Context-Hiding in Shamir-Based HSS

Updated 8 December 2025

The paper establishes rigorous context-hiding definitions for Shamir-based HSS, analyzing leakage for various polynomial functions.
It demonstrates that while single-variable monomials and monomials on (Fp*)^n achieve perfect context-hiding, multilinear monomials require rerandomization to avoid information leakage.
The work highlights the trade-offs of rerandomization on upload rate and opens avenues for classifying context-hiding in arbitrary polynomial functions.

The context-hiding property in Shamir-based Homomorphic Secret Sharing (HSS) provides a rigorous security criterion for enabling multiple input clients to share private inputs among servers, such that output shares from servers leak no more information than the function’s output itself. The property is fundamental in secure multi-party computation (MPC) frameworks relying on HSS, with particular emphasis on how output shares of a homomorphic protocol depend on input values and random choices, and on the necessity of rerandomization when context hiding fails for certain function classes (Feng et al., 1 Dec 2025).

1. Preliminaries and Model

HSS operates over a prime field $\Fp$ with key parameters: $n$ (number of inputs), $m$ (number of servers), $t$ (privacy threshold in Shamir’s $(t,m)$ sharing scheme), and $d$ (polynomial degree to be evaluated, under constraint $dt < m$ ). A Shamir-based $t$ -private $m$ -server Information Theoretic HSS (IT-HSS) supports degree- $d$ polynomials. Input clients encode secret values into Shamir shares distributed to servers. Each server then evaluates the function homomorphically on its received share; the aggregate output reconstructs the result, with security tied to the behavior of the output shares conditioned on identical function output.

2. Formal Definition of Context‐Hiding

Context-hiding for a single function $f : \D_f \rightarrow \R_f \subseteq \Fp$ follows Definition [(Feng et al., 1 Dec 2025), Def. \ref{def_ch}]:

Let $\IT$-$\HSS$ be an IT-HSS scheme for $f$ . For any adversary $\A$, consider the experiment:

$\A$ outputs distinct $\x^{(0)}, \x^{(1)} \in \D_f$ with $f(\x^{(0)}) = f(\x^{(1)})$.
A random bit $b$ is chosen; shares $(\s_j)_{j=1}^m \gets \Share(\x^{(b)})$ computed.
Each server $j$ computes $y_j \gets \Eval(j, f, \s_j)$.
$\A$ receives $(y_1, \ldots, y_m)$ and outputs guess $b'$ .
Output is $1$ if $b'=b$ , else $0$.

Adversarial advantage is:

$\Adv_{\A,\IT\text{-}\HSS}^{\CtxHide(f)} = \Big| \Pr[ \Exp_{\A,\IT\text{-}\HSS}^{\CtxHide(f)} = 1 ] - \frac{1}{2} \Big|$

$\IT$-$\HSS$ is context-hiding for $f$ if $\Adv_{\A,\IT\text{-}\HSS}^{\CtxHide(f)} \leq \negl(\lambda)$ for every $\A$ (negligible in security parameter $\lambda$ ). Perfect context-hiding occurs when advantage is zero for all $\A$. Outputs with unique preimages are excluded, as they trivially satisfy context-hiding.

3. Context-Hiding Results for Shamir-Based HSS

A suite of theorems delineates where context-hiding holds or fails:

3.1. Constants and Linear Monomials

For $f_0(x) \equiv 1$ and $f_1(x) = x$ , Shamir-based HSS is perfectly context-hiding [Thm. IV.1]:

A constant function yields output shares independent of input.
For $f(x)=x$ , output client learns $x$ exactly, leaking nothing beyond the function output.

3.2. Multilinear Monomials

For $f(\x)=x_1x_2\cdots x_d$ with $d \geq 2$ , context-hiding fails [Thm. IV.2]:

Construct $\x^{(0)} = (0, ..., 0)$ and $\x^{(1)} = (0, ..., 0, 1)$ with identical outputs.
Output share $y_j^{(b)} = \prod_{i=1}^d (x_i^{(b)} + \sum_{u=1}^t j^u r_{u,i}^{(b)})$ .
A Vandermonde-type linear combination over shares detects $b$ with non-negligible advantage.

3.3. Single-Variable Monomials $x^d$

For $f(x)=x^d$ , Shamir-based HSS is perfectly context-hiding [Thm. IV.3]:

If $\gcd(d, p-1) = 1$ , $f$ is a permutation.
Otherwise, randomness pairing via root of unity $c$ with $c^d=1$ makes output-share vectors identical for any preimage pair.

