Efficient Threshold Function Secret Sharing With Information-Theoretic Security

Function secret sharing (FSS) is a cryptographic primitive that is introduced by Boyle <italic>et al.</italic> (Eurocrypt 2015), motivated by application scenarios involving private access to large distributed data while minimising the overhead of communication, for example, private information retrieval. Informally, an <inline-formula> <tex-math notation="LaTeX">$n$ </tex-math></inline-formula>-party FSS scheme splits a function <inline-formula> <tex-math notation="LaTeX">$f$ </tex-math></inline-formula> into <inline-formula> <tex-math notation="LaTeX">$n$ </tex-math></inline-formula> functions <inline-formula> <tex-math notation="LaTeX">$f_{1},\ldots,f_{n}$ </tex-math></inline-formula> such that <inline-formula> <tex-math notation="LaTeX">$f=f_{1}+\cdots +f_{n}$ </tex-math></inline-formula> and every strict subset of the function shares hide <inline-formula> <tex-math notation="LaTeX">$f$ </tex-math></inline-formula>. Most of the known FSS constructions only have computational hiding, namely, the hiding property holds only against a computationally bounded adversary. We consider information-theoretic hiding in this work while allowing <inline-formula> <tex-math notation="LaTeX">$f$ </tex-math></inline-formula> to be recovered from <inline-formula> <tex-math notation="LaTeX">$t$ </tex-math></inline-formula> function shares and correspondingly, any <inline-formula> <tex-math notation="LaTeX">$(t-1)$ </tex-math></inline-formula> function shares unconditionally hide <inline-formula> <tex-math notation="LaTeX">$f$ </tex-math></inline-formula>. Call it <inline-formula> <tex-math notation="LaTeX">$(t,n)$ </tex-math></inline-formula>-threshold function secret sharing (<inline-formula> <tex-math notation="LaTeX">$(t,n)$ </tex-math></inline-formula>-TFSS for short). Using information-theoretic tools and through a series of optimizations, we show that our <inline-formula> <tex-math notation="LaTeX">$(t,n)$ </tex-math></inline-formula>-TFSS have better performance than FSS in terms of communication complexity, a criterion that measures the efficiency of such protocols. Specifically, a <inline-formula> <tex-math notation="LaTeX">$(t,n)$ </tex-math></inline-formula>-TFSS scheme with communication complexity <inline-formula> <tex-math notation="LaTeX">$O(l)$ </tex-math></inline-formula> is designed in this paper and it is better than the existing FSS schemes with lowest communication complexity <inline-formula> <tex-math notation="LaTeX">$O(\lambda l)$ </tex-math></inline-formula>, where <inline-formula> <tex-math notation="LaTeX">$\lambda $ </tex-math></inline-formula> is the length of pseudo-random generator’s seeds. In addition, the <inline-formula> <tex-math notation="LaTeX">$(t,n)$ </tex-math></inline-formula>-TFSS have an extra robustness property in the sense that even if up to <inline-formula> <tex-math notation="LaTeX">$(n-t)$ </tex-math></inline-formula> function shares are not available, the protocol still computes the function value at a given point correctly.


