Homomorphic Secret Sharing (HSS)

Updated 8 December 2025

Homomorphic Secret Sharing (HSS) is a cryptographic scheme that splits private data among multiple parties to enable independent, secure local computations.
It utilizes both linear (e.g., Shamir’s scheme) and nonlinear constructions to realize additive and multiplicative homomorphic operations, ensuring robust information-theoretic privacy.
Advanced HSS variants, including hybrid and verifiable schemes, optimize download rates and context hiding, with applications in secure e-voting, control systems, and machine learning.

Homomorphic secret sharing (HSS) is a class of cryptographic protocols that enables distribution of private input data among multiple parties in such a way that these parties can independently compute (homomorphically) on their respective shares, locally producing output shares, which, when combined, reveal only the computed function value and nothing else about the underlying secrets. HSS improves the efficiency and flexibility of secure multiparty computation and has deep connections with information theory, error-correcting codes, and classical secret sharing. The canonical form of HSS is based on Shamir’s threshold schemes and their additive homomorphism, but the field now includes both linear and nonlinear variants, explicit constructions for arbitrary-degree polynomials, compact two-server solutions, and hybrid schemes leveraging homomorphic encryption.

1. Formal and Information-Theoretic Foundations

A homomorphic secret sharing scheme for $n$ input clients and $m$ servers is specified by a triple $(\mathsf{Share}, \mathsf{Eval}, \mathsf{Dec})$ , where:

$\mathsf{Share}$ : Given $\mathbf{x} \in \mathbb{F}_p^n$ , produces $m$ input shares $(\mathbf{s}_1, ..., \mathbf{s}_m)$ , typically via a randomized process.
$\mathsf{Eval}$ : Each server $j$ uses its share $\mathbf{s}_j$ and a function $f$ (often a polynomial of bounded degree) to compute an output share $y_j = f(\mathbf{s}_j)$ .
$\mathsf{Dec}$ : The output client reconstructs the value $f(\mathbf{x})$ from the vector $(y_1, ..., y_m)$ .

A requirement of information-theoretic HSS is $t$ -privacy: any coalition of at most $t$ out of $m$ servers, when given their shares, cannot infer any information about $\mathbf{x}$ beyond what is revealed by $f(\mathbf{x})$ itself. This property is paramount for secure multiparty computation, confidential outsourced computing, and privacy-preserving data analytics (Feng et al., 1 Dec 2025).

Shamir’s $(t,n)$ scheme forms the archetype for HSS. A dealer encodes a secret $S\in \mathbb{F}_p$ by evaluating a random degree- $(t-1)$ polynomial $f(x)$ with $f(0) = S$ , producing $n$ shares $s_i = f(x_i)$ . The scheme is additively homomorphic: the sum of shares from two shared secrets yields shares of the sum (Binu et al., 2016). Any $t$ shares suffice for reconstruction by Lagrange interpolation.

2. Homomorphic Properties and Context Hiding

The core property of HSS is that local sharewise operations reflect algebra on secrets:

Additive homomorphism: Pointwise addition of shares yields a valid sharing of the sum.
Multiplicative (and higher-degree) homomorphism: For higher-degree polynomials, the design requires more elaborate constructions, sometimes at the cost of efficiency or increased server count.

A central security criterion beyond $t$ -privacy is context hiding (also called symmetric privacy): the output client, given all server output shares, learns only $f(\mathbf{x})$ and nothing else. This property can fail for some functions under naive HSS. For example, in Shamir-based HSS for multilinear monomials of two or more variables, the output shares can leak information distinguishing inputs with identical output (Feng et al., 1 Dec 2025). The context-hiding game formalizes adversarial advantage in distinguishing such cases.

Schemes can enforce context hiding for all functions by “rerandomization” — masking outputs with independent shares of zero. However, such countermeasures increase share size and communication, motivating domain-specific analysis of when rerandomization is necessary.

