diff --git a/Cryptography b/Cryptography new file mode 160000 index 0000000..e58ebf5 --- /dev/null +++ b/Cryptography @@ -0,0 +1 @@ +Subproject commit e58ebf555964007b0f82b882aa11232eb6269030 diff --git a/content/Basic Algebra/Chinese Remainder Theorem.md b/content/Basic Algebra/Chinese Remainder Theorem.md new file mode 100644 index 0000000..8fa273f --- /dev/null +++ b/content/Basic Algebra/Chinese Remainder Theorem.md @@ -0,0 +1,138 @@ +## Intro +Chinese remainder theorem states that if one knows remainders of the Euclidean division of an integer n by several integers which are pairwise coprime, one can uniquely determine the remainder of the division of n. + + >Simple example is as follows. + >If one knows that the remainder of n divided by 3 is 2 ($n \equiv 2 \pmod{3}$), and that remainder divided by 7 is 2 ($n \equiv 2\pmod{7}$), one can determine that remainder of n divided by $105(=3*5*7)$ has a unique value, 23. + +## Theorem +>If the integers \(m_1, m_2, \dots, m_n\) are pairwise coprime, then the following system of simultaneous congruences: +\[ + x\equiv + \begin{cases} + a_1 \pmod{m_1} \\ + a_2 \pmod{m_2} \\ + a_3 \pmod{m_3} \\ + \vdots \\ + a_n \pmod{m_n} + \end{cases} +\] + has a unique solution modulo + \[ + M=\prod_{i=1}^{n} m_i=m_1 m_2 \cdots m_n. + \] + +Such formula could be otherwise expressed as written in section "Ring Isomorphism" below, according to ring isomorphism.(definition can be checked from [[Ring Homorphism]].) + +## Computation +Though its existence can be checked using CRT, derivation of value $x$ using pure computation requires long time. + +### 1. Systematic Search +Systematic Search is the simplest method available to find the solution, which checks every possible value for $x$. +It suffices to check all the possible values from 0 to $N$, computing the remainder of the Euclidean division of $x$ by each $n_i$. + +Although such method is very simple, it is very inefficient. This algorithm is an exponential time algorithm, as the size of the input is the number of digits of $N$, and the average number of operation is of the order of $N$. + +### 2. Search by Sieving +Searching of the solution can be made faster by using "sieving" algorithm. + +**1. Concept** +Given the system of congruences: + +\[ +x \equiv a_1 \pmod{n_1} +\] + +\[ +x \equiv a_2 \pmod{n_2} +\] + +\[ +\vdots +\] + +\[ +x \equiv a_k \pmod{n_k} +\] + +the **sieving method** finds the solution by iteratively filtering values that satisfy each congruence. + + +**2. Step-by-Step Process** +1. **Generate the sequence from the first congruence** + - The numbers satisfying \( x \equiv a_1 \pmod{n_1} \) form an arithmetic sequence: + \[ + a_1, a_1 + n_1, a_1 + 2n_1, \dots + \] + +2. **Filter by the second modulus \( n_2 \)** + - Test values from the sequence modulo \( n_2 \) until finding the first \( x_2 \) such that: + \[ + x_2 \equiv a_2 \pmod{n_2} + \] + - Once found, construct a new sequence: + \[ + x_2, x_2 + n_1 n_2, x_2 + 2 n_1 n_2, \dots + \] + +3. **Repeat the process for \( n_3, n_4, \dots, n_k \)** + - Continue filtering each sequence by the next modulus \( n_3 \), forming a new arithmetic sequence each time. + - The final step yields the unique solution \( x \). + +--- +### **Mathematical Representation: Ring Isomorphism** +This can be mathematically formulated by defining the following function \( f \): + +\[ +f: \mathbb{Z}/N\mathbb{Z} \to \mathbb{Z}/n_1\mathbb{Z} \times \mathbb{Z}/n_2\mathbb{Z} \times \cdots \times \mathbb{Z}/n_k\mathbb{Z} +\] + +This function operates as follows: + +\[ +x \mod N \mapsto (x \mod n_1, x \mod n_2, \dots, x \mod n_k) +\] + +That is, the function takes an integer \( x \) modulo \( N \) and transforms it into a tuple of its remainders when divided by \( n_1, n_2, \dots, n_k \). + +The key point is that this function \( f \) is a **ring isomorphism**, meaning that the following