Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-h24c-6p6p-m3vx: tss-lib leaks secret keys in response to incorrectly constructed Paillier moduli

Impact

The specification of the GG18 threshold ECDSA signature protocol contains a vulnerability allowing an attacker to recover the shared secret key. If a participant generates a Paillier modulus N containing small factors (less than 2^100) they can interact with other participants in the signing protocol to steal their secret key shares in as little as sixteen signing attempts. The master key can then be reconstructed from these shares.

Patches

The implementation of GG18 in tss-lib did not prove that N is biprime or that it doesn’t contain small factors. The fixed implementation adds the following proofs from the CGGMP21 threshold ECDSA protocol to the key generation:

  • Paillier-Blum Modulus (N is the product of two primes)
  • No Small Factor (both factors of N are greater than 2^256)

These proofs apply to both the Paillier encryption modulus N, and the modulus NTilde used in MTA proofs.

To address the issue in the resharing protocol, an additional round has been added to the end so that participants can confirm that they received valid proofs.

References

ghsa
Open in Source
#vulnerability#git
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. GHSA-h24c-6p6p-m3vx

tss-lib leaks secret keys in response to incorrectly constructed Paillier moduli

Critical severity GitHub Reviewed Published Sep 1, 2023 in threshold-network/tss-lib • Updated Sep 1, 2023

Package

gomod github.com/bnb-chain/tss-lib (Go)

Affected versions

<= 1.3.5

Impact

The specification of the GG18 threshold ECDSA signature protocol contains a vulnerability allowing an attacker to recover the shared secret key. If a participant generates a Paillier modulus N containing small factors (less than 2^100) they can interact with other participants in the signing protocol to steal their secret key shares in as little as sixteen signing attempts. The master key can then be reconstructed from these shares.

Patches

The implementation of GG18 in tss-lib did not prove that N is biprime or that it doesn’t contain small factors. The fixed implementation adds the following proofs from the CGGMP21 threshold ECDSA protocol to the key generation:

  • Paillier-Blum Modulus (N is the product of two primes)
  • No Small Factor (both factors of N are greater than 2^256)

These proofs apply to both the Paillier encryption modulus N, and the modulus NTilde used in MTA proofs.

To address the issue in the resharing protocol, an additional round has been added to the end so that participants can confirm that they received valid proofs.

References

  • GG18
  • CGGMP21

References

  • GHSA-h24c-6p6p-m3vx
  • threshold-network/tss-lib@2e71268
  • https://eprint.iacr.org/2019/114
  • https://eprint.iacr.org/2021/060

Published to the GitHub Advisory Database

Sep 1, 2023

ghsa: Latest News

GHSA-mm6v-68qp-f9fw: Crayfish allows Remote Code Execution via Homarus Authorization header
ghsa