Distributed Point Functions (DPFs)
- Distributed Point Functions (DPFs) are cryptographic primitives that encode a point function with a nonzero value at a specific index and zeros elsewhere, securely shared among multiple parties.
- They power privacy-enhancing technologies such as private information retrieval, anonymous messaging, secure multiparty computation, and privacy-preserving machine learning.
- Key design goals include sublinear key sizes, efficient evaluation, and robust privacy against colluding adversaries, achieved via PRG-based, information-theoretic, and DDH-based constructions.
Distributed Point Functions (DPFs) are cryptographic primitives enabling the secret sharing of point functions across multiple parties for a broad class of privacy-preserving technologies. DPFs efficiently encode a function —which is at a single point and zero elsewhere—into shares or keys distributed among servers, ensuring that only the correct recombination reveals the function value at any point, while bounded subsets of colluding servers learn nothing about . DPFs serve as the foundation for function secret sharing schemes, with major applications in private information retrieval, anonymous messaging systems, secure multiparty computation, and privacy-preserving machine learning. Research has yielded a variety of DPF constructions under different trust and adversary models, including those based on pseudorandom generators (PRGs), information-theoretic secret sharing, and algebraic assumptions such as the Decisional Diffie–Hellman (DDH).
1. Formal Definition and Properties
Given a domain and an Abelian group , a point function is if and $0$ otherwise. A -party 0-DPF scheme consists of a key generation algorithm 1, where 2 is a security parameter, and per-party evaluation algorithms 3. A decoding procedure reconstructs 4 from the 5's. Required properties are:
- Correctness: For all inputs,
6
with probability 7.
- 8-Privacy: For any coalition of up to 9 corrupted parties, their joint keys reveal no information about 0 beyond public parameters.
- Efficiency: Key size and evaluation time are much smaller than the full function table size. Achieving sublinear or polylogarithmic key size is a central objective.
The privacy and correctness requirements are formalized under both information-theoretic and computational notions, depending on adversarial assumptions and cryptographic setting (Damie et al., 18 Mar 2026, Miranda et al., 2021, Ke et al., 1 Apr 2026).
2. Main Construction Paradigms
DPFs have been instantiated using PRG-based, algebraic, and information-theoretic primitives. Key paradigms include:
- PRG-Based DPFs: Classic 2-party DPFs use a PRG and a binary tree structure, with the key size scaling logarithmically in 1 (Miranda et al., 2021). Generalizing to the 2-party case, early schemes faced exponential key growth in the number of parties and field size. Recent advancements under the honest-majority assumption remove the exponential factor, achieving practical key sizes proportional to 3 rather than 4 (Damie et al., 26 Sep 2025).
- Information-Theoretic DPFs (ITDPFs): ITDPFs rely on threshold secret sharing (e.g., Shamir's), enabling perfect 5-privacy for any 6 (Miranda et al., 2021, Deng et al., 27 Apr 2026, Ke et al., 1 Apr 2026). These schemes encode the point location and value with optimal information-flow, supporting both single and multi-party evaluations. Newer constructions leverage tools from PIR schemes (e.g., Ghasemi–Kopparty–Sudan), yielding shorter keys and further improvements in asymptotic behavior (Deng et al., 27 Apr 2026).
- DDH-Based DPFs: For domains requiring algebraic groups (e.g., elliptic curve groups), DPFs can be constructed using the DDH assumption. The latest DDH-based honest-majority DPF reduces key size to 7, outperforming previous 8 constructions via grid decomposition and hybrid information-theoretic and algebraic techniques (Damie et al., 18 Mar 2026).
3. Threshold, Multi-User, and Extended Models
Recent work extends the DPF primitive to more general trust models and multi-user settings:
- Threshold DPFs: 9-threshold DPFs enable reconstruction only when at least 0 shares are present. This is achieved via a combination of Shamir sharing, key-homomorphic PRFs, and careful randomized masking. Threshold DPFs support adaptive, multi-evaluation security and are central to robustness in secret sharing (Miranda et al., 2021).
- Distributed Multi-User Point Functions (DMUPF): In DMUPF scenarios, a master node distributes shares to 1 servers for 2 users with arbitrary access structures, ensuring that each user can evaluate its own point function with information-theoretic privacy even in the presence of colluding users. The achievable storage rate is precisely characterized by combinatorial covering constraints on the access sets (Khalesi et al., 17 Jan 2025).
- Comparison and Generalized Functions: DPF techniques have been expanded to closely related function classes such as comparison (DCFs) and bounded-support functions. The extension preserves efficient key size through suitable grid decompositions and correction methods (Damie et al., 18 Mar 2026). General function secret sharing for arbitrary polynomials is achieved by distributing coefficients with threshold secret sharing (Miranda et al., 2021).
