<h1 style="text-align:center;">Secret Sharing for secure and distributed storage</h1> 


## 1. Introduction

Introduced in [1] and [2], secret sharing is a cryptographic protocol used to divide a confidential information, referred to as the "secret", into multiple shares and distribute them in group of participants such that a minimum number of shares are needed to reconstruct the secret. 

The main idea is to use polynomials over finite fields, since polynomials provide a simple and efficient way of generating and combining secret shares such as solving linear systems or taking a polynomial interpolation. Furthermore, finite fields will provide algebraic and statistical properties that make secret sharing schemes perfectly secure from a information theory perspective, as we'll see in more detail later.

## 2. Finite Fields

In order to present secret sharing, it will be sufficient to give an overview of a particularly simple and important category of finite fields, the prime fields or the field of remainders in modulo $p$ where $p$ is prime, but first, let us remember the definition of a field.

**Definition 2.1:** A **field** is a set $\mathbb{F}$ with two binary operation called addition $(+)$ and multiplication $(*)$ that satisfies the following properties $\forall a,b,c \in \mathbb{F}$:

1. **Closure:** The addition and multiplication of any elements in $\mathbb{F}$ belongs to $\mathbb{F}$.
2. **Associativity:** $(a+b)+c=a+(b+c)$ and $(a*b)*c=a*(b*c)$.
3. **Identity:** There is an element $0 \in \mathbb{F}$ with respect to the addition and $1 \in \mathbb{F}$ with respect to the multiplication such that $a+0 = 0+a = a$ and $a*1 = 1*a = a$.
4. **Inverse:** There is a elements $a' \in \mathbb{F}$ such that $a+ a' = a'+ a = 0$. There is a element $a'' \in \mathbb{F}$ for $a \neq 0$ such that $a*a'' = a''*a = 1$.
5. **Commutative:** $a*b=b*a$.
6. **Distributive:** $a*(b+c)=(a*b)+(a*c)$.

**Definition 2.2:** Let $p \in \mathbb{Z}$ be a prime number. The **field of remainders in modulo $\mathbf{p}$** is a set 
\begin{align*}
    \mathbb{Z}_p=\{\overline{0},\overline{1},...,\overline{p-1}\}
\end{align*}
where the operations are defined as, for $\overline{a},\overline{b} \in \mathbb{Z}_p$, we do the usual addition of $\mathbb{Z}$, divide $(a+b)$ by $p$ to get the remainder $0\leq r \leq p-1$ and define $\overline{a+b}=\overline{r}$. We define multiplication in the same way.

**Example 2.1:** The operations in $\mathbb{Z}_{2}= \{\overline{0},\overline{1}\}$ are defined in the tables below:
$$
\begin{aligned}
\begin{array}{|c|c|c|}
\hline \text {+} & \overline{0} & \overline{1} \\
\hline \overline{0} & \overline{0} & \overline{1} \\
\overline{1} & \overline{1} & \overline{0} \\
\hline
\end{array}
\ \ \ \ \ \ \ \ \ \ \ \ \         
\begin{array}{|c|c|c|}
\hline \text {*} & \overline{0} & \overline{1} \\
\hline \overline{0} & \overline{0} & \overline{0} \\
\overline{1} & \overline{0} & \overline{1} \\
\hline
\end{array}
\end{aligned}
$$

**Example 2.2:** The operations in $\mathbb{Z}_{3}= \{\overline{0},\overline{1},\overline{2}\}$ are defined in the tables below:
$$
\begin{aligned}
\begin{array}{|c|c|c|c|}
\hline \text {+} & \overline{0} & \overline{1} & \overline{2} \\
\hline \overline{0} & \overline{0} & \overline{1} & \overline{2} \\
\overline{1} & \overline{1} & \overline{2} & \overline{0} \\
\overline{2} & \overline{2} & \overline{0} & \overline{1} \\
\hline
\end{array}
\ \ \ \ \ \ \ \ \ \ \ \ \         
\begin{array}{|c|c|c|c|}
\hline \text {*} & \overline{0} & \overline{1} & \overline{2} \\
\hline \overline{0} & \overline{0} & \overline{0} & \overline{0} \\
\overline{1} & \overline{0} & \overline{1} & \overline{2} \\
\overline{2} & \overline{0} & \overline{2} & \overline{1} \\
\hline
\end{array}
\end{aligned}
$$

**Example 2.3:** The operations in $\mathbb{Z}_{5}= \{\overline{0},\overline{1},\overline{2},\overline{3},\overline{4}\}$ are defined in the tables below:
$$
\begin{aligned}
\begin{array}{|c|c|c|c|c|c|}
\hline \text {+} & \overline{0} & \overline{1} & \overline{2} & \overline{3} & \overline{4} \\
\hline \overline{0} & \overline{0} & \overline{1} & \overline{2} & \overline{3} & \overline{4} \\
\overline{1} & \overline{1} & \overline{2} & \overline{3} & \overline{4} & \overline{0} \\
\overline{2} & \overline{2} & \overline{3} & \overline{4} & \overline{0} & \overline{1} \\
\overline{3} & \overline{3} & \overline{4} & \overline{0} & \overline{1} & \overline{2} \\
\overline{4} & \overline{4} & \overline{0} & \overline{1} & \overline{2} & \overline{3} \\
\hline
\end{array}
\ \ \ \ \ \ \ \ \ \ \ \ \         
\begin{array}{|c|c|c|c|c|c|}
\hline \text {*} & \overline{0} & \overline{1} & \overline{2} & \overline{3} & \overline{4} \\
\hline \overline{0} & \overline{0} & \overline{0} & \overline{0} & \overline{0} & \overline{0} \\
\overline{1} & \overline{0} & \overline{1} & \overline{2} & \overline{3} & \overline{4} \\
\overline{2} & \overline{0} & \overline{2} & \overline{4} & \overline{1} & \overline{3} \\
\overline{3} & \overline{0} & \overline{3} & \overline{1} & \overline{4} & \overline{2} \\
\overline{4} & \overline{0} & \overline{4} & \overline{3} & \overline{2} & \overline{1} \\
\hline
\end{array}
\end{aligned}
$$

There are two other generic notations for finite fields, $GF(q)$ and $\mathbb{F}_q$, as there are other types of finite fields. For our purposes, we will use the notation $GF(q)$ where $GF(p)=\mathbb{Z}_p$ if $p$ is prime. We adopt this convention because we will use a library called "galois" to present the implementations. Furthermore, to avoid confusion with the library notation, we will omit the slashes above the elements, denoting $\overline{x} \in GF(p)$ by $x$. 

