Threshold signature schemes are protocols that allow a group of users to jointly generate and control a private signing key. Using such a scheme, the users can sign data together, but no single user can sign on their own.
Secret sharing is a protocol for splitting a secret key into key shares. These shares can later be combined to recover the key. A common technique for this is Shamir Secret Sharing. The high-level idea behind Shamir's scheme is that for n users, you want any t of them (where t <= n) to be able to recover the secret by combining their shares.
To make this work, a polynomial p of degree t-1 (so that t users are needed to use the secret) is chosen over a finite field. The shares are created by evaluating the polynomial at n distinct points (one per user). The key property is that a single point does not reveal any information about the polynomial.
Since the secret value is encoded in the polynomial, recovering the polynomial recovers the secret.
Since the constant term of the polynomial is the secret value, it is essential that the x-value of every share is non-zero. Otherwise, that share is the secret itself. In many of the libraries, the implementation did not stop this from happening! So, it was possible for the secret to get leaked to one of the share holders!
Many of the implementations used each party's unique ID value as the point at which the polynomial is evaluated. Additionally, when you operate over a finite field, every value is reduced modulo the order of the field. This means that even if 0 itself was rejected, an ID that wraps around to 0 modulo the order could be used to obtain the evaluation at the zeroth point and find the key.
The second bug was a divide by zero. Many people forget that modular arithmetic involves division as well (computing a modular inverse). Hence, the authors of the libraries forgot to check for the 0 case, leading to crashes.
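As an added example (not code from the talk or from any of the audited libraries), here is a small Shamir implementation over a prime field that shows both bugs: a naive share function that rejects x == 0 literally but still leaks the secret when the ID wraps around to 0 modulo the field order, next to a hardened split that reduces IDs first and also rejects colliding IDs so that reconstruction never has to invert 0. The field order P and all secrets and IDs are constructed values.

```python
import secrets

# Field order for the shares; a constructed choice (Mersenne prime), not from the page.
P = 2**127 - 1

def _eval(coeffs, x, p):
    """Horner evaluation of sum(coeffs[i] * x**i) mod p."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc

def naive_share(secret, t, x, p=P):
    """Weak behaviour from the note: x == 0 is rejected literally, but x == p
    wraps to 0 mod p, so the 'share' is the constant term, i.e. the secret."""
    if x == 0:
        raise ValueError("x must be non-zero")
    coeffs = [secret % p] + [secrets.randbelow(p) for _ in range(t - 1)]
    return _eval(coeffs, x, p)

def make_shares(secret, t, n, ids, p=P):
    """Hardened split: reduce every share-holder id mod p first, reject any id
    that is 0 mod p, and reject ids that collide mod p (a collision would make
    recover() invert 0, the divide-by-zero crash)."""
    if not (1 <= t <= n) or len(ids) != n:
        raise ValueError("bad threshold parameters")
    xs = [x % p for x in ids]
    if any(x == 0 for x in xs):
        raise ValueError("share id is 0 mod p: the share would be the secret")
    if len(set(xs)) != n:
        raise ValueError("share ids collide mod p: reconstruction would divide by 0")
    coeffs = [secret % p] + [secrets.randbelow(p) for _ in range(t - 1)]
    return [(x, _eval(coeffs, x, p)) for x in xs]

def recover(shares, p=P):
    """Lagrange interpolation at x = 0 from t (or more) distinct shares.
    pow(den, -1, p) is the modular inverse; den == 0 raises ValueError."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % p
                den = den * (xi - xj) % p
        secret = (secret + yi * num * pow(den, -1, p)) % p
    return secret
```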
The authors noted that these algorithms had very few implementation standards. As a result, they created ZKDocs to provide guidance and help developers implement non-standard cryptographic primitives.
Overall, this was an interesting attack that uses basic math to break the implementation. I particularly appreciated the modulus wrap-around attack.