4. Constructions and Key-Size Complexities
Key size is a primary metric for DPF construction practicality.
| Paradigm | Key Size Per Party | Security Model |
|---|---|---|
| 2-party PRG-based | 3 | Computational |
| PRG-based (original, 4) | 5 | Computational |
| PRG-based, honest majority (Damie et al., 26 Sep 2025) | 6 | Computational |
| DDH-based, 7-party (Damie et al., 18 Mar 2026) | 8 | Computational (DDH) |
| ITDPF, 9-private (Deng et al., 27 Apr 2026) | 0 | Perfect |
| ITDPF, ring-based (Ke et al., 1 Apr 2026) | 1 (subpoly., independent of error 2) | Perfect/Statistical |
| Threshold DPF (Miranda et al., 2021) | 3, 4 | Perfect/Comp. |
Advancements focus on eliminating exponential dependence on 5 and 6 (field size), reducing key size to sublinear (often subpolynomial) in 7 under various trust models.
5. Security Models and Proof Techniques
Security goals for DPFs are defined by the adversarial model:
- Information-Theoretic Security: Any minority coalition (8 of 9) gains no information about 0, regardless of computational power (Miranda et al., 2021, Ke et al., 1 Apr 2026, Deng et al., 27 Apr 2026).
- Computational Security: Security is based on hardness assumptions (e.g., DDH). For DDH-based DPFs, simulated keys for the adversary's share set are indistinguishable from honest ones unless the DDH problem can be solved (Damie et al., 18 Mar 2026).
- Adaptive and Multi-Evaluation Security: Advanced DPFs protect against adversaries that adaptively choose queries or may learn multiple function evaluations. Multi-evaluation PRF-based threshold DPFs ensure security even after many evaluation queries at non-target points (Miranda et al., 2021).
Proofs typically reduce any distinguishing adversary to breaking the underlying PRG/PRF pseudorandomness or the algebraic assumption (e.g., DDH). Perfect privacy is shown via information-theoretic independence using the properties of secret sharing.
6. Applications and Implications
DPFs are central to the efficiency and security of numerous protocols:
- Private Information Retrieval (PIR): DPF-based PIR achieves sublinear or subpolynomial cost, supports error detection and even malicious resilience. Ring-based itDPFs enable large-scale, post-quantum secure, and practical error-detecting PIR (Ke et al., 1 Apr 2026).
- Anonymous messaging/broadcast: Protocols such as Riposte and Spectrum rely on DPFs to write or aggregate messages anonymously in a distributed vector; honest-majority DPFs reduce bandwidth and support larger user populations (Damie et al., 18 Mar 2026).
- Private aggregation and statistics: DPFs enable privacy-preserving histograms, empirical CDFs, and frequency estimation, by supporting securely the summation of point-function contributions from many users (Damie et al., 18 Mar 2026).
- Secure computation (FSS): DPFs serve as a basis for broader FSS where arbitrary or structured classes of functions are split and shared, with extensions to polynomials and comparison functions (Miranda et al., 2021, Damie et al., 18 Mar 2026).
7. Limitations, Open Problems, and Future Directions
Significant challenges and research opportunities remain:
- Key Size Lower Bounds: While the 1 DDH-based construction is a marked improvement, it is an open question whether further asymptotic compression to 2 for 3 is possible, especially beyond multiplicative algebraic sharing (Damie et al., 18 Mar 2026).
- Polylogarithmic Key Sizes: For 4 parties, achieving polylogarithmic key size under standard assumptions is unresolved; recent work has proposed candidate algebraic hardness assumptions, but concrete efficient schemes are lacking (Damie et al., 18 Mar 2026).
- Verifiability and Malicious Robustness: Many DPF constructions address only semi-honest threats. Extending to fully malicious, robust, verifiable models—especially for the multi-user case and ITDPFs—requires new machinery (Khalesi et al., 17 Jan 2025, Ke et al., 1 Apr 2026).
- Generalizing Function Classes: Most current DPFs handle point, comparison, or polynomial functions. Efficient FSS for other function classes—particularly with succinct keys—remains a research area (Miranda et al., 2021, Damie et al., 18 Mar 2026).
- Optimality and Second-Order Rates: The precise finite-parameter optimality of multi-user DPF systems, especially under perfect privacy, is not fully characterized (Khalesi et al., 17 Jan 2025).
- Implementation and Scalability: While modern schemes scale efficiently for practical domain sizes, certain parameter regimes or application settings (e.g., very large 5, high security thresholds, or large output group) may still result in large keys or state.
DPFs thus continue to underpin cutting-edge research at the intersection of cryptography, secure computation, and privacy-preserving systems, with ongoing advances in efficiency, generality, and deployability (Damie et al., 18 Mar 2026, Deng et al., 27 Apr 2026, Damie et al., 26 Sep 2025, Ke et al., 1 Apr 2026, Miranda et al., 2021, Khalesi et al., 17 Jan 2025).