Known issues (#81)

* fixes

* typo + remove debug

* audit report

Author: omershlo

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "multi-party-ecdsa"
-version = "0.2.3"
+version = "0.2.4"
 authors = [
     "Gary <[email protected]>",
     "Omer <[email protected]>"
@@ -25,12 +25,12 @@ crate-type = ["lib"]
 
 
 [dependencies]
-paillier = { git = "https://github.com/KZen-networks/rust-paillier", tag = "v0.3.2" }
-zk-paillier = { git = "https://github.com/KZen-networks/zk-paillier", tag = "v0.2.3" }
+paillier = { git = "https://github.com/KZen-networks/rust-paillier", tag = "v0.3.3" }
+zk-paillier = { git = "https://github.com/KZen-networks/zk-paillier", tag = "v0.2.4" }
 subtle = {version = "2", features = ["nightly"]}
 serde = "1.0"
 serde_derive = "1.0"
-
+zeroize = "0.10"
 
 [features]
 cclst = ["class_group"]

audits/REPORT_final_2019-10-22.pdf

@@ -165,11 +165,7 @@ fn main() {
             let decom_j: KeyGenDecommitMessage1 = serde_json::from_str(&round2_ans_vec[j]).unwrap();
             y_vec.push(decom_j.y_i.clone());
             decom_vec.push(decom_j.clone());
-            enc_keys.push(
-                (party_keys.y_i.clone() + decom_j.y_i.clone())
-                    .x_coor()
-                    .unwrap(),
-            );
+            enc_keys.push((decom_j.y_i.clone() * party_keys.u_i).x_coor().unwrap());
             j = j + 1;
         }
     }

examples/gg18_keygen_client.rs

@@ -348,8 +348,6 @@ fn main() {
 
     // we assume the message is already hashed (by the signer).
     let message_bn = BigInt::from(message);
-    let two = BigInt::from(2);
-    let message_bn = message_bn.modulus(&two.pow(256));
     let local_sig =
         LocalSignature::phase5_local_sig(&sign_keys.k_i, &message_bn, &R, &sigma, &y_sum);
 

examples/gg18_sign_client.rs

@@ -24,6 +24,7 @@ extern crate centipede;
 extern crate class_group;
 extern crate curv;
 extern crate paillier;
+extern crate zeroize;
 extern crate zk_paillier;
 pub mod protocols;
 

src/lib.rs

@@ -80,14 +80,15 @@ impl MessageB {
         let ba_btag = &self.b_proof.pk * a + &self.beta_tag_proof.pk;
         match DLogProof::verify(&self.b_proof).is_ok()
             && DLogProof::verify(&self.beta_tag_proof).is_ok()
+            // we prove the correctness of the ciphertext using this check and the proof of knowledge of dlog of beta_tag
             && ba_btag.get_element() == g_alpha.get_element()
         {
             true => Ok(alpha),
             false => Err(InvalidKey),
         }
     }
 
-    //  another version, supportion PartyPrivate therefore binding mta to gg18.
+    //  another version, supporting PartyPrivate therefore binding mta to gg18.
     //  with the regular version mta can be used in general
     pub fn verify_proofs_get_alpha_gg18(
         &self,

src/protocols/multi_party_ecdsa/gg_2018/mta.rs

@@ -158,6 +158,21 @@ impl Keys {
         }
     }
 
+    // we recommend using safe primes if the code is used in production
+    pub fn create_safe_prime(index: usize) -> Keys {
+        let u: FE = ECScalar::new_random();
+        let y = &ECPoint::generator() * &u;
+
+        let (ek, dk) = Paillier::keypair_safe_primes().keys();
+
+        Keys {
+            u_i: u,
+            y_i: y,
+            dk,
+            ek,
+            party_index: index.clone(),
+        }
+    }
     pub fn create_from(u: FE, index: usize) -> Keys {
         let y = &ECPoint::generator() * &u;
         let (ek, dk) = Paillier::keypair().keys();
@@ -334,6 +349,21 @@ impl PartyPrivate {
         }
     }
 
