Papers
Topics
Authors
Recent
Search
2000 character limit reached

Distributed Point Functions (DPFs)

Updated 22 June 2026
  • Distributed Point Functions (DPFs) are cryptographic primitives that encode a point function with a nonzero value at a specific index and zeros elsewhere, securely shared among multiple parties.
  • They power privacy-enhancing technologies such as private information retrieval, anonymous messaging, secure multiparty computation, and privacy-preserving machine learning.
  • Key design goals include sublinear key sizes, efficient evaluation, and robust privacy against colluding adversaries, achieved via PRG-based, information-theoretic, and DDH-based constructions.

Distributed Point Functions (DPFs) are cryptographic primitives enabling the secret sharing of point functions across multiple parties for a broad class of privacy-preserving technologies. DPFs efficiently encode a function fα,βf_{\alpha,\beta}—which is β\beta at a single point α\alpha and zero elsewhere—into shares or keys distributed among servers, ensuring that only the correct recombination reveals the function value at any point, while bounded subsets of colluding servers learn nothing about (α,β)(\alpha, \beta). DPFs serve as the foundation for function secret sharing schemes, with major applications in private information retrieval, anonymous messaging systems, secure multiparty computation, and privacy-preserving machine learning. Research has yielded a variety of DPF constructions under different trust and adversary models, including those based on pseudorandom generators (PRGs), information-theoretic secret sharing, and algebraic assumptions such as the Decisional Diffie–Hellman (DDH).

1. Formal Definition and Properties

Given a domain [N]={1,…,N}[N]=\{1,\dots, N\} and an Abelian group G\mathbb{G}, a point function is fα,β(x)=βf_{\alpha, \beta}(x) = \beta if x=αx = \alpha and $0$ otherwise. A pp-party β\beta0-DPF scheme consists of a key generation algorithm β\beta1, where β\beta2 is a security parameter, and per-party evaluation algorithms β\beta3. A decoding procedure reconstructs β\beta4 from the β\beta5's. Required properties are:

  • Correctness: For all inputs,

β\beta6

with probability β\beta7.

  • β\beta8-Privacy: For any coalition of up to β\beta9 corrupted parties, their joint keys reveal no information about α\alpha0 beyond public parameters.
  • Efficiency: Key size and evaluation time are much smaller than the full function table size. Achieving sublinear or polylogarithmic key size is a central objective.

The privacy and correctness requirements are formalized under both information-theoretic and computational notions, depending on adversarial assumptions and cryptographic setting (Damie et al., 18 Mar 2026, Miranda et al., 2021, Ke et al., 1 Apr 2026).

2. Main Construction Paradigms

DPFs have been instantiated using PRG-based, algebraic, and information-theoretic primitives. Key paradigms include:

  • PRG-Based DPFs: Classic 2-party DPFs use a PRG and a binary tree structure, with the key size scaling logarithmically in α\alpha1 (Miranda et al., 2021). Generalizing to the α\alpha2-party case, early schemes faced exponential key growth in the number of parties and field size. Recent advancements under the honest-majority assumption remove the exponential factor, achieving practical key sizes proportional to α\alpha3 rather than α\alpha4 (Damie et al., 26 Sep 2025).
  • Information-Theoretic DPFs (ITDPFs): ITDPFs rely on threshold secret sharing (e.g., Shamir's), enabling perfect α\alpha5-privacy for any α\alpha6 (Miranda et al., 2021, Deng et al., 27 Apr 2026, Ke et al., 1 Apr 2026). These schemes encode the point location and value with optimal information-flow, supporting both single and multi-party evaluations. Newer constructions leverage tools from PIR schemes (e.g., Ghasemi–Kopparty–Sudan), yielding shorter keys and further improvements in asymptotic behavior (Deng et al., 27 Apr 2026).
  • DDH-Based DPFs: For domains requiring algebraic groups (e.g., elliptic curve groups), DPFs can be constructed using the DDH assumption. The latest DDH-based honest-majority DPF reduces key size to α\alpha7, outperforming previous α\alpha8 constructions via grid decomposition and hybrid information-theoretic and algebraic techniques (Damie et al., 18 Mar 2026).

3. Threshold, Multi-User, and Extended Models

Recent work extends the DPF primitive to more general trust models and multi-user settings:

  • Threshold DPFs: α\alpha9-threshold DPFs enable reconstruction only when at least (α,β)(\alpha, \beta)0 shares are present. This is achieved via a combination of Shamir sharing, key-homomorphic PRFs, and careful randomized masking. Threshold DPFs support adaptive, multi-evaluation security and are central to robustness in secret sharing (Miranda et al., 2021).
  • Distributed Multi-User Point Functions (DMUPF): In DMUPF scenarios, a master node distributes shares to (α,β)(\alpha, \beta)1 servers for (α,β)(\alpha, \beta)2 users with arbitrary access structures, ensuring that each user can evaluate its own point function with information-theoretic privacy even in the presence of colluding users. The achievable storage rate is precisely characterized by combinatorial covering constraints on the access sets (Khalesi et al., 17 Jan 2025).
  • Comparison and Generalized Functions: DPF techniques have been expanded to closely related function classes such as comparison (DCFs) and bounded-support functions. The extension preserves efficient key size through suitable grid decompositions and correction methods (Damie et al., 18 Mar 2026). General function secret sharing for arbitrary polynomials is achieved by distributing coefficients with threshold secret sharing (Miranda et al., 2021).

4. Constructions and Key-Size Complexities

Key size is a primary metric for DPF construction practicality.

