GHSA-7F6P-PHW2-8253

Vulnerability from github – Published: 2024-11-25 15:11 – Updated: 2025-01-28 18:06
VLAI?
Summary
Taurus multi-party-sig has OT-based ECDSA protocol implementation flaws
Details

Coinbase researchers reported 2 security issues in our implementation of the oblivious transfer (OT) based protocol DKLS:

1. Secret share recovery attack

If the base OT setup of the protocol is reused for another execution of the OT extension, then a malicious participant can extract a bit of the secret of another participant. By repeating the execution they can eventually recover the whole secret.

Therefore, unlike our comments suggested, you must not reuse an OT setup for multiple protocol executions.

We're adding a warning in the code:

https://github.com/taurushq-io/multi-party-sig/blob/9e4400fccee89be6195d0a12dd0ed052288d5040/internal/ot/extended.go#L114

2. Invalid security proof due to incorrect operator

The original 2018 version of the DKLS had a typo in the OT extension protocol when computing the check value in the OT extension: the paper noted a XOR whereas it should be a field multiplication. This erroneous behavior was implemented in our code.

The proof of security fails in this case. No concrete attack is known, however.

The 2023 update of the DKLS paper reported that typo and updated the protocol definition.

~As of 20241124, patching is in progress (branch otfix), but not merged to the main branch yes as the tests fail to pass. We're troubleshooting the issue and will merge into the main branch when it's resolved.~

As of 20250128, a patched version is available in https://github.com/taurushq-io/multi-party-sig/releases/tag/v0.7.0-alpha-2025-01-28, thanks to https://github.com/taurushq-io/multi-party-sig/pull/119.

Workarounds

Do not reuse an OT setup in the event that an abort is detected, to eliminate the secret recovery attack.

Credits

Thanks to the Coinbase researchers Yi-Hsiu Chen and Samuel Ranellucci for discovering these issues and providing a comprehensive write-up. Thank you to Yehuda Lindell for coordinating the disclosure. Thanks to Jay Prakash for clarifying the risk of the base setup reuse. Thanks to @cronokirby for writing the corrected code.

Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.6.0-alpha-2021-09-21"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/taurusgroup/multi-party-sig"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.7.0-alpha-2025-01-28"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-25T15:11:11Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "Coinbase researchers reported 2 security issues in our implementation of the oblivious transfer (OT) based protocol [DKLS](https://eprint.iacr.org/2018/499.pdf):\n\n### 1. Secret share recovery attack\n\nIf the base OT setup of the protocol is reused for another execution of the OT extension, then a malicious participant can extract a bit of the secret of another participant. By repeating the execution they can eventually recover the whole secret.\n\nTherefore, unlike our comments suggested, you **must not reuse an OT setup** for multiple protocol executions. \n\nWe\u0027re adding a warning in the code:\n\nhttps://github.com/taurushq-io/multi-party-sig/blob/9e4400fccee89be6195d0a12dd0ed052288d5040/internal/ot/extended.go#L114\n\n### 2. Invalid security proof due to incorrect operator\n\nThe original 2018 version of the DKLS had a typo in the OT extension protocol when computing the check value in the OT extension: the paper noted a XOR whereas it should be a field multiplication. This erroneous behavior was implemented [in our code](https://github.com/taurushq-io/multi-party-sig/blob/4d84aafb57b437da1b933db9a265fb7ce4e7c138/internal/ot/extended.go#L188). \n\nThe proof of security fails in this case. No concrete attack is known, however.\n\nThe [2023 update](https://eprint.iacr.org/2018/499.pdf) of the DKLS paper reported that typo and updated the protocol definition.\n\n~As of 20241124, patching is in progress (branch [otfix](https://github.com/taurushq-io/multi-party-sig/tree/otfix)), but not merged to the main branch yes as the tests fail to pass. We\u0027re troubleshooting the issue and will merge into the main branch when it\u0027s resolved.~\n\nAs of 20250128, a patched version is available in https://github.com/taurushq-io/multi-party-sig/releases/tag/v0.7.0-alpha-2025-01-28, thanks to https://github.com/taurushq-io/multi-party-sig/pull/119.\n\n### Workarounds\n\nDo not reuse an OT setup in the event that an abort is detected, to eliminate the secret recovery attack.\n  \n\n### Credits\n\nThanks to the Coinbase researchers Yi-Hsiu Chen and Samuel Ranellucci for discovering these issues and providing a comprehensive write-up. Thank you to Yehuda Lindell for coordinating the disclosure.\nThanks to Jay Prakash for clarifying the risk of the base setup reuse.\nThanks to @cronokirby for writing the corrected code.\n\n\n",
  "id": "GHSA-7f6p-phw2-8253",
  "modified": "2025-01-28T18:06:15Z",
  "published": "2024-11-25T15:11:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/taurushq-io/multi-party-sig/security/advisories/GHSA-7f6p-phw2-8253"
    },
    {
      "type": "WEB",
      "url": "https://eprint.iacr.org/2018/499.pdf"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/taurushq-io/multi-party-sig"
    },
    {
      "type": "WEB",
      "url": "https://github.com/taurushq-io/multi-party-sig/blob/4d84aafb57b437da1b933db9a265fb7ce4e7c138/internal/ot/extended.go#L188"
    },
    {
      "type": "WEB",
      "url": "https://github.com/taurushq-io/multi-party-sig/blob/9e4400fccee89be6195d0a12dd0ed052288d5040/internal/ot/extended.go#L114"
    },
    {
      "type": "WEB",
      "url": "https://github.com/taurushq-io/multi-party-sig/tree/otfix"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Taurus multi-party-sig has OT-based ECDSA protocol implementation flaws"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.