+    // we recommend using safe primes if the code is used in production
+    pub fn refresh_private_key_safe_prime(&self, factor: &FE, index: usize) -> Keys {
+        let u: FE = self.u_i + factor;
+        let y = &ECPoint::generator() * &u;
+        let (ek, dk) = Paillier::keypair_safe_primes().keys();
+
+        Keys {
+            u_i: u,
+            y_i: y,
+            dk,
+            ek,
+            party_index: index.clone(),
+        }
+    }
+
     // used for verifiable recovery
     pub fn to_encrypted_segment(
         &self,
@@ -425,10 +455,11 @@ impl SignKeys {
         delta_inv: &FE,
         b_proof_vec: &Vec<&DLogProof>,
         phase1_decommit_vec: Vec<SignDecommitPhase1>,
-        // blind_vec: &Vec<BigInt>,
-        //  g_gamma_i_vec: &Vec<GE>,
         bc1_vec: &Vec<SignBroadcastPhase1>,
     ) -> Result<GE, Error> {
+        // note: b_proof_vec is populated using the results
+        //from the MtAwc, which is handling the proof of knowledge verification of gamma_i such that
+        // Gamme_i = gamma_i * G in the verify_proofs_get_alpha()
         let test_b_vec_and_com = (0..b_proof_vec.len())
             .map(|i| {
                 b_proof_vec[i].pk.get_element() == phase1_decommit_vec[i].g_gamma_i.get_element()

src/protocols/multi_party_ecdsa/gg_2018/party_i.rs

@@ -45,6 +45,7 @@ use curv::BigInt;
 use curv::FE;
 use curv::GE;
 
+use zeroize::Zeroize;
 use Error::{self, InvalidSig};
 
 use subtle::ConstantTimeEq;
@@ -141,10 +142,10 @@ impl KeyGenFirstMsg {
     pub fn create_commitments() -> (KeyGenFirstMsg, CommWitness, EcKeyPair) {
         let base: GE = ECPoint::generator();
 
-        let secret_share: FE = ECScalar::new_random();
+        let mut scalar: FE = ECScalar::new_random();
         //in Lindell's protocol range proof works only for x1<q/3
-        let secret_share: FE =
-            ECScalar::from(&secret_share.to_big_int().div_floor(&BigInt::from(3)));
+        let mut secret_share: FE = ECScalar::from(&scalar.to_big_int().div_floor(&BigInt::from(3)));
+        scalar.zeroize();
 
         let public_share = base.scalar_mul(&secret_share.get_element());
 
@@ -167,6 +168,7 @@ impl KeyGenFirstMsg {
             public_share,
             secret_share,
         };
+        secret_share.zeroize();
         (
             KeyGenFirstMsg {
                 pk_commitment,
@@ -183,7 +185,7 @@ impl KeyGenFirstMsg {
     }
 
     pub fn create_commitments_with_fixed_secret_share(
-        secret_share: FE,
+        mut secret_share: FE,
     ) -> (KeyGenFirstMsg, CommWitness, EcKeyPair) {
         //in Lindell's protocol range proof works only for x1<q/3
         let sk_bigint = secret_share.to_big_int();
@@ -212,6 +214,7 @@ impl KeyGenFirstMsg {
             public_share,
             secret_share,
         };
+        secret_share.zeroize();
         (
             KeyGenFirstMsg {
                 pk_commitment,
@@ -411,7 +414,7 @@ impl PaillierKeyPair {
         let b = pdl_party_two_second_message.decommit.b.clone();
         let blindness = pdl_party_two_second_message.decommit.blindness.clone();
 