Paradigm Key Size Per Party Security Model
2-party PRG-based (α,β)(\alpha, \beta)3 Computational
PRG-based (original, (α,β)(\alpha, \beta)4) (α,β)(\alpha, \beta)5 Computational
PRG-based, honest majority (Damie et al., 26 Sep 2025) (α,β)(\alpha, \beta)6 Computational
DDH-based, (α,β)(\alpha, \beta)7-party (Damie et al., 18 Mar 2026) (α,β)(\alpha, \beta)8 Computational (DDH)
ITDPF, (α,β)(\alpha, \beta)9-private (Deng et al., 27 Apr 2026) [N]={1,…,N}[N]=\{1,\dots, N\}0 Perfect
ITDPF, ring-based (Ke et al., 1 Apr 2026) [N]={1,…,N}[N]=\{1,\dots, N\}1 (subpoly., independent of error [N]={1,…,N}[N]=\{1,\dots, N\}2) Perfect/Statistical
Threshold DPF (Miranda et al., 2021) [N]={1,…,N}[N]=\{1,\dots, N\}3, [N]={1,…,N}[N]=\{1,\dots, N\}4 Perfect/Comp.

Advancements focus on eliminating exponential dependence on [N]={1,…,N}[N]=\{1,\dots, N\}5 and [N]={1,…,N}[N]=\{1,\dots, N\}6 (field size), reducing key size to sublinear (often subpolynomial) in [N]={1,…,N}[N]=\{1,\dots, N\}7 under various trust models.

5. Security Models and Proof Techniques

Security goals for DPFs are defined by the adversarial model:

  • Information-Theoretic Security: Any minority coalition ([N]={1,…,N}[N]=\{1,\dots, N\}8 of [N]={1,…,N}[N]=\{1,\dots, N\}9) gains no information about G\mathbb{G}0, regardless of computational power (Miranda et al., 2021, Ke et al., 1 Apr 2026, Deng et al., 27 Apr 2026).
  • Computational Security: Security is based on hardness assumptions (e.g., DDH). For DDH-based DPFs, simulated keys for the adversary's share set are indistinguishable from honest ones unless the DDH problem can be solved (Damie et al., 18 Mar 2026).
  • Adaptive and Multi-Evaluation Security: Advanced DPFs protect against adversaries that adaptively choose queries or may learn multiple function evaluations. Multi-evaluation PRF-based threshold DPFs ensure security even after many evaluation queries at non-target points (Miranda et al., 2021).

Proofs typically reduce any distinguishing adversary to breaking the underlying PRG/PRF pseudorandomness or the algebraic assumption (e.g., DDH). Perfect privacy is shown via information-theoretic independence using the properties of secret sharing.

6. Applications and Implications

DPFs are central to the efficiency and security of numerous protocols:

  • Private Information Retrieval (PIR): DPF-based PIR achieves sublinear or subpolynomial cost, supports error detection and even malicious resilience. Ring-based itDPFs enable large-scale, post-quantum secure, and practical error-detecting PIR (Ke et al., 1 Apr 2026).
  • Anonymous messaging/broadcast: Protocols such as Riposte and Spectrum rely on DPFs to write or aggregate messages anonymously in a distributed vector; honest-majority DPFs reduce bandwidth and support larger user populations (Damie et al., 18 Mar 2026).
  • Private aggregation and statistics: DPFs enable privacy-preserving histograms, empirical CDFs, and frequency estimation, by supporting securely the summation of point-function contributions from many users (Damie et al., 18 Mar 2026).
  • Secure computation (FSS): DPFs serve as a basis for broader FSS where arbitrary or structured classes of functions are split and shared, with extensions to polynomials and comparison functions (Miranda et al., 2021, Damie et al., 18 Mar 2026).

7. Limitations, Open Problems, and Future Directions

Significant challenges and research opportunities remain:

  • Key Size Lower Bounds: While the G\mathbb{G}1 DDH-based construction is a marked improvement, it is an open question whether further asymptotic compression to G\mathbb{G}2 for G\mathbb{G}3 is possible, especially beyond multiplicative algebraic sharing (Damie et al., 18 Mar 2026).
  • Polylogarithmic Key Sizes: For G\mathbb{G}4 parties, achieving polylogarithmic key size under standard assumptions is unresolved; recent work has proposed candidate algebraic hardness assumptions, but concrete efficient schemes are lacking (Damie et al., 18 Mar 2026).
  • Verifiability and Malicious Robustness: Many DPF constructions address only semi-honest threats. Extending to fully malicious, robust, verifiable models—especially for the multi-user case and ITDPFs—requires new machinery (Khalesi et al., 17 Jan 2025, Ke et al., 1 Apr 2026).
  • Generalizing Function Classes: Most current DPFs handle point, comparison, or polynomial functions. Efficient FSS for other function classes—particularly with succinct keys—remains a research area (Miranda et al., 2021, Damie et al., 18 Mar 2026).
  • Optimality and Second-Order Rates: The precise finite-parameter optimality of multi-user DPF systems, especially under perfect privacy, is not fully characterized (Khalesi et al., 17 Jan 2025).
  • Implementation and Scalability: While modern schemes scale efficiently for practical domain sizes, certain parameter regimes or application settings (e.g., very large G\mathbb{G}5, high security thresholds, or large output group) may still result in large keys or state.

DPFs thus continue to underpin cutting-edge research at the intersection of cryptography, secure computation, and privacy-preserving systems, with ongoing advances in efficiency, generality, and deployability (Damie et al., 18 Mar 2026, Deng et al., 27 Apr 2026, Damie et al., 26 Sep 2025, Ke et al., 1 Apr 2026, Miranda et al., 2021, Khalesi et al., 17 Jan 2025).

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Distributed Point Functions (DPFs).