Ideal Private Simultaneous Messages Schemes and Their Applications

Hiwatashi, Keitaro; Eriguchi, Reo

doi:10.4230/LIPIcs.ITCS.2026.76

Ideal Private Simultaneous Messages Schemes and Their Applications

Keitaro Hiwatashi¹¹1corresponding author National Institute of Advanced Industrial Science and Technology, Tokyo, Japan Reo Eriguchi

National Institute of Advanced Industrial Science and Technology, Tokyo, Japan

Abstract

Private Simultaneous Messages (PSM) is a minimal model for secure computation, where two parties, Alice and Bob, have private inputs $x, y$ and a shared random string. Each of them sends a single message to an external party, Charlie, who can compute $f(x,y)$ for a public function $f$ but learns nothing else. The problem of narrowing the gap between upper and lower bounds on the communication complexity of PSM has been widely studied, but the gap still remains exponential. In this work, we study the communication complexity of PSM from a different perspective and introduce a special class of PSM, referred to as ideal PSM, in which each party’s message length attains the minimum, that is, their messages are taken from the same domain as inputs. We initiate a systematic study of ideal PSM with a complete characterization, several positive results, and applications. First, we provide a characterization of the class of functions that admit ideal PSM, based on permutation groups acting on the input domain. This characterization allows us to derive asymptotic upper bounds on the total number of such functions and a complete list for small domains. We also present several infinite families of functions of practical interest that admit ideal PSM. Interestingly, by simply restricting the input domains of these ideal PSM schemes, we can recover most of the existing PSM schemes that achieve the best known communication complexity in various computation models. As applications, we show that these ideal PSM schemes yield novel communication-efficient PSM schemes for functions with sparse or dense truth-tables and those with low-rank truth-tables. Furthermore, we obtain a PSM scheme for general functions that improves the constant factor in the dominant term of the best known communication complexity. An additional advantage is that our scheme simplifies the existing construction by avoiding the hierarchical design of internally invoking PSM schemes for smaller functions.

Keywords and phrases:

secure computation, private simultaneous messages, communication complexity

Copyright and License:

2012 ACM Subject Classification:

Theory of computation

\rightarrow

Cryptographic primitives

Acknowledgements:

We would like to thank Koji Nuida for his helpful comments.

Funding:

This work was supported in part by JST CREST Grant Number JPMJCR22M1, JST K Program Grant Number JPMJKP24U3, and JSPS KAKENHI Grant Numbers 24K20775.

Editor:

Shubhangi Saraf

Series and Publisher:

Leibniz International Proceedings in Informatics, Schloss Dagstuhl – Leibniz-Zentrum für Informatik

1 Introduction

Secure computation [49] is a fundamental cryptographic primitive which enables two parties, Alice and Bob, to evaluate a function $f$ over their joint inputs without revealing information other than the output. This problem has been considered in several different models and settings (see, e.g., [30, 12, 17, 20, 21, 22]). In this work, we consider this problem in a minimal model for communication in the setting of information-theoretic security, referred to as Private Simultaneous Messages (PSM) model [29, 33]. In a (two-party) PSM scheme, Alice holds an input $x$ , Bob holds an input $y$ , and they both share common randomness. Each of them sends a message to an external party, Charlie, who can then compute $f(x,y)$ but learns nothing else.

The central research question is to determine the minimum communication complexity of PSM schemes for a given function $f$ , where communication complexity is defined as the total bit-length of Alice’s and Bob’s messages. This question has been extensively studied for general functions as well as for functions with specific representations [34, 23, 7, 6, 9, 2, 3, 47, 25]. The currently best known construction for a general function $f:X\times X\to\{0,1\}$ provides a PSM scheme with communication complexity $O(\sqrt{N})$ , where $N$ denotes the cardinality of $X$ [7]. Whereas, the lower bound of $3\log N-O(\log\log N)$ bits is derived for certain functions [2]. Despite all the progresses, however, there still remains an exponential gap between upper and lower bounds.

In this work, we depart from prior approaches aimed at narrowing the exponential gap and study the communication complexity of PSM from a different perspective. It is clear that a communication complexity of $2\log N$ bits is trivially unavoidable in light of the input length²²2Note that if a non-zero probability of failure is allowed in the reconstruction, this lower bound does not apply. Throughout this paper, we focus on PSM with perfect correctness.. Thus, if a PSM scheme has communication complexity equal to the input length of $f$ , then it is necessarily communication-optimal. We will refer to such schemes as ideal PSM schemes. Due to the lower bounds by [2, 23, 47], not every function admits ideal PSM. Nevertheless, some special functions of interest admit ideal PSM. For example, the function that computes the sum $x+y$ over an abelian group is realized by a PSM scheme where Alice sends $x+r$ and Bob sends $y-r$ for a uniformly random element $r$ . This scheme is ideal since messages are taken from the same domain as inputs. The main goal of this work is to give a complete characterization of functions that admit ideal PSM.

This research direction is inspired by a series of works on ideal secret sharing schemes [15, 42, 48, 11, 27, 28, 26, 18]. A secret sharing scheme is called ideal if the size of every share is equal to that of a secret, which is proven to be the optimal size [37]. While a complete characterization is not known, several classes of access structures are proven to admit ideal secret sharing schemes (see Section 1.2 for details). We are the first to conduct a systematic study of ideal PSM schemes, in analogy with ideal secret sharing schemes.

1.1 Our Results

In this work, we initiate a theory of ideal PSM schemes with a complete characterization, several positive results, and applications. As an interesting implication, our results provide a unified perspective on existing PSM constructions achieving the best known communication complexity, and moreover yield novel and more efficient constructions. First, we show a necessary and sufficient condition for functions to admit ideal PSM, using group-theoretic terminology. Specifically, we prove that such functions are essentially limited to a family of functions induced by certain permutation groups on the input domain. This characterization allows us to derive asymptotic upper bounds on the number of functions admitting ideal PSM and a complete list when the domain size $N$ is small (e.g., up to $N\leq 23$ for boolean functions). We also provide several infinite families of functions of special interest that admit ideal PSM schemes, including the sum function mentioned above. As applications, we propose novel communication-efficient PSM schemes for functions with sparse/dense or low-rank truth-tables, improving upon the previous construction for functions with bounded tiling number [41]. Furthermore, we reduce the constant factor in the dominant term of the best known communication complexity for general functions [7], from $12\sqrt{N}$ to $8\sqrt{N}$ . Below, we elaborate on our results.

1.1.1 Characterization

We say that a PSM scheme is ideal if the message space of each party $i$ is the same as $X_{i}$ . A function $f:X_{0}\times X_{1}\to Y$ is called an ideal PSM function if there exists an ideal PSM scheme for $f$ . To formalize our characterization, we introduce the invariant group $I_{f}$ of $f$ , defined as the set of all pairs of permutations $\pi=(\pi_{0},\pi_{1})$ , where each $\pi_{i}$ acts on $X_{i}$ , such that $f(\pi_{0}(x),\pi_{1}(y))=f(x,y)$ for all $(x,y)\in X_{0}\times X_{1}$ . This group naturally acts on $X_{0}\times X_{1}$ . We show that $f$ is an ideal PSM function if and only if $I_{f}$ satisfies the following condition: for any pair of inputs $(x,y),(x^{\prime},y^{\prime})\in X_{0}\times X_{1}$ such that $f(x,y)=f(x^{\prime},y^{\prime})$ , there exists a permutation $\pi\in I_{f}$ such that $(x^{\prime},y^{\prime})=\pi(x,y)$ . This characterization makes it easier to test if a given function admits ideal PSM, by finding an appropriate permutation that preserves the outputs of $f$ .

A key technical idea in our characterization is that the class of ideal PSM functions is essentially restricted to a special subclass, that is, every ideal PSM function is equivalent to one of them³³3We say that two functions are equivalent if they are identical up to permutations of inputs and outputs.. Specifically, each function $f_{\mathcal{G}}$ in the subclass is parameterized by a tuple $\mathcal{G}=(G_{0},G_{1},\psi)$ , where $G_{i}$ is a subgroup of permutations on $X_{i}$ and $\psi$ is an isomorphism from $G_{0}$ to $G_{1}$ , and $f_{\mathcal{G}}$ maps each input $(x,y)$ to its orbit under the action of $\mathcal{G}$ on $X_{0}\times X_{1}$ . We show that any function $f$ admitting ideal PSM is equivalent to $f_{\mathcal{G}}$ for some $\mathcal{G}$ . This formalization is useful for the enumeration of ideal PSM functions since it reduces the problem to the enumeration of all such tuples $\mathcal{G}$ .

1.1.2 Enumeration

We provide asymptotic upper bounds on the total number of connected functions $f:X_{0}\times X_{1}\to Y$ that admit ideal PSM. Here, we additionally assume that $f$ is connected, meaning that there exists no partition of $X_{0}\times X_{1}$ into rectangles each of which corresponds to disjoint values of $f$ . In the boolean case $Y=\{0,1\}$ , this assumption excludes only a few trivial functions and does not affect the asymptotic results. Note that naively enumerating all tuples $\mathcal{G}$ cannot yield a non-trivial upper bound. This is because a permutation group of degree $N$ contains at least $2^{\Omega(N^{2})}$ subgroups [43], implying that such a naive enumeration cannot improve upon the trivial bound of $2^{N^{2}}$ given by the total number of functions. We leverage group-theoretic properties of ideal PSM functions to remove duplicate counts of $\mathcal{G}$ ’s that correspond to equivalent functions. As a result, we obtain a non-trivial upper bound of $2^{O(N\log^{2}N)}$ on the number of ideal PSM functions, where $N=\max\{|X_{0}|,|X_{1}|\}$ . Furthermore, if $|X_{0}|$ and $|X_{1}|$ are primes, we can significantly improve the upper bound to $2^{O(\log^{3}N)}$ . These bounds demonstrate that the fraction of ideal PSM functions is exponentially small compared to the set of all functions.

We provide a complete list of ideal PSM functions for small domains by enumerating all tuples $\mathcal{G}$ determining non-equivalent functions $f_{\mathcal{G}}$ . We use an open software package called GAP to enumerate permutation groups⁴⁴4https://www.gap-system.org/about/. For a general range $Y$ , we obtain a list of such functions up to $N\leq 15$ except for the case of $|X_{0}|=|X_{1}|=12$ . For a boolean case $Y=\{0,1\}$ , we show that each equivalence class of ideal PSM functions corresponds to a connected component of a certain graph, leading to substantial reduction in computational cost. As a result, we obtain a larger list of functions up to $N\leq 23$ in the boolean case. The resulting lists are available in [1].

1.1.3 Infinite Families

We show that the following families of practically relevant functions admit ideal PSM schemes:

$\blacksquare$

Group product. This function computes the iterated product of a combined sequence of (possibly non-commutative) group elements held by two parties.
$\blacksquare$

Index function. This function takes a function $\phi:H\to G$ from a certain class and a pair $(x,r)\in H\times G$ as input, and outputs $\phi(x)-r$ , where $H$ and $G$ are abelian groups. This family generalizes the original notion of the index function [29, 38], which outputs $D_{x}$ on input a vector $D=(D_{i})_{1\leq i\leq N}$ and an index $x$ . It also includes the inner product and multi-linear polynomials as special cases.
$\blacksquare$

Private set intersection cardinality (PSIC). This function takes two subsets $A_{0}$ and $A_{1}$ of a common set as input and outputs $|A_{0}\cap A_{1}|$ . This family particularly includes the equality function, which tests the equality of two elements.

In particular, we are the first to consider PSIC functions in the PSM setting and to show a communication-optimal construction for them.

Interestingly, by simply restricting the input domains of the above ideal PSM schemes, we can recover most of the existing PSM schemes that achieve the state-of-the-art communication complexity in various computation models. The best known schemes for branching programs [29] and arithmetic formulas [34, 19] are obtained by evaluating the group product over restricted inputs. The nearly optimal construction for polynomials [38] is also obtained by computing a generalized index function, where $\phi$ is taken to be a multi-linear polynomial. As explained below, the previous constructions [7, 3] can be even refined and simplified within our framework based on ideal PSM schemes.

1.1.4 Communication-efficient and Simplified Constructions

We demonstrate that ideal PSM schemes for the above function families induce more communication-efficient PSM schemes for several functions. First, we consider a function $f:X\times X\to\{0,1\}$ such that the number of $1$ ’s in each row of its truth-table $T_{f}$ (viewed as a matrix) is at most $d\ll N:=|X|$ . Prior to our work, the only general construction in [7] can apply, resulting in communication complexity of $O(\sqrt{N})$ . In contrast, by embedding $T_{f}$ to the truth-table of a PSIC function, we obtain a novel PSM scheme for $f$ with communication complexity $O(d\log(N+d))$ , implying a strict improvement when $d=o(\sqrt{N}/\log N)$ . The same communication complexity can be attained when the columns are sparse as well as when the rows (or columns) are dense, that is, they contain at least $n-d$ ones for a small $d$ .

Next, Narayanan et al. [41] showed that a function $f:X\times X\to Y$ can be realized by a PSM scheme with communication complexity $O(k_{f}\log|Y|)$ , where $k_{f}$ denotes the tiling number of $f$ . Here, the tiling number refers to the smallest number of disjoint monochromatic rectangles covering the truth-table $T_{f}$ . On the other hand, by embedding $T_{f}$ to the truth-table of the inner product, we present a novel PSM scheme for $f$ with communication complexity $O(r_{f}\log|Y|)$ , where $r_{f}$ denotes the rank of $T_{f}$ as a matrix over some field of size at least $|Y|$ . As is well known, it always holds that $k_{f}\geq r_{f}$ (e.g., [31]) and thus our scheme achieves a more refined communication complexity.

Finally, Beimel et al. [7] presented a PSM scheme for a general function $f:X\times X\to\{0,1\}$ with communication complexity $O(\sqrt{N})$ , which is at least $12\sqrt{N}$ , where $N=|X|$ . In contrast, we adopt a different approach based on ideal PSM schemes to improve and simplify their construction. We show an ideal PSM function $G_{f}:X^{\prime}\times X^{\prime}\to\{0,1\}$ with $\log|X^{\prime}|={4\sqrt{N}+1}$ that contains $f$ as a restriction. As a result, we obtain a PSM scheme for $f$ with communication complexity $8\sqrt{N}+2$ from the ideal PSM scheme for $G_{f}$ , improving the constant factor in the dominant term of [7]. An additional benefit is that our construction is simpler and more direct: Alice and Bob can compute their messages simply by applying explicitly given permutations to their inputs. As a result, the message functions of our scheme can be expressed in closed form and avoid the hierarchical design of [7, 3], which relies on nested invocations of PSM schemes for smaller functions.

1.2 Related Work

We provide a brief history of the problem of determining the optimal communication complexity of PSM schemes. Feige et al. [29] formalized the notion of PSM schemes and presented the feasibility result of two-party PSM for general functions. Ishai and Kushilevitz [33] extended this to the multi-party setting and showed a $k$ -party PSM scheme for functions represented by branching programs. These constructions, along with several variants including PSM for arithmetic formulas, are summarized in [34]. Subsequently, Beimel et al. [7] successfully devised a two-party PSM scheme for general functions $f:X\times X\to\{0,1\}$ with communication complexity $O(\sqrt{|X|})$ . This result was later generalized and improved by [9, 3], leading to $k$ -party PSM schemes with communication complexity $O(|X|^{(k-1)/2})$ , omitting factors that depend only on $k$ . Another direction aims at obtaining more communication-efficient PSM schemes for functions of special interest. For example, a series of works [6, 13, 24, 46, 25] presented several “tailor-made” constructions for symmetric functions, whose outputs are independent of the order of inputs. PSM schemes have been used to obtain many other cryptographic primitives, e.g., secure computation with general interaction patterns [32], constant-round secure computation [36, 35], and conditional disclosure of secrets [38, 39]. The model of PSM schemes has also been generalized into different scenarios such as ad-hoc PSM [5, 8] where only a subset of the parties actually send messages, and robust PSM (also known as non-interactive secure computation) [6, 13] where an external party may corrupt some parties.

There are known lower bounds on the communication complexity of PSM. Applebaum et al. [2] proved a lower bound of $3\log N-O(\log\log N)$ for the two-party case, and Ball and Randolph [4] showed a lower bound that is roughly $k^{2}\log N$ for $k$ -party PSM when $k=\omega(\log\log N)$ . Tighter upper and lower bounds are known for concrete functions with small input domains and/or a small number of parties, including the $n$ -bit AND function [29, 23, 47], the multi-input equality function [47], and the majority function [47].

A secret sharing scheme [45, 14] is a cryptographic primitive, which divides a secret $x$ into $k$ shares in such a way that $x$ can be recovered from any authorized set of shares while no information on $x$ is revealed from any unauthorized set of shares. The collection of all authorized sets, namely sets of shares that can recover a secret, is called its access structure. A secret sharing scheme is called ideal if each share is taken from the same domain as secrets [15]. Since the size of each share cannot be smaller than the secret size [37], ideal secret sharing schemes necessarily achieve the optimal share size. A series of works have shown that several classes of access structures admit ideal secret sharing schemes [42, 48, 11, 27, 28, 26, 18], and found interesting connections to combinatorics and information theory [10, 16, 40]. Despite all these progresses, the exact characterization of access structures admitting ideal secret sharing schemes is a longstanding open problem.

