The Trust Problem
Shamir’s scheme has a hidden assumption: we trust the dealer.
The dealer builds the polynomial, computes all shares, and hands them out. Players receive their share and… just believe it’s correct?
What if the dealer cheats?
How a Dealer Can Cheat
A malicious dealer could give inconsistent shares to different players.
| Player | Share received |
|---|---|
| Alice | Point from polynomial |
| Bob | Point from polynomial |
| Carol | Point from a different polynomial |
When Alice and Bob combine shares, they recover the real secret.
When Alice and Carol combine shares, they get garbage. Or worse, a wrong secret that looks valid.
The dealer can selectively control who can reconstruct and who cannot.
The Problem with Blind Trust
Players have no way to verify their shares are consistent.
- Each player only sees their own share
- They can’t compare with others (that would leak information)
- They only discover the problem at reconstruction time
- By then, it’s too late
In basic Shamir, you must trust the dealer completely. That’s a dangerous assumption.
The Solution: Commitments
What if the dealer had to commit to the polynomial before distributing shares?
A commitment scheme lets you:
- Commit to a value (lock it in, but keep it hidden)
- Reveal later (prove what you committed to)
| Property | Meaning |
|---|---|
| Hiding | Commitment reveals nothing about the value |
| Binding | Can’t change the value after committing |
Verifiable Secret Sharing
Verifiable Secret Sharing (VSS) adds commitments to Shamir’s scheme.
The dealer must commit to the polynomial coefficients publicly. Players can then verify their share is consistent with those commitments.
If the dealer cheated, the math won’t check out.
How It Works
Setup: Dealer has polynomial
Step 1: Commit to coefficients
The dealer publishes commitments to every coefficient:
| Coefficient | Commitment |
|---|---|
| (secret) | |
| … | … |
These commitments are public. Everyone sees them.
But commitments are hiding. No one learns the actual values.
Step 2: Distribute shares
Dealer gives each player their share as usual:
- Player 1 gets
- Player 2 gets
- Player gets
Step 3: Players verify
Here’s the key insight. If we use homomorphic commitments (like Pedersen commitments), we can do math on commitments:
Player can compute what the commitment to should be:
Then they check: does this match their share?
If the dealer gave you a fake share, the commitment check fails.
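The following is an added example, not code from the original page. It walks through the cheating-dealer scenario above (Alice and Bob get honest shares, Carol gets a point from a different polynomial) and the verification step, using Pedersen commitments over a toy Schnorr group. The group parameters (p = 1019, q = 509, generators 4 and 9), the player numbering, and the secret 42 are all constructed for illustration; a real deployment uses a group of cryptographic size and a second generator whose discrete log nobody knows.

```python
"""Pedersen-style verifiable secret sharing over a toy Schnorr group.

Added example, not from the original page. Parameters are constructed for
illustration and are far too small for real use.
"""
import secrets

# Constructed toy parameters: p = 2q + 1 with both p and q prime.
P = 1019
Q = 509
G = 4  # 2^2 is a quadratic residue, so it generates the order-Q subgroup
H = 9  # 3^2, second generator; in practice log_G(H) must be unknown to all


def commit(a: int, b: int) -> int:
    """Pedersen commitment C = g^a * h^b mod p.
    Hiding: b is random, so C reveals nothing about a.
    Binding: opening to a different a requires log_G(H)."""
    return (pow(G, a, P) * pow(H, b, P)) % P


def evaluate(coeffs, x: int) -> int:
    """Evaluate a polynomial with coefficients in Z_q at x."""
    return sum(c * pow(x, j, Q) for j, c in enumerate(coeffs)) % Q


def deal(secret: int, threshold: int, n: int):
    """Honest dealer. Step 1: commit to every coefficient of the secret
    polynomial f (blinded by a second random polynomial r).
    Step 2: hand player i the share (f(i), r(i))."""
    f = [secret % Q] + [secrets.randbelow(Q) for _ in range(threshold - 1)]
    r = [secrets.randbelow(Q) for _ in range(threshold)]
    commitments = [commit(a, b) for a, b in zip(f, r)]          # public
    shares = {i: (evaluate(f, i), evaluate(r, i)) for i in range(1, n + 1)}
    return commitments, shares


def verify_share(i: int, share, commitments) -> bool:
    """Step 3: player i uses the homomorphic property to recompute the
    commitment to f(i) from the public coefficient commitments,
    prod_j C_j^(i^j) = g^f(i) * h^r(i), and checks it against their share."""
    s, t = share
    expected = 1
    for j, c in enumerate(commitments):
        expected = (expected * pow(c, pow(i, j, Q), P)) % P
    return commit(s, t) == expected


def reconstruct(points) -> int:
    """Plain Shamir reconstruction: Lagrange interpolation at x = 0 in Z_q."""
    total = 0
    for i, (s, _) in points.items():
        num, den = 1, 1
        for k in points:
            if k != i:
                num = (num * (-k)) % Q
                den = (den * (i - k)) % Q
        total = (total + s * num * pow(den, -1, Q)) % Q
    return total


def demo(secret: int = 42) -> dict:
    """The page's scenario: Alice (1) and Bob (2) get honest shares,
    Carol (3) gets a point from a different polynomial."""
    commitments, shares = deal(secret, threshold=2, n=3)
    s3, t3 = shares[3]
    # Cheat: Carol's share lies on f(x) + 7 with the same blinding polynomial,
    # i.e. the dealer is really sharing secret + 7 with her.
    shares[3] = ((s3 + 7) % Q, t3)
    checks = {i: verify_share(i, sh, commitments) for i, sh in shares.items()}
    return {
        "checks": checks,                                   # Carol's fails
        "alice_bob": reconstruct({1: shares[1], 2: shares[2]}),
        "alice_carol": reconstruct({1: shares[1], 3: shares[3]}),
    }


if __name__ == "__main__":
    print(demo())
```

Without the check, Alice and Carol would happily reconstruct a wrong value that looks just as valid as the real secret; with it, Carol rejects her share before reconstruction ever happens. Exponents are reduced mod q because every commitment lives in the subgroup of order q.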
Key Insight
Verifiable Secret Sharing transforms “trust the dealer” into “verify the math.”
The commitment scheme acts as a cryptographic receipt. The dealer commits publicly, and that commitment holds them accountable.
Don’t trust. Verify.