
2.2.1.2 Sum Secret Sharing

Shamir's secret sharing protocol is flexible in that it allows the dealer to vary the number of players required to reconstruct the shared secret, by varying the degree of the polynomial p(x). If we wish to require all players to cooperate in order to be able to reconstruct the secret, then we do not need a secret sharing protocol as (relatively) complicated as Shamir's. In this case, rather than resort to using a polynomial, we can simply distribute n shares whose sum is the desired secret.

Protocol 2 (Sum Secret Sharing)   To share the secret s among players $P_1$, $P_2$, ..., $P_n$, such that all n players are required to reconstruct the secret:
1. Dealer D chooses n numbers $\mathrm{share}_1(s)$, $\mathrm{share}_2(s)$, ..., $\mathrm{share}_n(s)$, such that the first n-1 are random, and $s = \sum_{j=1}^n \mathrm{share}_j(s)$.
2. Dealer D distributes $\mathrm{share}_j(s)$ to $P_j$ for each j.
To reconstruct the secret from shares $\mathrm{share}_1(s)$, $\mathrm{share}_2(s)$, ..., $\mathrm{share}_n(s)$, just compute $s = \sum_{j=1}^n \mathrm{share}_j(s)$. $\Box$

Since every possible value of each individual share is equally likely, collecting together even n-1 of the shares affords no information about the secret. This protocol has the slight advantage over Shamir's in that it is easier to compute.
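The following Python sketch of Protocol 2 is an added example, not part of the original text. It assumes shares are taken modulo a public modulus Q (the text says only "numbers"), and the function names are hypothetical; `view_distribution` checks the n-1 share claim by exhaustive enumeration over a small modulus.

```python
import secrets
from collections import Counter
from itertools import product

# Assumption: arithmetic is modulo a public Q. A finite group is what lets
# each of the first n-1 shares be drawn uniformly at random.
Q = 2**127 - 1

def share(s, n, q=Q):
    """Dealer: n-1 uniform shares, then one final share so the sum is s mod q."""
    if n < 2:
        raise ValueError("need at least two players")
    if not 0 <= s < q:
        raise ValueError("secret must lie in [0, q)")
    shares = [secrets.randbelow(q) for _ in range(n - 1)]  # CSPRNG, not random
    shares.append((s - sum(shares)) % q)
    return shares

def reconstruct(shares, q=Q):
    """All n players pool their shares; the secret is their sum mod q."""
    return sum(shares) % q

def missing_share_for(known, candidate, q=Q):
    """Share the absent player would have to hold for `candidate` to be the secret.

    One exists for every candidate, so n-1 shares rule nothing out."""
    return (candidate - sum(known)) % q

def view_distribution(s, n, q, absent):
    """For a small q, enumerate every dealer choice and count what the n-1
    players other than index `absent` see when the secret is s."""
    views = Counter()
    for rand in product(range(q), repeat=n - 1):
        shares = list(rand) + [(s - sum(rand)) % q]
        views[tuple(x for j, x in enumerate(shares) if j != absent)] += 1
    return views

if __name__ == "__main__":
    parts = share(123456789, 5)
    print("reconstructed:", reconstruct(parts))
    # Constructed toy parameters: q = 5, n = 3, player 0 absent.
    dists = [view_distribution(s, 3, 5, absent=0) for s in range(5)]
    print("views identical for every secret:", all(d == dists[0] for d in dists))
```

Note that a single missing or altered share changes the reconstructed value without any indication that something is wrong.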


Ken Shan (ken@digitas.harvard.edu), 1998-05-15