-
-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* docs/kzg.md * docs/kzg.md * docs/kzg.md * docs/kzg.md * docs/kzg.md * docs/kzg.md * docs/kzg.md * docs/kzg.md * docs/kzg.md * docs/kzg.md * docs/kzg.md * docs/smc.md * docs/smc.md * docs/smc.md * docs/smc.md * docs/smc.md * docs/smc.md * docs/ss.md * docs/ss.md * docs/ss.md * docs/ss.md * docs/ss.md * docs/ss.md * docs/ss.md * docs/ss.md --------- Co-authored-by: Yijun Lee <[email protected]>
- Loading branch information
Showing
5 changed files
with
165 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
69 changes: 69 additions & 0 deletions
69
...acy Enhancing Technologies (PET)/Secret Sharing/Linear Secret Sharing Scheme.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,69 @@ | ||
| # Linear Secret Sharing Scheme (LSSS) | ||
|
|
||
| The **Linear Secret Sharing Scheme (LSSS)** is a cryptographic method that divides a secret into multiple parts, known as *shares*. These shares are distributed among several participants, and the secret can only be reconstructed when a specific group of participants come together. This design ensures that only authorized subsets of participants can access the original secret. | ||
|
|
||
| <br/> | ||
|
|
||
| ## Access Structure | ||
|
|
||
| The **access structure** defines the specific combinations of participants that are allowed to reconstruct the secret. LSSS implements this access structure through linear operations, enabling secure sharing of the secret information and controlling its reconstruction to authorized groups only. | ||
|
|
||
| - Let $\mathcal{P} = {P_1, P_2, \ldots, P_n}$ be a set of participants. | ||
|
|
||
| - $\Gamma \subseteq 2^{{P_1, P_2, \ldots, P_n}}$: A collection of subsets of participants authorized to reconstruct the secret. | ||
|
|
||
|
|
||
| ## Linearity | ||
|
|
||
| The core property of LSSS is **linearity**, which allows valid shares to be combined to reconstruct the secret or to generate new valid shares. For example, the linear combination of share1 and share2 can produce a new valid share. This linearity provides flexibility in designing access structures and enables simple and efficient secret reconstruction through basic operations. | ||
|
|
||
| As a result, LSSS is widely used as a foundational cryptographic method in various Multi-Party Computation (MPC) protocols, such as Shamir's Secret Sharing or additive sharing. | ||
|
|
||
| <br/> | ||
|
|
||
| ## Core Components and Processes | ||
|
|
||
| - **Secret:** $s \in \mathbb{Z}_p$ | ||
| - **Random Values:** $r_2, r_3, \ldots, r_d \in \mathbb{Z}_p$ | ||
|
|
||
| - **Column Vector:** $\vec{v} = (s, r_2, \ldots, r_d)$ | ||
| - **Share Calculation:** $\lambda_i = \langle M_i, \vec{v} \rangle = M_i \cdot \vec{v}$ | ||
| - **Share Distribution:** Each participant $P_i$ receives their share $\lambda_i$. | ||
| - **Linear Reconstruction:** $s = \sum_{i \in S} \omega_i \lambda_i$ | ||
|
|
||
| Here, $S \in \Gamma$ is the set of participants authorized to reconstruct the secret $s$. | ||
|
|
||
| - **Condition:** $\sum_{i \in S} \omega_i M_i = (1, 0, \ldots, 0)$ | ||
|
|
||
| <br/> | ||
|
|
||
| Shares are calculated as linear functions of the secret and random values. This process begins by constructing a vector containing the secret and the random values, which is then multiplied by a pre-defined generator matrix. Each participant receives their share as the result of this computation. | ||