holds: + +\[ +\mathbb{Z}/N\mathbb{Z} \cong \mathbb{Z}/n_1\mathbb{Z} \times \cdots \times \mathbb{Z}/n_k\mathbb{Z} +\] + +This implies that the ring of integers modulo \( N \) has a structure equivalent to the direct product of the rings of integers modulo \( n_i \). In other words, for doing sequence of arithmetic operations in \(\mathbb{Z}/N\mathbb{Z}\), one can do the same computation independently in each \( \mathbb{Z}/n_i\mathbb{Z}\), and then get the result by applying the isomorphism. This can work way faster than the direct computation of $N$. + +## Example: Direct Calculation + +Consider the system of congruences for \( N = 15 \), where \( n_1 = 3 \) and \( n_2 = 5 \): + +\[ +x \equiv 2 \pmod{3} +\] + +\[ +x \equiv 3 \pmod{5} +\] + +Using the Chinese Remainder Theorem (CRT), we find \( x \) as follows: + +\[ +x \equiv 8 \pmod{15} +\] + +Thus, \( x = 8 \) is the unique solution. + +However, using **ring isomorphism**, we can take a different approach: + +1. **Perform independent computations** + - \( x_1 \equiv 2 \pmod{3} \) + - \( x_2 \equiv 3 \pmod{5} \) + +2. **Combine the results** + - \( x \equiv 8 \pmod{15} \) + +By extending this method, we can optimize computations involving a large number \( N \) by performing calculations on smaller values \( n_i \) and then recombining the results. This approach significantly improves efficiency in modular arithmetic. + + +Rather than simply solving a system of congruences, the Chinese Remainder Theorem possesses the remarkable property that a unique solution exists, making it an extremely powerful tool. + diff --git a/content/Basic Algebra/Ring Homomorphism.md b/content/Basic Algebra/Ring Homomorphism.md index 905aa08..4dd4144 100644 --- a/content/Basic Algebra/Ring Homomorphism.md +++ b/content/Basic Algebra/Ring Homomorphism.md @@ -1,6 +1,38 @@ +## Definition For two [[Rings]] $R$ and $S$, a mapping $f: R \to S$ is called a ring homomorphism if it satisfies the following conditions: 1. For any $(a, b) \in R$, $f(a + b) = f(a) + f(b)$. 2. For any $(a, b) \in R$, $f(ab) = f(a) \cdot f(b)$. 3. $f(1_R) = 1_S$. -Here, the operations on the left-hand side of each condition are those defined in $R$, and the operations on the right-hand side are those defined in $S$. If such a mapping $f$ is bijective, it is called a [[Ring Isomorphism]]. +Here, the operations on the left-hand side of each condition are those defined in $R$, and the operations on the right-hand side are those defined in $S$. + +### Ring Isomorphism +If addition $f$ above is bijection, then its inverse $f^{-1}$ is also a ring homomorphism. In such cases, $f$ is called a ring isomorphism, and the rings R and S are called isomorphic. +Such isomorphism is noted as $R \cong S$ + +## Properties +Below are useful properties derived from ring homomorphism. +- \( f(0_R) = 0_S \). +- \( f(-a) = -f(a) \) for all \( a \in R \). +- For any **unit** \( a \) in \( R \), \( f(a) \) is a unit element such that + \[ + f(a)^{-1} = f(a^{-1}) + \] + In particular, \( f \) induces a **group homomorphism** from the (multiplicative) group of units of \( R \) to the (multiplicative) group of units of \( S \) (or of \( \operatorname{im}(f) \)). +- The **image** of \( f \), denoted \( \operatorname{im}(f) \), is a subring of \( S \). +- The **kernel** of \( f \), defined as + \[ + \ker(f) = \{ a \in R \mid f(a) = 0_S \} + \] + is a **two-sided ideal** in \( R \). Every two-sided ideal in a ring \( R \) is the kernel of some ring homomorphism. +- A homomorphism is injective if and only if the kernel is the **zero ideal**. +- The **characteristic** of \( S \) **divides** the characteristic of \( R \). This can sometimes be used to show that between certain rings \( R \) and \( S \), no ring homomorphism \( R \to S \) exists. +- If \( R_p \) is the smallest **subring** contained in \( R \) and \( S_p \) is the smallest subring contained