2 Overview of Our Techniques

2.1 Ideal PSM: Definition and Characterization

In a (two-party) PSM scheme, each of two parties has common randomness $r\in R$ and an input $x_{i}\in X_{i}$ . Then, each party sends a single message $m_{i}\in M_{i}$ to an external party, from which he learns $f(x_{0},x_{1})$ for a public function $f:X_{0}\times X_{1}\to Y$ . The PSM scheme specifies a randomized algorithm $\mathsf{Gen}$ to sample $r$ , message functions $\mathsf{Msg}_{i}:X_{i}\times R_{i}\to M_{i}$ that computes $m_{i}$ from $(x_{i},r)$ , and an evaluation function $\mathsf{Eval}:M_{0}\times M_{1}\to Y$ that outputs $f(x_{0},x_{1})$ from $(m_{0},m_{1})$ . The privacy requirement is that the distribution of messages does not leak any information on the inputs other than $f(x_{0},x_{1})$ . We say that the PSM scheme is ideal if parties’ messages are taken from the same domain as inputs, i.e., $M_{i}=X_{i}$ . A function $f$ is called an ideal PSM function if there exists an ideal PSM scheme for $f$ . The communication complexity of ideal PSM schemes cannot be reduced further if $f$ is non-degenerate, by which we mean that its truth-table has no identical rows or columns. Throughout the paper, we only consider non-degenerate functions as the computation of degenerate functions is reduced to the computation of a smaller non-degenerate function.

We introduce a special class of ideal PSM schemes. As will be shown later, these schemes are canonical in the sense that every function admitting ideal PSM can be realized by some ideal PSM scheme in this class. Each of them is parameterized by a tuple $\mathcal{G}=(G_{0},G_{1},\psi)$ , where $G_{i}$ is a subgroup of the group $\mathcal{S}_{X_{i}}$ of all permutations over $X_{i}$ , and $\psi$ is an isomorphism from $G_{0}$ to $G_{1}$ , that is, $\psi$ maps a permutation belonging to $G_{0}$ to another permutation belonging to $G_{1}$ . We define a group $\Gamma_{\mathcal{G}}$ as $\Gamma_{\mathcal{G}}=\{(\pi_{0},\pi_{1})\in G_{0}\times G_{1}:\pi_{1}=\psi(\pi% _{0})\}.$ Then, $\Gamma_{\mathcal{G}}$ naturally acts on $X_{0}\times X_{1}$ as it is a subgroup of $\mathcal{S}_{X_{0}}\times\mathcal{S}_{X_{1}}$ , and thus specifies the set of orbits, $Y_{\mathcal{G}}=\{\mathrm{Orb}_{\Gamma_{\mathcal{G}}}(x_{0},x_{1}):(x_{0},x_{1% })\in X_{0}\times X_{1}\}$ , where $\mathrm{Orb}_{\Gamma_{\mathcal{G}}}(x_{0},x_{1})=\{(\pi_{0}(x_{0}),\pi_{1}(x_{% 1})):(\pi_{0},\pi_{1})\in\Gamma_{\mathcal{G}}\}$ . We define $f_{\mathcal{G}}:X_{0}\times X_{1}\to Y_{\mathcal{G}}$ as a function that maps each input to its orbit, namely

f_{\mathcal{G}}(x_{0},x_{1})=\mathrm{Orb}_{\Gamma_{\mathcal{G}}}(x_{0},x_{1}).

We can construct an ideal PSM scheme $\Pi_{\mathcal{G}}$ for $f_{\mathcal{G}}$ as follows:

$\blacksquare$

$\mathsf{Gen}$ samples a permutation $\pi=(\pi_{0},\pi_{1})$ chosen from $\Gamma_{\mathcal{G}}$ uniformly at random.
$\blacksquare$

$\mathsf{Msg}_{i}$ applies the permutation $\pi$ to an input $x_{i}$ , namely $\mathsf{Msg}_{i}(x_{i},\pi)=\pi_{i}(x_{i})$ .
$\blacksquare$

$\mathsf{Eval}$ outputs the orbit of messages $(m_{0},m_{1})$ , namely $\mathsf{Eval}(m_{0},m_{1})=\mathrm{Orb}_{\Gamma_{\mathcal{G}}}(m_{0},m_{1})$ .

Since an orbit of $(x_{0},x_{1})$ is invariant under a permutation $\pi\in\Gamma_{\mathcal{G}}$ , $\Pi_{\mathcal{G}}$ correctly computes $f_{\mathcal{G}}$ . Furthermore, if $f_{\mathcal{G}}(x_{0},x_{1})=f_{\mathcal{G}}(x_{0}^{\prime},x_{1}^{\prime})$ , then $(x_{0},x_{1})$ and $(x_{0}^{\prime},x_{1}^{\prime})$ are mapped to each other by some permutation $\pi\in\Gamma_{\mathcal{G}}$ as their orbits are identical, implying the privacy of $\Pi_{\mathcal{G}}$ .

We show that every ideal PSM function $f:X_{0}\times X_{1}\to Y$ is equivalent (that is, identical up to permutations of inputs and outputs) to $f_{\mathcal{G}}$ for some $\mathcal{G}$ . We obtain this characterization by proving that the following conditions are equivalent:

1.

$f$ is an ideal PSM function.
2.
For any two inputs $(x_{0},x_{1}),(x_{0}^{\prime},x_{1}^{\prime})$ such that $f(x_{0},x_{1})=f(x_{0}^{\prime},x_{1}^{\prime})$ , there exists a pair of permutations $\pi=(\pi_{0},\pi_{1})\in\mathcal{S}_{X_{0}}\times\mathcal{S}_{X_{1}}$ such that
- $\blacksquare$
  
  $\pi(x_{0},x_{1})=(\pi_{0}(x_{0}),\pi_{1}(x_{1}))=(x_{0}^{\prime},x_{1}^{\prime})$ .
- $\blacksquare$
  
  $\pi\in I_{f}$ , i.e., the values of $f$ are invariant under $\pi$ .
3.

$f$ is equivalent to $f_{\mathcal{G}}$ for some $\mathcal{G}$ .

We have already seen the implication 3 $\Rightarrow$ 1.

To prove the implication 1 $\Rightarrow$ 2, we observe that since $M_{i}=X_{i}$ in an ideal PSM scheme, the message function $\mathsf{Msg}_{i}(\cdot,r)$ induces a permutation $\pi^{i}_{r}$ over $X_{i}$ for a random string $r\in R$ . We construct $S$ as a group generated by all such permutations $(\pi^{0}_{r},\pi^{1}_{r})$ ’s. We also observe that an ideal PSM scheme for $f$ can be transformed into an ideal PSM scheme whose evaluation function is identical to $f$ , namely $\mathsf{Eval}(m_{0},m_{1})=f(m_{0},m_{1})$ . Then, the correctness property ensures that any permutation in $S$ preserves the outputs of $f$ since $f(\pi^{0}_{r}(x_{0}),\pi^{1}_{r}(x_{1}))=\mathsf{Eval}(\mathsf{Msg}_{0}(x_{0},% r),\mathsf{Msg}_{1}(x_{1},r))=f(x_{0},x_{1})$ . Furthermore, the privacy property ensures that if $f(x_{0},x_{1})=f(x_{0}^{\prime},x_{1}^{\prime})$ , then there exist random strings $r,r^{\prime}\in R$ such that $(\mathsf{Msg}_{0}(x_{0},r),\mathsf{Msg}_{1}(x_{1},r))=(\mathsf{Msg}_{0}(x_{0}^% {\prime},r^{\prime}),\mathsf{Msg}_{1}(x_{1}^{\prime},r^{\prime}))$ . This implies that there exists a permutation $\pi\in S$ that maps $(x_{0},x_{1})$ to $(x_{0}^{\prime},x_{1}^{\prime})$ .

To prove the implication 2 $\Rightarrow$ 3, we show a one-to-one correspondence between the set of orbits under the action of $I_{f}$ and the range of $f$ , that is,

\{\mathrm{Orb}_{I_{f}}(x_{0},x_{1}):(x_{0},x_{1})\in X_{0}\times X_{1}\}% \xleftrightarrow{\text{1-to-1}}\{f(x_{0},x_{1}):(x_{0},x_{1})\in X_{0}\times X% _{1}\}.

Indeed, if $\mathrm{Orb}_{I_{f}}(x_{0},x_{1})=\mathrm{Orb}_{I_{f}}(x_{0}^{\prime},x_{1}^{% \prime})$ , then the values of $f$ on them are identical since $f$ is invariant under any permutation in $I_{f}$ . Conversely, if $f(x_{0},x_{1})=f(x_{0}^{\prime},x_{1}^{\prime})$ , then there exists a permutation $\pi\in I_{f}$ that maps $(x_{0},x_{1})$ to $(x_{0}^{\prime},x_{1}^{\prime})$ , and hence their orbits are identical. Furthermore, we can construct a tuple $\mathcal{G}=(G_{0},G_{1},\psi)$ such that $\Gamma_{\mathcal{G}}=I_{f}$ . Indeed, if $f$ is non-degenerate, then any permutation $\pi_{0}$ appearing in the first component of $I_{f}$ uniquely determines its counterpart $\pi_{1}$ such that $(\pi_{0},\pi_{1})\in I_{f}$ . In particular, $I_{f}$ , $\mathsf{pr}_{0}(I_{f})$ , and $\mathsf{pr}_{1}(I_{f})$ are isomorphic to each other, where $\mathsf{pr}_{i}:\mathcal{S}_{X_{0}}\times\mathcal{S}_{X_{1}}\to\mathcal{S}_{X_% {i}}$ is a projection map. We set $G_{0}=\mathsf{pr}_{0}(I_{f})$ , $G_{1}=\mathsf{pr}_{1}(I_{f})$ , and $\psi=\mathsf{pr}_{1}\circ\mathsf{pr}_{0}^{-1}$ . Note that $G_{i}$ forms a group as $\mathsf{pr}_{i}$ is a homomorphism. Then, we have $I_{f}=\Gamma_{\mathcal{G}}$ where $\mathcal{G}=(G_{0},G_{1},\psi)$ . Therefore, we obtain that $f_{\mathcal{G}}(x_{0},x_{1})=\mathrm{Orb}_{I_{f}}(x_{0},x_{1})$ and hence $f_{\mathcal{G}}$ is equivalent to $f$ .

As a demonstration, we consider the sum function $f(x_{0},x_{1})=x_{0}+x_{1}$ over an abelian group $X$ . For $r\in X$ , let $\sigma_{r}:X\to X$ denote a permutation that shifts each element $x\in X$ by $r$ . It is easy to verify that if $f(x_{0}^{\prime},x_{1}^{\prime})=f(x_{0},x_{1})$ , then $(x_{0}^{\prime},x_{1}^{\prime})=(\sigma_{r}(x_{0}),\sigma_{-r}(x_{1}))$ and $(\sigma_{r},\sigma_{-r})\in I_{f}$ , where $r:=x_{0}^{\prime}-x_{0}$ . Thus, our characterization ensures that $f$ is an ideal PSM function. Note that $f$ is equivalent to $f_{\mathcal{G}}=f_{(G_{0},G_{1},\psi)}$ where both $G_{0}$ and $G_{1}$ are the set consisting of all $\sigma_{r}$ ’s, and $\psi:G_{0}\to G_{1}$ is defined as $\psi(\sigma_{r})=\sigma_{-r}$ . Interestingly, this argument does not require presenting any explicit PSM protocol for $f$ .

2.2 Enumeration of Ideal PSM Functions

The above characterization reduces the enumeration of ideal PSM functions $f:X_{0}\times X_{1}\to Y$ to the enumeration of all tuples $\mathcal{G}$ ’s. For ease of exposition, we assume that $|X_{0}|=|X_{1}|=:N$ . See Section 5 for a general case.

First, we provide asymptotic upper bounds on the total number of such functions. Here, we focus on connected functions, that is, there exists no partition of $X_{0}\times X_{1}$ into rectangles each of which corresponds to disjoint sets of values of $f$ . In the boolean case $Y=\{0,1\}$ , this assumption excludes only a few trivial functions and does not affect the asymptotic results. Thanks to our characterization, we can obtain an upper bound by counting the number of all $\mathcal{G}=(G_{0},G_{1},\psi)$ , where $G_{i}$ is a subgroup of $\mathcal{S}_{X_{i}}$ and $\psi$ is an isomorphism between $G_{0}$ and $G_{1}$ . However, since the total number of subgroups of $\mathcal{S}_{N}$ is $2^{\Theta(N^{2})}$ [43], naively enumerating all subgroups cannot provide a non-trivial upper bound beyond the trivial bound of $2^{N^{2}}$ , which is the number of all functions with domain $X_{0}\times X_{1}$ . To remove duplicate counts of $\mathcal{G}$ ’s that correspond to equivalent functions, we first observe that if $\mathcal{G}$ and $\mathcal{G}^{\prime}$ are conjugate, then the corresponding functions $f_{\mathcal{G}}$ and $f_{\mathcal{G}^{\prime}}$ are equivalent. Hence, it suffices to enumerate only conjugacy classes. As a more effective technique, we consider a minimal subgroup $H_{\mathcal{G}}$ of $\Gamma_{\mathcal{G}}$ that induces the same set of orbits as $\Gamma_{\mathcal{G}}$ . Then, $H_{\mathcal{G}}$ uniquely determines $f_{\mathcal{G}}$ , that is, $f_{\mathcal{G}}$ and $f_{\mathcal{G}^{\prime}}$ are equivalent if $H_{\mathcal{G}}=H_{\mathcal{G}^{\prime}}$ . It thus suffices to bound the number of all such subgroups $H_{\mathcal{G}}$ ’s. A key observation is that $H_{\mathcal{G}}$ belongs to a special class of permutation groups called orbit-minimal groups. It is shown in [43] that any orbit-minimal group over a set $X$ is generated by only $\log|X|$ permutations. As a result, any $H_{\mathcal{G}}$ is generated by at most $\log|X_{0}\times X_{1}|=\log(N^{2})$ pairs of permutations in $\mathcal{S}_{X_{0}}\times\mathcal{S}_{X_{1}}$ . We thus obtain a non-trivial upper bound on the number of ideal PSM functions as

\binom{|\mathcal{S}_{X_{0}}|\cdot|\mathcal{S}_{X_{1}}|}{\log|X_{0}\times X_{1}% |}=(N!)^{O(\log(N^{2}))}=2^{O(N\log^{2}N)}.

Furthermore, we obtain a tighter upper bound in the special case where both $|X_{0}|$ and $|X_{1}|$ are primes. We observe that it suffices to enumerate $\mathcal{G}=(G_{0},G_{1},\psi)$ such that $G_{0}$ and $G_{1}$ are transitive groups, when connected functions are considered. For a prime $N$ , the total number of transitive subgroups of $\mathcal{S}_{N}$ is at most $2^{O(\log N)}$ [44]. Moreover, we show that the possible types of transitive groups relevant to our setting are limited, and in particular, their sizes are upper bounded by $2^{O(\log^{2}N)}$ . Consequently, in this special case, we obtain the following bound:

\sum_{G_{0},G_{1}:\text{transitive}}\binom{|G_{0}|\cdot|G_{1}|}{\log|X_{0}% \times X_{1}|}=2^{O(\log N)}|G_{0}|^{\log(N^{2})}|G_{1}|^{\log(N^{2})}=2^{O(% \log^{3}N)}.

Next, we provide a complete list of ideal PSM functions $f:X_{0}\times X_{1}\to Y$ for small domains. We use an open software package called GAP to enumerate all the conjugacy classes of $\mathcal{G}$ . For a general range $Y$ , we obtain a complete list up to $\max\{|X_{0}|,|X_{1}|\}\leq 15$ except for the case of $|X_{0}|=|X_{1}|=12$ . In the boolean case $Y=\{0,1\}$ , we devise a more computationally efficient method to enumerate $\mathcal{G}$ . As a result, we obtain a list of boolean functions admitting ideal PSM up to $\max\{|X_{0}|,|X_{1}|\}\leq 23$ . Specifically, if $f$ is an ideal PSM function, i.e., $f=f_{\mathcal{G}}$ for some $\mathcal{G}=(G_{0},G_{1},\psi)$ , then the truth-table $T_{f}$ , viewed as a $|X_{0}|$ -by- $|X_{1}|$ matrix, satisfies the following property: If $v\in\{0,1\}^{|X_{1}|}$ is a column of $T_{f}$ , then so is a permuted vector $\pi_{0}(v)$ for any $\pi_{0}\in G_{0}$ . Conversely, for any pair of columns $v,v^{\prime}$ of $T_{f}$ , there exists a permutation $\pi_{0}\in G_{0}$ such that $v^{\prime}=\pi_{0}(v)$ . Leveraging this property, we can enumerate ideal PSM functions as follows: For each transitive group $G_{0}$ , we construct a graph $\mathfrak{G}_{G_{0}}=(V_{G_{0}},E_{G_{0}})$ where $V_{G_{0}}=\{0,1\}^{n}$ and $E_{G_{0}}=\{(v,v^{\prime})\in V_{G_{0}}\times V_{G_{0}}:\exists\pi_{0}\in G_{0% },v^{\prime}=\pi_{0}(v)\}.$ From the above property, the truth-table of any $f_{\mathcal{G}}$ with $\mathcal{G}=(G_{0},G_{1},\psi)$ corresponds to some connected component of $\mathfrak{G}_{G_{0}}$ . We then collect the connected components of $\mathfrak{G}_{G_{0}}$ for all $G_{0}$ ’s, which contain all desired functions.

