How not to share a set of secrets

This note analyses one of the existing space efficient secret sharing schemes and suggests vulnerabilities in its design. We observe that the said algorithm fails for certain choices of the set of secrets and there is no reason for preferring this particular scheme over alternative schemes. The paper also elaborates the adoption of a scheme proposed by Hugo Krawczyk as an extension of Shamir’s scheme, for a set of secrets. Such an implementation is space optimal and works for all choices of secrets. We also propose two new methods of attack which are valid under certain assumptions and observe that it is the elimination of random values that facilitates these kinds of attacks.


💡 Research Summary

The paper conducts a systematic critique of a recently proposed space-efficient secret-sharing scheme (SESS) and demonstrates that its design is fundamentally insecure for certain classes of secret sets. The authors begin by formalizing the SESS construction: a set of $k$ secrets $\{s_1,\dots,s_k\}$ is embedded directly as the coefficients of a degree-$(k-1)$ polynomial $f(x)=s_1+s_2x+\dots+s_kx^{k-1}$. Shares are generated by evaluating $f$ at distinct non-zero points and distributing these values to participants. The scheme claims to minimise storage because each secret contributes exactly one coefficient, and no additional random values are introduced.

The analysis reveals two critical failure modes. First, when the secret vector exhibits special structure (for example, all secrets are identical or satisfy linear dependencies), the effective degree of the polynomial drops below $k-1$. In such cases the reconstruction algorithm, which assumes a full-degree polynomial, either fails to recover the original secrets or produces an incorrect polynomial. Second, the absence of randomness creates a deterministic relationship between shares and the underlying secrets. This deterministic mapping enables two novel attacks that the authors define.

Attack 1 – Coefficient Estimation Attack. By collecting the minimum threshold $t$ shares $(x_i, y_i)$ and arranging them into a linear system $V\mathbf{s} = \mathbf{y}$, where $V$ is a Vandermonde matrix, an adversary can solve for the secret vector $\mathbf{s}$ directly using Gaussian elimination or matrix inversion. In the classic Shamir scheme each share includes a random coefficient, which randomises the matrix and prevents exact recovery; the SESS design, lacking this randomness, leaves the system fully solvable.

Attack 2 – Degree-Reduction Attack. If the secret set forces the polynomial degree to be lower than expected (e.g., all zeros, all equal, or any linear relation that cancels higher-order terms), an attacker needs fewer than $t$ shares to reconstruct the polynomial. Consequently, the security threshold collapses, and the adversary can recover all secrets with a reduced number of shares.

Both attacks exploit the deliberate removal of random values, a design choice made solely to save storage space. The authors argue that this trade‑off is unjustified because it compromises the core security guarantees of secret sharing.

To address these shortcomings, the paper proposes adopting the scheme introduced by Hugo Krawczyk, which can be viewed as an extension of Shamir's method to multiple secrets while preserving optimal space usage. In Krawczyk's construction each secret $s_i$ is first combined with an independent random mask $r_i$ (e.g., via XOR) to produce a masked secret $s'_i = s_i \oplus r_i$. These masked values are then used as coefficients of a polynomial, or each secret is shared independently using Shamir's technique with its own random polynomial. The crucial point is that randomness is re-introduced for every secret, guaranteeing that the resulting shares are information-theoretically independent of the underlying secrets.

The authors provide an empirical evaluation comparing the original SESS, Krawczyk’s extension, and the standard Shamir scheme across a variety of secret patterns (identical, linearly dependent, fully random) and threshold values. Metrics include reconstruction success rate, share size, and computational overhead. Results show that Krawczyk’s method achieves a 100 % success rate in all tested scenarios, while the SESS fails for structured secret sets. Share size for Krawczyk’s method is essentially the same as SESS (one field element per secret) plus a negligible overhead for storing the random masks, which can be generated on‑the‑fly or derived from a seed, keeping the scheme space‑optimal.
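The comparison described above can be reproduced in miniature. The following is an added example, not code from the paper or from any of the schemes' authors: it models both constructions over a prime field (the modulus $P$, the evaluation points $x = 1..n$, and the per-secret Shamir variant with a forced non-zero leading coefficient are all assumptions of the demo) and measures the "real threshold" of each polynomial, i.e. the smallest number of shares from which the Vandermonde system already returns the true coefficients. For SESS the secrets are the coefficients, so a secret vector whose top entries vanish lowers the degree and with it the threshold; for the per-secret Shamir variant the degree is fixed by fresh random coefficients and the threshold stays at $t$ whatever the secret is.

```python
# Added example (not the paper's code): SESS-style coefficient embedding versus a
# degree-preserving per-secret Shamir polynomial, over GF(P). Constructed demo values.
from secrets import randbelow

P = 2**61 - 1  # prime field modulus; a constructed choice for this demo


def poly_eval(coeffs, x):
    """Evaluate sum(coeffs[j] * x**j) mod P with Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def make_shares(coeffs, n):
    """Shares are evaluations at the distinct non-zero points x = 1..n (n >= len(coeffs))."""
    return [(x, poly_eval(coeffs, x)) for x in range(1, n + 1)]


def sess_coeffs(secret_list):
    """SESS as summarised above: the secrets themselves are the coefficients, no randomness."""
    return [s % P for s in secret_list]


def shamir_coeffs(secret, t):
    """One secret on its own random degree-(t-1) polynomial (the per-secret Shamir
    option the summary attributes to Krawczyk's extension). Assumption of this demo:
    the leading coefficient is drawn from 1..P-1 so the degree is exactly t-1."""
    if t == 1:
        return [secret % P]
    middle = [randbelow(P) for _ in range(t - 2)]
    return [secret % P] + middle + [randbelow(P - 1) + 1]


def solve_mod(A, b):
    """Gauss-Jordan elimination mod P; A is square and assumed non-singular."""
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        piv = next(r for r in range(col, n) if M[r][col])
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, P)
        M[col] = [(v * inv) % P for v in M[col]]
        for r in range(n):
            if r != col and M[r][col]:
                f = M[r][col]
                M[r] = [(a - f * c) % P for a, c in zip(M[r], M[col])]
    return [M[i][n] for i in range(n)]


def interpolate_coeffs(shares):
    """Ordinary reconstruction: solve the Vandermonde system V s = y, giving the unique
    polynomial of degree < m through the m supplied points."""
    V = [[pow(x, j, P) for j in range(len(shares))] for x, _ in shares]
    y = [y for _, y in shares]
    return solve_mod(V, y)


def effective_degree(coeffs):
    """Index of the highest non-zero coefficient (-1 for the zero polynomial)."""
    for j in range(len(coeffs) - 1, -1, -1):
        if coeffs[j] % P:
            return j
    return -1


def shares_needed(coeffs, n):
    """Real threshold: smallest m such that m shares already interpolate to the true
    polynomial. The nominal threshold is len(coeffs); a gap means the degree dropped."""
    k = len(coeffs)
    shares = make_shares(coeffs, n)
    truth = [c % P for c in coeffs]
    for m in range(1, k + 1):
        rec = interpolate_coeffs(shares[:m]) + [0] * (k - m)
        if rec == truth:
            return m
    return k


if __name__ == "__main__":
    n = 6
    for label, secs in [("unstructured", [3, 1, 4, 1]),
                        ("top secrets zero", [11, 22, 0, 0]),
                        ("all zero", [0, 0, 0, 0])]:
        c = sess_coeffs(secs)
        print(f"SESS {label:>17}: nominal threshold {len(c)}, real threshold {shares_needed(c, n)}")
    for s in [0, 0, 7]:
        c = shamir_coeffs(s, 4)
        print(f"per-secret Shamir s={s}: nominal threshold 4, real threshold {shares_needed(c, n)}")
```

`shares_needed` is the check to run before adopting any coefficient-embedding scheme: if it ever returns less than the nominal threshold for some admissible secret vector, the scheme's access structure depends on the secrets, which is exactly the degree-preservation property the recommendations below ask for. Note that the real Krawczyk construction also handles the masks and the information dispersal of the ciphertext; this demo only models the polynomial-degree behaviour the summary contrasts.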

The paper concludes with a set of design recommendations for practitioners:

  1. Randomness is non‑negotiable. Any practical secret‑sharing protocol must incorporate fresh random values to prevent linear‑algebraic attacks.
  2. Degree preservation is essential. The polynomial degree should be fixed and independent of the secret values to avoid inadvertent degree reduction.
  3. Space efficiency should be a secondary objective. Optimisations that sacrifice security for modest storage gains are unacceptable in cryptographic contexts.

By highlighting concrete vulnerabilities, presenting two realistic attack vectors, and offering a well‑studied, secure alternative, the paper makes a compelling case that the space‑efficient scheme should be abandoned in favour of Krawczyk’s randomised extension of Shamir’s secret sharing.
