From 4faab1cd33d455f0ca2ccc7208093fd6c18e0767 Mon Sep 17 00:00:00 2001 From: ryan Date: Sat, 16 Nov 2024 19:26:26 -0500 Subject: [PATCH] blahaj::math: increase allowable polynomial coefficients to maximum The previously existing polynomial coefficients had an inverse bias towards `0`, only starting higher than `1`. This allows `0` to be a valid polynomial. As per an audit performed by Cure53: > The correct method to select a random polynomial would be to select all coefficients (including the most significant coefficient) uniformly in the range 0..255 (inclusive). Otherwise, knowledge that a coefficient in a polynomial cannot be 0 permits the exclusion of single byte values for the shared secret given one share less than required. [...] Exploiting this weakness necessitates sharing the same secret multiple times. In this scenario, an attacker could exclude an exponential number of values for each of the shared bytes until sufficiently few values remain for brute forcing. Cure53 estimates that under ideal circumstances (e.g., a 2-out-of-N scheme) a shared secret can be reconstructed if the same secret has been distributed 500-1500 times. --- src/math.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/math.rs b/src/math.rs index 6ae678d..865f1cc 100644 --- a/src/math.rs +++ b/src/math.rs @@ -30,12 +30,12 @@ pub fn interpolate(shares: &[Share]) -> Vec { .collect() } -// Generates `k` polynomial coefficients, being the last one `s` and the others randomly generated between `[1, 255]`. +// Generates `k` polynomial coefficients, being the last one `s` and the others randomly generated between `[0, 255]`. // Coefficient degrees go from higher to lower in the returned vector order. pub fn random_polynomial(s: GF256, k: u8, rng: &mut R) -> Vec { let k = k as usize; let mut poly = Vec::with_capacity(k); - let between = Uniform::new_inclusive(1, 255); + let between = Uniform::new_inclusive(0, 255); for _ in 1..k { poly.push(GF256(between.sample(rng)));