|
|
||
| Individual shares do not reveal any information about the secret. However, participants in an authorized set can collaborate and perform a linear combination of their shares to recover the secret. During reconstruction, the random values cancel out, and mathematically designed weights ensure that only the secret is extracted. | ||
|
|
||
| This mechanism makes LSSS both secure and efficient for secret sharing and reconstruction. | ||
|
|
||
| <br/> | ||
| <br/> | ||
|
|
||
| ### Linear (t, n) Secret Sharing Scheme: | ||
|
|
||
| Linear $(t, n)$ secret sharing scheme is a special type of secret sharing scheme where all the n shares of the secret satisfy a linear relationship. | ||
|
|
||
| A $(t, n)$ secret sharing scheme is a linear secret sharing scheme when the n shares, $v_1, v_2, \ldots, v_n$ can be presented as in Equation | ||
|
|
||
| $(v_1, v_2, \ldots, v_n) = (k_1, k_2, \ldots, k_t) H,$ | ||
|
|
||
| where H is a public $t \times n$ matrix whose any $t \times t$ submatrix is not singular. The vector $(k_1, k_2, \ldots, k_t)$ is randomly chosen by the dealer. | ||
|
|
||
| <br/> | ||
|
|
||
| We can see that [[Shamir’s Secret Sharing Scheme]] is a linear scheme. Let | ||
|
|
||
| $f(x) = a_0 + a_1x + a_2x^2 + \cdots + a_{t-1}x^{t-1}.$ | ||
|
|
||
| The shares $v_i = f(i), i = 1, 2, \ldots, n$ can be presented as in Equation | ||
|
|
||
| $(v_1, v_2, \ldots, v_n) = (a_0, a_1, a_2, \ldots, a_{t-1}) H,$ | ||
|
|
||
| where $h_{i,j} = j^i$ ($h_{i,j}$ denotes the entry at $i$-th row and $j$-th column of matrix $H$). |
62 changes: 62 additions & 0 deletions
62
content/Privacy Enhancing Technologies (PET)/Secret Sharing/Secret Sharing.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,62 @@ | ||
| ## What is secret sharing? | ||
|
|
||
| Secret sharing is an approach that distributes a secret value by using shares, which do not reveal any information about the secret itself. The secret value can only be reconstructed when all shares or a sufficient number of shares are combined. | ||
|
|
||
|
|
||
| **Example:** | ||
|
|
||
| Let's look at how **Additive Secret Sharing** works with an example involving three participants and an addition operation. In this scheme, the secret is divided into m parts, and the secret can only be reconstructed when all parts are combined. | ||
|
|
||
| **Secret Splitting** | ||
|
|
||
| - Choose a secret value. | ||
| - $S = 1337$ | ||
| - Choose $m - 1$ random numbers as shares. | ||
| - $m = 3$ | ||
| - $S_1 = 220$ | ||
| - $S_2 = 540$ | ||
| - Calculate the final share $S_3$. | ||
| - $S = S_1 + S_2 + S_3$ | ||
| - $S_3 = S - (S_1 + S_2) = 1337 - (220 + 540) = 577$ | ||
|
|
||
| Let’s split another secret to perform an addition: | ||
| - $T = 1440$ | ||
| - $T_1 = 118$ | ||
| - $T_2 = 330$ | ||
| - $T_3 = 992$ | ||
|
|
||
| **Share Distribution** | ||
|
|
||
| Distribute the shares to the participants. | ||
| - Participant 1: $S_1$ and $T_1$ | ||
| - Participant 2: $S_2$ and $T_2$ | ||
| - Participant 3: $S_3$ and $T_3$ | ||
|
|
||
| **Perform Operation** | ||
|
|
||
| Each participant can perform the addition locally. | ||
| - $R_1 = S_1 + T_1 = 220 + 118 = 338$ | ||
| - $R_2 = S_2 + T_2 = 540 + 330 = 870$ | ||
| - $R_3 = S_3 + T_3 = 577 + 992 = 1569$ | ||
|
|
||
| **Secret Reconstruction** | ||
|
|
||
| Reconstruct the result from the shares: | ||
| - $R = S + T$ | ||
| - $R = (S_1 + S_2 + S_3) + (T_1 + T_2 + T_3) = (S_1 + T_1) + (S_2 + T_2) + (S_3 + T_3)$ | ||