2.3 Infinite Families of Ideal PSM Functions

We present several infinite families of ideal PSM functions. The simplest family is the group product, which computes

f((x_{i})_{i\in S_{0}},(y_{i})_{i\in S_{1}})=\prod_{i\in S_{0}\cup S_{1}}z_{i},

where each $x_{i}$ and $y_{i}$ are taken from a possibly non-abelian group $G$ and we set $z_{i}=x_{i}$ for $i\in S_{0}$ and $z_{i}=y_{i}$ for $i\in S_{1}$ . Feige et al. [29] constructed an ideal PSM scheme for this function by randomizing a sequence of group elements while preserving their product.

Next, we show that a function computing private set intersection cardinality admits ideal PSM. Specifically, for parameters $n,d_{0},d_{1}\in\mathbb{N}$ , we define

\mathsf{PSIC}_{n,(d_{0},d_{1})}(A_{0},A_{1})=|A_{0}\cap A_{1}|,

where $A_{i}$ is taken from the set of all $d_{i}$ -sized subsets of a common set $U$ of $n$ elements. To see that $\mathsf{PSIC}_{n,(d_{0},d_{1})}$ is an ideal PSM function, suppose that $|A_{0}\cap A_{1}|=|A_{0}^{\prime}\cap A_{1}^{\prime}|$ and let $B=A_{0}\cap A_{1}$ and $B^{\prime}=A_{0}^{\prime}\cap A_{1}^{\prime}$ . Then, we can choose a permutation $\pi$ on $U$ such that $\pi(A_{0})=A_{0}^{\prime}$ and $\pi(A_{1})=A_{1}^{\prime}$ , and apply our characterization result. The existence of such $\pi$ is guaranteed by the fact that both $A_{0}\cup A_{1}$ and $A_{0}^{\prime}\cup A_{1}^{\prime}$ admit partitions whose corresponding blocks have the same sizes, that is, $|A_{0}\setminus B|=|A_{0}^{\prime}\setminus B^{\prime}|$ , $|A_{1}\setminus B|=|A_{1}^{\prime}\setminus B^{\prime}|$ , and $|B|=|B^{\prime}|$ . In particular, $\mathsf{PSIC}_{n,(1,1)}$ is equivalent to the functionality of testing whether two given elements are identical, which implies that the equality function is an ideal PSM function.

Finally, we introduce a class of functions that generalizes the index function [29, 38]. Let $H$ and $G$ be abelian groups and let $\mathcal{F}$ be any set of families $\phi:H\to G$ that are closed under sums (that is, $\phi\pm\phi^{\prime}\in\mathcal{F}$ for any $\phi,\phi^{\prime}\in\mathcal{F}$ ) and are closed under input shifts (that is, $\phi_{s}\in\mathcal{F}$ for any $\phi\in\mathcal{F},s\in H$ , where $\phi_{s}(x):=\phi(x-s)$ ). We set $X_{0}=H\times G$ and $X_{1}=\mathcal{F}$ , and define a function $f:(H\times G)\times\mathcal{F}\to G$ as

f((x,r),\phi)=\phi(x)-r.

This class of functions includes the original index function considered in [29], an augmented form of the inner product, and multi-linear polynomials as special instances. To show that these functions admit ideal PSM, we define two families of permutations over $X_{0}\times X_{1}$ :

$\blacksquare$

$\pi^{s}:((x,r),\phi)\mapsto((x+s,r),\phi_{s})$ for any $s\in H$ .
$\blacksquare$

$\sigma^{\tau}:((x,r),\phi)\mapsto((x,r+\tau(x)),\phi+\tau)$ for any $\tau\in\mathcal{F}$ .

Intuitively, the first family of permutations allows us to freely move Alice’s input $(x,r)$ to any $(x^{\prime},r)$ while preserving the outputs of $f$ . The second family allows us to freely move Bob’s input $\phi$ to any $\phi^{\prime}$ . Thus, for any pair of inputs $(x_{0},x_{1}),(x_{0}^{\prime},x_{1}^{\prime})$ with $f(x_{0},x_{1})=f(x_{0}^{\prime},x_{1}^{\prime})$ , we can find a permutation that maps $(x_{0},x_{1})$ to $(x_{0}^{\prime},x_{1}^{\prime})$ preserving the outputs of $f$ and apply our characterization result.

2.4 Communication-efficient and Simplified PSM Schemes

In general, if we obtain a PSM scheme for a function $F:X_{0}^{\prime}\times X_{1}^{\prime}\to Y$ , then the scheme naturally induces a PSM scheme for any function $f:X_{0}\times X_{1}\to Y$ that can be embedded into $F$ , simply by restricting the input domains. Here, by saying that $f$ is embedded into $F$ , we mean that there are injections $\tau_{i}:X_{i}\to X_{i}^{\prime}$ such that $f(x_{0},x_{1})=F(\tau_{0}(x_{0}),\tau_{1}(x_{1}))$ for all $(x_{0},x_{1})\in X_{0}\times X_{1}$ . Thus, the ideal PSM schemes described above particularly induce PSM schemes for functions that are embedded into the corresponding functions. We refer to such a construction template of PSM as the “embedding-to-ideal-PSM” construction. Interestingly, most of the existing PSM schemes achieving the state-of-the-art communication complexity in various computation models follow the embedding-to-ideal-PSM template. For example, the best known schemes for branching programs [29] and arithmetic formulas [34, 19] are obtained from the ideal PSM scheme for the group product. The nearly optimal scheme for polynomials [38] is obtained from the ideal PSM scheme for a generalized index function, where $\mathcal{F}$ is the set of all multi-linear polynomials.

By embedding target functions to ideal PSM functions, we obtain novel communication-efficient PSM schemes for functions with sparse/dense or low-rank truth-tables. First, we consider a function $f:X_{0}\times X_{1}\to\{0,1\}$ whose truth-table $T_{f}$ , viewed as a $|X_{0}|$ -by- $|X_{1}|$ matrix, contains at most $d$ ones in each row for a small $d\ll N_{1}:=|X_{1}|$ . By appending each row with an appropriate number of ones, we can embed $f$ into a function $f^{\prime}:X_{0}\times X_{1}^{\prime}\to\{0,1\}$ whose truth-table contains exactly $d$ ones in each row, where $N_{1}^{\prime}:=|X_{1}^{\prime}|=N_{1}+d$ . Note that the truth-table of $\mathsf{PSIC}_{N_{1}^{\prime},(d,1)}$ is a $\binom{N_{1}^{\prime}}{d}$ -by- $N_{1}^{\prime}$ matrix, which consists of all row vectors of weight $d$ . We can then embed $f^{\prime}$ (and hence $f$ ) into $\mathsf{PSIC}_{N_{1}^{\prime},(d,1)}$ . The ideal PSM scheme for $\mathsf{PSIC}_{N_{1}^{\prime},(d,1)}$ induces a PSM scheme for $f$ with communication complexity $O(\log\binom{N_{1}^{\prime}}{d})=O(d\log(N_{1}+d))$ . Prior to this work, the only general construction in [7] can apply in this setting which results in communication complexity of $O(\sqrt{N_{1}})$ . Thus, our construction achieves a strict improvement when $d=o(\sqrt{N_{1}}/\log N_{1})$ . Note that these schemes also apply to functions such that the rows (or the columns) are dense, that is, they contain at least $n-d$ ones for a small $d$ .

Next, Narayanan et al. [41] showed a PSM scheme for a function $f:X_{0}\times X_{1}\to Y$ whose communication complexity is $O(k\log|Y|)$ , where $k$ is the tiling number of $f$ . Here, the tiling number refers to the smallest number of disjoint monochromatic rectangles covering the truth-table $T_{f}$ . Let $q$ be the smallest prime power larger than $|Y|$ (we can choose $q$ so that $q=O(|Y|)$ ). If the rank of the truth-table $T_{f}$ is at most $r$ over $\mathbb{F}_{q}$ , then we can decompose $T_{f}=\mathbf{M}_{0}\mathbf{M}_{1}^{\top}$ where $\mathbf{M}_{i}\in\mathbb{F}_{q}^{|X_{i}|\times r}$ . Thus, by defining an injection

\tau_{i}:X_{i}\ni x_{i}\mapsto\mathbf{M}_{i}[x_{i}]\in\mathbb{F}_{q}^{r},

where $\mathbf{M}_{i}[x]$ denotes the $x$ -th row of $\mathbf{M}_{i}$ , we can embed $f$ into the inner product function over $\mathbb{F}_{q}^{r}$ . The inner product is a special case of the generalized index function and hence admits ideal PSM. As a result, we obtain a PSM scheme for $f$ with communication complexity $O(r\log|Y|)$ . Since it holds that $k\geq r$ for any $f$ , our construction achieves a more refined communication complexity than [41].

Finally, Beimel et al. [7] showed a PSM scheme for a general function $f:X\times X\to\{0,1\}$ with communication complexity $O(\sqrt{N})$ , where $X=\{0,1,\ldots,N-1\}$ . According to the description in [3], the more precise communication complexity is at least $12\sqrt{N}$ . In contrast, we show that any function $f$ can be embedded into an ideal PSM function $G_{f}:X^{\prime}\times X^{\prime}\to\{0,1\}$ with $\log|X^{\prime}|={4\sqrt{N}+1}$ . Precisely, we consider a multi-linear function $\hat{f}:(\{0,1\}^{\sqrt{N}})^{4}\to\{0,1\}$ such that

\hat{f}(\mathbf{e}_{i_{0}},\mathbf{e}_{j_{0}},\mathbf{e}_{i_{1}},\mathbf{e}_{j% _{1}})=f(i_{0}\sqrt{N}+j_{0},i_{1}\sqrt{N}+j_{1})

for any $i_{0},j_{0},i_{1},j_{1}\in\{0,1,\ldots,\sqrt{N}-1\}$ , where $\mathbf{e}_{i}$ denotes a one-hot vector whose $i$ -th element is one. Then, we set $X^{\prime}=(\{0,1\}^{\sqrt{N}})^{4}\times\{0,1\}$ and define a function $G_{f}:X^{\prime}\times X^{\prime}\to\{0,1\}$ as

			$\displaystyle G_{f}((\mathbf{x}_{0},\mathbf{x}_{1},\mathbf{i}_{0},\mathbf{i}_{% 1},a),(\mathbf{y}_{0},\mathbf{y}_{1},\mathbf{j}_{0},\mathbf{j}_{1},b))$
		$\displaystyle=$	$\displaystyle\hat{f}(\mathbf{x}_{0},\mathbf{x}_{1},\mathbf{y}_{0},\mathbf{y}_{% 1})\oplus\langle\mathbf{x}_{0},\mathbf{j}_{0}\rangle\oplus\langle\mathbf{x}_{1% },\mathbf{j}_{1}\rangle\oplus\langle\mathbf{y}_{0},\mathbf{i}_{0}\rangle\oplus% \langle\mathbf{y}_{1},\mathbf{i}_{1}\rangle\oplus a\oplus b$

for any $\mathbf{x}_{0},\mathbf{x}_{1},\mathbf{i}_{0},\mathbf{i}_{1},\mathbf{y}_{0},% \mathbf{y}_{1},\mathbf{j}_{0},\mathbf{j}_{1}\in\{0,1\}^{\sqrt{N}}$ and $a,b\in\{0,1\}$ . To show that $G_{f}$ admits ideal PSM, we construct the following families of permutations over $X^{\prime}\times X^{\prime}$ under which the outputs of $G_{f}$ are invariant:

$\blacksquare$

For any $\mathbf{t}_{0},\mathbf{t}_{1}\in\{0,1\}^{\sqrt{N}}$ , $\pi^{\mathbf{t}_{0},\mathbf{t}_{1}}$ freely shifts part of Alice’s input $(\mathbf{x}_{0},\mathbf{x}_{1})$ by $(\mathbf{t}_{0},\mathbf{t}_{1})$ .
$\blacksquare$

For any $\mathbf{s}_{0},\mathbf{s}_{1}\in\{0,1\}^{\sqrt{N}}$ , $\sigma^{\mathbf{s}_{0},\mathbf{s}_{1}}$ freely shifts part of Bob’s input $(\mathbf{y}_{0},\mathbf{y}_{1})$ by $(\mathbf{s}_{0},\mathbf{s}_{1})$ .
$\blacksquare$

For any $\mathbf{p}_{0},\mathbf{p}_{1},\mathbf{q}_{0},\mathbf{q}_{1}\in\{0,1\}^{\sqrt{N}}$ , $\tau^{\mathbf{p}_{0},\mathbf{p}_{1},\mathbf{q}_{0},\mathbf{q}_{1}}$ freely shifts part of Alice’s and Bob’s inputs, $(\mathbf{i}_{0},\mathbf{i}_{1})$ and $(\mathbf{j}_{0},\mathbf{j}_{1})$ , by $(\mathbf{p}_{0},\mathbf{p}_{1})$ and $(\mathbf{q}_{0},\mathbf{q}_{1})$ , respectively.
$\blacksquare$

For any $r\in\{0,1\}$ , $\rho^{r}$ maps part of Alice’s and Bob’s inputs $(a,b)$ to $(a\oplus r,b\oplus r)$ .

Thus, we can map an input to any other input by composing permutations from the above families as long as their corresponding outputs of $G_{f}$ are equal, which shows the existence of ideal PSM for $G_{f}$ . Since the communication complexity of the resulting ideal PSM scheme is $\log|X^{\prime}\times X^{\prime}|=8\sqrt{N}+2$ , our construction improves the constant factor in the dominant term of the best known communication complexity. An additional benefit is that Alice and Bob can compute their messages simply by applying a composition of the permutations defined above to their inputs. As a result, the message functions of our scheme can be expressed in closed form and simplifies the hierarchical design of [7, 3], which relies on nested invocations of PSM schemes for smaller functions.

3 Preliminaries

This section summarizes basic notations used in the paper. For $n\in\mathbb{N}$ , we define $[n]=\{0,1,2,\ldots,n-1\}$ . For a set $X$ , let $\binom{X}{k}$ denote the set of all $k$ -sized subsets of $X$ . We write $x\leftarrow\mathrel{\mkern-2.0mu}\mathrel{\mathchoice{\vbox{\hbox{$% \displaystyle\textnormal{\$\thinspace}$}}}{\vbox{\hbox{$\textstyle\textnormal{% \$\thinspace}$}}}{\vbox{\hbox{$\scriptstyle\textnormal{\$\thinspace}$}}}{\vbox% {\hbox{$\scriptscriptstyle\textnormal{\$\thinspace}$}}}}X$ if an element $x$ is sampled uniformly at random from a set $X$ . The statistical distance between two random variables $X, Y$ over a set $U$ is defined as $\mathsf{SD}(X,Y)=(1/2)\sum_{a\in U}|\operatorname{Pr}\left[X=a\right]-% \operatorname{Pr}\left[Y=a\right]|$ . For two vectors $\mathbf{u},\mathbf{v}$ , we denote their inner product by $\langle\mathbf{u},\mathbf{v}\rangle$ and their tensor (or Kronecker product) by $\mathbf{u}\otimes\mathbf{v}$ . Let $\mathbb{F}_{q}$ denote a finite field of size $q$ .

3.1 Permutation Groups

If $H$ is a subgroup of a group $G$ , then we write $H\leq G$ . We denote the group of all permutations over a finite set $X$ by $\mathcal{S}_{X}$ . If $|X|=N$ , then we also denote it by $\mathcal{S}_{N}$ and call it the permutation group of degree $N$ . We denote the inverse of a permutation $\pi$ by $\pi^{-1}$ and the composition of $\pi$ and $\pi^{\prime}$ by $\pi^{\prime}\circ\pi$ . We say that $G$ is generated by a subset $S\subseteq G$ if every element of $G$ can be expressed by a composition of finitely many elements of $S$ or their inverses. Each permutation $\pi\in\mathcal{S}_{X}$ naturally acts on the set $X$ . If $n=|X|$ , then $\pi$ also acts on the set $Y^{n}$ of $n$ -dimensional vectors over a set $Y$ : for each $v=(v_{x})_{x\in X}\in Y^{n}$ , define $\pi(v)=(v_{x}^{\prime})_{x\in X}\in Y^{n}$ as $v_{\pi(x)}^{\prime}=v_{x}$ for all $x\in X$ . For a subset $S\subseteq\mathcal{S}_{X}$ , we define the orbit of $x\in X$ under the action of $S$ on $X$ by $\mathrm{Orb}_{S}(x)=\{\pi(x):\pi\in S\}.$ We say that $G\leq\mathcal{S}_{X}$ is transitive if for any $x,x^{\prime}\in X$ , there exists $\pi\in G$ such that $\pi(x)=x^{\prime}$ , that is, the orbit of any $x\in X$ is equal to $X$ . A (not necessarily transitive) subgroup $G\leq\mathcal{S}_{X}$ is called orbit-minimal if for any proper subgroup $H\lneq G$ , it holds that $|\{\mathrm{Orb}_{H}(x):x\in X\}|>|\{\mathrm{Orb}_{G}(x):x\in X\}|$ . Let $X_{0},X_{1}$ be sets. We naturally identify $\mathcal{S}_{X_{0}}\times\mathcal{S}_{X_{1}}$ as a subgroup of $\mathcal{S}_{X_{0}\times X_{1}}$ via $\tau(x_{0},x_{1})=(\tau_{0}(x_{0}),\tau_{1}(x_{1}))$ where $\tau=(\tau_{0},\tau_{1})\in\mathcal{S}_{X_{0}}\times\mathcal{S}_{X_{1}}$ and $(x_{0},x_{1})\in X_{0}\times X_{1}$ . We denote a natural projection from $\mathcal{S}_{X_{0}}\times\mathcal{S}_{X_{1}}$ onto $\mathcal{S}_{X_{i}}$ by $\mathsf{pr}_{i}$ . For $S\subseteq\mathcal{S}_{X_{0}}\times\mathcal{S}_{X_{1}}$ , we similarly define the orbit of $(x_{0},x_{1})$ under the action of $S$ on $X_{0}\times X_{1}$ , denoted by $\mathrm{Orb}_{S}(x_{0},x_{1})$ .

