myl7/fss 1.1.0
Function secret sharing (FSS) primitives including distributed point/comparison function (DPF/DCF)
vdpf.cuh File Reference

2-party verifiable distributed point function (VDPF).

#include <cuda_runtime.h>
#include <cuda/std/array>
#include <cuda/std/span>
#include <cuda/std/tuple>
#include <type_traits>
#include <cstddef>
#include <cassert>
#include <omp.h>
#include <fss/group.cuh>
#include <fss/prg.cuh>
#include <fss/hash.cuh>
#include <fss/util.cuh>


Classes

class  fss::Vdpf< in_bits, Group, Prg, XorHash, Hash, In, par_depth >
 2-party VDPF scheme.
 
struct  fss::Vdpf< in_bits, Group, Prg, XorHash, Hash, In, par_depth >::Cw
 Correction word.
 

Detailed Description

2-party verifiable distributed point function (VDPF).

Author
Yulong Ming <i@myl7.org>

The scheme is from the paper Lightweight, Maliciously Secure Verifiable Function Secret Sharing [1] (the published version).

Definitions

Point function: given the input domain \(\sG_{in} = \{0, 1\}^n\), an output domain \((\sG_{out}, +)\) that is a group, \(a \in \sG_{in}\), and \(b \in \sG_{out}\), the point function \(f_{a, b}\) maps any input \(x\) to \(y = b\) if \(x = a\) and to \(y = 0\) otherwise.

VDPF: extends DPF with verifiability. The evaluation produces both output shares and a proof. Two parties can compare proofs to detect malicious key modification.

  • Key generation: \(Gen(1^\lambda, f_{a, b}) \rightarrow (k_0, k_1)\).
  • Evaluation: \(Eval(k_i, x) \rightarrow (y_{i,x}, \tilde\pi_{i,x})\).
  • Proof accumulation: \(Prove(\{\tilde\pi\}, cs) \rightarrow \pi\).
  • Verification: \(Verify(\pi_0, \pi_1) \rightarrow \{Accept, Reject\}\).
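The four operations above, as an added stand-alone sketch that is not this library's code or API and not the paper's exact construction: a tree-based DPF whose leaf seeds are hashed into a proof, so honest keys yield equal proofs and a modified correction word yields different ones. Assumptions: the names `mix`, `step`, `gen`, `eval_all` and `verify` are hypothetical, the output group is 64-bit integers under wrapping addition, and a toy non-cryptographic mixer stands in for the PRG and hashes.

```cpp
#include <cstdint>
#include <vector>
using u64 = uint64_t;
// Toy mixer (splitmix64 finalizer) standing in for the PRG and hashes. NOT cryptographically secure.
static u64 mix(u64 x, u64 c) {
    x += c * 0x9E3779B97F4A7C15ULL;
    x = (x ^ (x >> 30)) * 0xBF58476D1CE4E5B9ULL;
    x = (x ^ (x >> 27)) * 0x94D049BB133111EBULL;
    return x ^ (x >> 31);
}
struct Node { u64 s; bool t; };      // seed and control bit
struct Cw { u64 s; bool tl, tr; };   // per-level correction word
struct Key { int party; u64 seed; std::vector<Cw> cw; u64 cs, ocw; };
// Descend one level: expand the seed, apply cw only when the control bit is set.
static Node step(Node p, const Cw& cw, bool bit) {
    Node c{mix(p.s, bit ? 2 : 1), (mix(p.s, bit ? 4 : 3) & 1) != 0};
    if (p.t) { c.s ^= cw.s; c.t ^= bit ? cw.tr : cw.tl; }
    return c;
}
// Gen(f_{a,b}) -> (k0, k1) over the n-bit domain; r0, r1 are the parties' random root seeds.
static void gen(u64 a, u64 b, int n, u64 r0, u64 r1, Key& k0, Key& k1) {
    Node p0{r0, false}, p1{r1, true};
    std::vector<Cw> cws;
    for (int i = n - 1; i >= 0; --i) {
        bool bit = (a >> i) & 1;
        Node z0{p0.s, false}, z1{p1.s, false};   // uncorrected expansion
        bool tk = step(z0, Cw{}, bit).t == step(z1, Cw{}, bit).t;   // keep side: bits must differ
        Node l0 = step(z0, Cw{}, !bit), l1 = step(z1, Cw{}, !bit);  // lose side: must become equal
        cws.push_back({l0.s ^ l1.s, bit ? l0.t != l1.t : tk, bit ? tk : l0.t != l1.t});
        p0 = step(p0, cws.back(), bit); p1 = step(p1, cws.back(), bit);
    }
    u64 cs = mix(p0.s, 16 + a) ^ mix(p1.s, 16 + a);   // makes the leaf proofs agree at x = a
    u64 d = b - mix(p0.s, 5) + mix(p1.s, 5), ocw = p1.t ? 0 - d : d;
    k0 = {0, r0, cws, cs, ocw}; k1 = {1, r1, cws, cs, ocw};
}

// Eval on every x in the domain: appends output shares to ys, returns the accumulated proof.
static u64 eval_all(const Key& k, int n, std::vector<u64>& ys) {
    u64 pi = mix(k.ocw, 7);   // bind ocw so both keys must carry the same one
    for (u64 x = 0; x < (1ULL << n); ++x) {
        Node p{k.seed, k.party == 1};
        for (int i = 0; i < n; ++i) p = step(p, k.cw[i], (x >> (n - 1 - i)) & 1);
        u64 y = mix(p.s, 5) + (p.t ? k.ocw : 0);
        ys.push_back(k.party ? 0 - y : y);
        pi ^= mix(pi ^ mix(p.s, 16 + x) ^ (p.t ? k.cs : 0), 6);   // fold in the leaf proof
    }
    return pi;
}
static bool verify(u64 pi0, u64 pi1) { return pi0 == pi1; }   // Accept iff the proofs match
```

With honest keys the two `eval_all` proofs are equal and the shares sum to \(b\) at \(x = a\) and to 0 elsewhere; flipping a bit of `cw[0].s` in one party's key makes `verify` reject.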

Implementation Details

We fix the output domain size at 16B and always set the last word's LSB to 0, corresponding to \(\lambda = 127\). See Groupable for more details.

We limit the max input domain bit size to 128. This is enough for most applications and allows us to represent the input as an integer.

References

  1. Leo de Castro, Antigoni Polychroniadou: Lightweight, Maliciously Secure Verifiable Function Secret Sharing. EUROCRYPT 2022: 150-179. https://doi.org/10.1007/978-3-031-06944-4_6.