
Multiplicative Secret Sharing Overview

Updated 21 January 2026
  • Multiplicative Secret Sharing is a cryptographic primitive where secrets are reconstructed by multiplying distributed shares rather than adding them.
  • Variants such as threshold schemes, LSSS-based constructions, and hidden multiplier methods enable local, zero-communication operations in secure multiparty computation.
  • MSS optimizes share reusability and composability while introducing challenges like larger share sizes and distinct security considerations compared to additive schemes.

Multiplicative Secret Sharing (MSS) is a cryptographic primitive and secret-sharing modality in which secrets are shared such that the product of the shares, rather than their sum, reconstructs the secret. Variants of MSS—ranging from simple threshold schemes to highly structured Linear Secret Sharing Schemes (LSSS) and protocols based on group-theoretic "hidden multipliers"—serve as critical tools in secure multiparty computation (MPC), privacy-preserving protocols, and threshold cryptography. MSS enables local (zero-communication) computation of products and offers unique efficiency and composability characteristics, but also raises distinct design and security considerations compared to standard additive secret sharing.

1. Formal Definitions and Core Schemes

(2,2)-Threshold MSS

Given a field $\F$ (possibly $\F = \R$ as in real-valued computation), the fundamental two-party multiplicative secret sharing scheme is as follows. To share a nonzero secret $u \in \F^\times$, select a uniform random $u_1 \in \F^\times$ and set $u_2 = u / u_1$. The pair $\mss{u} = (u_1,u_2)$ satisfies $u_1 u_2 = u$; reconstruction is via multiplication: $u = u_1 u_2$. Neither share reveals any information about $u$ (Xiong et al., 2020).

Multiplicative LSSS and Higher-Order Multiplicativity

A general Linear Secret Sharing Scheme (LSSS) is defined by an underlying monotone access structure and admits a secret-sharing matrix $M$ over a field $\F$. An LSSS is called multiplicative if shares of two secrets $s, s'$ enable each participant to locally compute products of their shares, and there exists a global recombination vector transforming these products (the "diamond product") into a sharing of the product $ss'$ (0812.2518). Strong multiplicativity requires that this property be preserved after removing any unauthorized subset of participants.

For more complex functions, 3-multiplicative LSSS support the local combination of three shares to recover $s_1 s_2 s_3$ directly, a property that strictly strengthens strong multiplicativity.
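The three properties can be checked on a concrete LSSS. This added example (not code from the page or from 0812.2518) uses Shamir's polynomial scheme as the LSSS instance, with the Lagrange coefficients at 0 as the recombination vector; the field `P`, the parameters `N = 7`, `T = 2` (chosen so that $3T < N$), and all function names are assumptions.

```python
import secrets

P = 2**31 - 1   # assumed prime field for the example
N, T = 7, 2     # 7 players, any 2 are unauthorized; chosen so that 3*T < N

def shamir_share(s, n=N, t=T, p=P):
    """Evaluate a random degree-t polynomial with constant term s at x = 1..n."""
    coeffs = [s % p] + [secrets.randbelow(p) for _ in range(t)]
    return {i: sum(c * pow(i, k, p) for k, c in enumerate(coeffs)) % p
            for i in range(1, n + 1)}

def recombination_vector(points, p=P):
    """Lagrange coefficients at 0: a fixed public vector applied to local products."""
    lam = {}
    for i in points:
        num = den = 1
        for j in points:
            if j != i:
                num = num * (-j) % p
                den = den * (i - j) % p
        lam[i] = num * pow(den, -1, p) % p
    return lam

def local_product(*sharings, keep=None, p=P):
    """Player i multiplies its own shares; `keep` lists the players that remain."""
    players = list(keep) if keep is not None else list(sharings[0])
    out = {}
    for i in players:
        v = 1
        for sh in sharings:
            v = v * sh[i] % p
        out[i] = v
    return out

def recombine(local_values, p=P):
    """Apply the recombination vector; opened here only to check the result."""
    lam = recombination_vector(list(local_values), p)
    return sum(lam[i] * v for i, v in local_values.items()) % p

if __name__ == "__main__":
    a, b, c = shamir_share(11), shamir_share(13), shamir_share(17)
    print(recombine(local_product(a, b)))                    # multiplicative
    print(recombine(local_product(a, b, keep=range(1, 6))))  # players 6, 7 removed
    print(recombine(local_product(a, b, c)))                 # 3-multiplicative
```

A product of two degree-$T$ sharings lies on a degree-$2T$ polynomial, so the $N - T = 5$ remaining players still determine it; the triple product has degree $3T = 6$ and needs all 7 players.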

Multiplicative Sharing Based on Hidden Multipliers

Schemes based on hidden multipliers, as in the work of Roman'kov, instantiate MSS within a finite field's multiplicative group or groups of invertible elements in commutative rings (Roman'kov, 2021). Here, secrets are elements of a subgroup $F \leq G = \F_p^\times$ (or $G = K^\times$) of order $d$, and shares are exponents or random multipliers drawn from a subgroup $H \leq G$ of coprime order to $d$. The dealer distributes pairwise-coprime exponents $(t_1, \dots, t_n)$ to $n$ users only once, and shares can be reused for multiple secrets.

2. Protocol Conversions and Operations

Resharing Between Additive and Multiplicative Schemes

Practical MPC frameworks frequently need to convert between ASS and MSS. Protocols (SecMulRes for MSS→ASS and SecAddRes for ASS→MSS) are constructed using Beaver triples to maintain security under standard UC composability, ensuring that no party learns the secret in the process and that output shares appear uniformly random to the parties (Xiong et al., 2020).

The overall communication and round complexity for these transitions are low: SecMulRes uses one round and $2\ell$ bits of communication (for field elements of bit-length $\ell$), while SecAddRes uses two rounds but an identical communication profile.

Local Operations in MSS

MSS is uniquely suited to local, zero-communication computation of products and inverses. If $\mss{u}$ and $\mss{v}$ are MSS-shares of $u$ and $v$, then $(u_1 v_1, u_2 v_2)$ is an MSS of $uv$. Inversion is also local: $(u_1^{-1}, u_2^{-1})$ shares $u^{-1}$.
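The (2,2) scheme and its local operations in runnable form, as an added example rather than code from the page or from Xiong et al. The prime modulus `P` and all function names are assumptions; `party2_view` enumerates a small field to show that one share takes the same set of values for every secret.

```python
import secrets

P = 2**61 - 1  # assumed prime modulus for the example; the page fixes no field

def share(u, p=P):
    """Split a nonzero secret u into (u1, u2) with u1 * u2 = u (mod p)."""
    if u % p == 0:
        raise ValueError("0 is not in F^x and cannot be shared multiplicatively")
    u1 = secrets.randbelow(p - 1) + 1      # uniform over the nonzero elements
    u2 = u * pow(u1, -1, p) % p            # u2 = u / u1
    return u1, u2

def reconstruct(sh, p=P):
    return sh[0] * sh[1] % p

def local_mul(su, sv, p=P):
    """Party i multiplies its own shares u_i * v_i; nothing is sent."""
    return su[0] * sv[0] % p, su[1] * sv[1] % p

def local_inv(su, p=P):
    """Party i inverts its own share; the pair shares u^{-1}."""
    return pow(su[0], -1, p), pow(su[1], -1, p)

def party2_view(u, p):
    """Every value party 2 can receive for secret u, over all choices of u1."""
    return sorted(u * pow(u1, -1, p) % p for u1 in range(1, p))

if __name__ == "__main__":
    su, sv = share(42), share(1000)
    print(reconstruct(local_mul(su, sv)))             # product of the two secrets
    print(reconstruct(local_inv(su)) * 42 % P)        # u^{-1} times u
    print(party2_view(3, 11) == party2_view(7, 11))   # same view for both secrets
```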

Mixed operations (for exponentiations, trigonometric, and comparison functions) typically involve a transition from ASS to MSS, computation in MSS, and conversion back to ASS. For example, to compute $a^x$ (public $a$), parties compute $u_1 = a^{x_1}, u_2 = a^{x_2}$, then recover an additive share via SecMulRes (Xiong et al., 2020).
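One way to carry out the $a^x$ pipeline, including the final MSS→ASS step described under resharing, as an added example: it uses a dealer-supplied product correlation in the Beaver style with one masked field element sent per party, and is not the SecMulRes protocol of Xiong et al. The modulus `P`, the trusted dealer, and all function names are assumptions.

```python
import secrets

P = 2**61 - 1  # assumed prime modulus for the example; the page fixes no field

def deal_correlation(p=P):
    """Assumed trusted dealer: P1 gets (r, c1), P2 gets (s, c2), c1 + c2 = r*s."""
    r, s = secrets.randbelow(p), secrets.randbelow(p)
    c1 = secrets.randbelow(p)
    c2 = (r * s - c1) % p
    return (r, c1), (s, c2)

def mss_to_ass(u1, u2, p=P):
    """Turn multiplicative shares u1*u2 = u into additive shares z1 + z2 = u."""
    (r, c1), (s, c2) = deal_correlation(p)
    d = (u1 - r) % p                  # message P1 -> P2: u1 under additive mask r
    e = (u2 - s) % p                  # message P2 -> P1: u2 under additive mask s
    z1 = (r * e + c1) % p             # P1 uses only r, c1 and the received e
    z2 = (d * s + d * e + c2) % p     # P2 uses only s, c2, its own e and d
    # z1 + z2 = r*e + d*s + d*e + r*s = (d + r)(e + s) = u1 * u2
    return z1, z2, (d, e)

def shared_power(a, x1, x2, p=P):
    """Additive shares of a^x from exponent shares x1 + x2 = x (mod p - 1)."""
    u1, u2 = pow(a, x1, p), pow(a, x2, p)   # local step: (u1, u2) is an MSS of a^x
    z1, z2, _ = mss_to_ass(u1, u2, p)
    return z1, z2

if __name__ == "__main__":
    x = 123456789
    x1 = secrets.randbelow(P - 1)
    x2 = (x - x1) % (P - 1)                 # exponents live modulo the group order
    z1, z2 = shared_power(3, x1, x2)
    print((z1 + z2) % P == pow(3, x, P))
```

The exponent shares are taken modulo $p - 1$, the order of $\F_p^\times$, while the output shares are additive modulo $p$; mixing the two moduli is the usual implementation mistake in this step.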

Group-Theoretic Multiplicative Sharing

In hidden-multiplier schemes, a coalition of users reconstructs the secret by repeated exponentiation and cancellation of hidden multipliers, leveraging properties of coprime subgroup orders and the hardness of exponent-finding in $G$ (Roman'kov, 2021). Multiple versions exist: Version 1 depends on precise coalition structure (non-monotone), while Version 2 (the inverse-share method) and its $(k,n)$-threshold extension allow reconstruction by any qualifying subset and monotone access structures.

3. Security Notions and Proof Techniques

All presented MSS schemes target security against semi-honest adversaries. In field-based MSS, simulation-based security proofs rely on the indistinguishability of masked messages, shown via additive and multiplicative masking lemmas: adding a uniform random mask makes a value uniform and independent; multiplying by a uniform random nonzero mask achieves the same for products (Xiong et al., 2020).

Group-theoretic schemes guarantee semantic security: the adversary cannot distinguish which of two candidate secrets was shared, assuming the computational intractability of finding element orders or solving hidden exponent problems. These arguments parallel ElGamal-style semantic security, using the intractability of group order decomposition in place of the discrete logarithm assumption (Roman'kov, 2021).

Linear MSS (LSSS) security, especially for strongly and 3-multiplicative schemes, is defined combinatorially: correctness for all authorized sets, privacy for all unauthorized sets, and the local multiplicative property even after adversarial exclusion of participants (0812.2518).

4. Efficiency, Reusability, and Complexity Considerations

MSS-based frameworks exhibit distinctive efficiency tradeoffs:

  • Zero-Communication Multiplication: Local operations in MSS (multiplication, inversion) incur no rounds and no communication (Xiong et al., 2020).
  • Resharing Overheads: Conversions (ASS↔MSS) are constant-round and send only a few field elements per operation.
  • Share Reusability: In hidden-multiplier MSS (Roman'kov, 2021), the dealer distributes shares only once, which are reusable for all future secrets—unlike Shamir's additive scheme, where new polynomials are needed for each secret.
  • Size of Shares: Group-theoretic approaches require shares as large as the group order, which can be much larger than elements in Shamir’s field.
  • Communication Cost: For each new secret, hidden-multiplier schemes broadcast a single group element, independent of the number of users.

In LSSS, strongly multiplicative schemes are critical for full active security but may have high share complexity, while 3-multiplicative LSSS (constructed from Reed–Muller or AG codes) offer more tractable verification and, for many applications, reduce round complexity of unbounded fan-in multiplication from five to four (0812.2518).

5. Applications and Integration in MPC Protocols

2-Party Secure Computation: MSS is used for efficient protocols in the GMW model, especially where high-precision arithmetic and nonlinear functions (comparison, $\exp$, $\log$, $\sin$) are needed. Computation typically proceeds in ASS, but nonlinear gates "hop" through MSS, ensuring both efficiency and high functionality (Xiong et al., 2020).

Multiparty Threshold Schemes: In hidden-multiplier MSS, the $(k,n)$-threshold extension offers dynamic thresholding and minimal dealer interaction. Flexible access structures and repeated usage of static shares make these schemes attractive where amortized efficiency and dynamic coalition formation are needed (Roman'kov, 2021).

Unbounded Fan-in Multiplication: Strongly multiplicative and 3-multiplicative LSSS permit fast protocols for unbounded fan-in multiplications, a fundamental operation in MPC, with 3-multiplicativity enabling explicit 4-round protocols (0812.2518).

Composability: UC-style security is guaranteed for well-designed MSS protocols, meaning secure composition with other cryptographic building blocks (Xiong et al., 2020).

6. Advantages, Limitations, and Comparison with Additive Schemes

Advantages:

  • Local (zero-communication) product computation and efficient handling of complex arithmetic circuits.
  • Share reusability for all secrets (in group-theoretic approaches).
  • Flexible threshold and dynamic access structures in $(k,n)$-variants (Roman'kov, 2021).
  • Communication overhead per secret is minimal in hidden-multiplier schemes.
  • Construction of explicit 3-multiplicative LSSS is often easier than for strongly multiplicative LSSS, simplifying implementation in practice (0812.2518).

Limitations:

  • Share sizes can become large compared to Shamir additive schemes, especially for group-based constructions.
  • In group-theoretic approaches, the underlying platform must provide efficient subgroup generation and hardness of exponent-finding.
  • Version 1 hidden-multiplier schemes are non-monotone (only exact coalitions reconstruct), though this is remedied in Version 2.
  • Security in hidden-multiplier MSS is computational rather than information-theoretic, in contrast to Shamir's additive scheme.

| Property | Field-based MSS (Xiong et al., 2020) | Hidden-multiplier MSS (Roman'kov, 2021) | 3-mult. LSSS (0812.2518) |
|---|---|---|---|
| Share size | One field element | One group element per party | Vector per player (code-based) |
| Reusability | Per secret | Shares fixed, reused for any secret | Varies by construction |
| Security model | Univ. composable, semi-honest | Computational, semantic (order-finding) | Information-theoretic (structural) |
| Multiplication (local) | Yes | Yes | Yes |
| Threshold flexibility | 2-party | $(k,n)$, threshold set after setup | Yes (by design) |

7. Construction Techniques and Complexity in Practice

Constructions for multiplicative, strongly multiplicative, and 3-multiplicative LSSS leverage algebraic error-correcting codes:

  • Reed–Muller Codes: For $3r < m$, the LSSS induced is 3-multiplicative, enabling direct triple-share product recombination and efficient verification.
  • Algebraic-Geometric Codes: The scheme is $A$-multiplicative if $m > (A-1)(n-1)+2g$ for curve genus $g$ and divisor degree $m$. These codes afford ramp schemes with fine-grained tradeoffs between share size and authorized set structure.

Conversion methods allow an arbitrary strongly multiplicative LSSS (of size $d$) to be transformed into a 3-multiplicative LSSS of size $O(d^2)$, with explicit constructions provided (0812.2518).

Computational complexity per multiplication is bounded by $O(D^2)$ or $O((m-g)^2)$ depending on the code used. This suggests that schemes are practical for moderate-scale MPC with carefully selected parameters.

In summary, Multiplicative Secret Sharing encapsulates a diverse suite of primitives—encompassing field-based, group-theoretic, and LSSS-based variants—each designed to optimize specific tradeoffs between efficiency, reusability, security model, and arithmetic expressiveness in secure computation (Xiong et al., 2020, Roman'kov, 2021, 0812.2518).
