fireblocks / mpc-lib

GNU General Public License v3.0

May be subject to α-shuffle attack #2

Closed lucky1024 closed 9 months ago

lucky1024 commented 10 months ago

Hi expert.

It seems the ring_pedersen (dlnproof) can be forged; this may lead to an α-shuffle attack. https://github.com/fireblocks/mpc-lib/blob/88530614e2062f7c8a7d5d27ede595da42a309b7/src/common/crypto/commitments/ring_pedersen.c#L442-L450

Suggest including the length of each proof->A[I], like Binance's fix: https://github.com/bnb-chain/tss-lib/commit/bb6fb30bd3ebd35c755109836aa1a5ee6126c8a0

See: https://github.com/verichains/tsshock/blob/main/verichains-tsshock-wp-v1.0.pdf

cblokh commented 10 months ago

The BN_bn2binpad function pads A to sizeof N bytes (i.e. the Pedersen modulus size), and A must be exactly sizeof N bytes long in the serialized proof; see the ring_pedersen_param_zkp_serialized_size and deserialize_ring_pedersen_param_zkp functions.
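
The following Python sketch is an added illustration of the two points above (the reporter's suggestion to length-prefix each A[i], and the maintainer's reply that fixed-width padding to sizeof N plus a strict size check already removes the ambiguity); it is not code from mpc-lib, tss-lib, or either participant. It shows why an unprefixed, minimal-length concatenation of commitments is dangerous as Fiat-Shamir input: two different commitment vectors serialize to the same bytes and therefore get the same challenge, while either a fixed-width encoding (what BN_bn2binpad gives) or a length-prefixed encoding makes them distinct, and a deserializer that insists on exactly count × width bytes rejects the ambiguous blob outright. The 4-byte toy modulus width, the 2-byte length prefix, the element values and the SHA-256 challenge are assumptions for the demonstration, not mpc-lib's parameters or hash.

```python
import hashlib
from itertools import combinations

# Toy modulus width, an assumption for this demonstration. A real Ring-Pedersen
# modulus N is 2048 bits or more, so sizeof N would be 256+ bytes.
MODULUS_BYTES = 4


def encode_minimal(values):
    """Ambiguous encoding: each element as its minimal big-endian byte string,
    concatenated with no length prefix and no fixed width."""
    return b"".join(
        v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big") for v in values
    )


def encode_padded(values, width=MODULUS_BYTES):
    """Fixed-width encoding: every element occupies exactly `width` bytes,
    which is what BN_bn2binpad(a, buf, sizeof N) produces."""
    out = bytearray()
    for v in values:
        if v < 0 or v.bit_length() > 8 * width:
            raise ValueError("element does not fit in the modulus width")
        out += v.to_bytes(width, "big")
    return bytes(out)


def encode_length_prefixed(values):
    """The alternative the reporter suggests: prefix each element with its byte
    length (a 2-byte big-endian prefix is an assumption of this demo)."""
    out = bytearray()
    for v in values:
        body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
        out += len(body).to_bytes(2, "big") + body
    return bytes(out)


def decode_padded(blob, count, width=MODULUS_BYTES):
    """Deserialize a fixed-width proof, refusing any blob whose length is not
    exactly count * width (the size check the maintainer describes)."""
    if len(blob) != count * width:
        raise ValueError(
            f"bad proof size: expected {count * width} bytes, got {len(blob)}"
        )
    return [
        int.from_bytes(blob[i * width:(i + 1) * width], "big") for i in range(count)
    ]


def challenge(transcript):
    """Fiat-Shamir challenge over the serialized commitments (SHA-256 is an
    assumption for the demo, not mpc-lib's hash)."""
    return hashlib.sha256(transcript).digest()


def parses_of_minimal(blob, count):
    """Every way to split an unprefixed blob into `count` non-empty pieces.
    Each split is a distinct commitment vector that yields the same transcript
    bytes, and so the same challenge, under the ambiguous encoding."""
    n = len(blob)
    results = []
    for cuts in combinations(range(1, n), count - 1):
        bounds = (0,) + cuts + (n,)
        results.append(
            [int.from_bytes(blob[a:b], "big") for a, b in zip(bounds, bounds[1:])]
        )
    return results


def demo():
    """Returns (same_challenge_minimal, same_challenge_padded, minimal_rejected)."""
    honest = [0x0102, 0x03, 0x04]
    shuffled = [0x01, 0x0203, 0x04]  # different A vector, same minimal bytes

    same_minimal = challenge(encode_minimal(honest)) == challenge(encode_minimal(shuffled))
    same_padded = challenge(encode_padded(honest)) == challenge(encode_padded(shuffled))

    # A strict deserializer never even sees the ambiguous 4-byte blob as a proof.
    try:
        decode_padded(encode_minimal(honest), len(honest))
        rejected = False
    except ValueError:
        rejected = True
    return same_minimal, same_padded, rejected


if __name__ == "__main__":
    print(demo())
    print(parses_of_minimal(b"\x01\x02\x03\x04", 3))
```

Running `demo()` shows the minimal encoding colliding and the padded one not, and `parses_of_minimal` enumerates every commitment vector an unprefixed 4-byte transcript could stand for; the practical check on the verifier side is the one in `decode_padded`: compare the received proof length against the fixed serialized size before any element is hashed.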

lucky1024 commented 9 months ago

Thank you for your clarification.