Skip to main content

Succinct Homomorphic Secret Sharing

  • Conference paper
  • First Online:
Advances in Cryptology – EUROCRYPT 2024 (EUROCRYPT 2024)

Abstract

This work introduces homomorphic secret sharing (HSS) with succinct share size. In HSS, private inputs are shared between parties, who can then homomorphically evaluate a function on their shares, obtaining a share of the function output. In succinct HSS, a portion of the inputs can be distributed using shares whose size is sublinear in the number of such inputs. The parties can then locally evaluate a function f on the shares, with the restriction that f must be linear in the succinctly shared inputs.

We construct succinct, two-party HSS for branching programs, based on either the decisional composite residuosity assumption, a DDH-like assumption in class groups, or learning with errors with a superpolynomial modulus-to-noise ratio. We then give several applications of succinct HSS, which were only previously known using fully homomorphic encryption, or stronger tools:

  • Succinct vector oblivious linear evaluation (VOLE): Two parties can obtain secret shares of a long, arbitrary vector \(\boldsymbol{x}\), multiplied by a scalar \(\varDelta \), with communication sublinear in the size of the vector.

  • Batch, multi-party distributed point functions: A protocol for distributing a batch of secret, random point functions among N parties, for any polynomial N, with communication sublinear in the number of DPFs.

  • Sublinear MPC for any number of parties: Two new constructions of MPC with sublinear communication complexity, with N parties for any polynomial N: (1) For general layered Boolean circuits of size s, with communication \(O(N s/\log \log s)\), and (2) For layered, sufficiently wide Boolean circuits, with communication \(O(N s/\log s)\).

Supported by the Aarhus University Research Foundation (AUFF), the Independent Research Fund Denmark (DFF) (grant DFF-0165-00107B “C3PO”), and the DARPA SIEVE program (contract HR001120C0085 “FROMAGER”). Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of DARPA. Distribution Statement “A” (Approved for Public Release, Distribution Unlimited).

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    Ignoring factors of \(\textsf{poly}(\lambda )\), for security parameter \(\lambda \).

  2. 2.

    Technically, this is a simplification for Damgård–Jurik-based HSS [RS21]. For other schemes, \(\boldsymbol{k}\) becomes a vector, and c becomes a matrix of group elements which has \(\boldsymbol{k}\) as a kind of eigenvector (in the exponent).

  3. 3.

    For HSS based on DDH, this is only possible with probability \(1 - 1/\textsf{poly}(\lambda )\).

  4. 4.

    Note that in any such protocol both parties must at least commit to their inputs. If one didn’t, then it could learn two different output shares \([\![z]\!]_i, [\![z']\!]_i\), and take the difference to get \(z - z'\) (since the other party’s share must be the same both times), which would leak.

  5. 5.

    This requires some \({\textsf{Setup}}\) to be run before the protocol starts, since the hasher must not learn \(\alpha \).

  6. 6.

    The SIS problem corresponding to d being a collision-resistant hash was defined in [CLM23]. They named it vanishing SIS, and gave some evidence for its hardness.

  7. 7.

    A OTTT [IKM+13] is a truth table, permuted according to a random input mask, secret shared among all N parties.

  8. 8.

    These input ciphertexts can sent to all parties at the start, and reused for all layers.

  9. 9.

    For instance, \(\rho _0\) can represent the randomness used to produce \(g_0\), if we aim to generate them using common random string or a random oracle.

  10. 10.

    If that wasn’t the case, we could send a length-n message m with o(n) communication by just inputting \(\boldsymbol{x}=\boldsymbol{0}\) and \(\boldsymbol{y}=m\) in the VOLE protocol.

References

  1. Abram, D., Damgård, I., Orlandi, C., Scholl, P.: An algebraic framework for silent preprocessing with trustless setup and active security. In: Dodis, Y., Shrimpton, T. (eds.) CRYPTO 2022, Part IV. LNCS, vol. 13510, pp. 421–452. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-15985-5_15

    Chapter  Google Scholar 

  2. Ajtai, M.: Generating hard instances of lattice problems (extended abstract). In: 28th ACM STOC, pp. 99–108. ACM Press, May 1996

    Google Scholar 

  3. Abram, D., Roy, L., Scholl, P.: Succinct homomorphic secret sharing. Cryptology ePrint Archive (2024). (Full version)

    Google Scholar 

  4. Boyle, E., Couteau, G., Gilboa, N., Ishai, Y., Kohl, L., Scholl, P.: Efficient pseudorandom correlation generators: silent OT extension and more. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019, Part III. LNCS, vol. 11694, pp. 489–518. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_16

    Chapter  Google Scholar 

  5. Boyle, E., Couteau, G., Meyer, P.: Sublinear-communication secure multiparty computation does not require FHE. In: Hazay, C., Stam, M. (eds.) EUROCRYPT 2023, Part II. LNCS, vol. 14005, pp. 159–189. Springer, Heidelberg (2023). https://doi.org/10.1007/978-3-031-30617-4_6

    Chapter  Google Scholar 

  6. Boyle, E., Gilboa, N., Ishai, Y.: Breaking the circuit size barrier for secure computation under DDH. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part I. LNCS, vol. 9814, pp. 509–539. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_19

    Chapter  Google Scholar 

  7. Boyle, E., Kohl, L., Scholl, P.: Homomorphic secret sharing from lattices without FHE. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019, Part II. LNCS, vol. 11477, pp. 3–33. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3_1