-        let ab_concat = a.clone() + b.clone().shl(a.bit_length());
+        let ab_concat = a.clone() + b.clone().shl(a.bit_length()); // b|a (in the paper it is a|b)
         let c_tag_tag_test =
             HashCommitment::create_commitment_with_user_defined_randomness(&ab_concat, &blindness);
         let ax1 = a.clone() * party_one_private.x1.to_big_int();
@@ -429,13 +432,13 @@ impl PaillierKeyPair {
 impl EphKeyGenFirstMsg {
     pub fn create() -> (EphKeyGenFirstMsg, EphEcKeyPair) {
         let base: GE = ECPoint::generator();
-        let secret_share: FE = ECScalar::new_random();
+        let mut secret_share: FE = ECScalar::new_random();
         let public_share = &base * &secret_share;
         let h: GE = GE::base_point2();
-        let w = ECDDHWitness {
-            x: secret_share.clone(),
-        };
+
         let c = &h * &secret_share;
+        let mut x = secret_share;
+        let w = ECDDHWitness { x };
         let delta = ECDDHStatement {
             g1: base.clone(),
             h1: public_share.clone(),
@@ -447,6 +450,8 @@ impl EphKeyGenFirstMsg {
             public_share: public_share.clone(),
             secret_share,
         };
+        secret_share.zeroize();
+        x.zeroize();
         (
             EphKeyGenFirstMsg {
                 d_log_proof,
@@ -517,17 +522,22 @@ impl Signature {
         r = r.scalar_mul(&ephemeral_local_share.secret_share.get_element());
 
         let rx = r.x_coor().unwrap().mod_floor(&FE::q());
-        let k1_inv = &ephemeral_local_share
-            .secret_share
-            .to_big_int()
-            .invert(&FE::q())
-            .unwrap();
+
+        let mut k1_inv = ephemeral_local_share.secret_share.invert();
+
         let s_tag = Paillier::decrypt(
             &party_one_private.paillier_priv,
             &RawCiphertext::from(partial_sig_c3),
-        );
-        let s_tag_tag = BigInt::mod_mul(&k1_inv, &s_tag.0, &FE::q());
-        let s = cmp::min(s_tag_tag.clone(), FE::q().clone() - s_tag_tag.clone());
+        )
+        .0;
+        let mut s_tag_fe: FE = ECScalar::from(&s_tag);
+        let s_tag_tag = s_tag_fe * k1_inv;
+        k1_inv.zeroize();
+        s_tag_fe.zeroize();
+        let s_tag_tag_bn = s_tag_tag.to_big_int();
+
+        let s = cmp::min(s_tag_tag_bn.clone(), FE::q().clone() - s_tag_tag_bn.clone());
+
         Signature { s, r: rx }
     }
 
@@ -543,17 +553,19 @@ impl Signature {
 
         let rx = r.x_coor().unwrap().mod_floor(&FE::q());
         let ry = r.y_coor().unwrap().mod_floor(&FE::q());
-        let k1_inv = &ephemeral_local_share
-            .secret_share
-            .to_big_int()
-            .invert(&FE::q())
-            .unwrap();
+        let mut k1_inv = ephemeral_local_share.secret_share.invert();
+
         let s_tag = Paillier::decrypt(
             &party_one_private.paillier_priv,
             &RawCiphertext::from(partial_sig_c3),
-        );
-        let s_tag_tag = BigInt::mod_mul(&k1_inv, &s_tag.0, &FE::q());
-        let s = cmp::min(s_tag_tag.clone(), FE::q().clone() - s_tag_tag.clone());
+        )
+        .0;
+        let mut s_tag_fe: FE = ECScalar::from(&s_tag);
+        let s_tag_tag = s_tag_fe * k1_inv;
+        k1_inv.zeroize();
+        s_tag_fe.zeroize();
+        let s_tag_tag_bn = s_tag_tag.to_big_int();
+        let s = cmp::min(s_tag_tag_bn.clone(), FE::q().clone() - s_tag_tag_bn.clone());
 
         /*
          Calculate recovery id - it is not possible to compute the public key out of the signature
@@ -563,7 +575,7 @@ impl Signature {
         */
         let is_ry_odd = ry.tstbit(0);
         let mut recid = if is_ry_odd { 1 } else { 0 };
-        if s_tag_tag.clone() > FE::q() - s_tag_tag.clone() {
+        if s_tag_tag_bn.clone() > FE::q() - s_tag_tag_bn.clone() {
             recid = recid ^ 1;
         }
 

src/protocols/two_party_ecdsa/lindell_2017/party_one.rs

@@ -47,6 +47,9 @@ use centipede::juggling::proof_system::{Helgamalsegmented, Witness};
 use centipede::juggling::segmentation::Msegmentation;
 use protocols::multi_party_ecdsa::gg_2018::mta::{MessageA, MessageB};
 
