Skip to content

Taurus multi-party-sig has OT-based ECDSA protocol implementation flaws

High severity GitHub Reviewed Published Nov 24, 2024 in taurushq-io/multi-party-sig • Updated Nov 25, 2024

Package

gomod github.com/taurusgroup/multi-party-sig (Go)

Affected versions

<= 0.6.0-alpha-2021-09-21

Patched versions

None

Description

Coinbase researchers reported 2 security issues in our implementation of the oblivious transfer (OT) based protocol DKLS:

1. Secret share recovery attack

If the base OT setup of the protocol is reused for another execution of the OT extension, then a malicious participant can extract a bit of the secret of another participant. By repeating the execution they can eventually recover the whole secret.

Therefore, unlike our comments suggested, you must not reuse an OT setup for multiple protocol executions.

We're adding a warning in the code:

https://github.com/taurushq-io/multi-party-sig/blob/9e4400fccee89be6195d0a12dd0ed052288d5040/internal/ot/extended.go#L114

2. Invalid security proof due to incorrect operator

The original 2018 version of the DKLS had a typo in the OT extension protocol when computing the check value in the OT extension: the paper noted a XOR whereas it should be a field multiplication. This erroneous behavior was implemented in our code.

The proof of security fails in this case. No concrete attack is known, however.

The 2023 update of the DKLS paper reported that typo and updated the protocol definition.

As of 20241124, patching is in progress (branch otfix), but not merged to the main branch yes as the tests fail to pass. We're troubleshooting the issue and will merge into the main branch when it's resolved.

Workarounds

Do not reuse an OT setup, to eliminate the secret recovery attack.

Avoid using our implementation of the DKLS protocol until we patch it, and maybe avoid DKLS altogether.

Credits

Thank you to the Coinbase researchers Yi-Hsiu Chen and Samuel Ranellucci for discovering these issues and providing a comprehensive write-up. Thank you to Yehuda Lindell for coordinating the disclosure.

References

@veorq veorq published to taurushq-io/multi-party-sig Nov 24, 2024
Published to the GitHub Advisory Database Nov 25, 2024
Reviewed Nov 25, 2024
Last updated Nov 25, 2024

Severity

High

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-7f6p-phw2-8253
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.