to the prime decomposition: two numbers $m$ and $m+1$ can have completely different prime factors. To provide more readable results, Figure 2c represents the key sizes for varying primorial moduli. A primorial is a composite number whose prime factors are the $n$ smallest primes. Such numbers are the best-case scenario for the CRT trick because they provide the smallest factors possible. On Figure 2c, we observe that the trick significantly improves the key size of the PRG-based schemes, but they remain way above the trivial scheme for any modulus above 210.

Fig. 2: DPF key sizes for varying moduli. Parameters: $p = 5$ parties, $N = 10^6$. (a) Prime moduli, (b) Arbitrary moduli, (c) Primorial moduli, (d) Legend.

Finally, Figure 2 provides a key insight into [18]. Note that their key size may seem constant in $q$ on Figure 2, but it is not; their key size is simply dominated by factors independent of $q$.
While their work replaces the exponential factor present in [4] with a polynomial factor of $p^3 \lambda^3$, we demonstrate that, for realistic problem sizes, this polynomial term actually exceeds $q^p$. As a result, the asymptotic improvement offered by [18] does not translate into practical efficiency: the key size remains significantly larger than that of the trivial scheme. In other words, although [18] presents a notable theoretical advance by eliminating the exponential term of [4], the resulting scheme remains impractical, performing worse than the trivial DPF scheme.

Since PRG-based schemes [4,10,18] are impractical for moduli larger than 210 (even with the CRT optimization of [3]), we exclude them from our other experiments. This allows us to observe precisely the key size improvements achieved by our scheme when compared to practical DPF schemes [10,12].

Varying function domain. Figure 3a compares the key sizes as a function of the domain size, varying from $10^2$ to $10^{10}$. Zyskind et al. [30] used the same problem sizes to benchmark three-party DPF schemes. Our key size is the smallest for any domain size above $10^3$. When $N = 10^6$, our key size is 3 times smaller. When $N = 10^9$, our key size is 10 times smaller. Our key size is higher than those of [10,12] only when $N$ is below $10^3$. To put this into perspective, Figure 3a also shows that the trivial DPF scheme becomes the most efficient for smaller domain sizes (below $10^2$). Thus, the advantage provided by [10,12] only holds for particularly small function domains, and the trivial DPF could even be preferable in such cases.

Fig. 3: Key sizes for varying domain sizes and number of parties. (a) Varying domain size ($p = 5$), (b) Varying number of parties ($N = 10^6$).

Varying number of parties. Figure 3b compares the key sizes as a function of the number of parties, varying from 3 to 10.
We observe that Corrigan-Gibbs et al. [12] has a better scaling than our scheme, but our key size remains smaller. The growth of our key size is not as smooth as the growth of the scheme by [12]. For example, the growth between 3 and 4 parties is steeper than between 4 and 5. This phenomenon is caused by the honest-majority assumption: (contrary to [12]) our total key size is correlated to the number of honest parties. Under the honest-majority assumption, 4-party and 5-party setups have exactly the same number of honest parties (i.e., 3). The same phenomenon is present for [10].

5 DDH-based Distributed Comparison Function

This section adapts our DPF scheme to comparison functions. However, the literature has described fewer DCF schemes than DPF. Indeed, only [4,22] have described multi-party DCFs, which provides weak baselines compared to DPF. Thus, Appendix B adapts the DPF schemes of [10] to DCF in order to compare our DCF to challenging baselines.

5.1 Scheme

We build our DDH-based DCF upon the information-theoretic DPF of [10] and the DCF adapted from [10] (see Appendix B). The main change compared to our DPF scheme is that we require both a sub-DCF and a sub-DPF. Algorithm 2 details our scheme (with the changes compared to our DPF in blue). To understand their respective roles, let us represent the function domain as a grid. On the one hand, the DCF covers all rows containing only non-zero values (i.e., $\beta$). On the other hand, the DPF enables selecting the row $\gamma^*$ containing a segment of $\beta$ and a segment of $0$. To complete our extension, we update the definition of the "correction points", so that the $\gamma^*$ row contains $\beta$ up to the column $\delta^*$ and $0$ after. This scheme is a simple adaptation of our DPF, adding a (secure) sub-DCF and updating the correction points. Thus, its security proof relies on the same arguments as our DPF scheme (see Appendix A).

Algorithm 2 DDH-based DCF scheme (changes compared to our DPF in blue)
1: Let $\mathbb{G}$ be a cyclic group of prime order $q_0$ with $g$ a generator.
2: Let $(\mathrm{Gen}^{(*)}_{DPF}, \mathrm{Eval}^{(*)}_{DPF}, \mathrm{Decode}^{+})$ be the information-theoretic DPF of Bunn et al. [10] and $(\mathrm{Gen}^{(*)}_{DCF}, \mathrm{Eval}^{(*)}_{DCF}, \mathrm{Decode}^{+})$ be the DCF adapted from it.
3: Let $\mathrm{Encode}_{DDH}: \mathcal{Y} \to \mathbb{G}$ and $\mathrm{Decode}_{DDH}: \mathbb{G} \to \mathcal{Y}$ be two functions such that $\mathrm{Encode}_{DDH}(0) = g^0$ and $\mathrm{Decode}_{DDH}(\mathrm{Encode}_{DDH}(y)) = y$ for any $y \in \mathcal{Y}$.
4: function $\mathrm{Gen}_{DPF}(\alpha, \beta, p, m)$
5:   Let $g_\beta \leftarrow \mathrm{Encode}_{DDH}(\beta)$.
6:   Let $(\gamma^*, \delta^*)$ be the position of $\alpha$ in a $\nu^2 \times \nu$ grid, with $\nu = \lceil \sqrt[3]{N} \rceil$.
7:   Sample two (non-zero) $r, s \xleftarrow{R} \mathbb{F}_{q_0}$ and set $r_{inv} \leftarrow r^{-1}$ and $s_{inv} \leftarrow s^{-1}$.
8:   Generate two sets of DPF keys and one set of DCF keys: $\{k_1^{(a)}, \dots, k_p^{(a)}\} \leftarrow \mathrm{Gen}^{(*)}_{DPF}(\gamma^*, r, p, m)$, $\{k_1^{(b)}, \dots, k_p^{(b)}\} \leftarrow \mathrm{Gen}^{(*)}_{DPF}(\gamma^*, 1, p, m)$, $\{k_1^{(c)}, \dots, k_p^{(c)}\} \leftarrow \mathrm{Gen}^{(*)}_{DCF}(\gamma^* - 1, s, p, m)$.
9:   for $\delta > \delta^*$ do sample a point $g_\delta$ from $\mathbb{G}$ and set $h_\delta \leftarrow g_\delta^{-r_{inv}}$.
10:  for $\delta \le \delta^*$ do sample a $g_\delta$ from $\mathbb{G}$ and set $h_\delta \leftarrow g_\delta^{-r_{inv}} \cdot g_\beta^{r_{inv}}$.
11:  Let $u \leftarrow g_\beta^{s_{inv}}$.
12:  Set $k_i = (k_i^{(a)} \,\|\, k_i^{(b)} \,\|\, g_1 \,\|\, h_1 \,\|\, \dots \,\|\, g_\nu \,\|\, h_\nu \,\|\, u)$, $\forall i \in \{1 \dots p\}$.
13:  return $(k_1, \dots, k_p)$.
14: function $\mathrm{Eval}_{DPF}(k_i, x)$
15:  Let $(\gamma', \delta')$ be the position of $x$ in a $(\sqrt[3]{N})^2 \times \sqrt[3]{N}$ grid.
16:  Parse $k_i = (k_i^{(a)} \,\|\, k_i^{(b)} \,\|\, g_1 \,\|\, h_1 \,\|\, \dots \,\|\, g_\nu \,\|\, h_\nu \,\|\, u)$.
17:  Let $[\![s_a]\!]_i \leftarrow \mathrm{Eval}^{(*)}_{DPF}(k_i^{(a)}, \gamma')$ and $[\![s_b]\!]_i \leftarrow \mathrm{Eval}^{(*)}_{DPF}(k_i^{(b)}, \gamma')$.
18:  Let $[\![s_c]\!]_i \leftarrow \mathrm{Eval}^{(*)}_{DCF}(k_i^{(c)}, \gamma')$.
19:  Let $[\![f(x)]\!]_i \leftarrow h_{\delta'}^{[\![s_a]\!]_i} \cdot g_{\delta'}^{[\![s_b]\!]_i} \cdot u^{[\![s_c]\!]_i}$.
20:  return $[\![f(x)]\!]_i$   ▷ $[\![f(x)]\!]_i \in \mathbb{G}$.
21: function $\mathrm{Decode}_{DPF}([\![f(x)]\!]_1, \dots, [\![f(x)]\!]_p)$
     return $\mathrm{Decode}_{DDH}\big(\prod_{i=1}^{p} [\![f(x)]\!]_i\big)$.
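The DDH layer of Algorithm 1 (Section 3.1) and of Algorithm 2 above, as an added Python example that is not the authors' code: it replaces the sub-DPF/sub-DCF of [10] with plain additive sharing of the whole row vector (a stand-in with the same additive-share interface, not the $O(\sqrt{M})$ construction), uses a constructed toy group (a safe-prime subgroup, no real security) with an assumed exponent encoding $g^\beta$ decoded by table lookup, and checks correctness of both schemes over the whole domain.

```python
"""Toy instantiation of the DDH layer of Algorithm 1 (DPF) and Algorithm 2 (DCF).

Constructed example, not the paper's code.  The sub-DPF/sub-DCF of [10] is
replaced by plain additive sharing of the whole row vector (same interface:
additive shares in F_q0, but O(M) keys instead of O(sqrt(M))), and the DDH
group is a small prime-order subgroup of Z_P^* (toy parameters, no security).
"""
import secrets

# Constructed toy group: P = 2039 = 2*1019 + 1 is a safe prime, so the square
# g = 4 generates the subgroup of prime order q0 = 1019; exponents live in F_q0.
P, Q0, G = 2039, 1019, 4
assert pow(G, Q0, P) == 1 and G != 1

# Assumed encoding for this demo: Encode_DDH(beta) = g^beta for small beta,
# decoded by table lookup.  It satisfies Encode_DDH(0) = g^0 as Algorithm 1 requires.
_DECODE_TABLE = {pow(G, b, P): b for b in range(64)}

def encode_ddh(beta):
    return pow(G, beta, P)

def decode_ddh(elem):
    return _DECODE_TABLE[elem]

def rand_exp(nonzero=False):
    e = secrets.randbelow(Q0)
    while nonzero and e == 0:
        e = secrets.randbelow(Q0)
    return e

# --- Stand-in for the information-theoretic sub-DPF / sub-DCF of [10] ---
def share_vector(vec, p):
    """p additive shares in F_q0 of a vector; any p-1 of them look uniform."""
    shares = [[rand_exp() for _ in vec] for _ in range(p - 1)]
    last = [(v - sum(col)) % Q0 for v, col in zip(vec, zip(*shares))]
    return shares + [last]

def sub_dpf_gen(M, gamma, value, p):        # value at row gamma, 0 elsewhere
    return share_vector([value if j == gamma else 0 for j in range(M)], p)

def sub_dcf_gen(M, gamma, value, p):        # value on rows j <= gamma, 0 after
    return share_vector([value if j <= gamma else 0 for j in range(M)], p)

def grid_side(N):
    nu = 1
    while nu ** 3 < N:
        nu += 1
    return nu                                # ceil(cbrt(N)); grid is nu^2 x nu

def gen(alpha, beta, N, p, comparison=False):
    """Gen of Algorithm 1 (DPF); with comparison=True, Gen of Algorithm 2 (DCF)."""
    nu, g_beta = grid_side(N), encode_ddh(beta)
    M = nu * nu
    gamma_s, delta_s = divmod(alpha, nu)     # cell (gamma*, delta*) holding alpha
    r = rand_exp(nonzero=True)
    r_inv = pow(r, -1, Q0)                   # exists because q0 is prime
    ka = sub_dpf_gen(M, gamma_s, r, p)       # f_a(gamma*) = r
    kb = sub_dpf_gen(M, gamma_s, 1, p)       # f_b(gamma*) = 1
    g_pts, h_pts = [], []
    for delta in range(nu):
        g_d = pow(G, rand_exp(nonzero=True), P)   # random point of the subgroup
        h_d = pow(g_d, (-r_inv) % Q0, P)     # correction point g_delta^{-r_inv}
        # DPF: only column delta* carries beta; DCF: every column <= delta* does.
        if delta == delta_s or (comparison and delta < delta_s):
            h_d = h_d * pow(g_beta, r_inv, P) % P
        g_pts.append(g_d)
        h_pts.append(h_d)
    kc = u = None
    if comparison:                           # Algorithm 2 additions
        s = rand_exp(nonzero=True)
        kc = sub_dcf_gen(M, gamma_s - 1, s, p)   # rows strictly above gamma*
        u = pow(g_beta, pow(s, -1, Q0), P)       # u = g_beta^{s_inv}
    return [dict(nu=nu, ka=ka[i], kb=kb[i], g=g_pts, h=h_pts,
                 kc=None if kc is None else kc[i], u=u) for i in range(p)]

def eval_share(key, x):
    """Eval: one party's multiplicative share of f(x), an element of G."""
    gamma, delta = divmod(x, key["nu"])
    s_a, s_b = key["ka"][gamma], key["kb"][gamma]
    share = pow(key["h"][delta], s_a, P) * pow(key["g"][delta], s_b, P) % P
    if key["kc"] is not None:                # DCF extra factor u^{[[s_c]]}
        share = share * pow(key["u"], key["kc"][gamma], P) % P
    return share

def decode(shares):
    """Decode: multiply the p shares in G, then undo the encoding."""
    prod = 1
    for sh in shares:
        prod = prod * sh % P
    return decode_ddh(prod)

def check_scheme(alpha, beta, N, p, comparison=False):
    """Correctness over the whole domain: beta iff x == alpha (DPF) or x <= alpha (DCF)."""
    keys = gen(alpha, beta, N, p, comparison)
    for x in range(N):
        hit = x <= alpha if comparison else x == alpha
        if decode([eval_share(k, x) for k in keys]) != (beta if hit else 0):
            return False
    return True
```

Calling `check_scheme(37, 5, N=100, p=5)` and `check_scheme(37, 5, N=100, p=5, comparison=True)` exercises the DPF and the DCF respectively; the product of the parties' shares collapses to $g_\beta$ exactly in the cells Algorithms 1 and 2 designate and to $g^0$ elsewhere.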
5.2 Comparison

Table 2 compares our DCF scheme to the existing schemes. The DCF schemes adapted from [10] have respectively an $O(\sqrt[4]{N} \cdot \sqrt{q^{pm}} \cdot \binom{p-1}{m} \cdot (\lambda + \log q))$ key size for the PRG-based one and an $O(\sqrt{N} \cdot \binom{p-1}{m} \cdot \log q)$ key size for the information-theoretic one. Finally, our DDH-based scheme has a key size of $O(\sqrt[3]{N} \cdot \binom{p}{m+1} \cdot \log q)$.

Table 2: Comparison of the multi-party DCF schemes

| Scheme | Majority | Assumption | Key size |
|---|---|---|---|
| [4] | Dishonest | PRG | $O(\sqrt{N} \cdot q^{\frac{p-1}{2}} \cdot (\lambda + \log q))$ |
| [22] | Dishonest | DDH + Trusted decoder | $O(\sqrt{N}\,(2^{-\frac{p-1}{2}} \cdot \lambda + 2^{\frac{p-1}{2}} \cdot \log q))$ |
| Our adaptation of PRG-based [10] | Honest | PRG | $O(\sqrt[4]{N} \cdot \sqrt{q^{pm}} \cdot \binom{p-1}{m} \cdot (\lambda + \log q))$ |
| Our adaptation of Info.-Th. [10] | Honest | None | $O(\sqrt{N} \cdot \binom{p-1}{m} \cdot \log q)$ |
| Our scheme | Honest | DDH | $O(\sqrt[3]{N} \cdot \binom{p-1}{m} \cdot (\lambda + \log q))$ |

We obtain the same conclusions as in multi-party DPF: our scheme provides an intermediary solution between efficient schemes [22,10] with $O(\sqrt{N})$ key size and an impractical PRG-based scheme [10] with $O(\sqrt[4]{N}\, q^p)$ key size.

6 DDH-based secret encodings and their applications

Our schemes (as well as other DDH-based schemes) need to encode/decode the secret value $\beta$ in the cyclic group $\mathbb{G}$. These encoding and decoding steps are essential, as FSS applications usually involve real-valued or integer secrets that must be mapped to $\mathbb{G}$. Existing papers [12,22] have been vague on the exact way to encode and handle secrets in DDH-based schemes. To have a discussion as concrete as possible, this section uses elliptic curves as the cyclic group: $\mathbb{G} = E(\mathbb{F}_q)$. Elliptic curves provide (DDH-hard) cyclic groups with prime orders. They were notably used by [12] as they provide smaller key sizes than other DDH-hard cyclic groups. Contrary to other DPF schemes [4,10], DDH-based schemes use multiplication to decode the secret shares.
However, using elliptic curves, the multiplication in the cyclic group corresponds to an addition of elliptic curve points. Even though elliptic curves provide a form of additive decoding, this decoding does not provide the same properties as linear share decoding in $\mathbb{F}_q$. Thus, this section presents two possible DDH-based secret encodings. For each encoding, we present its properties and use cases.

6.1 Share compressibility

Boyle et al. [4] identified some desirable share properties, in particular compressibility. According to them, a scheme has compressible shares if we can combine the shares “in a meaningful way” without communication between the shareholders. They focused on the aggregation of multiple shares: $[\![f(x_1)]\!] \oplus [\![f(x_2)]\!] = [\![f(x_1) + f(x_2)]\!]$. Many FSS applications (e.g., PIR [17] or private histograms [2]) require a form of compressibility. Works like [4,10] satisfy this property thanks to their additive secret sharing in $\mathbb{F}_q$. However, “DDH-based” encodings can require a non-linear share decoding that does not necessarily guarantee compressibility. The next subsections present two DDH-based secret encodings, discuss their relation to compressibility, and list some applications.

6.2 Point-based secret encoding

An elliptic curve point $P$ is defined using the coordinates $(x, y)$. Using the curve formula, we can recover $y$ for any given $x$. Point encoding consists in finding $P_\beta = (\beta, y_\beta)$, with $y_\beta \ge 0$. The shares are randomly sampled points $P_1, \dots, P_p \in E(\mathbb{F}_q)$ such that $\sum_i P_i = P_\beta$. The share decoding requires summing the $p$ points and then extracting the first coordinate of the sum.

Discussion. However, this encoding prevents a general share compressibility because we cannot sum two encoded secrets. This constraint comes from the properties of the elliptic curve addition.
Consider two secrets $\beta_1, \beta_2 \in \mathbb{F}_q$ and their respective point-based encodings $P_{\beta_1}, P_{\beta_2}$, and let $P^* = P_{\beta_1} + P_{\beta_2} = (x^*, y^*)$. In the general case, we have $x^* \neq \beta_1 + \beta_2$. Nevertheless, there is an exception to this impossible addition: if one of the shared values is 0. By convention, we encode zero values using the point at infinity $\mathcal{O}$. Hence, we have $P_\beta + P_0 = P_\beta + \mathcal{O} = P_\beta$. Thus, point-based encoding provides a limited compressibility: we can sum multiple function shares only if at most one of them is not null.

DPF use case. Anonymous broadcasters enable several parties to broadcast a message without revealing the message origin. These systems often take the form of a public bulletin board in which the writers are anonymous. In recent years, DPFs have become valuable primitives to build efficient anonymous broadcasters like Riposte [12] and Spectrum [25]. Their DPF-based protocols have the following structure: (1) the servers initialize a large shared bulletin board, (2) each sender $i$ picks at random a position $\alpha_i$ in the bulletin board, (3) each sender $i$ uses their message $m_i$ to share a secret point function $f_i$ such that $f_i(x) = m_i$ if $x = \alpha_i$, 0 otherwise, (4) for each shared function $[\![f_i]\!]$, the servers obtain a shared vector $[\![v_i]\!]$ such that $[\![v_i[j]]\!] = [\![f_i(j)]\!]$, (5) they sum all the vectors $v_i$ with the bulletin board, and reveal the final bulletin board. In other words, the DPF is used as an oblivious write operation on a secret-shared bulletin board. If at most one sender picks a given index, the limited compressibility is sufficient. Spectrum and Riposte proposed solutions to avoid two senders choosing the same index.

DCF use case. Many recent works [19,22,26] considered FSS to optimize non-linear operations in privacy-preserving machine learning. For instance, Kumar et al.
[22] used DCF to perform efficient and secure ReLU operations. This last protocol does not require aggregating multiple shared secrets, so compressibility is not necessary, which makes point-based encoding perfectly acceptable.

6.3 Exponent-based secret encoding

This second encoding represents the secret value as an exponent: $P_\beta = \beta \cdot P$, with $P$ a generator of the curve. The shares are randomly sampled points $P_1, \dots, P_p \in E(\mathbb{F}_q)$ such that $\sum_i P_i = P_\beta$; it requires sampling $p$ exponents $(s_1, \dots, s_p)$ such that $\sum_i s_i = \beta$. The share decoding consists in summing $p$ elliptic curve points and then computing the discrete logarithm. While this operation is hard in the general case, it is possible if we assume a bounded $\beta$ (e.g., $\beta < 10^6$). This assumption is realistic in some applications such as private statistics.

Discussion. This encoding provides compressibility because we can sum two encoded secrets: $P_{\beta_1} + P_{\beta_2} = \beta_1 \cdot P + \beta_2 \cdot P = (\beta_1 + \beta_2) \cdot P = P_{\beta_1 + \beta_2}$. However, it has one drawback: the secret must be small, otherwise the decoding is impractical.

DPF use case. Some works [2,24] have used two-party DPFs to build private histograms. In this application, a group of data owners wants to compute the histogram of a certain property (e.g., salary), but each individual wants to keep their value private. DPF schemes provide a straightforward solution: (1) each individual uses their private value $a_i \in \{1 \dots N\}$ to share a secret point function $f_i$ with $f_i(a_i) = 1$, (2) from each shared function $[\![f_i]\!]$, the servers can deduce a shared vector $[\![v_i]\!]$ such that $[\![v_i[j]]\!] = [\![f_i(j)]\!]$, (3) the servers aggregate the shared vectors $[\![v_i]\!]$ and decode the resulting histogram. This private histogram protocol requires share compressibility because each bin of the histogram usually contains the sum of multiple inputs.
Exponent-based encoding is then our only option. The main drawback of exponent-based encoding is that the secret value must be small enough to compute a discrete logarithm, but this assumption is realistic in histogram-making because histogram values are usually bounded.

DCF use case. Barczewski et al. [1] recently proposed using DCF to estimate empirical cumulative distribution functions (ECDF) on sensitive data. These statistics are essential notably to evaluate the performance of ML models or to perform some statistical tests [1]. As ECDFs are related to histograms, they require the same share compressibility properties. Thus, exponent-based encoding is necessary for such applications, assuming the secret is sufficiently small. Like in private histograms, such a bound usually exists in practice.

7 Conclusion

Our work presented a DDH-based approach to build optimized multi-party FSS schemes from existing schemes. In particular, it results in practical schemes with $O(\sqrt[3]{N})$ key sizes instead of $O(\sqrt{N})$. We applied our technique both to DPF (i.e., FSS for point functions) and to DCF (i.e., FSS for comparison functions). Finally, our benchmark highlighted key size reductions up to a factor 10 compared to state-of-the-art schemes on realistic problem sizes.

Acknowledgments. This work was supported by the Netherlands Organization for Scientific Research (De Nederlandse Organisatie voor Wetenschappelijk Onderzoek) under NWO:SHARE project [CS.011].

A Appendix: Proof of Theorem 1

Proof. Correctness: We represent any input $x$ as $(\gamma, \delta)$ and $\alpha$ as $(\gamma^*, \delta^*)$. We need to study the FSS output in three cases: (1) $\gamma \neq \gamma^*$, (2) $\gamma = \gamma^*$ and $\delta \neq \delta^*$, and (3) $\gamma = \gamma^*$ and $\delta = \delta^*$.
If $\gamma \neq \gamma^*$, each party $i$ holds $[\![s_a]\!]_i, [\![s_b]\!]_i$ (obtained using their sub-DPF keys), such that $\sum_i [\![s_a]\!]_i = \sum_i [\![s_b]\!]_i = 0$ (because the sub-DPF is correct by assumption and outputs additive shares). For any $\delta$:

$$\prod_i [\![f(x)]\!]_i = \prod_i \left( h_\delta^{[\![s_a]\!]_i} \cdot g_\delta^{[\![s_b]\!]_i} \right) = h_\delta^{\sum_i [\![s_a]\!]_i} \cdot g_\delta^{\sum_i [\![s_b]\!]_i} = h_\delta^{0} \cdot g_\delta^{0} = g^0$$

$$\Rightarrow \mathrm{Decode}_{DPF}(\mathrm{Eval}_{DPF}(k_1, x), \dots, \mathrm{Eval}_{DPF}(k_p, x)) = \mathrm{Decode}_{DDH}(g^0) = 0$$

If $\gamma = \gamma^*$ and $\delta \neq \delta^*$, each party $i$ holds $[\![s_a]\!]_i, [\![s_b]\!]_i$ such that $\sum_i [\![s_a]\!]_i = r$ and $\sum_i [\![s_b]\!]_i = 1$. The parties obtain:

$$\prod_i [\![f(x)]\!]_i = \prod_i \left( h_\delta^{[\![s_a]\!]_i} \cdot g_\delta^{[\![s_b]\!]_i} \right) = h_\delta^{\sum_i [\![s_a]\!]_i} \cdot g_\delta^{\sum_i [\![s_b]\!]_i} = g_\delta^{-r_{inv} \cdot r} \cdot g_\delta = g_\delta^{-1} \cdot g_\delta = g^0$$

$$\Rightarrow \mathrm{Decode}_{DPF}(\mathrm{Eval}_{DPF}(k_1, x), \dots, \mathrm{Eval}_{DPF}(k_p, x)) = \mathrm{Decode}_{DDH}(g^0) = 0$$

If $\gamma = \gamma^*$ and $\delta = \delta^*$, we also have $\sum_i [\![s_a]\!]_i = r$ and $\sum_i [\![s_b]\!]_i = 1$, but $h_\delta$ is now equal to $(g_\delta^{-r_{inv}} \cdot g_\beta^{r_{inv}})$. It implies:

$$\prod_i [\![f(x)]\!]_i = \prod_i \left( h_\delta^{[\![s_a]\!]_i} \cdot g_\delta^{[\![s_b]\!]_i} \right) = h_\delta^{\sum_i [\![s_a]\!]_i} \cdot g_\delta^{\sum_i [\![s_b]\!]_i} = g_\delta^{-r_{inv} \cdot r} \cdot g_\beta^{r_{inv} \cdot r} \cdot g_\delta = g_\beta$$

$$\Rightarrow \mathrm{Decode}_{DPF}(\mathrm{Eval}_{DPF}(k_1, x), \dots, \mathrm{Eval}_{DPF}(k_p, x)) = \mathrm{Decode}_{DDH}(g_\beta) = \beta$$

Privacy: This proof relies on a construction also used in [12] to prove the security of their DDH-based DPF: Seed-Homomorphic PseudoRandom Generators (SH-PRG). A PRG $G$ is seed-homomorphic if it satisfies the following property: for any seeds $s_1, s_2$, $G(s_1 + s_2) = G(s_1) \oplus G(s_2)$. In particular, Corrigan-Gibbs et al. [12] rely on a DDH-based SH-PRG $G_{DDH}$: given $L$ randomly sampled public parameters $(g_1, \dots, g_L) \in \mathbb{G}^L$, $G_{DDH}(s) = (g_1^s, \dots, g_L^s)$ for any seed $s$.
SH-PRGs naturally inherit all properties of a PRG, notably the fact that the output is computationally indistinguishable from true randomness if the seed is unknown to the adversary. Recall the two assumptions of Theorem 1: (1) DDH is hard, and (2) the sub-DPF scheme is private and correct. To prove privacy (see Definition 3), we must show that (for every set of corrupted parties $S \subseteq \{1 \dots p\}$ of size $m$) there exists an efficient simulator that, for any input function, outputs samples from a distribution that is computationally indistinguishable from the distribution of the DPF keys. Recall that each key $k_i$ contains the following elements: two sub-DPF keys $(k^{(a)}_i, k^{(b)}_i)$ and pairs of “correction points” $(h_1, g_1), \dots, (h_\nu, g_\nu)$. By assumption, the sub-DPF scheme $(\mathrm{Gen}^{(*)}_{DPF}, \mathrm{Eval}^{(*)}_{DPF}, \mathrm{Decode}^{+})$ is secure, so there exists an efficient simulator for the sub-DPF keys $(k^{(a)}_i, k^{(b)}_i)$ (for all $i \in \{1 \dots p\}$). To simulate the correction points, for each $\delta \in \{1 \dots \nu\}$, the simulator samples a random generator $\tilde{g}_\delta \in \mathbb{G}$ and another random element $\tilde{h}_\delta \in \mathbb{G}$. Note that $g_\delta$ is also sampled randomly during the key generation, so the distribution of $g_\delta$ is indistinguishable from the distribution of $\tilde{g}_\delta$. Finally, we have to prove that the adversary cannot distinguish $h_\delta$ from $\tilde{h}_\delta$. To prove this statement, we consider successively two scenarios: (1) the adversary knows $(\delta^*, \beta)$ and (2) the adversary does not know the pair.

Let us first assume that the adversary knows $(\delta^*, \beta)$. Note that we can rewrite the tuple $(h_1, \dots, h_{\delta^*}, \dots, h_\nu)$ as $((g_1^{-1})^{r_{inv}}, \dots, (g_{\delta^*}^{-1} g_\beta)^{r_{inv}}, \dots, (g_\nu^{-1})^{r_{inv}})$. As $g_1, \dots, g_\nu$ and $g_\beta$ are known to the attacker, the values $((g_1^{-1}), \dots, (g_{\delta^*}^{-1} g_\beta), \dots, (g_\nu^{-1}))$ can be interpreted as the public parameters of a DDH-based SH-PRG.
The only condition on the public parameters is that they must be independently sampled generators. This condition is trivially satisfied for all $g_\delta$ with $\delta \neq \delta^*$, and we can observe that $g_{\delta^*}$ is independent of $g_\beta$, so $(g_{\delta^*}^{-1} g_\beta)$ is indistinguishable from random. Let $G^*_{DDH}$ then be a DDH-based SH-PRG with $((g_1^{-1}), \dots, (g_{\delta^*}^{-1} g_\beta), \dots, (g_\nu^{-1}))$ as public parameters. We have:

$$(h_1, \dots, h_\nu) = ((g_1^{-1})^{r_{inv}}, \dots, (g_{\delta^*}^{-1} g_\beta)^{r_{inv}}, \dots, (g_\nu^{-1})^{r_{inv}}) = G^*_{DDH}(r_{inv})$$

In other words, $(h_1, \dots, h_\nu)$ is the output of $G^*_{DDH}$ on the seed $r_{inv}$. The seed $r_{inv}$ is unknown to the adversary, so they cannot distinguish the real $(h_1, \dots, h_\nu)$ from the randomly sampled $(\tilde{h}_1, \dots, \tilde{h}_\nu)$ output by the simulator [12].

Let us now assume that the adversary does not know $(\delta^*, \beta)$. If the adversary were able to distinguish $h_\delta$ from $\tilde{h}_\delta$ without this knowledge, we could trivially build a distinguisher for an adversary knowing $(\delta^*, \beta)$. Since the $h_\delta$ can be formulated as the output of a DDH-based SH-PRG, this hypothetical distinguisher would break the DDH assumption (upon which the SH-PRG is built). By assumption, DDH is hard, so this adversary cannot distinguish the real $h_\delta$ from the simulator output $\tilde{h}_\delta$.

B Appendix: Adapting Bunn et al. [10] to DCF

Bunn et al. [10] presented a generic technique to build more efficient honest-majority DPF schemes from dishonest-majority schemes. They applied their technique to two existing schemes: the trivial DPF (i.e., a secret-shared truth table) and the PRG-based scheme from [4]. While their constructions provide some of the best solutions in DPF (see Table 1), they did not adapt them to comparison functions. This leaves the literature with only weak DCF baselines [4,22]. Thus, we propose to extend their work and build a DCF following the same intuition as their DPF.
Their DPF schemes. To understand our adaptation, it is first important to understand their initial DPF. Their main intuition is to represent a point function $f$ as the product of two point functions $f_a$ and $f_b$ (defined over small domains): $f(x) = f_a(\gamma) \times f_b(\delta)$ (with $(\gamma, \delta)$ the representation of $x$ in a $\sqrt{N} \times \sqrt{N}$ grid). Each function is shared using an existing DPF scheme. However, additive secret shares cannot be multiplied without communication. Instead of using additive secret sharing, Bunn et al. [10] used replicated secret sharing: each party receives multiple DPF keys. Under the honest-majority assumption, the shareholders can perform one offline multiplication on values shared via replicated secret sharing. To sum up, Bunn et al. [10] used replicated secret sharing and the honest-majority assumption to build a technique reducing the key size of existing dishonest-majority schemes from $O(\sqrt[k]{N})$ to $O(\sqrt[2k]{N})$. As reported in Table 1, this technique leads to a PRG-based DPF with $O(\sqrt[4]{N})$ key size and an information-theoretic DPF with $O(\sqrt{N})$ key size.

Our adapted DCF. While point functions are the product of two point functions, we can decompose comparison functions using three sub-functions (defined over smaller domains): one point function $f_a$ and two comparison functions $f_b, f_c$. A comparison function $f$ can be expressed as $f(x) = f_a(\gamma) \times f_b(\delta) + f_c(\gamma)$ with
– $f(x) = \beta$ if $x \le \alpha$, 0 otherwise; with $x \in \{1 \dots N\}$ and $\alpha = \gamma^* \times \lceil \sqrt{N} \rceil + \delta^*$.
– $f_a(\gamma) = \beta$ if $\gamma = \gamma^*$, 0 otherwise; with $\gamma \in \{1 \dots \lceil \sqrt{N} \rceil\}$.
– $f_b(\delta) = 1$ if $\delta \le \delta^*$, 0 otherwise; with $\delta \in \{1 \dots \lceil \sqrt{N} \rceil\}$.
– $f_c(\gamma) = \beta$ if $\gamma < \gamma^*$, 0 otherwise; with $\gamma \in \{1 \dots \lceil \sqrt{N} \rceil\}$.
The multiplication of $f_a$ and $f_b$ represents the row $\gamma^*$, which contains a segment of $\beta$ values and a segment of 0 values. Furthermore, $f_c$ covers all the rows before $\gamma^*$, which are full of $\beta$ values.
Like in [10], we rely on honest majority and replicated secret sharing to perform the multiplication of $f_a$ and $f_b$. Due to space limitations, we cannot include the detailed algorithms. Similarly to [10], we can apply this technique either to the PRG-based schemes of [4] or to the trivial FSS schemes (i.e., sharing a truth table). The PRG-based DCF has $O(\sqrt[4]{N} \cdot \sqrt{q^{p/m}} \cdot \binom{p-1}{m} \cdot (\lambda + \log q))$ key size, while the information-theoretic DCF has $O(\sqrt{N} \cdot \binom{p-1}{m} \cdot \log q)$ key size. Since our adapted DCF only adds a sub-DCF (assumed to be secure) compared to the initial DPF, the security proofs can be easily adapted from [10].

References

1. Barczewski, A., Mawass, A., Ramon, J.: Differentially Private Empirical Cumulative Distribution Functions (Feb 2025). https://doi.org/10.48550/arXiv.2502.06651, arXiv:2502.06651 [cs]
2. Boneh, D., Boyle, E., Corrigan-Gibbs, H., Gilboa, N., Ishai, Y.: Lightweight Techniques for Private Heavy Hitters. In: 2021 IEEE Symposium on Security and Privacy (SP). pp. 762–776 (May 2021). https://doi.org/10.1109/SP40001.2021.00048
3. Boyle, E., Couteau, G., Gilboa, N., Ishai, Y.: Function Secret Sharing and Homomorphic Secret Sharing (2022)
4. Boyle, E., Gilboa, N., Ishai, Y.: Function Secret Sharing. In: Advances in Cryptology – EUROCRYPT 2015. pp. 337–367. Lecture Notes in Computer Science (2015). https://doi.org/10.1007/978-3-662-46803-6_12
5. Boyle, E., Gilboa, N., Ishai, Y.: Function Secret Sharing: Improvements and Extensions. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. pp. 1292–1303 (Oct 2016). https://doi.org/10.1145/2976749.2978429
6. Boyle, E., Gilboa, N., Ishai, Y.: Secure Computation with Preprocessing via Function Secret Sharing. In: Theory of Cryptography. pp. 341–371 (2019). https://doi.org/10.1007/978-3-030-36030-6_14
7.
Boyle, E., Gilboa, N., Ishai, Y., Kolobov, V.I.: Information-Theoretic Distributed Point Functions. In: DROPS-IDN/v2/document/10.4230/LIPIcs.ITC.2022.17 (2022). https://doi.org/10.4230/LIPIcs.ITC.2022.17
8. Boyle, E., Gilboa, N., Ishai, Y., Kolobov, V.I.: Programmable Distributed Point Functions. In: Advances in Cryptology – CRYPTO 2022 (2022)
9. Bunn, P., Katz, J., Kushilevitz, E., Ostrovsky, R.: Efficient 3-Party Distributed ORAM. In: Security and Cryptography for Networks. vol. 12238 (2020). https://doi.org/10.1007/978-3-030-57990-6_11
10. Bunn, P., Kushilevitz, E., Ostrovsky, R.: CNF-FSS and Its Applications. In: Public-Key Cryptography – PKC 2022. vol. 13177, pp. 283–314 (2022). https://doi.org/10.1007/978-3-030-97121-2_11
11. de Castro, L., Polychroniadou, A.: Lightweight, Maliciously Secure Verifiable Function Secret Sharing. In: Advances in Cryptology – EUROCRYPT 2022. pp. 150–179 (2022). https://doi.org/10.1007/978-3-031-06944-4_6
12. Corrigan-Gibbs, H., Boneh, D., Mazières, D.: Riposte: An Anonymous Messaging System Handling Millions of Users. In: 2015 IEEE Symposium on Security and Privacy. pp. 321–338 (May 2015). https://doi.org/10.1109/SP.2015.27
13. Cramer, R., Damgård, I., Ishai, Y.: Share conversion, pseudorandom secret-sharing and applications to secure distributed computing. In: Theory of Cryptography. pp. 342–362 (2005)
14. Damie, M., Hahn, F., Peter, A., Ramon, J.: Eliminating Exponential Key Growth in PRG-Based Distributed Point Functions (Sep 2025). https://doi.org/10.48550/arXiv.2509.22022, arXiv:2509.22022 [cs]
15. Doerner, J., Shelat, A.: Scaling ORAM for Secure Computation. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. pp. 523–535. CCS ’17 (Oct 2017). https://doi.org/10.1145/3133956.3133967
16. Evans, D., Kolesnikov, V., Rosulek, M.: A Pragmatic Introduction to Secure Multi-Party Computation.
Foundations and Trends® in Privacy and Security 2(2-3), 70–246 (Dec 2018). https://doi.org/10.1561/3300000019
17. Gilboa, N., Ishai, Y.: Distributed Point Functions and Their Applications. In: EUROCRYPT 2014. pp. 640–658 (2014). https://doi.org/10.1007/978-3-642-55220-5_35
18. Goel, A., Wang, M., Wang, Z.: Multiparty Distributed Point Functions (2025)
19. Jawalkar, N., Gupta, K., Basu, A., Chandran, N., Gupta, D., Sharma, R.: Orca: FSS-based Secure Training and Inference with GPUs. In: 2024 IEEE Symposium on Security and Privacy (SP) (2024)
20. Krips, T., Pullonen-Raudvere, P.: Multi-Party Distributed Point Functions with Polylogarithmic Key Size from Invariants of Matrices (2025)
21. Kruglik, S., Dau, S.H., Kiah, H.M., Wang, H., Zhang, L.F.: Verifiable Information-Theoretic Function Secret Sharing (2024). Preprint
22. Kumar, C., Patranabis, S., Mukhopadhyay, D.: Compact Key Function Secret Sharing with Non-linear Decoder. IACR Communications in Cryptology 1(2) (Jul 2024). https://doi.org/10.62056/a3c3c3w9p
23. Li, J., Ke, P., Zhang, L.F.: Efficient Information-Theoretic Distributed Point Function with General Output Groups (2023). Report Number: 625
24. Mouris, D., Sarkar, P., Tsoutsos, N.G.: PLASMA: Private, Lightweight Aggregated Statistics against Malicious Adversaries. Proceedings on Privacy Enhancing Technologies (2024)
25. Newman, Z., Servan-Schreiber, S., Devadas, S.: Spectrum: High-bandwidth Anonymous Broadcast. In: 19th USENIX Symposium on Networked Systems Design and Implementation (NSDI 22). pp. 229–248 (Apr 2022)
26. Ryffel, T., Tholoniat, P., Pointcheval, D., Bach, F.: AriaNN: Low-Interaction Privacy-Preserving Deep Learning via Function Secret Sharing. Proceedings on Privacy Enhancing Technologies 1, 291–316 (2022)
27.
Servan-Schreiber, S., Beyzerov, S., Yablon, E., Park, H.: Private Access Control for Function Secret Sharing. In: 2023 IEEE Symposium on Security and Privacy (SP). pp. 809–828 (May 2023). https://doi.org/10.1109/SP46215.2023.10179295
28. Shamir, A.: How to share a secret. Communications of the ACM 22(11), 612–613 (Nov 1979). https://doi.org/10.1145/359168.359176
29. Wagh, S.: Pika: Secure Computation using Function Secret Sharing over Rings. Proceedings on Privacy Enhancing Technologies p. 27 (2022)
30. Zyskind, G., Yanai, A., Pentland, A.S.: High-Throughput Three-Party DPFs with Applications to ORAM and Digital Currencies. In: Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security (2024)