**Remark 2.1:** The name "galois" comes from the famous mathematician Évariste Galois, known for his fundamental contributions to group theory, which has a significant importance in the study of finite fields. "$GF$" is equivalent to Galois Field.

The library provides many interesting things for implementing codes using finite fields arithmetic, learning about finite field theory (for example, the non-prime finite fields), provide error correction codes, etc. We can install galois from PyPI running "pip install galois" in the terminal. So, let us consider some examples that will be useful for learning some functions which we will use later.

**Example 2.4:** A finite field is defined using the command "galois.GF($q$)" where $q$ is the number of elements in your field.

In [2]:
import galois

GF2 = galois.GF(2)
print(GF2)

GF3 = galois.GF(3)
print(GF3)

<class 'galois.GF(2)'>
<class 'galois.GF(3)'>


**Example 2.5:** An element $x$ of a finite field $GF(q)$ for $0 \leq x \leq q-1$ can be represented as follows:

In [3]:
GF3 = galois.GF(3)
x = GF3(2)
print(x)
print(type(x))
print(type(2))

2
<class 'galois.GF(3)'>
<class 'int'>


**Example 2.6:** The operations of addition and multiplication are accepted if the elements belong to the same finite field:

In [9]:
GF3 = galois.GF(3)
x = GF3(2)
y = GF3(1)
print('The addition result is', x+y)
print('The multiplication result is', x*y)

The addition result is 0
The multiplication result is 2


The galois library also offers perfect integration with the NumPy library, which provides functions for performing operations with arrays, polynomial interpolations, solving linear systems, etc. (NumPy can be installed by running "pip install numpy" in the terminal)

**Example 2.7:** Any numpy array can be converted to a array over finite fields if the entries are elements $x \in GF(q)$:

In [8]:
import numpy as np

GF5 = galois.GF(5)
v = np.array([1, 2, 4])
print(type(v))
v = GF5(v)
print(type(v))
print(v)

<class 'numpy.ndarray'>
<class 'galois.GF(5)'>
[1 2 4]


**Example 2.8:** We can solve a linear system over finite fields as follows:

In [10]:
GF5 = galois.GF(5)
A = GF5(np.array([[1,1,1],[1,2,4],[1,3,4]]))
b = GF5(np.array([0, 2, 2]))
x = np.linalg.solve(A, b)
print('The solution for the matrix equation Ax = b is x =', x)
print(type(x))

The solution for the matrix equation Ax = b is x = [1 0 4]
<class 'galois.GF(5)'>


**Example 2.9:** The inverse of any non-singular square matrix (non-zero determinant) over finite fields is obtained using the following function:

In [11]:
GF5 = galois.GF(5)
A = GF5(np.array([[1,1,1],[1,2,4],[1,3,4]]))
inv_A = np.linalg.inv(A)
print(inv_A)
print(type(inv_A))

[[3 2 1]
 [0 4 1]
 [3 4 3]]
<class 'galois.GF(5)'>


We can verify the result by multiplying matrix A by the inverse of A to obtain the identity matrix:

In [12]:
I = np.dot(A, inv_A)
print(I)
print(type(I))

[[1 0 0]
 [0 1 0]
 [0 0 1]]
<class 'galois.GF(5)'>


More information about the library galois can be found in https://pypi.org/project/galois/ and NumPy in https://numpy.org.

## 3. Secret Sharing

Let us begin the Secret Sharing section with a simple example.

**Example 3.1:** An individual wants to store a secret in a group of two participants that do not communicate, i.e., do not contribute to obtain information about the secret. For secure storage, each participant receives a secret share. The sharing process must be done in such a way that no participant can deduce any information about the secret only with their sharing and only in the presence of both sharers, the secret can be completely determined. This problem can be solved using a secret sharing scheme as shown below:

- **Step 1:** If $S \in GF(3)$ is the secret, choose $R \in GF(3)$ uniformly at random, i.e., $R$ can assume any value of $GF(3)$ with equal probability. For example, we can use function "Random()" from galois library which when executed generates a random element of the finite field:


In [13]:
GF3 = galois.GF(3)
R = GF3.Random()
print(R)

0


- **Step 2:** Define the polynomial $f(x)=S+Rx$ over the finite field $GF(3)$.

- **Step 3:** Send participant 1 the evaluation $f(1)=S+R$ and participant 2 the evaluation $f(2)=S+2R$. These evaluations will be the shares that each participant receives.

For example, suppose that $S=2 \in GF(3)$. A possible scenario for shares definition is as follows:

In [20]:
S = GF3(2)
R = GF3.Random()
print('The value of the random variable R is', R)
print('')
f_1 = S + R
f_2 = S + GF3(2) * R
print('Participant 1 receives the share', f_1)
print('Participant 2 receives the share', f_2)

The value of the random variable R is 0

Participant 1 receives the share 2
Participant 2 receives the share 2


Note that when the individual wants to reconstruct the secret $S \in GF(3)$, since the shares $f(1)$ and $f(2)$ are known, he just has to do 
\begin{align*}
    2f(1)+2f(2)=2(S+R)+2(S+2R)=2S+2S+2R+R=S
\end{align*}

If we follow the previous example where $S=2 \in GF(3)$, we can do

In [21]:
S = GF3(2) * f_1 + GF3(2) * f_2 
print('The secret is', S)

The secret is 2


In other words, the problem for reconstruct the secret can be summarized by solving the linear system over the finite field $GF(3)$ as below:
$$
\begin{bmatrix}
    1 & 1 \\
    1 & 2
\end{bmatrix}

\begin{bmatrix}
    S \\
    R
\end{bmatrix}
=
\begin{bmatrix}
    f(1) \\
    f(2)
\end{bmatrix}
$$
where the $2 \times 2$ matrix is invertible (non-zero determinant), which implies that the system has a unique solution. We can quickly check by computing the determinant with NumPy:

In [22]:
det = np.linalg.det(GF3(np.array([[1, 1], [1, 2]])))
print('The determinant is', det)

The determinant is 1


Then, another possibility could be to calculate the inverse of the matrix of coefficients $2 \times 2$:

In [23]:
inv = np.linalg.inv(GF3(np.array([[1, 1], [1, 2]])))
print(inv)

