Keywords

1 Introduction

Secret sharing (SS) schemes are fundamental cryptographic primitives, which were independently invented by Blakley [4] and Shamir [21]. SS schemes involve several ordinary parties (say, p parties) and the special party called a dealer. We suppose that the dealer has a secret information s and partitions the secret information s into share information \(S_{i}\) \((0\le i \le p)\) which will be distributed to the ith party. In (np)-threshold SS scheme, the secret information S can be recovered from n shares (collected if any n parties get together), but no information on s is obtained from at most \(n - 1\) shares. This threshold property can be discussed in terms of access structures. An access structure \(({\mathcal A},{\mathcal B})\) consists of two classes of sets of parties such that (1) if all parties in some set \(A\in {\mathcal A}\) get together, then the secret information can be recovered from their shares; (2) even if all parties in any set \(B\in {\mathcal B}\) get together, then any information of the secret s cannot be obtained. For example, the access structure \(({\mathcal A},{\mathcal B})\) of the (np)-threshold SS scheme can be defined as \({\mathcal A} = \{ A\subseteq \{1,\ldots , p\} : |A| \ge n \}\) and \({\mathcal B} = \{ B\subseteq \{1,\ldots , p\} : |B| < n \}\). Besides the access structure of the threshold type, many variants have been investigated in the literature [3, 6, 7, 13, 15, 17]. As a standard technique for constructing access structures, monotone span programs [10, 11, 14, 18] are often used.

The idea where a secret information is secretly distributed to several parties can be applied to a function. The idea of secretly distributing a function has an application in private information retrieval (PIR) [8, 9, 16] as demonstrated in [12]. Gilboa et al. [12] consider to distribute point functions (DPFs) \(f_{a,b}:\{0,1\}^n \rightarrow \mathbb {G}\), where \(f_{a,b}(x)=b\) if \(x=a\) for some \(a \in \{0, 1\}^n\) and \(f_{a,b}(x)=0\) otherwise. In a basic DPF scheme, the function f is partitioned into two keys \(f_{0}, f_{1}\) and each key is distributed to the respective party of the two parties. Each party calculates the share \(y_{i}=f_i(x)\) for common input x by using the key \(f_i\). On the other hand, each \(f_i\) does not give any important information (e.g., the value a for \(f_{a,b}\)) on the original function. The functional value of the point function \(f_{a,b}\) can be obtained by just summing up two shares \(y_0\) and \(y_1\) of the two parties. Boyle et al. [5] investigate the efficiency in the key size and extend the two-party setting into the multi-party setting. Moreover, they generalize the target functions (i.e., point functions) to other functions and propose an FSS scheme for some function family \(\mathcal {F}\) in which functions \(f:\{0,1\}^n \rightarrow \mathbb {G}\) can be calculated efficiently. In the multi-key FSS scheme, we partition a function \(f \in \mathcal {F}\) into p distributed functions \((f_{1}, \ldots , f_{p})\). Likewise, an equation \(f(x)=\sum ^p_{i=1}f_{i}(x)\) is satisfied with respect to any x, and the information about the secret function f (except the domain and the range) does not leak out from at most \(p-1\) distributed functions. Moreover, distributed functions \(f_{i}\) can be described as short keys \(k_{i}\), and it is required to be efficiently evaluated.

In [20], Ohsawa et al. observed that any function f from \(\{0,1\}^n\) to \(\{0,1\}\) can be described as a linear combination of the basis functions by regarding the function space as a vector space of dimension \(2^n\). While the point functions \(f_{a,1}\) (for all \(a\in \{0,1\}^n\)) constitute a (standard) basis for the vector space, any function \(f:\{0,1\}^n\rightarrow \{\pm 1\}\) can be represented as a linear combination of the Fourier basis functions \(\chi _a(x)=(-1)^{\langle a,x\rangle }\), where \(\langle a, x\rangle \) denotes the inner product between vectors \(a=(a_1,\ldots , a_n)\) and \(x=(x_1,\ldots , x_n)\). Based on the above observation, Ohsawa et al. gave new FSS schemes based on the Fourier basis. If we limit our concern to polynomial-time computable FSS schemes, functions for which the existing schemes are available would be limited. Since polynomial-time computable functions represented by combinations of point functions are quite different from ones represented by the Fourier basis functions, point function-based FSS schemes and Fourier function-based FSS schemes are complementary.

