GHSA-H24C-6P6P-M3VX

Vulnerability from github – Published: 2023-09-01 20:51 – Updated: 2023-09-01 20:51
VLAI
Summary
tss-lib leaks secret keys in response to incorrectly constructed Paillier moduli
Details

Impact

The specification of the GG18 threshold ECDSA signature protocol contains a vulnerability allowing an attacker to recover the shared secret key. If a participant generates a Paillier modulus N containing small factors (less than 2^100) they can interact with other participants in the signing protocol to steal their secret key shares in as little as sixteen signing attempts. The master key can then be reconstructed from these shares.

Patches

The implementation of GG18 in tss-lib did not prove that N is biprime or that it doesn't contain small factors. The fixed implementation adds the following proofs from the CGGMP21 threshold ECDSA protocol to the key generation:

  • Paillier-Blum Modulus (N is the product of two primes)
  • No Small Factor (both factors of N are greater than 2^256)

These proofs apply to both the Paillier encryption modulus N, and the modulus NTilde used in MTA proofs.

To address the issue in the resharing protocol, an additional round has been added to the end so that participants can confirm that they received valid proofs.

References

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/bnb-chain/tss-lib"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.3.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-09-01T20:51:05Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nThe specification of the GG18 threshold ECDSA signature protocol contains a vulnerability allowing an attacker to recover the shared secret key. If a participant generates a Paillier modulus `N` containing small factors (less than `2^100`) they can interact with other participants in the signing protocol to steal their secret key shares in as little as sixteen signing attempts. The master key can then be reconstructed from these shares.\n\n### Patches\n\nThe implementation of GG18 in tss-lib did not prove that `N` is biprime or that it doesn\u0027t contain small factors. The fixed implementation adds the following proofs from the CGGMP21 threshold ECDSA protocol to the key generation:\n\n- Paillier-Blum Modulus (`N` is the product of two primes)\n- No Small Factor (both factors of `N` are greater than `2^256`)\n\nThese proofs apply to both the Paillier encryption modulus `N`, and the modulus `NTilde` used in MTA proofs.\n\nTo address the issue in the resharing protocol, an additional round has been added to the end so that participants can confirm that they received valid proofs.\n\n### References\n\n- [GG18](https://eprint.iacr.org/2019/114)\n- [CGGMP21](https://eprint.iacr.org/2021/060)",
  "id": "GHSA-h24c-6p6p-m3vx",
  "modified": "2023-09-01T20:51:05Z",
  "published": "2023-09-01T20:51:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/threshold-network/tss-lib/security/advisories/GHSA-h24c-6p6p-m3vx"
    },
    {
      "type": "WEB",
      "url": "https://github.com/threshold-network/tss-lib/commit/2e712689cfbeefede15f95a0ec7112227d86f702"
    },
    {
      "type": "WEB",
      "url": "https://eprint.iacr.org/2019/114"
    },
    {
      "type": "WEB",
      "url": "https://eprint.iacr.org/2021/060"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/threshold-network/tss-lib"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "tss-lib leaks secret keys in response to incorrectly constructed Paillier moduli"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…