I. INTRODUCTION
Function secret sharing (FSS) is a cryptographic primitive that is recently introduced by Boyle et al. [1] motivated by application scenarios involving private access to large distributed data while minimising the overhead of communication, for example, private information retrieval (PIR) [2]- [4], private information storage [5]. An n-party FSS, at least those explicitly constructed in [1], [6], [7], is simply described as follows. A function f : {0, 1} * → G, with arbitrary input length and range G, which is generally assumed to be a group, is divided into n function shares f i : {0, 1} * → G for i = 1, . . . , n, which are sent to each participant independently and privately over some communication channels.
The associate editor coordinating the review of this manuscript and approving it for publication was Junggab Son .
Each participant computes f i (x) with an input x which is given to all participants and they work together to reconstruct the function value of f at x as f (x) = f 1 (x) + · · · + f n (x), where ''+'' is the group operation in G. The security means any strict subset of function shares hide f . FSS was proposed as a natural generalization of the distributed point function (DPF) introduced by Gilboa and Ishai [6]. For α, β ∈ {0, 1} * of arbitrary (possibly different) length, the point function f α,β is defined by f α,β (α) = β and f α,β (x) = 0 for all x = α, where 0 denotes the zero vector. A DPF can be seen as an example of FSS with n = 2 and the function f to be shared is a point function.
The study of DPF led to the construction of the first 2-server computational PIR protocol in which the length of each query is polylogarithmic about the database size and the answers consist of a single bit each. In particular, the authors constructed a DPF based on the pseudo-random generator (PRG) [8], [9]. First, they gave a naive solution of DPF for a function f α,β : {0, 1} l → {0, 1} that shares 2 l bits corresponding to all function values of f through a 2-party additive secret sharing. The length of each share is 2 l in this naive solution. They reduced the length of each share by using PRG to compress the length of function shares: the true random sequence is replaced by a pseudo-random sequence generated by the PRG. They then reduced the length of each share from O(2 l ) to O(λl log 3 ), where λ is the length of PRG seeds through l compressions. The security is computational due to the application of PRG.
The study of FSS then used the communication complexity as a design criterion. The communication complexity of an FSS scheme refers to the total amount of information that needs to be transmitted to complete this FSS scheme. This criterion captures the performance of FSS with respect to its applications to PIR and related scenarios such as homomorphic secret sharing [10]- [13] and fully homomorphic encryption [14], [15]. Most known constructions continued the pursuit of minimising the communication complexity within the computational security setting. In particular, DPF with the communication complexity 4l(λ+1) was constructed in [1]. In addition, they also proposed the first n-party (n ≥ 3) FSS for point functions with the communication complexity O(λ2 (l+n−1)/2 ). In [7], further simplified constructions of DPF through a tensor operation was proposed which reduces the communication complexity from 4l(λ + 1) to l(λ + 2).
An important conceptual contribution of [1] is that it defines a general FSS as a stand-alone primitive (not only as a way to build efficient computational PIR's for example). In the general definition, a function f is split into n function shares f 1 , . . . , f n and the recovery of f (x) from . More generally and still allows the function secret sharing to be useful for various applications. The''splinter system'' [16], constructed based on FSS schemes, supports a wide variety of private search queries. The preprocessing of secure computation using FSS is presented in [17] to improve the efficiency of secure computing.

A. OUR CONTRIBUTIONS
We study FSS with information-theoretic security in this work to complement its computational security analogues [1], [6], [7]. As observed in [1], [6] through a connection between FSS and PIR, insisting on information-theoretic security and recovery through f (x) = n i=1 f i (x) will render the FSS inefficient. In fact, this is the reason that they focused on computational security. We taking a complementary approach, we insist on information-theoretic security and do not recov- We consider a recovery threshold t and a privacy threshold (t − 1). We note here that reconstructing from t players gives the robustness guarantee such that when up to (n − t) communication channels fail and the corresponding function shares are not available, the scheme still function correctly. The security of our scheme requires that any (t − 1) participants do not obtain any information about the shared function.
We formally define the (t, n)-Threshold function secret sharing (or (t, n)-TFSS for short). We define (t, n)-TFSS as an information-theoretic object using the game-based definition of security. It includes a challenger C, an adversary A and a challenge index b. A scheme is information-theoretically secure if for any computationally unbounded adversary A the advantage of A guessing b correctly in the indistinguishability challenge experiment about this protocol is ''0''.
Subsequently, we propose three explicit constructions of (t, n)-TFSS for the point function f α,β : {0, 1} l → F q where F q is a finite field of q elements for some constant q. We start with an initial scheme, where the 2 l function values of f corresponding to all inputs in {0, 1} l are arranged into a vector over F q of length 2 l . This design approach is consistent with the naive solution of [6], however we share each component of the vector using (t, n)-Shamir's scheme [18]. The length of each share in the initial scheme is O(2 l ). The design of the recovery of f α,β (x) then makes use of the rich structures of polynomial based scheme to pin-point the information f i (x), for i = 1, . . . , n, x ∈ {0, 1} l needed for reconstructing f α,β (x) (and only communicating these information) without downloading all information of the F q vector of length 2 l . The communication complexity of the initial scheme is O(2 l ).
In our first improved scheme, the vector of length 2 l is converted to the tensor products of two vectors of length O( √ 2 l ). We then use (t, n)-Shamir's scheme to share each component of these two vectors over F q and the length of each share is O( √ 2 l ). In this way, we reduce the communication complexity of the initial scheme from O(2 l ) to O( √ 2 l ). Furthermore, the vector of length 2 l is converted to the tensor products of l vectors of length 2, in our second improved scheme. We also use (t, n)-Shamir's scheme to share each component of these l vectors over F q .
Finally, we reduce the communication complexity of the initial scheme from O(2 l ) to O(l) and it is optimal. Our constructions are based on the polynomial over the finite field and without any additional assumption (e.g., the exist of PRG). We compare the existing FSS schemes with our three constructions and list them in TABLE 1. We note that Yuan et al. [19] proposed a construction of FSS that can be verified to give (t, n)-TFSS for t ≥ l + 1. Its communication complexity is O(l), same as our second improved scheme which supports any threshold t. However, there was no formal proof in their paper.