[[2 2]
 [2 1]]


and obtain $S$ by multiplying the first line of the inverse by the vector $[f(1),f(2)]^t \in GF(3)^2$:
$$
\begin{bmatrix}
    S \\
    R
\end{bmatrix}
=
\begin{bmatrix}
    2 & 2 \\
    2 & 1
\end{bmatrix}

\begin{bmatrix}
    f(1) \\
    f(2)
\end{bmatrix}
$$

$$
\begin{bmatrix}
    S \\
    R
\end{bmatrix}
=
\begin{bmatrix}
    2f(1)+2f(2) \\
    2f(1)+f(2)
\end{bmatrix}
$$

In terms of statistics, this is equivalent to say that the probability of getting $S$ given that one has the evaluations $f(1)$ and $f(2)$ is 1, i.e., 
\begin{align*}
    Pr[S=s|f(1)=t_1,f(2)=t_2]=
    \begin{cases}
        1, & \text{if} \ s=2t_1+2t_2, \forall t_1,t_2 \in GF(3). \\
        0, & \text{otherwise}.
        \end{cases}
\end{align*}

Therefore, the scheme has the property known as Decodability, since it is possible to decode the secret $S \in GF(3)$ from the shares $f(1)$ and $f(2)$.

Now, we check why the scheme keeps the secret secure. 

In information theory perspective, a secret is perfectly secure if the secret can assume any possible element with same probability. Initially, since no participant has any information about $S$, the probability of obtaining $S$ is uniform for any value in $GF(3)$, because $S$ is undetermined. After sending the shares, note that each participant $i \in \{1,2\}$ only observes the share $f(i)$ created by the individual. So, let us show that the probability of getting $S$ does not change based on the share $f(i)$ that each participant $i$ has.

- For participant $i=1$: First, since $R \in GF(3)$ is uniformly at random, we have that
\begin{align*}
    Pr[R=r]=\frac{1}{3}
\end{align*}
$\forall r \in GF(3)$.

  So, the probabily of $f(1)=S+R$ assume any value $t \in GF(3)$ is
\begin{align*}
    Pr[f(1)=t]=Pr[S+R=t]=Pr[R=t-S]=\frac{1}{3}
\end{align*}
where the last equality follows because $S \in GF(3)$ and $GF(3)$ is a field.

  Now, note that the conditional probability of $f(1)$ given the secret $S$ is
\begin{align*}
    Pr[f(1)=t|S=s]=Pr[S+R=t|S=s]=Pr[s+R=t]=Pr[R=t-s]=\frac{1}{3}
\end{align*}
$\forall s,t \in GF(3)$. 

  Therefore, using Bayes theorem, it follows that
\begin{align*}
    Pr[S=s|f(1)=t]&=\frac{Pr[f(1)=t|S=s]Pr[S=s]}{Pr[f(1)=t]}\\
    &=\frac{\frac{1}{3}Pr[S=s]}{\frac{1}{3}}\\
    &=Pr[S=s]
\end{align*}


- For participant $i=2$: Similarly, the probabily of $f(2)=S+2R$ assume any value $t \in GF(3)$ is
\begin{align*}
    Pr[f(2)=t]=Pr[S+2R=t]=Pr[R=2^{-1}(t-S)]=\frac{1}{3}
\end{align*}
Note that $2^{-1} \in GF(3)$ is equivalent to $2 \in GF(3)$ using **Definition 2.2** and **Example 2.2**.

  In addition, the conditional probability of $f(2)$ given the secret $S$ is
\begin{align*}
    Pr[f(2)=t|S=s]=Pr[S+2R=t|S=s]=Pr[s+2R=t]=Pr[R=2^{-1}(t-s)]=\frac{1}{3}
\end{align*}
$\forall s,t \in GF(3)$. 

  Therefore, using Bayes theorem, it follows
\begin{align*}
    Pr[S=s|f(2)=t]&=\frac{Pr[f(2)=t|S=s]Pr[S=s]}{Pr[f(2)=t]}\\
    &=\frac{\frac{1}{3}Pr[S=s]}{\frac{1}{3}}\\
    &=Pr[S=s]
\end{align*}

In other words, as $f(x)=S+Rx$ is a line, a line cannot be completely determined by a single point $(i,f(i))$. Thus, the randomness of $R$ leaves $S$ completely indeterminate, i.e., the scheme has the property known as Security.

The previous example shows the case where no participant can communicate and contribute to discovering the secret. Let us consider an example where communication between some participants (not all) is allowed.

**Example 3.2:** An individual wants to store a secret in a group of three participants where any two of them can communicate. For secure storage, each participant receives a secret share. The sharing process must be done in such a way that no group of two or fewer participants can deduce any information about the secret only with their sharing and only in the presence of the three sharers, the secret can be completely determined. Again, this problem can be solved using a secret sharing scheme as shown below:

- **Step 1:** If $S \in GF(11)$ is the secret, choose $R_1,R_2 \in GF(11)$ uniformly at random.
- **Step 2:** Define the polynomial $f(x)=S+R_1x+R_2x^2$ over the finite field $GF(11)$.
- **Step 3:** Send for each participant $i$ the evaluation $f(i)=S+R_1i+R_2i^2$, $i \in \{1,2,3\}$.

To make things more clear, suppose that $S=6 \in GF(11)$. Then, we can compute the shares as follows:

In [24]:
GF11 = galois.GF(11)

S = GF11(6)
R_1 = GF11.Random()
R_2 = GF11.Random()

f_1 = S + R_1 + R_2
f_2 = S + GF11(2) * R_1 + GF11(4) * R_2
f_3 = S + GF11(3) * R_1 + GF11(9) * R_2

print('Participant 1 receives the share', f_1)
print('Participant 2 receives the share', f_2)
print('Participant 3 receives the share', f_3)

Participant 1 receives the share 4
Participant 2 receives the share 0
Participant 3 receives the share 5


To reconstruct the secret with the shares $f(1), f(2)$ and $f(3)$, we can solve the following matrix equation based on the definition of the polynomial $f(x)$:
$$\begin{cases}
  S+R_1+R_2 &= f(1) \\
  S+2R_1+4R_2 &= f(2) \\
  S+3R_1+9R_2 &= f(3)
\end{cases}
\iff
\begin{bmatrix}
    1 & 1 & 1 \\
    1 & 2 & 4 \\
    1 & 3 & 9
\end{bmatrix}

\begin{bmatrix}
    S \\
    R_1 \\
    R_2
\end{bmatrix}
=
\begin{bmatrix}
    f(1) \\
    f(2) \\
    f(3)
\end{bmatrix}
$$
where the $3 \times 3$ matrix is invertible, because the determinant is non-zero.

