# Linear Secret Sharing Schemes (a.k.a LSSS)

In the past two notebooks we have seen two secret sharing schemes, first one is additive secret sharing (where we defined sum and product) and Shamir secret sharing based on polynomial reconstruction. We didn't define product in this last one but don't worry we'll do soon.

Additive secret sharing and Shamir secret sharing are part of a group of secret sharing schemes called linear secret sharing shemes (LSSS) because they can be formalised using linear algebra. Before defining LSSS formally let's reformulate the additive secret sharing.


## Linear reformulation of additive secret sharing

Remember that in this scheme the data holder splits the secret into $n$ random shares whose sum modulo $p$ is the original secret.

$$s = (s_0+s_1+\cdots s_n)\mod p=\sum_{i=0}^{i=n}s_i\pmod{p}$$

For this case we define the identity matrix 

$$M=\mathbb{1}^{n\times n}$$

This is a matrix with diagonal ones and the rest zero. If we multipy any vector of size $n$ by this matrix we get the same vector. Actually this matrix lives in the space $\mathbb{F}^{n\times n}_{p}$ where $p$ is the agreed prime number.

We define a vector $\mathbf{v}$ of size $n$ and only ones in its entries

$$\mathbf{v}=(1, 1, \cdots, 1)_n$$

A vector $\textbf{k}$ of random numbers and accomplishing property that when we sum all coefficcients and apply modulo we get the secret (same as the previous defined $s$ but remember we are reformulating the sscheme. 

$$\textbf{k}=(k_0, k_1, \cdots, k_{n-1})_n$$ 
$$s.t. \sum_{i=0}^{n-1}k_i \pmod{p} = s$$

With this defined we can get the vector of shares as:

$$\textbf{s}=(s_0, s_1, \cdots, s_{n-1})^T=(k_0, k_1, \cdots, k_{n-1})^T=M\cdot \textbf{k}$$

And recover the secret with the scalar product:

$$s = \textbf{v}^t \cdot \textbf{k}\pmod{p} = k_0+k_1+\cdots+k_{n-1} \pmod{p}$$

As always I've coded this. This time in a class called AdditiveLSSS

In [1]:
from smpc import AdditiveLSSS
from random import seed, randrange

seed(5)

bits = 32
parties = 5
scheme = AdditiveLSSS(n=parties, size=bits)

print(f"Chosen random prime {scheme.p}")
print(f"number of parties to split the secret is {scheme.n}")

# just not to put secret 10 we generate one random
secret = randrange(0, scheme.p)
print(f"Random secret chosen {secret}")

Chosen random prime 3244611641
number of parties to split the secret is 5
Random secret chosen 844054145


We get the vector of shares by setting the secret into the object

In [2]:
scheme.secret = secret
print(f"Generated k={scheme.k}")

Generated k=[ 511189398 1056934719 1985156919 1479108632 2300887759]


But every time we call the function generate we will generate and store the new shares of $\textbf{k}$

In [3]:
print("Generating new random shares")
scheme.GenerateShares()
print(f"Generated k={scheme.k}")
print(f"whose sum modulo p is {int(sum(scheme.k)%scheme.p)} secret is {secret}\n")

print("Generating new random shares")
scheme.GenerateShares()
print(f"Generated k={scheme.k}")
print(f"whose sum modulo p is {int(sum(scheme.k)%scheme.p)} secret is {secret}")

Generating new random shares
Generated k=[2201153626 1523825202 2253577168 1077581322  277140109]
whose sum modulo p is 844054145 secret is 844054145

Generating new random shares
Generated k=[1987924596  464083540 2533014395 3214345152 2378521385]
whose sum modulo p is 844054145 secret is 844054145


The recovery of the shares is coded in the same object

In [4]:
print(f"The recovered secret is {scheme.RevealSecret()}")

The recovered secret is 844054145


AttributeError: can't set attribute