Motivated by the goal of securely searching and updating distributed data, we introduce and study the notion of function secret sharing (FSS). This new notion is a natural generalization of distributed point functions (DPF), a primitive that was recently introduced by Gilboa and Ishai (Eurocrypt 2014). Given a positive integer p ≥ 2 and a class F of functions f : {0, 1}^n → G, where G is an Abelian group, a p-party FSS scheme for F allows one to split each f ∈ F into p succinctly described functions f_i : {0, 1}^n → G, 1 ≤ i ≤ p, such that: (1) Σ_{i=1}^{p} f_i = f, and (2) any strict subset of the f_i hides f. Thus, an FSS for F can be thought of as a method for succinctly performing an "additive secret sharing" of functions from F. The original definition of DPF coincides with a two-party FSS for the class of point functions, namely the class of functions that have a nonzero output on at most one input.

We present two types of results. First, we obtain efficiency improvements and extensions of the original DPF construction. Then, we initiate a systematic study of general FSS, providing some constructions and establishing relations with other cryptographic primitives. More concretely, we obtain the following main results:

- Improved DPF. We present an improved (two-party) DPF construction from a pseudorandom generator (PRG), reducing the length of the key describing each f_i from O(λ · n^{log₂ 3}) to O(λn), where λ is the PRG seed length.
- Multi-party DPF. We present the first nontrivial construction of a p-party DPF for p ≥ 3, obtaining a near-quadratic improvement over a naive construction that additively shares the truth-table of f. This construction too can be based on any PRG.
- FSS for simple functions. We present efficient PRG-based FSS constructions for natural function classes that extend point functions, including interval functions and partial matching functions.
- A study of general FSS. We show several relations between general FSS and other cryptographic primitives. These include a construction of general FSS via obfuscation, an indication for the
Private information retrieval (PIR) schemes enable a user to access k replicated copies of a database (k ≥ 2), and privately retrieve one of the n bits of data stored in the databases. This means that the queries give each individual database no partial information (in the information theoretic sense) on the identity of the item retrieved by the user. Today, the best two database scheme (k = 2) has communication complexity O(n^{1/3}), while for any constant number, k, the best k database scheme has communication complexity O(n^{1/(2k-1)}). The motivation for the present work is the question whether this complexity can be reduced if one is willing to achieve computational privacy, rather than information theoretic privacy. (This means that privacy is guaranteed only with respect to databases that are restricted to polynomial time computations.) We answer this question affirmatively, and
Abstract. For x, y ∈ {0, 1}^*, the point function P_{x,y} is defined by P_{x,y}(x) = y and P_{x,y}(x') = 0^{|y|} for all x' ≠ x. We introduce the notion of a distributed point function (DPF), which is a keyed function family F_k with the following property. Given x, y specifying a point function, one can efficiently generate a key pair (k_0, k_1) such that: (1) F_{k_0} ⊕ F_{k_1} = P_{x,y}, and (2) each of k_0 and k_1 hides x and y. Our main result is an efficient construction of a DPF under the (minimal) assumption that a one-way function exists.

Distributed point functions have applications to private information retrieval (PIR) and related problems, as well as to worst-case to average-case reductions. Concretely, assuming the existence of a strong one-way function, we obtain the following applications.

- Polylogarithmic 2-server binary PIR. We present the first 2-server computational PIR protocol in which the length of each query is polylogarithmic in the database size n and the answers consist of a single bit each. This improves over the 2^{O(√log n)} query length of the protocol of Chor and Gilboa (STOC '97). Similarly, we get a polylogarithmic "PIR writing" scheme, allowing secure non-interactive updates of a database shared between two servers. Assuming just a standard one-way function, we get the first 2-server private keyword search protocol in which the query length is polynomial in the keyword size, the answers consist of a single bit, and there is no error probability. In all these protocols, the computational cost on the server side is comparable to applying a symmetric encryption scheme to the entire database.
- Worst-case to average-case reductions. We present the first worst-case to average-case reductions for PSPACE and EXPTIME complete languages that require only a constant number of oracle queries. These reductions complement a recent negative result of Watson (TOTC '12).
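The two properties in the DPF definition above, and the 2-server PIR application built on them, are easiest to see in running code. The block below is an added example written for this page, not code from either of the papers summarised here: it is a two-party DPF in the tree-based, correction-word style of the PRG-based constructions these abstracts describe (the key layout follows the later refinement of the same construction by the same authors, reproduced from memory, so treat the exact formulas as an assumption rather than as this page's content). SHA-256 stands in for the PRG, the output group is G = Z_{2^32} written additively (the ⊕ in the definition is the special case G = Z_2^{|y|}), and all function names (dpf_gen, dpf_eval, reconstruct, pir_answer, pir_retrieve) are chosen here. Each key is one λ-bit seed plus n correction words of λ+2 bits plus one group element, i.e. O(λn) bits, the size the first bullet of the FSS abstract states.

```python
import hashlib
import secrets

SEED_LEN = 16          # lambda = 128-bit seeds
MOD = 2 ** 32          # output group G = Z_{2^32}, written additively


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(u ^ v for u, v in zip(a, b))


def prg(seed: bytes):
    """Length-doubling PRG G(s) -> (s_L, t_L, s_R, t_R).

    SHA-256 is a stand-in for an AES-based PRG (assumption for this example);
    the construction only needs the two children of a fresh seed to look random.
    """
    left = hashlib.sha256(b"L" + seed).digest()
    right = hashlib.sha256(b"R" + seed).digest()
    return left[:SEED_LEN], left[SEED_LEN] & 1, right[:SEED_LEN], right[SEED_LEN] & 1


def convert(seed: bytes) -> int:
    """Map a seed to a pseudorandom element of G."""
    return int.from_bytes(seed[:4], "big") % MOD


def dpf_gen(n, alpha, beta):
    """Return keys (k0, k1) for the point function P_{alpha,beta} on {0,1}^n."""
    root0, root1 = secrets.token_bytes(SEED_LEN), secrets.token_bytes(SEED_LEN)
    s0, s1, t0, t1 = root0, root1, 0, 1      # control bits differ on alpha's path
    cws = []
    for i in range(n):
        a_i = (alpha >> (n - 1 - i)) & 1
        sL0, tL0, sR0, tR0 = prg(s0)
        sL1, tL1, sR1, tR1 = prg(s1)
        # On alpha's path the two parties' seeds differ. The correction word makes
        # the child OFF the path identical in both keys (so shares cancel there)
        # while the child ON the path stays different and keeps t0 xor t1 = 1.
        if a_i == 0:   # keep left child, lose right child
            keep0, keep1, tk0, tk1, lose0, lose1 = sL0, sL1, tL0, tL1, sR0, sR1
        else:          # keep right child, lose left child
            keep0, keep1, tk0, tk1, lose0, lose1 = sR0, sR1, tR0, tR1, sL0, sL1
        s_cw = xor(lose0, lose1)
        t_cw_L = tL0 ^ tL1 ^ a_i ^ 1
        t_cw_R = tR0 ^ tR1 ^ a_i
        cws.append((s_cw, t_cw_L, t_cw_R))
        t_cw_keep = t_cw_R if a_i else t_cw_L
        s0 = xor(keep0, s_cw) if t0 else keep0
        s1 = xor(keep1, s_cw) if t1 else keep1
        t0, t1 = tk0 ^ (t0 & t_cw_keep), tk1 ^ (t1 & t_cw_keep)
    # Final correction word fixes the reconstructed output at alpha to beta.
    cw_last = (beta - convert(s0) + convert(s1)) % MOD
    if t1:
        cw_last = (-cw_last) % MOD
    return (n, root0, cws, cw_last), (n, root1, cws, cw_last)


def dpf_eval(b, key, x):
    """Party b's share f_b(x); f_0(x) + f_1(x) = P_{alpha,beta}(x) in G."""
    n, s, cws, cw_last = key
    t = b
    for i in range(n):
        sL, tL, sR, tR = prg(s)
        s_cw, t_cw_L, t_cw_R = cws[i]
        if t:  # apply the correction word only when the control bit is set
            sL, sR, tL, tR = xor(sL, s_cw), xor(sR, s_cw), tL ^ t_cw_L, tR ^ t_cw_R
        s, t = (sR, tR) if (x >> (n - 1 - i)) & 1 else (sL, tL)
    y = (convert(s) + t * cw_last) % MOD
    return (-y) % MOD if b else y          # party 1 negates so shares add to P


def reconstruct(k0, k1, x):
    """Property (1): the two shares sum to the point function."""
    return (dpf_eval(0, k0, x) + dpf_eval(1, k1, x)) % MOD


def pir_answer(b, key, db):
    """2-server PIR, server side: return <db, f_b> over G. The server sees only
    its own key, which by property (2) hides the queried index."""
    return sum(db[j] * dpf_eval(b, key, j) for j in range(len(db))) % MOD


def pir_retrieve(db, index, n):
    """2-server PIR, client side: split P_{index,1} into two keys, send one to
    each non-colluding server, add the answers to recover db[index]."""
    k0, k1 = dpf_gen(n, index, 1)
    return (pir_answer(0, k0, db) + pir_answer(1, k1, db)) % MOD


if __name__ == "__main__":
    # Constructed sample database of 64 entries (2^6), not data from the papers.
    db = [(7 * j + 3) % 251 for j in range(64)]
    print(pir_retrieve(db, 19, 6) == db[19])   # True
```

Each server's work is one DPF evaluation per database entry, i.e. a handful of hash (in practice AES) calls per entry, which is the "comparable to applying a symmetric encryption scheme to the entire database" cost the abstract mentions. Note that pir_answer multiplies database entries in Z_{2^32}, so entries must already be encoded as group elements; for the single-bit answers of the abstract one would take G = Z_2 and reduce each inner product modulo 2.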
We present a protocol for two parties to generate an RSA key in a distributed manner. At the end of the protocol the public key, a modulus N = PQ and an encryption exponent e, is known to both parties. Individually, neither party obtains information about the decryption key d or the prime factors of N, P and Q. However, d is shared among the parties so that threshold decryption is possible.