blahaj::math: increase allowable polynomial coefficients to maximum

The previously existing polynomial coefficients had an inverse bias
towards `0`, only starting higher than `1`. This allows `0` to be a
valid polynomial.

As per an audit performed by Cure53:

> The correct method to select a random polynomial would be to select
all coefficients (including the most significant coefficient) uniformly
in the range 0..255 (inclusive). Otherwise, knowledge that a coefficient
in a polynomial cannot be 0 permits the exclusion of single byte values
for the shared secret given one share less than required. [...]
Exploiting this weakness necessitates sharing the same secret multiple
times. In this scenario, an attacker could exclude an exponential number
of values for each of the shared bytes until sufficiently few values
remain for brute forcing.  Cure53 estimates that under ideal
circumstances (e.g., a 2-out-of-N scheme) a shared secret can be
reconstructed if the same secret has been distributed 500-1500 times.
This commit is contained in:
Ryan Heywood 2024-11-16 19:26:26 -05:00
parent f10fef2c88
commit 4faab1cd33
Signed by: ryan
GPG Key ID: 8E401478A3FBEF72
1 changed files with 2 additions and 2 deletions

View File

@ -30,12 +30,12 @@ pub fn interpolate(shares: &[Share]) -> Vec<u8> {
.collect()
}
// Generates `k` polynomial coefficients, being the last one `s` and the others randomly generated between `[1, 255]`.
// Generates `k` polynomial coefficients, being the last one `s` and the others randomly generated between `[0, 255]`.
// Coefficient degrees go from higher to lower in the returned vector order.
pub fn random_polynomial<R: rand::Rng>(s: GF256, k: u8, rng: &mut R) -> Vec<GF256> {
let k = k as usize;
let mut poly = Vec::with_capacity(k);
let between = Uniform::new_inclusive(1, 255);
let between = Uniform::new_inclusive(0, 255);
for _ in 1..k {
poly.push(GF256(between.sample(rng)));