Function $f$	Context-Hiding in Shamir HSS	Paper
Linear monomials $f(x) = x$	Perfectly context-hiding	(Feng et al., 1 Dec 2025)
Multilinear monomials $f(\mathbf{x}) = x_1\cdots x_d$ , $d \geq 2$	Not context-hiding (over full domain)	(Feng et al., 1 Dec 2025)
$f(x) = x^d$ (single variable)	Perfectly context-hiding	(Feng et al., 1 Dec 2025)
$f(\mathbf{x}) = \prod x_i^{d_i}$ , $\mathbf{x} \in (\mathbb{F}_p^*)^n$	Perfectly context-hiding	(Feng et al., 1 Dec 2025)

Context hiding thus depends on both function structure and domain, and careful scheme selection can optimize both efficiency and privacy.

3. Coding-Theoretic and Linear HSS Framework

Modern linear HSS has a direct equivalence with coding-theoretic objects, especially labelweight codes. In this framework, a linear HSS for $s$ servers and $t$ -privacy, with reconstruction map $\mathsf{Rec}$ , corresponds to a linear code $C \subset \mathbb{F}^n$ of dimension $\ell$ , with a labeling $L: [n] \to [s]$ (mapping coordinates to servers), such that the code’s minimum labelweight is at least $dt + 1$ for degree- $d$ polynomial evaluation. The download rate is $R = \frac{\ell}{n}$ (Blackwell et al., 2023, Blackwell et al., 13 Mar 2024).

Schemes achieving the optimal download rate $R^* = 1 - dt/s$ for degree- $d$ secure polynomial evaluation must amortize over $\ell = \Omega(s \log s)$ instances (via Reed–Solomon or optimal labelweight codes). Algebraic geometry code constructions, e.g. Hermitian and Goppa codes, allow slightly suboptimal rates but achieve linear amortization $\ell = O(s)$ , making HSS more practical for settings with limited batching capacity (Blackwell et al., 13 Mar 2024).

4. Advanced Constructions: Nonlinear, High-Degree Polynomials, and Hybrid HSS

Achieving efficient homomorphic evaluation of high-degree or nonlinear functions requires advanced techniques:

Verifiable HSS (VHSS): Two-server VHSS schemes provide correctness and verifiability for polynomials of degree up to $\text{poly}(\lambda)$ , using public key encryption with homomorphic properties, share verification tags, and efficient distributed decryption (Chen et al., 2021).
Paillier-based HSS with Nonlinear Support (MORSE): MORSE employs a FastPai Paillier variant for two-server subtractive sharing, enabling efficient addition, subtraction, multiplication, scalar multiplication, and secure comparison, using conversion protocols between Paillier ciphertexts and secret shares (Deng et al., 9 Oct 2024).
Pure Secret-Sharing Polynomial Evaluation: For secure control or signal processing, additive HSS in $(2, n+1)$ -sharing enables non-interactive, perfectly-secure polynomial computation with a complexity advantage over HE+SS hybrids (Schlor et al., 2021).
Hybrid HSS+HE Schemes: Combinations, as in CAESAR, use secret sharing for model state privacy and HE for communication-efficient linear algebra in machine learning, leveraging the sparsity of data for communication and computational gains (Chen et al., 2020).

5. Performance, Efficiency, and Download Rate Trade-Offs

Download rate, i.e., the ratio of output length to total share download, is central for HSS practicality. The optimal rate for linear HSS schemes achieving degree- $d$ polynomial evaluation is $R^* = 1 - dt/s$ (Fosli et al., 2021). Coding-theoretic constructions (labelweight codes) precisely characterize when optimal rate is feasible for given server counts and privacy thresholds; for instance, over large enough fields and sufficient amortization, Shamir-based schemes realize $R^*$ (Blackwell et al., 2023).

Recent work demonstrates explicit near-optimal constructions with amortization $O(s)$ and rate losses vanishing as $s \to \infty$ for Hermitian and Goppa codes, while classical linear HSS reaches $R^*$ only for $\ell = \Omega(s \log s)$ . Extensions permit breaking the $1-dt/s$ barrier by sacrificing perfect decoding and allowing negligible error via nonlinear output reconstruction (Fosli et al., 2021).

