While auditing the Shamir Secret Sharing implementation in the jsbtc library, I identified a cryptographic vulnerability in the coefficient generation process. This flaw violates the information-theoretic security of the SSSS by introducing a non-uniform distribution.
The vulnerability exists in src/functions/shamir_secret_sharing.js within the __split_secret function. Specifically, the implementation uses a rejection sampling loop:
while (q.includes(w))
This logic forces all polynomial coefficients to be distinct ($a_0 \neq a_1 \neq a_2 ... \neq a_n$).
In a standard Shamir scheme, coefficients must be chosen independently and uniformly from GF(256). By enforcing distinctness, the implementation leaks information about the secret to any attacker holding $k-1$ shares. For a threshold of 3, the keyspace for each byte is reduced from 256 to ~253 candidates. Across a 16-byte entropy (BIP-39), this results in a measurable reduction of the search space by a factor of approximately $(256/253)^{16} \approx 1.21$.
While some issues have touched on "non-uniformity," my report provides a full mathematical breakdown and a comparison with the pybtc implementation to confirm the intended behavior vs. the current JS flaw.
I have sent a comprehensive Security Advisory Report (PDF) including a Python-based Proof of Concept to admin@bitaps.com.
Reference Name in Email: VortexQuant171
Bounty Program: This report is submitted for the Shamir Secret Backup Scheme Bug Bounty.
Please let me know if you require further technical details.
My addres BTC: bc1q4y5sn0wxprx0yxjc7qejk4w7pvj9lc20uqsl4x
Thank you
While auditing the Shamir Secret Sharing implementation in the
jsbtclibrary, I identified a cryptographic vulnerability in the coefficient generation process. This flaw violates the information-theoretic security of the SSSS by introducing a non-uniform distribution.The vulnerability exists in
src/functions/shamir_secret_sharing.jswithin the__split_secretfunction. Specifically, the implementation uses a rejection sampling loop:while (q.includes(w))This logic forces all polynomial coefficients to be distinct ($a_0 \neq a_1 \neq a_2 ... \neq a_n$ ).
In a standard Shamir scheme, coefficients must be chosen independently and uniformly from GF(256). By enforcing distinctness, the implementation leaks information about the secret to any attacker holding$k-1$ shares. For a threshold of 3, the keyspace for each byte is reduced from 256 to ~253 candidates. Across a 16-byte entropy (BIP-39), this results in a measurable reduction of the search space by a factor of approximately $(256/253)^{16} \approx 1.21$ .
While some issues have touched on "non-uniformity," my report provides a full mathematical breakdown and a comparison with the
pybtcimplementation to confirm the intended behavior vs. the current JS flaw.I have sent a comprehensive Security Advisory Report (PDF) including a Python-based Proof of Concept to
admin@bitaps.com.Reference Name in Email: VortexQuant171
Bounty Program: This report is submitted for the Shamir Secret Backup Scheme Bug Bounty.
Please let me know if you require further technical details.
My addres BTC: bc1q4y5sn0wxprx0yxjc7qejk4w7pvj9lc20uqsl4x
Thank you