In [25]:
A = GF11(np.array([[1, 1, 1], [1, 2, 4], [1, 3, 9]]))
print('The determinant of A is', np.linalg.det(A))
print('')
b = GF11(np.array([f_1, f_2, f_3]))

x = np.linalg.solve(A,b)
S = x[0]

print('The secret is', S)

The determinant of A is 2

The secret is 6


Or we could calculate the inverse of the matrix of coefficients $3 \times 3$:

In [26]:
inv = np.linalg.inv(A)
print(inv)

[[ 3  8  1]
 [ 3  4  4]
 [ 6 10  6]]


And obtain $S$ with the matrix equation
$$
\begin{bmatrix}
    S \\
    R_1 \\
    R_2
\end{bmatrix}
=
\begin{bmatrix}
    3 & 8 & 1 \\
    3 & 4 & 4 \\
    6 & 10 & 6
\end{bmatrix}

\begin{bmatrix}
    f(1) \\
    f(2) \\
    f(3)
\end{bmatrix}
$$


I.e., we only need to multiply the first line of the inverse with the vector $[f(1), f(2), f(2)]^t \in GF(11)^3$ to compute $S$ as follows:

In [27]:
print('The first line of the inverse is the vector', inv[0])
S = np.dot(inv[0], b)
print('The secret is', S)

The first line of the inverse is the vector [3 8 1]
The secret is 6


In terms of statistics, we can say that the probability of obtaining $S$ given the shares $f(1),f(2)$ and $f(3)$ is 1, i.e,
\begin{align*}
    Pr[S=s|f(1)=t_1,f(2)=t_2,f(3)=t_3]=
    \begin{cases}
        1, & \text{if} \ s=3t_1+8t_2+t_3, \forall t_1,t_2,t_3 \in GF(11). \\
        0, & \text{otherwise}.
        \end{cases}
\end{align*}


Now, let us show that the probability of getting $S$ does not change based on any two shares $f(i)$ and $f(j)$ that any two participants $i$ and $j$ have.

Initially, since $R_1,R_2 \in GF(11)$ is uniformly at random, we have
\begin{align*}
    Pr[R_1=r_1,R_2=r_2]=Pr[R_1=r_1]Pr[R_2=r_2]=\frac{1}{11}\frac{1}{11}=\frac{1}{121}
\end{align*}

So, the joint probability distribution of $f(i)$ and $f(j)$ is
\begin{align*}
    Pr[f(i)=t_i,f(j)=t_j]&=Pr[S+R_1i+R_2i^2=t_i,S+R_1j+R_2j^2=t_j]\\
    &=Pr[R_1=i^{-1}(t_i-S-R_2i^2),R_2=j^{-2}(t_j-S-R_1j)]\\
    &=\frac{1}{11}\frac{1}{11}=\frac{1}{121}
\end{align*}
where the final equality follows because $GF(11)$ is a field, $\forall t_i,t_j \in GF(11)$.

Similarly, the conditional probability of $f(i)$ and $f(j)$ given $S$ is
\begin{align*}
    Pr[f(i)=t_i,f(j)=t_j|S=s]&=Pr[S+R_1i+R_2i^2=t_i,S+R_1j+R_2j^2=t_j|S=s]\\
    &=Pr[s+R_1i+R_2i^2=t_i,s+R_1j+R_2j^2=t_j]\\
    &=Pr[R_1=i^{-1}(t_i-s-R_2i^2),R_2=j^{-2}(t_j-s-R_1j)]\\
    &=\frac{1}{11}\frac{1}{11}=\frac{1}{121}
\end{align*}
$\forall s,t_i,t_j \in GF(11)$.

Therefore, using Bayes theorem, it follows
\begin{align*}
    Pr[S=s|f(i)=t_i,f(j)=t_j]&=\frac{Pr[f(i)=t_i,f(j)=t_j|S=s]Pr[S=s]}{Pr[f(i)=t_i,f(j)=t_j]}\\
    &=\frac{\frac{1}{121}Pr[S=s]}{\frac{1}{121}}\\
    &=Pr[S=s]
\end{align*}

In other words, any two give no information about the secret $S$, i.e., the randomness of $R_1$ and $R_2$ leaves $S$ completely indeterminate, being able to assume any element of $GF(11)$ with equal probability. From this, the scheme has the property known as Security. 

Another way of understanding security property is to think that the polynomial $f(x)=S+R_1x+R_2x^2$ is a parabola and a parabola is completely determined by three points. Any two participants with two points were unable to determine the values of $S,R_1,R_2 \in GF(11)$ because there are more than one parabola that pass through only two points. To see this, we can consider two participants $i$ and $j$. As each participant has one point, they would have to solve the following system over $GF(11)$: 
$$
\begin{cases}
  S+R_1i+R_2i^2 &= f(i) \\
  S+R_1j+R_2j^2 &= f(j)
\end{cases}
$$
for $i,j \in \{1,2,3\}$ with $i \neq j$.

Since we have two equations and three variables, the system is classified as impossible, which implies that there is more than one solution to the problem that are equiprobable due to the randomness of $R_1,R_2 \in GF(11)$.

Before showing the general case, we will introduce a matrix that appeared informally in the previous examples.

In both examples, when we reach to the phase of checking if the scheme has the property of decoding the secret, we obtained the following coefficient matrices:
$$
\begin{bmatrix}
    1 & 1 \\
    1 & 2
\end{bmatrix}
$$

$$
\begin{bmatrix}
    1 & 1 & 1 \\
    1 & 2 & 4 \\
    1 & 3 & 9
\end{bmatrix}
$$
Note that these matrices can be rewritten with respect to $GF(3)$ and $GF(11)$, respectively, as follows:
$$
\begin{bmatrix}
    1^0 & 1^1 \\
    2^0 & 2^1
\end{bmatrix}
$$

$$
\begin{bmatrix}
    1^0 & 1^1 & 1^2 \\
    2^0 & 2^1 & 2^2 \\
    3^0 & 3^1 & 3^2
\end{bmatrix}
$$
We can observe a great similarity between these matrices in relation to the shown above. This type of matrix is known as the **Vandermonde matrix**.

