Taurus performs the key generation and the refresh/auxiliary-parameter generation at the same time in their implementation, as specified in [1].
In [1] p.2, Round 1, third step, $\lambda$ is generated from $\mathbb{Z}^*_{N_i}$ and $r$ from $\mathbb{Z}^*_{\phi(N_i)}$. However, according to [2], p.24, Figure 6, Round 1, $r$ is generated from $\mathbb{Z}^*_{N_i}$ and $\lambda$ from $\mathbb{Z}^*_{\phi(N_i)}$.
We encourage the client to check whether the implementation follows Taurus's document [1] (reviewing the implementation is not part of the scope of this audit) and hence contradicts the paper of Canetti et al. [2].
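To make the two distributions concrete, the following is an added example (not code from the multi-party-sig repository or from either document) that samples a unit of Z*_m by rejection, draws the Round 1 pair (r, lambda) in the order Figure 6 of [2] prescribes, and draws it in the swapped order the finding attributes to [1]. The toy primes p = 11 and q = 13 are constructed for illustration only, and the function names Round1Sample, Round1SampleSwapped, InUnitGroup and ToyParams are this example's own.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
)

var one = big.NewInt(1)

// sampleUnit returns a uniformly random element of Z*_m, i.e. x in [1, m)
// with gcd(x, m) = 1, by rejection sampling over [0, m).
func sampleUnit(m *big.Int) (*big.Int, error) {
	if m.Cmp(big.NewInt(2)) < 0 {
		return nil, fmt.Errorf("modulus must be at least 2")
	}
	for {
		x, err := rand.Int(rand.Reader, m) // uniform in [0, m)
		if err != nil {
			return nil, err
		}
		if InUnitGroup(x, m) {
			return x, nil
		}
	}
}

// InUnitGroup reports whether x lies in Z*_m: 1 <= x < m and gcd(x, m) = 1.
func InUnitGroup(x, m *big.Int) bool {
	if x.Sign() <= 0 || x.Cmp(m) >= 0 {
		return false
	}
	return new(big.Int).GCD(nil, nil, x, m).Cmp(one) == 0
}

// Round1Sample draws the pair in the order of [2], Figure 6, Round 1:
// r from Z*_{N_i} and lambda from Z*_{phi(N_i)}.
func Round1Sample(N, phi *big.Int) (r, lambda *big.Int, err error) {
	if r, err = sampleUnit(N); err != nil {
		return nil, nil, err
	}
	if lambda, err = sampleUnit(phi); err != nil {
		return nil, nil, err
	}
	return r, lambda, nil
}

// Round1SampleSwapped draws the pair with the moduli exchanged, the
// ordering the finding reports for [1]: r from Z*_{phi(N_i)}, lambda from Z*_{N_i}.
func Round1SampleSwapped(N, phi *big.Int) (r, lambda *big.Int, err error) {
	if r, err = sampleUnit(phi); err != nil {
		return nil, nil, err
	}
	if lambda, err = sampleUnit(N); err != nil {
		return nil, nil, err
	}
	return r, lambda, nil
}

// ToyParams returns a constructed modulus N = p*q and phi(N) = (p-1)(q-1)
// for p = 11, q = 13 (far too small for any real use; illustration only).
func ToyParams() (N, phi *big.Int) {
	p, q := big.NewInt(11), big.NewInt(13)
	N = new(big.Int).Mul(p, q)
	phi = new(big.Int).Mul(new(big.Int).Sub(p, one), new(big.Int).Sub(q, one))
	return N, phi
}

func main() {
	N, phi := ToyParams()
	r, lambda, err := Round1Sample(N, phi)
	if err != nil {
		panic(err)
	}
	fmt.Printf("N=%v phi=%v  r=%v in Z*_N: %v  lambda=%v in Z*_phi: %v\n",
		N, phi, r, InUnitGroup(r, N), lambda, InUnitGroup(lambda, phi))
	// 2 is a unit mod 143 but not mod 120, so a lambda drawn from Z*_N (the
	// swapped order) can fall outside Z*_{phi(N)}; the sets differ only by a
	// small fraction, which is why the two distributions are hard to tell apart.
	two := big.NewInt(2)
	fmt.Println("2 in Z*_N:", InUnitGroup(two, N), " 2 in Z*_phi:", InUnitGroup(two, phi))
}
```

The check InUnitGroup is what a reviewer would run against sampled values to tell which modulus a sampler actually used; for a real modulus the sets Z*_N and Z*_{phi(N)} overlap on all but a negligible fraction of [1, N), so the mismatch is a deviation from the paper rather than a distinguishing property.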
Yeah, the code follows the docs, which contain this mistake. The code should swap the distributions being used to follow the paper. (That said, the distributions are essentially indistinguishable.)
Audit: KS-SBCF-O-07
Location: https://github.com/taurusgroup/multi-party-sig/blob/main/docs/Threshold.pdf