I understand the basic Shamir Secret Sharing protocol, and when two shares are multiplied, the degree of the polynomial increases. I've seen in a number of papers a reference to a degree reduction protocol that can be performed to securely reduce the degree back to the original $t$. Yet I cannot find this construction anywhere. Could someone explain to me how the degree reduction is done and/or point me to a paper which describes the details?

- Did you look at this one? – DrLecter Jan 23 '14 at 17:45
2 Answers
The process is pretty simple. As you say, each party multiplies their two shares. They then use Shamir secret sharing to share the resulting value with the other parties. Once they have received a "subshare" from each other party, each party simply runs Lagrangian interpolation on the subshares they received (plus their own subshare). The result is a share of the product of the two inputs with the proper degree for the sharing polynomial.
I'll illustrate it with a simple example. Say we have shared two secrets ($5$ and $2$) with three parties as follows. Math done in $\mathbb{Z}_{11}$.
$\sigma_1(x) = 5 + 8x$
$\sigma_2(x) = 2 + 9x$
So the shares of 5 that the parties hold are 2, 10, 7.
The shares of 2 are 0, 9, 7.
So, each party multiplies their shares. The new shares are 0, 2, 5.
They each share these using new polynomials
$\sigma_3(x) = 0 + 3x$ for party 1
$\sigma_4(x) = 2 + 6x$ for party 2
$\sigma_5(x) = 5 + 2x$ for party 3
Which generate subshares: (3, 6, 9); (8, 3, 9); (7, 9, 0)
Thus, after distributing the shares, party 1 holds (3,8,7); party 2 holds (6,3,9); and party 3 holds (9,9,0).
After interpolation, the shares held by the parties are 3, 7, 0. Interpolating these to get the constant term gives us 10 as expected.

- I followed until the last line. Where does 3,7,0 come from? Thank you! – user3225551 Jan 24 '14 at 02:44
- Party 1 interpolates the subshares it holds and gets 3, party 2 does the same and gets 7, etc. – mikeazo Jan 24 '14 at 03:22
- Thank you very much! What is the source for this protocol? (I was looking at the one in the paper that was referenced in the comments on this question, and it seems much more complicated.) – user3225551 Jan 24 '14 at 04:07
- @user3225551 it should be in the referenced paper. That paper gives 2 MPC protocols. One in the honest-but-curious (semi-honest) model. That is the one that works as I described. The other is in the malicious model which is much more complicated. Their explanation of the multiplication step is just presented in a different manner. See also this. – mikeazo Jan 24 '14 at 13:23
- Thanks. Doing everything in Z11 and making the math simple is a gem for explaining the process. I'm asking all my team members who might not be up to speed on this to read it. – Erik Aronesty Nov 07 '19 at 15:39
- @mikeazo Thank you for the answer! Though I do have a quick question: Why can we use the (3,8,7) or (6,9,3) or (9,9,0) in the first place? Focusing on (3,8,7), each number represents the evaluation of a different polynomial at the same point, 1 in this case. I.e 3 = sigma_3(1), 8 = sigma_4(1), and 7 = sigma_5(1). So when you say "interpolate the shares held by the parties" and get "3" when interpolating (3,8,7) why should anyone expect that this is a share of the secret A*B=10? Heck, to get "3" when interpolating (3,8,7) you had to assume 8 and 7 were the outputs of the interpolation poly ... – z.karl Apr 29 '20 at 05:02
- @mikeazo ... at 2 and 3, respectively. This is not at all obvious, b/c the 8 and 7 in question were generated by completely different polynomials evaluated at the same point, x=1. Thanks again for your answer, but it really doesn't make any sense why we are allowed to abuse the shares of sigma's 3, 4, and 5 for any other purpose than reconstructing sigma_3,_4,_5. – z.karl Apr 29 '20 at 05:06
- @z.karl, I'll try to get an answer to you, but you are probably best off starting a new question on the site so that others see it too. The question and answer are over 6 years old. – mikeazo Apr 29 '20 at 17:34
- @mikeazo Thanks :) I'm amazed that I even got a reply, seeing as it's been that long XD I'll try and ask a question about it! – z.karl May 01 '20 at 06:43
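
The exchange in the answer above, written out for $n$ parties and threshold $t$ as an added example (not code from the original post). All function names are assumptions, and the re-sharing polynomials are passed in explicitly so the answer's numbers can be reproduced; a real run would draw their non-constant coefficients at random.

```python
P = 11  # field modulus used in the answer's example (Z_11)

def evaluate(coeffs, x, p=P):
    """Evaluate a polynomial at x mod p; coeffs[0] is the constant term."""
    return sum(c * pow(x, k, p) for k, c in enumerate(coeffs)) % p

def lagrange_at_zero(xs, p=P):
    """Public coefficients lambda_i with f(0) = sum(lambda_i * f(x_i))."""
    lams = []
    for i, xi in enumerate(xs):
        num = den = 1
        for j, xj in enumerate(xs):
            if i != j:
                num = num * (-xj) % p
                den = den * (xi - xj) % p
        lams.append(num * pow(den, -1, p) % p)
    return lams

def interpolate_zero(xs, ys, p=P):
    return sum(l * y for l, y in zip(lagrange_at_zero(xs, p), ys)) % p

def multiply_shares(a_shares, b_shares, reshare_polys, p=P):
    """Degree reduction for parties 1..n (semi-honest model).
    reshare_polys[i] is the degree-t polynomial party i+1 uses to re-share
    its local product. Hypothetical helper: polynomials are passed in so the
    run is reproducible; in practice their non-constant terms are random."""
    n, t = len(a_shares), len(reshare_polys[0]) - 1
    if n < 2 * t + 1:
        raise ValueError("need n >= 2t+1 points for the degree-2t product")
    xs = list(range(1, n + 1))
    products = [a * b % p for a, b in zip(a_shares, b_shares)]
    for prod, poly in zip(products, reshare_polys):
        if len(poly) != t + 1 or poly[0] % p != prod:
            raise ValueError("polynomial must have degree t and hide the product")
    # received[j][i] = sigma_i(j+1): the subshare party i+1 sends to party j+1
    received = [[evaluate(poly, x, p) for poly in reshare_polys] for x in xs]
    # Party j outputs sum_i lambda_i * sigma_i(j), i.e. the single degree-t
    # polynomial sum_i lambda_i * sigma_i evaluated at j. Its constant term is
    # sum_i lambda_i * product_i, the degree-2t product polynomial at 0 = a*b.
    new_shares = [interpolate_zero(xs, row, p) for row in received]
    return received, new_shares

def demo():
    xs = [1, 2, 3]
    a = [evaluate([5, 8], x) for x in xs]  # shares of 5 from the answer
    b = [evaluate([2, 9], x) for x in xs]  # shares of 2 from the answer
    received, new = multiply_shares(a, b, [[0, 3], [2, 6], [5, 2]])
    return a, b, received, new, interpolate_zero(xs[:2], new[:2])

if __name__ == "__main__":
    print(demo())
```

The new shares lie on a degree-$t$ polynomial, so any $t+1$ of them (two here) reconstruct the product.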
This degree-reduction construction has a chance to be re-invented, still a reference would be "Simplified VSS and fast-track multiparty computations with applications to threshold cryptography".