in \( S \), then every ring homomorphism \( f: R \to S \) induces a ring homomorphism \( f_p: R_p \to S_p \). +- If \( R \) is a **field** (or more generally a **skew-field**) and \( S \) is not the **zero ring**, then \( f \) is injective. +- If both \( R \) and \( S \) are **fields**, then \( \operatorname{im}(f) \) is a subfield of \( S \), so \( S \) can be viewed as a **field extension** of \( R \). +- If \( I \) is an ideal of \( S \), then \( f^{-1}(I) \) is an ideal of \( R \). +- If \( R \) and \( S \) are commutative and \( P \) is a **prime ideal** of \( S \), then \( f^{-1}(P) \) is a prime ideal of \( R \). +- If \( R \) and \( S \) are commutative, \( M \) is a **maximal ideal** of \( S \), and \( f \) is surjective, then \( f^{-1}(M) \) is a maximal ideal of \( R \). +- If \( R \) and \( S \) are commutative and \( S \) is an **integral domain**, then \( \ker(f) \) is a prime ideal of \( R \). +- If \( R \) and \( S \) are commutative, \( S \) is a field, and \( f \) is surjective, then \( \ker(f) \) is a **maximal ideal** of \( R \). +- If \( f \) is surjective, \( P \) is a prime (maximal) ideal in \( R \) and \( \ker(f) \subseteq P \), then \( f(P) \) is a prime (maximal) ideal in \( S \). diff --git a/content/Basic Cryptography/Feistel cipher.md b/content/Basic Cryptography/Feistel cipher.md new file mode 100644 index 0000000..00a51bf --- /dev/null +++ b/content/Basic Cryptography/Feistel cipher.md @@ -0,0 +1,106 @@ +## Intro +The Feistel Cipher is a cryptographic structure that divides the input into left and right blocks, repeatedly applying a round function to one block and combining its output with the other block. +Typically, all elements of an encryption process must be invertible, as decryption requires reversing the encryption steps to recover the plaintext. However, the Feistel Cipher uniquely employs both invertible and non-invertible components. + +The primary reason the Feistel Cipher can utilize non-invertible elements lies in its design, which is based on the XOR operation. +> [!Question] The Invertibility of XOR +> Due to the "self-inverse" property of XOR, performing the same XOR operation during the decryption phase restores the original data. +> * Self-inverse property: A⊕B⊕B=A + +As a result, the Feistel Cipher allows for more flexible designs compared to Non-Feistel Ciphers. Additionally, the use of non-invertible components simplifies management by making the encryption and decryption processes identical. + +A well-known example of a Feistel Cipher is [[DES]] (Data Encryption Standard). In contrast, a prominent example of a Non-Feistel Cipher is [[AES]] (Advanced Encryption Standard). + + +## Design +### 1-Round Feistel Structure +![[Feistel_cipher(1).png]] + +The left side represents the encryption process, while the right side shows the decryption process. + +#### Encryption Process + +In the encryption process, the plaintext input $p = (L_0 \parallel R_0)$ is divided into $L_0$​ and $R_0$​. A function $F$ takes the key $k$ and $R_0$​ as its input. Then, $L_0$​ is XORed with the output of $F(k, R_0)$, producing the left half of the ciphertext $L_1$. Meanwhile, $R_0$​ remains unchanged and becomes the right half of the ciphertext $R_1$​. + +The encryption process can be represented mathematically as follows: +$$ +L_1 = L_0 \oplus F(k, R_0) +$$ +$$ +R_1 = R_0 +$$ + +#### Decryption Process + +In the decryption process, the input ciphertext $c = (L'_0|R'_0) = (L_1|R_1)$ is divided into $L'_0$​ and $R'_0$. +$L'_0$ is XORed with $F(k, R'_0)$, resulting in the left half of the plaintext $L'_1$. Similarly, $R'_0$ remains unchanged and becomes the right half of the plaintext $R'_1$. + +The decryption process can be represented mathematically as follows: +$$ +L'_1 = L'_0 \oplus F(k, R'_0) +$$$$ +R'_1 = R'_0 +$$ + +#### Observations + +As you may have noticed, the encryption and