3.2 Functions

Let $f:X_{0}\times X_{1}\to Y$ be a function. For subsets $A_{0}\subseteq X_{0}$ and $A_{1}\subseteq X_{1}$ , we denote $f(A_{0}\times A_{1})=\{f(x_{0},x_{1}):(x_{0},x_{1})\in A_{0}\times A_{1}\}$ and denote $\mathrm{Range}(f)=f(X_{0}\times X_{1})$ . We also denote $f^{-1}(y)=\{(x_{0},x_{1})\in X_{0}\times X_{1}:f(x_{0},x_{1})=y\}$ for $y\in\mathrm{Range}(f)$ . We define an equivalence relation $\simeq$ on the set of all functions whose domain is $X_{0}\times X_{1}$ as follows:

\displaystyle f\simeq g\nobreak\ \overset{\text{def}}{\iff}\nobreak\ \forall(x% _{0},x_{1})\in X_{0}\times X_{1},\nobreak\ \sigma(f(\tau_{0}(x_{0}),\tau_{1}(x% _{1})))=g(x_{0},x_{1})

for some pair of permutations $(\tau_{0},\tau_{1})\in\mathcal{S}_{X_{0}}\times\mathcal{S}_{X_{1}}$ and some bijection $\sigma:\mathrm{Range}(f)\rightarrow\mathrm{Range}(g)$ . The truth-table of $f:X_{0}\times X_{1}\rightarrow Y$ is defined as a matrix $T_{f}$ whose rows and columns are indexed by $X_{0}$ and $X_{1}$ and whose $(x_{0},x_{1})$ -th entry $T_{f}[x_{0},x_{1}]$ is $f(x_{0},x_{1})$ for any $(x_{0},x_{1})\in X_{0}\times X_{1}$ . For each $x_{0}\in X_{0}$ , we denote the row vector of $T_{f}$ corresponding to $x_{0}$ by $T_{f}[x_{0},*]\in Y^{|X_{1}|}$ . Similarly, we denote the column vector of $T_{f}$ corresponding to $x_{1}\in X_{1}$ by $T_{f}[*,x_{1}]\in Y^{|X_{0}|}$ . We say that a function $f:X_{0}\times X_{1}\rightarrow Y$ is degenerate if there exist $i\in\{0,1\}$ and $x_{i}\neq x_{i}^{\prime}\in X_{i}$ such that $f(x_{i},x_{1-i})=f(x_{i}^{\prime},x_{1-i})$ for all $x_{1-i}\in X_{1-i}$ , where the inputs are supposed to be sorted according to the index. We say that $f$ is non-degenerate if $f$ is not degenerate. We say that $f:X_{0}\times X_{1}\to Y$ is disconnected if there exist $i\in\{0,1\}$ and a partition $X_{i}=A_{i}\cup B_{i}$ such that $f(A_{i}\times X_{1-i})\cap f(B_{i}\times X_{1-i})=\emptyset$ . We say that $f$ is connected if $f$ is not disconnected. Note that if $Y=\{0,1\}$ , then non-degenerate disconnected functions are limited to those whose truth tables are $(1\nobreak\ 0)$ or its transpose, or functions that are equivalent to them. For $\pi=(\pi_{0},\pi_{1})\in\mathcal{S}_{X_{0}}\times\mathcal{S}_{X_{1}}$ and $x=(x_{0},x_{1})\in X_{0}\times X_{1}$ , we simply write $\pi(x)=(\pi_{0}(x_{0}),\pi_{1}(x_{1}))$ and $f(\pi(x))=f(\pi_{0}(x_{0}),\pi_{1}(x_{1}))$ . We define the invariant group of $f$ , denoted by $I_{f}$ , as the subgroup consisting of all pairs of permutations in $\mathcal{S}_{X_{0}}\times\mathcal{S}_{X_{1}}$ under which the outputs of $f$ are invariant, i.e., $I_{f}=\{\pi\in\mathcal{S}_{X_{0}}\times\mathcal{S}_{X_{1}}:f(\pi(x))=f(x),% \forall x\in X_{0}\times X_{1}\}.$

3.3 Private Simultaneous Messages

We introduce Private Simultaneous Messages (PSM) schemes. Each of two parties holds an input $x_{i}$ and they both share a common string $r$ sampled by a randomized algorithm $\mathsf{Gen}$ . Then, each party runs an algorithm $\mathsf{Msg}$ to compute a message $m_{i}$ . They send the messages to an external party, who then runs an algorithm $\mathsf{Eval}$ to obtain $f(x_{0},x_{1})$ . The privacy requirement is that the joint distribution of messages leaks no extra information. We provide the formal definition below.

Definition 1.

Let $f:X_{0}\times X_{1}\rightarrow Y$ be a function. A Private Simultaneous Messages (PSM) scheme $\Pi$ for $f$ is a tuple $(\mathsf{Gen},\mathsf{Msg},\mathsf{Eval})$ of three algorithms, where

$\blacksquare$

$\mathsf{Gen}()\rightarrow r$ : $\mathsf{Gen}$ is a randomized algorithm that takes no input and outputs $r\in R$ sampled from a probability distribution over a set $R$ .
$\blacksquare$

$\mathsf{Msg}(i,x_{i},r)$ : $\mathsf{Msg}$ is a deterministic algorithm that takes $i\in\{0,1\}$ , $x_{i}\in X_{i}$ , and $r\in R$ as input and outputs a message $m_{i}$ .
$\blacksquare$

$\mathsf{Eval}(m_{0},m_{1})$ : $\mathsf{Eval}$ is a deterministic algorithm that takes messages $(m_{0},m_{1})$ as input and outputs $y\in Y$ .

satisfying the following properties:

Correctness.: For any $(x_{0},x_{1})\in X_{0}\times X_{1}$ and $r\in R$ , it holds that $\mathsf{Eval}(\mathsf{Msg}(0,x_{0},r),\mathsf{Msg}(1,x_{1},r))=f(x_{0},x_{1})$ .
Privacy.: For any input $(x_{0},x_{1})\in X_{0}\times X_{1}$ , let $\mathcal{D}_{(x_{0},x_{1})}$ denote the probability distribution of $(\mathsf{Msg}(i,x_{i},r))_{i\in\{0,1\}}$ induced by $r\leftarrow\mathsf{Gen}()$ . For any pair of inputs $(x_{0},x_{1}),(x_{0}^{\prime},x_{1}^{\prime})\in X_{0}\times X_{1}$ with $f(x_{0},x_{1})=f(x_{0}^{\prime},x_{1}^{\prime})$ , it holds that $\mathsf{SD}\left(\mathcal{D}_{(x_{0},x_{1})},\mathcal{D}_{(x_{0}^{\prime},x_{1% }^{\prime})}\right)=0.$

We call the set of all possible outcomes of $\mathsf{Gen}$ (i.e., $R$ ) the randomness space of $\Pi$ . We call the set of all possible outcomes of $\mathsf{Msg}(i,\cdot,\cdot)$ the $i$ -th message space and denote it by $M_{i}$ . The communication complexity of $\Pi$ is defined as $\log|M_{0}|+\log|M_{1}|$ .

If a PSM scheme for a function $f$ is given, then it immediately implies a PSM scheme with the same communication complexity for any function $f^{\prime}$ that is equivalent to $f$ . Therefore, throughout this paper, we do not distinguish between equivalent functions and rather focus on equivalence classes of functions.

Furthermore, we focus on PSM schemes for non-degenerate functions. Suppose that $f:X_{0}\times X_{1}\to Y$ is degenerate, and that there exist $x_{0},x_{0}^{\prime}\in X_{0}$ such that $f(x_{0},x_{1})=f(x_{0}^{\prime},x_{1})$ for any $x_{1}\in X_{1}$ . Then, any PSM scheme $\Pi^{\prime}$ for the restriction $f^{\prime}$ of $f$ to $X_{0}\setminus\{x_{0}^{\prime}\}\times X_{1}$ can be extended to a PSM scheme $\Pi$ for $f$ simply by letting party $0$ “reuse” his message for $x_{0}$ when his input is $x_{0}^{\prime}$ . The communication complexity of $\Pi$ is the same as that of $\Pi^{\prime}$ .

4 Ideal PSM

In this section, we introduce the notion of ideal PSM schemes, in which messages are taken from the same domain as inputs. Ideal PSM schemes are necessarily communication-optimal as communication complexity must be at least the input length of a function. We begin by presenting the formal definition.

Definition 2.

We say that a PSM scheme $\Pi$ for a function $f:X_{0}\times X_{1}\to Y$ is ideal if the message spaces satisfy

\displaystyle M_{0}=X_{0}\nobreak\ \text{and}\nobreak\ M_{1}=X_{1}.

We say that a function $f$ admits ideal PSM or is an ideal PSM function if there exists an ideal PSM scheme for $f$ .

Suppose that $\Pi$ is an ideal PSM scheme for a non-degenerate function $f$ . Then, the communication complexity of $\Pi$ cannot be reduced further. This is because otherwise, for some randomness $r$ and some pair of inputs, say $x_{0},x_{0}^{\prime}$ , the corresponding messages coincide. Then, the perfect correctness of $\Pi$ implies that $f(x_{0},x_{1})=f(x_{0}^{\prime},x_{1})$ for any $x_{1}$ , which contradicts that $f$ is non-degenerate.

4.1 Canonical Ideal PSM Schemes

We introduce a special class of ideal PSM schemes induced by permutation groups. Jumping ahead, we will show that the set of ideal PSM functions is essentially limited to those realized by this special type of ideal PSM schemes. In that sense, we refer to these ideal schemes as “canonical”.

For sets $X_{0},X_{1}$ , we define

\displaystyle\Psi_{X_{0},X_{1}}=\{(G_{0},G_{1},\psi):G_{0}\leq\mathcal{S}_{X_{% 0}},G_{1}\leq\mathcal{S}_{X_{1}},\nobreak\ \text{$\psi:G_{0}\rightarrow G_{1}$% is an isomorphism}\}.

For each $\mathcal{G}=(G_{0},G_{1},\psi)\in\Psi_{X_{0},X_{1}}$ , we define a subgroup $\Gamma_{\mathcal{G}}$ of $\mathcal{S}_{X_{0}}\times\mathcal{S}_{X_{1}}$ as

\displaystyle\Gamma_{\mathcal{G}}=\{(\pi_{0},\pi_{1}):\pi_{0}\in G_{0},\pi_{1}% =\psi(\pi_{0})\}.

and $Y_{\mathcal{G}}=\{\mathrm{Orb}_{\Gamma_{\mathcal{G}}}(x_{0},x_{1}):(x_{0},x_{1% })\in X_{0}\times X_{1}\}$ . Finally, we define a function $f_{\mathcal{G}}:X_{0}\times X_{1}\rightarrow Y_{\mathcal{G}}$ by

\displaystyle f_{\mathcal{G}}(x_{0},x_{1})=\mathrm{Orb}_{\Gamma_{\mathcal{G}}}% (x_{0},x_{1})

for all $(x_{0},x_{1})\in X_{0}\times X_{1}$ .

We can see that each function $f_{\mathcal{G}}$ admits ideal PSM.

Proposition 3.

For each $\mathcal{G}=(G_{0},G_{1},\psi)\in\Psi_{X_{0},X_{1}}$ , there exists an ideal PSM scheme $\Pi_{\mathcal{G}}$ for the function $f_{\mathcal{G}}$ .

Proof.

We construct $\Pi_{\mathcal{G}}$ as follows. The randomness generation algorithm $\mathsf{Gen}$ outputs $\pi=(\pi_{0},\pi_{1})$ chosen uniformly at random from $\Gamma_{\mathcal{G}}$ . The message function $\mathsf{Msg}$ is defined as $\mathsf{Msg}(i,x_{i},\pi)=\pi_{i}(x_{i})$ . The evaluation function $\mathsf{Eval}$ is defined as $\mathsf{Eval}(m_{0},m_{1})=\mathrm{Orb}_{\Gamma_{\mathcal{G}}}(m_{0},m_{1})$ . By definition, $\Pi_{\mathcal{G}}$ is ideal.

We have that
$\displaystyle\mathsf{Eval}(\mathsf{Msg}(0,x_{0},\pi),\mathsf{Msg}(1,x_{1},\pi))$ $\displaystyle=\mathrm{Orb}_{\Gamma_{\mathcal{G}}}(\pi_{0}(x_{0}),\pi_{1}(x_{1}% ))=\mathrm{Orb}_{\Gamma_{\mathcal{G}}}(x_{0},x_{1})=f_{\mathcal{G}}(x_{0},x_{1% }).$

The second equality follows from $\pi=(\pi_{0},\pi_{1})\in\Gamma_{\mathcal{G}}$ . Thus, the correctness of $\Pi_{\mathcal{G}}$ follows.

Let $(x_{0},x_{1}),(x_{0}^{\prime},x_{1}^{\prime})$ be two inputs such that $f_{\mathcal{G}}(x_{0},x_{1})=f_{\mathcal{G}}(x_{0}^{\prime},x_{1}^{\prime})$ . Then, $\mathrm{Orb}_{\Gamma_{\mathcal{G}}}(x_{0},x_{1})=\mathrm{Orb}_{\Gamma_{% \mathcal{G}}}(x_{0}^{\prime},x_{1}^{\prime})$ . It follows from the orbit-stabilizer theorem that the distribution of

(\mathsf{Msg}(0,x_{0},\pi),\mathsf{Msg}(1,x_{1},\pi))=(\pi_{0}(x_{0}),\pi_{1}(% x_{1}))

induced by $\pi\leftarrow\mathrel{\mkern-2.0mu}\mathrel{\mathchoice{\vbox{\hbox{$% \displaystyle\textnormal{\$\thinspace}$}}}{\vbox{\hbox{$\textstyle\textnormal{% \$\thinspace}$}}}{\vbox{\hbox{$\scriptstyle\textnormal{\$\thinspace}$}}}{\vbox% {\hbox{$\scriptscriptstyle\textnormal{\$\thinspace}$}}}}\Gamma_{\mathcal{G}}$ is a uniform distribution over the orbit $\mathrm{Orb}_{\Gamma_{\mathcal{G}}}(x_{0},x_{1})$ . Similarly, the distribution of $(\mathsf{Msg}(0,x_{0}^{\prime},\pi^{\prime}),\mathsf{Msg}(1,x_{1}^{\prime},\pi% ^{\prime}))$ induced by $\pi^{\prime}\leftarrow\mathrel{\mkern-2.0mu}\mathrel{\mathchoice{\vbox{\hbox{$% \displaystyle\textnormal{\$\thinspace}$}}}{\vbox{\hbox{$\textstyle\textnormal{% \$\thinspace}$}}}{\vbox{\hbox{$\scriptstyle\textnormal{\$\thinspace}$}}}{\vbox% {\hbox{$\scriptscriptstyle\textnormal{\$\thinspace}$}}}}\Gamma_{\mathcal{G}}$ is a uniform distribution over $\mathrm{Orb}_{\Gamma_{\mathcal{G}}}(x_{0}^{\prime},x_{1}^{\prime})$ . Therefore, the distribution of $(\mathsf{Msg}(i,x_{i},\pi))_{i\in\{0,1\}}$ is identical with that of $(\mathsf{Msg}(i,x_{i}^{\prime},\pi^{\prime}))_{i\in\{0,1\}}$ , from which the privacy of $\Pi_{\mathcal{G}}$ follows. $\hfill\blacktriangleleft$

4.2 Characterization

We show that the class of ideal PSM functions is essentially equal to those computed by the canonical ideal PSM schemes, namely the $f_{\mathcal{G}}$ ’s.

First, we prepare two lemmas, whose proofs are provided in the full version.

Lemma 4.

Let $\Pi=(\mathsf{Gen},\mathsf{Msg},\mathsf{Eval})$ be a PSM scheme for a non-degenerate function $f:X_{0}\times X_{1}\to Y$ with randomness space $R$ . Then, for any $r\in R$ and $i\in\{0,1\}$ , the function $\mathsf{Msg}(i,\cdot,r)\colon X_{i}\to M_{i}$ is injective. In particular, if $\Pi$ is ideal, then $\mathsf{Msg}(i,\cdot,r)\colon X_{i}\to X_{i}$ is a bijection.

Lemma 5.

Assume that a non-degenerate function $f:X_{0}\times X_{1}\rightarrow Y$ admits ideal PSM. Then, there exists an ideal PSM scheme $\Pi^{\prime}=(\mathsf{Gen}^{\prime},\mathsf{Msg}^{\prime},\mathsf{Eval}^{% \prime})$ for $f$ such that $\mathsf{Eval}^{\prime}=f$ .

Now, we show a characterization of ideal PSM functions.

Theorem 6.

Let $f:X_{0}\times X_{1}\rightarrow Y$ be a non-degenerate function. Then, the following conditions are equivalent:

1.

$f$ admits ideal PSM.
2.