We note that properties of some functions are often discussed in the technique of the Fourier analysis. Akavia et al. [1] introduced a novel framework for proving hard-core properties in terms of Fourier analysis. Any predicates can be represented as a linear combination of Fourier basis functions. Akavia et al. show that if the number of nonzero coefficients in the Fourier representation of hard-core predicates is polynomially bounded, then the coefficients are efficiently approximable. This fact leads to the hard-core properties. Besides hard-core predicates, it is well known that low-degree polynomials are Fourier-concentrated [19].

Contribution

Since the existing FSS schemes are of (pp)-threshold type, it is natural to consider the possibility of FSS schemes with any threshold structure of (np)-type and even general access structures as in the case of SS schemes.

In this paper, we affirmatively answer this question. As mentioned, Fourier-based FSS schemes in [20] are quite simpler than the previous FSS schemes. This is because Fourier basis functions have some linear structure. Shamir’s threshold SS scheme can be seen as an application of the Reed–Solomon code, which is a linear code. Both the distribution phase and the reconstruction phase can be described in a linear algebraic way. From this viewpoint, we construct an (np)-threshold Fourier-based FSS scheme. Moreover, SS schemes with general access structure can be discussed in terms of monotone span program (MSP). The underlying structure of SS schemes by using MSP is similar to the linear algebraic view of Shamir’s (np)-threshold SS scheme, and we can similarly construct Fourier-based FSS schemes with general access structure.

Technically speaking, Ohsawa et al. [20] consider a function from \(\{0,1\}^n\) to \(\mathbb {C}\). That is, they consider Fourier transform over n-dimensional vector space of \(\mathbb {F}_2\). On the other hand, we consider a function from a finite field \(\mathbb {F}_q\) (of prime order q) to \(\mathbb {C}\). So, in this paper, we consider the Fourier transform over \(\mathbb {F}_q\) rather than \((\mathbb {F}_2)^n\). The shift of the underlying mathematical structure enables to construct FSS schemes with general access structure.

2 Preliminaries

2.1 Access Structure and Monotone Span Program

Let us assume that there are p parties in an SS (or, FSS) scheme. A qualified group is a set of parties who are allowed to reconstruct the secret, and a forbidden group is a set of parties who should not be able to get any information about the secret. The set of qualified groups is denoted by \(\mathcal A\) and the set of forbidden groups by \(\mathcal B\). The set \(\mathcal A\) is said to be monotonically increasing if, for any set \(A\in \mathcal A\), any set \(A'\) such that \(A'\supseteq A\) is also included in \(\mathcal A\). The set \(\mathcal B\) is said to be monotonically decreasing if, for any set \(B\in \mathcal B\), any set \(B'\) such that \(B'\subseteq B\) is also included in \(\mathcal B\). If a pair \(({\mathcal A}, {\mathcal B})\) satisfies that \({\mathcal A}\cap {\mathcal B} = \varnothing \), \(\mathcal A\) is monotonically increasing and \(\mathcal B\) is monotonically decreasing, then the pair is called a (monotone) access structure. If an access structure \(({\mathcal A},{\mathcal B})\) satisfies that \({\mathcal A} \cup {\mathcal B}\) coincides with the power set of \(\{1,\ldots , p\}\), we say that the access structure is complete. If we consider a complete access structure, we may simply denote the access structure by \(\mathcal A\) instead of \(({\mathcal A}, {\mathcal B})\), since \(\mathcal B\) is equal to the complement set of \(\mathcal A\).

As mentioned, there are several ways to realize general access structures. Monotone span program (MSP) is a typical way to construct general access structures. Before mentioning the MSP, we prepare some basics and notations for linear algebra.

An \(m\times d\) matrix M over a field \(\mathbb {F}\) defines a linear map from \(\mathbb {F}^d\) to \(\mathbb {F}^m\). The kernel of M, denoted by \(\mathrm{ker}(M)\), is the set of vectors \(\varvec{u}\in \mathbb {F}^d\) such that \(M\varvec{u}=\varvec{0}\). The image of M, denoted by \(\mathrm{im}(M)\), is the set of vectors \(\varvec{v}\in \mathbb {F}^m\) such that \(\varvec{v}=M\varvec{u}\) for some \(\varvec{u}\in \mathbb {F}^d\).

