In [None]:
import numpy as np
from collections import defaultdict
import galois

from typing import List, Tuple
#For typing
Shares = List[Tuple[galois.GF, galois.GF]]

GF = galois.GF(2 ** 13 - 1)

In [None]:
def shamir_share(secret_value: galois.GF, threshold: int, total_shares: int) -> List[Tuple[galois.GF, galois.GF]]:
    # Step 1: Generate random coefficients for the polynomial.
    coefficients = GF([GF.Random() for _ in range(threshold - 1)] + [secret_value])
    
    # Step 2: Create the polynomial using the generated coefficients.
    polynomial = galois.Poly(coefficients)
    
    # Step 3: Evaluate the polynomial at points 1, 2, ..., n to create shares.
    shares = [(GF(x), polynomial(GF(x))) for x in range(1, total_shares + 1)]
    
    return shares

secret = GF(5)  # The secret value to be shared
threshold = 3   # The minimum number of shares required to reconstruct the secret
total_shares = 6  # Total number of shares to generate

In [None]:
# TEST CASE
assert len(shamir_share(GF(5), 3, 6)) == 6
shares = shamir_share(GF(5), 2, 6)
assert reconstruct([shares[0], shares[1]]) == GF(5)

In [None]:
shares1 = shamir_share(GF(20), 2, 6)
shares2 = shamir_share(GF(5), 2, 6)



def add_shares(shares1: Shares, shares2: Shares) -> Shares:
    """Add two sets of Shamir shares."""
    added_shares = []
    for s1, s2 in zip(shares1, shares2):
        x1, y1 = s1
        x2, y2 = s2

        added_shares.append((x1, y1 + y2))

    return added_shares

added_shares = add_shares(shares1, shares2)
print(added_shares)
reconstruct([added_shares[0], added_shares[1]])

In [None]:
# TEST CASE
added_shares = add_shares(shares1, shares2)
assert reconstruct([added_shares[0], added_shares[2]]) == GF(25)

In [None]:
def add_const(shares: Shares, k: int) -> Shares:
    """Add a constant to the y-values of Shamir shares."""
    added_shares: Shares = []
    for s in shares:
        x, y = s
        added_shares.append((x, y + GF(k)))

    return added_shares
sharesk = add_const(shares1, 3)
print(sharesk)
reconstruct(sharesk)

In [None]:
def mult_const(shares: Shares, k: int) -> Shares:
    """Multiply a constant to the y-values of Shamir shares."""
    mult_shares: Shares = []
    for s in shares:
        x, y = s
        mult_shares.append((x, y * GF(k)))

    return mult_shares

sharesk = mult_const(shares1, 3)
reconstruct(sharesk)

In [None]:
def reconstruct(shares: Shares) -> GF:
    """Reconstructs the secret from Shamir shares."""
    # Extract x-values and y-values from shares
    x_values = [x for x, _ in shares]
    y_values = [y for _, y in shares]
    
    # Reconstruct the polynomial using Lagrange interpolation
    reconstructed_polynomial = galois.lagrange_poly(GF(x_values), GF(y_values))
    
    # Evaluate the polynomial at x=0 to get the secret
    secret = reconstructed_polynomial(0)
    
    return secret

In [None]:
# TEST CASE
shares = shamir_share(GF(30), 5, 10)
assert reconstruct(shares) == GF(30)
assert reconstruct(shares[:5]) == GF(30)  # t shares are sufficient
assert reconstruct(shares[:4]) != GF(30)  # t - 1 shares are not sufficient

### References

- Overview of the BGW protocol: [Pragmatic MPC, Section 3.3](https://securecomputation.org/docs/pragmaticmpc.pdf)

The BGW protocol can be used to evaluate an arithmetic circuit over a field F, consisting of addition, multiplication, and multiplication-by-constant gates. The protocol is based on Shamir secret sharing, and it uses the fact that Shamir secret shares are homomorphic in a special
way—the underlying shared value can be manipulated obliviously, by suitable manipulations to the individual shares

We have:

- $n$ parties $P_1, P_2, P_3,...,P_n$, who have shares of the secrets $a$ and $b$ with respect to the polynomials $f_a(x)$ and $f_b(x)$. Each party can compute shares of the product polynomial $g(x)$ by multiplying their shares of $f_a(x)$ and $f_b(x)$.
    