Construction Type	Download Rate	Minimal Amortization	Reference
Labelweight-optimal (RS)	$1-dt/s$	$\ell = \Omega(s \log s)$	(Blackwell et al., 13 Mar 2024)
Hermitian/AG	$1-dt/s - o(1)$	$O(s)$	(Blackwell et al., 13 Mar 2024)
Nonlinear compressible	$> 1-dt/s$ (tiny err)	$O(1)$	(Fosli et al., 2021)

6. Applications and Efficiency in Practice

HSS finds primary applications in privacy-preserving e-voting, distributed control, and secure machine learning:

Secure e-voting: Additive HSS (Shamir’s scheme) enables efficient, integrity-preserving vote tallying; only a threshold of collection centers can reconstruct results, maintaining vote privacy (Binu et al., 2016).
Encrypted control: Three-party and $n$ -party additive HSS schemes evaluate polynomial feedback with orders-of-magnitude speedup over HE-based methods (Schlor et al., 2021).
Privacy-preserving ML: Schemes like CAESAR exploit the communication efficiency of HE for sparse linear algebra and the security guarantees of secret sharing for model state and gradient privacy (Chen et al., 2020).
Efficient nonlinear operations: MORSE achieves fast secure comparison and multiplication with up to $9 \times$ speedup in secure multiplication and $16\%$ reduced communication over previous Paillier-based HSS (Deng et al., 9 Oct 2024).

7. Open Directions, Limitations, and Research Frontiers

Numerous research problems and limitations remain:

Functionality restrictions: Existing linear HSS covers polynomials; full support for general non-linearities is an ongoing challenge, with rerandomization or hybrid protocols providing only partial solutions (Feng et al., 1 Dec 2025).
Context hiding trade-offs: Ensuring context hiding for all functions (not just most monomials) typically incurs communication and decoding overhead (Feng et al., 1 Dec 2025).
Malicious security: Most schemes provide only semi-honest or passive-adversary guarantees. Achieving active security requires costly MACs or zero-knowledge proofs (Schlor et al., 2021).
Parameter selection and field arithmetic: Fixed-point, quantization, and arithmetic circuit depth must be tightly controlled for deployment in practice (Chen et al., 2021).
Connections to the MDS conjecture: Coding-theoretic optimality barriers for download rate are tied to longstanding questions in coding theory, specifically MDS code constructions over finite fields (Blackwell et al., 2023).

Future research targets context hiding for general low-degree polynomials, efficient support for dynamic and branching computations, compact batch-optimized schemes, and seamless integration with advanced cryptographic primitives (e.g., KZG, multi-key HSS) (Feng et al., 1 Dec 2025, Blackwell et al., 13 Mar 2024). Advances in coding theory may further improve the amortization and efficiency frontier of HSS.

References:

(Binu et al., 2016) Secret Sharing Homomorphism and Secure E-voting
(Feng et al., 1 Dec 2025) On the Context-Hiding Property of Shamir-Based Homomorphic Secret Sharing
(Schlor et al., 2021) Multi-party computation enables secure polynomial control based solely on secret-sharing
(Chen et al., 2021) Two-Server Verifiable Homomorphic Secret Sharing for High-Degree Polynomials
(Blackwell et al., 13 Mar 2024) Improved Trade-offs Between Amortization and Download Bandwidth for Linear HSS
(Fosli et al., 2021) On the Download Rate of Homomorphic Secret Sharing
(Chen et al., 2020) When Homomorphic Encryption Marries Secret Sharing: Secure Large-Scale Sparse Logistic Regression and Applications in Risk Control
(Blackwell et al., 2023) A Characterization of Optimal-Rate Linear Homomorphic Secret Sharing Schemes, and Applications
(Deng et al., 9 Oct 2024) MORSE: An Efficient Homomorphic Secret Sharing Scheme Enabling Non-Linear Operation