B. PAPER ORGANIZATION
The rest of the paper is organized as follows. In Section II, we give some related concepts and definitions. In Section III, we define the information-theoretic function secret sharing and give the security definition under the game-based security model. In Section IV, we design an initial scheme based on Shamir's scheme. In Section V, we use tensor products to reduce the communication complexity of the initial scheme and design two improved schemes. Finally, we conclude the paper in Section VI.

II. PRELIMINARIES
In this section, we introduce the definitions of point function, tensor products and Shamir scheme. We list some of the symbols used in this paper in TABLE 2.

Definition 1 (Point Functions):
Let {0, 1} l be the domain and F q is the range, for any α ∈ {0, 1} l , β ∈ F q , the point function f α,β : {0, 1} l → F q is defined as follows: for any Definition 2 (Tensor Products): Definition 3 ((t, n)-Shamir's Scheme): Let F q be the finite field with q elements, where q is a large prime and q > n, that contains the domain of possible secrets. Let λ 1 , . . . , λ n be distinct nonzero elements in F q that are fixed and publicly known. There is a trusted dealer and n participants {P i } i∈ [n] . The following scheme is a so-called (t, n)-threshold secret sharing scheme, which means any t shares reconstruct the secret while any ≤ t − 1 shares contain no information about the secret.
• Share generation: Given a secret s ∈ F q , the dealer chooses uniformly a 1 , . . . , a t−1 ∈ F q and defines the polynomial P(X ) = s + t−1 i=1 a i X i . This is a random polynomial of degree at most t − 1 with constant term fixed to s. The share of the participant P i , for i = 1, . . . , n, is Each share s i is distributed to the corresponding participant P i independently and privately through a secure channel.
• Secret reconstruction: Any t participants P i r , for r = 1, . . . , t, from the participants set {P i } i∈ [n] , work together to recover the secret s by the polynomial interpolation as follows.
are the interpolation coefficients.

III. INFORMATION-THEORETIC (t , n)-TFSS
In this section, we formally define the information-theoretic (t, n)-TFSS we consider in this work and point out the difference between our definition and the definition of the computational FSS considered in [1], [6], [7]. Then we give the definition of the communication complexity of the TFSS scheme.
Definition 4 (t, n)-Threshold Function Secret Sharing ((t, n)-TFSS): Let F q (q > n) be a finite field. Let n be the number of participants. Let t (t < n) be the reconstruction threshold and the privacy threshold is t − 1. Let f : D f → R f be a function that is efficiently computable and can be succinctly described. A (t, n)-function secret sharing is a triple of probabilistic polynomial time algorithms (Gen, Eval, Dec) with the following syntax.
-Gen(1 λ , f ): This is the share generation algorithm run by the dealer. It takes the security parameter 1 λ and function description f as inputs, and outputs n shares : This is the evaluation algorithm run by each participants P i , for i = 1, . . . , n. It takes the share k i , an evaluation point x ∈ D f as inputs and outputs a value y i , corresponding to the participant's share of f (x). -Dec((i 1 , y i 1 ), . . . , (i t , y i t )): This is the output decoder.
When it receives any t values y i 1 , . . . , y i t , it outputs a value f (x).

