BlockstreamResearch / bip-frost-dkg

49 stars 14 forks source link

Domain Separation for PoPs is insufficient #31

Closed jonasnick closed 4 months ago

jonasnick commented 4 months ago

While thinking about https://github.com/BlockstreamResearch/bip-frost-dkg/issues/30#issuecomment-2202630082, I came up with an attack that I'm pretty sure works against the current ChillDKG implementation. The attack requires "deterministic randomness" and the absence of proper domain separation between PoPs and FROST signatures.

The main idea of the attack is as follows: Assume the victim contributes randomness x1 via X1 = x1*G in every session. The adversary uses a signature from the victim in session 1 as PoPs in session 2 which allows him to contribute randomness X1 + Y. By continuing to use signatures in session i as PoPs in session i+1 the adversary is able to double the contributed randomness and obtain the corresponding PoPs from the victim until the adversary has a PoP for (n-1)*X1 + t*Y = -X1 + t*Y which allows key cancellation.

In more detail:

  1. In every session the victim deterministically contributes randomness x1 and X1 = x1*G. Assume wlog that victim is at signer index 1.
  2. The adversary requests 2-of-2 DKG session with the victim, providing some randomness 1*G = G. The threshold public key that is output of the DKG is X1 + G.
  3. The adversary requests two FROST signatures from the victim with the messages chosen such that the signature will serve as a PoP for X1 + G and signer indices 2 and 3 in the subsequent session. The adversary completes the signature.
  4. The adversary requests 3-of-3 DKG session with the victim. This time the adversary provides randomness X1 + G using the PoP obtained through regular FROST signing in the previous step. The adversary correspondingly sends VSS commitment (X1 + G, X2', X3') where X2' and X3' are chosen such that f(1) = 2*G = X1 + G + X2' + X3' where which makes 2 a valid share for the victim signer at index 1. The adversary sends the share to the victim.
  5. This concludes the DKG: the threshold public key is 3*X1 + 2*G and the victim and adversary have all the shares necessaries to sign for it.
  6. The adversary requests a signature from the victim and completes it to a signature for 3*X1 + 2*G with the messages chosen such that the signature will serve as a PoP for X1 + G and signer indices 2 and 3 in the subsequent session.
  7. Adversary requests 3-of-3 DKG session with the victim but now provides VSS commitment (3*X1 + 2*G, X2', X3') and uses the signature from the previous step for the PoP of 3*X1 + 2*G.
  8. Now the threshold public key is 7*X1 + 4*G.
  9. The adversary repeats the previous steps until he obtains a PoP for (n-1)*X1 + y*G = -X1 + y*G.
jonasnick commented 4 months ago

Fixed in 79ce1af534a75ed3fe298c52991607c9fb3ae61e