{"uuid": "c7b747fe-1ffc-468a-9e3e-7056f10a6d1a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "GHSA-7F6P-PHW2-8253", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/3264", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: GHSA-7f6p-phw2-8253\n\ud83d\udd25 CVSS Score: N/A\n\ud83d\udd39 Description: Coinbase researchers reported 2 security issues in our implementation of the oblivious transfer (OT) based protocol [DKLS](https://eprint.iacr.org/2018/499.pdf):\n\n### 1. Secret share recovery attack\n\nIf the base OT setup of the protocol is reused for another execution of the OT extension, then a malicious participant can extract a bit of the secret of another participant. By repeating the execution they can eventually recover the whole secret.\n\nTherefore, unlike our comments suggested, you **must not reuse an OT setup** for multiple protocol executions.\n\nWe're adding a warning in the code:\n\nhttps://github.com/taurushq-io/multi-party-sig/blob/9e4400fccee89be6195d0a12dd0ed052288d5040/internal/ot/extended.go#L114\n\n### 2. Invalid security proof due to incorrect operator\n\nThe original 2018 version of the DKLS had a typo in the OT extension protocol when computing the check value in the OT extension: the paper noted a XOR whereas it should be a field multiplication. This erroneous behavior was implemented [in our code](https://github.com/taurushq-io/multi-party-sig/blob/4d84aafb57b437da1b933db9a265fb7ce4e7c138/internal/ot/extended.go#L188).\n\nThe proof of security fails in this case. No concrete attack is known, however.\n\nThe [2023 update](https://eprint.iacr.org/2018/499.pdf) of the DKLS paper reported that typo and updated the protocol definition.\n\n~As of 20241124, patching is in progress (branch [otfix](https://github.com/taurushq-io/multi-party-sig/tree/otfix)), but not merged to the main branch yet as the tests fail to pass. We're troubleshooting the issue and will merge into the main branch when it's resolved.~\n\nAs of 20250128, a patched version is available in https://github.com/taurushq-io/multi-party-sig/releases/tag/v0.7.0-alpha-2025-01-28, thanks to https://github.com/taurushq-io/multi-party-sig/pull/119.\n\n### Workarounds\n\nDo not reuse an OT setup in the event that an abort is detected, to eliminate the secret recovery attack.\n\n### Credits\n\nThanks to the Coinbase researchers Yi-Hsiu Chen and Samuel Ranellucci for discovering these issues and providing a comprehensive write-up. Thank you to Yehuda Lindell for coordinating the disclosure.\nThanks to Jay Prakash for clarifying the risk of the base setup reuse.\nThanks to @cronokirby for writing the corrected code.\n\n\ud83d\udccf Published: 2024-11-25T15:11:11Z\n\ud83d\udccf Modified: 2025-01-28T18:06:15Z\n\ud83d\udd17 References:\n1. https://github.com/taurushq-io/multi-party-sig/security/advisories/GHSA-7f6p-phw2-8253\n2. https://eprint.iacr.org/2018/499.pdf\n3. https://github.com/taurushq-io/multi-party-sig\n4. https://github.com/taurushq-io/multi-party-sig/blob/4d84aafb57b437da1b933db9a265fb7ce4e7c138/internal/ot/extended.go#L188\n5. https://github.com/taurushq-io/multi-party-sig/blob/9e4400fccee89be6195d0a12dd0ed052288d5040/internal/ot/extended.go#L114\n6. https://github.com/taurushq-io/multi-party-sig/tree/otfix", "creation_timestamp": "2025-01-28T18:10:48.000000Z"}