VOLUME 8, 2020
The triple (Gen, Eval, Dec) should satisfy the following requirements.
-Correctness. For each function f : It means that the function value f (x) can be computed correctly if the above three algorithms run normally.
• (t − 1)-Security. We consider the following indistinguishability experiment for a set T ⊆ {P 1 , . . . , P n } of corrupted participants, where |T | = t − 1: -Any computationally unbounded adversary A inputs security parameter 1 λ outputting 2 be the advantage of A guessing b correctly in the above indistinguishability experiment. We say a (t, n)-TFSS scheme is informationtheoretically t − 1-secure if for any corrupted participants set T of cardinality t − 1 and any computationally unbounded Remark 1 (Information-Theoretic FSS): This indistinguishability challenge experiment is consistent with [1], [20], where we only focus on the security of information-theoretic, that is, without any computational assumptions. The previous FSS schemes in [1], [6], [7] is secure under the assumption of the existence of PRG and they are computationally secure. In definition 3 the security requires it can resist any computationally unbounded adversaries instead of non-uniform probability polynomial time adversaries and we restrict the value Adv(1 λ , A, T ) = 0.
Remark 2 (Robust Decoding): Obviously, definition 3 allows the algorithm Dec successful decoding the function value at an evaluation point even if at most n−t inputs cannot given in time. This is more flexible than the previous FSS in which Dec requires all n inputs are given to decode the function value.

Definition 5 (Communication Complexity):
The communication complexity of a (t, n)-TFSS scheme will be denoted as = + , where = n i=1 |k i | and = t h=1 |y i h |.

IV. AN INITIAL SCHEME TFSS 1 (GEN, EVAL, DEC)
From this section, we start construct a concrete (t, n)-TFSS schemes for point functions based on (t, n)-Shamir's scheme over the finite field F q . We start with an initial scheme TFSS 1 (Gen, Eval, Dec). In a nutshell, we arranged the truth table (containing N = 2 l field elements of F q ) of a point function f α,β : {0, 1} l → F q in to a vector of length N . This approach is consistent with the naive solution designed in [6], however we use N (t, n)-Shamir's schemes to share the vector. The function share for the participant P i is obtained by packing the i-th shares of the N (t, n)-Shamir's schemes. After determining a particular evaluation point α ∈ {0, 1} l , each participant outputs the component of his/her function share that is corresponding to α , which is a share of the (t, n)-Shamir's scheme that shares the secret f α,β (α ). The correctness and t − 1-security then follow naturally from the (t, n)-Shamir's scheme.
More concretely, in the algorithm of Gen, the dealer D chooses N = 2 l random polynomials over F q with degree at most (t − 1), labeled by elements in {0, 1} l . Let the constant term of the α-th polynomial be f α,β (α ), for all α ∈ {0, 1} l . The dealer D generates n function shares of f α,β through the N polynomials evaluating at n publicly known distinct nonzero elements λ 1 , . . . , λ n ∈ F q . In the algorithm of Eval, the participant P i , upon receiving α ∈ {0, 1} l , outputs the evaluation of the α th polynomial at the point λ i ∈ F q . After the algorithm Dec receives any t evaluations of the α th polynomial at distinct points, it recovers the constant of the α th polynomial using polynomial interpolation, which is f α,β (α ) by construction. The initial scheme TFSS 1 (Gen, Eval, Dec) is detailed in FIGURE 1.
We now show that the initial scheme TFSS 1 (Gen, Eval, Dec) satisfies the following requirements: correctness, (t − 1)-security as defined in Section III. THEOREM 1: Let F q be a finite field and 1 λ be the security parameter. The initial scheme TFSS 1 (Gen, Eval, Dec) is a  Eval(i 1 , k i 1 , α ) we only need to verify the following equation.
• The adversary A takes the security parameter 1 λ as the input and outputs two point functions ( • The adversary A exploits {k i } i∈T , offered by corrupted participants in the set T , outputting a guess b ← A({k i } i∈T ). The (t − 1) shares sent to A satisfy the following equation system: We note that A is a random matrix of size (t − 1) × N and is a nonsingular matrix of order (t − 1). As a result,  N , i = 1, . . . , n has s  |s j,i | = log q. Therefore, = n|k i | log q = n2 l log q, = t log q, hence = + = n2 l log q + t log q = O(2 l ). Therefore, the communication complexity of TFSS 1 is O(2 l ).

