Attack on Verifiable Secret Sharing scheme

From: Ann Brandon (
Date: 07/28/05

Date: Thu, 28 Jul 2005 20:54:55 +0200

Hi group,

This question is somehow related to my question from yesterday, but I
hope you can understand it without reading my former postings.

Let us consider n parties P_1, ... , P_n and a polynomial:
f(x) = a_0 + a_1*x + ... + a_t*x^t mod p shared by a dealer D.
First the values COMMIT_i = g^{a_i}, 0<=i<=t are sent to each party.
Then each party gets its share: s_j = f(j), 1<=j<=n, and can verify the
correctness of its share.

Later the dealer wants to share another secret a'_0. D first
generates the commitment COMMIT'_0 = g^{a'_0} and sends it to every party
P_j. Then D creates shares:
s'_j = f'(j), where f'(x) = a'_0 + a_1*x + ... + a_t*x^t mod p, and sends
the share s'_j to party P_j.
As you see, the polynomial f and f' only differ in the constant coefficient.

Each party now holds s_j and s'_j and the commitments. Is it now
possible for an adversary who controls up to t parties, and hence knows
2t shares in all (t shares for each polynomial, but the polynomials f and f'
only differ in the constant coefficient), to reconstruct the secrets a_0
and/or a'_0?

In fact, an adversary knows the difference d = a_0 - a'_0 = s_j - s'_j of
the secrets, but will this help in reconstructing the secrets? Is there
any other problem besides the knowledge of the difference?

Thanks for your time,
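The scheme from the question, as an added toy implementation (not code from the poster or the thread): Feldman-style commitments COMMIT_i = g^{a_i}, the share check each P_j performs, and the second dealing f' that reuses a_1..a_t. It assumes toy parameters Q = 11, P = 2Q+1 = 23 and g = 4 of order Q (the post writes "mod p" for both shares and commitments; here the exponents live mod Q). The brute force at the end enumerates which values of a_0 stay consistent with the t shares an adversary holds, which makes the secrecy question concrete for the toy field.

```python
from itertools import product
from typing import Dict, List

Q = 11   # prime order of the exponent group (constructed toy parameter)
P = 23   # P = 2*Q + 1, so quadratic residues mod P have order Q
G = 4    # generator of the order-Q subgroup of Z_P^* (4 = 2^2 mod 23)

def eval_poly(coeffs: List[int], x: int) -> int:
    """f(x) = a_0 + a_1*x + ... + a_t*x^t mod Q, by Horner's rule."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) % Q
    return acc

def commit(coeffs: List[int]) -> List[int]:
    """COMMIT_i = g^{a_i} mod P for i = 0..t."""
    return [pow(G, a, P) for a in coeffs]

def verify_share(j: int, share: int, commits: List[int]) -> bool:
    """P_j checks g^{s_j} == prod_i COMMIT_i^{j^i} mod P (exponents mod Q)."""
    rhs = 1
    for i, c in enumerate(commits):
        rhs = rhs * pow(c, pow(j, i, Q), P) % P
    return pow(G, share, P) == rhs

def deal(coeffs: List[int], n: int) -> Dict[int, int]:
    """s_j = f(j) for parties P_1..P_n."""
    return {j: eval_poly(coeffs, j) for j in range(1, n + 1)}

def consistent_secrets(known: Dict[int, int], t: int) -> set:
    """Brute force (toy Q only): every a_0 for which some degree-t polynomial
    over Z_Q agrees with the shares the adversary knows (dict j -> s_j)."""
    return {c[0] for c in product(range(Q), repeat=t + 1)
            if all(eval_poly(c, j) == s for j, s in known.items())}

def demo(t: int = 2, n: int = 5):
    a = [7, 3, 9]            # f: a_0 = 7 is the first secret (constructed)
    a2 = [2] + a[1:]         # f': a'_0 = 2, same a_1..a_t as in the post
    c, c2 = commit(a), commit(a2)   # c2 differs from c only in COMMIT'_0
    s, s2 = deal(a, n), deal(a2, n)
    ok = all(verify_share(j, s[j], c) and verify_share(j, s2[j], c2) for j in s)
    diffs = {(s[j] - s2[j]) % Q for j in s}   # one value for every party
    corrupt = range(1, t + 1)                 # adversary controls P_1..P_t
    cands = consistent_secrets({j: s[j] for j in corrupt}, t)
    return ok, diffs, cands
```

`demo()` returns all shares verifying, a single difference value d = 5 shared by every party, and all Q candidates for a_0 still consistent with the t known shares; since s'_j = s_j - d, the shares of f' add no constraint beyond d itself.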
