Information security - Secure multiparty computation - Part 2: Mechanisms based on secret sharing

This document specifies the processes for secure multiparty computation mechanisms based on the secret sharing techniques which are specified in ISO/IEC 19592-2. Secure multiparty computation based on secret sharing can be used for confidential data processing. Examples of possible applications include collaborative data analytics or machine learning where data are kept secret, secure auctions where each bidding price is hidden, and performing cryptographic operations where the secrecy of the private keys is maintained. This document specifies the mechanisms including but not limited to addition, subtraction, multiplication by a constant, shared random number generation, and multiplication with their parameters and properties. This document describes how to perform a secure function evaluation using these mechanisms and secret sharing techniques.

Sécurité de l'information — Calcul multipartite sécurisé — Partie 2: Mécanismes basés sur le partage de secret

General Information

Status: Published
Publication Date: 05-Mar-2024
Current Stage: 6060 - International Standard published
Start Date: 06-Mar-2024
Due Date: 15-Mar-2024
Completion Date: 06-Mar-2024

Overview

ISO/IEC 4922-2:2024 - Information security - Secure multiparty computation - Part 2: Mechanisms based on secret sharing - defines standardized processes and mechanisms for implementing secure multiparty computation (MPC) using secret sharing techniques. The document builds on the secret sharing foundations in ISO/IEC 19592-2 and specifies practical building blocks (with parameters and properties) to enable confidential distributed computation and secure function evaluation.

Key topics and technical requirements

  • Secret sharing schemes: Uses schemes referenced in ISO/IEC 19592-2, including Shamir secret sharing and replicated additive secret sharing as primary primitives.
  • Arithmetic building blocks: Formalized procedures for addition, subtraction, and multiplication by a constant, with variants for each secret sharing scheme.
  • Shared random number generation: Both information-theoretically secure and computationally secure shared randomness are specified, including seed-sharing phases and scheme-specific generation methods.
  • Multiplication protocols: Standardized multiplication mechanisms are included, e.g. GRR-multiplication, DN-multiplication (for Shamir), CHIKP-multiplication (for replicated additive schemes), and Beaver-multiplication - each described with parameters, protocols, dot-product variants, and security properties.
  • Secure function evaluation (SFE): Guidance on composing the above mechanisms to perform secure function evaluation over shared inputs and produce shared outputs that can be reconstructed per policy.
  • Normative artifacts: Parameters, protocol steps, object identifiers, numerical examples and security considerations are provided to support interoperability and implementation.

Practical applications

ISO/IEC 4922-2:2024 is targeted at real-world privacy-preserving scenarios where confidential data processing is required:

  • Collaborative data analytics and privacy-preserving machine learning where parties compute models or statistics without revealing raw data.
  • Secure auctions and bidding where each bid remains secret while winners are determined.
  • Distributed cryptographic operations and key-holding schemes that maintain secrecy of private keys during computation.
  • Outsourced computation and multi-stakeholder workflows that require verifiable confidentiality and interoperable protocols.

Who should use this standard

  • Security architects, cryptographic protocol designers, and MPC implementers.
  • Software vendors and cloud providers offering privacy-preserving services.
  • Researchers, auditors, and compliance teams needing interoperable, standards-based MPC components.
  • Standardization bodies and integrators building secure distributed applications.

Related standards

  • ISO/IEC 4922-1 - Secure multiparty computation - Part 1: General
  • ISO/IEC 19592-1 - Secret sharing - Part 1: General
  • ISO/IEC 19592-2:2017 - Secret sharing - Part 2: Fundamental mechanisms

ISO/IEC 4922-2:2024 provides the concrete, interoperable building blocks for implementing secure multiparty computation based on secret sharing, enabling confidential data processing across industries.

Standard
ISO/IEC 4922-2:2024 - Information security — Secure multiparty computation — Part 2: Mechanisms based on secret sharing
Released: 6 March 2024
English language
33 pages

Standards Content (Sample)


International Standard ISO/IEC 4922-2
First edition 2024-03
Information security — Secure multiparty computation —
Part 2:
Mechanisms based on secret sharing
Sécurité de l'information — Calcul multipartite sécurisé —
Partie 2: Mécanismes basés sur le partage de secret
© ISO/IEC 2024
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
© ISO/IEC 2024 – All rights reserved
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols and abbreviated terms
5 Secure multiparty computation based on secret sharing
5.1 General
5.2 Secret sharing
5.3 Secure multiparty computation based on secret sharing
6 Addition, subtraction, and multiplication by a constant
6.1 General
6.2 Addition
6.2.1 Addition for the Shamir secret sharing scheme
6.2.2 Addition of a constant for the Shamir secret sharing scheme
6.2.3 Addition for the replicated additive secret sharing scheme
6.2.4 Addition of a constant for the replicated additive secret sharing scheme
6.3 Subtraction
6.3.1 Subtraction for the Shamir secret sharing scheme
6.3.2 Subtraction of a constant for the Shamir secret sharing scheme
6.3.3 Subtraction for the replicated additive secret sharing scheme
6.3.4 Subtraction of a constant for the replicated additive secret sharing scheme
6.4 Multiplication by a constant
6.4.1 Multiplication by a constant for the Shamir secret sharing scheme
6.4.2 Multiplication by a constant for the replicated additive secret sharing scheme
7 Shared random number generation
7.1 General
7.2 Information-theoretically secure shared random number generation
7.2.1 General-purpose shared random number generation scheme
7.2.2 Shared random number generation for the replicated additive secret sharing scheme
7.2.3 Shared random number generation for the Shamir secret sharing scheme
7.3 Computationally secure shared random number generation
7.3.1 General
7.3.2 Seed sharing phase
7.3.3 Shared random number generation phase for the replicated additive secret sharing scheme
7.3.4 Shared random number generation phase for the Shamir secret sharing scheme
8 Multiplication
8.1 General
8.2 GRR-multiplication for the Shamir secret sharing scheme
8.2.1 General
8.2.2 Parameters
8.2.3 Multiplication protocol
8.2.4 Dot product protocol
8.2.5 Properties
8.3 DN-multiplication for the Shamir secret sharing scheme
8.3.1 General
8.3.2 Parameters
8.3.3 Multiplication protocol
8.3.4 Dot product protocol
8.3.5 Properties
8.4 CHIKP-multiplication for the replicated additive secret sharing scheme
8.4.1 General
8.4.2 Parameters
8.4.3 Multiplication protocol
8.4.4 Properties
8.5 Beaver-multiplication
8.5.1 General
8.5.2 Parameters
8.5.3 Multiplication protocol
8.5.4 Properties
9 Secure function evaluation
Annex A (normative) Object identifiers
Annex B (informative) Numerical examples
Annex C (informative) Security considerations
Bibliography

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical activity.
ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations,
governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/
IEC Directives, Part 2 (see www.iso.org/directives or www.iec.ch/members_experts/refdocs).
ISO and IEC draw attention to the possibility that the implementation of this document may involve the
use of (a) patent(s). ISO and IEC take no position concerning the evidence, validity or applicability of any
claimed patent rights in respect thereof. As of the date of publication of this document, ISO and IEC had
received notice of (a) patent(s) which may be required to implement this document. However, implementers
are cautioned that this may not represent the latest information, which may be obtained from the patent
database available at www.iso.org/patents and https://patents.iec.ch. ISO and IEC shall not be held
responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html.
In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee
SC 27, Information security, cybersecurity and privacy protection.
A list of all parts in the ISO/IEC 4922 series can be found on the ISO website.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.

Introduction
Secure multiparty computation is a cryptographic technique that computes a function on a message while
maintaining the confidentiality of the message. The technique is used to outsource computations to two or
more stakeholders while preserving privacy. To facilitate the effective use of secure multiparty computation
and maintain interoperability, the ISO/IEC 4922 series specifies secure multiparty computation and related
technologies.
Secure multiparty computation often uses cryptographic mechanisms as building blocks. For secure
multiparty computation which is based on secret sharing, secret sharing schemes are used as building blocks.
Secret sharing is a cryptographic technique used to protect the confidentiality of a message by dividing
it into pieces called shares. A secret sharing scheme has two main parts: a message sharing algorithm for
dividing the message into shares and a message reconstruction algorithm for recovering the message from
all or a subset of the shares. The ISO/IEC 19592 series specifies secret sharing and related technologies.
In secure multiparty computation based on secret sharing, a message is shared among participants called
parties via a message sharing algorithm. The parties compute a function on the shared message while
maintaining its confidentiality and obtain shares of the function output. The function output can be obtained
using a message reconstruction algorithm taking as input all or a subset of the output shares. This document
specifies secure multiparty computation based on secret sharing, especially mechanisms to compute a
function on the shared secret.

International Standard ISO/IEC 4922-2:2024(en)
Information security — Secure multiparty computation —
Part 2:
Mechanisms based on secret sharing
1 Scope
This document specifies the processes for secure multiparty computation mechanisms based on the secret
sharing techniques which are specified in ISO/IEC 19592-2. Secure multiparty computation based on secret
sharing can be used for confidential data processing. Examples of possible applications include collaborative
data analytics or machine learning where data are kept secret, secure auctions where each bidding price is
hidden, and performing cryptographic operations where the secrecy of the private keys is maintained.
This document specifies the mechanisms including but not limited to addition, subtraction, multiplication
by a constant, shared random number generation, and multiplication with their parameters and properties.
This document describes how to perform a secure function evaluation using these mechanisms and secret
sharing techniques.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes
requirements of this document. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 4922-1, Information security — Secure multiparty computation — Part 1: General
ISO/IEC 19592-1, Information technology — Security techniques — Secret sharing — Part 1: General
ISO/IEC 19592-2:2017, Information technology — Security techniques — Secret sharing — Part 2: Fundamental
mechanisms
3 Terms and definitions
For this document, the terms and definitions given in ISO/IEC 4922-1, ISO/IEC 19592-1, ISO/IEC 19592-2 and
the following apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
group
set of elements G and an operation + defined on the set of elements such that: (i) a + (b + c) = (a + b) + c for
every a, b and c in G; (ii) there exists an identity element e in G such that a + e = e + a = a for every a in G; (iii)
for every a in G there exists an inverse element −a in G such that a + (−a) = (−a) + a = e
[SOURCE: ISO/IEC 19592-2:2017, 3.8, modified — the notation “a^{−1}” has been replaced by “−a”.]

3.2
finite cyclic group
abelian group (G,+) that is a group (3.1) and a + b = b + a for every a and b in G (with identity element 0),
containing a finite number of elements, such that there exists g in G, where every a in G is equal to g or g
added to itself a finite number of times
Note 1 to entry: Definition adapted from ISO/IEC 19592-2:2017, 3.6.
3.3
ring
set of elements R and a pair of operations (+, *) defined on R such that: (i) a * (b + c) = a * b + a * c for every
a, b and c in R; (ii) R together with + forms an abelian group that is a group (3.1) and a + b = b + a for every a
and b in R (with identity element 0); (iii) R excluding 0 together with * forms a monoid such that: (i) a * (b *
c) = (a * b) * c for every a, b and c in R; (ii) there exists an identity element e in R such that a * e = e * a = a for
every a in R
3.4
finite ring
ring (3.3) containing a finite number of elements
3.5
field
set of elements K and a pair of operations (+, *) defined on K such that: (i) a * (b + c) = a * b + a * c for every a,
b and c in K; (ii) K together with + forms an abelian group that is a group (3.1) and a + b = b + a for every a and
b in K (with identity element 0); (iii) K excluding 0 together with * forms an abelian group that is a group and
a * b = b * a for every a and b in K
[SOURCE: ISO/IEC 19592-2:2017, 3.5, modified — the phrases “that is a group (3.1) and a + b = b + a for every
a and b in K” and “that is a group and a * b = b * a for every a and b in K” have been added.]
3.6
finite field
field (3.5) containing a finite number of elements
[SOURCE: ISO/IEC 19592-2:2017, 3.7]
3.7
deterministic random bit generator
DRBG
random bit generator that produces a random-appearing sequence of bits by applying a deterministic
algorithm to a suitably random initial value called a seed and, possibly, some secondary inputs upon which
the security of the random bit generator does not depend
Note 1 to entry: A DRBG takes a high-entropy, secret random string as input and outputs a longer string of bits, which
is computationally indistinguishable from random data to adversaries not knowing the input.
[SOURCE: ISO/IEC 18031:2011, 3.10, modified — the original note to entry has been replaced.]
3.8
replicated additive secret sharing scheme
secret sharing scheme in which shares are specified as subsets of a set of random values that sum to the secret
Note 1 to entry: The replicated additive secret sharing scheme is specified in ISO/IEC 19592-2.
3.9
Shamir secret sharing scheme
secret sharing scheme in which shares are specified as points on a random polynomial for which the secret
is the constant
Note 1 to entry: The Shamir secret sharing scheme is specified in ISO/IEC 19592-2.

4 Symbols and abbreviated terms
$A$: adversary structure of threshold $k$
$A^t$: set of $t$-tuples of elements of $A$
$A \subset B$: $A$ is a subset of $B$
$a \in A$: $a$ is an element of $A$
$A \times B$: direct product of $A$ and $B$, i.e. the set of all ordered pairs $(a, b)$, where $a \in A$ and $b \in B$
$|A|$: number of elements in $A$
$[a]_i$: $i$-th share of a message $a$
$[a]$: vector of shares $([a]_1, \dots, [a]_n)$
${}_iC_j$: binomial coefficient, namely $i$ choose $j$
$G$: finite cyclic group
$K$: finite field
$K[x]$: set of all polynomials in $x$ with coefficients in $K$
$k$: threshold of shares
$m$: number of sub-shares for each party in an instance of the replicated additive secret sharing scheme
$n$: number of shares
$P_i$: $i$-th computing party of secure multiparty computation
$R$: finite ring
Recover: message reconstruction algorithm of a secret sharing scheme
$r_Z$: sub-share of the replicated additive secret sharing scheme corresponding to $Z \in A$
Share: message sharing algorithm of a secret sharing scheme
$x_i$: non-zero fixed field element corresponding to party $P_i$, where the values $x_i$ are distinct and known
to all computing parties
5 Secure multiparty computation based on secret sharing
5.1 General
This clause specifies fundamental concepts for secure multiparty computation based on secret sharing. The
secret sharing schemes and the parameters used in this document are described in 5.2. The process flow
and parameters for secure multiparty computation based on secret sharing are described in 5.3. Annex A
lists the object identifiers which shall be used to identify the mechanisms specified in this document.
Annex B provides numerical examples for the mechanisms specified in this document, which can be used for
checking the correctness of implementations. Annex C provides security considerations that can be used to
obtain additional information regarding the security of all the mechanisms specified in this document.

5.2 Secret sharing
The secure multiparty computation schemes based on secret sharing specified in this document use
the Shamir and replicated additive secret sharing schemes. These secret sharing schemes are defined in
ISO/IEC 19592-2 and employ the following algorithms and parameters.
— Message space: the set of possible messages that can be input to the message sharing algorithm.
— Share space: the set of possible shares that can be output by the message sharing algorithm.
— Number of shares: the range of possible values of n supported by the scheme.
— Threshold: the range of possible values of k supported by the scheme.
— Adversary structure: the set of all maximal coalitions of participants that are not sufficient to
reconstruct the message. For a threshold secret sharing scheme with threshold $k$, the adversary
structure $A$ is $\{ Z \mid Z \subset \{1, \dots, n\},\ |Z| = k - 1 \}$.
— Message sharing algorithm: an algorithm that divides a message into n shares.
— Message reconstruction algorithm: an algorithm that reconstructs a message from k shares.
— Lagrange interpolation coefficients: the coefficients used in the reconstruction algorithm of the Shamir
secret sharing scheme.
5.3 Secure multiparty computation based on secret sharing
The secure multiparty computation schemes based on secret sharing specified in this document are
intended to be used for performing a secure function evaluation. The process of a secure function evaluation
is as follows.
a) Input parties run the message sharing algorithm on their function inputs and then send the resulting
shares to the computing parties.
b) The computing parties evaluate the function using one or more of the multiparty protocols specified in
this document.
c) The computing parties send the result of the evaluation to the result parties, and the result parties then
run the message reconstruction algorithm to obtain the function output.
NOTE The notions of input parties, computing parties, result parties, and multiparty protocols are defined in
ISO/IEC 4922-1.
The following parameters apply to all the mechanisms specified in this document.
— Input message space: the same as the message space of the secret sharing scheme (see 5.2).
— Output message space: the same as the message space of the secret sharing scheme (see 5.2).
— Encoded message space: the same as the share space of the secret sharing scheme (see 5.2).
— Restriction of roles: there are no restrictions on the roles of a party, i.e. one party can take multiple roles.
— Communication channel: a point-to-point secure channel between each pair of parties.
Clauses 6, 7 and 8 specify mechanisms for computing parties that can be used to build a multiparty protocol
for secure function evaluation. For each mechanism, the following items are listed.
d) Parameters
1) Number of computing parties: the number of computing parties n’, supported by the protocol. In
this document, n is used instead of n’ since all mechanisms specified in this document assume that
each computing party holds a single share, meaning that n equals n’.
2) Threshold: the number of computing parties k such that even against an adversary corrupting
fewer than k parties, the input privacy defined in ISO/IEC 4922-1 holds. In this document, k is used
instead of k’ since all the mechanisms specified in this document assume that each computing party
holds a single share, meaning that k equals k’.
3) Other parameters (if applicable).
e) Protocol description: the protocol that jointly computes a function on the input shares among the
computing parties.
f) Properties
1) Communication complexity: the total number of elements communicated among the computing
parties.
2) Round complexity: the number of communication rounds, where communication is as parallelized
as possible.
3) Tolerable adversary behaviour: the type of adversary against which the protocol will remain secure.
The protocols specified in this document are secure against either passive adversaries (adversaries
that only observe the protocol execution), or active adversaries (adversaries can interrupt or modify
communications).
6 Addition, subtraction, and multiplication by a constant
6.1 General
This clause contains protocols which achieve secure multiparty computation for addition, subtraction,
addition and subtraction of a constant, and multiplication by a constant based on the Shamir and replicated
additive secret sharing schemes. These protocols involve only local computations, i.e. they do not require
communication. Therefore, discussion of communication and round complexities is omitted in this clause.
The protocols are a detailed description of the homomorphic operations of the secret sharing schemes
described in ISO/IEC 19592-2.
6.2 Addition
6.2.1 Addition for the Shamir secret sharing scheme
6.2.1.1 Parameters
Number of computing parties: $n$, satisfying $n < |K|$.
Threshold: $k$, satisfying $k \le n$.
6.2.1.2 Addition protocol
Input: share vectors $([a]_1, \dots, [a]_n), ([a']_1, \dots, [a']_n) \in K^n$.
Output: share vector $([a+a']_1, \dots, [a+a']_n) \in K^n$.
a) Each $P_i$ for $1 \le i \le n$ computes $[a+a']_i = [a]_i + [a']_i \in K$.
b) Output $([a+a']_1, \dots, [a+a']_n) \in K^n$.
6.2.1.3 Properties
Tolerable adversary behaviour: active if $k - 1 < n/3$, otherwise passive.
6.2.2 Addition of a constant for the Shamir secret sharing scheme
6.2.2.1 Parameters
Number of computing parties: $n$, satisfying $n < |K|$.
Threshold: $k$, satisfying $k \le n$.
6.2.2.2 Addition-of-a-constant protocol
Input: a share vector $([a]_1, \dots, [a]_n) \in K^n$, and a constant $c \in K$.
Output: share vector $([a+c]_1, \dots, [a+c]_n) \in K^n$.
a) Each $P_i$ for $1 \le i \le n$ computes $[a+c]_i = [a]_i + c \in K$.
b) Output $([a+c]_1, \dots, [a+c]_n) \in K^n$.
6.2.2.3 Properties
Tolerable adversary behaviour: active if $k - 1 < n/3$, otherwise passive.
6.2.3 Addition for the replicated additive secret sharing scheme
6.2.3.1 Parameters
Number of computing parties: $n$.
Threshold: $k$, satisfying $k \le n$.
Form of shares: $[a]_i = \{ r_Z \mid i \notin Z, Z \in A \}$, $1 \le i \le n$, and $[a']_i = \{ r'_Z \mid i \notin Z, Z \in A \}$, $1 \le i \le n$.
6.2.3.2 Addition protocol
Input: share vectors $([a]_1, \dots, [a]_n), ([a']_1, \dots, [a']_n) \in G^{m \times n}$, where $m = {}_{n-1}C_{k-1}$.
Output: share vector $([a+a']_1, \dots, [a+a']_n) \in G^{m \times n}$.
a) Each $P_i$ for $1 \le i \le n$ computes $[a+a']_i = \{ r_Z + r'_Z \mid i \notin Z, Z \in A \} \in G^m$.
b) Output $([a+a']_1, \dots, [a+a']_n) \in G^{m \times n}$.
6.2.3.3 Properties
Tolerable adversary behaviour: active if $k - 1 < n/3$, otherwise passive.
6.2.4 Addition of a constant for the replicated additive secret sharing scheme
6.2.4.1 Parameters
Number of computing parties: $n$.
Threshold: $k$, satisfying $k \le n$.
Form of shares: $[a]_i = \{ r_Z \mid i \notin Z, Z \in A \}$, $1 \le i \le n$.
Representative share: a sub-share $r_{Z^*}$ to be used in a special way in the protocol, where $Z^* \in A$ is a set of
participants that shall be agreed by the parties prior to the protocol execution.
6.2.4.2 Addition-of-a-constant protocol
Input: share vector $([a]_1, \dots, [a]_n) \in G^{m \times n}$ and a constant $c \in G$, where $m = {}_{n-1}C_{k-1}$.
Output: share vector $([a+c]_1, \dots, [a+c]_n) \in G^{m \times n}$.
a) Each $P_i$ for $1 \le i \le n$ sets $[a+c]_i = \{ r'_Z \mid i \notin Z, Z \in A \}$, where $r'_Z = r_Z + c \in G$ if $Z = Z^*$, otherwise
$r'_Z = r_Z$.
b) Output $([a+c]_1, \dots, [a+c]_n) \in G^{m \times n}$.
6.2.4.3 Properties
Tolerable adversary behaviour: active if $k - 1 < n/3$, otherwise passive.
6.3 Subtraction
6.3.1 Subtraction for the Shamir secret sharing scheme
6.3.1.1 Parameters
Number of computing parties: $n$, satisfying $n < |K|$.
Threshold: $k$, satisfying $k \le n$.
6.3.1.2 Subtraction protocol
Input: share vectors $([a]_1, \dots, [a]_n), ([a']_1, \dots, [a']_n) \in K^n$.
Output: share vector $([a-a']_1, \dots, [a-a']_n) \in K^n$.
a) Each $P_i$ for $1 \le i \le n$ computes $[a-a']_i = [a]_i + (-[a']_i) \in K$, where $-[a']_i$ is an additive inverse of $[a']_i$ in
$K$.
b) Output $([a-a']_1, \dots, [a-a']_n) \in K^n$.
6.3.1.3 Properties
Tolerable adversary behaviour: active if $k - 1 < n/3$, otherwise passive.
6.3.2 Subtraction of a constant for the Shamir secret sharing scheme
6.3.2.1 Parameters
Number of computing parties: $n$, satisfying $n < |K|$.
Threshold: $k$, satisfying $k \le n$.
6.3.2.2 Subtraction-of-a-constant protocol
Input: a share vector $([a]_1, \dots, [a]_n) \in K^n$, and a constant $c \in K$.
Output: share vector $([a-c]_1, \dots, [a-c]_n) \in K^n$.
a) Each $P_i$ for $1 \le i \le n$ computes $[a-c]_i = [a]_i - c \in K$.
b) Output $([a-c]_1, \dots, [a-c]_n) \in K^n$.
6.3.2.3 Properties
Tolerable adversary behaviour: active if $k - 1 < n/3$, otherwise passive.
6.3.3 Subtraction for the replicated additive secret sharing scheme
6.3.3.1 Parameters
Number of computing parties: $n$.
Threshold: $k$, satisfying $k \le n$.
Form of shares: $[a]_i = \{ r_Z \mid i \notin Z, Z \in A \}$, $1 \le i \le n$, and $[a']_i = \{ r'_Z \mid i \notin Z, Z \in A \}$, $1 \le i \le n$.
6.3.3.2 Subtraction protocol
Input: share vectors $([a]_1, \dots, [a]_n), ([a']_1, \dots, [a']_n) \in G^{m \times n}$, where $m = {}_{n-1}C_{k-1}$.
Output: share vector $([a-a']_1, \dots, [a-a']_n) \in G^{m \times n}$.
a) Each $P_i$ for $1 \le i \le n$ computes $[a-a']_i = \{ r_Z + (-r'_Z) \mid i \notin Z, Z \in A \} \in G^m$, where $-r'_Z \in G$ is an additive
inverse of $r'_Z \in G$.
b) Output $([a-a']_1, \dots, [a-a']_n) \in G^{m \times n}$.
6.3.3.3 Properties
Tolerable adversary behaviour: active if $k - 1 < n/3$, otherwise passive.
6.3.4 Subtraction of a constant for the replicated additive secret sharing scheme
6.3.4.1 Parameters
Number of computing parties: $n$.
Threshold: $k$, satisfying $k \le n$.
Form of shares: $[a]_i = \{ r_Z \mid i \notin Z, Z \in A \}$, $1 \le i \le n$.
Representative share: a sub-share $r_{Z^*}$ to be used in a special way in the protocol, where $Z^* \in A$ is a set of
participants that shall be agreed by the parties prior to the protocol execution.
6.3.4.2 Subtraction-of-a-constant protocol
Input: share vector $([a]_1, \dots, [a]_n) \in G^{m \times n}$ and a constant $c \in G$, where $m = {}_{n-1}C_{k-1}$.
Output: share vector $([a-c]_1, \dots, [a-c]_n) \in G^{m \times n}$.
a) Each $P_i$ for $1 \le i \le n$ sets $[a-c]_i = \{ r'_Z \mid i \notin Z, Z \in A \}$, where $r'_Z = r_Z - c \in G$ if $Z = Z^*$ and
$r'_Z = r_Z$ otherwise.
b) Output $([a-c]_1, \dots, [a-c]_n) \in G^{m \times n}$.
6.3.4.3 Properties
Tolerable adversary behaviour: active if $k - 1 < n/3$, otherwise passive.
6.4 Multiplication by a constant
6.4.1 Multiplication by a constant for the Shamir secret sharing scheme
6.4.1.1 Parameters
Number of computing parties: $n$, satisfying $n < |K|$.
Threshold: $k$, satisfying $k \le n$.
6.4.1.2 Multiplication by a constant protocol
Input: share vector $([a]_1, \dots, [a]_n) \in K^n$, and a constant $c \in K$.
Output: share vector $([ca]_1, \dots, [ca]_n) \in K^n$.
a) Each $P_i$ for $1 \le i \le n$ computes $[ca]_i = c[a]_i \in K$.
b) Output $([ca]_1, \dots, [ca]_n) \in K^n$.
6.4.1.3 Properties
Tolerable adversary behaviour: active if $k - 1 < n/3$, otherwise passive.
6.4.2 Multiplication by a constant for the replicated additive secret sharing scheme
6.4.2.1 Parameters
Number of computing parties: $n$.
Threshold: $k$, satisfying $k \le n$.
Form of share: $[a]_i = \{ r_Z \mid i \notin Z, Z \in A \}$.
6.4.2.2 Multiplication by a constant protocol
Input: share vector $([a]_1, \dots, [a]_n) \in G^{m \times n}$ where $m = {}_{n-1}C_{k-1}$, and a constant $c$ such that $0 \le c \le |G| - 1$.
Output: share vector $([ca]_1, \dots, [ca]_n) \in G^{m \times n}$.
a) Each $P_i$ for $1 \le i \le n$ computes $[ca]_i = \{ c\,r_Z \mid i \notin Z, Z \in A \} \in G^m$, where $c\,r_Z \in G$ means $c - 1$ recursive additions
of $r_Z$, i.e. $r_Z + r_Z + \dots + r_Z$, when $1 \le c \le |G| - 1$, or the substitution by $0$ when $c = 0$.
b) Output $([ca]_1, \dots, [ca]_n) \in G^{m \times n}$.
NOTE If $G$ is a ring and $c \in G$, each $P_i$ can compute $c\,r_Z$ by multiplying $c$ by $r_Z$ in a).
6.4.2.3 Properties
Tolerable adversary behaviour: active if $k - 1 < n/3$, otherwise passive.
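As an added example (not the standard's own code), the replicated additive mechanisms of 6.2.3, 6.2.4, 6.3.3, 6.3.4 and 6.4.2 in Python over the constructed group $G = \mathbb{Z}_q$ with $n = 4$, $k = 3$; the names `share`, `recover`, `uncovered` and `z_star` are this example's own, and a party's share is represented as a dictionary from $Z \in A$ to $r_Z$.

```python
"""Replicated additive secret sharing over the finite cyclic group G = Z_q
with the local operations of 6.2.3, 6.2.4, 6.3.3, 6.3.4 and 6.4.2.
Constructed example, not the standard's own code: q = 2**16, n = 4 computing
parties and threshold k = 3, so the adversary structure A is every Z subset of
{1,..,4} with |Z| = k-1 = 2 and each party holds m = C(n-1, k-1) = 3 sub-shares."""
from itertools import combinations
from math import comb
import secrets

Q = 2**16          # |G|; G is the integers modulo Q under addition
N_PARTIES = 4      # n
THRESHOLD = 3      # k, with k <= n


def adversary_structure(n=N_PARTIES, k=THRESHOLD):
    """A = { Z | Z subset of {1,...,n}, |Z| = k-1 } (5.2), as frozensets."""
    return [frozenset(z) for z in combinations(range(1, n + 1), k - 1)]


def share(a, n=N_PARTIES, k=THRESHOLD, q=Q):
    """Share: random r_Z in G for every Z in A with sum r_Z = a (mod q);
    party P_i receives [a]_i = { r_Z | i not in Z, Z in A }."""
    A = adversary_structure(n, k)
    r = {Z: secrets.randbelow(q) for Z in A[:-1]}
    r[A[-1]] = (a - sum(r.values())) % q          # last sub-share makes the sum a
    shares = {i: {Z: r[Z] for Z in A if i not in Z} for i in range(1, n + 1)}
    assert all(len(s) == comb(n - 1, k - 1) for s in shares.values())  # m each
    return shares


def uncovered(shares, n=N_PARTIES, k=THRESHOLD):
    """Sub-share labels Z that none of the given parties holds.  For any k
    parties this is empty; for the k-1 parties forming Z it is exactly {Z}, so
    their joint view is a set of uniformly random values and a stays hidden."""
    held = set().union(*(s.keys() for s in shares.values()))
    return set(adversary_structure(n, k)) - held


def recover(shares, n=N_PARTIES, k=THRESHOLD, q=Q):
    """Recover from any k parties: pool their sub-shares and add them all."""
    assert not uncovered(shares, n, k), "fewer than k parties: cannot reconstruct"
    pooled = {}
    for s in shares.values():
        pooled.update(s)                 # copies of the same r_Z are identical
    return sum(pooled.values()) % q


def add(sa, sb, q=Q):      # 6.2.3  [a+a']_i = { r_Z + r'_Z | i not in Z, Z in A }
    return {i: {Z: (r + sb[i][Z]) % q for Z, r in s.items()} for i, s in sa.items()}

def sub(sa, sb, q=Q):      # 6.3.3  [a-a']_i = { r_Z + (-r'_Z) | i not in Z, Z in A }
    return {i: {Z: (r - sb[i][Z]) % q for Z, r in s.items()} for i, s in sa.items()}

def add_const(sa, c, z_star, q=Q):
    """6.2.4: only the agreed representative sub-share r_{Z*} absorbs c.  Parties
    in Z* hold no copy of it, so their share is unchanged; every holder of
    r_{Z*} applies the same update and the copies stay consistent."""
    return {i: {Z: (r + c) % q if Z == z_star else r for Z, r in s.items()}
            for i, s in sa.items()}

def sub_const(sa, c, z_star, q=Q):   # 6.3.4  r'_{Z*} = r_{Z*} - c
    return add_const(sa, (-c) % q, z_star, q)

def repeated_add(r, c, q=Q):
    """c r_Z as defined in 6.4.2.2: r_Z added to itself c times, 0 when c = 0."""
    assert 0 <= c <= q - 1
    total = 0
    for _ in range(c):
        total = (total + r) % q
    return total

def mul_const(sa, c, q=Q):
    """6.4.2  [ca]_i = { c r_Z | i not in Z, Z in A }.  Z_q is a ring, so the
    NOTE in 6.4.2.2 applies and c r_Z is computed as (c * r_Z) mod q."""
    assert 0 <= c <= q - 1
    return {i: {Z: c * r % q for Z, r in s.items()} for i, s in sa.items()}


if __name__ == "__main__":
    a, b = 1234, 60000
    sa, sb = share(a), share(b)
    z_star = adversary_structure()[0]              # agreed before the protocol
    print(recover({i: sa[i] for i in (2, 3, 4)}) == a)
    print(uncovered({1: sa[1], 2: sa[2]}) == {frozenset({1, 2})})
    result = add_const(sub(sa, sb), 7, z_star)     # shares of a - b + 7
    print(recover({i: result[i] for i in (1, 3, 4)}) == (a - b + 7) % Q)
```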
7 Shared random number generation
7.1 General
This clause contains secure multiparty computation protocols for generating shares of a random number. No
computing party shall know the generated shared random number.
7.2 Information-theoretically secure shared random number generation
7.2.1 General-purpose shared random number generation scheme
7.2.1.1 General
This subclause contains the parameters (7.2.1.2), protocol (7.2.1.3) and properties (7.2.1.4) of the
information-theoretically secure shared random number generation for secret sharing schemes with
homomorphic operations, as described in Reference [4]. The protocol works on secret sharing schemes
with homomorphic operations, including the Shamir and replicated additive secret sharing schemes. In
this protocol, k random numbers are chosen by k distinct computing parties and shared using the message
sharing algorithm. The parties then sum their received shares and output the result.
NOTE The number of random numbers k is equal to the threshold of the secret sharing scheme.
7.2.1.2 Parameters
Number of computing parties: $n$, which shall satisfy $n < |K|$ if the Shamir secret sharing scheme is used.
Threshold: $k$, satisfying $k \le n$.
Subset of parties: $\{P_{i_1}, \ldots, P_{i_k}\} \subseteq \{P_1, \ldots, P_n\}$.
7.2.1.3 Shared random number generation protocol
Input: none.
Output: share vector $([w]_1, \ldots, [w]_n)$.
a) Each $P_i$ for $P_i \in \{P_{i_1}, \ldots, P_{i_k}\}$:
1) randomly selects $w'_i$,
2) computes $([w'_i]_1, \ldots, [w'_i]_n) = \mathrm{Share}(w'_i)$,
3) sends $[w'_i]_j$ to each party $P_j$ for $1 \le j \le n$.
b) Compute $[w] = \left[ \sum_{t=1}^{k} w'_{i_t} \right]$ by the addition described in 6.2.
c) Output $([w]_1, \ldots, [w]_n)$.
7.2.1.4 Properties
Communication complexity: $k(n-1)$ elements in $K$ for the Shamir secret sharing scheme and $km(n-1)$ elements in $G$ for the replicated additive secret sharing scheme.
Round complexity: 1 round.
Tolerable adversary behaviour: passive.
7.2.2 Shared random number generation for the replicated additive secret sharing scheme
7.2.2.1 General
This subclause contains the parameters (7.2.2.2), protocol (7.2.2.3) and properties (7.2.2.4) of the
information-theoretically secure shared random number generation for the replicated additive secret
sharing scheme. The protocol is optimized for the replicated additive secret sharing scheme and has lower
communication complexity than the protocol specified in 7.2.1.
7.2.2.2 Parameters
Number of computing parties: n .
Threshold: k , satisfying kn≤ .
Subset of parties: a party $P_Z$ such that $P_Z = P_i$ for some $i \notin Z$ for each $Z \in A$.
7.2.2.3 Shared random number generation protocol
Input: none.
Output: a share vector $([w]_1, \ldots, [w]_n) \in G^{m \times n}$, where $m = {}_{n-1}C_{k-1}$.
a) $P_Z$ randomly selects $r_Z \in G$ for each $Z \in A$.
b) $P_Z$ sends $r_Z$ to $P_j$ for all $j \notin Z \cup \{i\}$ for each $Z \in A$.
c) $P_j$ for $1 \le j \le n$ sets $[w]_j = \{ r_Z \mid j \notin Z \in A \}$.
d) Output $([w]_1, \ldots, [w]_n) \in G^{m \times n}$.
7.2.2.4 Properties
Communication complexity: $\sum_{Z \in A} (n - |Z| - 1)$ elements of $G$.
Round complexity: 1 round.
Tolerable adversary behaviour: passive.
7.2.3 Shared random number generation for the Shamir secret sharing scheme
7.2.3.1 General
This subclause contains the parameters (7.2.3.2), protocol (7.2.3.3) and properties (7.2.3.4) of the information-theoretically secure shared random number generation protocol [10] for the Shamir secret sharing scheme. This protocol generates share vectors for $n - k + 1$ random numbers simultaneously from share vectors for $n$ random numbers chosen by the computing parties. The protocol has low communication complexity when generating multiple share vectors of a random number.

7.2.3.2 Parameters
Number of computing parties: $n$, satisfying $n < |K|$.
Threshold: $k$, satisfying $k \le n$.
Vandermonde matrix: $M$, where $M$ is an $n \times (n-k+1)$ matrix with $i$-th row $(1, a_i, a_i^2, \ldots, a_i^{n-k})$ with the $a_i$ distinct and non-zero, where $a_i$ for $1 \le i \le n$ shall be agreed by the parties prior to executing the protocol.
7.2.3.3 Shared random number generation protocol
Input: none.
Output: share vectors $([w_1]_1, \ldots, [w_1]_n), \ldots, ([w_{n-k+1}]_1, \ldots, [w_{n-k+1}]_n) \in K^n$.
a) Each $P_i$ for $1 \le i \le n$:
1) randomly selects $w'_i \in K$,
2) computes $([w'_i]_1, \ldots, [w'_i]_n) = \mathrm{Share}(w'_i)$,
3) sends $[w'_i]_j$ to $P_j$ for $1 \le j \le n$.
b) Each $P_j$ for $1 \le j \le n$:
1) receives all $[w'_1]_j, \ldots, [w'_n]_j$ from $P_i$ for $1 \le i \le n$,
2) computes $([w_1]_j, \ldots, [w_{n-k+1}]_j)^T = M^T \, ([w'_1]_j, \ldots, [w'_n]_j)^T$.
c) Output $([w_1]_1, \ldots, [w_1]_n), \ldots, ([w_{n-k+1}]_1, \ldots, [w_{n-k+1}]_n) \in K^n$.
7.2.3.4 Properties
Communication complexity: $n(n-1)$ elements of $K$.
Round complexity: 1 round.
Tolerable adversary behaviour: passive.
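An added example, not code from ISO/IEC 4922-2: Shamir sharing over K = Z_P with evaluation point j for party P_j, used to run both the k-dealer protocol of 7.2.1.3 and the Vandermonde extraction of 7.2.3.3 so the two constructions can be compared on the same primitive; the prime P, the points a_i, the Lagrange-based Share/reconstruct pair and the function names are my assumptions.

```python
import secrets

# Constructed example, not the standard's code. Shares are lists of length n
# with party P_j's share [w]_j = f(j) at index j-1.
P = 2**31 - 1   # |K| must exceed n (constructed prime)

def shamir_share(w, n, k):
    """Share(w): random polynomial f of degree k-1 with f(0) = w, [w]_j = f(j)."""
    coeffs = [w] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [sum(c * pow(j, e, P) for e, c in enumerate(coeffs)) % P for j in range(1, n + 1)]

def shamir_reconstruct(points):
    """Lagrange interpolation at 0 from k pairs (j, [w]_j)."""
    total = 0
    for j, y in points:
        num = den = 1
        for m, _ in points:
            if m != j:
                num, den = num * (-m) % P, den * (j - m) % P
        total += y * num * pow(den, P - 2, P)
    return total % P

def random_shares_general(n, k, dealers):
    """7.2.1.3: each of the k chosen parties shares a random w'_i; every party
    adds the shares it received (addition of 6.2), giving a sharing of w = sum w'_i."""
    contributions = [shamir_share(secrets.randbelow(P), n, k) for _ in dealers]
    return [sum(col) % P for col in zip(*contributions)]

def vandermonde(n, k, a):
    """M: n x (n-k+1) matrix with i-th row (1, a_i, ..., a_i^(n-k)); a_i distinct, non-zero."""
    return [[pow(a[i], e, P) for e in range(n - k + 1)] for i in range(n)]

def random_shares_vandermonde(n, k, a):
    """7.2.3.3: all n parties share a random w'_i; party P_j applies M^T to the
    column ([w'_1]_j, ..., [w'_n]_j) it received, giving n-k+1 share vectors at once."""
    M = vandermonde(n, k, a)
    sent = [shamir_share(secrets.randbelow(P), n, k) for _ in range(n)]  # sent[i][j] = [w'_{i+1}]_{j+1}
    return [[sum(M[i][t] * sent[i][j] for i in range(n)) % P for j in range(n)]
            for t in range(n - k + 1)]
```

Because each output vector is a linear combination of degree-(k-1) sharings, any k of its n entries interpolate to the same value; the test below checks exactly that consistency.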
7.3 Computationally secure shared random number generation
7.3.1 General
7.3 describes the parameters, protocols and properties of the computationally secure shared random number generation protocols [9]. The security of these protocols depends on the computational hardness assumption of the deterministic random bit generator. The protocols consist of two phases.
a) Seed sharing phase: The parties share seeds among adequate sets of parties. This phase requires
communication.
b) Shared random number generation phase: The parties generate a share vector of a random number. This
phase can be performed without communication.
The parties execute the seed sharing phase first and then execute the random share generation phase
repeatedly until the seeds are updated. The seed sharing phase is common between the Shamir and
replicated additive secret sharing schemes.

7.3.2 Seed sharing phase
7.3.2.1 General
The seed sharing phase is intended to provide the computing parties with a replicated seed vector $(S_1, \ldots, S_n) \in X^{m \times n}$, where $X$ is a seed space and $S_i = \{ s_Z \mid i \notin Z \in A \}$ for a random number $s_Z$. The replicated seed vector can be regarded as a share vector of a random number in the replicated additive secret sharing scheme in $X$. Therefore, the protocols specified in 7.2.2 can be used to implement this phase.
7.3.2.2 Parameters
Number of computing parties: n .
Threshold: k , satisfying kn≤ .
Subset of parties: a party $P_Z$ such that $P_Z = P_i$ for some $i \notin Z$ for each $Z \in A$.
7.3.2.3 Seed sharing phase
Input: none.
Output: a share vector $(S_1, \ldots, S_n) \in X^{m \times n}$, where $m = {}_{n-1}C_{k-1}$.
a) $P_Z$ randomly selects $s_Z \in X$ for each $Z \in A$.
b) $P_Z$ sends $s_Z$ to $P_j$ for all $j \notin Z \cup \{i\}$ for each $Z \in A$.
c) $P_j$ for $1 \le j \le n$ sets $S_j = \{ s_Z \mid j \notin Z \in A \}$.
d) Output $(S_1, \ldots, S_n) \in X^{m \times n}$.
NOTE There are alternative ways. An input party can create all the $s_Z$ and send them to the corresponding computing parties, where the input party is expected to be different from any computing party, or the computing parties can get together offline and share the $s_Z$.
7.3.2.4 Properties
Communication complexity: $\sum_{Z \in A} (n - |Z| - 1)$ elements of $X$.
Round complexity: 1 round.
Tolerable adversary behaviour: passive.
7.3.3 Shared random number generation phase for the replicated additive secret sharing scheme
7.3.3.1 Parameters
Number of computing parties: n .
Threshold: k , satisfying kn≤ .
Seed space: a group X.
Deterministic random bit generator: DRBG takes a seed in $X$ and state $t$ as inputs and outputs a pseudo-random element in $G$ and an updated state $t'$.
NOTE Both the input and output of an ordinary DRBG a
...
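An added example, not code from ISO/IEC 4922-2 or any implementation of it, covering the replicated additive protocol of 7.2.2.3 (which 7.3.2 reuses unchanged as its seed sharing phase), the 7.2.2.4 message count, and the communication-free generation phase of 7.3.3; the choice of P_Z as the lowest-indexed party outside Z, the SHA-256 stand-in for the DRBG and the derivation r_Z = DRBG(s_Z, t) are my assumptions, since the page's text for 7.3.3 is cut off.

```python
from itertools import combinations
import hashlib
import secrets

# Constructed example, not the standard's code. Parties are 1..n, A is the
# family of (k-1)-subsets Z of {1..n}; party j's share is {Z: value | j not in Z}.

def unqualified_sets(n, k):
    return [frozenset(z) for z in combinations(range(1, n + 1), k - 1)]

def p_Z(Z, n):
    """Assumption: P_Z is the lowest-indexed party outside Z."""
    return min(i for i in range(1, n + 1) if i not in Z)

def share_random_values(n, k, pick=lambda: secrets.token_bytes(16)):
    """7.2.2.3 (identically the 7.3.2.3 seed sharing phase): P_Z picks a value for Z
    and sends it to every other party outside Z. Returns the share vector
    ([w]_1, ..., [w]_n) and the number of elements that crossed the network."""
    shares = [dict() for _ in range(n + 1)]            # slot 0 unused
    sent = 0
    for Z in unqualified_sets(n, k):
        i = p_Z(Z, n)
        value = pick()                                   # a) P_Z chooses r_Z (or s_Z)
        shares[i][Z] = value
        for j in range(1, n + 1):
            if j not in Z and j != i:                    # b) send to all j not in Z ∪ {i}
                shares[j][Z] = value
                sent += 1
    return shares[1:], sent                              # c), d): [w]_j = {r_Z | j ∉ Z ∈ A}

def expected_messages(n, k):
    """7.2.2.4 communication complexity: sum over Z in A of (n - |Z| - 1)."""
    return sum(n - len(Z) - 1 for Z in unqualified_sets(n, k))

def drbg(seed, state, modulus):
    """Assumed DRBG(seed in X, state t) -> (element of G = Z_modulus, t');
    SHA-256 over seed||t is only a stand-in for a real DRBG."""
    digest = hashlib.sha256(seed + state.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") % modulus, state + 1

def generate_from_seeds(seed_shares, state, modulus):
    """Assumed generation phase: every holder of s_Z derives the same r_Z locally,
    so the outputs form a replicated share vector of sum(r_Z) with no communication."""
    return [{Z: drbg(s, state, modulus)[0] for Z, s in sh.items()} for sh in seed_shares]

def reconstruct(shares, modulus):
    """Open the replicated sharing from any set of parties covering every Z."""
    r = {}
    for sh in shares:
        r.update(sh)
    return sum(r.values()) % modulus
```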

ISO/IEC 4922-2:2024 is classified under the following ICS (International Classification for Standards) categories: 35.030 - IT Security. The ICS classification helps identify the subject area and facilitates finding related standards.

You can purchase ISO/IEC 4922-2:2024 directly from iTeh Standards. The document is available in PDF format and is delivered instantly after payment. Add the standard to your cart and complete the secure checkout process. iTeh Standards is an authorized distributor of ISO standards.