0

Taking into account this paper I will write here a definition that the authors provide.

$\textbf{Definition:}$ (linear secret sharing scheme). A $(t,n)$ secret sharing scheme is a linear secret sharing scheme when the $n$ shares, $v_1,v_2,...,v_n$ can be presented as in Equation $\ref{5}$

$$(v_1,v_2,...,v_n)=(k_1,k_2,...,k_t)H,\label{5}\tag{5}$$

where $H$ is a public $t \times n$ matrix whose any $t \times t$ submatrix is not singular. The vector $(k_1,k_2,...,k_n)$ is randomly chosen by the dealer.

According to Definition, we can see that Shamir’s $(t, n)$ secret sharing scheme is a linear scheme. Let

$$f(x)=a_0+a_1x+\cdots+a_{t-1}x^{t-1}, \label{6}\tag{6}$$

The shares $v_i = f(i)$, $i = 1, 2, ..., n$ can be presented as in Equation $\ref{7}$

$$(v_1,v_2,...,v_n)=(a_0,a_1,...,a_{t-1})H,\label{7}\tag{7}$$

How is $\ref{7}$ equivalent to $\ref{6}$? In some definitions it quotes $y_i= f(x_i)$ or $y_i= f(x_i)\bmod{p}$; how do they differ from $\ref{7}$?

kelalaka
Hunger Learn

1 Answer

1

Well, one can assign shares as $v_i=f(x_i)$ or $v_i=f(i)$; as long as the $x_i$ are distinct, it will work. The authors chose to use $v_i=f(i)$.

The observation that Shamir secret sharing is linear follows directly by using the definition of matrix multiplication. There is a typo in the paper, though: the matrix entry quoted should be $h_{i,j}=j^{i-1}$, and they missed a minus sign in the paper.


kodlu
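The equivalence discussed above can be checked numerically. The following is an added example, not code from the paper or from the answer: it builds $H$ with $h_{i,j}=j^{i-1} \bmod p$, computes the shares both as the vector-matrix product of Equation (7) and by evaluating $f(i)$ from Equation (6), and tests the "every $t \times t$ submatrix is non-singular" condition. The prime 1613 and the coefficients used in the test are constructed sample values, and all function names are hypothetical.

```python
from itertools import combinations

P = 1613  # constructed sample prime modulus (assumption, not from the paper)

def vandermonde(t, n, p=P):
    """t x n matrix H with h_{i,j} = j^(i-1) mod p (1-based i, j)."""
    return [[pow(j, i, p) for j in range(1, n + 1)] for i in range(t)]

def shares_by_matrix(coeffs, n, p=P):
    """Equation (7): (v_1..v_n) = (a_0..a_{t-1}) H over GF(p)."""
    H = vandermonde(len(coeffs), n, p)
    return [sum(a * H[i][j] for i, a in enumerate(coeffs)) % p for j in range(n)]

def shares_by_poly(coeffs, n, p=P):
    """Equation (6): v_i = f(i) mod p, evaluated with Horner's rule."""
    out = []
    for x in range(1, n + 1):
        acc = 0
        for a in reversed(coeffs):
            acc = (acc * x + a) % p
        out.append(acc)
    return out

def det_mod(M, p=P):
    """Determinant over GF(p) by Gaussian elimination."""
    M = [row[:] for row in M]
    det = 1
    for c in range(len(M)):
        piv = next((r for r in range(c, len(M)) if M[r][c]), None)
        if piv is None:
            return 0  # no pivot in this column: matrix is singular
        if piv != c:
            M[c], M[piv] = M[piv], M[c]
            det = -det
        det = det * M[c][c] % p
        inv = pow(M[c][c], -1, p)  # modular inverse (Python 3.8+)
        for r in range(c + 1, len(M)):
            f = M[r][c] * inv % p
            M[r] = [(a - f * b) % p for a, b in zip(M[r], M[c])]
    return det % p

def all_submatrices_invertible(t, n, p=P):
    """True iff every t x t column-submatrix of H is non-singular mod p."""
    H = vandermonde(t, n, p)
    return all(det_mod([[H[i][j] for j in cols] for i in range(t)], p)
               for cols in combinations(range(n), t))
```

With $p=5$ and $n=6$ the evaluation points 1 and 6 coincide modulo $p$, so the submatrix condition fails; this is the "distinct $x_i$" requirement from the answer.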