3

I would like to perform a dot product operation among $m$ parties using Shamir's $(m,m)$ secret sharing that is used for Secure Multiparty Computation.

I am aware that Shamir's $(m,m)$ scheme is additively homomorphic, but can someone please provide an example of how I can use it for multiplicative homomorphism for SMC?

nie_11
  • 83
  • 1
  • 7

1 Answer

3

As far as I know, you cannot do multiplication with $(m,m)$ Shamir secret sharing. The typical method to do multiplication on Shamir secret shares increases the degree of the sharing polynomial, which is why the parties run an additional protocol to reduce the degree. That is why the degree of the sharing polynomial must be less than $m/2$ if there are $m$ parties.

If you indeed need (m,m) (or $m$ out of $m$ parties must be present to do reconstruction and multiplication), and the only operation you need to compute is multiplication (which I'm not sure about since your comments state you want to do multiplication, but your question mentions dot product), then I'd suggest using multiplicative secret sharing.

If instead you need $m$ out of $m$ computation/reconstruction, but need to do both addition and multiplication operations, you'll have to go with some of the newer MPC constructions which achieve full-threshold security (SPDZ and some of its references, or subsequent works which cite it).

mikeazo
  • 38,563
  • 8
  • 112
  • 180
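The multiply-then-reduce procedure the answer describes, as an added simulation that is not part of the original answer or of any library: one Python process plays all $m$ parties over a prime field (the prime $P = 2^{61}-1$, the parameters $m=5$, $t=2$, and the BGW-style resharing used for degree reduction are this example's own choices). It shows that multiplying shares locally yields a degree-$2t$ polynomial, that $2t+1$ points are then needed to reconstruct, that one round of resharing brings the degree back to $t$, that the same machinery gives a dot product (including on boolean inputs, which Shamir sharing handles fine), and that the $(m,m)$ case $t = m-1$ never satisfies $2t < m$.

```python
import secrets

# Constructed choice for this example: a Mersenne prime field Z_P.
P = 2**61 - 1


def share(secret, t, m):
    """Shamir (t+1)-of-m sharing: a random degree-t polynomial f with
    f(0) = secret; party i (i = 1..m) receives the point (i, f(i))."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t)]
    return [(i, sum(c * pow(i, k, P) for k, c in enumerate(coeffs)) % P)
            for i in range(1, m + 1)]


def lagrange_at_zero(xs, j):
    """Lagrange basis coefficient of point xs[j] for evaluation at x = 0."""
    num, den = 1, 1
    for k, xk in enumerate(xs):
        if k != j:
            num = num * (-xk) % P
            den = den * (xs[j] - xk) % P
    return num * pow(den, P - 2, P) % P


def reconstruct(points):
    """Interpolate f(0); correct only if len(points) > deg f."""
    xs = [x for x, _ in points]
    return sum(y * lagrange_at_zero(xs, j) for j, (_, y) in enumerate(points)) % P


def can_multiply(t, m):
    """Local share multiplication gives a degree-2t polynomial, so degree
    reduction (and reconstruction) needs 2t+1 <= m points, i.e. t < m/2.
    For (m,m) sharing t = m-1, which fails for every m >= 2."""
    return 2 * t < m


def local_multiply(a_shares, b_shares):
    """Each party multiplies its own two shares: a share of a*b, but on a
    degree-2t polynomial (no interaction)."""
    return [(x, ya * yb % P) for (x, ya), (_, yb) in zip(a_shares, b_shares)]


def degree_reduce(shares_2t, t, m):
    """BGW-style reduction from degree 2t back to degree t (one round).
    Party j reshares its degree-2t share with a fresh degree-t polynomial;
    party i combines the sub-shares it received with the Lagrange
    coefficients. That map is linear, so the result is a degree-t sharing."""
    assert can_multiply(t, m), "degree reduction needs m > 2t parties"
    xs = [x for x, _ in shares_2t]
    lam = [lagrange_at_zero(xs, j) for j in range(m)]
    resharing = [share(y, t, m) for _, y in shares_2t]  # resharing[j][i]: j -> i
    return [(i + 1, sum(lam[j] * resharing[j][i][1] for j in range(m)) % P)
            for i in range(m)]


def secure_dot_product(vec_a, vec_b, t, m):
    """Dot product on shares: local multiplications, a local sum of the
    degree-2t product shares, then a single degree reduction at the end."""
    acc = [(i, 0) for i in range(1, m + 1)]
    for a, b in zip(vec_a, vec_b):
        for idx, (x, y) in enumerate(local_multiply(share(a, t, m), share(b, t, m))):
            acc[idx] = (x, (acc[idx][1] + y) % P)
    return degree_reduce(acc, t, m)


if __name__ == "__main__":
    t, m = 2, 5  # t = 2 < m/2, so multiplication with reduction works
    prod = local_multiply(share(6, t, m), share(7, t, m))
    print(reconstruct(prod[:2 * t + 1]))                   # 42 from 2t+1 points
    print(reconstruct(degree_reduce(prod, t, m)[:t + 1]))  # 42 from only t+1 points
    print(can_multiply(m - 1, m))                          # False: (m,m) cannot multiply
```

In a real deployment each party holds only its own row of points and the resharing step is a round of private messages; the simulation collapses that into one process but keeps the same arithmetic, so the threshold behaviour it shows (t+1 points of the raw product are not enough, t+1 points after reduction are) is exactly what the parties would see.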
  • Thanks for the info. I agree multiplicative secret sharing would work to multiply the values. However, my scenario has boolean values at each distributed site. In that case, for a '0', if I send shares, one of them will be zero and that will disclose the secret. Any pointers? – nie_11 Apr 11 '14 at 10:15
  • Also could you suggest a paper with the multiplicative secret sharing scheme that you have explained in your earlier post. Thanks. – nie_11 Apr 11 '14 at 11:33
  • 1
    @nie_11 I was never able to find a paper on multiplicative secret sharing which is why I asked about it here. In some sense, multiplicative secret sharing is just additive secret sharing in a multiplicative group. Which leads us to 0 (and something I hadn't thought about previously). If we consider the multiplicative group of integers modulo some $n$, 0 is not in that group. So it makes sense 0 won't work. – mikeazo Apr 11 '14 at 11:53
  • Thanks a ton. That means i have to think of some homomorphic cryptographic scheme which is not something i wanted to do in the first place. – nie_11 Apr 12 '14 at 19:01
  • http://aeolus.ceid.upatras.gr/scientific-reports/3rd_year_reports/sharemind_full.pdf does use multiplicative secret sharing, p. 10 and 21, although it's a different setting. @mikeazo – nie_11 Apr 12 '14 at 19:45
  • You explained the degree reduction step in http://crypto.stackexchange.com/questions/13088/secure-degree-reduction-for-shamirs-secret-sharing. However, can that be used in an SMC setting for secure product where m parties have m secrets that need to be multiplied? If it can, could you please give an example. Thanks @mikeazo :) – nie_11 May 27 '14 at 10:05
  • @nie_11, any number of secrets can be multiplied using this process. You just simply do them 2 at a time. Remember though that the threshold must be no more than half of the total number of parties. – mikeazo May 27 '14 at 11:27
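The multiplicative secret sharing the answer suggests, and the zero problem raised in the comments, as an added example that is not part of the original answer or comments and is not a published scheme's reference code: additive sharing in the multiplicative group $\mathbb{Z}_P^*$ (the prime $P = 2^{61}-1$ and $m = 4$ parties are this example's own choices). Each of the $m$ parties shares its secret $m$-of-$m$, every party multiplies the shares it holds, and the product of the resulting per-party values is the product of all secrets, with no interaction and no degree growth. Because $0 \notin \mathbb{Z}_P^*$, a product of nonzero shares can never be $0$; a sharing of $0$ would therefore have to contain a zero share, which is exactly the leak described in the comments, so the example refuses it.

```python
import secrets

# Constructed choice for this example: shares live in Z_P^* with P prime.
P = 2**61 - 1


def _product(values):
    """Product of a list of field elements modulo P."""
    out = 1
    for v in values:
        out = out * v % P
    return out


def is_shareable(secret):
    """Only nonzero elements are in the multiplicative group Z_P^*. Any
    multiplicative 'sharing' of 0 needs a zero share, and whoever receives
    it learns the secret, which is why boolean 0 cannot be shared this way."""
    return secret % P != 0


def mul_share(secret, m):
    """m-of-m multiplicative sharing: m-1 uniformly random nonzero shares
    plus one correction share so that the product of all m equals secret.
    Any m-1 shares are uniformly distributed and reveal nothing."""
    if not is_shareable(secret):
        raise ValueError("0 is not in Z_P^* and cannot be shared multiplicatively")
    shares = [1 + secrets.randbelow(P - 1) for _ in range(m - 1)]
    shares.append(secret * pow(_product(shares), P - 2, P) % P)  # secret / product
    return shares


def mul_reconstruct(shares):
    """Multiply all m shares to recover the secret (or a product of secrets)."""
    return _product(shares)


def local_product(sharings):
    """Multiplicative homomorphism. sharings[j] is party j's secret shared to
    all m parties; party i multiplies the shares it received from every j and
    holds a share of the product of all secrets, with no interaction."""
    m = len(sharings[0])
    return [_product([row[i] for row in sharings]) for i in range(m)]


if __name__ == "__main__":
    m = 4
    sharings = [mul_share(x, m) for x in (3, 7, 2)]   # three parties' secrets
    print(mul_reconstruct(local_product(sharings)))  # 42 = 3 * 7 * 2
    print(is_shareable(0))                           # False: the boolean-0 problem
```

Contrast with the Shamir case: there 0 is an ordinary field element and is shared without issue, but multiplication costs a degree-reduction round and a threshold below $m/2$; here multiplication is free and $m$-of-$m$ is natural, but the value $0$ (and addition) is out of reach.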