Sharing over groups

We do not know the exact reference for this, but the idea is quite straightforward. Suppose we have a group $G$ of order $q$.

We call a group sharing (and denote $[X]_G$) the linear sharing over this group. The additions and multiplications by public scalar in $\mathbb{Z}_q$ work as expected. Provided we have Beaver triples over $\mathbb{Z}_q$ we can use them to multiply elements by $\mathbb{Z}_q$-shared scalars.

Finally, provided we have a pairing $G_1 \times G_2 \rightarrow G_m$, we can also pair shared elements using Beaver triples.

This is heavily used in a recent work https://eprint.iacr.org/2021/1530 on Collaborative SNARKs, which exploits this fact to efficiently prove SNARKs in MPC.

In a situation where $G$ is a group of points of an elliptic curve over $\mathbb{F}_p$ (which we assume is given in Edwards form and has closed addition formulas), it makes sense to discuss the type conversions:

• In order to go from $[X]_G$ to coordinate sharing, we pick each player's elliptic share $X_i$ and interpret it is an individual variable $(0, 0, ..., X_i, ..., 0)$. These can be converted into coordinate form trivially (because they are not shared), and then added up using addition formulas. The addition can be done in a small number of rounds using technique similar to unbounded multiplication fan-in, but we are not certain whether this actually gives a speedup in practice.

• We never require the reverse type conversion, but it can also, theoretically, be done, by all players except player 0 choosing random elements $X_i$, then subtracting them from a coordinate-shared element $X$, and, finally, revealing their shares of $X - \underset{i>0}\sum X_i$ to the player 0.

The first conversion is useful for the El Gamal shared decryption.