Headline
GHSA-7f6p-phw2-8253: Taurus multi-party-sig has OT-based ECDSA protocol implementation flaws
Coinbase researchers reported 2 security issues in our implementation of the oblivious transfer (OT) based protocol DKLS:
1. Secret share recovery attack
If the base OT setup of the protocol is reused for another execution of the OT extension, then a malicious participant can extract a bit of the secret of another participant. By repeating the execution they can eventually recover the whole secret.
Therefore, unlike our comments suggested, you must not reuse an OT setup for multiple protocol executions.
We’re adding a warning in the code:
https://github.com/taurushq-io/multi-party-sig/blob/9e4400fccee89be6195d0a12dd0ed052288d5040/internal/ot/extended.go#L114
2. Invalid security proof due to incorrect operator
The original 2018 version of the DKLS had a typo in the OT extension protocol when computing the check value in the OT extension: the paper noted a XOR whereas it should be a field multiplication. This erroneous behavior was implemented in our code.
The proof of security fails in this case. No concrete attack is known, however.
The 2023 update of the DKLS paper reported that typo and updated the protocol definition.
As of 20241124, patching is in progress (branch otfix), but not merged to the main branch yes as the tests fail to pass. We’re troubleshooting the issue and will merge into the main branch when it’s resolved.
Workarounds
Do not reuse an OT setup, to eliminate the secret recovery attack.
Avoid using our implementation of the DKLS protocol until we patch it, and maybe avoid DKLS altogether.
Credits
Thank you to the Coinbase researchers Yi-Hsiu Chen and Samuel Ranellucci for discovering these issues and providing a comprehensive write-up. Thank you to Yehuda Lindell for coordinating the disclosure.
Coinbase researchers reported 2 security issues in our implementation of the oblivious transfer (OT) based protocol DKLS:
1. Secret share recovery attack
If the base OT setup of the protocol is reused for another execution of the OT extension, then a malicious participant can extract a bit of the secret of another participant. By repeating the execution they can eventually recover the whole secret.
Therefore, unlike our comments suggested, you must not reuse an OT setup for multiple protocol executions.
We’re adding a warning in the code:
https://github.com/taurushq-io/multi-party-sig/blob/9e4400fccee89be6195d0a12dd0ed052288d5040/internal/ot/extended.go#L114
2. Invalid security proof due to incorrect operator
The original 2018 version of the DKLS had a typo in the OT extension protocol when computing the check value in the OT extension: the paper noted a XOR whereas it should be a field multiplication. This erroneous behavior was implemented in our code.
The proof of security fails in this case. No concrete attack is known, however.
The 2023 update of the DKLS paper reported that typo and updated the protocol definition.
As of 20241124, patching is in progress (branch otfix), but not merged to the main branch yes as the tests fail to pass. We’re troubleshooting the issue and will merge into the main branch when it’s resolved.
Workarounds
Do not reuse an OT setup, to eliminate the secret recovery attack.
Avoid using our implementation of the DKLS protocol until we patch it, and maybe avoid DKLS altogether.
Credits
Thank you to the Coinbase researchers Yi-Hsiu Chen and Samuel Ranellucci for discovering these issues and providing a comprehensive write-up. Thank you to Yehuda Lindell for coordinating the disclosure.
References
- GHSA-7f6p-phw2-8253
- https://eprint.iacr.org/2018/499.pdf
- https://github.com/taurushq-io/multi-party-sig/blob/4d84aafb57b437da1b933db9a265fb7ce4e7c138/internal/ot/extended.go#L188
- https://github.com/taurushq-io/multi-party-sig/blob/9e4400fccee89be6195d0a12dd0ed052288d5040/internal/ot/extended.go#L114
- https://github.com/taurushq-io/multi-party-sig/tree/otfix