decryption processes are identical except for their inputs and outputs being reversed. + +Encryption: +$$c = p \oplus (F(k, R_0) \parallel 0)$$ +Decryption: +$$c \oplus (F(k, R'_0) \parallel 0) \\ = p \oplus (F(k, R_0) \parallel 0) \oplus (F(k, R'_0) \parallel 0) \\ = p \oplus (F(k, R_0) \parallel 0) \oplus (F(k, R'_0) \parallel 0) \\ = p \oplus 0 = p$$ +As mentioned in the [[#Intro]], the self-inverse property of the XOR operation ensures that $F(k, R'_0)$ is canceled out during decryption. This means the decryption process works correctly even without requiring the inverse function $F^{-1}$, allowing the use of non-invertible components in the Feistel Cipher. + +#### Limitations of a 1-Round Feistel Structure + +Analyzing the 1-round Feistel Cipher reveals a critical drawback: the right half of the plaintext, $R_0$, directly becomes the right half of the ciphertext, $R_1$, without undergoing any transformation. This exposes half of the plaintext in the ciphertext, significantly compromising security. + +To address this issue, Feistel Cipher structures are designed with multiple rounds. In a multi-round Feistel Cipher, the left and right halves are swapped at the end of each round, effectively ensuring that all parts of the plaintext are processed. However, this design requires more rounds compared to Non-Feistel Ciphers to achieve the same level of security. + +### Multi-Round Feistel Structure +![[Feistel_cipher(2).png]] +The diagram above illustrates a Feistel structure with multiple rounds, as opposed to a single round. + +#### Encryption Process + +Unlike the single-round Feistel structure, in a multi-round Feistel Cipher, the right half of the plaintext ($R_0$) does not directly become the right half of the ciphertext ($R_1$). Instead, it becomes the left half of the output ($L_1$). Additionally, the XOR computation that previously resulted in $L_1$ in the single-round structure now determines $R_1$. In other words, the outputs of the left and right halves are swapped after each round. +In the second round, $L_1$ undergoes further encryption, ensuring that both $L_0$ and $R_0$ are processed through the encryption rounds. + +The encryption process can be expressed as follows: +$$L_1 = R_0$$ +$$ +R_1 = L_0 \oplus F(k_1, R_0) +$$ +$$ +L_2 = L_1 \oplus F(k_2, R_1) +$$ +$$ +R_2 = R_1 +$$ + +#### Decryption Process + +The decryption process mirrors the encryption process, with the only difference being the reverse order of the keys used during the computation. +$$ +L'_1 = R'_0 = R_2 = R_1 +$$ +$$ +R'_1 = L'_0 \oplus F(k_2, R'_0) = L_2 \oplus F(k_2, R_1) +$$ +$$ += L_1 \oplus F(k_2, R_1) \oplus F(k_2, R_1) = L_1 = R_0 +$$ +$$ +L'_2 = L'_1 \oplus F(k_1, R'_1) = R_1 \oplus F(k_1, R_0) +$$ +$$ += L_0 \oplus F(k_1, R_0) \oplus F(k_1, R_0) = L_0 +$$ +$$ +R'_2 = R'_1 = R_0 +$$ + +> [!Note] +> A Feistel Cipher with two rounds provides the same level of security as a single round of a Non-Feistel Cipher. Therefore, Feistel Ciphers generally require a greater number of rounds to achieve comparable security. + diff --git a/content/Basic Cryptography/images/Feistel_cipher(1).png b/content/Basic Cryptography/images/Feistel_cipher(1).png new file mode 100644 index 0000000..e809e8e Binary files /dev/null and b/content/Basic Cryptography/images/Feistel_cipher(1).png differ diff --git a/content/Basic Cryptography/images/Feistel_cipher(2).png b/content/Basic Cryptography/images/Feistel_cipher(2).png new file mode 100644 index 0000000..ca30ec0 Binary files /dev/null and b/content/Basic Cryptography/images/Feistel_cipher(2).png differ diff --git a/content/Privacy Enhancing Technologies (PET)/Secure Multiparty Computation/Garbled Circuit.md b/content/Privacy Enhancing Technologies (PET)/Secure Multiparty Computation/Garbled Circuit.md new file mode 100644 index 0000000..dbf7b6c --- /dev/null +++ b/content/Privacy Enhancing Technologies (PET)/Secure Multiparty Computation/Garbled Circuit.md @@ -0,0 +1,90 @@ +# **Garbled Circuit** + +**Garbled Circuit** is a cryptographic protocol that enables two untrusted parties to jointly compute a function over their private inputs without revealing the inputs to each other. This is achieved without relying on a trusted third party, ensuring secure computation. + +## **Background** + +### **Oblivious Transfer (OT)** +Garbled Circuit protocols rely on **Oblivious Transfer (OT)**, a cryptographic primitive where: +- The sender has two messages \( S_0 \) and \( S_1 \). +- The receiver selects one message \( S_b \) (where \( b \in \{0,1\} \)) without revealing their choice to the sender. +- The sender remains unaware of which message was received. + +Oblivious Transfer ensures that private inputs remain hidden, a crucial requirement for secure computation. + +--- + +## **The Garbled Circuit Protocol** + +Yao’s Garbled Circuit protocol consists of the following steps: + +### **1. Circuit Representation** +The function to be computed is expressed as a **Boolean circuit**, composed of: +- **Input wires** (holding input values). +- **Output wires** (holding final results). +- **Intermediate wires** (connecting gates). + +Each **gate** in the circuit: +- Has **two input wires** and **one output wire**. +- Implements a Boolean function (e.g., AND, XOR). +- Can be represented using a **truth table**. + +### **2. Garbling the Circuit** +The sender (Alice) garbles the circuit as follows: +- Assigns **two random labels** to each wire (representing 0 and 1). +- Encrypts the output labels for each gate using its input labels as encryption keys. +- The **garbled truth table** is shuffled to hide gate information. + +### **3. Data Transmission** +- Alice sends the **garbled circuit** and her input labels to the receiver (Bob). +- Bob obtains his input labels via **1-out-of-2 Oblivious Transfer (OT)**. + +### **4. Circuit Evaluation** +- Bob evaluates the circuit **obliviously**, decrypting only the correct output labels. +- The correct row in each gate’s garbled truth table is found and decrypted, obtaining new labels for the next layer of computation. + +### **5. Output Recovery** +- Bob sends his garbled output labels to Alice. +- Alice maps the labels to actual bits and sends the final output mapping to Bob. + +--- + +## **Optimizations in Garbled Circuit Protocols** +Several techniques improve the efficiency of Garbled Circuit protocols: + +### **1. Point-and-Permute** +- Assigns **select bits** to wire labels, allowing Bob to find the correct ciphertext row efficiently. +- Reduces the number of comparisons, improving circuit evaluation speed. + +### **2. Row Reduction** +- Reduces the garbled truth table size from **4 rows to 3 rows**, minimizing communication overhead. + +### **3. Free XOR** +- Eliminates encryption overhead for XOR gates by leveraging a global random value \( R \), significantly reducing computational costs. + +### **4. Fixed-Key Blockcipher** +- Uses a **fixed-key block cipher** to efficiently encrypt the gate outputs, optimizing performance. + +### **5. Half AND** +- Reduces the garbled truth table for AND gates to **2 rows**, minimizing storage requirements. + +--- + +## **Security Considerations** +### **Semi-Honest Security** +- Yao’s protocol is **secure against semi-honest adversaries**, who follow the protocol but may attempt to infer information from received messages. + +### **Malicious Security** +- A malicious sender could construct a garbled circuit that leaks the receiver’s input. +- Since the receiver cannot inspect the garbled circuit, additional **Zero-Knowledge Proofs (ZKP)** are required for security against malicious adversaries. + +--- + +## **Conclusion** +Garbled Circuit is a powerful cryptographic protocol that allows secure function evaluation between two untrusted parties. It