**Definition 3.1:** Let $a_1,...,a_n$ be distinct elements of a field $\mathbb{F}$ with at least $n$ elements. The Vandermonde matrix $V=V(a_1,...,a_n)$ is defined by
$$
V=V(a_1,...,a_n)=
\begin{bmatrix}
    1 & a_1 & a_1^2 & \cdots & a_1^{n-1} \\
    1 & a_2 & a_2^2 & \cdots & a_2^{n-1} \\
    \vdots & \vdots & \vdots & \ddots & \vdots \\
    1 & a_n & a_n^2 & \cdots & a_n^{n-1} \\
\end{bmatrix}
$$

The main advantage of the Vandermonde matrix is that it is always invertible for non-zero and distinct coefficients $a_1,a_2,...,a_n$. This result can be stated by the following lemma.

**Lemma 3.1:** If $a_1,...,a_n \in \mathbb{F}\backslash\{0\}$ are distinct elements, then the Vandermonde matrix $V=V(a_1,...,a_n)$ is invertible and
\begin{align*}
    \det(V) = \prod_{1 \leq i < j \leq n} (a_j - a_i)
\end{align*}

Through the formula, note that the determinant is always different from zero, because we are making the product of subtractions $(a_j-a_i)$ and as $a_1,...,a_n$ are distinct, any $(a_j-a_i)$ cannot be zero, i.e., $\det(V)\neq 0$.

**Remark 3.1:** For the Vandermonde matrix $V(a_1,...,a_n)$ be invertible, we need that the field $\mathbb{F}$ have at least $n+1$ elements, because any square matrix with a row or column of zeros is not invertible.

**Remark 3.2:** The proof of the lemma can be obtained by doing Gauss elimination.

In Python, we can use a list with the coefficients $a_1,a_2,...,a_n \in \mathbb{F}$ to run two "for's" between the elements and the number of elements in the list to compute a Vandermonde matrix. For example, we compute $V(1,2,3)$ over $GF(11)$ as follows:

In [28]:
coeff = [1, 2, 3]
V = [[GF11(i)**j for j in range(len(coeff))] for i in coeff]
V = GF11(np.array(V))
print(V)

[[1 1 1]
 [1 2 4]
 [1 3 9]]


This approach is interesting because we can define the Vandermonde matrix in smaller finite fields since the galois library does not accept the definition of elements $q \in GF(p)$ for $p \leq q$. For example, we can compute $V(1,2,3)$ over $GF(5)$ and do the whole secret sharing scheme in example 3.2 over $GF(5)$ if it is interesting. 

In [29]:
V = [[GF5(i)**j for j in range(len(coeff))] for i in coeff]
V = GF5(np.array(V))
print(V)

[[1 1 1]
 [1 2 4]
 [1 3 4]]


## 4. The general Secret Sharing Scheme

Finally, let us present the general case for a secret sharing scheme.

An individual wants to store a secret $S \in GF(q)$ with $N>1$ participants where any $T$ of them $(1\leq T<N<q)$ can collude. The sharing process must be done in such a way that each participant receives a secret share, no group of $T$ or fewer participants can deduce any information about the secret and only in the presence of the $(T+1)$ or more shares, the secret can be completely determined. The $(N,T+1)$-Secret Sharing Scheme that solves the problem is defined as below:

- **Step 1:** Choose $R_1,...,R_T \in GF(q)$ uniformly at random.
- **Step 2:** Define the polynomial $f(x)=S+R_1x+...+R_Tx^T$ over the finite field $GF(q)$.
- **Step 3:** Send for each participant $i$ the evaluation $f(i)=S+R_1i+...+R_Ti^T$ for $i \in \{1,2,...,N\}$ and $N<q$.


The decodability property is based on the fact that it is possible to reconstruct $S$ from any number $(T+1)$ of different shares. So, suppose a subset $\{i_1,i_2,...,i_{T+1}\} \subset \{1,2,...,N\}$. In this way, if we have the shares $f(i_1),f(i_2),...,f(i_{T+1})$, the following matrix equation can be constructed:
$$
\begin{bmatrix}
    1 & i_1 & \cdots & i_1^T \\
    1 & i_2 & \cdots & i_2^T \\
    \vdots & \vdots & \ddots & \vdots \\
    1 & i_{T+1} & \cdots & i_{T+1}^T 
\end{bmatrix}

\begin{bmatrix}
    S \\
    R_1 \\
    \vdots \\
    R_T
\end{bmatrix}
=
\begin{bmatrix}
    f(i_1) \\
    f(i_2) \\
    \vdots \\
    f(i_{T+1})
\end{bmatrix}
$$
where the $(T+1)\times (T+1)$ matrix is the Vandermonde matrix $V(i_1,...,i_{T+1})$.

Since $i_1,i_2,...,i_{T+1}$ are distinct numbers in $GF(q)$, by **Lemma 3.1**, $V(i_1,...,i_{T+1})$ is invertible. From this, the above equation has a unique solution. In other words, $S$ is deterministic and can be expressed as a function of $f(i_1),f(i_2),...,f(i_{T+1})$. Thus, let $S=g(f(i_1),...,f(i_{T+1}))$, the probability of getting $S$ given the shares $f(i_1),f(i_2),...,f(i_{T+1})$ is
\begin{align*}
    &Pr[S=s|f(i_1)=t_1,...,f(i_{T+1})=t_{T+1}]=\\
    &Pr[g(f(i_1),...,f(i_{T+1}))=s|f(i_1)=t_1,...,f(i_{T+1})=t_{T+1}]=
    \begin{cases}
        1, & \text{if} \ s=g(t_1,...,t_{T+1}). \\
        0, & \text{otherwise}.
    \end{cases}
\end{align*}
$\forall s,t_1,...,t_{T+1} \in GF(q)$.

The security property is based on the fact that any number $T$ of different shares leaves $S$ completely undetermined. So, suppose a subset $\{i_1,i_2,...,i_T\} \subset \{1,2,...,N\}$. Since $R_1,...,R_T$ is uniformly at random, the joint probability of $f(i_1),...,f(i_T)$ is
\begin{align*}
    Pr[f(i_1)&=t_1,...,f(i_T)=t_T]=Pr[S+R_1i_1+...+R_Ti_1^T=t_1,...,S+R_1i_T+...+R_Ti_T^T=t_T]\\
    &=Pr[R_1=i_1^{-1}(t_1-S-...-R_Ti_1^T),...,R_T=i_T^{-T}(t_T-S-...-R_{T-1}i_T^{T-1})]\\
    &=\underbrace{\frac{1}{q}...\frac{1}{q}}_{\text{$T$ times}}=\left( \frac{1}{q}\right)^T
\end{align*}
$\forall t_1,...,t_T \in GF(q)$.

