The Fireblocks team previously disclosed zero-day vulnerabilities in the GG18, GG20, and Lindel 17 MPC protocols that allow attackers to extract the real key behind a set of MPC private key shares. They collaborated with the Safeheron team to fix these vulnerabilities. CipherLab is leading us through this case study to understand how CipherBC effectively applies cryptography to enhance the security of our MPC wallets.
Scope of the Vulnerability in GG18 and GG20 MPC Protocols
This article focuses on the impact of the zero-day vulnerability on GG18 and GG20 protocols. The attack leverages specially crafted Paillier keys during the MPC signing phase. By performing a limited number of signatures, the attacker can deduce the private key shares of other participants. This vulnerability affects a broad range of implementations, as it undermines the security assumptions of the MPC protocols.
Vulnerability Mechanism
How can MPC protocols be attacked? Standard MPC protocols are probably secure under certain security assumptions. Attacks on MPC protocols often focus on these assumptions. According to the data, for GG18/GG20, the security relies on the Paillier homomorphic encryption algorithm. Paillier is based on the composite residue problem and supports homomorphic addition.
The MtA protocol is used to convert multiplication into addition during signing. The protocol is as follows:
Input: Alice inputs a secret data kA and Bob inputs a secret data xB
Output: Alice gets a secret α and Bob gets a secret β
Function: Alice and Bob do not know each other’s secrets, but the secrets satisfy
kAxB = α+β
Key Attack Points
Attack Point 1: Manipulation of kA in MtA Protocol
By choosing a larger kA, Alice can nullify the β′ masking effect, leaking Bob’s secret xB.
When kA is normal, the study shows:
xB=0x1337
β′ (mask)=0x4242424242
kA=0x6789
xBkA=0x7c5696f
xBkA+β′=0x424a0xab1
When kA is large:
xB=0x1337β′ (mask)=0x4242424242
kA=0x100000000000
xBkA=0x133700000000000
xBkA+β′=0x133704242424242
But for the MtA protocol, what is sought is:
N=0x10000000000
(xBkA+β′)%N=0x704242424242
Only a small part of the top7th bit is leaked xB, equivalent to we can only get xB %p value, p a prime factor of N. Suppose N =p1p2…p16*q , pi is a 16-bit small prime number, when signing each time let kA = N / pi , you can get 16 xB % pi by signing 16 times, and then using the Chinese remainder theorem, we can get xB % (p1p2…p16), thus obtaining a complete 256-bit xB.
Yet Alice still needs to prove kA<q3 , and It is not satisfied when it is too large, so Alice needs to forge a range proof.
Attack Point 2: Forging Range Proofs
Alice needs to provide a range proof that kA<q³. If kA is too large, Alice must forge the proof.
Alice constructs s1 (s1 = 𝑒* kA + α) and ciphertext c from kA, and sends them to Bob.
Bob verifies:
If all conditions are met, Bob will believe that the Paillier ciphertext c sent by Alice corresponds to a plaintext kA that satisfies 𝑘𝐴∈[−𝑞³,𝑞³]. Since 𝑘𝐴=𝑁/𝑝 has 2032 bits, Bob will find that 𝑠1≤𝑞³ is not satisfied. What can be done? If Alice replaces kA in s1 with 0, then 𝑠1≤𝑞³can be satisfied.
However, this will cause the second equation to fail verification because 𝑐 is the ciphertext of kA, not 0. Alice’s solution is to manipulate the random value to adjust 𝑒, until 𝑒 mod pi=0, making 𝐸𝑛𝑐(𝑁/𝑝𝑖)^e=𝐸𝑛𝑐(0)^e 𝑚𝑜𝑑 𝑁² valid. Since pi is only 16 bits, a brute force search can find a suitable 𝑒.
Application Scenario
To attack an MPC-based self-custody wallet, the attacker needs:
- Knowledge of the wallet creation and transaction mechanisms
- Ability to simulate wallet creation and signing using the MPC protocol
Step 1: Simulate Wallet Creation
During wallet creation (KeyGen sub-protocol), Alice constructs an insecure homomorphic key and retrieves the local private key share A, while attacking the protocol to obtain cloud share B.
Step 2: Simulate Transactions
Perform 16 malicious signings with forged kA and range proofs, collecting data to deduce the cloud private key share.
Once both shares A and B are obtained, the attacker can reconstruct the full private key.
Fixing the Vulnerability in GG18 and GG20
To prevent this attack, additional zero-knowledge proofs have been added to GG18/GG20 protocols to avoid small factors in Paillier modulus N:
Paillier-Blum’s modulus proof ensures the N is the product of exactly two suitable odd primes.
No small factor modulus proof to ensure the N can be factored into two big numbers.
About CipherBC
CipherBC stands as a market leader in digital asset custody and payment solutions. Catering to businesses seeking a secure and efficient transition to Web3 transformation, ensuring the security of assets and We are committed to the mission of “ fostering financial freedom.” In line with this objective, we provide asset owners with a complete range of services, encompassing asset custody, merchant payments, clearing and other financial services.