is widely used in privacy-preserving computation, including: +- **Secure auctions** +- **Privacy-preserving machine learning** +- **Secure electronic voting** +- **Anonymous data analysis** + +Despite its efficiency improvements, Garbled Circuit protocols still require optimizations for practical large-scale applications. Continued research in cryptographic techniques ensures better efficiency and stronger security guarantees. diff --git a/content/Privacy Enhancing Technologies (PET)/Secure Multiparty Computation/Secure Multiparty Computation.md b/content/Privacy Enhancing Technologies (PET)/Secure Multiparty Computation/Secure Multiparty Computation.md index b1a693c..0d591e5 100644 --- a/content/Privacy Enhancing Technologies (PET)/Secure Multiparty Computation/Secure Multiparty Computation.md +++ b/content/Privacy Enhancing Technologies (PET)/Secure Multiparty Computation/Secure Multiparty Computation.md @@ -12,4 +12,94 @@ One of the primary applications of MPC is the secure aggregation of data from di 3. **Regulatory Compliance:** MPC aids in complying with data protection regulations, ensuring that sensitive data is not shared or exposed. 4. **Collaborative Analysis:** Multiple entities can collaborate on data analysis projects without compromising their proprietary data. -### Index \ No newline at end of file +--- +## Scheme +Let's check out how MPC works in more formal manner. Given a set of \( N \) parties \( P_1, P_2, \dots, P_N \) with respective private inputs \( d_1, d_2, \dots, d_N \), the goal of MPC is to compute a function: + +\[ +F(d_1, d_2, \dots, d_N) +\] + +such that: +- No party learns any information about another party’s private input beyond what can be inferred from their own input and the output. +- The function is correctly computed even in the presence of adversarial behavior. + +### **Motivation and Example** +Consider three participants: Alice, Bob, and Charlie, each holding a private salary \( x, y, z \), respectively. They wish to compute: + +\[ +F(x, y, z) = \max(x, y, z) +\] + +without revealing their individual salaries to each other. A naïve solution would involve a trusted third party who collects the inputs, computes the result, and returns the output. However, MPC aims to achieve this functionality **without relying on any trusted third party**—ensuring that the computation is performed securely through direct interaction between the parties. + +For instance, if the output is \( z \), then: +- Charlie learns that his salary is the maximum. +- Alice and Bob learn that their salary is not the maximum and that the maximum salary is \( z \). + +MPC protocols can be generalized to handle multiple inputs and outputs, ensuring privacy-preserving computations across various scenarios. + +### **Properties of MPC** +An MPC protocol must satisfy two fundamental properties: + +**1. Input Privacy** +- No information about any participant's private input should be revealed through protocol execution beyond what is deducible from the function output. +- The only knowledge gained by a party should be whatever they could infer from knowing their own input and seeing the final result. + +**2. Correctness** +- A subset of colluding adversarial participants should not be able to manipulate the computation to produce incorrect results. +- There are two types of correctness guarantees: + - **Robust MPC:** The honest parties are always guaranteed to receive the correct result. + - **MPC with Abort:** If an error is detected, the protocol terminates without outputting any result. + +--- +## Protocols +As we were able to check above, MPC protocols enable multiple parties to collaboratively compute a function over their private inputs while ensuring that no individuals party's input is disclosed to others. In this section, we are going to check out how MPC is implemented in real-life protocols. + +### 