Shamir-Based HSS for Monomials

• The paper introduces a Shamir-based homomorphic secret sharing scheme for monomials that achieves perfect context-hiding and secure multi-party computation over a prime field.
• The methodology leverages polynomial share generation, local homomorphic evaluation at servers, and Lagrange interpolation for accurate output reconstruction.
• The scheme balances privacy with communication efficiency by meeting parameter constraints, enabling secure evaluation of monomials in MPC frameworks.

Shamir-based homomorphic secret sharing (HSS) for monomials is a secret-sharing scheme that enables secure multi-party computation over a prime field $\F_p$ by distributing shares of individual client inputs among $m$ servers. Each server computes a homomorphic evaluation of a monomial function over its received shares, enabling reconstruction of the functional output and achieving a strong privacy guarantee: the output shares reveal no more information about the private inputs than the output value itself. At the heart of this privacy is the context-hiding property, which ensures indistinguishability of output-share distributions for input tuples yielding the same function output.

1. Scheme Definition and Preliminaries

The scheme is instantiated for an arbitrary monomial $f(x_1,\dots,x_n)=x_1^{e_1}x_2^{e_2}\dots x_n^{e_n}$, specialized from the general Shamir-HSS protocols of Ishai–Lai–Malavolta [ILM21] and Fosli–Ishai–Kolobov–Wootters [FIKW22], as detailed in (Feng et al., 1 Dec 2025). It operates over the field $\F_p$, with $t$ denoting the privacy threshold such that up to $t$ colluding servers learn nothing about the inputs, and $m$ the number of servers, subject to $m>t\sum_i e_i$ for successful output reconstruction.

Three algorithms define the scheme:

• $\Gen(x_1,\dots,x_n)$: For each client $i$, sample a random Shamir polynomial $\varphi_i(u) = x_i + r_{i,1}u + \dots + r_{i,t}u^t$, $r_{i,u}\in\F_p$. For each server $j$, compute shares $s_{i,j} = \varphi_i(\alpha_j)$.
• $\Eval(j,f,\mathbf{s}_j)$: Server $j$ locally computes $y_j = \prod_{i=1}^n (s_{i,j})^{e_i}\in\F_p$.
• $\Rec((y_1,\dots,y_m))$: View $g(u)=\prod_{i=1}^n \varphi_i(u)^{e_i}$, interpolate $g(0)=f(x_1,\dots,x_n)$ from $(\alpha_j,y_j)$ using Lagrange interpolation with basis coefficients $$\ell_j=\prod_{k\neq j} \frac{\alpha_k}{\alpha_k-\alpha_j}$$.

2. Share Generation, Homomorphic Evaluation, and Reconstruction

Input sharing follows the classic Shamir secret sharing paradigm, generating polynomials $p_i(u)=x_i+\sum_{u=1}^t r_{i,u}u^u$. Server $j$ receives the tuple $(s_{1,j},\dots,s_{n,j})$.

Homomorphic evaluation is performed locally: $$y_j = \prod_{i=1}^n p_i(\alpha_j)^{e_i} = g(\alpha_j),$$ where $g(u)$ has total degree at most $\sum_i e_i t$, permitting output reconstruction if $m>\sum_i e_i t$.

Final reconstruction uses the set $\{(\alpha_j,y_j)\}_{j=1}^m$: $f(x_1,\dots,x_n) = g(0) = \sum_{j=1}^m y_j \ell_j,$ recovering the functional output with perfect completeness.

Step	Input	Output
Share Generation	$x_i\in\F_p$	$s_{i,j}=p_i(\alpha_j)$
Homomorphic Eval	$s_{i,j}$	$y_j=\prod_i s_{i,j}^{e_i}$
Reconstruction	$(y_j)$	$f(x_1,\dots,x_n)$

3. Context-Hiding Property and Formal Definition

Context-hiding requires that output shares $(y_1,\dots,y_m)$ for two distinct input tuples $\mathbf{x}^{(0)} \neq \mathbf{x}^{(1)}$ yielding the same function output, $f(\mathbf{x}^{(0)})=f(\mathbf{x}^{(1)})$, are identically distributed. As formalized (adapted from Definition 4 in (Feng et al., 1 Dec 2025)), perfect context-hiding for $f$ means indistinguishability of output-share distributions when the function outputs coincide.