B. EXAMPLE
We give a simple example of the scheme TFSS 1 for validation, as shown in FIGURE 2.

V. IMPROVED SCHEMES
In this section, we first reduced the communication complexity of TFSS 1 (Gen, Eval, Dec) from O(2 l ) to O( √ 2 l ) in the improved scheme I TFSS 2 (Gen, Eval, Dec). In a nutshell, we split the truth table of the point function f α,β : {0, 1} l → F q , which can be seen as a vector of length 2 l , into a tensor products of two vectors U , V and let . We share U , V , using U + V (t, n)-Shamir's schemes. The function share for the participant P i is obtained by packing the i-th shares of the U + V (t, n)-Shamir's schemes. After determining a particular evaluation point α = (α 1 , α 2 ), where α ∈ [N ], α 1 ∈ [U ], α 2 ∈ [V ], each participant outputs two components of his/her function share that is corresponding to α 1 , α 2 and using them to calculate the secret f α,β (α ). The correctness and VOLUME 8, 2020 (t − 1)-security then follow naturally from the (t, n)-Shamir's scheme. Subsequently, we reduced the communication complexity of TFSS 1 (Gen, Eval, Dec) from O(2 l ) to O(l) in the improved scheme II TFSS 3 (Gen, Eval, Dec). We split the truth table of f α,β : {0, 1} l → F q to a tensor products of l vectors V 1 , . . . , V l of length 2. We share V 1 , . . . , V l , using 2l (t, n)-Shamir's schemes. The function share for the participant P i is obtained by packing the i-th shares of the 2l (t, n)-Shamir's schemes. Upon determining a particular evaluation point α = (α 1 , . . . , α l ), where α ∈ [N ], α w ∈ [2] = {0, 1}, w = 1, . . . , l, each participant outputs l components of his/her function share that is corresponding to α w and using them to calculate the secret f α,β (α ). The correctness and (t − 1)-security also follow naturally from the (t, n)-Shamir's scheme.
A. IMPROVED SCHEME I:TFSS 2 (GEN, EVAL, DEC) In this section, we construct the improved scheme I TFSS 2 (Gen, Eval, Dec) for the point function f α,β : In Gen, let α = (α 1 , α 2 ), for α 1 ∈ [U ], α 2 ∈ [V ] and β = β 1 · β 2 , for β 1 , β 2 ∈ F q . The dealer D chooses two group random polynomials with degree (t − 1) over F q . The number of first group random polynomials is U and the number of the second group random polynomials is V .
In the first group random polynomials, the constant terms of α 1 -th polynomial is β 1 and the constant term of the rest polynomials are 0. In the second group random polynomials, the constant terms of α 2 -th polynomial is β 2 and the constant term of the rest polynomials are 0. Then D shares the vectors U , V using these two group random polynomials and generates n shares of f α,β through the two group random polynomials evaluating at n publicly known distinct no-zero element λ 1 , . . . , λ n ∈ F q . In the algorithm Eval, the participant P i , upon determining α = (α 1 , α 2 ), for α ∈ [N ] output the evaluation of α 1 -th in the first group and α 2 -th random polynomial in the second group at point λ i . After the algorithm Dec receives any t evaluation of the α 1 -th and α 2 -th random polynomial at distinct point. It recovers the constant terms of α 1 -th and α 2 -th random polynomial respectively utilizing polynomial interpolation, and then computing their product. The improved scheme I TFSS 2 (Gen, Eval, Dec) is detailed in FIGURE 3.
THEOREM 2: Let F q be a finite field and 1 λ be the security parameter. The initial scheme TFSS 2 (Gen, Eval, Dec) is a (t, n)-TFSS for point functions f α,β : {0, 1} l → F q . The communication complexity of TFSS 1 is O( √ 2 l ). The idea of the proof of Theorem 2 is very similar to the proof of Theorem 1. We present them in Appendix 1.

