Key Extraction Attacks on Threshold ECDSA Implementations

I just want to make sure the community is aware of this attack discovered on Threshold ECDSA implementations: https://twitter.com/OmerShlomovits/status/1470747585132519430

Not sure if it affects our upcoming implementation.

3 Likes

Not sure, I’ll ping the folks working on this.

1 Like

Hi @lastmjs! I had a quick look at the paper yesterday. It looks to me that the attack does NOT apply to the protocol we are implementing.

The attack applies to an optimisation of a scheme that uses ZK range proofs to ensure the correctness of additive shares of a product of two committed value. In the optimised protocol the range proofs are dropped and replaced with less expensive checks. However, this seems to leak some information which can be exploited by an attacker to progressively extract bits of the secret key (I haven’t verified the details of the papers though).

In our protocol we use a different approach. We also compute shares of products of previously shared values, but we do include a ZK proof for the correctness of this product. We don’t need to use expensive range proofs for this, since we use homomorphic commitment schemes (e.g. Pedersen commitments) which support efficient ZK proofs for multiplicative relations of committed values.

9 Likes

Thanks for the heads up @lastmjs!

1 Like

I’ll just echo @andrea’s reply, which is basically that the attacks in that paper are on protocol elements that are not at all present in our protocol.

We are working on a document that describes our protocol in detail, including proofs of security. It is basically done, but not quite ready for public release. It should be publicly available in a few weeks…certainly before we release the tECDSA feature itself.

6 Likes

Awesome, thanks everyone!

2 Likes

more info about the attack on Threshold ECDSA

1 Like