+use zeroize::Zeroize;
+
+const PAILLIER_KEY_SIZE: usize = 2048;
 //****************** Begin: Party Two structs ******************//
 
 #[derive(Clone, Debug, Serialize, Deserialize)]
@@ -137,13 +140,14 @@ pub struct EphKeyGenSecondMsg {
 impl KeyGenFirstMsg {
     pub fn create() -> (KeyGenFirstMsg, EcKeyPair) {
         let base: GE = ECPoint::generator();
-        let secret_share: FE = ECScalar::new_random();
+        let mut secret_share: FE = ECScalar::new_random();
         let public_share = base * &secret_share;
         let d_log_proof = DLogProof::prove(&secret_share);
         let ec_key_pair = EcKeyPair {
             public_share: public_share.clone(),
             secret_share,
         };
+        secret_share.zeroize();
         (
             KeyGenFirstMsg {
                 d_log_proof,
@@ -153,14 +157,15 @@ impl KeyGenFirstMsg {
         )
     }
 
-    pub fn create_with_fixed_secret_share(secret_share: FE) -> (KeyGenFirstMsg, EcKeyPair) {
+    pub fn create_with_fixed_secret_share(mut secret_share: FE) -> (KeyGenFirstMsg, EcKeyPair) {
         let base: GE = ECPoint::generator();
         let public_share = base * &secret_share;
         let d_log_proof = DLogProof::prove(&secret_share);
         let ec_key_pair = EcKeyPair {
             public_share: public_share.clone(),
             secret_share,
         };
+        secret_share.zeroize();
         (
             KeyGenFirstMsg {
                 d_log_proof,
@@ -333,6 +338,10 @@ impl PaillierPublic {
         proof: NICorrectKeyProof,
         ek: &EncryptionKey,
     ) -> Result<(), CorrectKeyProofError> {
+        //
+        if ek.n.bit_length() < PAILLIER_KEY_SIZE - 1 {
+            return Err(CorrectKeyProofError);
+        };
         proof.verify(&ek)
     }
 }
@@ -341,15 +350,15 @@ impl EphKeyGenFirstMsg {
     pub fn create_commitments() -> (EphKeyGenFirstMsg, EphCommWitness, EphEcKeyPair) {
         let base: GE = ECPoint::generator();
 
-        let secret_share: FE = ECScalar::new_random();
+        let mut secret_share: FE = ECScalar::new_random();
 
         let public_share = base.scalar_mul(&secret_share.get_element());
 
         let h: GE = GE::base_point2();
-        let w = ECDDHWitness {
-            x: secret_share.clone(),
-        };
+
         let c = &h * &secret_share;
+        let mut x = secret_share;
+        let w = ECDDHWitness { x };
         let delta = ECDDHStatement {
             g1: base.clone(),
             h1: public_share.clone(),
@@ -375,6 +384,8 @@ impl EphKeyGenFirstMsg {
             public_share,
             secret_share,
         };
+        secret_share.zeroize();
+        x.zeroize();
         (
             EphKeyGenFirstMsg {
                 pk_commitment,
@@ -424,18 +435,20 @@ impl PartialSig {
 
         let rx = r.x_coor().unwrap().mod_floor(&q);
         let rho = BigInt::sample_below(&q.pow(2));
-        let k2_inv = &ephemeral_local_share
+        let mut k2_inv = ephemeral_local_share
             .secret_share
             .to_big_int()
             .invert(&q)
             .unwrap();
         let partial_sig = rho * &q + BigInt::mod_mul(&k2_inv, message, &q);
+
         let c1 = Paillier::encrypt(ek, RawPlaintext::from(partial_sig));
         let v = BigInt::mod_mul(
             &k2_inv,
             &BigInt::mod_mul(&rx, &local_share.x2.to_big_int(), &q),
             &q,
         );
+        k2_inv.zeroize_bn();
         let c2 = Paillier::mul(
             ek,
             RawCiphertext::from(encrypted_secret_share.clone()),