Remove unnecessary index shuffling #10
Conversation
|
I agree that the index shuffling is not required by the security of the design. However, it is not a vulnerability. As noted, this implementation correctly avoids unintentional use of a zero evaluation. I would prefer to leave this implementation as-is for two primary reasons.
|
|
Understood. It may at least be worth a comment in the code that the shuffling is biased, but that security doesn't depend on this. Otherwise, a reader might use the biased shuffle elsewhere where security could be affected. Might make a corresponding issue/PR on the linked repository if the same technique is used. |
|
Interestingly, upstream implemented the shuffle for a reason, in particular to avoid leaking information about the number of shares. This wasn't for a particular threat model, and it's unclear if such a leak would be of concern in this implementation. The shuffle in the Go implementation uses a library function that internally uses a Fisher-Yates-type shuffle. They elect to use an insecure seed for the shuffle for unclear reasons. |
The implementation currently produces share indexes by shuffling an ordered index list. This shuffling is unnecessary, since the security of the design does not require such a distribution of share indexes. Further, the shuffling method used is biased, which was presumably not intended.
This PR simplifies the design by removing the shuffling entirely and issuing shares in numerical order. The change also makes it much easier to assert that a zero-indexed share (which would reveal the secret) is never produced.