A monotone span program (MSP) \(\mathcal M\) is a triple \((\mathbb {F}, M, \rho )\), where \(\mathbb {F}\) is a finite field, M is an \(m\times d\) matrix over \(\mathbb {F}\), and \(\rho : \{1,\ldots ,m\}\rightarrow \{1,\ldots , p\}\) is a surjective function which labels each row of M by a party. For any set \(A\subseteq \{1,\ldots , p\}\), let \(M_A\) denote the submatrix obtained by restricting M to the rows labeled by parties in A. We say that \(\mathcal M\) accepts A if \(\varvec{e}_1=(1,0,\ldots , 0)^T\in \mathrm{im}(M_A^T)\); otherwise, we say \(\mathcal M\) rejects A. Moreover, we say that \(\mathcal M\) accepts a (complete) access structure \(\mathcal A\) if the following is equivalent: \(\mathcal M\) accepts A if and only if \(A\in \mathcal A\).

When \(\mathcal M\) accepts a set A, there exists a recombination vector \(\varvec{\lambda }\) such that \(M_A^T\varvec{\lambda }=\varvec{e}_1\). Also, note that \(\varvec{e}_1\not \in \mathrm{im}(M_B^T)\) if and only if there exists a vector \(\varvec{\xi }\) such that \(M_B\varvec{\xi }=\varvec{0}\) and the first element of \(\varvec{\xi }\) is 1.

2.2 Function Secret Sharing

The original definition in [5] of FSS schemes are tailored for threshold schemes. We adapt the definition for general access structures. In an FSS scheme, we partition a function f into keys \(k_i\) (the succinct descriptions of \(f_i\)) which the corresponding parties \(P_i\) receive. Each party \(P_i\) calculates the share \(y_i=f_i(x)\) for the common input x. The functional value f(x) is recovered from shares \(\varvec{y}_A\) in a qualified set A of parties, which is a subvector of \(\varvec{y}= (y_1, y_2, \ldots , y_p)\), by using a decode function Dec. Any joint keys \(k_i\) in a forbidden set B of parties do not leak any information on function f except the domain and the range of f. We first define the decoding process from shares.

Definition 1

(Output Decoder) An output decoder \({ Dec}\), on input a set T of parties and shares from the parties in T, outputs a value in the range R of the target function f.

Next, we define FSS schemes. We assume that \(\mathcal A\) is a complete access structure among p parties and \(T\subseteq \{1,2,\ldots , p\}\) is a set of parties.

Definition 2

For any \(p \in \mathbb {N}\), \(T \subseteq \{1,2,\ldots , p\}\), an \(\mathcal A\)-secure FSS scheme with respect to a function class \(\mathcal F\) is a pair of PPT algorithms \(({ Gen}, { Eval})\) satisfying the following.

  • The key generation algorithm \({ Gen}(1^\lambda ,f)\), on input the security parameter \(1^\lambda \) and a function \(f:D\rightarrow R\) in \(\mathcal F\), outputs p keys \((k_1,\ldots , k_p)\).

  • The evaluation algorithm \({ Eval}(i,k_i,x)\), on input a party index i, a key \(k_i\), and an element \(x \in D\), outputs a value \(y_i\), corresponding to the ith party’s share of f(x).

Moreover, these algorithms must satisfy the following properties:

  • \({ Correctness}\): For all \(A\in \mathcal A\), \(f \in \mathcal {F}\) and \(x \in D\),

    $$\begin{aligned} \Pr [ { Dec}(A, \{ { Eval}(i, k_i, x) \}_{i\in A})=f(x) \mid (k_1,\ldots , k_p)\leftarrow { Gen}(1^\lambda , f)]=1. \end{aligned}$$

  • \({ Security}\): Consider the following indistinguishability challenge experiment for a forbidden set B of parties, where \(B\not \in \mathcal A\):

    1. 1.

      The adversary \(\mathcal D\) outputs \((f_0, f_1) \leftarrow \mathcal {D}(1^\lambda )\), where \(f_0, f_1\in \mathcal F\).

    2. 2.

      The challenger chooses \(b \leftarrow \{0,1\}\) and \((k_1, \ldots , k_p) \leftarrow { Gen}(1^\lambda , f_b)\).

    3. 3.

      \(\mathcal {D}\) outputs a guess \(b' \leftarrow \mathcal {D}(\{k_i\}_{i\in B})\), given the keys for the parties in the forbidden set B.

    The advantage of the adversary \(\mathcal D\) is defined as \({ Adv}(1^\lambda , \mathcal {D}):= \Pr [b=b']- 1/2\). The scheme \(({ Gen}, { Eval})\) satisfies that there exists a negligible function \(\nu \) such that for all non-uniform PPT adversaries \(\mathcal {D}\) which corrupts parties in any forbidden set B, it holds that \({ Adv}(1^\lambda , \mathcal {D})\le \nu (\lambda )\).

2.3 Basis Functions

The function space of functions \(f:\mathbb {F}_q \rightarrow \mathbb {C}\) can be regarded as a vector space of dimension q. Therefore, the basis vectors for the function space exist, and we let \(h_{i}(x)\) be each basis function. Any function f in the function space is described as a linear combination of the basis functions

$$\begin{aligned} f(x) = \sum _{j\in \mathbb {F}_q} \beta _j h_j(x), \end{aligned}$$

where \(\beta _j\)s are coefficients in \(\mathbb {C}\).

The Fourier basis

Let \(f:\mathbb {F}_q \rightarrow \mathbb {C}\), where q is an odd prime number. The Fourier transform of the function f is defined as

$$\begin{aligned} \hat{f}(a)=\frac{1}{q}\sum _{x\in \mathbb {F}_q} f(x)e^{-2 \pi (ax/q) i}, \end{aligned}$$
(1)

where i is the imaginary number. Then, f(x) can be described as a linear combination of the basis functions \(\chi _a(x)=e^{2\pi (ax/q) i}\), that is,

$$ f(x)=\sum _{a\in \mathbb {F}_q} \hat{f}(a)\chi _a(x). $$

In the above, \(\hat{f}(a)\) is called Fourier coefficient of \(\chi _a(x)\). By using \(\omega _q=e^{(2\pi /q) i}\), the primitive root of unity of order q, we can denote each Fourier basis function by

$$\begin{aligned} \chi _{a}(x) = (\omega _q)^{ax} \end{aligned}$$

and let \({\mathcal B}_F=\{ \chi _a \mid a\in \mathbb {F}_q\}\) be the sets of all the Fourier basis functions.

It is easy to see that the Fourier basis is orthonormal since

$$\begin{aligned} \frac{1}{q}\sum _{x\in \mathbb {F}_q}\chi _{a}(x)\chi _{b}(x) ={\left\{ \begin{array}{ll} 1 \ \ \ \text{ if } a=b,\\ 0 \ \ \ \text{ otherwise }. \end{array}\right. } \end{aligned}$$
(2)

In this paper, we consider only Boolean-valued functions and assume that the range of the boolean function is \(\{\pm 1\}\) instead of \(\{0,1\}\) without loss of generality. That is, we regard boolean functions as mappings from \(\mathbb {F}_q\) to \(\{\pm 1\}\). Also, we have

$$\begin{aligned} \chi _{a+b}(x)=\chi _a(x)\chi _b(x). \end{aligned}$$

This multiplicative property plays an important role in this paper.

3 Linear Secret Sharing

3.1 Shamir’s Threshold Secret Sharing

First, we give a traditional description of Shamir’s (np)-threshold SS scheme [21], where \(p\ge n\ge 2\). Let s be a secret integer which a dealer D has. First, the dealer D chooses a prime number \(q>s\) and a polynomial \(g(X) \in \mathbb {F}_q[X]\) of degree \(n-1\). Then, the dealer D computes \(s_i=(i,g(i))\) as a share for the ith party \(P_i\) and sends \(s_i\) to each \(P_i\). For the reconstruction, n parties get together and recover the secret s by the Lagrange interpolation from their shares.

The above procedure can be equivalently described as follows. Let M be an \(n\times p\) Vandermonde matrix and \(\varvec{m}_i\) be the ith row in M. That is, \(\varvec{m}_i=(1,i,i^2,\ldots , i^{n-1})\). Let \(\varvec{b}=(b_0,b_1,\ldots , b_{n-1})^T\) be an n-dimensional vector such that \(b_0=s\) and \(b_1,\ldots , b_{n-1}\) are randomly chosen elements in \(\mathbb {F}_q\). Let \(\varvec{y}= (s_1,s_2,\ldots , s_p)^T=M\varvec{b}\). The share \(s_i\) for \(P_i\) is the ith element of \(\varvec{y}\), that is, \(s_i = \langle \varvec{m}_i^T,\varvec{b}\rangle \), where \(\langle \cdot ,\cdot \rangle \) denotes the inner product. Let A be a subset of \(\{1,2,\ldots ,p\}\) which corresponds to a set of parties. Let \(M_A\) be a submatrix of M obtained by collecting rows \(\varvec{m}_j\) for all \(j\in A\). We similarly define a subvector \(\varvec{y}_A\) by collecting elements \(s_j\) for all \(j\in A\). Let \(\varvec{e}_1 = (1,0,0,\ldots ,0)^T \in (\mathbb {F}_q)^n\). Then, we can uniquely determine \(\varvec{\lambda }\) such that \(M_A^T\varvec{\lambda } = \varvec{e}_1\) by solving an equation system if and only if \(|A|\ge n\). Then, we have

