In a distributed scheme allowing any number of members to compute a commonsecret without revealing individual secret was proposed. We present asecurity weakness of this protocol. In doing so, we show that any twomembers can collude and obtain the secret contributed by middle memberin generating the common secret.

Journal of Cryptology