3.4. General Monomials on $(\Fp^*)^n$

For $f(\x) = \prod_{i=1}^n x_i^{d_i}$ over $(\Fp^*)^n$, perfect context-hiding holds [Thm. IV.4]:

Any two input tuples $\x^{(0)}, \x^{(1)}$ with same output differ by $x_i^{(1)} = c_i x_i^{(0)}$ for $\prod c_i^{d_i}=1$ .
Randomness paired via $r_{u,i}^{(1)} = c_i r_{u,i}^{(0)}$ yields identical output-share vectors.

3.5. Equivalence of Polynomials

Context-hiding is closed under affine/lift transformations [Thm. IV.5]:

$(f, \D_f) \equiv (g, \D_g)$, with $g(\x) = \alpha(f((\x+\mathbf{c})L+\mathbf{e}) + \beta ) + \gamma$ for invertible $L,\alpha,\beta,\gamma,\cc,\ee$.
Context-hiding for $f$ iff for $g$ ; randomness paired via $L^{-1}$ and scalars.

4. Proof Strategies and Leakage Analysis

Algebraic pairing arguments establish perfect context-hiding for monomial settings: bijections on random Shamir-shares equate output-share vectors. For multilinear monomials over $\Fp^n$, combinatorial/Vandermonde analysis shows adversaries can detect input context with non-negligible probability, yielding context-hiding failure. Explicitly, for share construction, clients pick a random polynomial $\varphi(u)$ of degree $\leq t$ , with $\varphi(0) = (x_1, \dots, x_n)$ ; server $j$ receives $\s_j = \varphi(j)$. Monomial evaluation on server: $y_j = \prod_{i=1}^n (\varphi_i(j))^{d_i} = \prod_{i=1}^n (x_i + \sum_{u=1}^{t} j^u r_{u,i})^{d_i}$ ; joint distribution of $(y_j)_{j=1}^m$ governs leakage.

5. Rerandomization and Rate Implications

Context-hiding is often enforced in prior HSS/MPC protocols via rerandomization of output shares:

Alongside $\Share(\x)$, client shares a fresh Shamir-share of $0$.
Servers publish $y_j' = y_j + z_j$ , with $z_j$ a share for $f(0)$ , masking $y_j$ .
Distribution of $(y_j')$ depends only on $f(\x)$.
Share size doubles: original $m$ field elements per client $\rightarrow$ $2m$ field elements; upload rate halved.
General masking by $k$ independent zero-shares incurs a $\times(k+1)$ blowup in share size.
Bit-length per field element remains $\Theta(\log p)$ .

A plausible implication is that maximizing upload rate (avoiding rerandomization) is only feasible for functions with perfect context-hiding, capturing key efficiency/security tradeoffs.

6. Extensions to General Polynomials

Generalization proceeds via equivalence:

For $(f, \D_f)\equiv(g, \D_g)$ (as above), context-hiding properties propagate between $f$ and $g$ .
Any polynomial affinely equivalent to a monomial inherits its context-hiding behavior.
Classification beyond such equivalence classes remains an open problem.

7. Comparison to Prior Results, Limitations, and Open Questions

Earlier HSS/MPC results imposed rerandomization to achieve context-hiding, universally doubling upload. Fosli et al.’s “symmetric privacy” analysis [FIKW22] was restricted to $x_1x_2$ and $x_1x_2x_3$ , omitting the observed sufficiency of Shamir-based HSS for single-variable monomials and monomials on $(\Fp^*)^n$ without rerandomization. The present analysis (Feng et al., 1 Dec 2025) establishes removal of rerandomization for $f(x) = x^d$ or $f(\x) = \prod x_i^{d_i}$ (on $(\Fp^*)^n$), recovering upload rate $=1$ .

Multilinear monomials $x_1x_2\cdots x_d$ over $\Fp^d$ fail context-hiding unless rerandomization is applied. The classification of which polynomial functions admit perfect context-hiding under Shamir-based HSS—beyond affine equivalence classes—remains an open area of research. Achieving context-hiding for arbitrary polynomials via rerandomization entails at least a $2\times$ rate penalty and potentially greater overhead with higher-degree masking.

PDF Markdown Chat (Pro)

References (1)

On the Context-Hiding Property of Shamir-Based Homomorphic Secret Sharing (2025)

Whiteboard

Generate a whiteboard explanation of this topic.

Follow Topic

Get notified by email when new papers are published related to Context-Hiding Property of HSS.