Additive Secret Sharing Scheme

Updated 26 November 2025

Additive Secret Sharing Schemes are cryptographic primitives that split a secret into shares so that only the complete set reconstructs the original value.
They facilitate secure multiparty computation by enabling participants to perform local linear operations without revealing individual secrets.
Variants using additive codes over GF(4) introduce complex access structures and error detection capabilities, enhancing protocol robustness.

Additive Secret Sharing Schemes (ASS) are cryptographic primitives that enable secure and efficient distribution of a secret value among multiple parties such that only the collective combination of all shares reconstructs the original secret, while individual shares reveal no information. In the canonical (2,2)-threshold version, a value $x$ over a field $\mathbb{F}$ is split into two shares $\{r, x - r\}$ , where $r$ is sampled uniformly at random. Additive secret sharing forms the basis of numerous protocols in secure multiparty computation (MPC), offering both simplicity and strong statistical security in the honest-but-curious model. Beyond this, additive secret sharing also appears in more advanced constructions, such as those utilizing additive codes over $GF(4)$ , which introduce nontrivial access structures and require multi-step reconstruction procedures.

Let $\mathbb{F}$ denote a field, which may be $\mathbb{R}$ , a finite field $\mathbb{Z}_p$ , or a ring such as $\mathbb{Z}_{2^\ell}$ . In the standard (2,2)-threshold additive secret sharing scheme, the following algorithms are specified:

ASS.Setup $(1^\lambda)$ : No setup beyond establishing $\mathbb{F}$ is required.
ASS.Share $(x\in\mathbb{F})$ :
- Sample $r \xleftarrow{\$} \mathbb{F} $uniformly at random.</li> <li>Compute$ [x]_1 = r $,$ [x]_2 = x - r $.</li> <li>Output the pair$ \ass{x} = ([x]_1, [x]_2) $.</li> </ul></li> <li><strong>ASS.Recon$ ([x]_1, [x]_2) $</strong>: <ul> <li>Compute$ x = [x]_1 + [x]_2 $.</li> </ul></li> </ul> <p>Correctness holds since$ r + (x - r) = x $. Security against semi-honest adversaries follows as each share is independently and uniformly distributed in$ \mathbb{F} $, statistically hiding$ x $. The scheme generalizes directly to$ n $parties by decomposing$ x $as a sum of$ n $random field elements summing to$ x $(<a href="/papers/2009.05356" title="" rel="nofollow" data-turbo="false" class="assistant-link" x-data x-tooltip.raw="">Xiong et al., 2020</a>).</p> <h2 class='paper-heading' id='security-properties-and-universal-composability'>2. Security Properties and Universal Composability</h2> <p>For any party$ P_i $, the view of its share$ [x]_i $is indistinguishable from a uniformly random element of$ \mathbb{F} $. Theorem 2.1 establishes that there exists a perfect simulator that, on input$ \bot $, outputs a simulated share distributed identically to$ [x]_i $. Thus, in the honest-but-curious adversary model, the scheme achieves strong statistical secrecy.</p> <p>Protocols based on ASS are proven to be Universally Composable (UC) secure in this model. The composability arises since every protocol step either performs only local linear operations on shares or executes a masked value exchange using Beaver triples, which leak no information about the underlying secret due to additive or multiplicative masking (<a href="/papers/2009.05356" title="" rel="nofollow" data-turbo="false" class="assistant-link" x-data x-tooltip.raw="">Xiong et al., 2020</a>).</p> <h2 class='paper-heading' id='multiplicative-secret-sharing-and-share-conversion'>3. Multiplicative Secret Sharing and Share Conversion</h2> <p>While ASS naturally supports addition and affine linear operations, multiplicative homomorphism requires a dual sharing scheme, termed Multiplicative Secret Sharing (<a href="https://www.emergentmind.com/topics/model-set-selection-mss" title="" rel="nofollow" data-turbo="false" class="assistant-link" x-data x-tooltip.raw="">MSS</a>). To multiplicatively share$ u \in \mathbb{F}\setminus\{0\} $between two parties:</p> <ul> <li>Sample$ u_1 \xleftarrow{\$} \mathbb{F}^{\times $.</sup></li> <li>Set$ [u]_1^\times = u_1 $,$ [u]_2^\times = u/u_1 $.</li> <li>The reconstruction is$ u = [u]_1^\times \cdot [u]_2^\times $.</li> </ul> <p>Efficient, constant-round, UC-secure protocols convert between ASS and MSS representations:</p> <ul> <li><strong>SecMulRes</strong> (MSS → ASS): With a shared Beaver triple$ (a,b,c) $($ c = ab $), the parties manipulate their MSS shares and exchange masked deltas to produce an ASS sharing of the product (<a href="/papers/2009.05356" title="" rel="nofollow" data-turbo="false" class="assistant-link" x-data x-tooltip.raw="">Xiong et al., 2020</a>).</li> <li><strong>SecAddRes</strong> (ASS → MSS): Using similar Beaver triple resources, two communication rounds suffice to obtain an MSS sharing from an ASS sharing.</li> </ul> <p>The correctness and UC security of these resharing protocols are formally established in [(<a href="/papers/2009.05356" title="" rel="nofollow" data-turbo="false" class="assistant-link" x-data x-tooltip.raw="">Xiong et al., 2020</a>), Thms. 3.2–3.3].</p> <h2 class='paper-heading' id='arithmetic-protocols-and-functionality'>4. Arithmetic Protocols and Functionality</h2> <p>ASS serves as the foundation for an extensive suite of secure two-party arithmetic protocols. Core functionalities include:</p> <ul> <li><strong>Secure Addition (SecLinear):</strong> Locally compute share-wise sums. No communication is required.</li> <li><strong>Secure Multiplication (SecMul):</strong> Requires a single round and 4 field elements exchanged by utilizing Beaver triples, thus securely evaluating the product of two ASS-shared secrets.</li> <li><strong>Secure Comparison (SecCom):</strong> Involves three protocol rounds and$ 2\ell + 2 $bits of communication for$ \ell $-bit fields.</li> <li><strong>Element-wise Functions:</strong> Secure exponentiation, logarithms, powers, and trigonometric functions are supported, typically requiring a combination of resharing (between ASS and MSS), local computations, and one to three rounds of online communication.