Devious Transfer: Breaking Oblivious Transfer-based Threshold ECDSA

Read Time 3 mins | Written by: Aviv Frenkel


This research and blog post has been co-authored by Aviv Frenkel, Dima Kogan, and Ben Riva (Mysten Labs).


Our cryptography team has recently uncovered three critical vulnerabilities in open-source cryptographic libraries. Two of these vulnerabilities result in key extraction attacks on Threshold ECDSA implementations within these libraries. The vulnerabilities were found in implementations of Oblivious Transfer, a simple yet fundamental cryptographic building block for Multi-Party Computation (MPC) protocols.

Threshold signature schemes (TSS) are a key component of MPC wallets, enabling multiple parties to collaboratively generate digital signatures without revealing their key shares. There are two main approaches to constructing threshold signatures for the ECDSA signature scheme:

1. Linearly Homomorphic Encryption (LHE)

2. Oblivious Transfer (OT)

While LHE-based TSS schemes have recently been the target of significant attacks (BitForge and TSSHOCK), OT-based protocols have gained popularity because of their simplicity and perceived robustness.


Our findings show that the OT-based approach, promising as it is, is only as strong as its OT implementation: in each of the cases below the bug sat in the OT layer itself, not in the signing protocol built on top of it.

We found vulnerabilities in the implementation of Oblivious Transfer in each of the following libraries:

  • mpecdsa: The reference implementation of DKLs19 by the authors of the protocol. Its implementation of Oblivious Transfer contains a bug that makes the TSS protocol vulnerable to a key-extraction attack by an active adversary (one that deviates from the protocol).
  • sl-crypto: A commercial, professionally-audited implementation of the DKLs23 protocol. Its implementation of Oblivious Transfer contained a bug that made the TSS protocol vulnerable to a key-extraction attack by a passive adversary (one that follows the protocol honestly and only inspects the messages it legitimately receives).
  • docknetwork/crypto: A library offering various cryptographic primitives, including an OT implementation that contained a bug where one of the parties inadvertently revealed its secret state.

In our full technical blog post, we will explain the concept of Oblivious Transfer, discuss two different OT protocols, and highlight the respective vulnerabilities in the implementations of these protocols.
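To make the building block concrete before the full write-up, here is an added example (written for this page, not code from mpecdsa, sl-crypto, docknetwork/crypto, or the authors of this post) of a Diffie-Hellman-style 1-out-of-2 OT in the pattern of the Chou-Orlandi "simplest OT". The sender holds two messages, the receiver holds a choice bit, and at the end the receiver learns exactly the chosen message while the sender learns nothing about the bit. The toy group parameters, the class and function names, and the two leak-analysis helpers at the end are this example's own assumptions. Those helpers show the generic consequence of either party's secret exponent escaping, which is the class of failure the post describes, not the specific bugs found in the three libraries.

```python
"""Toy 1-out-of-2 oblivious transfer (Chou-Orlandi style), added example.

Not code from any library named in the post. Group parameters are
constructed for readability; a real deployment uses a standard
prime-order group (typically an elliptic curve), not a 127-bit prime.
"""
import hashlib
import hmac
import secrets

P = 2**127 - 1   # constructed toy modulus (a Mersenne prime)
G = 2            # constructed toy generator
TAG_LEN = 32


def _derive_key(A: int, B: int, shared: int) -> bytes:
    # Bind the key to the transcript (A, B) as well as to the DH value.
    data = b"|".join(str(x).encode() for x in (A, B, shared))
    return hashlib.sha256(data).digest()


def _encrypt(key: bytes, msg: bytes) -> bytes:
    # One-time pad from SHAKE256 plus an HMAC tag so a wrong key is detected.
    pad = hashlib.shake_256(key).digest(len(msg))
    ct = bytes(m ^ p for m, p in zip(msg, pad))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()


def _decrypt(key: bytes, blob: bytes):
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest(), tag):
        return None  # wrong key: the receiver learns nothing about this message
    pad = hashlib.shake_256(key).digest(len(ct))
    return bytes(c ^ p for c, p in zip(ct, pad))


class Sender:
    def __init__(self, m0: bytes, m1: bytes):
        self.m0, self.m1 = m0, m1
        self.a = secrets.randbelow(P - 2) + 1   # secret exponent, must stay private
        self.A = pow(G, self.a, P)

    def round1(self) -> int:
        return self.A

    def round2(self, B: int) -> tuple:
        # k0 from B^a, k1 from (B/A)^a; exactly one equals the receiver's A^b.
        k0 = _derive_key(self.A, B, pow(B, self.a, P))
        k1 = _derive_key(self.A, B, pow(B * pow(self.A, -1, P) % P, self.a, P))
        return _encrypt(k0, self.m0), _encrypt(k1, self.m1)


class Receiver:
    def __init__(self, choice: int):
        assert choice in (0, 1)
        self.c = choice
        self.b = secrets.randbelow(P - 2) + 1   # secret exponent, must stay private

    def round1(self, A: int) -> int:
        self.A = A
        gb = pow(G, self.b, P)
        # c=0: B = g^b ; c=1: B = A * g^b. Both are uniform in the group, so
        # B reveals nothing about c to the sender.
        self.B = gb if self.c == 0 else (A * gb) % P
        return self.B

    def round2(self, cts: tuple) -> tuple:
        k = _derive_key(self.A, self.B, pow(self.A, self.b, P))
        # Returns (chosen message, attempt at the other one); the latter is None.
        return _decrypt(k, cts[self.c]), _decrypt(k, cts[1 - self.c])


def ot_session(m0: bytes, m1: bytes, choice: int) -> dict:
    """Run one OT exchange and return the transcript plus both parties' secrets."""
    s, r = Sender(m0, m1), Receiver(choice)
    A = s.round1()
    B = r.round1(A)
    cts = s.round2(B)
    received = r.round2(cts)
    return {"A": A, "B": B, "a": s.a, "b": r.b, "cts": cts, "received": received}


def recover_both_from_leaked_a(A: int, B: int, a: int, cts: tuple) -> tuple:
    """If the sender's exponent a leaks, anyone holding the transcript rebuilds
    both keys and reads both messages: sender privacy is gone."""
    k0 = _derive_key(A, B, pow(B, a, P))
    k1 = _derive_key(A, B, pow(B * pow(A, -1, P) % P, a, P))
    return _decrypt(k0, cts[0]), _decrypt(k1, cts[1])


def choice_from_leaked_b(A: int, B: int, b: int) -> int:
    """If the receiver's exponent b leaks, the sender learns the choice bit by
    testing which admissible form B took: receiver privacy is gone."""
    gb = pow(G, b, P)
    if B == gb:
        return 0
    if B == (A * gb) % P:
        return 1
    raise ValueError("B is inconsistent with the leaked exponent")


if __name__ == "__main__":
    t = ot_session(b"left share", b"right share", 1)
    print("receiver got:", t["received"])
    print("with leaked a:", recover_both_from_leaked_a(t["A"], t["B"], t["a"], t["cts"]))
    print("with leaked b, choice =", choice_from_leaked_b(t["A"], t["B"], t["b"]))
```

In a threshold ECDSA protocol the two sender messages are typically additive shares of a product and the choice bits are bits of the receiver's secret, so a broken OT that lets the receiver open both messages, or lets the sender recover the choice bits, translates directly into learning the other party's key material; that is why an OT bug becomes a key-extraction attack on the signing protocol above it.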

Responsible Disclosure

Upon discovering these vulnerabilities, we promptly informed the maintainers of each library to ensure that they were aware of the issues and could take appropriate action. We provided enough time for the maintainers to release the patches and for users of these libraries to update their systems.

The maintainers of sl-crypto acknowledged the report and came back with a patch within two days. They confirmed that none of their production users were affected.

The maintainers of mpecdsa have acknowledged the issue. The maintainers of docknetwork/crypto have addressed the vulnerability and patched their code.

Aviv Frenkel

Aviv Frenkel is a Researcher & Cryptography Engineer at Fordefi, focusing on Multiparty Computation. Aviv's research interests are in the areas of cryptography and cybersecurity.