1. Secure Two-Party Computation +Two-party computation (2PC) is a fundamental subset of **Secure Multi-Party Computation (MPC)** that allows two parties to collaboratively compute a function over their private inputs without revealing those inputs to each other. It is particularly interesting because special cryptographic techniques can be applied in this setting that do not necessarily extend to the multi-party case. + +The concept of secure two-party computation was first formalized in the 1980s, particularly through the work of Andrew Yao. The original motivation came from **Yao’s Millionaires’ Problem**, where two individuals wish to determine who is wealthier without disclosing their actual net worth. This led to the development of **Yao’s Garbled Circuits**, which remains one of the most efficient protocols for secure two-party computation. + +Check out [[Garbled Circuit]] for more information! + +### 2.Multi-Party Computation + +Unlike two-party computation (2PC) protocols, most **multi-party computation (MPC) protocols** rely on **secret sharing** as their fundamental mechanism, particularly when operating under unconditional security assumptions with private channels. In MPC, participants do not have predefined roles such as creator and evaluator (as in Yao’s Garbled Circuit). Instead, each party holds a **share of the secret data**, and a protocol is executed to evaluate the desired function securely. + +In contrast to Yao’s binary circuits, multi-party computation operates on **arithmetic circuits** defined over **finite fields**. An **arithmetic circuit** consists of: +- **Addition gates** and **multiplication gates**, +- Where the operands are elements of a finite field. + +This shift from Boolean circuits to arithmetic circuits enables a broader range of cryptographic computations, making MPC suitable for complex secure computations across multiple parties. + + +**[Secret Sharing in MPC]** +Secret sharing is a technique that **distributes a secret among multiple parties** by assigning each party a **random share** of the secret. The secret can only be reconstructed when a sufficient number of shares are combined. + +The two most widely used **secret sharing schemes** in MPC are: +1. **Shamir Secret Sharing** +2. **Additive Secret Sharing** + +In both schemes: +- Each party receives a **random share**. +- The sum (or reconstruction function) of these shares within a finite field **yields the original secret**. +- Security is achieved because **any unauthorized subset of shares appears as a random distribution**. + +**[Security and Adversary Models]** +Secret sharing schemes are designed to **tolerate adversarial behavior** based on: +- **The total number of parties** (\( n \)) +- **The number of adversarial parties** (\( t \)) +- **Whether adversaries are passive or active** + +| Secret Sharing Scheme | Passive Adversary Threshold \( t \) | Active Adversary Threshold \( t \) | Security Type | +|----------------------|----------------------------------|---------------------------------|---------------| +| **Shamir Secret Sharing** | \( t < \frac{n}{2} \) | \( t < \frac{n}{3} \) | **Information-theoretic security** (secure against computationally unbounded adversaries) | +| **Additive Secret Sharing** | \( t < n \) | \( t < n \) | **Computational security** (requires additional assumptions for active adversaries) | + +**[Computing on Secret Shares]** +A fundamental goal in MPC is to **perform secure computation over secret shares**. The **BGW protocol (Ben-Or, Goldwasser, Wigderson)** is a widely used scheme that enables: +- **Secure addition and multiplication on Shamir secret shares**. +- **Fault tolerance against adversarial behavior**. + +Some MPC protocols require an **initial setup phase**, which may introduce security assumptions (e.g., assuming adversaries have bounded computational power).