Round 1:
-  Each $P_i$ can compute shares of the product polynomial $g(x)$ by multiplying their shares. Let each of this shares be $z_i = f_a(\alpha_i) \cdot f_b(\alpha_i) = g(\alpha_i)$ for the party $P_i$ , which means $z_1, ..., z_n$ are points on a polynomial of degree $2t$, so the threshold for $z_i$ will be less than or equal to $2t$.
- Each $P_i$ shares their $z_i$ with all the other parties according to $(n, t)$ Shamir Sharing

Round 2:
- Each party $P_i$ receives the shares $z_i$ from others
- $P_i$ computes $\sum (z_i \cdot \lambda_i)$ (where the $λ_i$ terms are the appropriate Lagrange coefficients) and outputs this value as its own share with threshold $t$.


In [None]:
class Party:
    """A participant in a multiparty computation protocol."""
    def __init__(self):
        """Initialize the field size and dictionary to hold received messages."""
        self.input = None
        self.output = None
        self.received = defaultdict(list)
        V_a = GF(np.vander(range(1, n + 1), increasing=True))
        V_a_inv = np.linalg.inv(V_a)
        self.lambda_js = V_a_inv[0]
    
    def send(self, other, round, msg):
        """Simulate sending a message `msg` to another party `other` during round `round`"""
        other.received[round].append(msg)

    def get_view(self):
        """Returns the view of this party: its input, output, and received messages."""
        return (self.input, self.output, dict(self.received))

In [None]:
class MultTwoParty(Party):
    def round1(self, parties, a_shr, b_shr, t):
        """
        First round of the multiplication protocol.

        Parameters:
        - parties (list): List of parties involved in the computation.
        - a_shr (tuple): Share of the first input value.
        - b_shr (tuple): Share of the second input value.
        - t (int): Threshold value for the Shamir's secret sharing scheme.

        Description:
        This method is responsible for computing the product of the input shares
        and distributing the shares of the product to each party using Shamir's
        secret sharing scheme.
        """
        # Save inputs and parties for later use
        self.input = (a_shr, b_shr)
        self.parties = parties
        
        # Number of parties
        n = len(parties)
        
        # Threshold check
        assert t <= n/2
        
        # Extract shares
        a_x, a_y = a_shr
        b_x, b_y = b_shr

        # Compute product of shares
        z_i = a_y * b_y
        
        # Save x coordinate for round 2
        self.x_coord = a_x

        # Share the product using Shamir's secret sharing
        secret_i_js = shamir_share(z_i, t, n)
        
        # Send shares to respective parties
        for party, share in zip(self.parties, secret_i_js):
            self.send(party, 1, share)

    def round2(self):
        """
        Second round of the multiplication protocol.

        Description:
        This method is responsible for receiving the shares of the product
        computed in the first round, computing the weighted sum of these shares,
        and outputting the final share of the original product.
        """
        # Number of parties
        n = len(self.parties)
        
        # Received shares from round 1
        secret_j_is = self.received[1]
        secret_j_is_y = [s[1] for s in secret_j_is]

        # Compute coefficients for Lagrange interpolation
        V_a = GF(np.vander(range(1,n+1), increasing=True))
        V_a_inv = np.linalg.inv(V_a)
        lambda_i = V_a_inv[0]

        # Compute weighted sum of shares
        prods = [secret_j_is_y[i] * lambda_i[i] for i in range(n)]

        # Output share of the original product
        self.output = self.x_coord, GF(prods).sum()
        return self.output

In [None]:
NUM_PARTIES = 6
n = NUM_PARTIES
t = 3

shares1 = shamir_share(5, t, n)
shares2 = shamir_share(6, t, n)

parties = [MultTwoParty() for _ in range(NUM_PARTIES)]

for p,s1,s2 in zip(parties, shares1, shares2):
    p.round1(parties, s1, s2, t)
for p in parties:
    p.round2()
for p in parties:
    print(p.get_view())

output_shares = [p.output for p in parties]
print('Reconstruction, with all shares:', reconstruct(output_shares))
print('Reconstruction, with 3 shares:', reconstruct(output_shares[:3]))
print('Reconstruction, with 2 shares:', reconstruct(output_shares[:2]))

assert reconstruct(output_shares) == 30
assert reconstruct(output_shares[:3]) == 30
assert reconstruct(output_shares[:2]) != 30