Whitepaper Question



I’ve been dabbling in trying to figure out the Enigma whitepaper. My brick wall came at p. 5 where SHE is outlined and this paper is referenced. My problem is that this paper, and every other that comes up when I google this technique, assumes that the shares [s]_p_i add up to the original secret s.
However I see no reason for this to be the case for the definition stipulated by Shamir’s scheme in equation (3). Are there additional ‘obvious’ conditions that I am missing here that force each sum of kth powers to be 0 (1 <= k <= t)? Appreciate anyone’s expertise here.


Pre-processing based MPC papers tend to focus on ‘only a single node needs to be honest’ model, so they adopt an additive sharing scheme instead of a threshold one (i.e., Shamir). The papers are written to support that. It’s true (and a really really nice find!) that the offline phase needs to be adapted to support a threshold scheme.

There’s been a lot of work since on improving the (overly complicated) offline phase, so SHE has been phased out in recent research in favor of OT-based correlated randomness generation, which I believe is more amenable to switching between the secret sharing schemes.

I expect we’ll need to do more work on that front. An easy solution we considered was to simply use a share conversion protocol to move between additive shares to Shamir.