In addition, the conditional probability of the shares $f(i_1),...,f(i_T)$ given the secret $S$ is
\begin{align*}
    Pr[f(i_1)&=t_1,...,f(i_T)=t_T|S=s]=Pr[S+R_1i_1+...+R_Ti_1^T=t_1,...,S+R_1i_T+...+R_Ti_T^T=t_T|S=s]\\
    &=Pr[s+R_1i_1+...+R_Ti_1^T=t_1,...,s+R_1i_T+...+R_Ti_T^T=t_T]\\
    &=Pr[R_1=i_1^{-1}(t_1-s-...-R_Ti_1^T),...,R_T=i_T^{-T}(t_T-s-...-R_{T-1}i_T^{T-1})]\\
    &=\underbrace{\frac{1}{q}...\frac{1}{q}}_{\text{$T$ times}}=\left( \frac{1}{q}\right)^T
\end{align*}
$\forall s,t_1,...,t_T \in GF(q)$.

Therefore, using Bayes theorem, it follows that
\begin{align*}
    Pr[S=s|f(i_1)=t_1,...,f(i_T)=t_T]&=\frac{Pr[f(i_1)=t_1,...,f(i_T)=t_T|S=s]Pr[S=s]}{Pr[f(i_1)=t_1,...,f(i_T)=t_T]}\\
    &=\frac{\left(\frac{1}{q}\right)^T Pr[S=s]}{\left(\frac{1}{q}\right)^T}\\
    &=Pr[S=s]
\end{align*}

In other words, security follows from the facts that we need $(T+1)$ points to determine a polynomial of degree $T$ and $R_1,...,R_T$ are uniformly at random.

## 5. A possible implementation in Python

Secret sharing schemes can be implemented in many ways. We will show two of them.

Initially, assume the scenario where an individual wants to store a secret $S \in GF(q)$ among $N>1$ participants with any $T\geq 1$ colluding. 

The **Step 1** to create a secret sharing scheme for this problem is to choose $R_1,...,R_T \in GF(q)$ uniformly at random. For this, we can define a function that takes as argument the values of $S$, $T$ and $q$ to create a tuple where the first element is the value of $S$ and the other elements are the values of the random variables generated randomly in the field $GF(q)$.

In [30]:
import galois

def generate_value(S, T, q):
    GF = galois.GF(q)
    coeff = [GF(S)] + [GF.Random() for _ in range(T)]
    return tuple(coeff)

For example, if $S=3$, $T=3$ and $q=17$, the function will compute the tuple $[S,R_1,R_2,R_3]$ where $R_1,R_2,R_3$ are randomly generated through the "for" loop that will run following the maximum number $T$ of participants that can collude:

In [50]:
coeff = generate_value(3,3,17)
print(coeff)
print('The secret is', coeff[0])

(GF(3, order=17), GF(10, order=17), GF(14, order=17), GF(1, order=17))
The secret is 3


The steps **2** and **3** involve defining the polynomial $f(x)=S+R_1x+...+R_Tx^T$ over the finite field $GF(q)$ and sending to each participant $i$ the share $f(i)$. For these steps, we will use the two functions below:

In [32]:
def evaluate_poly(values, x, q):
    GF = galois.GF(q)
    evaluate = GF(0)
    for degree, value in enumerate(values):
        evaluate += value * (GF(x) ** degree)
    return evaluate

def generate_shares(S, N, T, q):
    coeff = generate_value(S, T, q)
    shares = []
    for i in range(1, N+1):
        shares.append((i, evaluate_poly(coeff, i, q)))
    return tuple(shares)

The "evaluate_poly()" function will iteratively evaluate the polynomial $f(x)$ by accessing the coefficients stored in the tuple $[S,R_1,...,R_T]$ of the polynomial $f(x)=S+R_1x+...+R_Tx^T$, receiving the value $x$ in which $f(x)$ will be calculated and the value $q$ to define the finite field $GF(q)$. 

For example, if we use the tuple "coeff" generated by the previous example where $S=3$, $T=3$ and $q=17$, we can have the evaluations $f(2)$ and $f(11)$ as follows:

In [51]:
f_2 = evaluate_poly(coeff, 2, 17)
f_12 = evaluate_poly(coeff, 12, 17)

print("Participant 2 receives f(2) =",f_2)
print("Participant 12 receives f(12) =",f_12)

Participant 2 receives f(2) = 2
Participant 12 receives f(12) = 8


The "generate_shares()" function creates the pairs $(i,f(i))$ to store in tuple and send the shares to each participant where $i \in \{1,2,...,N\}$ is the number given to the participant and $f(i)$ the share that the participant $i$ will receive. To do this, the function uses the "generate_value()" and "evaluate poly()" functions to create $N$ evaluations (shares) $f(i)$ by accessing the tuple of coefficients created by generate_value().

Following the two previous examples where $S=3$, $T=3$ and $q=17$, if we assume that the number of participants is $N=6$ we can compute the pairs $(i,f(i))$ as below:

In [52]:
shares = generate_shares(3, 6, 3, 17)
print(shares)

((1, GF(14, order=17)), (2, GF(4, order=17)), (3, GF(1, order=17)), (4, GF(16, order=17)), (5, GF(9, order=17)), (6, GF(8, order=17)))


Now, let us present a possible code for decoding the secret.

For the decodability code, we will use the approach of calculating the inverse of the vandermonde matrix created from the the participants $i_1,i_2,...,i_{T+1}$, because we can multiply the first line of the inverse of $V(i_1,...,i_{T+1})$ by the vector $[f(i_1),...,f(i_{T+1})]^t$ to obtain $S$.

In [53]:
import numpy as np

def decodability(shares, T, q):
    GF = galois.GF(q)
    # Enter the (T+1) servers that will be used for decoding in the format "i_1 i_2 ... i_{T+1}".
    # For example, if you want to use the shares of participants 1, 2 and 3: Type "1 2 3" in the prompt.
    part = np.array([int(i) for i in input('Participants to decode S:').split()])
    print('The list of particants used to decode S is', list(part))
    print('')
    vand_matrix = [[GF(i)**j for j in range(T+1)] for i in part]
    Inv = np.linalg.inv(GF(np.array(vand_matrix)))

    evaluation_list = [shares[i-1][1] for i in part] 

    unique_sol = np.dot(Inv[0], GF(np.array(evaluation_list)))
    return print('Secret reconstructed:', unique_sol)

First, we import the NumPy library to perform the operations of calculating the inverse and multiplication of matrices more easily and efficiently. Next, we construct the vandermonde matrix $V(i_1,..., i_{T+1})$ over the finite field $GF(q)$ taking as input a string containing the numbers $i_1,i_2,..., i_{T+1}$ spaced by " ". Finally, we compute the inverse of $V(i_1,..., i_{T+1})$, collect the $f(i_1),f(i_2),..., f(i_{T+1})$ values stored in the "shares" tuple (given as the function argument) to create an array and perform the final multiplication to reconstruct $S$.