| - $R = 338 + 870 + 1569 = 2777$ | ||
|
|
||
| <br/> | ||
|
|
||
| The overall secret value $R$ is obtained as the sum of two secret values, $S$ and $T$. | ||
|
|
||
| Each participant performs individual operations using only their own share, and in the final step, all results are combined to reconstruct the final secret. | ||
|
|
||
| In the previous steps, each participant operates solely on their own share, so no information about the input values is exposed. | ||
|
|
||
| <br/> | ||
|
|
||
| ### Index | ||
| - [[Shamir's Secret Sharing Scheme]] | ||
| - [[Linear Secret Sharing Scheme]] | ||
|
|
33 changes: 33 additions & 0 deletions
33
...y Enhancing Technologies (PET)/Secret Sharing/Shamir's Secret Sharing Scheme.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| # Shamir’s Secret Sharing Scheme | ||
|
|
||
| Shamir’s Secret Sharing scheme is an algorithm first proposed by Adi Shamir in 1979. This is a method for securely splitting and managing a secret, where the secret is divided into multiple shares, and only a subset of these shares is required to reconstruct the original secret. The minimum number of shares needed for reconstruction is called the threshold. | ||
|
|
||
|  | ||
|
|
||
| This scheme leverages the Lagrange interpolation theorem. Specifically, it uses the fact that $t$ points of a polynomial uniquely determine a polynomial with degree less than or equal to $t-1$. | ||
|
|
||
| Shamir’s Secret Sharing is a $(t, n)$-threshold scheme based on polynomial interpolation over finite fields. | ||
|
|
||
| The secret $S$ is divided into n parts $(S_1, S_2, \ldots, S_n)$, each of which is referred to as a share. This method satisfies the following two conditions: | ||
|
|
||
| 1. With $t$ or more shares $(S_i)$, the secret $S$ can be calculated. In other words, once $k$ shares are combined, the secret $S$ can be reconstructed in every combination. | ||
|
|
||
| 2. With only $t-1$ or fewer shares $(S_i)$, it is impossible to fully determine the secret $S$. The secret cannot be reconstructed with less than $t$ shares. | ||
|
|
||
| In addition, if $n = t$, then all shares are required to reconstruct the secret $S$. | ||
|
|
||
| <br/> | ||
| Let’s assume the secret $S$ can be represented as an element $a_0$ in a finite field $GF(q)$, where $q$ is a value greater than the number of shares $n$ to be generated. In $GF(q)$, $k-1$ elements $(a_1, a_2, \ldots, a_{t-1})$ are randomly selected, and then a polynomial is constructed as follows: | ||
|
|
||
| $f(x) = a_0 + a_1x + a_2x^2 + a_3x^3 + \cdots + a_{t-1}x^{t-1}$ | ||
|
|
||
| We calculate $n$ points on this polynomial. For example, set $i = 1, 2, \ldots, n$ to find the point $(i, f(i))$. Each participant is given one point (a non-zero input to this polynomial and its corresponding output). | ||
|
|
||
| With any combination of $t$ of these points, the value $a_0$ can be determined through interpolation. | ||
|
|
||
| $a_0 = f(0) = \sum_{j=0}^{t-1} y_j \prod_{\substack{m=0 \\ m \neq j}}^{t-1} \frac{x_m}{x_m - x_j}$ | ||
|
|
||
| In the polynomial, we have $t$ points in the form $(x_i, y_i)$. $f(0)$ corresponds to the first coefficient of the polynomial $f(x)$, which is $a_0$. | ||
|
|
||
| Therefore, when $t$ points are combined, $a_0$ can be calculated using this formula, allowing the reconstruction of the secret $S$. | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters