Applications in Secure and Distributed Computing

Where Secret Sharing Reappears

Secret sharing is not an endpoint; it is a building block. This final section of Chapter 3 sketches how the constructions of Sections 3.2–3.4 will be used in the remainder of the book, with forward references to the relevant chapters. Reading this section with the three-way (privacy / robustness / efficiency) tradeoff of Chapter 1 in mind will make the later material feel much less surprising.

Three canonical applications cover almost all of what follows: (i) distributing sensitive data across workers for coded computing, (ii) masking gradients for secure aggregation in federated learning, and (iii) providing information-theoretic privacy in PIR.

Definition:

Secret Sharing for Privacy-Aware Coded Computing

In secure coded matrix multiplication (the topic of Chapter 5 with a privacy extension), the dataset rows ai\mathbf{a}_i are sensitive: we want workers to compute ATB\mathbf{A}^T \mathbf{B} without any single worker learning any row of A\mathbf{A} (or the corresponding row of B\mathbf{B}).

Construction. Split each row ai\mathbf{a}_i via a (t,N)(t, N)-Shamir scheme before distributing to NN workers. Each worker computes its polynomial-coded product of the share; the master reconstructs the sum via Lagrange interpolation from any KtK \geq t responses. No single worker, and no coalition of fewer than tt workers, learns any row of A\mathbf{A}.

The privacy parameter tt interacts with the recovery threshold KK of the coded-computing scheme: privacy costs t1t - 1 "extra" redundant workers, which the recovery threshold inherits.

Example: Secure Coded Matrix Multiplication at N=5N = 5, t=2t = 2

Illustrate how Shamir-sharing is composed with polynomial coded matrix multiplication for N=5N = 5 workers, recovery threshold K=4K = 4, privacy threshold t=2t = 2.

Solution
Set up

Each row ai\mathbf{a}_i is Shamir-shared as ai(k)=pai(αk)\mathbf{a}_i^{(k)} = p_{\mathbf{a}_i}(\alpha_k), where paip_{\mathbf{a}_i} is a degree-(t1)=1(t-1) = 1 polynomial with random coefficient in each coordinate. Worker kk receives ai(k)\mathbf{a}_i^{(k)} for all ii.

Per-worker product

Worker kk computes Yk=(A(k))TB(k)=iai(k)(bi(k))T\mathbf{Y}_k = (\mathbf{A}^{(k)})^T \mathbf{B}^{(k)} = \sum_i \mathbf{a}_i^{(k)} (\mathbf{b}_i^{(k)})^T. This is now a polynomial evaluation of degree 2(t1)=2\leq 2(t-1) = 2 in the shared variable, with ATB\mathbf{A}^T \mathbf{B} as the constant term.

Recover

The master collects any K=4K = 4 responses and interpolates the degree-22 polynomial, reading off ATB\mathbf{A}^T \mathbf{B} at x=0x = 0. This K=4>2(t1)=2K = 4 > 2(t-1) = 2 is required so interpolation succeeds.

Privacy

Any single worker sees only A(k)\mathbf{A}^{(k)}, which is Shamir-secret-shared and hence independent of any row of A\mathbf{A}. Perfect privacy against a single worker; colluding coalitions of t=2\geq t = 2 would break the privacy, but the protocol explicitly defends against single workers in this example.

Why This Matters: Chapter 5 Develops This Compositionally

Chapter 5 builds up the secure coded-matrix-multiplication protocol from scratch, treating the Shamir part of this section as a black box. The payoff is a closed-form expression for the privacy / communication / straggler-tolerance trade-off — another instance of the golden thread from Chapter 1.

Definition:

Additive Secret Sharing for Secure Aggregation

Secure aggregation (Chapter 10) lets a server compute kgk\sum_k \mathbf{g}_k over nn users' gradients without learning any individual gradient. The essential primitive is the additive (n,n)(n, n)-scheme from Section 3.1: each user adds pairwise random masks to its gradient, and all masks cancel in the aggregate.

More precisely, for each pair (i,j)(i, j) of users, let rij=rji\mathbf{r}_{ij} = -\mathbf{r}_{ji} be a symmetric random mask drawn from a fresh per-round pseudorandom generator seeded by a Diffie-Hellman key exchange. User kk uploads g~k  =  gk+jkrkj.\tilde{\mathbf{g}}_k \;=\; \mathbf{g}_k + \sum_{j \neq k} \mathbf{r}_{kj}. The server sums: kg~k=kgk+i<j(rij+rji)=kgk+0=kgk\sum_k \tilde{\mathbf{g}}_k = \sum_k \mathbf{g}_k + \sum_{i < j} (\mathbf{r}_{ij} + \mathbf{r}_{ji}) = \sum_k \mathbf{g}_k + 0 = \sum_k \mathbf{g}_k. No subset of the users can break the aggregate's privacy because the sum of masks is zero only when all are combined.

The CCESA Optimization

The full pairwise-masking protocol above uses Θ(n2)\Theta(n^2) pairwise mask exchanges — one per pair of users. In Chapter 12 we will see the CCESA (Communication-Efficient Secure Aggregation) protocol, a CommIT contribution, that replaces the complete graph of pairwise relationships with a sparse Erdős- Rényi random graph. The mask-cancellation guarantee is preserved in expectation while the communication overhead drops to O(nn/logn)O(n \sqrt{n / \log n}). Reading Chapter 12 with the additive (n,n)(n, n)-scheme from Section 3.1 in mind will illuminate the construction immediately.

Definition:

Secret Sharing for Private Information Retrieval

In private information retrieval (Chapter 13), a user wants to retrieve file WθW_{\theta} from NN databases without revealing the index θ\theta to any single database. The user constructs NN queries Q1,,QNQ_1, \ldots, Q_N, one per database, such that:

  • The joint of (Q1,,QN)(Q_1, \ldots, Q_N) depends on θ\theta;
  • Each individual QkQ_k is information-theoretically independent of θ\theta (or, in the TT-colluding variant, any TT-subset is independent).

The Sun–Jafar protocol implements this using linear secret sharing: each query is a Shamir-like evaluation of a carefully- constructed polynomial whose coefficients encode the query index. Secret sharing is the primitive that hides the query from individual databases; coding theory is the primitive that keeps the download rate as close to the PIR capacity as possible.

Why This Matters: The PIR Capacity Is Made Possible by Secret Sharing

Chapter 13 derives the Sun–Jafar capacity CPIR=(1+1/N++1/NK1)1C_{\text{PIR}} = (1 + 1/N + \cdots + 1/N^{K-1})^{-1} and its coded-storage and colluding variants. Every known capacity-achieving PIR scheme uses secret sharing as the privacy primitive. The beautiful thing is that the same information-theoretic lens — query as polynomial — appears here that made Shamir and coded matrix multiplication work: share the secret index via a polynomial, use the algebraic structure to construct efficient downloads.

Key Takeaway

Secret sharing is the privacy primitive of this book. Shamir for perfect-secrecy threshold schemes, additive (n,n)(n, n) for secure aggregation, ramp for storage-efficient federated-learning protocols. Every privacy guarantee in Parts III–V ultimately rests on one of these constructions. Time invested in understanding Sections 3.1–3.4 pays off in every later chapter.

Which Variant Goes Where

VariantUsed inWhy
Additive (n,n)(n, n)Secure aggregation (Ch 10), CCESA (Ch 12), AirComp (Ch 16)Aggregation only, no dropout tolerance, minimal overhead
Shamir (t,n)(t, n)Coded matrix mult. w/ privacy (Ch 5), MPC wallets, threshold cryptoPerfect secrecy, any tt reconstruct, ntn - t can drop out
Ramp (t1,t2,n)(t_1, t_2, n)ByzSecAgg (Ch 11), FL with large gradientsgg-fold share-size savings, graceful degradation
Linear / coded (Sun–Jafar)PIR (Ch 13), coded PIR (Ch 14), cache-aided PIR (Ch 15)Privacy against colluders, capacity-matching download rate

Quick Check

In federated learning with n=1000n = 1000 users and a gradient of d=108d = 10^8 coordinates, which secret-sharing variant is most appropriate for the per-round aggregation primitive?

Shamir (t,n)(t, n) with t=500t = 500

Additive (n,n)(n, n)-scheme via pairwise masks (as in Bonawitz's protocol).

Blakley's hyperplane scheme

Asmuth–Bloom CRT scheme

Correction:
Additive (n,n)(n, n)-scheme via pairwise masks (as in Bonawitz's protocol).

Correct: only aggregation is needed, no threshold reconstruction is required, and the (n,n)(n, n)-scheme has the smallest per-user overhead — the user uploads a single masked gradient of the same size as gk\mathbf{g}_k.

Ramp Secret Sharing: Trading Security for EfficiencyChapter Summary