There exists $\mathcal{G}\in\Psi_{X_{0},X_{1}}$ such that $f\simeq f_{\mathcal{G}}$ .
3.

It holds that $\mathrm{Orb}_{I_{f}}(x_{0},x_{1})=f^{-1}(f(x_{0},x_{1}))$ for any $(x_{0},x_{1})\in X_{0}\times X_{1}$ .
4.

There exists a subset $S\subseteq I_{f}$ such that $\mathrm{Orb}_{S}(x_{0},x_{1})=f^{-1}(f(x_{0},x_{1}))$ for any $(x_{0},x_{1})\in X_{0}\times X_{1}$ .

Proof.

2 $\Rightarrow$ 1.

Let $\Pi_{\mathcal{G}}=(\mathsf{Gen}_{\mathcal{G}},\mathsf{Msg}_{\mathcal{G}},% \mathsf{Eval}_{\mathcal{G}})$ be the ideal PSM scheme for $f_{\mathcal{G}}$ constructed in Proposition 3. Since $f\simeq f_{\mathcal{G}}$ , there are a pair of permutations $\tau=(\tau_{0},\tau_{1})\in\mathcal{S}_{X_{0}}\times\mathcal{S}_{X_{1}}$ and a bijection $\sigma:Y\rightarrow Y_{\mathcal{G}}$ such that $\sigma(f(\tau(x)))=f_{\mathcal{G}}(x)$ for all $x=(x_{0},x_{1})\in X_{0}\times X_{1}$ .

It suffices to construct an ideal PSM scheme $\Pi=(\mathsf{Gen},\mathsf{Msg},\mathsf{Eval})$ for $f$ . We define $\Pi$ as follows:

$\blacksquare$

$\mathsf{Gen}=\mathsf{Gen}_{\mathcal{G}}$ , that is, $\mathsf{Gen}$ outputs $\pi=(\pi_{0},\pi_{1})\leftarrow\mathrel{\mkern-2.0mu}\mathrel{\mathchoice{% \vbox{\hbox{$\displaystyle\textnormal{\$\thinspace}$}}}{\vbox{\hbox{$% \textstyle\textnormal{\$\thinspace}$}}}{\vbox{\hbox{$\scriptstyle\textnormal{% \$\thinspace}$}}}{\vbox{\hbox{$\scriptscriptstyle\textnormal{\$\thinspace}$}}}% }\Gamma_{\mathcal{G}}$ .
$\blacksquare$

$\mathsf{Msg}(i,x_{i},\pi)=\mathsf{Msg}_{\mathcal{G}}(i,\tau_{i}^{-1}(x_{i}),% \pi)=\pi_{i}(\tau_{i}^{-1}(x_{i}))$ .
$\blacksquare$

$\mathsf{Eval}(m_{0},m_{1})=\sigma^{-1}(\mathsf{Eval}_{\mathcal{G}}(m_{0},m_{1}))$ .

The correctness follows since

	$\displaystyle\mathsf{Eval}(\mathsf{Msg}(0,x_{0},\pi),\mathsf{Msg}(1,x_{1},\pi))$	$\displaystyle=\sigma^{-1}(\mathsf{Eval}_{\mathcal{G}}(\mathsf{Msg}_{\mathcal{G% }}(0,\tau_{0}^{-1}(x_{0}),\pi),\mathsf{Msg}_{\mathcal{G}}(1,\tau_{1}^{-1}(x_{1% }),\pi))$
		$\displaystyle=\sigma^{-1}(f_{\mathcal{G}}(\tau_{0}^{-1}(x_{0}),\tau_{1}^{-1}(x% _{1})))$
		$\displaystyle=f(x_{0},x_{1}).$

The privacy of $\Pi$ is implied by that of $\Pi_{\mathcal{G}}$ since $f(x_{0},x_{1})=f(x_{0}^{\prime},x_{1}^{\prime})$ if and only if $f_{\mathcal{G}}(\tau_{0}^{-1}(x_{0}),\tau_{1}^{-1}(x_{1}))=f_{\mathcal{G}}(% \tau_{0}^{-1}(x_{0}^{\prime}),\tau_{1}^{-1}(x_{1}^{\prime}))$ . Clearly, $\Pi$ is ideal.

1 $\Rightarrow$ 4.

Let $\Pi$ be an ideal PSM scheme for $f$ obtained via Lemma 5. Let $R$ be the randomness space of $\Pi$ . For each $r\in R$ and $i\in\{0,1\}$ , we define $\pi_{r}^{i}:X_{i}\rightarrow X_{i}$ as $\pi_{r}^{i}(x_{i})=\mathsf{Msg}(i,x_{i},r)$ . From Lemma 4, $\pi_{r}^{i}$ is a permutation on $X_{i}$ . Let $S$ be a subgroup of $\mathcal{S}_{X_{0}}\times\mathcal{S}_{X_{1}}$ generated by $\{(\pi_{r}^{0},\pi_{r}^{1}):r\in R\}$ .

First, we prove that $S\subseteq I_{f}$ . Let $(x_{0},x_{1})\in X_{0}\times X_{1}$ and $(\pi_{0},\pi_{1})\in S$ . Since $S$ is generated by $\{(\pi^{0}_{r},\pi^{1}_{r}):r\in R\}$ , there exists a sequence $(r_{1},\dots,r_{m})$ such that

\displaystyle(\pi_{0},\pi_{1})=(\pi^{0}_{r_{1}},\pi^{1}_{r_{1}})\circ\cdots% \circ(\pi^{0}_{r_{m}},\pi^{1}_{r_{m}}).

(1)

Note that since $S$ is a finite group, for any $(\pi_{0},\pi_{1})\in S$ , there exists $k>0$ such that $(\pi_{0},\pi_{1})^{-1}=(\pi_{0},\pi_{1})^{k}$ . Hence, any $(\pi_{0},\pi_{1})\in S$ can be represented as in Eq. (1). Then, from the correctness of $\Pi$ , we have $f(x_{0},x_{1})=f(\pi^{0}_{r_{m}}(x_{0}),\pi^{1}_{r_{m}}(x_{1}))=f(\pi^{0}_{r_{% m-1}}\circ\pi^{0}_{r_{m}}(x_{0}),\pi^{1}_{r_{m-1}}\circ\pi^{1}_{r_{m}}(x_{1}))% =\cdots=f(\pi_{0}(x_{0}),\pi_{1}(x_{1}))$ for all $(x_{0},x_{1})\in X_{0}\times X_{1}$ .

Next, we prove that $\mathrm{Orb}_{S}(x_{0},x_{1})=f^{-1}(f(x_{0},x_{1}))$ for any $(x_{0},x_{1})\in X_{0}\times X_{1}$ . Since we have shown $S\subseteq I_{f}$ , it holds that $\mathrm{Orb}_{S}(x_{0},x_{1})\subseteq f^{-1}(f(x_{0},x_{1}))$ . It remains to show that for any $(x_{0}^{\prime},x_{1}^{\prime})\in f^{-1}(f(x_{0},x_{1}))$ , there exists $(\pi_{0},\pi_{1})\in S$ such that $\pi_{0}(x_{0})=x_{0}^{\prime}$ and $\pi_{1}(x_{1})=x_{1}^{\prime}$ . From the privacy requirement of $\Pi$ , the distribution of $(\pi^{0}_{r}(x_{0}),\pi^{1}_{r}(x_{1}))$ induced by $r\leftarrow\mathrel{\mkern-2.0mu}\mathrel{\mathchoice{\vbox{\hbox{$% \displaystyle\textnormal{\$\thinspace}$}}}{\vbox{\hbox{$\textstyle\textnormal{% \$\thinspace}$}}}{\vbox{\hbox{$\scriptstyle\textnormal{\$\thinspace}$}}}{\vbox% {\hbox{$\scriptscriptstyle\textnormal{\$\thinspace}$}}}}R$ is identical with that of $(\pi^{0}_{r^{\prime}}(x_{0}^{\prime}),\pi^{1}_{r^{\prime}}(x_{1}^{\prime}))$ induced by $r^{\prime}\leftarrow\mathrel{\mkern-2.0mu}\mathrel{\mathchoice{\vbox{\hbox{$% \displaystyle\textnormal{\$\thinspace}$}}}{\vbox{\hbox{$\textstyle\textnormal{% \$\thinspace}$}}}{\vbox{\hbox{$\scriptstyle\textnormal{\$\thinspace}$}}}{\vbox% {\hbox{$\scriptscriptstyle\textnormal{\$\thinspace}$}}}}R$ , since $f(x_{0},x_{1})=f(x_{0}^{\prime},x_{1}^{\prime})$ . This particularly implies that there exist $r,r^{\prime}\in R$ such that $(\pi^{0}_{r}(x_{0}),\pi^{1}_{r}(x_{1}))=(\pi^{0}_{r^{\prime}}(x_{0}^{\prime}),% \pi^{1}_{r^{\prime}}(x_{1}^{\prime}))$ . By the definition of $S$ , $(\pi_{0},\pi_{1}):=(\pi^{0}_{r^{\prime}},\pi^{1}_{r^{\prime}})^{-1}\circ(\pi^{% 0}_{r},\pi^{1}_{r})$ belongs to $S$ and $(\pi_{0}(x_{0}),\pi_{1}(x_{1}))=(x_{0}^{\prime},x_{1}^{\prime})$ .

4 $\Rightarrow$ 3.

Let $(x_{0},x_{1})\in X_{0}\times X_{1}$ . By the definition of $I_{f}$ , it holds that $\mathrm{Orb}_{I_{f}}(x_{0},x_{1})\subseteq f^{-1}(f(x_{0},x_{1}))$ . The converse inclusion follows from $f^{-1}(f(x_{0},x_{1}))=\mathrm{Orb}_{S}(x_{0},x_{1})\subseteq\mathrm{Orb}_{I_{% f}}(x_{0},x_{1})$ as $S\subseteq I_{f}$ .

3 $\Rightarrow$ 2.

Define $G_{i}=\mathsf{pr}_{i}(I_{f})$ for $i\in\{0,1\}$ . First, we prove that the restriction of the projection $\mathsf{pr}_{i}$ to $I_{f}$ is an isomorphism, i.e., $G_{i}$ and $I_{f}$ are isomorphic. Since $\mathsf{pr}_{i}$ is surjective, it is enough to show that it is injective. Suppose on the contrary that there exist $\pi_{0}\in G_{0}$ and $\pi_{1}\neq\pi_{1}^{\prime}\in G_{1}$ such that $(\pi_{0},\pi_{1})\in I_{f}$ and $(\pi_{0},\pi_{1}^{\prime})\in I_{f}$ . Then, there exists $x_{1}\in X_{1}$ such that $\pi_{1}(x_{1})\neq\pi_{1}^{\prime}(x_{1})$ . For any $x_{0}\in X_{0}$ , we have $f(\pi_{0}(x_{0}),\pi_{1}(x_{1}))=f(x_{0},x_{1})=f(\pi_{0}(x_{0}),\pi_{1}^{% \prime}(x_{1}))$ . Since $\pi_{0}$ is a bijection, this implies that for any $x_{0}\in X_{0}$ , we have $f(x_{0},\pi_{1}(x_{1}))=f(x_{0},\pi_{1}^{\prime}(x_{1}))$ . This contradicts that $f$ is non-degenerate. Thus, the projection $\mathsf{pr}_{i}:I_{f}\rightarrow G_{i}$ is an injection and hence is an isomorphism. In summary, $G_{0}$ , $G_{1}$ and $I_{f}$ are isomorphic to each other. Let $\psi$ be an isomorphism from $G_{0}$ to $G_{1}$ .

We set $\mathcal{G}=(G_{0},G_{1},\psi)\in\Psi_{X_{0},X_{1}}$ . Note that $\Gamma_{\mathcal{G}}=I_{f}$ and $Y_{\mathcal{G}}=\{\mathrm{Orb}_{I_{f}}(x_{0},x_{1}):(x_{0},x_{1})\in X_{0}% \times X_{1}\}$ . We show that $f\simeq f_{\mathcal{G}}$ . Define $\sigma:Y\rightarrow Y_{\mathcal{G}}$ as follows: For any $y\in Y$ , pick any $(x_{0},x_{1})\in f^{-1}(y)$ and set $\sigma(y)=\mathrm{Orb}_{I_{f}}(x_{0},x_{1}).$ We see that $\sigma$ is well-defined. Indeed, the condition 3 ensures that for any $(x_{0}^{\prime},x_{1}^{\prime})\in f^{-1}(y)$ , it holds that $\mathrm{Orb}_{I_{f}}(x_{0}^{\prime},x_{1}^{\prime})=f^{-1}(f(y))=\mathrm{Orb}_% {I_{f}}(x_{0},x_{1})$ . We also see that $\sigma$ is a bijection. We define $\sigma^{\prime}:Y_{\mathcal{G}}\rightarrow Y$ as $\sigma^{\prime}(\mathrm{Orb}_{I_{f}}(x_{0},x_{1}))=f(x_{0},x_{1})$ for any $\mathrm{Orb}_{I_{f}}(x_{0},x_{1})\in Y_{\mathcal{G}}$ . We see that $\sigma^{\prime}$ is well-defined. Indeed, if $\mathrm{Orb}_{I_{f}}(x_{0},x_{1})=\mathrm{Orb}_{I_{f}}(x_{0}^{\prime},x_{1}^{% \prime})$ , then there is $\pi\in I_{f}$ such that $\pi(x_{0},x_{1})=(x_{0}^{\prime},x_{1}^{\prime})$ , which implies that $f(x_{0}^{\prime},x_{1}^{\prime})=f(\pi(x_{0},x_{1}))=f(x_{0},x_{1})$ . Since $\sigma^{\prime}$ is clearly the inverse of $\sigma$ , $\sigma$ is a bijection. Furthermore, $\sigma(f(x_{0},x_{1}))=\mathrm{Orb}_{I_{f}}(x_{0},x_{1})=\mathrm{Orb}_{\Gamma_% {\mathcal{G}}}(x_{0},x_{1})=f_{\mathcal{G}}(x_{0},x_{1})$ for any $(x_{0},x_{1})\in X_{0}\times X_{1}$ . $\hfill\blacktriangleleft$

We note that the tuple $\mathcal{G}=(G_{0},G_{1},\psi)$ such that $f\simeq f_{\mathcal{G}}$ may not be uniquely determined by a function $f$ . In other words, there may exist distinct $\mathcal{G}\neq\mathcal{G}^{\prime}\in\Psi_{X_{0},X_{1}}$ such that $f_{\mathcal{G}}\simeq f_{\mathcal{G}^{\prime}}$ .

5 Enumeration of Ideal PSM Functions

In this section, we give asymptotic upper bounds on the total number of non-degenerate connected functions $f:X_{0}\times X_{1}\to Y$ that admit ideal PSM. In addition, we provide a complete list of such functions for small domains by a brute-force search. Our approach for enumeration is based on Theorem 6, which ensures that it is sufficient to enumerate all possible tuples $(G_{0},G_{1},\psi)\in\Psi_{X_{0},X_{1}}$ where $G_{0}\leq\mathcal{S}_{X_{0}}$ , $G_{1}\leq\mathcal{S}_{X_{1}}$ , and $\psi$ is an isomorphism from $G_{0}$ to $G_{1}$ .

5.1 Asymptotic Upper Bounds

We define $C_{N_{0},N_{1}}$ as the total number of non-degenerate connected functions $f$ , up to the equivalence relation $\simeq$ (defined in Section 3.2), such that

$\blacksquare$

The domain of $f$ is $X_{0}\times X_{1}$ with $|X_{0}|=N_{0}$ and $|X_{1}|=N_{1}$ .
$\blacksquare$

$f$ admits ideal PSM.

From Theorem 6, a non-degenerate ideal PSM function $f$ is equivalent to $f_{\mathcal{G}}$ for some $\mathcal{G}\in\Psi_{X_{0},X_{1}}$ . Thus, we can upper bound $C_{N_{0},N_{1}}$ by enumerating all $f_{\mathcal{G}}$ ’s up to equivalence.

