13

I understand the basic Shamir Secret Sharing protocol, and when two shares are multiplied, the degree of the polynomial increases. I've seen in a number of papers a reference to a degree reduction protocol that can be performed to securely reduce the degree back to the original $t$. Yet I cannot find this construction anywhere. Could someone explain to me how the degree reduction is done and/or point me to a paper which describes the details?

Ilmari Karonen
user3225551

2 Answers

13

The process is pretty simple. As you say, each party multiplies their two shares. They then use Shamir secret sharing to share the resulting value with the other parties. Once they have received a "subshare" from each other party, each party simply runs Lagrangian interpolation on the subshares they received (plus their own subshare). The result is a share of the product of the two inputs with the proper degree for the sharing polynomial.

I'll illustrate it with a simple example. Say we have shared two secrets ($5$ and $2$) with three parties as follows. Math done in $\mathbb{Z}_{11}$.

$\sigma_1(x) = 5 + 8x$
$\sigma_2(x) = 2 + 9x$

So the shares of 5 that the parties hold are 2, 10, 7.
The shares of 2 are 0, 9, 7.

So, each party multiplies their shares. The new shares are 0, 2, 5.

They each share these using new polynomials

$\sigma_3(x) = 0 + 3x$ for party 1
$\sigma_4(x) = 2 + 6x$ for party 2
$\sigma_5(x) = 5 + 2x$ for party 3

Which generate subshares: (3, 6, 9); (8, 3, 9); (7, 9, 0)

Thus, after distributing the shares, party 1 holds (3,8,7); party 2 holds (6,3,9); and party 3 holds (9,9,0).

After interpolation, the shares held by the parties are 3, 7, 0. Interpolating these to get the constant term gives us 10 as expected.

mikeazo
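The degree reduction described in the answer above, run on its own numbers, as an added example that is not part of the original answer. The function names are assumptions of this example, the resharing polynomials are fixed to the answer's values rather than drawn at random, and it uses n = 3 parties with degree t = 1, so the degree-2 product polynomial is still determined by three points.

```python
P = 11            # field modulus used in the answer
XS = [1, 2, 3]    # party i holds the evaluation at x = i

def evaluate(coeffs, x, p=P):
    """Evaluate a polynomial (constant term first) at x, mod p."""
    return sum(c * pow(x, k, p) for k, c in enumerate(coeffs)) % p

def share(coeffs, xs=XS, p=P):
    """Shares of coeffs[0]: one evaluation per party."""
    return [evaluate(coeffs, x, p) for x in xs]

def lagrange_at_zero(xs, p=P):
    """Public coefficients l_i with f(0) = sum(l_i * f(x_i)) for deg f < len(xs)."""
    out = []
    for i, xi in enumerate(xs):
        num = den = 1
        for j, xj in enumerate(xs):
            if j != i:
                num = num * (-xj) % p
                den = den * (xi - xj) % p
        out.append(num * pow(den, -1, p) % p)
    return out

def reconstruct(shares, xs=XS, p=P):
    """Interpolate the constant term from shares held at points xs."""
    return sum(l * s for l, s in zip(lagrange_at_zero(xs, p), shares)) % p

def degree_reduce(product_shares, resharing_polys, xs=XS, p=P):
    """Party i reshares its local product with a degree-t polynomial whose
    constant term is that product; party j then combines the subshares it
    received with the Lagrange coefficients, giving a degree-t share."""
    for d, poly in zip(product_shares, resharing_polys):
        if poly[0] % p != d % p:
            raise ValueError("resharing polynomial must hide the product share")
    sub = [share(poly, xs, p) for poly in resharing_polys]  # sub[i][j]: from i to j
    lam = lagrange_at_zero(xs, p)
    n = len(xs)
    return [sum(lam[i] * sub[i][j] for i in range(n)) % p for j in range(n)]

def run_example():
    a = share([5, 8])                        # sigma_1: shares of 5
    b = share([2, 9])                        # sigma_2: shares of 2
    prod = [x * y % P for x, y in zip(a, b)] # local multiplication, degree 2
    new = degree_reduce(prod, [[0, 3], [2, 6], [5, 2]])  # sigma_3..sigma_5
    return a, b, prod, new, reconstruct(new)

if __name__ == "__main__":
    print(run_example())
```

Because the reduced shares lie on a degree-1 polynomial again, any two of them are enough to reconstruct the product.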
2

This degree-reduction construction has a chance to be re-invented, still a reference would be "Simplified VSS and fast-track multiparty computations with applications to threshold cryptography".

Vadym Fedyukovych