multisig-labs / multi-party-sig

Implementation of protocols for threshold signatures
Apache License 2.0
4 stars 2 forks source link

SID is constant by default #15

Closed 0xJohnnyGault closed 1 year ago

0xJohnnyGault commented 2 years ago

Audit: KS-SBCF-F-07

Location: code/protocols/cmp/keygen/keygen.go:19

Description

By default, the session identifier depends on the curve group name, the party identifiers and the threshold. Thus, for two different sessions with the same threshold, the session identifier stays constants even though the code comments of the NewSession function says:

// NewSession creates a new *Helper which can be embedded in the ↪ first Round,
// so that the full struct implements Session.
// `sessionID` is an optional byte slice that can be provided by the user.
// When used, it should be unique for each execution of the protocol.
// It could be a simple counter which is incremented after execution, or a common random string.
// `auxInfo` is a variable list of objects which should be included in the session's hash state.
func NewSession(info Info, sessionID []byte, pl *pool.Pool, auxInfo ...hash.WriterToWithDomain) (*Helper, error) {

This would allow to replay some message in different sessions of the protocol. For example, at round 1 of the key generation, the variable 𝑉𝑖 may be replayed after being recorded in a previous session.

Recommendation

We recommend to ensure the sessionID value is unique per protocol execution.

0xJohnnyGault commented 2 years ago

Our application that uses this lib does generate a unique sessionID for each execution.