</li> </ul> <p>The round complexity and communication costs are tabulated as follows:</p> <div class='overflow-x-auto max-w-full my-4'><table class='table border-collapse w-full' style='table-layout: fixed'><thead><tr> <th>Protocol</th> <th>Rounds</th> <th>Communication</th> </tr> </thead><tbody><tr> <td>SecMul</td> <td>1</td> <td>4$ \ell $</td> </tr> <tr> <td>SecMulRes</td> <td>1</td> <td>2$ \ell $</td> </tr> <tr> <td>SecAddRes</td> <td>2</td> <td>2$ \ell $</td> </tr> <tr> <td>SecCom</td> <td>3</td> <td>2$ \ell $+ 2</td> </tr> <tr> <td>SecExp</td> <td>1</td> <td>2$ \ell $</td> </tr> <tr> <td>SecLog</td> <td>2</td> <td>2$ \ell $</td> </tr> <tr> <td>SecPow</td> <td>3</td> <td>(2n + 2)$ \ell $</td> </tr> <tr> <td>SecSin/SecCos</td> <td>1</td> <td>4$ \ell $</td> </tr> <tr> <td>Division</td> <td>3</td> <td>6$ \ell $</td> </tr> <tr> <td>Product</td> <td>min(3,$ \lceil\log_2 n\rceil $)</td> <td>(2n+2)$ \ell $or (4n-4)$ \ell $</td> </tr> </tbody></table></div> <p>Head-to-head with prior schemes, the ASS-based protocols in (<a href="/papers/2009.05356" title="" rel="nofollow" data-turbo="false" class="assistant-link" x-data x-tooltip.raw="">Xiong et al., 2020</a>) achieve demonstrably lower round and communication complexity for comparison and division functionalities.</p> <h2 class='paper-heading' id='additive-secret-sharing-over-additive-codes'>5. Additive Secret Sharing over Additive Codes</h2> <p>ASS can be instantiated more generally using additive codes over$ GF(4) $, as formalized by Kim and Lee (<a href="/papers/1701.04183" title="" rel="nofollow" data-turbo="false" class="assistant-link" x-data x-tooltip.raw="">Kim et al., 2017</a>). An additive code$ C $of length$ n $over$ GF(4) $is an additive subgroup of$ GF(4)^n $, inherently a vector space over$ GF(2) $with generator matrix$ G $of dimensions$ k\times n $,$ k = \dim_{GF(2)}(C) $. The secret is encoded into the first coordinate$ t_0 $of a codeword$ t = uG $, where$ u $is a random binary information vector constrained so$ u\cdot g_0 = s $for secret$ s $. Each participant$ P_i $receives share$ t_i $.</p> <p>Uniformity of$ u $over the affine hyperplane guarantees that all shares (except$ t_0 $) are independent of$ s $.</p> <h2 class='paper-heading' id='reconstruction-and-access-structures-in-code-based-schemes'>6. Reconstruction and Access Structures in Code-Based Schemes</h2> <p>Unlike linear code-based schemes, additive codes over$ GF(4) $require two rounds for reconstruction. The trace-inner product, using the dual code$ C^\perp $, yields three classes$ H_1, H_2, H_3 $of dual codewords whose first coordinate is$ 1, \omega, \overline{\omega} $, respectively. Each such codeword produces a trace equation$ Q_k $relating to the secret, but only the combination of two independent equations (from distinct$ H_k $) suffices to uniquely recover$ s $. This two-step structure defines the access structure:</p> <ul> <li><strong>Authorized Sets:</strong> Any pair$ (A, B) $with$ A\in TH_i $,$ B\in TH_j $for$ i \neq j $, where$ TH_k $is the collection of supports of codewords in$ H_k $omitting the secret holder.</li> <li><strong>Minimal Access Pairs:</strong> Pairs where neither component strictly contains the support of a smaller dual codeword in$ H_k $.</li> </ul> <p>For self-dual additive codes, minimal access pairs correspond directly to pairs of minimal supports in distinct$ H $-classes.</p> <h2 class='paper-heading' id='applications-performance-and-error-detection'>7. Applications, Performance, and Error Detection</h2> <p>ASS forms the core of secure two-party computation protocols with constant rounds and minimal bandwidth—properties demonstrated in high-throughput cloud computation and other privacy-preserving settings (<a href="/papers/2009.05356" title="" rel="nofollow" data-turbo="false" class="assistant-link" x-data x-tooltip.raw="">Xiong et al., 2020</a>). For code-based variants:</p> <ul> <li><strong>Examples of Additive Codes:</strong> The hexacode ($ n=6 $), dodecacode QC$ _{12} $($ n=12 $), and$ S_{18} $($ n=18 $) illustrate schemes with extremal parameters and access structures matching the properties discussed in (<a href="/papers/1701.04183" title="" rel="nofollow" data-turbo="false" class="assistant-link" x-data x-tooltip.raw="">Kim et al., 2017</a>).</li> <li><strong>Generalized 2-Designs:</strong> The access structures in these schemes are combinatorially uniform, as the supports of codewords form generalized$ t $-designs, ensuring symmetric treatment of all participants.</li> <li><strong>Error Detection:</strong> The minimum distance$ d $of the code determines the tolerance for cheaters: up to$ d-1 $errors can be detected, and up to$ \lfloor(d-1)/2\rfloor $corrected through standard syndrome-based correction.</li> <li><strong>Efficiency:</strong> Reconstruction requires only two rounds of combining traces, with each participating share contributing one bit. This yields computational effort$ O(|S| + |T|)$ for authorized minimal pairs.}
The universality, efficiency, and combinatorial access structures of additive secret sharing ensure its continued relevance in privacy-preserving computation, distributed protocols, and cryptographic design (Xiong et al., 2020, Kim et al., 2017).

PDF Markdown Chat (Pro)

References (2)

1.

Efficient Privacy-Preserving Computation Based on Additive Secret Sharing (2020)

2.

Secret sharing schemes based on additive codes over $GF(4)$ (2017)

Whiteboard

Follow Topic

Get notified by email when new papers are published related to Additive Secret Sharing Scheme (ASS).

Additive Secret Sharing Scheme

1. Formal Structure of Additive Secret Sharing

Sponsor

Whiteboard

Follow Topic

Continue Learning

Related Topics