
Additive Secret Sharing Schemes

Updated 21 January 2026
  • Additive Secret Sharing Schemes are cryptographic primitives that partition a secret into multiple shares such that only the sum reveals the secret, ensuring perfect secrecy.
  • They enable efficient secure multiparty computation via local arithmetic operations and constant-round protocols, supporting both classical and quantum network applications.
  • Code-theoretic and combinatorial extensions offer fine-grained access control, benefiting privacy-preserving applications like secure cloud computing and machine learning.

Additive Secret Sharing Schemes (ASS) partition a secret $x$ from an algebraic domain (field or ring) into multiple shares $x_1, \ldots, x_n$ such that only the sum (or modular sum) of all shares yields $x$, and no subset of $n - 1$ or fewer shares provides information about $x$ in the information-theoretic sense. This approach underpins secure multiparty computation and numerous cryptographic protocols, due to its homomorphic properties and composable security guarantees. ASS is realized across classical settings, with generalizations to quantum network architectures and code-theoretic structures for controlling access, correctness, and efficiency.

1. Algebraic Foundation and Construction

ASS can be instantiated over arbitrary rings or fields. For $x \in \mathbb{F}$, the share-generation protocol selects $n-1$ independent, uniformly random values $x_1,\ldots,x_{n-1} \in \mathbb{F}$, then computes $x_n = x - \sum_{j=1}^{n-1} x_j$ (addition modulo the group operation in $\mathbb{F}$). Each party $P_j$ receives $x_j$, ensuring $\sum_{j=1}^n x_j = x$ and that any strict subset is uniformly distributed and completely hides $x$ (Xia et al., 2020, Xiong et al., 2020):

$$\text{Share}(x):\quad x_1,\dots,x_{n-1} \xleftarrow{\$} \mathbb{F},\quad x_n = x - \Bigl( \sum_{j=1}^{n-1} x_j \Bigr)$$

$$\text{Rec}(x_1,\ldots,x_n) := \sum_{j=1}^{n} x_j$$

Correctness is immediate, and perfect secrecy against any coalition of size $< n$ is guaranteed by the uniform masking property.

Extensions of ASS leverage the structure of additive codes over finite fields such as $GF(4)$, enabling non-threshold access structures and advanced combinatorial control over authorized sets (Kim et al., 2017). In this setting, the codeword generation associates the secret with a linear equation over $GF(4)$ solved by a random vector $u$, and shares are determined by a generator matrix $G$.

2. Computation on Secret Shares

ASS shares support a rich suite of arithmetic operations with minimal interaction. Addition and subtraction are purely local due to the linearity of the sharing:

  • Local addition/subtraction: Each party computes $z_j = x_j + y_j$ to obtain a share of $z = x + y$.
  • Secure multiplication: Requires pre-processing with Beaver triples. A trusted third party generates random $a, b, c = a b$, shares them, and parties compute local masks and exchange masked differences. One round of interaction with $O(1)$ communication suffices (Xia et al., 2020, Xiong et al., 2020):

$$(a + e)(b + f) = ab + af + be + ef$$

Protocols generalize to matrix and vector operations entry-wise and allow efficient parallel composition (Xia et al., 2020).

For nonlinear functions (exponentiation, logarithm, division, comparison), switching between ASS and Multiplicative Secret Sharing (MSS) via secure resharing enables constant-round protocols. Trigonometric and inverse trigonometric functions exploit polynomial identities and Taylor expansion, implemented via compositions of the basic constant-round primitives (Xiong et al., 2020).

3. Security, Composability, and Model

ASS achieves information-theoretic (UC-) security against semi-honest adversaries, both in the classical and quantum settings. The simulation argument shows that the view of any adversarial party can be perfectly simulated by an independent uniform draw, revealing no information about the secret (Xiong et al., 2020, Xia et al., 2020). In the Abstract Cryptography framework, the ideal functionality $\mathrm{F_{ADD}}$ receives the secret, distributes randomized shares, and aborts upon adversarial instruction. Security proofs for quantum protocols integrate security reductions to composable QKD and hybrid arguments (Grilo et al., 28 Apr 2025).

Composable security is crucial: composed executions in classical or quantum networks aggregate distinguishing advantages additively. For quantum Qline-based networks, protocols tolerate abort conditions and achieve $\varepsilon$-security with $\varepsilon = (H-1)\cdot \varepsilon_{QKD'} + 2^{-\eta}$, where $H$ is the number of honest parties and $\eta$ the hash length (Grilo et al., 28 Apr 2025).

4. Access Structures and Code-Theoretic Extensions

Classical ASS implements threshold access structures: any $n$ shares suffice, but $< n$ are useless. Code-based additive schemes on $GF(4)$ realize richer access structures, controlled by combinatorial designs in the dual additive code. Reconstruction requires two steps using trace inner products with vectors from three distinguished dual-code families $H_1, H_2, H_3$, mapping to lookup values that uniquely determine the secret (Kim et al., 2017):

  • Support-based access: Coalitions authorized only if they possess shares corresponding to codewords covering distinct blocks in $H_i$ and $H_j$.
  • Cheater detection: Minimum code weight $d$ detects up to $d-1$ cheating participants.
  • Minimal authorized sets: Defined by pairs of supports from different code-design families, yielding non-threshold but highly structured authorization.

Self-dual codes (e.g., hexacode, dodecacode, $S_{18}$) yield generalized $t$-designs, controlling coalition sizes and intersection properties.

5. Quantum-Assisted Distribution and Advanced Protocols

Quantum network architectures, notably the Qline model, support efficient ASS distribution at scale. Instead of requiring $O(n^2)$ QKD links, the Qline allows distribution via $O(n)$ quantum links, using chained phase rotations and basis measurements, with classical sifting, error correction, and privacy amplification steps (Grilo et al., 28 Apr 2025):

  • Prepare-and-measure protocol: Single source emits BB84-type qubits sequentially through $J-2$ intermediate phase-rotation nodes, terminating in a detector node. The protocol amalgamates random subset broadcasts, error estimation, syndrome announcement, correctness hashes, and privacy amplification.
  • Multiparty cryptographic primitives: Secure anonymous veto (Dining Cryptographers) and symmetric key establishment are realized as compositions of independent ASS distributions of zero.
  • Performance: For $J=4$ parties and $K \approx 1.7$ Mbit share size, $\sim 10^7$ quantum measurements yield security advantage $10^{-11}$ in under $5$ minutes.

Network and communication costs are significantly lower compared to classical QKD-based ASS.

6. Efficiency, Communication Complexity, and Practical Impact

ASS protocols offer constant or small round complexity for all basic and most advanced functions (Xia et al., 2020, Xiong et al., 2020):

| Protocol              | Rounds | Communication per party |
|-----------------------|--------|-------------------------|
| Secure multiplication | 1      | $4\ell$                 |
| Matrix multiplication | 1      | $2(mk+kn)\ell$          |
| Secure division       | 3      | $6\ell$                 |
| Trigonometric ops     | 1      | $4\ell$                 |

Preprocessing (e.g., Beaver triple generation) can be highly efficient and batched, with rates above $5 \times 10^5$ triples/sec in practical experiments.

A plausible implication is that ASS with optimized secure computation protocols and quantum-assisted distribution is suitable for high-throughput privacy-preserving machine learning, cloud computing, and multi-party cryptography, delivering drastically reduced latency and communication overheads compared to classical bit-decomposition or homomorphic encryption-based approaches.
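The Share/Rec construction of Section 1 and the local addition and Beaver-triple multiplication of Section 2 can be traced in a few lines of Python. This is an added example, not code from the cited papers; the prime modulus `P` and all function names are assumptions chosen for illustration.

```python
import secrets

P = 2**61 - 1  # prime modulus of the field (assumed; any field or ring works)

def share(x, n):
    """Share(x): n-1 uniform values, plus x_n = x - sum of the others (mod P)."""
    parts = [secrets.randbelow(P) for _ in range(n - 1)]
    parts.append((x - sum(parts)) % P)
    return parts

def reconstruct(shares):
    """Rec(x_1, ..., x_n): the modular sum of all n shares."""
    return sum(shares) % P

def add_shares(xs, ys):
    """Local addition: party j computes z_j = x_j + y_j, no messages sent."""
    return [(xj + yj) % P for xj, yj in zip(xs, ys)]

def deal_beaver_triple(n):
    """Preprocessing by the trusted third party: shares of random a, b and c = ab."""
    a, b = secrets.randbelow(P), secrets.randbelow(P)
    return share(a, n), share(b, n), share(a * b % P, n)

def beaver_multiply(xs, ys, triple):
    """Shares of x*y from shares of x and y, using one triple and one round.

    With e = x - a and f = y - b opened, x*y = (a + e)(b + f)
    = ab + af + be + ef, and every term is computable on shares.
    """
    a_sh, b_sh, c_sh = triple
    n = len(xs)
    # The single round: each party publishes its share of e and of f.
    # Both are masked by the uniform a and b, so opening them leaks nothing.
    e = reconstruct([(xs[j] - a_sh[j]) % P for j in range(n)])
    f = reconstruct([(ys[j] - b_sh[j]) % P for j in range(n)])
    # Local step: z_j = c_j + f*a_j + e*b_j; the public term e*f is added once.
    zs = [(c_sh[j] + f * a_sh[j] + e * b_sh[j]) % P for j in range(n)]
    zs[0] = (zs[0] + e * f) % P
    return zs, (e, f)

if __name__ == "__main__":
    x, y = 1234567, 7654321  # constructed sample secrets
    xs, ys = share(x, 3), share(y, 3)
    print("sum    :", reconstruct(add_shares(xs, ys)) == (x + y) % P)
    zs, opened = beaver_multiply(xs, ys, deal_beaver_triple(3))
    print("product:", reconstruct(zs) == (x * y) % P)
    print("opened (e, f), uniformly masked:", opened)
```

Each triple must serve exactly one multiplication: opening $x - a$ and $x' - a$ under the same $a$ reveals $x - x'$.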

7. Comparative Analysis and Applications

ASS differs from Shamir’s threshold secret sharing in reconstruction (unconditional sum versus polynomial interpolation) and supports wider access patterns via additive codes (Kim et al., 2017). Anonymous veto, secure key establishment, privacy-preserving cloud computation (image retrieval, secure neural inference), and efficient MPC all leverage the additive linearity and constant-round computation model (Xia et al., 2020, Xiong et al., 2020, Grilo et al., 28 Apr 2025).
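An anonymous-veto round built from one additive sharing of zero, in the Dining Cryptographers style named above. This is an added illustration, not the protocol of Grilo et al.; the field modulus, the function names and the encoding of a veto as a random nonzero mask are assumptions.

```python
import secrets

P = 2**61 - 1  # prime field modulus (assumed for this example)

def share_zero(n):
    """Additive sharing of 0: n-1 uniform values and the negated sum."""
    parts = [secrets.randbelow(P) for _ in range(n - 1)]
    parts.append(-sum(parts) % P)
    return parts

def veto_broadcasts(zero_shares, vetoes):
    """Party j publishes its zero-share, plus a random nonzero mask if it vetoes."""
    out = []
    for s, v in zip(zero_shares, vetoes):
        mask = 1 + secrets.randbelow(P - 1) if v else 0
        out.append((s + mask) % P)
    return out

def vetoed(broadcasts):
    """The zero-shares cancel in the sum, so a nonzero total means a veto.

    Masks from several vetoers cancel only with probability about 1/P.
    """
    return sum(broadcasts) % P != 0

def explanations(broadcasts):
    """For each party k, zero-shares under which k alone cast the veto.

    Every k yields a valid sharing of 0, so the transcript does not
    single out the vetoer to an outside observer.
    """
    total = sum(broadcasts) % P
    result = []
    for k in range(len(broadcasts)):
        shares = list(broadcasts)
        shares[k] = (shares[k] - total) % P  # attribute the whole mask to party k
        result.append(shares)
    return result

if __name__ == "__main__":
    votes = [False, False, True, False]  # constructed sample: party 2 vetoes
    b = veto_broadcasts(share_zero(4), votes)
    print("veto detected:", vetoed(b))
    print("parties the transcript is consistent with:", len(explanations(b)))
```

A zero-sharing is consumed by one round; reusing it lets an observer subtract two transcripts and isolate the masks.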

Security is predicated on the semi-honest assumption in classical models and on composable QKD security and quantum hardware integrity in quantum distribution regimes. Code-theoretic extensions provide granular coalition controls, and quantum distribution architectures reduce infrastructure costs and simplify scaling.

In summary, ASS constitutes a foundational cryptographic primitive, supporting scalable and efficient secure computation and secret sharing, with ongoing expansions into quantum networks and combinatorial code-theoretic architectures.