Furthermore, it suffices to enumerate all orbit-minimal subgroups $H$ of $\mathcal{S}_{X_{0}\times X_{1}}$ such that $H\leq\mathcal{S}_{X_{0}}\times\mathcal{S}_{X_{1}}$ . Indeed, given $f_{\mathcal{G}}$ , let $H_{\mathcal{G}}$ be a minimal one among subgroups of $\Gamma_{\mathcal{G}}$ such that $\{\mathrm{Orb}_{H_{\mathcal{G}}}(x_{0},x_{1}):(x_{0},x_{1})\in X_{0}\times X_{% 1}\}=\{\mathrm{Orb}_{\Gamma_{\mathcal{G}}}(x_{0},x_{1}):(x_{0},x_{1})\in X_{0}% \times X_{1}\}.$ Then, ${H_{\mathcal{G}}}$ is an orbit-minimal subgroup of $\mathcal{S}_{X_{0}\times X_{1}}$ since otherwise, there is a proper subgroup $H^{\prime}\lneq{H_{\mathcal{G}}}$ such that $|\{\mathrm{Orb}_{H^{\prime}}(x_{0},x_{1}):(x_{0},x_{1})\in X_{0}\times X_{1}\}% |=|\{\mathrm{Orb}_{H_{\mathcal{G}}}(x_{0},x_{1}):(x_{0},x_{1})\in X_{0}\times X% _{1}\}|=|\{\mathrm{Orb}_{\Gamma_{\mathcal{G}}}(x_{0},x_{1}):(x_{0},x_{1})\in X% _{0}\times X_{1}\}|,$ which contradicts the choice of ${H_{\mathcal{G}}}$ . Furthermore, if $f_{\mathcal{G}}$ and $f_{\mathcal{G}^{\prime}}$ lead to the same subgroup $H={H_{\mathcal{G}}}={H_{\mathcal{G}^{\prime}}}$ , then it holds that $\{\mathrm{Orb}_{\Gamma_{\mathcal{G}}}(x_{0},x_{1}):(x_{0},x_{1})\in X_{0}% \times X_{1}\}=\{\mathrm{Orb}_{H}(x_{0},x_{1}):(x_{0},x_{1})\in X_{0}\times X_% {1}\}=\{\mathrm{Orb}_{\Gamma_{\mathcal{G}^{\prime}}}(x_{0},x_{1}):(x_{0},x_{1}% )\in X_{0}\times X_{1}\}$ and hence $f_{\mathcal{G}}\simeq f_{\mathcal{G}^{\prime}}$ . Therefore, the total number of non-equivalent $f_{\mathcal{G}}$ ’s and hence $C_{N_{0},N_{1}}$ are upper bounded by the total number of orbit-minimal subgroups $H$ of $\mathcal{S}_{X_{0}\times X_{1}}$ such that $H\leq\mathcal{S}_{X_{0}}\times\mathcal{S}_{X_{1}}$ . According to [43, Theorem 1.5], any orbit-minimal subgroup $H$ with $H\leq\mathcal{S}_{X_{0}}\times\mathcal{S}_{X_{1}}$ is generated by a set $S$ of at most $\log(N_{0}N_{1})$ elements. Furthermore, since each element of $S$ is expressed as $(\pi_{0},\pi_{1})$ for some $\pi_{0}\in\mathcal{S}_{X_{0}}$ and $\pi_{1}\in\mathcal{S}_{X_{1}}$ , the total number of such $H$ ’s is upper bounded by $\binom{|\mathcal{S}_{X_{0}}|\cdot|\mathcal{S}_{X_{1}}|}{\log(N_{0}N_{1})}.$

Theorem 7.

The total number of non-degenerate ideal PSM functions $f:X_{0}\times X_{1}\to Y$ with $|X_{0}|=N_{0}$ and $|X_{1}|=N_{1}$ , up to equivalence, is at most

\displaystyle\binom{N_{0}!\cdot N_{1}!}{\log(N_{0}N_{1})}=2^{O((N_{0}\log N_{0% }+N_{1}\log N_{1})\log N_{0}N_{1})}

If the message spaces of both parties are of prime size, i.e., $N_{0}$ and $N_{1}$ are primes, then we can obtain a better upper bound for $C_{N_{0},N_{1}}$ . See the full version for details.

Theorem 8.

Let $N_{0}$ and $N_{1}$ be primes and $f:X_{0}\times X_{1}\to Y$ be a non-degenerate, connected, ideal PSM function with $|X_{0}|=N_{0}$ and $|X_{1}|=N_{1}$ . Then, $N_{0}=N_{1}$ . Furthermore, the total number $C_{N_{0},N_{1}}$ of such functions is at most $2^{O(\log^{3}{p})}$ , where $p:=N_{0}=N_{1}$ .

5.2 Complete Lists of Small Ideal PSM Functions

Finally, we provide a complete list of non-degenerate connected functions $f:X_{0}\times X_{1}\to Y$ that admit ideal PSM when $|X_{0}|$ and $|X_{1}|$ are small. Since we are interested in equivalence classes of ideal PSM functions, it is sufficient to enumerate $G_{0}\leq\mathcal{S}_{X_{0}}$ and $G_{1}\leq\mathcal{S}_{X_{1}}$ up to conjugacy, and isomorphism $\psi\colon G_{0}\to G_{1}$ . Furthermore, we observe that if connected functions are considered, it suffices to enumerate such $(G_{0},G_{1},\psi)$ assuming that $G_{0}$ and $G_{1}$ are transitive. For small domains, we do this by a brute-force search using an open software package called GAP. GAP has a list of all transitive permutation groups (up to conjugacy) of degree at most 30. GAP has a function that takes $G_{0}$ and $G_{1}$ as input and computes an isomorphism from $G_{0}$ to $G_{1}$ (if exists). GAP also has a function that takes $G_{0}$ as input and computes all automorphism of $G_{0}$ . Using these functions, we can enumerate $\Psi_{X_{0},X_{1}}$ with $\max\{|X_{0}|,|X_{1}|\}\leq 15$ except for the case of $|X_{0}|=|X_{1}|=12$ . We were unable to deal with larger cases or $|X_{0}|=|X_{1}|=12$ due to limited computational resources. There are possibilities that $f_{\mathcal{G}}$ is degenerate for some $\mathcal{G}\in\Psi_{X_{0},X_{1}}$ or that $f_{\mathcal{G}}\simeq f_{\mathcal{G^{\prime}}}$ for some $\mathcal{G}\neq\mathcal{G^{\prime}}\in\Psi_{X_{0},X_{1}}$ . We manually eliminate such degenerate functions and duplicates. The resulting list and our source codes are available in [1] and the exact values of $C_{N_{0},N_{1}}$ are provided in the full version. It can be observed that the exact values of $C_{N_{0},N_{1}}$ seem to be much smaller than our asymptotic upper bounds. We leave the question of the tightness of our upper bounds on $C_{N_{0},N_{1}}$ to future work. In the full version, we also show a more efficient method to enumerate boolean functions $f:X_{0}\times X_{1}\to\{0,1\}$ that admit ideal PSM. This allows us to enumerate such functions with $\max\{|X_{0}|,|X_{1}|\}\leq 23$ .

6 Infinite Families of Ideal PSM Functions

6.1 Group Product

The sum function $f:G\times G\to G$ over an abelian group $G$ , defined as $f(x,y)=x+y$ , admits ideal PSM: one party with input $x$ computes a message $x+r$ and the other party with input $y$ computes a message $y-r$ .

More generally, let $G$ be a possibly non-abelian group. Let $m\in\mathbb{N}$ , $(S_{0},S_{1})$ be a partition of $[m]$ , and $s_{i}=|S_{i}|$ for $i\in\{0,1\}$ . We define a function $f:G^{s_{0}}\times G^{s_{1}}\to G$ as

\displaystyle f((x_{i})_{i\in S_{0}},(y_{i})_{i\in S_{1}})=\prod_{i\in[m]}z_{i},

where we set $z_{i}=x_{i}$ for $i\in S_{0}$ and $z_{i}=y_{i}$ for $i\in S_{1}$ . The PSM scheme for $f$ presented in [29] is ideal and hence $f$ is an ideal PSM function.

6.2 Private Set Intersection Cardinality

Let $U$ be a set of size $n$ and $d_{0},d_{1}\in\mathbb{N}$ be such that $d_{0}\leq n$ and $d_{1}\leq n$ . Set $d=\min\{d_{0},d_{1}\}$ . Define a function $\mathsf{PSIC}_{n,(d_{0},d_{1})}:\binom{U}{d_{0}}\times\binom{U}{d_{1}}% \rightarrow\{0,1,\ldots,d\}$ as

\displaystyle\mathsf{PSIC}_{n,(d_{0},d_{1})}(A_{0},A_{1})=|A_{0}\cap A_{1}|

for all $(A_{0},A_{1})\in\binom{U}{d_{0}}\times\binom{U}{d_{1}}$ . We show that $\mathsf{PSIC}_{n,(d_{0},d_{1})}$ admits ideal PSM based on Theorem 6. Let $(A_{0},A_{1}),(A_{0}^{\prime},A_{1}^{\prime})\in\binom{U}{d_{0}}\times\binom{U% }{d_{1}}$ be two inputs such that $|A_{0}\cap A_{1}|=|A_{0}^{\prime}\cap A_{1}^{\prime}|$ . Observe that both $A_{0}\cup A_{1}$ and $A_{0}^{\prime}\cup A_{1}^{\prime}$ admit partitions whose corresponding blocks have the same sizes, that is, $A_{0}\cup A_{1}=(A_{0}\setminus A_{1})\cup(A_{0}\cap A_{1})\cup(A_{1}\setminus A% _{0})$ and $A_{0}^{\prime}\cup A_{1}^{\prime}=(A_{0}^{\prime}\setminus A_{1}^{\prime})\cup% (A_{0}^{\prime}\cap A_{1}^{\prime})\cup(A_{1}^{\prime}\setminus A_{0}^{\prime}).$ Thus, there exists a permutation $\sigma$ over $U$ such that $\sigma(A_{0})=A_{0}^{\prime}$ and $\sigma(A_{1})=A_{1}^{\prime}$ . Furthermore, since $\sigma$ is a permutation, $|\sigma(X)\cap\sigma(Y)|=|\sigma(X\cap Y)|=|X\cap Y|$ for any $(X,Y)\in\binom{U}{d_{0}}\times\binom{U}{d_{1}}$ . Thus, the fourth condition in Theorem 6 is satisfied.

6.3 Index Function

We show that an index function, which takes a vector $D=(D_{j})_{j\in[N]}\in\{0,1\}^{N}$ and an index $x\in[N]$ as input and outputs $D_{x}$ , admits ideal PSM. The index function was implicitly used to prove the feasibility of PSM for general functions $f$ in [29] by setting $D$ as the truth-table of $f(x_{0},\cdot)$ and $x=x_{1}$ . It has played an important role to improve the worst-case communication complexity of PSM [7, 38, 9, 3].

We prove that a more general form of the index functions admit ideal PSM. Let $H$ and ${G}$ be abelian groups. Let $\mathcal{F}$ be a set of functions from $H$ to ${G}$ satisfying the following properties:

$\blacksquare$

For any $\phi,\phi^{\prime}\in\mathcal{F}$ , the function $\phi+\phi^{\prime}$ (resp. $\phi-\phi^{\prime}$ ), defined as $(\phi+\phi^{\prime})(t)=\phi(t)+\phi^{\prime}(t)$ (resp. $(\phi-\phi^{\prime})(t)=\phi(t)-\phi^{\prime}(t)$ ) for any $t\in H$ , is also in $\mathcal{F}$ .
$\blacksquare$

For any $\phi\in\mathcal{F}$ and $s\in H$ , the function $\phi_{s}$ , defined as $\phi_{s}(t)=\phi(t-s)$ for any $t\in H$ , is also in $\mathcal{F}$ .

Set $X_{0}=H\times G$ and $X_{1}=\mathcal{F}$ . Define $f:X_{0}\times X_{1}\to{G}$ as

\displaystyle f((x,r),\phi)=\phi(x)-r

(2)

for any $x\in H$ , $r\in{G}$ , and $\phi:H\to{G}\in\mathcal{F}$ . The original index function can be viewed as a special instance by setting $G=\{0,1\}$ , $H=\mathbb{Z}_{N}$ , and $\mathcal{F}$ as the set of all functions from $[N]$ to $\{0,1\}$ . We show that $f$ admits ideal PSM if it is non-degenerate. For $s\in H$ , we define $(\pi^{s}_{0},\pi^{s}_{1})\in\mathcal{S}_{X_{0}}\times\mathcal{S}_{X_{1}}$ as $\pi^{s}_{0}(x,r)=(x+s,r)$ and $\pi^{s}_{1}(\phi)=\phi_{s}.$ For $\tau\in X_{1}$ , we define $(\sigma^{\tau}_{0},\sigma^{\tau}_{1})$ as $\sigma^{\tau}_{0}(x,r)=(x,r+\tau(x))$ and $\sigma^{\tau}_{1}(\phi)=\phi+\tau.$ Let $S$ be a subgroup generated by $\{(\pi^{s}_{0},\pi^{s}_{1}):s\in H\}\cup\{(\sigma^{\tau}_{0},\sigma^{\tau}_{1}% ):\tau\in X_{1}\}$ . Then, $S$ satisfies the fourth condition in Theorem 6. See the full version for details.

We also show that an augmented form of the inner product can be expressed as a special instance of the index function $f$ in Eq. (2) and hence admits ideal PSM. Formally, define $\mathsf{IP}_{q,r}:(\mathbb{F}_{q}^{r}\times\mathbb{F}_{q})\times(\mathbb{F}_{q% }^{r}\times\mathbb{F}_{q})\to\mathbb{F}_{q}$ as

\displaystyle\mathsf{IP}_{q,r}((\mathbf{x}_{0},a_{0}),(\mathbf{x}_{1},a_{1}))=% \langle\mathbf{x}_{0},\mathbf{x}_{1}\rangle-a_{0}-a_{1}

for any $\mathbf{x}_{0},\mathbf{x}_{1}\in\mathbb{F}_{q}^{r}$ and $a_{0},a_{1}\in\mathbb{F}_{q}$ . Let $G=\mathbb{F}_{q}$ and $H=\mathbb{F}_{q}^{r}$ . For $\mathbf{x}_{1}\in\mathbb{F}_{q}^{r}$ and $a_{1}\in\mathbb{F}_{q}$ , define a function $\phi^{\mathbf{x}_{1},a_{1}}:H\to G$ as $\phi^{\mathbf{x}_{1},a_{1}}(\mathbf{x}_{0})=\langle\mathbf{x}_{0},\mathbf{x}_{% 1}\rangle-a_{1}$ for any $\mathbf{x}_{0}\in H$ . Let $X_{0}=H\times G$ and $X_{1}=\mathcal{F}=\{\phi^{\mathbf{x}_{1},a_{1}}:\mathbf{x}_{1}\in\mathbb{F}_{q% }^{r},a_{1}\in\mathbb{F}_{q}\}$ . It then holds that $\mathsf{IP}_{q,r}((\mathbf{x}_{0},a_{0}),(\mathbf{x}_{1},a_{1}))=f((\mathbf{x}% _{0},a_{0}),\phi^{\mathbf{x}_{1},a_{1}}).$ We have that $\phi^{\mathbf{x}_{1},a_{1}}+\phi^{\mathbf{x}_{1}^{\prime},a_{1}^{\prime}}=\phi% ^{\mathbf{x}_{1}+\mathbf{x}_{1}^{\prime},a_{1}+a_{1}^{\prime}}$ and $\phi^{\mathbf{x}_{1},a_{1}}_{\mathbf{s}}(\mathbf{x}_{0}):=\phi^{\mathbf{x}_{1}% ,a_{1}}(\mathbf{x}_{0}-\mathbf{s})=\phi^{\mathbf{x}_{1},a_{1}+\langle\mathbf{s% },\mathbf{x}_{1}\rangle}(\mathbf{x}_{0})$ . Hence, $X_{1}$ satisfies the assumption in Section 6.3.

7 Communication-efficient and Simplified PSM Schemes

In this section, we improve the communication complexity of state-of-the-art PSM schemes for several functions. Our constructions follow the same template: We embed a target function $f$ into a larger function $f^{\prime}$ that admits an ideal PSM scheme, from which we naturally derive a PSM scheme for $f$ . Since the ideal PSM scheme is communication-optimal, the key question is how much we can restrict the domain of $f^{\prime}$ while still containing $f$ as a restriction. Formally, we say that a function $f:X_{0}\times X_{1}\to Y$ is embedded into a function $f^{\prime}:X_{0}^{\prime}\times X_{1}^{\prime}\to Y$ if there are injective functions $\tau_{i}:X_{i}\to X_{i}^{\prime}$ such that $f(x_{0},x_{1})=f^{\prime}(\tau_{0}(x_{0}),\tau_{1}(x_{1}))$ for all $(x_{0},x_{1})\in X_{0}\times X_{1}$ . If $f$ is embedded into $f^{\prime}$ , then a PSM scheme for $f^{\prime}$ naturally induces a PSM scheme for $f$ .

7.1 Functions with Sparse/Dense Truth-tables

First, we consider functions with sparse truth-tables. Specifically, let $f:[N_{0}]\times[N_{1}]\to\{0,1\}$ be a function such that each row of the truth-table $T_{f}$ has at most $d$ ones for a small $d\ll N_{1}$ . Prior to this work, the only general construction in [7] can apply, resulting in communication complexity of $O(\max\{\sqrt{N_{0}},\sqrt{N_{1}}\})$ .

We show an efficient PSM scheme for $f$ with communication complexity $O(d\log(N_{1}+d))$ , resulting in a strict improvement over [7] when $d=o(\sqrt{N_{1}}//\log N_{1})$ . The same communication complexity can be attained when the columns of the truth-table are sparse. These schemes also apply to functions such that the rows (or the columns) are dense, that is, they contain at least $n-d$ ones for a small $d$ , by taking the NOT of sparse functions.

Proposition 9.

Let $f:[N_{0}]\times[N_{1}]\to\{0,1\}$ be a non-degenerate function such that for any $x_{0}\in X_{0}$ , the number of ones in the row $T_{f}[x_{0},*]$ of the truth-table $T_{f}$ is at most $d$ . Then, there exists a PSM scheme for $f$ such that $|M_{0}|=\binom{N_{1}+d}{d}$ and $|M_{1}|=N_{1}+d$ .

Proof.

We show that $f$ is embedded into an ideal PSM function $f^{\prime}:[N_{0}^{\prime}]\times[N_{1}^{\prime}]\to\{0,1\}$ with $N_{0}^{\prime}=\binom{N_{1}+d}{d}$ and $N_{1}^{\prime}=N_{1}+d$ . Then, an ideal PSM scheme for $f^{\prime}$ induces a PSM scheme $\Pi$ for $f$ with the stated communication complexity.

