Audit: KS-SBCF-F-02
Location: protocols/cmp/keygen/round3.go, Taurus specification.
Description:
According to Canetti et al., p. 24, Figure 6, Round 3, Step 2 [2], the fac proof is performed. However, in the Taurus specification this proof is not created [1].
The fac proof, or "no small factor proof", allows a party to prove that the Paillier modulus $N = p \cdot q$ has factors $p, q > 2^{\ell}$. According to section 6.4.1 of the paper, the "fac proof prevents then small values close to zero to have noticeably more weight than other values, modulo $\varphi(\hat{N})$".
Also, if the other parties could recover the affected party's Paillier private key, and all the shares of the affected party are sent to the broadcast channel, those shares could be decrypted by the other parties, giving them access to one share of the secret. This would be equivalent to compromising the affected party and stealing its share of the secret key.
Recommendation: We recommend not deviating from the protocol specifications.
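The following added example is not part of the audit report and is not Taurus code. It sketches in Python how a no-small-factor style proof, modelled on the proof referenced in [2], lets a verifier reject a modulus with a small factor without learning p or q. The toy sizes ELL and EPS, the hash-based challenge, the sample moduli and all function names are assumptions made for illustration.

```python
import hashlib, secrets
from math import isqrt

ELL, EPS = 16, 64  # toy challenge and slack sizes (assumed, not production values)

def rnd(bound):
    """Uniform integer in [-bound, bound]."""
    return secrets.randbelow(2 * bound + 1) - bound

def com(g, h, a, b, Nh):
    """Commitment g^a * h^b mod Nh; Python handles negative exponents."""
    return pow(g, a, Nh) * pow(h, b, Nh) % Nh

def challenge(*transcript):
    """Fiat-Shamir challenge in [-2^ELL, 2^ELL] (assumed instantiation)."""
    d = hashlib.sha256(repr(transcript).encode()).digest()
    return int.from_bytes(d, "big") % (2 ** (ELL + 1) + 1) - 2 ** ELL

def prove(N, p, q, Nh, s, t):
    big = 2 ** (ELL + EPS)
    alpha, beta = rnd(big * isqrt(N)), rnd(big * isqrt(N))
    mu, nu, sigma = rnd(2**ELL * Nh), rnd(2**ELL * Nh), rnd(2**ELL * N * Nh)
    r, x, y = rnd(big * N * Nh), rnd(big * Nh), rnd(big * Nh)
    P, Q = com(s, t, p, mu, Nh), com(s, t, q, nu, Nh)
    A, B = com(s, t, alpha, x, Nh), com(s, t, beta, y, Nh)
    T = com(Q, t, alpha, r, Nh)
    e = challenge(N, Nh, s, t, P, Q, A, B, T, sigma)
    return dict(P=P, Q=Q, A=A, B=B, T=T, sigma=sigma,
                z1=alpha + e * p, z2=beta + e * q,
                w1=x + e * mu, w2=y + e * nu, v=r + e * (sigma - nu * p))

def verify(N, Nh, s, t, pf):
    P, Q, A, B, T, sigma = (pf[k] for k in ("P", "Q", "A", "B", "T", "sigma"))
    e = challenge(N, Nh, s, t, P, Q, A, B, T, sigma)
    R = com(s, t, N, sigma, Nh)          # commits to N = p*q without revealing p, q
    bound = 2 ** (ELL + EPS) * isqrt(N)  # responses must stay near sqrt(N)
    return (com(s, t, pf["z1"], pf["w1"], Nh) == A * pow(P, e, Nh) % Nh
            and com(s, t, pf["z2"], pf["w2"], Nh) == B * pow(Q, e, Nh) % Nh
            and com(Q, t, pf["z1"], pf["v"], Nh) == T * pow(R, e, Nh) % Nh
            and abs(pf["z1"]) <= bound and abs(pf["z2"]) <= bound)

# Constructed toy inputs: the verifier's auxiliary modulus and bases, two moduli.
NH, T_BASE = 2039 * 2063, 4
S_BASE = pow(T_BASE, 1234567, NH)
GOOD = (2**127 - 1, 2**107 - 1)  # both factors within the slack of sqrt(N)
BAD = (2**31 - 1, 2**521 - 1)    # one factor tiny relative to sqrt(N)

def check(p, q):
    return verify(p * q, NH, S_BASE, T_BASE, prove(p * q, p, q, NH, S_BASE, T_BASE))
```

With these toy values the algebraic checks pass for both moduli; it is the range check on z1 and z2 that rejects BAD, because a tiny factor forces the other factor far above sqrt(N).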