{"url":"http://public2.vulnerablecode.io/api/packages/372892?format=json","purl":"pkg:golang/github.com/taurusgroup/multi-party-sig@0.7.0-alpha-2025-01-28","type":"golang","namespace":"github.com/taurusgroup","name":"multi-party-sig","version":"0.7.0-alpha-2025-01-28","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"0.7.0-alpha-2025-01-28","latest_non_vulnerable_version":"0.7.0-alpha-2025-01-28","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/359710?format=json","vulnerability_id":"VCID-b28y-286t-zkb2","summary":"Taurus multi-party-sig has OT-based ECDSA protocol implementation flaws\nCoinbase researchers reported 2 security issues in our implementation of the oblivious transfer (OT) based protocol [DKLS](https://eprint.iacr.org/2018/499.pdf):\n\n### 1. Secret share recovery attack\n\nIf the base OT setup of the protocol is reused for another execution of the OT extension, then a malicious participant can extract a bit of the secret of another participant. By repeating the execution they can eventually recover the whole secret.\n\nTherefore, unlike our comments suggested, you **must not reuse an OT setup** for multiple protocol executions. \n\nWe're adding a warning in the code:\n\nhttps://github.com/taurushq-io/multi-party-sig/blob/9e4400fccee89be6195d0a12dd0ed052288d5040/internal/ot/extended.go#L114\n\n### 2. Invalid security proof due to incorrect operator\n\nThe original 2018 version of the DKLS had a typo in the OT extension protocol when computing the check value in the OT extension: the paper noted an XOR whereas it should be a field multiplication. This erroneous behavior was implemented [in our code](https://github.com/taurushq-io/multi-party-sig/blob/4d84aafb57b437da1b933db9a265fb7ce4e7c138/internal/ot/extended.go#L188). \n\nThe proof of security fails in this case. No concrete attack is known, however.\n\nThe [2023 update](https://eprint.iacr.org/2018/499.pdf) of the DKLS paper reported that typo and updated the protocol definition.\n\n~As of 20241124, patching is in progress (branch [otfix](https://github.com/taurushq-io/multi-party-sig/tree/otfix)), but not merged to the main branch yet as the tests fail to pass. We're troubleshooting the issue and will merge into the main branch when it's resolved.~\n\nAs of 20250128, a patched version is available in https://github.com/taurushq-io/multi-party-sig/releases/tag/v0.7.0-alpha-2025-01-28, thanks to https://github.com/taurushq-io/multi-party-sig/pull/119.\n\n### Workarounds\n\nDo not reuse an OT setup in the event that an abort is detected, to eliminate the secret recovery attack.\n  \n\n### Credits\n\nThanks to the Coinbase researchers Yi-Hsiu Chen and Samuel Ranellucci for discovering these issues and providing a comprehensive write-up. Thank you to Yehuda Lindell for coordinating the disclosure.\nThanks to Jay Prakash for clarifying the risk of the base setup reuse.\nThanks to @cronokirby for writing the corrected code.","references":[{"reference_url":"https://eprint.iacr.org/2018/499.pdf","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://eprint.iacr.org/2018/499.pdf"},{"reference_url":"https://github.com/taurushq-io/multi-party-sig","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/taurushq-io/multi-party-sig"},{"reference_url":"https://github.com/taurushq-io/multi-party-sig/blob/4d84aafb57b437da1b933db9a265fb7ce4e7c138/internal/ot/extended.go#L188","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/taurushq-io/multi-party-sig/blob/4d84aafb57b437da1b933db9a265fb7ce4e7c138/internal/ot/extended.go#L188"},{"reference_url":"https://github.com/taurushq-io/multi-party-sig/blob/9e4400fccee89be6195d0a12dd0ed052288d5040/internal/ot/extended.go#L114","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/taurushq-io/multi-party-sig/blob/9e4400fccee89be6195d0a12dd0ed052288d5040/internal/ot/extended.go#L114"},{"reference_url":"https://github.com/taurushq-io/multi-party-sig/security/advisories/GHSA-7f6p-phw2-8253","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/taurushq-io/multi-party-sig/security/advisories/GHSA-7f6p-phw2-8253"},{"reference_url":"https://github.com/taurushq-io/multi-party-sig/tree/otfix","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/taurushq-io/multi-party-sig/tree/otfix"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/372892?format=json","purl":"pkg:golang/github.com/taurusgroup/multi-party-sig@0.7.0-alpha-2025-01-28","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/taurusgroup/multi-party-sig@0.7.0-alpha-2025-01-28"}],"aliases":["GHSA-7f6p-phw2-8253"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-b28y-286t-zkb2"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/taurusgroup/multi-party-sig@0.7.0-alpha-2025-01-28"}