Ferkans — Interactive Telecom Tutor

Why Look at Alternatives?

Shamir's scheme is so dominant in modern cryptography that alternative constructions are rarely implemented in production. Why study them at all? Two reasons. First, the geometric intuition of Blakley's hyperplane construction is sometimes more illuminating than Shamir's algebraic one — especially for students encountering secret sharing for the first time. Second, some generalizations (CRT-based schemes, matrix-product schemes, and quantum-resistant variants) extend more naturally from one construction than the other.

This section is short by design. It gives Blakley's construction, explains the equivalence to Shamir modulo field-size overhead, and cross-references a few alternative constructions whose relevance will return in later chapters.

Blakley's Scheme

A $(t, n)$ -threshold secret-sharing scheme in which the secret is a coordinate of a point in $\mathbb{F}_q^t$ , and each share is a hyperplane through that point. Any $t$ hyperplanes (in general position) intersect at the point; fewer than $t$ leave an affine subspace of unrevealed possibilities.

Theorem: Blakley and Shamir Are Information-Theoretically Equivalent

For any $t \leq n$ , the Shamir $(t, n)$ -scheme and the Blakley $(t, n)$ -scheme over the same field $\mathbb{F}_q$ (with $q > n$ ) are information-theoretically equivalent:

Both achieve perfect $(t, n)$ -threshold secrecy.
Both require share entropy $H(s_k) = H(s)$ (matching the converse of §3.1).
Shares of one scheme can be converted into shares of the other by a public, deterministic linear transformation.

The difference is only in the representation: Blakley's share is $t$ field elements (the hyperplane coefficients), whereas Shamir's share is $1$ field element (the polynomial evaluation). Shamir is therefore strictly more compact in representation, which is why it dominates practice.

Both schemes encode a single field-element secret into $n$ shares using $t-1$ independent random elements of $\mathbb{F}_q$ . The underlying linear-algebraic machine is the same — Blakley uses hyperplane equations, Shamir uses polynomial evaluations, but both are representations of the same $(t-1)$ -dimensional random subspace in $\mathbb{F}_q^t$ .

Proof

Both achieve perfect secrecy

Shamir: proved in Theorem 3.2.1. Blakley: any $t-1$ hyperplanes (in general position) intersect in an affine line in $\mathbb{F}_q^t$ , which contains exactly $q$ points with $q$ different first coordinates — uniform over $\mathbb{F}_q$ given the $t-1$ shares.

Share sizes

In Shamir, each share is a single field element (the value of $p(\alpha_k)$ ). In Blakley, each share is the equation of a hyperplane in $\mathbb{F}_q^t$ , i.e., $t$ field elements $(\mathbf{a}_k, b_k)$ (with one free parameter absorbed by normalization, often leaving $t$ elements). So Blakley's shares are $t$ times larger.

Linear conversion

A Blakley share $\mathbf{a}_k^\top \mathbf{x} = b_k$ can be converted into a Shamir share by a public linear projection; the inverse mapping requires $t$ auxiliary random field elements. Since both are linear codes over $\mathbb{F}_q$ , the conversion preserves secrecy. $\blacksquare$

Shamir vs. Blakley: Same Security, Different Flavor

Property	Shamir (1979)	Blakley (1979)
Secret structure	Polynomial $p(x)$ , $p(0) = s$	Point $\mathbf{p} \in \mathbb{F}_q^t$ , $p_1 = s$
Share	$s_k = p(\alpha_k) \in \mathbb{F}_q$	Hyperplane eq. $(\mathbf{a}_k, b_k)$ in $\mathbb{F}_q^t$
Share size	$1$ field element	$t$ field elements
Reconstruction	Lagrange interpolation	Linear-system solve
Elegance	Compact, algebraic	Geometric, pictorial
Production use	Dominant (MPC wallets, HSMs)	Rare, mostly pedagogical

Other Threshold Schemes and Their Niches

Three alternative constructions appear in the literature and will be cross-referenced in later chapters:

Asmuth–Bloom (1983) — uses the Chinese Remainder Theorem. Shares are residues modulo carefully chosen moduli. Attractive when the secret is naturally an integer (RSA keys) and when threshold signing is desired.
McEliece–Sarwate (1981) — Reed–Solomon code interpretation of Shamir. Highlights the coding-theoretic view: any MDS code of appropriate parameters gives a secret-sharing scheme. Chapter 11 uses this view when combining Shamir with Byzantine-error-correction.
Karnin–Greene–Hellman (1983) — linear combinations over matrix rings. Generalizes both Shamir and Blakley; provides the cleanest converse proof of the share-size lower bound.

The point is that each construction offers a different handle on the same core information-theoretic problem. Engineers pick Shamir for compact shares, Asmuth–Bloom for integer-native secrets, and McEliece–Sarwate for explicit coding-theoretic bounds.

Example: Asmuth–Bloom CRT Sharing at $n = 3$

Share integer secret $s = 11$ among $n = 3$ parties with threshold $t = 2$ using the Asmuth–Bloom scheme with moduli $(m_1, m_2, m_3) = (7, 11, 13)$ . Verify that any two shares reconstruct $s$ , using the Chinese Remainder Theorem.

Solution

Compute shares

Each share is $s_k = s \bmod m_k$ : $s_1 = 11 \bmod 7 = 4$ ; $s_2 = 11 \bmod 11 = 0$ ; $s_3 = 11 \bmod 13 = 11$ .

Reconstruct from shares 1 and 2

By CRT, the unique $s^\star$ with $s^\star \equiv 4 \pmod 7$ and $s^\star \equiv 0 \pmod{11}$ and $0 \leq s^\star < 77$ is $s^\star = 11$ . ✓

Reconstruct from shares 1 and 3

CRT: $s^\star \equiv 4 \pmod 7$ and $s^\star \equiv 11 \pmod{13}$ , $0 \leq s^\star < 91$ . Solving, $s^\star = 11$ . Same answer regardless of which two shares are used.

Caveat

For Asmuth–Bloom to achieve perfect secrecy, the moduli must satisfy $m_1 m_2 > s \cdot m_3$ (for $(2, 3)$ and $m_1 < m_2 < m_3$ ). Our numbers happen to work because $s = 11$ is small; a more formal deployment would choose $s$ from a pre-committed range.

Common Mistake: Hyperplanes Must Be in General Position

Mistake:

Assign each party the same hyperplane up to translation, or use linearly dependent hyperplane normals.

Correction:

If the $\mathbf{a}_k$ 's are linearly dependent, $t$ shares can fail to intersect in a single point (the intersection has positive dimension), and reconstruction fails. The standard fix is to draw the $\mathbf{a}_k$ 's from a Vandermonde construction — which, not coincidentally, recovers Shamir exactly. The "alternative" constructions collapse to the same algebraic backbone when you insist on worst-case correctness.

Key Takeaway

Many constructions, one information-theoretic problem. Shamir, Blakley, Asmuth–Bloom, and McEliece–Sarwate all achieve perfect $(t, n)$ -threshold secret sharing. They differ in representation and in which algebraic structure they emphasize, but they are equivalent up to a public, efficient linear transformation. For the rest of the book we use Shamir exclusively, both for its compactness and its natural connection to polynomial-based coded computing (Chapter 5).

Quick Check

Compared to Shamir's $(t, n)$ -scheme, Blakley's hyperplane scheme has:

Stronger security against computationally bounded adversaries

Larger shares (by a factor of $t$ ) but the same security guarantee.

Smaller shares, with a weaker security guarantee

A different threshold structure (e.g., general access structures)