    Chapter  Google Scholar 

  8. Baum, C., Malozemoff, A.J., Rosen, M.B., Scholl, P.: \(\sf Mac^{\prime }n^{\prime }Cheese\): zero-knowledge proofs for boolean and arithmetic circuits with nested disjunctions. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021, Part IV. LNCS, vol. 12828, pp. 92–122. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84259-8_4

    Chapter  Google Scholar 

  9. Cini, V., Lai, R.W.F., Malavolta, G.: Lattice-based succinct arguments from vanishing polynomials. In: Handschuh, H., Lysyanskaya, A. (eds.) CRYPTO 2023. LNCS, vol. 14082, pp. 72–105. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-38545-2_3

    Chapter  Google Scholar 

  10. Couteau, G.: A note on the communication complexity of multiparty computation in the correlated randomness model. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019, Part II. LNCS, vol. 11477, pp. 473–503. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3_17

    Chapter  Google Scholar 

  11. Döttling, N., Garg, S., Ishai, Y., Malavolta, G., Mour, T., Ostrovsky, R.: Trapdoor hash functions and their applications. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019, Part III. LNCS, vol. 11694, pp. 3–32. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_1

    Chapter  Google Scholar 

  12. Dao, Q., Ishai, Y., Jain, A., Lin, H.: Multi-party homomorphic secret sharing and sublinear MPC from sparse LPN. In: Handschuh, H., Lysyanskaya, A. (eds.) CRYPTO 2023. Lecture Notes in Computer Science, vol. 14082, pp. 315–348. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-38545-2_11

    Chapter  Google Scholar 

  13. Dittmer, S., Ishai, Y., Ostrovsky, R.: Line-point zero knowledge and its applications. In: 2nd Conference on Information-Theoretic Cryptography (ITC 2021). Schloss Dagstuhl-Leibniz-Zentrum für Informatik (2021)

    Google Scholar 

  14. Garg, S., Hajiabadi, M., Ostrovsky, R.: Efficient range-trapdoor functions and applications: rate-1 OT and more. In: Pass, R., Pietrzak, K. (eds.) TCC 2020, Part I. LNCS, vol. 12550, pp. 88–116. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64375-1_4

    Chapter  Google Scholar 

  15. Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Ladner, R.E., Dwork, C. (eds.) 40th ACM STOC, pp. 197–206. ACM Press, May 2008

    Google Scholar 

  16. Ishai, Y., Kushilevitz, E., Meldgaard, S., Orlandi, C., Paskin-Cherniavsky, A.: On the power of correlated randomness in secure computation. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 600–620. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36594-2_34

    Chapter  Google Scholar 

  17. Kilian, J.: A note on efficient zero-knowledge proofs and arguments (extended abstract). In: 24th ACM STOC, pp. 723–732. ACM Press, May 1992

    Google Scholar 

  18. Naor, M., Nissim, K.: Communication preserving protocols for secure function evaluation. In: 33rd ACM STOC, pp. 590–599. ACM Press, July 2001

    Google Scholar 

  19. Orlandi, C., Scholl, P., Yakoubov, S.: The rise of Paillier: homomorphic secret sharing and public-key silent OT. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021, Part I. LNCS, vol. 12696, pp. 678–708. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77870-5_24

    Chapter  Google Scholar 

  20. Quach, W., Wee, H., Wichs, D.: Laconic function evaluation and applications. In: Thorup, M. (ed.) 59th FOCS, pp. 859–870. IEEE Computer Society Press, October 2018

    Google Scholar 

  21. Roşie, R.: Adaptively secure laconic function evaluation for \(\sf NC^1\). In: Galbraith, S.D. (ed.) CT-RSA 2022. LNCS, vol. 13161, pp. 427–450. Springer, Cham (2022). https://doi.org/10.1007/978-3-030-95312-6_18

    Chapter  Google Scholar 

  22. Raghuraman, S., Rindal, P.: Blazing fast PSI from improved OKVS and subfield VOLE. In: Yin, H., Stavrou, A., Cremers, C., Shi, E. (eds.) ACM CCS 2022, pp. 2505–2517. ACM Press, November 2022

    Google Scholar 

  23. Roy, L., Singh, J.: Large message homomorphic secret sharing from DCR and applications. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021, Part III. LNCS, vol. 12827, pp. 687–717. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84252-9_23

    Chapter  Google Scholar 

  24. Yang, K., Sarkar, P., Weng, C., Wang, X.: QuickSilver: efficient and affordable zero-knowledge proofs for circuits and polynomials over any field. In: Vigna, G., Shi, E. (eds.) ACM CCS 2021, pp. 2986–3001. ACM Press, November 2021

    Google Scholar 

Download references

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Damiano Abram .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2024 International Association for Cryptologic Research

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Abram, D., Roy, L., Scholl, P. (2024). Succinct Homomorphic Secret Sharing. In: Joye, M., Leander, G. (eds) Advances in Cryptology – EUROCRYPT 2024. EUROCRYPT 2024. Lecture Notes in Computer Science, vol 14656. Springer, Cham. https://doi.org/10.1007/978-3-031-58751-1_11

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-58751-1_11

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-58750-4

  • Online ISBN: 978-3-031-58751-1

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics