Ramp Secret Sharing: Trading Security for Efficiency

Why Shrink the Shares?

Section 3.1 showed that perfect secrecy in a (t,n)(t, n)-threshold scheme forces every share to be at least as big as the secret. That is a real cost: if we want to share a 1 GB gradient vector across n=100n = 100 federated users, every user must store 1 GB of share. In federated learning, where per-user storage is at a premium, this overhead is crippling.

The ramp variant relaxes the perfect-secrecy constraint. Instead of "any tt reconstruct, any t1t-1 learn nothing", we demand "any t2t_2 reconstruct, any t1t_1 learn nothing" with t1<t2t_1 < t_2. The gap g=t2t1g = t_2 - t_1 is called the ramp width; coalitions of size between t1t_1 and t2t_2 learn a controlled, quantifiable amount about the secret. In exchange, shares become gg times smaller — exactly what we need for federated learning.

Ramp secret sharing is the workhorse of Chapter 11's ByzSecAgg protocol and of several CommIT-group results in later chapters. This section gives the construction and quantifies the trade-off.

Definition:

(t1,t2,n)(t_1, t_2, n)-Ramp Secret Sharing

A (t1,t2,n)(t_1, t_2, n)-ramp secret-sharing scheme with t1<t2nt_1 < t_2 \leq n and ramp width g=t2t1g = t_2 - t_1 consists of Share and Reconstruct algorithms satisfying:

  1. Correctness. Any t2t_2 shares reconstruct the secret ss exactly (same as Shamir).
  2. Perfect secrecy below t1t_1. Any subset of size t1\leq t_1 has I(s;shares)=0I(s; \text{shares}) = 0.
  3. Linear leakage in the ramp zone. For a subset of size t1+it_1 + i with 1ig1 \leq i \leq g, the mutual information is I(s;shares)=(i/g)H(s)I(s; \text{shares}) = (i / g) H(s), and this scales smoothly with the coalition size between the two thresholds.

Equivalently, ramp splits the secret into gg pieces, each of which is Shamir-shared with a different threshold, producing a scheme with share size secret/g|\text{secret}| / g and a smoothly- degrading security guarantee.

,

Ramp Secret Sharing

A generalization of Shamir where the reconstruction threshold t2t_2 and the perfect-secrecy threshold t1t_1 are separated by a ramp width g=t2t1g = t_2 - t_1. Shares are gg times smaller than in Shamir; coalitions of intermediate size learn a fraction of the secret that grows linearly with the coalition size.

Ramp Secret-Sharing Share Generation

Complexity: O(nt2)O(n t_2) finite-field multiplications
Input: Secret s=(s(1),,s(g))Fqg\mathbf{s} = (s^{(1)}, \ldots, s^{(g)}) \in \mathbb{F}_q^g, thresholds t1<t2t_1 < t_2, number of parties
nt2n \geq t_2, distinct nonzero α1,,αn\alpha_1, \ldots, \alpha_n.
Output: Shares s1,,snFqs_1, \ldots, s_n \in \mathbb{F}_q.
1. Draw r1,,rt1r_1, \ldots, r_{t_1} independently and uniformly from Fq\mathbb{F}_q.
2. Build polynomial
p(x)=j=1gs(j)Lj(x)+j=1t1rjMj(x),p(x) = \sum_{j=1}^{g} s^{(j)} \cdot L_j(x) + \sum_{j=1}^{t_1} r_j \cdot M_j(x),
where Lj(x)L_j(x) and Mj(x)M_j(x) are fixed, publicly known
degree-(t21)(t_2 - 1) Lagrange-like basis polynomials chosen so
that the LjL_j's encode the secret chunks and the MjM_j's add
randomness across the other coefficients.
3. for k=1,2,,nk = 1, 2, \ldots, n do
4. skp(αk)\quad s_k \leftarrow p(\alpha_k)
5. end for
6. return (s1,s2,,sn)(s_1, s_2, \ldots, s_n)

A simpler, equivalent construction is to let p(x)p(x) be a degree-(t21)(t_2 - 1) polynomial with gg of its coefficients equal to the secret chunks and the remaining t1t_1 coefficients uniform random. Reconstruction is still Lagrange interpolation.

Theorem: Ramp Rate–Security Tradeoff

The (t1,t2,n)(t_1, t_2, n)-ramp scheme with ramp width g=t2t1g = t_2 - t_1 satisfies

  1. Correctness. Any t2t_2 shares reconstruct the full secret sFqg\mathbf{s} \in \mathbb{F}_q^g.
  2. Perfect secrecy below t1t_1. Any subset of size t1\leq t_1 has I(s;shares)=0I(\mathbf{s}; \text{shares}) = 0.
  3. Share rate. sk=1|s_k| = 1 field element, while s=g|\mathbf{s}| = g field elements. Hence Rshare=sk/s=1/gR_{\text{share}} = |s_k|/|\mathbf{s}| = 1/g — a gg-fold savings over Shamir's Rshare=1R_{\text{share}} = 1.
  4. Linear leakage. For coalition size t1+it_1 + i (1ig1 \leq i \leq g), I(s;shares)=ilogqI(\mathbf{s}; \text{shares}) = i \cdot \log q bits, linear in the number of "extra" shares beyond t1t_1.

Ramp "reuses" the same degree-(t21)(t_2 - 1) polynomial to encode gg secrets simultaneously. The perfect-secrecy guarantee is preserved for any coalition that cannot evaluate more than t1t_1 points — those coalitions see only a t1t_1-dimensional subspace of random variables. Once the coalition size exceeds t1t_1, each additional share reveals one more secret chunk in a controlled fashion. The gg-fold savings in share size is why ramp is the scheme of choice for federated learning with large gradients.

Proof
Correctness

Same as Shamir: a degree-(t21)(t_2 - 1) polynomial is uniquely determined by its values at t2t_2 distinct points, so Lagrange interpolation from any t2t_2 shares recovers the full coefficient vector, including the gg secret chunks.

Perfect secrecy below $t_1$

Any size-t1t_1 coalition observes p(αk1),,p(αkt1)p(\alpha_{k_1}), \ldots, p(\alpha_{k_{t_1}}) — a Vandermonde-invertible linear transformation of the t1t_1 uniform random coefficients (combined with the gg fixed secret chunks). The secret chunks, being fixed, do not contribute to the conditional distribution of the view, which is exactly uniform over Fqt1\mathbb{F}_q^{t_1} — hence independent of s\mathbf{s}.

Share rate

Each share is one field element; the secret is gg field elements. Per-share efficiency is 1/g1/g of the secret size — a direct gg-fold savings over Shamir.

Linear leakage in the ramp

For a coalition of size t1+it_1 + i with i{1,,g}i \in \{1, \ldots, g\}, the extra ii shares partially determine the polynomial's coefficients. A linear-algebraic calculation shows that exactly ii secret chunks can be expressed as linear combinations of the observations, giving I(s;shares)=ilogqI(\mathbf{s}; \text{shares}) = i \cdot \log q bits. \blacksquare

Ramp Secret Sharing: Rate vs. Security

Plot the share-size rate Rshare=1/gR_{\text{share}} = 1/g as a function of the ramp width g=t2t1g = t_2 - t_1, with the overlaid security guarantee t1/nt_1 / n (perfect-secrecy threshold fraction). As gg grows, the shares shrink but perfect-secrecy tolerance (t1t_1) shrinks too. The Pareto frontier is a simple hyperbola.

Parameters
20
10

Example: Why Ramp Is the Right Choice for Federated Learning

In a federated-learning round, each user holds a gradient vector of d=106d = 10^6 coordinates. We want to secret-share each user's gradient among the other n=100n = 100 users, requiring perfect secrecy against any coalition of t1=30t_1 = 30 users and reconstructability by any t2=70t_2 = 70. Compare the share size of Shamir vs. ramp.

Solution
Shamir approach

Use (t=31,n=100)(t = 31, n = 100) Shamir (for perfect secrecy against any 30-user coalition). Each gradient scalar requires one share per user, so each user's share is 10610^6 scalars — the full gradient size per user!

Ramp approach

Use (t1=30,t2=70,n=100)(t_1 = 30, t_2 = 70, n = 100)-ramp with g=40g = 40. Each share is 106/40=2500010^6 / 40 = 25\,000 scalars, a 40×40\times savings. Perfect secrecy holds against any 30-user coalition; reconstruction still works with any 70 users; coalitions of 31–69 users learn a controlled, quantifiable amount (linear in coalition size beyond t1t_1).