$$ s = \langle \varvec{b}, \varvec{e}_1\rangle = \langle \varvec{b}, M_A^T\varvec{\lambda }\rangle = \langle M_A\varvec{b}, \varvec{\lambda }\rangle = \langle \varvec{y}_A, \varvec{\lambda }\rangle . $$

Since \(\varvec{y}_A\) corresponds to all shares for \(P_j\) (\(j\in A\)), we can reconstruct the secret s by computing the inner product \(\langle \varvec{y}_A, \varvec{\lambda }\rangle \).

3.2 Monotone Span Program and Secret Sharing

Here, we give a construction of linear secret sharing (LSS) based on monotone span program (MSP). Here, we do not mention how to construct MSP. For the construction of MSP, see the literature, e.g., [6, 10, 11, 14]. In this paper, we will use the LSS schemes. Since the LSS schemes imply MSPs [2, 22], it is sufficient to consider MSP-based SS schemes.

Let \(s\in \mathbb {F}_q\) be a secret which the dealer D has and \({\mathcal M}=(\mathbb {F}_q,M,\rho )\) be an MSP which corresponds to a complete access structure \(\mathcal A\). The dealer D considers to partition s into several shares. In the sharing phase, the dealer D chooses a random vector \(\varvec{r}\in (\mathbb {F}_q)^{p-1}\) and sends a share \(\langle \varvec{m}_i^T, (s,\varvec{r})^T\rangle \) to the ith party. In the reconstruction phase, using the recombination vector \(\varvec{\lambda }\), any qualified set \(A\in \mathcal A\) of parties can reconstruct the secret as follows:

$$ \langle \varvec{\lambda }, M_A(s,\varvec{r})^T \rangle = \langle M_A^T \varvec{\lambda }, (s,\varvec{r})^T \rangle = \langle \varvec{e}_1, (s,\varvec{r})^T\rangle = s. $$

Regarding the privacy, let B be a forbidden set of parties, and consider the joint information held by the parties in B. That is, \(M_B\varvec{b} = \varvec{y}_B\), where \(\varvec{b}=(s,\varvec{r})^T\). Let \(s'\in \mathbb {F}_q\) be an arbitrary value, and let \(\varvec{\xi }\) be a vector such that \(M_B\varvec{\xi }=\varvec{0}\) and the first element in \(\varvec{\xi }\) is equal to 1. Then, \(\varvec{y}_B=M_B(\varvec{b}+\varvec{\xi }(s'-s))\), where the first coordinate of the vector \(\varvec{b}+\varvec{\xi }(s'-s)\) is now equal to \(s'\). This means that, from the viewpoint of the parties in B, their shares \(\varvec{y}_B\) are equally likely consistent with any secret \(s'\in \mathbb {F}_q\).

4 Our Proposal

As mentioned, any function can be described as a linear combination of basis functions. If the function is described as a linear combination of a super-polynomial number of basis functions, then the computational cost for evaluating the function might be inefficient. We say that a function has a succinct description (with respect to the basis \(\mathcal B\)) if the function f is described as \(f(x)=\sum _{h\in {\mathcal B}'} \beta _h h(x)\) for some \({\mathcal B}'\subset {\mathcal B}\) such that \(|{\mathcal B}'|\) is polynomially bounded in the security parameter. If we can find a good basis set \(\mathcal B\), some functions may have a succinct description with respect to \(\mathcal B\). We consider to take the Fourier basis as such a good basis candidate.

We will provide an FSS scheme for some function class whose elements are functions with succinct description with respect to the Fourier basis \({\mathcal B}_F\). Since the Fourier basis has nice properties, our FSS scheme with general access structure can be realized.

