taurushq-io / multi-party-sig

Implementation of protocols for threshold signatures
Apache License 2.0

Possible key extraction vulnerability Alpha Rays #71

Closed johnthethird closed 2 years ago

johnthethird commented 2 years ago

In short, our attacks allow an attacker, controlling a single party to extract the full private key. To pull off the attack, the attacker must participate in a small number of signatures. In some cases, one signature is enough.

Our attacks target the multiplicative-to-additive (MtA) subprotocol. There are two variants of it in the paper. The fast option is done without range proofs, while the full version includes range proofs. We attack the first variant by using oracle access not accounted for in the paper (in fact, it was conjectured in the paper that no such oracle exists). We attack the full version with range proofs by taking advantage of a missing Paillier size check and a mistake, probably a typo, in the bounds of one of the ZK proofs used.

https://hackmd.io/@omershlo/Sk_8JT-qt

tylerstillwater commented 2 years ago

It appears this issue has been addressed in Coinbase's Kryptology package already: https://github.com/coinbase/kryptology/pull/16

cronokirby commented 2 years ago

I don't think our library is vulnerable to this (nor was it at any point, actually). We've always checked the size of the Paillier keys:

https://github.com/taurusgroup/multi-party-sig/blob/main/protocols/cmp/keygen/round3.go#L96

Furthermore, I'm not entirely sure if the Alpha-Rays attack applies to the modifications to GG20 that feature in the CGGMP protocol, which we implement.
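Both the issue text (the "missing Paillier size check" variant of the attack) and the reply above (the library checks the size of the Paillier keys in keygen) turn on the same fact: MtA decrypts a*b + beta' under the peer's Paillier key, and Paillier decryption returns the plaintext only mod N, so a modulus too small to hold that sum silently wraps and the additive shares no longer reconstruct a*b. The Go program below is an added example, not code from multi-party-sig or from the Alpha-Rays write-up. It implements a toy Paillier scheme (g = N+1), runs one MtA round with the secp256k1 group order as q and beta' drawn from [0, q^2), and shows that the shares reconstruct with 1024-bit N but not with 256-bit N; the `checkPaillierModulus` function and its 1024-bit minimum are an assumed policy for illustration, not a reproduction of the check in round3.go.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

var one = big.NewInt(1)

// q is the secp256k1 group order, standing in for the signing curve's scalar field.
var q, _ = new(big.Int).SetString("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141", 16)

// paillierKey is a toy Paillier key with generator g = N+1. Only N and N2 are public.
type paillierKey struct {
	N, N2      *big.Int // public
	lambda, mu *big.Int // private: lambda = lcm(p-1, q-1), mu = lambda^-1 mod N
}

// paillierKeyGen builds N = p*q from two random primes of primeBits bits each.
func paillierKeyGen(primeBits int) (*paillierKey, error) {
	for {
		p, err := rand.Prime(rand.Reader, primeBits)
		if err != nil {
			return nil, err
		}
		pq, err := rand.Prime(rand.Reader, primeBits)
		if err != nil {
			return nil, err
		}
		N := new(big.Int).Mul(p, pq)
		pm1, qm1 := new(big.Int).Sub(p, one), new(big.Int).Sub(pq, one)
		lambda := new(big.Int).Mul(pm1, qm1)
		lambda.Div(lambda, new(big.Int).GCD(nil, nil, pm1, qm1)) // lcm(p-1, q-1)
		mu := new(big.Int).ModInverse(lambda, N)                  // L((1+N)^lambda mod N^2) = lambda mod N
		if p.Cmp(pq) != 0 && mu != nil {
			return &paillierKey{N: N, N2: new(big.Int).Mul(N, N), lambda: lambda, mu: mu}, nil
		}
	}
}

// encrypt returns (1+N)^m * r^N mod N^2 and needs only the public part of k.
func (k *paillierKey) encrypt(m *big.Int) (*big.Int, error) {
	var r *big.Int
	for r == nil || new(big.Int).GCD(nil, nil, r, k.N).Cmp(one) != 0 { // r in Z_N^*
		var err error
		if r, err = rand.Int(rand.Reader, k.N); err != nil {
			return nil, err
		}
	}
	c := new(big.Int).Mul(m, k.N)
	c.Add(c, one).Mod(c, k.N2) // (1+N)^m = 1 + m*N mod N^2
	return c.Mul(c, new(big.Int).Exp(r, k.N, k.N2)).Mod(c, k.N2), nil
}

// decrypt returns the plaintext reduced mod N: L(c^lambda mod N^2) * mu mod N.
func (k *paillierKey) decrypt(c *big.Int) *big.Int {
	u := new(big.Int).Exp(c, k.lambda, k.N2)
	u.Sub(u, one).Div(u, k.N) // L(u) = (u-1)/N
	return u.Mul(u, k.mu).Mod(u, k.N)
}

// checkPaillierModulus is the kind of check the thread refers to: reject a peer's N
// that cannot hold a*b + beta' without wrapping. minBits is an assumed policy value.
func checkPaillierModulus(N *big.Int, minBits int) error {
	if N.BitLen() < minBits {
		return fmt.Errorf("paillier N has %d bits, want >= %d", N.BitLen(), minBits)
	}
	if N.Bit(0) == 0 {
		return errors.New("paillier N is even")
	}
	return nil
}

// mtaRound runs one MtA between Alice (a, key owner) and Bob (b) and reports whether
// alpha + beta == a*b mod q. Bob's beta' is drawn from [0, q^2) (an assumed range).
func mtaRound(key *paillierKey, a, b *big.Int) (bool, error) {
	cA, err := key.encrypt(a) // Alice -> Bob: Enc(a)
	if err != nil {
		return false, err
	}
	betaPrime, err := rand.Int(rand.Reader, new(big.Int).Mul(q, q))
	if err != nil {
		return false, err
	}
	cBeta, err := key.encrypt(betaPrime)
	if err != nil {
		return false, err
	}
	// Bob -> Alice: Enc(a)^b * Enc(beta') = Enc(a*b + beta'), computed with N, N2 only.
	cB := new(big.Int).Exp(cA, b, key.N2)
	cB.Mul(cB, cBeta).Mod(cB, key.N2)
	alpha := key.decrypt(cB) // equals a*b + beta' only when that sum is below N
	alpha.Mod(alpha, q)
	beta := new(big.Int).Neg(betaPrime)
	beta.Mod(beta, q)
	lhs := alpha.Add(alpha, beta)
	lhs.Mod(lhs, q)
	rhs := new(big.Int).Mul(a, b)
	rhs.Mod(rhs, q)
	return lhs.Cmp(rhs) == 0, nil
}

// runMtA generates a key from two primeBits-bit primes and runs MtA on random shares.
func runMtA(primeBits int) (bool, error) {
	key, err := paillierKeyGen(primeBits)
	if err != nil {
		return false, err
	}
	a, err := rand.Int(rand.Reader, q)
	if err != nil {
		return false, err
	}
	b, err := rand.Int(rand.Reader, q)
	if err != nil {
		return false, err
	}
	return mtaRound(key, a, b)
}

func main() {
	for _, bits := range []int{512, 128} { // 1024-bit N holds a*b + beta' (< 2^513); 256-bit N does not
		ok, err := runMtA(bits)
		fmt.Printf("N = %d bits: shares reconstruct a*b mod q? %v (err=%v)\n", 2*bits, ok, err)
	}
}
```

With a 256-bit N the decrypted value is (a*b + beta') mod N, so Alice's alpha is off by a multiple of N and the reconstruction fails in every run; a verifier that only checks the ZK proofs but never the bit length of the peer's N would accept such a key, which is why the size check belongs in the key-verification step rather than being left to the range proofs.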