Inferensys

Glossary

Function Secret Sharing (FSS)

A cryptographic method for splitting a function into compact secret shares that can be evaluated independently, enabling secure two-party computation with minimal communication for specific function classes like distributed point functions.
Operations room with a large monitor wall for system visibility and control.
CRYPTOGRAPHIC PRIMITIVE

What is Function Secret Sharing (FSS)?

Function Secret Sharing (FSS) is a cryptographic primitive that splits a function f into compact, independently evaluable secret shares, enabling secure two-party computation with minimal interaction for specific function classes.

Function Secret Sharing (FSS) is a cryptographic primitive that decomposes a function f into a pair of succinct secret shares (k0, k1), such that each share kb defines a function g(kb, x) and the XOR of the evaluations equals f(x). Unlike general-purpose MPC, FSS achieves this with shares proportional to the function's description size, not its circuit size, enabling communication-efficient secure computation for structured functions like distributed point functions (DPFs) and comparison functions.

The core mechanism relies on pseudorandom generators and correlated randomness. A dealer samples a random seed and uses a GGM-style tree to derive correction words that ensure the two evaluations cancel out everywhere except at a secret point. This allows two non-colluding servers to obliviously evaluate f on a client's input with no interaction between the servers, making FSS a foundational building block for private information retrieval (PIR), secure aggregation, and lightweight MPC protocols.

CRYPTOGRAPHIC PRIMITIVES

Key Features of Function Secret Sharing

Function Secret Sharing (FSS) decomposes a function into compact, independently evaluable shares, enabling secure two-party computation with minimal interaction for specific function classes.

01

Distributed Point Function (DPF)

The foundational FSS scheme for point functions. A DPF splits a function f(x) that outputs a secret value β only at a specific point α into two keys. Each key individually reveals nothing about α or β, but when evaluated at every point in the domain and XORed together, the secret is recovered only at x=α.

  • Key Size: O(λ log N) bits for a domain of size N, where λ is the security parameter
  • Evaluation: Each party evaluates their key locally, requiring zero interaction
  • Use Case: Private information retrieval (PIR) and secure database queries
O(λ log N)
Key Size Complexity
02

Distributed Comparison Function (DCF)

An FSS scheme for interval functions where f(x) = β if x < α and 0 otherwise. DCFs enable efficient private comparisons without bit-by-bit circuit evaluation. The construction uses a binary tree representation of the comparison threshold, with shares encoding the path to the boundary.

  • Efficiency: Avoids expensive garbled circuit comparisons
  • Communication: Only the initial key distribution requires interaction; evaluation is fully non-interactive
  • Application: Secure range queries, private decision tree evaluation, and threshold-based analytics
03

Function Classes and Expressiveness

FSS supports a growing taxonomy of efficiently shareable function families beyond point and comparison functions. Each class exploits specific algebraic structure to achieve compact key sizes.

  • Splittable Functions: Functions whose truth table can be recursively decomposed
  • Decision Trees: Entire tree models can be shared as a collection of DCFs
  • Sparse Functions: Functions with few non-zero outputs in a large domain
  • Linear Combinations: Multiple FSS shares can be combined to represent more complex functions
  • Limitation: Not all functions are efficiently shareable; general circuits still require garbled circuits or full MPC
04

Two-Party Secure Computation Model

FSS operates in a two-party model where a dealer generates and distributes keys to two non-colluding servers. Clients send queries to both servers, which evaluate their shares locally and return results. The client XORs the responses to recover the output.

  • Trust Assumption: The two servers must not collude
  • Client Role: The client is typically the party receiving the result, not contributing input
  • Dealer Role: Can be a trusted third party or implemented via a secure distributed setup protocol
  • Advantage over Garbled Circuits: Eliminates the need for interactive evaluation for supported function classes
05

Communication Complexity

FSS achieves optimal communication for the supported function classes. After the one-time key distribution phase, the online evaluation phase requires only a single round of communication: the client sends a query to each server and receives one response.

  • Key Distribution: One-time cost proportional to key size
  • Online Phase: 1 round, O(1) or O(λ) bits per query
  • Comparison: Garbled circuits require O(κ) bits per AND gate and multiple rounds; FSS eliminates this for point and comparison functions
  • Practical Impact: Enables sub-second private queries over billion-entry databases
1
Online Rounds
O(1)
Online Communication
06

Security Guarantees

FSS provides information-theoretic or computational security depending on the construction. Each key individually is uniformly random and reveals no information about the underlying function, threshold, or output value.

  • Perfect Secrecy: For DPF with information-theoretic constructions, a single key gives zero information about α or β
  • Computational Hiding: Some efficient constructions rely on pseudorandom generators (PRGs) and achieve computational security
  • Malicious Security: Standard FSS assumes semi-honest servers; extensions using verifiable secret sharing or MACs can detect cheating
  • Composability: FSS can be combined with other MPC primitives while maintaining security under the universal composability framework
FUNCTION SECRET SHARING

Frequently Asked Questions

Clear, technically precise answers to the most common questions about Function Secret Sharing (FSS), its mechanisms, and its role in secure computation.

Function Secret Sharing (FSS) is a cryptographic primitive that splits a function f into a pair of compact, independently evaluable keys (k0, k1) such that each key hides f completely, but together their evaluations at a point x sum to f(x). The process begins with a dealer who knows the target function f and runs a key-generation algorithm Gen(1^λ, f) to produce the two keys. These keys are distributed to two non-colluding servers. When queried on an input x, each server runs an evaluation algorithm Eval(b, kb, x) to produce a share yb. The client then simply computes y0 + y1 to recover f(x). The critical property is that each individual key computationally hides the function f, meaning a single server learns nothing about the function being evaluated. This enables secure two-party computation (2PC) for specific function classes—most notably Distributed Point Functions (DPFs) and Distributed Comparison Functions (DCFs)—with minimal communication overhead, often just a single round of interaction.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.