Asynchronous Secret Reconstruction and Its Application to the Threshold Cryptography

Abstract

In Shamir’s threshold of the secret sharing scheme, a secret is divided into shares by a dealer and is shared among shareholders in such a way that (a) the secret can be reconstructed when there are or more than shares; and (b) the secret cannot be obtained when there are fewer than shares. In the secret reconstruction, participating users can be either legitimate shareholders or attackers. Shamir’s scheme only considers the situation when all participating users are legitimate shareholders. In this paper, we show that when there are more than users participating and shares are released asynchronously in the secret reconstruction, an attacker can always release his share last. In such a way, after knowing valid shares of legitimate shareholders, the attacker can obtain the secret and therefore, can successfully impersonate to be a legitimate shareholder without being detected. We propose a simple modification of Shamir’s scheme to fix this security problem. Threshold cryptography is a research of group-oriented applications based on the secret sharing scheme. We show that a similar security problem also exists in threshold cryptographic applications. We propose a modified scheme to fix this security problem as well.