Explicit and Nearly Tight Lower Bound for 2-Party Perfectly Secure FSS

Abstract

Function Secret Sharing (FSS) is a cryptographic tool introduced by Boyle et al. (EUROCRYPT 2015) and is useful for several applications such as private information retrieval, oblivious-RAM, multi-party computation, etc. Most of the known FSS schemes are based on a pseudorandom generator and hence with computational security. In contrast, there are only a few known constructions of information-theoretic FSS, which are just for restricted function classes. It has not been well studied how efficient information-theoretic FSS can be in general. In this paper, we focus on (2-party) perfectly secure information-theoretic FSS and prove that the key size is explicitly (i.e., not just asymptotically) bounded below by the size of the subgroup generated by the function class. To the best of our knowledge, this is the first lower bound for information-theoretic FSS for an arbitrary function class. Our result shows that for several practically meaningful function classes, perfectly secure information-theoretic FSS must be much inefficient, not only asymptotically but also in practical parameters. Furthermore, we prove that this explicit lower bound is nearly tight by constructing perfectly secure information-theoretic FSS schemes for arbitrary function classes almost achieving our lower bound.