Additive Secret Sharing in Cryptography
- Additive secret sharing is a cryptographic primitive that divides a secret from an algebraic structure into multiple shares, ensuring information-theoretic security.
- It supports local linear and homomorphic operations, enabling efficient secure computations in scenarios like private analytics, voting, and machine learning.
- Recent advances extend its capabilities to dynamic access structures and quantum implementations, balancing efficiency with robust security guarantees.
Additive secret sharing is a foundational primitive in information-theoretic cryptography and secure multiparty computation. It enables a secret value from a chosen algebraic structure to be divided into multiple pieces, or shares, such that the arithmetic sum (modulo the relevant field or ring) of the shares reconstructs the secret, while each individual share (and any subset below a given threshold) reveals nothing about the secret. Additive secret sharing forms the backbone of numerous protocols in secure distributed computing, including protocols for privacy-preserving analytics, private machine learning, secure e-voting, and privacy-preserving database queries. It is implemented over various algebraic structures, generalizes linearly to multiple parties, and supports efficient composition via homomorphic properties.
1. Definition and Core Properties
Let $\mathbb{F}$ be a field, ring, or finite group. In its canonical form for two parties, to share a value $x \in \mathbb{F}$, one party samples $x_1 \xleftarrow{\$} \mathbb{F}$ uniformly at random and sends the other party $P_2$ the share $x_2 := x - x_1 \;(\mathrm{mod}\;|\mathbb{F}|)$. The sharing is written $[x] = (x_1, x_2)$ and is reconstructed as $x = x_1 + x_2 \;(\mathrm{mod}\;|\mathbb{F}|)$; because $x_1$ is uniform, each share on its own is independent of $x$. The construction generalizes to $n$ parties: $x$ is split into $x_1,\ldots,x_n \in \mathbb{F}$ with $x = \sum_{i=1}^n x_i$, and any $n-1$ of the shares are again uniformly distributed. Sharings are additively homomorphic, so linear operations are purely local: $[x] + [y] = (x_1+y_1, x_2+y_2)$ and, for a public scalar $a$, $a\cdot[x] = (a x_1, a x_2)$.
2. Secure Computation on Shares
Multiplication of two shared values requires interaction. Given a precomputed random triple $(a, b, c)$ with $c=ab$, the parties obtain $[xy]$ from $[x],[y]$ with 1 round and low communication complexity (e.g., 4 field elements for basic multiplication) (Xiong et al., 2020, Xia et al., 2020).
The table below, summarizing round and communication complexity, demonstrates the efficiency of these protocols, particularly in the two-party setting:
| Protocol | Rounds (R) | Communication (C, field elements) |
|---|---|---|
| SecMul | 1 | 4 |
| SecCom | 3 | 4 |
| SecExp | 1 | 2 |
| SecLog | 2 | 2 |
| Division | 3 | 6 |
Protocols achieve constant rounds and linear communication, making them well-suited to high-latency settings (Xiong et al., 2020).
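As an added example (not code from the cited papers), the following Python block implements the n-party sharing, reconstruction and local linear operations defined above over a prime field, and realizes the one-round triple-based multiplication with Beaver's protocol, counting the field elements exchanged (4 for two parties). The modulus, the function names, the trusted-dealer triple generation and the exhaustive privacy check over a tiny field are this example's own assumptions.

```python
import secrets
from collections import Counter
from itertools import product

# Modulus for the example: the Mersenne prime 2^61 - 1 (an assumption of this
# example, not a parameter fixed by the cited protocols).
P = 2**61 - 1


def share(x, n=2, p=P):
    """Additive n-party sharing of x: n-1 uniformly random shares, the last
    one chosen so that all shares sum to x modulo p."""
    shares = [secrets.randbelow(p) for _ in range(n - 1)]
    shares.append((x - sum(shares)) % p)
    return shares


def reconstruct(shares, p=P):
    """Opening a sharing is just the modular sum of all shares."""
    return sum(shares) % p


def add(xs, ys, p=P):
    """[x] + [y]: every party adds its own two shares, no communication."""
    return [(a + b) % p for a, b in zip(xs, ys)]


def scale(k, xs, p=P):
    """k * [x] for a public constant k, again local to each party."""
    return [(k * a) % p for a in xs]


def add_public(xs, k, p=P):
    """[x] + k for a public constant k: only the first party adjusts its share."""
    out = list(xs)
    out[0] = (out[0] + k) % p
    return out


def beaver_triple(n=2, p=P):
    """Correlated randomness (a, b, c = ab) shared among the parties; produced
    here by a trusted dealer, which is an assumption of this example."""
    a, b = secrets.randbelow(p), secrets.randbelow(p)
    return share(a, n, p), share(b, n, p), share((a * b) % p, n, p)


def multiply(xs, ys, triple, p=P):
    """One-round multiplication of [x] and [y] using a precomputed triple.
    Returns the sharing of xy and the number of field elements sent in total."""
    a_s, b_s, c_s = triple
    # Each party i locally masks its shares: d_i = x_i - a_i, e_i = y_i - b_i.
    d_s = [(x - a) % p for x, a in zip(xs, a_s)]
    e_s = [(y - b) % p for y, b in zip(ys, b_s)]
    # The single round: every party broadcasts (d_i, e_i), two elements each,
    # so 2n elements in total (4 for two parties). The opened d and e reveal
    # nothing about x and y because a and b are uniform one-time masks.
    sent = 2 * len(xs)
    d, e = reconstruct(d_s, p), reconstruct(e_s, p)
    # xy = (d + a)(e + b) = c + d*b + e*a + d*e, all computable locally.
    z = add(c_s, scale(d, b_s, p), p)
    z = add(z, scale(e, a_s, p), p)
    z = add_public(z, (d * e) % p, p)
    return z, sent


def view_distribution(x, parties, n=3, p=5):
    """Exhaustively enumerates the dealer's randomness over a tiny field and
    counts what the given subset of parties sees. A strict subset sees the
    same distribution for every secret; the full set of parties does not."""
    counts = Counter()
    for r in product(range(p), repeat=n - 1):
        shares = list(r) + [(x - sum(r)) % p]
        counts[tuple(shares[i] for i in parties)] += 1
    return dict(counts)


if __name__ == "__main__":
    z_sh, sent = multiply(share(6), share(7), beaver_triple())
    print(reconstruct(z_sh), sent)  # 42 4
```

The `view_distribution` helper is the information-theoretic argument made concrete: for `n=3` over $\mathbb{Z}_5$, parties 0 and 2 see every one of the 25 possible share pairs exactly once whatever the secret is, while the three shares together are constrained to sum to the secret.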
3. Mathematical Structure and Homomorphism
Additive secret sharing is fundamentally linked to linear codes. In Shamir’s secret sharing, sharing is realized via evaluation of a random polynomial at distinct points, and the sum of two polynomials yields a sharing of the sum of the secrets. This homomorphism underpins secure computation: shares of a sum are obtained by share-wise addition, and (for threshold schemes) the result is reconstructed by Lagrange interpolation (Binu et al., 2016).
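As an added example (not code from Binu et al. or the other cited works), the block below implements the Shamir variant just described in Python: threshold sharing by polynomial evaluation, share-wise addition, and Lagrange interpolation at zero. It frames the computation as the vote aggregation the page mentions later, where each voter's encoded choice is shared among talliers who only ever reconstruct the sum. The prime modulus, the base-power vote encoding and the function names are assumptions of this example.

```python
import secrets

# Prime modulus for the example (an assumption of this example, not a value
# taken from the cited schemes).
P = 2**31 - 1


def shamir_share(secret, t, n, p=P):
    """(t, n)-threshold sharing: evaluate a random polynomial of degree t-1
    with constant term `secret` at the points 1..n. Returns (i, f(i)) pairs."""
    coeffs = [secret % p] + [secrets.randbelow(p) for _ in range(t - 1)]
    return [(i, sum(c * pow(i, k, p) for k, c in enumerate(coeffs)) % p)
            for i in range(1, n + 1)]


def lagrange_reconstruct(points, p=P):
    """Recover f(0) from any t distinct points by Lagrange interpolation."""
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % p
                den = den * (xi - xj) % p
        secret = (secret + yi * num * pow(den, -1, p)) % p
    return secret


def add_shares(s1, s2, p=P):
    """Share-wise addition: the sum of two degree-(t-1) polynomials is again a
    degree-(t-1) polynomial whose constant term is the sum of the secrets."""
    assert [i for i, _ in s1] == [i for i, _ in s2], "shares must be aligned"
    return [(i, (a + b) % p) for (i, a), (_, b) in zip(s1, s2)]


def encode_vote(candidate, base):
    """Encode a choice among candidates as base**candidate, with base larger
    than the number of voters so per-candidate counts never carry over."""
    return base ** candidate


def decode_tally(total, base, num_candidates):
    """Split the reconstructed total back into per-candidate counts."""
    return [(total // base ** k) % base for k in range(num_candidates)]


def aggregate(votes, t, n, base, p=P):
    """Each voter shares its encoded vote among n talliers; the talliers add
    the shares locally and never see an individual vote. Returns the summed
    shares, from which any t talliers can reconstruct the total."""
    total = None
    for v in votes:
        s = shamir_share(encode_vote(v, base), t, n, p)
        total = s if total is None else add_shares(total, s, p)
    return total
```

Any $t$ of the $n$ summed shares reconstruct the encoded total (here 311 for five voters choosing candidates 0, 2, 1, 2, 2 with base 10), which decodes to one vote each for candidates 0 and 1 and three for candidate 2; fewer than $t$ shares leave the total undetermined.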
Variants extend to additive codes over and more complex access structures, where the additive property underlies the combinatorial design of access groups. Additive codes permit two-step reconstruction procedures that rely on trace computations and dual codewords, enabling access structures not possible in threshold schemes (Kim et al., 2017).
4. Access Structures and Dynamic Generalizations
While threshold additive secret sharing (where any of shares can reconstruct the secret) is standard, recent work has generalized to additive access structures (AAS), supporting dynamically evolving sets of authorized/unauthorized groups. At each time step, the set of authorized subsets grows, with the protocol assigning public messages and secret keys to guarantee:
- Reliability for authorized subsets,
- Secrecy (information-theoretic, negligible leakage) for unauthorized subsets.
A universal “quantized binning” coding approach enables this flexibility, supporting dynamic monotone access growth and achieving secret rates matching capacity for arbitrary and threshold access structures (Miller et al., 14 Jan 2026).
In the quantum setting, additive secret sharing protocols have been realized using quantum networks (e.g., Qline), achieving composable, information-theoretic security for share distribution, with resource costs independent of the number of parties (Grilo et al., 28 Apr 2025).
5. Applications
Additive secret sharing is directly or indirectly embedded in a broad set of cryptographic and privacy-preserving systems:
- Secure multiparty computation (MPC): Building general arithmetic circuit evaluation frameworks, enabling secure two-party or n-party evaluation of complex functions (Xiong et al., 2020, Xia et al., 2020).
- Cloud-assisted privacy-preserving analytics: Outsourcing computation to non-colluding cloud servers while maintaining input/output privacy (Xiong et al., 2020).
- Privacy-preserving machine learning: Enabling private evaluation of neural networks, e.g., via secure evaluation of CNNs, ReLU, max-pooling, PCA, and LSH-based retrieval using only additive secret sharing and efficient secure primitives (Xia et al., 2020).
- Secure voting: Aggregating encoded votes share-wise, reconstructing with threshold interpolation, and exploiting homomorphism for correctness and privacy (Binu et al., 2016).
- Quantum cryptographic protocols: Composably secure distribution of additive secret shares suitable for subsequent cryptographic applications (anonymous veto, symmetric key establishment) on emerging quantum infrastructures (Grilo et al., 28 Apr 2025).
- General secret sharing with flexible access structures: Capacity-achieving protocols supporting dynamic, monotone access structure evolution and arbitrary correlation sources (Miller et al., 14 Jan 2026).
- Rich non-threshold access via additive codes: Implementation of non-trivial access structures with minimal authorized groups based on combinatorial designs (Kim et al., 2017).
6. Security Guarantees
Protocols based on additive secret sharing achieve information-theoretic secrecy: any strict subset of shares is statistically independent of the secret, provided shares are uniformly random and the reconstruction threshold is not met (Xiong et al., 2020, Binu et al., 2016). In the quantum setting, security definitions are couched in Abstract Cryptography and universal composability: the real protocol is indistinguishable from an ideal functionality up to a negligible parameter, and security composes under protocol composition (Grilo et al., 28 Apr 2025). For all the efficient MPC schemes described, UC-security is proven in the honest-but-curious (semi-honest) model (Xiong et al., 2020). In generalizations involving codes, security and access conditions follow directly from properties of the code, such as minimum distance, dual supports, and combinatorial designs (Kim et al., 2017).
7. Extensions and Trade-offs
- n-party and code-based schemes: ASS and its generalizations extend to any via the paradigm; multiplicative sharing analogs exist with product constraints (Xiong et al., 2020).
- Multiplicative secret sharing: Conversion protocols between additive and multiplicative forms permit efficient support for division, exponentiation, and comparisons (Xiong et al., 2020).
- Composability: The protocols fit atop universally composable frameworks and can be integrated in high-level MPC toolchains (e.g., ABY, Sharemind) (Xiong et al., 2020).
- Access structure expressiveness: Additive codes over fields such as support more expressive access structures with combinatorial symmetry, at the cost of increased reconstruction complexity (Kim et al., 2017).
- Implementation trade-offs: Two-step reconstruction, arithmetic over extension fields, and episodic masking may complicate integration with legacy systems but provide enhanced security flexibility.
Additive secret sharing remains a central abstraction in privacy-preserving computation, with an expanding body of theory and practice supporting its extension to new access models, platforms (including quantum), and composable system architectures (Xiong et al., 2020, Grilo et al., 28 Apr 2025, Miller et al., 14 Jan 2026, Xia et al., 2020, Kim et al., 2017, Binu et al., 2016).