> or the leading zero coefficient that I pointed to at the other post.
That isn't actually a problem, although I've seen a lot of people who think it is.
The problem is framed as "if you have a leading zero coefficient, it's equivalent to a threshold of t-1", but you'd need a zero leading coefficient for every polynomial.
With a 32-byte secret and GF(2^8), you expect at least one leading zero coefficient in 11% of random secrets, but a threshold reduction from t to t-1 only occurs with 2^-256 probability (that is, every leading coefficient has to be 0).
You might think you can detect this condition, but SSS is kind of like a one-time pad if you don't have sufficient shares.
> it doesn't mention any other concern like constant time implementations, cache side channel attacks
These are table stakes for secure cryptography. ZKDocs is a guide to algorithms, not implementations.
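As an added illustration of the two points above (example code written for this page, not code from the thread, from ZKDocs or from any library): byte-wise Shamir sharing over GF(2^8), where the caller pins the top coefficient of each byte's polynomial so the degenerate case can be constructed on purpose. All function names are my own; the probabilities follow from one degree t-1 polynomial per byte with a uniformly random top coefficient.

```python
import secrets

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = (a << 1) ^ (0x11B if a & 0x80 else 0), b >> 1
    return r

def gf_inv(a):
    return next(b for b in range(1, 256) if gf_mul(a, b) == 1)

def eval_poly(coeffs, x):
    acc = 0
    for c in reversed(coeffs):          # Horner's rule; coeffs[0] is the secret byte
        acc = gf_mul(acc, x) ^ c
    return acc

def interpolate_at_zero(points):
    result = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:                  # Lagrange basis at x = 0; subtraction is XOR
                num, den = gf_mul(num, xj), gf_mul(den, xi ^ xj)
        result ^= gf_mul(yi, gf_mul(num, gf_inv(den)))
    return result

def split(secret, t, n, leading):
    """leading[i] fixes byte i's top coefficient (uniform in real SSS, so 0 w.p. 1/256)."""
    shares = [[] for _ in range(n)]
    for i, s in enumerate(secret):
        coeffs = [s] + [secrets.randbelow(256) for _ in range(t - 2)] + [leading[i]]
        for x in range(1, n + 1):
            shares[x - 1].append((x, eval_poly(coeffs, x)))
    return shares

def recover(subset):
    return bytes(interpolate_at_zero([sh[i] for sh in subset]) for i in range(len(subset[0])))

def leaked_positions(secret, shares, t):
    """Bytes that t-1 shares reconstruct correctly: the degree t-2 interpolant equals
    the true byte iff that byte's top coefficient is 0, and the shares give no hint which."""
    guess = recover(shares[:t - 1])
    return [i for i in range(len(secret)) if guess[i] == secret[i]]

def degenerate_probabilities(nbytes=32):
    return 1 - (255 / 256) ** nbytes, 256.0 ** -nbytes   # P[some top coeff 0], P[all 0]
```

Only when every byte's top coefficient is zero does the threshold really drop to t-1; a single zero exposes one byte and nothing more, and a holder of t-1 shares cannot tell which byte that was.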