4. Characterization and Proof of Context-Hiding

Rigorous characterization is provided in Theorems 5 and 6 of (Feng et al., 1 Dec 2025):

• For $n=1$, i.e., $f(x)=x^d$ on $\F_p$, the scheme is perfectly context-hiding.
• For $n\ge2$, restricting inputs to $(\F_p^*)^n$ (i.e., each $x_i\neq0$), the scheme remains perfectly context-hiding.

The proof utilizes the scaling property: given two input tuples $\mathbf{x}^{(0)},\mathbf{x}^{(1)}\in (\F_p^*)^n$ with equal $f(\cdot)$, there exist scalars $c_i\in\F_p^*$ such that $x_i^{(1)}=c_i x_i^{(0)}$, with $\prod_i c_i^{e_i}=1$. Corresponding Shamir polynomials are set such that $r_{i,u}^{(1)}=c_i r_{i,u}^{(0)}$, yielding $p_i^{(1)}(u)=c_i p_i^{(0)}(u)$ and recursively $y_j^{(1)}=y_j^{(0)}$. Thus, the output-share joint distributions are identical, confirming zero advantage for any distinguisher.

5. Communication Complexity and Trade-offs

The scheme's communication properties are dictated by parameters $n$, $m$, and $t$, as follows:

• Upload (input-share): Each of $n$ clients sends one field element to each of the $m$ servers, for a total of $nm$ elements (rate $\approx 1/m$).
• Download (output-share): Each server sends one field element ($m$ elements total, $\approx 1/m$ rate).
• The degree $t$ sets the privacy threshold: higher $t$ increases polynomial degree, raising minimal $m$ as $m>t\sum_i e_i$.

Privacy and performance trade-off: to tolerate larger $t$ or evaluate higher-degree monomials, $m$ must increase, raising communication overhead but preserving information-theoretic security guarantees.

6. Example Instantiation

Consider $n=2$, $f(x_1,x_2)=x_1^2x_2^3$, $t=1$, hence $\sum e_i=5$ and select $m\ge7$. The process is:

• Client $1$: $p_1(u) = x_1 + r_{1,1}u$
• Client $2$: $p_2(u) = x_2 + r_{2,1}u$
• Server $j$ receives $(s_{1,j},s_{2,j})=(p_1(j),p_2(j))$, computes $y_j = p_1(j)^2 p_2(j)^3$
• The combiner calculates $$f(x_1,x_2)=\sum_{j=1}^7 y_j \prod_{k\neq j}\frac{k}{k-j}$$

Context-hiding is preserved if input pairs $(x_1^{(0)},x_2^{(0)})\neq(x_1^{(1)},x_2^{(1)})$ satisfying $$(x_1^{(0)})^2(x_2^{(0)})^3 = (x_1^{(1)})^2(x_2^{(1)})^3$$ induce the same distribution of $(y_1,\dots,y_7)$.

7. Significance, Implications, and Extensions

Shamir-based HSS for monomials provides information-theoretic privacy and supports perfect context hiding under suitable parameterizations. Its applicability extends to secure multi-party computation for functions represented as monomials (and more generally polynomials, as discussed in (Feng et al., 1 Dec 2025)). The scheme's rigorous context-hiding guarantee is achieved without rerandomization, thus optimizing share size and communication complexity versus previous techniques.

A plausible implication is the extension to arbitrary polynomials and the broader deployment of such context-hiding HSS approaches in MPC frameworks, leveraging the strict privacy bounds and efficient evaluation characteristic of Shamir-based structures.