2) EXAMPLE
We give a simple example of the scheme TFSS 2 as a validation in FIGURE 4.
In the w-th set of polynomials, the constant term of (1 + α w )-th polynomial is β w and 0 is the constant term of another polynomial. Similarly, D uses these l group random polynomials to share the vectors V 1 , . . . , V l , and then D generates n shares of f α,β through evaluating at n publicly known distinct no-zero element λ 1 , . . . , λ n of the l group random polynomials. In the algorithm Eval, after determining α = (α 1 , . . . , α l ), for α ∈ {0, 1} l , α w ∈ {0, 1}, w = 1, . . . , l the participant P i outputs the evaluation of (1+α w )-th polynomial in w-th group at point λ i . After the algorithm Dec receives any t evaluation of the (1 + α w )-th random polynomial at distinct point. It recovers the constant terms of (1 + α w )-th polynomial respectively by applying the polynomial interpolation, and then computing their product. The improved scheme II TFSS 3 (Gen, Eval, Dec) is detailed in FIGURE 5.
THEOREM 3: Let F q be a finite field and 1 λ be the security parameter. The improved scheme TFSS 3 (Gen, Eval, Dec) is a (t, n)-TFSS for the point function f α,β : {0, 1} l → F q . The communication complexity of TFSS 3

is O(l).
The idea of the proof of Theorem 3 is also similar to the proof of Theorem 1. We present them in Appendix 2.

2) EXAMPLE
We give a simple example of the scheme TFSS 3 as a validation in FIGURE 6. VOLUME 8, 2020

VI. CONCLUSION
In this work we consider a FSS scheme with threshold allowing the secret function f to be recovered from t function shares and correspondingly, any (t−1) function shares unconditionally hide f . Call it (t, n)-threshold function secret sharing ((t, n)-TFSS). After given the definition of (t, n)-TFSS, we then design three schemes and proved they are (t, n)-TFSS schemes with information-theoretic security according to the definition of (t, n)-TFSS. We construct an initial scheme based on (t, n)-Shamir's scheme with communication complexity O(2 l ). Subsequently, we use the tensor operation to improve the communication complexity of the initial scheme and construct two improved schemes. After analysis, we note the communication complexity of our second improved scheme TFSS 3 is O(l). It is slight better than the optimal two-party computational FSS designed in [7] with communication complexity O(λl), where λ is the length of the pseudo-random generator's seeds. Furthermore, due to the nature of the threshold, our schemes have additional robustness property, that is, the function value at the given point can still be reconstructed when (n − t) participants are offline. Based on the work of this article, we will consider the following work in the future. 1) Attempt to construct a verifiable TFSS schemes based on the TFSS schemes constructed in this paper. 2) Attempt to transplant the method of constructing TFSS in this paper to homomorphic secret sharing to construct a threshold homomorphic secret sharing scheme with information-theoretic security.
we only need to verify the following equation.
• The adversary A exploits {k i } i∈T , offered by corrupted participants in the set T , outputting a guess b ← A({k i } i∈T ). The (t − 1) shares {k i } i∈T sent to A satisfy the following two equation systems (9), as shown at the top of the next page: We note that A U is a random matrix of size (t − 1) × U and A V is a random matrix of size (t − 1) × V . Here is a nonsingular matrix of order (t − 1). As a result,   Eval(i 1 , k i 1 , α )), . . . , (i t , Eval(i t , k i t , α ))) = f α,β (α )] = 1.
we only need to verify the following equation.
• The adversary A exploits {k i } i∈T , offered by corrupted participants in the set T , outputting a guess b ← A({k i } i∈T ).
The (t − 1) shares sent to A satisfy the following equation system (12), as shown at the top of this page: We note that A 1 , . . . , A l are random matrix of size (t − 1) × 2 and is a nonsingular matrix of order (t − 1). As a result, K 1 , . . . , K l ∈ F t−1 q is a random vector. It contains no information about A 0 1 , . . . , A 0 l and hence no information about b. Therefore, Pr[b = b] = 1/2.