For example, if $S=15$, $N=4$, $T=2$ and $q=17$, we can have that 

In [54]:
shares = generate_shares(15, 4, 2, 17)
print('The shares are', shares)
print('')
decodability(shares, 2, 17)

The shares are ((1, GF(16, order=17)), (2, GF(12, order=17)), (3, GF(3, order=17)), (4, GF(6, order=17)))

The list of particants used to decode S is [2, 3, 4]

Secret reconstructed: 15


The final code can be summarized as follows:

In [55]:
import galois
import numpy as np

def generate_shares(S, N, T, q):
    GF = galois.GF(q)
    coeff = tuple([GF(S)] + [GF.Random() for _ in range(T)])
    def evaluate_poly(values, x):
        evaluate = GF(0)
        for degree, value in enumerate(values):
            evaluate += value * (GF(x) ** degree)
        return evaluate
    shares = []
    for i in range(1, N+1):
        shares.append((i, evaluate_poly(coeff, i, q)))
    return tuple(shares)

def decodability(shares, T, q):
    GF = galois.GF(q)
    # Enter the (T+1) servers that will be used for decoding in the format "i_1 i_2 ... i_{T+1}".
    # For example, if you want to use the shares of participants 1, 2 and 3: Type "1 2 3" in the prompt.
    part = [int(i) for i in sorted(input('Participants to decode S:').split())]

    vand_matrix = [[GF(i)**j for j in range(T+1)] for i in part]
    Inv = np.linalg.inv(GF(np.array(vand_matrix)))
    
    evaluation_list = [shares[i-1][1] for i in part] 
    unique_sol = np.dot(Inv[0], GF(np.array(evaluation_list)))
    return print('Secret reconstructed:', unique_sol)

If we are in a context where the participants are servers and the individual is a computer user, an interesting approach is to modify the "generate_shares()" code to pre-compute the inverses of the Vandermonde matrices defined by all the combinations $\{i_1,i_2,...,i_{T+1}\} \subset \{1,2,...,N\}$ and save them locally. Thus, it will only be necessary to compute each inverse once and the "decodability()" function can access the inverses in the computer database to decode $S$ in matrix multiplication.

To do this, we will use the "itertools", NumPy and "os" libraries that will provide us, respectively, the functions to obtain all possible combinations of $\{i_1,i_2,...,i_{T+1}\} \subset \{1,2,...,N\}$, save the inverses and access the inverses locally. Below, we present a possible reformulation of the final code:

In [56]:
import galois
import numpy as np
from itertools import combinations
import os

def generate_shares(S, N, T, q):
    GF = galois.GF(q)

    list_all_part = list(range(1, N+1))
    comb = list(combinations(list_all_part, T+1))
    for v in comb:
        l = f"V[{','.join(map(str, list(v)))}]_{q}.npy"
        if not os.path.exists(l):
            vand_matrix = [[GF(i)**j for j in range(T+1)] for i in v]
            Inv = np.linalg.inv(GF(np.array(vand_matrix)))
            np.save(l, Inv)

    coeff = tuple([GF(S)] + [GF.Random() for _ in range(T)])
    def evaluate_poly(values, x):
        evaluate = GF(0)
        for degree, value in enumerate(values):
            evaluate += value * (GF(x) ** degree)
        return evaluate
    shares = []
    for i in range(1, N+1):
        shares.append((i, evaluate_poly(coeff, i)))
    return tuple(shares)

def decodability(shares, T, q):
    GF = galois.GF(q)
    # Enter the (T+1) servers that will be used for decoding in the format "i_1 i_2 ... i_{T+1}".
    part = [int(i) for i in sorted(input('Participants to decode S:').split())]

    l = f"V[{','.join(map(str, part))}]_{q}.npy"
    if os.path.exists(l):
        Inv = np.load(l)
        Inv = GF(Inv)
    else:
        vand_matrix = [[GF(i)**j for j in range(T+1)] for i in part]
        Inv = np.linalg.inv(GF(np.array(vand_matrix)))
        np.save(l, Inv)

    evaluation_list = [shares[i-1][1] for i in part] 
    unique_sol = np.dot(Inv[0], GF(np.array(evaluation_list)))
    return print('Secret reconstructed:', unique_sol)

In this version, the "generate_shares()" function starts by creating all the inverses of the vandermonde matrices of dimension $(T+1)\times (T+1)$ over the finite field $GF(q)$ and saving locally with the name "$V[i_1,...,i_{T+1}]\_q$.npy" for $i_1<i_2<...<i_{T+1}$ if they do not exist. Furthermore, the "decodability()" function enters a condition (if and else) to know if the inverse that should be used for the problem exists or not, using the "os" library to locally access the inverses.

For example, if $S=5$, $N=4$, $T=2$ and $q=17$, we can have

In [57]:
sharess = generate_shares(5, 4, 2, 17)
print(sharess)
print('')
decodability(sharess, 2, 17)

((1, GF(8, order=17)), (2, GF(13, order=17)), (3, GF(3, order=17)), (4, GF(12, order=17)))



Secret reconstructed: 5


## 6. Discussion

### 6.1. Why not construct schemes over $\mathbb{R}$?

Let $X$ be a random variable and suppose that $X$ can assume any $x \in$ $\mathbb{R}$ in an uniform (equiprobable) way. Furthermore, consider $Pr[X=x]=k$ for $0<k<1$, $\forall x \in \mathbb{R}$.

Thus, if there is such a $k$ that satisfies the above hypotheses, it follows that
\begin{align*}
    \sum\limits_{x \in \mathbb{R} }^{} Pr[X=x]=\sum\limits_{x \in \mathbb{R} }^{} k= k+k+k+...
\end{align*}
Since the cardinality of $\mathbb{R}$ is infinite, we are making an infinite addition of a constant $k \in (0,1)$, which verifies that 
\begin{align*}
    \sum\limits_{x \in \mathbb{R} }^{} k= k+k+k+... = k*\infty=\infty.
\end{align*}
Absurd, because the sum of all the probabilities of the values that a random variable can take must always be $1$.