We define $f^{\prime\prime}:[N_{0}]\times[N_{1}^{\prime}]\to\{0,1\}$ by specifying its truth-table $T_{f^{\prime\prime}}$ as follows. For each $x_{0}\in[N_{0}]$ , define the row vector $T_{f^{\prime\prime}}[x_{0},*]$ of length $N_{1}^{\prime}=N_{1}+d$ by appending $d-w_{x_{0}}$ ones and $w_{x_{0}}$ zeros to the right of $T_{f}[x_{0},*]$ , where $w_{x_{0}}$ denotes the number of ones in $T_{f}[x_{0},*]$ . Clearly, $f$ is embedded into $f^{\prime\prime}$ and each row of $T_{f^{\prime\prime}}$ contains exact $d$ ones.

We set $f^{\prime}=\mathsf{PSIC}_{N_{1}^{\prime},(d,1)}$ . Note that $f^{\prime}$ has a domain $[N_{0}^{\prime}]\times[N_{1}^{\prime}]$ with $N_{0}^{\prime}=\binom{N_{1}+d}{d}$ and $N_{1}^{\prime}=N_{1}+d$ . Then, $f^{\prime\prime}$ is embedded into $f^{\prime}$ since the rows of the truth-table of $f^{\prime}$ contains any row vector of weight $d$ . Therefore, $f$ is embedded into $f^{\prime}$ . $\hfill\blacktriangleleft$

7.2 Functions with Low-Rank Truth-tables

Narayanan et al. [41] showed PSM schemes for functions that have bounded tiling numbers. Specifically, a $k$ -tiling of a function $f:X_{0}\times X_{1}\to Y$ is a partition of $X_{0}\times X_{1}$ into $k$ monochromatic rectangles, i.e., a tuple of rectangles $(R_{i})_{i\in[k]}$ such that for every $i\in[k]$ , there exists $y_{i}\in Y$ such that $f(x_{0},x_{1})=y_{i}$ for all $(x_{0},x_{1})\in R_{i}$ . The tiling number of a function $f$ is defined as the smallest number $k$ such that $f$ has a $k$ -tiling. They showed a PSM scheme for $f$ with communication complexity $O(k\log|Y|)$ , where $k$ is the tiling number of $f$ .

Let $q$ be the smallest prime power larger than $|Y|$ (we can choose $q$ so that $q=O(|Y|)$ ). Then, the truth-table $T_{f}$ of a function $f:X_{0}\times X_{1}\to Y$ can be viewed as a $|X_{0}|$ -by- $|X_{1}|$ matrix over $\mathbb{F}_{q}$ . In the following, we present a PSM scheme for $f$ with communication complexity $O(r\log q)=O(r\log|Y|)$ , where $r$ is the rank of $T_{f}$ over $\mathbb{F}_{q}$ . As is well known, it holds that $k\geq r$ since $T_{f}$ can be represented as a sum of $k$ rank- $1$ matrices if $f$ has a $k$ -tiling (e.g. [31]). Our construction thus achieves a more refined communication complexity than [41].

Proposition 10.

Let $f:[N_{0}]\times[N_{1}]\to\mathbb{F}_{q}$ be a non-degenerate function whose truth-table $T_{f}\in\mathbb{F}_{q}^{N_{0}\times N_{1}}$ has rank $r$ as a matrix over $\mathbb{F}_{q}$ . Then, there exists a PSM scheme for $f$ such that $|M_{0}|=|M_{1}|=q^{r}$ .

Proof.

We show that $f$ is embedded into the inner-product function $\mathsf{IP}_{q,r}:\mathbb{F}_{q}^{r}\times\mathbb{F}_{q}^{r}\to\mathbb{F}_{q}$ . Then, the proposition follows since $\mathsf{IP}_{q,r}$ admits ideal PSM.

Since $T_{f}$ has rank $r$ , there exist two matrices $\mathbf{M}_{0}\in\mathbb{F}_{q}^{N_{0}\times r}$ and $\mathbf{M}_{1}\in\mathbb{F}_{q}^{N_{1}\times r}$ such that $T_{f}=\mathbf{M}_{0}\mathbf{M}_{1}^{\top}$ as matrices over $\mathbb{F}_{q}$ . In particular, it holds that $T_{f}[x_{0},x_{1}]=\langle\mathbf{M}_{0}[x_{0}],\mathbf{M}_{1}[x_{1}]\rangle$ for any $(x_{0},x_{1})\in[N_{0}]\times[N_{1}]$ , where $\mathbf{M}_{i}[x]$ denotes the $x$ -th row vector of $\mathbf{M}_{i}$ .

For each $i\in\{0,1\}$ , define $\tau_{i}:[N_{i}]\to\mathbb{F}_{q}^{r}$ by $\tau_{i}(x)=\mathbf{M}_{i}[x]$ for any $x\in[N_{i}]$ . From the above, we have $f(x_{0},x_{1})=\mathsf{IP}_{q,r}(\tau_{0}(x_{0}),\tau_{1}(x_{1}))$ for any $(x_{0},x_{1})$ . Since $f$ is non-degenerate, the rows of $\mathbf{M}_{i}$ are pairwise distinct and hence $\tau_{i}$ is injective. Therefore, $f$ is embedded into $\mathsf{IP}_{q,r}$ via the $\tau_{i}$ ’s. $\hfill\blacktriangleleft$

7.3 Simplified PSM for General Functions

Beimel et al. [7] showed a PSM scheme for a general function $f:[N]\times[N]\to\{0,1\}$ with communication complexity $O(\sqrt{N})$ . According to the description in [3], the more precise communication complexity is at least $12\sqrt{N}$ . In the following, we present a PSM scheme for $f$ with communication complexity $8\sqrt{N}+2$ , improving the constant factor in the dominant term of the state-of-the-art construction. An additional benefit is that our construction is simpler and more direct: the message and evaluation functions are given in closed form, unlike the hierarchical designs of [7, 3], which rely on nested invocations of PSM schemes for smaller functions.

Let $f:[N]\times[N]\to\{0,1\}$ be a non-degenerate function. We assume that $N$ is a square number. Otherwise, we embed $f$ into a function $f^{\prime}$ with domain $[N^{\prime}]\times[N^{\prime}]$ for the smallest square number $N^{\prime}$ with $N^{\prime}>N$ . Let $n=\sqrt{N}$ . We define a multi-linear function $\hat{f}\colon(\{0,1\}^{n})^{4}\to\{0,1\}$ as

\displaystyle\hat{f}(\mathbf{a}_{0},\mathbf{b}_{0},\mathbf{a}_{1},\mathbf{b}_{% 1})=\sum_{i_{0},j_{0},i_{1},j_{1}\in[n]}\mathbf{a}_{0}[i_{0}]\cdot\mathbf{b}_{% 0}[j_{0}]\cdot\mathbf{a}_{1}[i_{1}]\cdot\mathbf{b}_{1}[j_{1}]\cdot f(i_{0}n+j_% {0},i_{1}n+j_{1})

for any $\mathbf{a}_{0},\mathbf{b}_{0},\mathbf{a}_{1},\mathbf{b}_{1}\in\{0,1\}^{n}$ , where we denote the $i$ -th bit of a vector $\mathbf{v}$ by $\mathbf{v}[i]$ . Let $X=Y=(\{0,1\}^{n})^{4}\times\{0,1\}$ . We define $G_{f}\colon X\times Y\to\{0,1\}$ as

		$\displaystyle G_{f}((\mathbf{x}_{0},\mathbf{x}_{1},\mathbf{i}_{0},\mathbf{i}_{% 1},a),(\mathbf{y}_{0},\mathbf{y}_{1},\mathbf{j}_{0},\mathbf{j}_{1},b))$
	$\displaystyle=\$	$\displaystyle\hat{f}(\mathbf{x}_{0},\mathbf{x}_{1},\mathbf{y}_{0},\mathbf{y}_{% 1})\oplus\langle\mathbf{x}_{0},\mathbf{j}_{0}\rangle\oplus\langle\mathbf{x}_{1% },\mathbf{j}_{1}\rangle\oplus\langle\mathbf{y}_{0},\mathbf{i}_{0}\rangle\oplus% \langle\mathbf{y}_{1},\mathbf{i}_{1}\rangle\oplus a\oplus b.$

Note that $\hat{f}(\mathbf{u}_{x},\mathbf{v}_{x},\mathbf{u}_{y},\mathbf{v}_{y})=f(x,y)$ , where we let $\mathbf{e}_{x}\in\{0,1\}^{N}$ denote a one-hot vector whose $x$ -th element is one, and $\mathbf{u}_{x},\mathbf{v}_{x}\in\{0,1\}^{n}$ denote one-hot vectors such that $\mathbf{u}_{x}\otimes\mathbf{v}_{x}=\mathbf{e}_{x}$ . Thus, we have $G_{f}((\mathbf{u}_{x},\mathbf{v}_{x},\mathbf{0},\mathbf{0},0),(\mathbf{u}_{y},% \mathbf{v}_{y},\mathbf{0},\mathbf{0},0))=f(x,y)$ and hence $f$ is embedded into $G_{f}$ . In the full version, we show that $G_{f}$ admits ideal PSM, which implies that there exists a PSM scheme for $f$ with communication complexity $8\lceil\sqrt{N}\rceil+2$ . This improves the dominant term $12\sqrt{N}$ of the best known PSM scheme for general functions [7].

References

[1] https://github.com/hiwatashi-keitaro/idealPSM, 2025.
[2] Benny Applebaum, Thomas Holenstein, Manoj Mishra, and Ofer Shayevitz. The communication complexity of private simultaneous messages, revisited. Journal of Cryptology, 33(3):917–953, 2020. doi:10.1007/S00145-019-09334-Y.
[3] Léonard Assouline and Tianren Liu. Multi-party psm, revisited: Improved communication and unbalanced communication. In Theory of Cryptography, pages 194–223, 2021. doi:10.1007/978-3-030-90453-1_7.
[4] Marshall Ball and Tim Randolph. A note on the complexity of private simultaneous messages with many parties. In 3rd Conference on Information-Theoretic Cryptography, ITC 2022, pages 7:1–7:12, 2022. doi:10.4230/LIPIcs.ITC.2022.7.
[5] Amos Beimel, Ariel Gabizon, Yuval Ishai, and Eyal Kushilevitz. Distribution design. In Proceedings of the 2016 ACM Conference on Innovations in Theoretical Computer Science, ITCS ’16, pages 81–92, 2016. doi:10.1145/2840728.2840759.
[6] Amos Beimel, Ariel Gabizon, Yuval Ishai, Eyal Kushilevitz, Sigurd Meldgaard, and Anat Paskin-Cherniavsky. Non-interactive secure multiparty computation. In Advances in Cryptology – CRYPTO 2014, Part II, pages 387–404, 2014. doi:10.1007/978-3-662-44381-1_22.
[7] Amos Beimel, Yuval Ishai, Ranjit Kumaresan, and Eyal Kushilevitz. On the cryptographic complexity of the worst functions. In Theory of Cryptography, pages 317–342, 2014. doi:10.1007/978-3-642-54242-8_14.
[8] Amos Beimel, Yuval Ishai, and Eyal Kushilevitz. Ad hoc PSM protocols: Secure computation without coordination. In Advances in Cryptology – EUROCRYPT 2017, Part III, pages 580–608, 2017. doi:10.1007/978-3-319-56617-7_20.
[9] Amos Beimel, Eyal Kushilevitz, and Pnina Nissim. The complexity of multiparty PSM protocols and related models. In Advances in Cryptology – EUROCRYPT 2018, Part II, pages 287–318, 2018. doi:10.1007/978-3-319-78375-8_10.
[10] Amos Beimel, Noam Livne, and Carles Padró. Matroids can be far from ideal secret sharing. In Theory of Cryptography, pages 194–212, 2008. doi:10.1007/978-3-540-78524-8_12.
[11] Amos Beimel, Tamir Tassa, and Enav Weinreb. Characterizing ideal weighted threshold secret sharing. SIAM Journal on Discrete Mathematics, 22(1):360–397, 2008. doi:10.1137/S0895480104445654.
[12] Michael Ben-Or, Shafi Goldwasser, and Avi Wigderson. Completeness theorems for non-cryptographic fault-tolerant distributed computation. In Proceedings of the Twentieth Annual ACM Symposium on Theory of Computing, pages 1–10, 1988.
[13] Fabrice Benhamouda, Hugo Krawczyk, and Tal Rabin. Robust non-interactive multiparty computation against constant-size collusion. In Advances in Cryptology – CRYPTO 2017, Part I, pages 391–419, 2017. doi:10.1007/978-3-319-63688-7_13.
[14] G. R. Blakley. Safeguarding cryptographic keys. In 1979 International Workshop on Managing Requirements Knowledge (MARK), pages 313–318, 1979. doi:10.1109/MARK.1979.8817296.
[15] Ernest F. Brickell. Some ideal secret sharing schemes. In Advances in Cryptology — EUROCRYPT ’89, pages 468–475, 1990.
[16] Ernest F Brickell and Daniel M Davenport. On the classification of ideal secret sharing schemes. Journal of Cryptology, 4(2):123–134, 1991. doi:10.1007/BF00196772.
[17] David Chaum, Claude Crépeau, and Ivan Damgard. Multiparty unconditionally secure protocols. In Proceedings of the Twentieth Annual ACM Symposium on Theory of Computing, STOC ’88, pages 11–19, 1988.
[18] Qi Chen, Chunming Tang, and Zhiqiang Lin. Efficient explicit constructions of compartmented secret sharing schemes. Designs, Codes and Cryptography, 87(12):2913–2940, 2019. doi:10.1007/S10623-019-00657-2.
[19] Richard Cleve. Towards optimal simulations of formulas by bounded-width programs. In Proceedings of the twenty-second annual ACM symposium on Theory of computing, pages 271–277, 1990. doi:10.1145/100216.100251.
[20] Ivan Damgård and Jesper Buus Nielsen. Scalable and unconditionally secure multiparty computation. In Advances in Cryptology – CRYPTO 2007, pages 572–590, 2007. doi:10.1007/978-3-540-74143-5_32.
[21] Ivan Damgård, Valerio Pastro, Nigel Smart, and Sarah Zakarias. Multiparty computation from somewhat homomorphic encryption. In Advances in Cryptology – CRYPTO 2012, pages 643–662, 2012. doi:10.1007/978-3-642-32009-5_38.
[22] Ivan Damgård, Kasper Green Larsen, and Jesper Buus Nielsen. Communication lower bounds for statistically secure mpc, with or without preprocessing. In Advances in Cryptology – CRYPTO 2019, pages 61–84, 2019. doi:10.1007/978-3-030-26951-7_3.
[23] Deepesh Data, Manoj Prabhakaran, and Vinod M. Prabhakaran. On the communication complexity of secure computation. In Advances in Cryptology - CRYPTO 2014, pages 199–216, 2014. doi:10.1007/978-3-662-44381-1_12.
[24] Reo Eriguchi, Kazuma Ohara, Shota Yamada, and Koji Nuida. Non-interactive secure multiparty computation for symmetric functions, revisited: More efficient constructions and extensions. In Advances in Cryptology – CRYPTO 2021, pages 305–334, 2021. doi:10.1007/978-3-030-84245-1_11.
[25] Reo Eriguchi and Kazumasa Shinagawa. Efficient multiparty private simultaneous messages for symmetric functions. In Advances in Cryptology – EUROCRYPT 2025, pages 240–269, 2025. doi:10.1007/978-3-031-91092-0_9.
[26] Oriol Farràs, Jaume Martí-Farré, and Carles Padró. Ideal multipartite secret sharing schemes. Journal of Cryptology, 25(3):434–463, 2012. doi:10.1007/S00145-011-9101-6.
[27] Oriol Farràs and Carles Padró. Ideal hierarchical secret sharing schemes. In Theory of Cryptography, pages 219–236, 2010. doi:10.1007/978-3-642-11799-2_14.
[28] Oriol Farràs and Carles Padró. Ideal secret sharing schemes for useful multipartite access structures. In Coding and Cryptology, pages 99–108, 2011. doi:10.1007/978-3-642-20901-7_6.
[29] Uri Feige, Joe Kilian, and Moni Naor. A minimal model for secure computation (extended abstract). In Proceedings of the Twenty-Sixth Annual ACM Symposium on Theory of Computing, STOC ’94, pages 554–563, 1994.
[30] O. Goldreich, S. Micali, and A. Wigderson. How to play any mental game. In Proceedings of the Nineteenth Annual ACM Symposium on Theory of Computing, STOC ’87, pages 218–229, 1987.
[31] Mika Göös, Toniann Pitassi, and Thomas Watson. Deterministic communication vs. partition number. SIAM Journal on Computing, 47(6):2435–2450, 2018. doi:10.1137/16M1059369.
[32] Shai Halevi, Yuval Ishai, Abhishek Jain, Eyal Kushilevitz, and Tal Rabin. Secure multiparty computation with general interaction patterns. In Proceedings of the 2016 ACM Conference on Innovations in Theoretical Computer Science, ITCS ’16, pages 157–168, 2016. doi:10.1145/2840728.2840760.
[33] Y. Ishai and E. Kushilevitz. Private simultaneous messages protocols with applications. In Proceedings of the Fifth Israeli Symposium on Theory of Computing and Systems, pages 174–183, 1997.
[34] Yuval Ishai. Randomization techniques for secure computation. Secure Multi-Party Computation, 10:222–248, 2013. doi:10.3233/978-1-61499-169-4-222.
[35] Yuval Ishai, Ranjit Kumaresan, Eyal Kushilevitz, and Anat Paskin-Cherniavsky. Secure computation with minimal interaction, revisited. In Advances in Cryptology – CRYPTO 2015, pages 359–378, 2015. doi:10.1007/978-3-662-48000-7_18.
[36] Yuval Ishai, Eyal Kushilevitz, and Anat Paskin. Secure multiparty computation with minimal interaction. In Advances in Cryptology – CRYPTO 2010, pages 577–594, 2010. doi:10.1007/978-3-642-14623-7_31.
[37] E. Karnin, J. Greene, and M. Hellman. On secret sharing systems. IEEE Transactions on Information Theory, 29(1):35–41, 1983. doi:10.1109/TIT.1983.1056621.
[38] Tianren Liu, Vinod Vaikuntanathan, and Hoeteck Wee. Conditional disclosure of secrets via non-linear reconstruction. In Advances in Cryptology – CRYPTO 2017, pages 758–790, 2017. doi:10.1007/978-3-319-63688-7_25.
[39] Tianren Liu, Vinod Vaikuntanathan, and Hoeteck Wee. Towards breaking the exponential barrier for general secret sharing. In Advances in Cryptology – EUROCRYPT 2018, pages 567–596, 2018. doi:10.1007/978-3-319-78381-9_21.
[40] Jaume Martí-Farré and Carles Padró. On secret sharing schemes, matroids and polymatroids. In Theory of Cryptography, pages 273–290, 2007. doi:10.1007/978-3-540-70936-7_15.
[41] Varun Narayanan, Manoj Prabhakaran, and Vinod M. Prabhakaran. Zero-communication reductions. In Theory of Cryptography, pages 274–304, 2020. doi:10.1007/978-3-030-64381-2_10.
[42] Carles Padró and Germán Sáez. Secret sharing schemes with bipartite access structure. IEEE Transactions on Information Theory, 46(7):2596–2604, 2000. doi:10.1109/18.887867.
[43] László Pyber. Asymptotic results for permutation groups. In Groups And Computation, 1991.
[44] László Pyber and Aner Shalev. Asymptotic results for primitive permutation groups. Journal of Algebra, 188(1):103–124, 1997.
[45] A. Shamir. How to share a secret. Communications of the ACM, 22(11):612–613, 1979. doi:10.1145/359168.359176.
[46] Kazumasa Shinagawa, Reo Eriguchi, Shohei Satake, and Koji Nuida. Private simultaneous messages based on quadratic residues. Designs, Codes and Cryptography, 91(12):3915–3932, 2023. doi:10.1007/S10623-023-01279-5.
[47] Kazumasa Shinagawa and Koji Nuida. Explicit lower bounds for communication complexity of PSM for concrete functions. In Progress in Cryptology - INDOCRYPT 2023, pages 45–61, 2023. doi:10.1007/978-3-031-56235-8_3.
[48] Tamir Tassa. Hierarchical threshold secret sharing. In Theory of Cryptography, pages 473–490, 2004. doi:10.1007/978-3-540-24638-1_26.
[49] Andrew C. Yao. Protocols for secure computations. In Proceedings of the 23rd Annual Symposium on Foundations of Computer Science, SFCS ’82, pages 160–164, 1982.