Caveat

The ramp scheme does not provide perfect secrecy against coalitions in the ramp zone. In federated learning this is usually acceptable because (i) the server is honest-but- curious and sees no coalition of users, and (ii) realistic threat models assume <t1< t_1 colluders. ByzSecAgg (Chapter 11) adds cryptographic bounds that make the ramp leakage provably small even in adversarial settings.

Ramp Leakage as Coalition Grows

Animation: a ramp scheme's mutual information between the secret and the coalition shares as coalition size grows from 00 to nn. Flat zero below t1t_1, linear ramp from t1t_1 to t2t_2, saturated at (˝mathbfs)\H(\\mathbf{s}) once t2t_2 is reached.

Share Size vs. Ramp Width gg

Explore the share-size savings of ramp over Shamir as a function of ramp width gg. The vertical axis is the ratio Rshare=1/gR_{\text{share}} = 1/g. Adjust t1t_1 and nn to see how the achievable ramp width is bounded by nt1n - t_1 — you cannot go beyond full-polynomial fill without losing reconstruction.

Parameters
5
30

Key Takeaway

Ramp secret sharing trades graceful-degradation of secrecy for a gg-fold share-size savings. Set g=1g = 1 and you recover Shamir with perfect secrecy; set gg large and shares become tiny at the cost of partial leakage in the ramp zone. The optimal operating point for federated learning is typically gn/2g \approx n/2, balancing storage with realistic adversary bounds. ByzSecAgg (Chapter 11) makes this choice explicit.

Common Mistake: Ramp is NOT Perfectly Secret Beyond t1t_1

Mistake:

Use a ramp scheme and describe its security guarantee as "perfect secrecy against any coalition smaller than t2t_2".

Correction:

Ramp is perfectly secret only against coalitions of size t1\leq t_1. Between t1t_1 and t2t_2, a carefully-chosen coalition learns a linear amount of information about the secret. If the threat model includes coalitions in the ramp zone, you must either use Shamir (with its gg-fold storage cost) or supplement the ramp scheme with an additional cryptographic layer (as ByzSecAgg does in Chapter 11). Confusing "no reconstruction" with "perfect secrecy" is a common source of subtle bugs in FL system design.

🔧Engineering Note

Ramp in Production: ByzSecAgg's Key Primitive

ByzSecAgg (Chapter 11 of this book) is the CommIT group's Byzantine-resilient secure-aggregation protocol. It combines ramp secret sharing, coded computing for distance-based outlier detection, and vector commitments to achieve a communication complexity of O(nlogn+Bd)O(n \log n + B \cdot d) against BB Byzantine users — a significant improvement over the O(n2)O(n^2) of Bonawitz et al. The key insight is that the ramp parameters g=t2t1g = t_2 - t_1 can be chosen proportionally to BB, which makes the per- user share small while preserving privacy. Without the ramp generalization, ByzSecAgg's savings would be impossible.

Practical Constraints

  • ByzSecAgg uses g=O(B)g = O(B) in the ramp construction

  • Share size scales as d/g=d/Bd/g = d/B per user — much better than dd

  • Trade-off: must accept some leakage in the ramp zone

📋 Ref: Jahani-Nezhad/Maddah-Ali/Caire 2023 IEEE J-SAIT

Historical Note: Ramp Sharing: Blakley and Meadows, Yamamoto

1984–1986

Ramp secret sharing was introduced independently by George Blakley and Catherine Meadows (Crypto 1984, published 1985) and by Hirosuke Yamamoto (IEEE T-IT 1986). Blakley and Meadows motivated ramp from a storage-efficiency angle (KGH's perfect- secrecy lower bound is too expensive for large secrets); Yamamoto gave the information-theoretic characterization of the leakage in the ramp zone and proved the capacity formulation that dominates modern treatment. The two papers are a classic illustration of the cross-pollination between cryptography and multi-user information theory that this book tries to embody.

,

Quick Check

A ramp scheme has (t1,t2,n)=(10,30,40)(t_1, t_2, n) = (10, 30, 40). What is the per-share size as a fraction of the secret size?

1/301/30

1/201/20

1/101/10

1/401/40

Correction:
1/201/20

Rshare=1/g=1/(t2t1)=1/20R_{\text{share}} = 1/g = 1/(t_2 - t_1) = 1/20. Each share is 1/201/20 the size of the secret — a 20×20\times savings over Shamir's 11.

Blakley's Scheme and Alternative ConstructionsApplications in Secure and Distributed Computing