On other hand, let $X$ be uniform in $GF(q)$. Then,
\begin{align*}
    Pr[X=x]=\frac{1}{q}, \ \forall x \in GF(q)
\end{align*}
and
\begin{align*}
    \sum\limits_{x \in GF(q)} \frac{1}{q}=q\frac{1}{q}=1.
\end{align*}
Therefore, since the process of choosing uniform and random variables $R_1,...,R_T$ is fundamental to creating secret sharing schemes, we use finite fields because of their finite cardinality, which results in a probability sum equal to $1$.

### 6.2. Vandermonde matrix and Lagrange Interpolation

In this section, we will give a short overview of the difference between finding a polynomial by Vandermonde matrix and Lagrange interpolation, but without going into too much detail about the computational efficiency of each.

In many articles, books, videos, etc., the decoding part of secret sharing is done using Lagrange interpolation. The Lagrange interpolation is an alternative way to find the coefficients $S,R_1,...,R_T$ by determining the polynomial $f(x)=S+R_1x+...+R_Tx^T$ from $(T+1)$ different points $(i,f(i))$ for $\{i_1,...,i_{T+1}\} \subset \{1,2,...,N\}$. The formula is given as follows:

\begin{equation*}
f(x) = \sum_{i=i_1}^{i_{T+1}} f(i) \prod_{\substack{j \in \{i_1,...,i_{T+1}\} \\ i \neq j \\ i_1\leq j \leq i_{T+1}}} \frac{x - j}{i - j}=S+R_1x+...+R_Tx^T
\end{equation*}

The difference between finding a polynomial using the Vandermonde matrix and Lagrange interpolation is that it is not necessary to solve a linear system or calculate the inverse. This can be interesting for large-scale problems where it is very expensive to solve a linear system and/or calculate an inverse.

For example, we could rewrite the final code in section 5 as

In [58]:
import galois

def generate_shares(S, N, T, q):
    GF = galois.GF(q)
    coeff = tuple([GF(S)] + [GF.Random() for _ in range(T)])
    def evaluate_poly(values, x):
        evaluate = GF(0)
        for degree, value in enumerate(values):
            evaluate += value * (GF(x) ** degree)
        return evaluate
    shares = []
    for i in range(1, N+1):
        shares.append((GF(i), evaluate_poly(coeff, i)))
    return tuple(shares)

def decodability(shares, q):
    GF = galois.GF(q)
    # Enter the (T+1) servers that will be used for decoding in the format "i_1 i_2 ... i_{T+1}".
    # For example, if you want to use the shares of participants 1, 2 and 3: Type "1 2 3" in the prompt.
    part = [int(i) for i in sorted(input('Participants to decode S:').split())]

    result = GF(0)
    for i in part:
        f_i = shares[i-1][1]
        for j in part:
            if j != i:
                f_i *= (GF(0) - GF(j)) / (GF(i) - GF(j))
        result += f_i
    return print('Secret reconstructed:', result)

Note that $f(0)=S$, i.e., by Lagrange interpolation formula, we have that

\begin{equation*}
f(0) = \sum_{i=i_1}^{i_{T+1}} f(i) \prod_{\substack{j \in \{i_1,...,i_{T+1}\} \\ i \neq j \\ i_1\leq j \leq i_{T+1}}} \frac{0 - j}{i - j}=S
\end{equation*}

Therefore, we can compute $S$ directly by substituting $x=0$, as we did in the code above.

For example, if $S=2$, $N=5$, $T=2$ and $q=7$, the secret can be decoded as below:

In [59]:
share_s = generate_shares(2, 5, 2, 7)
print(share_s)

decodability(share_s, 7)

((GF(1, order=7), GF(4, order=7)), (GF(2, order=7), GF(6, order=7)), (GF(3, order=7), GF(1, order=7)), (GF(4, order=7), GF(3, order=7)), (GF(5, order=7), GF(5, order=7)))
Secret reconstructed: 2


## References

[1] A. Shamir, “How to share a secret,” Communications of the ACM, vol. 22, no. 11, pp. 612–613, 1979.

[2] G. R. Blakley, “Safeguarding cryptographic keys,” in Managing Requirements Knowledge, International Workshop on. IEEE Computer Society, 1979, pp 313–313.

[3] I. S. Reed and G. Solomon, “Polynomial codes over certain finite fields,” Journal of the society for industrial and applied mathematics, vol. 8, no. 2, pp. 300–304, 1960.

[4] R. J. McEliece and D. V. Sarwate, “On sharing secrets and reed-solomon codes,” Communications of the ACM, vol. 24, no. 9, pp. 583–584, 1981.

[5] G. R. Blakley and C. Meadows, “Security of ramp schemes,” in Workshop on the Theory and Application of Cryptographic Techniques. Springer, 1984, pp. 242–268

[6] R. G. L. D’Oliveira and S. El Rouayheb, “One-shot pir: Refinement and lifting,” IEEE Transactions on Information Theory, vol. 66, no. 4, pp. 2443–2455, 2019.

[7] R. G. L. D’Oliveira, S. El Rouayheb, D. Heinlein, and D. Karpuk, “Notes on communication and computation in secure distributed matrix multiplication,” in 2020 IEEE Conference on Communications and Network Security (CNS). IEEE, 2020, pp. 1–6.

[8] R. G. L. D’Oliveira, S. El Rouayheb, and D. Karpuk, “Gasp codes for secure distributed matrix multiplication,” IEEE Transactions on Information Theory, vol. 66, no. 7, pp. 4038–4050, 2020.

[9] R. G. L. D’Oliveira, S. El Rouayheb, D. Heinlein, and D. Karpuk, “Degree tables for secure distributed matrix multiplication,” IEEE Journal on Selected Areas in Information Theory, vol. 2, no. 3, pp. 907–918, 2021.

[10] Thomas, Joy A., "Elements of information theory", 1991.

[11] McEliece, Robert J., "Finite fields for computer scientists and engineers". Vol. 23. Springer Science & Business Media, 2012.

[12] Rotman, Joseph J., "Advanced modern algebra". Vol. 114. American Mathematical Soc., 2010.

[13] C. E. Shannon, “Communication theory of secrecy systems,” The Bell system technical journal, vol. 28, no. 4, pp 656–715, 1949