[bib.bib1] [1] https://github.com/hiwatashi-keitaro/idealPSM, 2025.

[bib.bib2] [2] Benny Applebaum, Thomas Holenstein, Manoj Mishra, and Ofer Shayevitz. The communication complexity of private simultaneous messages, revisited. Journal of Cryptology, 33(3):917–953, 2020. doi:10.1007/S00145-019-09334-Y.

[bib.bib3] [3] Léonard Assouline and Tianren Liu. Multi-party psm, revisited: Improved communication and unbalanced communication. In Theory of Cryptography, pages 194–223, 2021. doi:10.1007/978-3-030-90453-1_7.

[bib.bib4] [4] Marshall Ball and Tim Randolph. A note on the complexity of private simultaneous messages with many parties. In 3rd Conference on Information-Theoretic Cryptography, ITC 2022, pages 7:1–7:12, 2022. doi:10.4230/LIPIcs.ITC.2022.7.

[bib.bib5] [5] Amos Beimel, Ariel Gabizon, Yuval Ishai, and Eyal Kushilevitz. Distribution design. In Proceedings of the 2016 ACM Conference on Innovations in Theoretical Computer Science, ITCS ’16, pages 81–92, 2016. doi:10.1145/2840728.2840759.

[bib.bib6] [6] Amos Beimel, Ariel Gabizon, Yuval Ishai, Eyal Kushilevitz, Sigurd Meldgaard, and Anat Paskin-Cherniavsky. Non-interactive secure multiparty computation. In Advances in Cryptology – CRYPTO 2014, Part II, pages 387–404, 2014. doi:10.1007/978-3-662-44381-1_22.

[bib.bib7] [7] Amos Beimel, Yuval Ishai, Ranjit Kumaresan, and Eyal Kushilevitz. On the cryptographic complexity of the worst functions. In Theory of Cryptography, pages 317–342, 2014. doi:10.1007/978-3-642-54242-8_14.

[bib.bib8] [8] Amos Beimel, Yuval Ishai, and Eyal Kushilevitz. Ad hoc PSM protocols: Secure computation without coordination. In Advances in Cryptology – EUROCRYPT 2017, Part III, pages 580–608, 2017. doi:10.1007/978-3-319-56617-7_20.

[bib.bib9] [9] Amos Beimel, Eyal Kushilevitz, and Pnina Nissim. The complexity of multiparty PSM protocols and related models. In Advances in Cryptology – EUROCRYPT 2018, Part II, pages 287–318, 2018. doi:10.1007/978-3-319-78375-8_10.

[bib.bib10] [10] Amos Beimel, Noam Livne, and Carles Padró. Matroids can be far from ideal secret sharing. In Theory of Cryptography, pages 194–212, 2008. doi:10.1007/978-3-540-78524-8_12.

[bib.bib11] [11] Amos Beimel, Tamir Tassa, and Enav Weinreb. Characterizing ideal weighted threshold secret sharing. SIAM Journal on Discrete Mathematics, 22(1):360–397, 2008. doi:10.1137/S0895480104445654.

[bib.bib12] [12] Michael Ben-Or, Shafi Goldwasser, and Avi Wigderson. Completeness theorems for non-cryptographic fault-tolerant distributed computation. In Proceedings of the Twentieth Annual ACM Symposium on Theory of Computing, pages 1–10, 1988.

[bib.bib13] [13] Fabrice Benhamouda, Hugo Krawczyk, and Tal Rabin. Robust non-interactive multiparty computation against constant-size collusion. In Advances in Cryptology – CRYPTO 2017, Part I, pages 391–419, 2017. doi:10.1007/978-3-319-63688-7_13.

[bib.bib14] [14] G. R. Blakley. Safeguarding cryptographic keys. In 1979 International Workshop on Managing Requirements Knowledge (MARK), pages 313–318, 1979. doi:10.1109/MARK.1979.8817296.

[bib.bib15] [15] Ernest F. Brickell. Some ideal secret sharing schemes. In Advances in Cryptology — EUROCRYPT ’89, pages 468–475, 1990.

[bib.bib16] [16] Ernest F Brickell and Daniel M Davenport. On the classification of ideal secret sharing schemes. Journal of Cryptology, 4(2):123–134, 1991. doi:10.1007/BF00196772.

[bib.bib17] [17] David Chaum, Claude Crépeau, and Ivan Damgard. Multiparty unconditionally secure protocols. In Proceedings of the Twentieth Annual ACM Symposium on Theory of Computing, STOC ’88, pages 11–19, 1988.

[bib.bib18] [18] Qi Chen, Chunming Tang, and Zhiqiang Lin. Efficient explicit constructions of compartmented secret sharing schemes. Designs, Codes and Cryptography, 87(12):2913–2940, 2019. doi:10.1007/S10623-019-00657-2.

[bib.bib19] [19] Richard Cleve. Towards optimal simulations of formulas by bounded-width programs. In Proceedings of the twenty-second annual ACM symposium on Theory of computing, pages 271–277, 1990. doi:10.1145/100216.100251.

[bib.bib20] [20] Ivan Damgård and Jesper Buus Nielsen. Scalable and unconditionally secure multiparty computation. In Advances in Cryptology – CRYPTO 2007, pages 572–590, 2007. doi:10.1007/978-3-540-74143-5_32.

[bib.bib21] [21] Ivan Damgård, Valerio Pastro, Nigel Smart, and Sarah Zakarias. Multiparty computation from somewhat homomorphic encryption. In Advances in Cryptology – CRYPTO 2012, pages 643–662, 2012. doi:10.1007/978-3-642-32009-5_38.

[bib.bib22] [22] Ivan Damgård, Kasper Green Larsen, and Jesper Buus Nielsen. Communication lower bounds for statistically secure mpc, with or without preprocessing. In Advances in Cryptology – CRYPTO 2019, pages 61–84, 2019. doi:10.1007/978-3-030-26951-7_3.

[bib.bib23] [23] Deepesh Data, Manoj Prabhakaran, and Vinod M. Prabhakaran. On the communication complexity of secure computation. In Advances in Cryptology - CRYPTO 2014, pages 199–216, 2014. doi:10.1007/978-3-662-44381-1_12.

[bib.bib24] [24] Reo Eriguchi, Kazuma Ohara, Shota Yamada, and Koji Nuida. Non-interactive secure multiparty computation for symmetric functions, revisited: More efficient constructions and extensions. In Advances in Cryptology – CRYPTO 2021, pages 305–334, 2021. doi:10.1007/978-3-030-84245-1_11.

[bib.bib25] [25] Reo Eriguchi and Kazumasa Shinagawa. Efficient multiparty private simultaneous messages for symmetric functions. In Advances in Cryptology – EUROCRYPT 2025, pages 240–269, 2025. doi:10.1007/978-3-031-91092-0_9.

[bib.bib26] [26] Oriol Farràs, Jaume Martí-Farré, and Carles Padró. Ideal multipartite secret sharing schemes. Journal of Cryptology, 25(3):434–463, 2012. doi:10.1007/S00145-011-9101-6.

[bib.bib27] [27] Oriol Farràs and Carles Padró. Ideal hierarchical secret sharing schemes. In Theory of Cryptography, pages 219–236, 2010. doi:10.1007/978-3-642-11799-2_14.

[bib.bib28] [28] Oriol Farràs and Carles Padró. Ideal secret sharing schemes for useful multipartite access structures. In Coding and Cryptology, pages 99–108, 2011. doi:10.1007/978-3-642-20901-7_6.

[bib.bib29] [29] Uri Feige, Joe Kilian, and Moni Naor. A minimal model for secure computation (extended abstract). In Proceedings of the Twenty-Sixth Annual ACM Symposium on Theory of Computing, STOC ’94, pages 554–563, 1994.

[bib.bib30] [30] O. Goldreich, S. Micali, and A. Wigderson. How to play any mental game. In Proceedings of the Nineteenth Annual ACM Symposium on Theory of Computing, STOC ’87, pages 218–229, 1987.

[bib.bib31] [31] Mika Göös, Toniann Pitassi, and Thomas Watson. Deterministic communication vs. partition number. SIAM Journal on Computing, 47(6):2435–2450, 2018. doi:10.1137/16M1059369.

[bib.bib32] [32] Shai Halevi, Yuval Ishai, Abhishek Jain, Eyal Kushilevitz, and Tal Rabin. Secure multiparty computation with general interaction patterns. In Proceedings of the 2016 ACM Conference on Innovations in Theoretical Computer Science, ITCS ’16, pages 157–168, 2016. doi:10.1145/2840728.2840760.

[bib.bib33] [33] Y. Ishai and E. Kushilevitz. Private simultaneous messages protocols with applications. In Proceedings of the Fifth Israeli Symposium on Theory of Computing and Systems, pages 174–183, 1997.

[bib.bib34] [34] Yuval Ishai. Randomization techniques for secure computation. Secure Multi-Party Computation, 10:222–248, 2013. doi:10.3233/978-1-61499-169-4-222.

[bib.bib35] [35] Yuval Ishai, Ranjit Kumaresan, Eyal Kushilevitz, and Anat Paskin-Cherniavsky. Secure computation with minimal interaction, revisited. In Advances in Cryptology – CRYPTO 2015, pages 359–378, 2015. doi:10.1007/978-3-662-48000-7_18.

[bib.bib36] [36] Yuval Ishai, Eyal Kushilevitz, and Anat Paskin. Secure multiparty computation with minimal interaction. In Advances in Cryptology – CRYPTO 2010, pages 577–594, 2010. doi:10.1007/978-3-642-14623-7_31.

[bib.bib37] [37] E. Karnin, J. Greene, and M. Hellman. On secret sharing systems. IEEE Transactions on Information Theory, 29(1):35–41, 1983. doi:10.1109/TIT.1983.1056621.

[bib.bib38] [38] Tianren Liu, Vinod Vaikuntanathan, and Hoeteck Wee. Conditional disclosure of secrets via non-linear reconstruction. In Advances in Cryptology – CRYPTO 2017, pages 758–790, 2017. doi:10.1007/978-3-319-63688-7_25.

[bib.bib39] [39] Tianren Liu, Vinod Vaikuntanathan, and Hoeteck Wee. Towards breaking the exponential barrier for general secret sharing. In Advances in Cryptology – EUROCRYPT 2018, pages 567–596, 2018. doi:10.1007/978-3-319-78381-9_21.

[bib.bib40] [40] Jaume Martí-Farré and Carles Padró. On secret sharing schemes, matroids and polymatroids. In Theory of Cryptography, pages 273–290, 2007. doi:10.1007/978-3-540-70936-7_15.

[bib.bib41] [41] Varun Narayanan, Manoj Prabhakaran, and Vinod M. Prabhakaran. Zero-communication reductions. In Theory of Cryptography, pages 274–304, 2020. doi:10.1007/978-3-030-64381-2_10.

[bib.bib42] [42] Carles Padró and Germán Sáez. Secret sharing schemes with bipartite access structure. IEEE Transactions on Information Theory, 46(7):2596–2604, 2000. doi:10.1109/18.887867.

[bib.bib43] [43] László Pyber. Asymptotic results for permutation groups. In Groups And Computation, 1991.

[bib.bib44] [44] László Pyber and Aner Shalev. Asymptotic results for primitive permutation groups. Journal of Algebra, 188(1):103–124, 1997.

[bib.bib45] [45] A. Shamir. How to share a secret. Communications of the ACM, 22(11):612–613, 1979. doi:10.1145/359168.359176.

[bib.bib46] [46] Kazumasa Shinagawa, Reo Eriguchi, Shohei Satake, and Koji Nuida. Private simultaneous messages based on quadratic residues. Designs, Codes and Cryptography, 91(12):3915–3932, 2023. doi:10.1007/S10623-023-01279-5.

[bib.bib47] [47] Kazumasa Shinagawa and Koji Nuida. Explicit lower bounds for communication complexity of PSM for concrete functions. In Progress in Cryptology - INDOCRYPT 2023, pages 45–61, 2023. doi:10.1007/978-3-031-56235-8_3.

[bib.bib48] [48] Tamir Tassa. Hierarchical threshold secret sharing. In Theory of Cryptography, pages 473–490, 2004. doi:10.1007/978-3-540-24638-1_26.

[bib.bib49] [49] Andrew C. Yao. Protocols for secure computations. In Proceedings of the 23rd Annual Symposium on Foundations of Computer Science, SFCS ’82, pages 160–164, 1982.

Ideal Private Simultaneous Messages Schemes and Their Applications

Abstract

Keywords and phrases:

Copyright and License:

2012 ACM Subject Classification:

Acknowledgements:

Funding:

Related Version:

DOI:

Event:

Editor:

Series and Publisher:

1 Introduction

1.1 Our Results

1.1.1 Characterization

1.1.2 Enumeration

1.1.3 Infinite Families

1.1.4 Communication-efficient and Simplified Constructions

1.2 Related Work

2 Overview of Our Techniques

2.1 Ideal PSM: Definition and Characterization

2.2 Enumeration of Ideal PSM Functions

2.3 Infinite Families of Ideal PSM Functions

2.4 Communication-efficient and Simplified PSM Schemes

3 Preliminaries

3.1 Permutation Groups

3.2 Functions

3.3 Private Simultaneous Messages

Definition 1.

4 Ideal PSM

Definition 2.

4.1 Canonical Ideal PSM Schemes

Proposition 3.

Proof.

4.2 Characterization

Lemma 4.

Lemma 5.

Theorem 6.

Proof.

2 ⇒ 1.

1 ⇒ 4.

4 ⇒ 3.

3 ⇒ 2.

5 Enumeration of Ideal PSM Functions

5.1 Asymptotic Upper Bounds

Theorem 7.

Theorem 8.

5.2 Complete Lists of Small Ideal PSM Functions

6 Infinite Families of Ideal PSM Functions

6.1 Group Product

6.2 Private Set Intersection Cardinality

6.3 Index Function

7 Communication-efficient and Simplified PSM Schemes

7.1 Functions with Sparse/Dense Truth-tables

Proposition 9.

Proof.

7.2 Functions with Low-Rank Truth-tables

Proposition 10.

Proof.

7.3 Simplified PSM for General Functions

References

2 $\Rightarrow$ 1.

1 $\Rightarrow$ 4.

4 $\Rightarrow$ 3.

3 $\Rightarrow$ 2.