In what follow, we assume that the underlying basis is always the Fourier basis \({\mathcal B}_F\). Moreover, we assume that \({\mathcal M}=(\mathbb {F}_q,M,\rho )\) is an MSP which corresponds to a general complete access structure \(\mathcal A\). We will consider Fourier-based FSS schemes with this access structure.

4.1 FSS Scheme for the Fourier Basis

In this subsection, we consider to partition each Fourier basis function \(\chi _a (x) = (\omega _q)^{ax}\) into several keys. That is, we give an FSS scheme with general access structure with respect to the function class \({\mathcal B}_F\).

Our FSS scheme with respect to \({\mathcal B}_F\) consists of three algorithms \({ Gen}_1^F\) (Algorithm 1), \({ Eval}_1^F\) (Algorithm 2), and \({ Dec}_1^F\) (Algorithm 3). \({ Gen}_1^F\) is an algorithm that divides the secret a (for \(\chi _a (x)\)) into p keys \((k_1, \ldots , k_p)\) as in the SS scheme with the same access structure. Each key \(k_i\) is distributed to the ith party \(P_i\). Note that the secret a can be recovered from the keys \(k_i\) for all i in a qualified set \(A\in {\mathcal A}\).

In \({ Eva}l^F_1\), each party obtains the share by feeding x to the function distributed as the key. \({ Dec}^F_1\) is invoked in order to obtain the Fourier basis function \(\chi _{a}(x)\) from the shares.

The correctness follows from

$$\begin{aligned} \chi _a(x)= & {} (\omega _q)^{ax}\\= & {} (\omega _q)^{\langle \varvec{y}_A, \varvec{\lambda }\rangle x}\\= & {} (\omega _q)^{(\sum k_i\lambda _i ) x}\\= & {} \prod \left( (\omega _q)^{k_ix} \right) ^{\lambda _i}. \end{aligned}$$

For the security, we assume that an adversary \(\mathcal D\) chooses \((f_0, f_1)\) where \(f_0=\chi _a\) and \(f_1=\chi _b\). Then, the challenger chooses a random bit c to select \(f_c\) and invokes \({ Gen}_1^{F}(1^\lambda , a)\) if \(c=0\) and \({ Gen}_1^{F}(1^\lambda , b)\) if \(c=1\). If \(c=0\), then a is divided into p keys. If \(c=1\), then b is divided into different p keys. From the argument in Sect. 3.2, the guess for the secret information a (resp., b) is a perfectly random guess. That is, the inputs to the adversary \(\mathcal D\) are the same in the two cases. Thus, the adversary \(\mathcal D\) cannot decide if the target function is either \(\chi _{a}(x)\) or \(\chi _{b}(x)\). It implies that only \(\mathcal D\) can do for guessing the random bit c selected by the challenger is just a random guess. So, \(Adv(1^\lambda ,{\mathcal D})=0\). This concludes the security proof.

4.2 General FSS Scheme for Succinct Functions

Since we do not know how to evaluate any function efficiently, we limit ourselves to succinct functions with respect to the Fourier basis \({\mathcal B}_F\). Note that succinct functions with respect to \({\mathcal B}_F\) do not coincide with succinct functions with respect to point functions. Simple periodic functions are typical examples of succinct functions with respect to \({\mathcal B}_F\), which might not be succinct functions with respect to point functions. As mentioned, some hard-core predicates of one-way functions are succinct functions with respect to \({\mathcal B}_F\).

Let \({\mathcal F}_{{\mathcal B}_F,\ell }\) be a class of functions f which can be represented as a linear combination of \(\ell \) basis functions (with respect to \({\mathcal B}_F\)) at most, where \(\ell \) is a polynomial in the security parameter. That is, f has the following form:

$$\begin{aligned} f(x) = \sum _{i=1}^\ell \beta _i \chi _{a_i}(x). \end{aligned}$$

We construct an FSS scheme with general access structure \(({ Gen}^F_{\le \ell }, { Eval}^F_{\le \ell }, { Dec}^F_{\le \ell })\) for a function \(f\in {\mathcal F}_{{\mathcal B}_F,\ell }\) as follows. Note that the construction is a simple adaptation of the Fourier-based FSS scheme over \((\mathbb {F}_2)^n\) in [20].

figure a
figure b
figure c

  • \({ Gen}_{\le \ell }^{F}(1^\lambda , f):\) On input the security parameter \(1^\lambda \) and a function f, the key generation algorithm (Algorithm 4) outputs p keys \((k_1,\ldots ,k_{p})\).

  • \({ Eval}_{\le \ell }^{F}(i, k_i, x):\) On input a party index i, a key \(k_{i}\), and an input string \(x \in \mathbb {F}_q\), the evaluation algorithm (Algorithm 5) outputs a value \(y_{i}\), corresponding to the ith party’s share of f(x).

  • \({ Dec}_{\le \ell }^{F}(A, \{ y_i\}_{i\in A}):\) On input shares \(\{ y_i\}_{i\in A}\) of parties in a (possibly) qualified set A, the decryption algorithm (Algorithm 6) outputs a solution f(x) for x.

In the above FSS scheme \(({ Gen}^F_{\le \ell }, { Eval}^F_{\le \ell }, { Dec}^F_{\le \ell })\) for succinct functions \(f\in {\mathcal F}_{{\mathcal B},\ell }\), we invoke FSS scheme \(({ Gen}^F_1, { Eval}^F_1, { Dec}^F_1)\) for basis functions \({\mathcal B}_F\), since f can be represented as a linear combination of at most \(\ell \) basis functions. In this construction, we distribute each basis function \(\chi _{a_i}(x)\) and each coefficient \(\beta _i\) as follows. We invoke \(({ Gen}^F_1, { Eval}^F_1, { Dec}^F_1)\) to distribute each basis function \(\chi _{a_i}(x)\) and use any SS scheme with the same access structure to distribute each coefficient \(\beta _i\).

The correctness of \(({ Gen}_{\le \ell }^F, { Eval}_{\le \ell }^F, { Dec}_{\le \ell }^F)\) just comes from the correctness of each FSS scheme \(({ Gen}^F_{1}, { Eval}^F_{1}, { Dec}^F_{1})\) for the basis function \(\chi _{a_i}(x)\) and the correctness of each SS scheme for the coefficients. But some care must be done. From the assumption, \(f\in {\mathcal F}_{{\mathcal B}_F,\ell }\) has \(\ell \) terms at most. If we represent f as a linear combination of exactly \(\ell \) terms, some coefficients for basis functions must be zero. Since the zero-function \(\chi _0(x)=(\omega _q)^{0\cdot x}=1\) which maps any element \(x\in \mathbb {F}_q\) to 1 can be partitioned into several functions as the ordinary basis functions can be, we can apply \(({ Gen}^F_{\le \ell }, { Eval}^F_{\le \ell }, { Dec}^F_{\le \ell })\) as well.

figure d
figure e
figure f

The security of \(({ Gen}^F_{\le \ell }, { Eval}^F_{\le \ell }, { Dec}^F_{\le \ell })\) can be discussed as follows. Without of loss of generality, we assume that all parties in a forbidden set B (where \(|B|=m\)) get \(((\varvec{k}_1,\varvec{s}_1),\ldots ,(\varvec{k}_m,\varvec{s}_m))\). For any i with \(1\le i \le \ell \), the m-tuples of the ith elements of \(\varvec{k}_1, \ldots , \varvec{k}_m\) are identical whatever the basis function for the ith term of the target function is, because the advantage of any adversary against \(({ Gen}^F_{1}, { Eval}^F_{1}, { Dec}^F_{1})\) is 0 as discussed in Sect. 4.1. Moreover, for any i with \(1\le i \le \ell \), the m-tuples of the ith elements of \(\varvec{s}_1, \ldots , \varvec{s}_m\) are identical whatever the coefficient for the ith term of the target function is, because of the perfect security of the underlying SS scheme with the same access structure. Furthermore, the outputs of several executions of \({ Gen}^F_1\) (even for the same target basis function) are independent because each \({ Gen}^F_1\) uses a fresh randomness. Thus, the information that all the parties in B can get is always the same regardless of the target function \(f\in {\mathcal F}_{{\mathcal B}_F,\ell }\). This guarantees the security of \(({ Gen}^F{\le \ell }, { Eval}^F_{\le \ell }, { Dec}^F_{\le \ell })\).

Remark

If we do not care about the leakage of the number of terms with nonzero coefficients for f, we can omit the partitioning of zero-functions, which increases the efficiency of the scheme.

5 Conclusion

By observing that Fourier-based FSS schemes by Ohsawa et al. [20] are compatible with linear SS schemes, we have provided Fourier-based FSS schemes with general access structure, which affirmatively answers the question raised in [20].