Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Regardless of threshold, all polynomials are lines due to small syntactic error #43

Closed
psivesely opened this issue Mar 2, 2018 · 2 comments
Closed

Regardless of threshold, all polynomials are lines due to small syntactic error #43

psivesely opened this issue Mar 2, 2018 · 2 comments
Assignees
@romac
Labels
bug

Comments

@psivesely
Copy link
Contributor

In the the SSS::secret_share function, the author clearly intended to make col_in an array of threshold bytes, but put a comma where the semi-colon should go in the vec! macro. Thus the code always generates just a single coefficient instead of threshold - 1 coefficients for our secret polynomial. So regardless of how high the threshold is set two shares are enough to uncover the secret.

This did not cause an error in the secret recovery code because of the fundamental uniqueness of the Lagrange polynomial: regardless of the number of nodes (shares) presented in excess of k + 1 for a k degree polynomial, Langrange interpolation finds the unique polynomial of degree k.

Here is an illustration of the problem:

extern crate rand;
use rand::{OsRng, Rng};

fn main() {
    let threshold: u8 = 6;
    let mut col_in = vec![0u8, threshold];
    let mut osrng = OsRng::new().unwrap();
    osrng.fill_bytes(&mut col_in[1..]);
    println!("{:?}", col_in);

    let threshold: u8 = 6;
    let mut col_in = vec![0u8; threshold as usize];
    osrng.fill_bytes(&mut col_in[1..]);
    println!("{:?}", col_in);
}
[0, 234]
[0, 196, 181, 63, 217, 112]
psivesely added a commit to psivesely/RustySecrets that referenced this issue Mar 2, 2018
@psivesely
Fix bug where threshold did not set deg of secret polynomial
db473a5 
Fixes SpinResearch#43.

Fixes a syntactic error. Threshold should determine the number of coefficients
in the secret polynomial. As is the code is equivalent to threshold always being
2.
@psivesely psivesely mentioned this issue Mar 2, 2018
Merged
romac added a commit that referenced this issue Mar 2, 2018
@romac
Add a test for issue #43.
fa87116 
Regardless of threshold, all polynomials are lines due to small syntactic error
@romac
Copy link
Member

romac commented Mar 2, 2018
edited
Loading

Hi Noah,

Thank you so much for reporting this, that's a big one.

Fortunately, this bug seem to follow from a refactoring I did while working on the deterministic secret sharing scheme, and is thus not present in RustySecrets v0.0.2. As such, Sunder is thankfully not affected, given that the npm package it depends on actually uses that very same version of the library.

I will merge this as soon as I have time to write a good test to ensure we never make the same mistake in the future.

Thank you so much again for taking the time to go through the code and report this security issue. The DSS code is going to go under audit soon and we'll work towards improving the code coverage in tests. In the meantime, I want to stress that the code published under v0.0.2 has been audited already and does not suffer from this very issue.

Thanks again!
Romain

romac added a commit that referenced this issue Mar 3, 2018
@romac
Add a test for issue #43.
1ad79dc 
Regardless of threshold, all polynomials are lines due to small syntactic error
@romac romac added the bug label Mar 3, 2018
@romac romac self-assigned this Mar 3, 2018
romac added a commit that referenced this issue Mar 3, 2018
@romac
Add a test for issue #43.
3e89d1b 
Regardless of threshold, all polynomials are lines due to small syntactic error
@romac romac closed this as completed in #44 Mar 3, 2018
romac pushed a commit that referenced this issue Mar 3, 2018
@psivesely @romac
Fix bug where threshold did not set deg of secret polynomial
3de1689 
Fixes #43.

Fixes a syntactic error. Threshold should determine the number of coefficients
in the secret polynomial. As is the code is equivalent to threshold always being
2.
@romac
Copy link
Member

romac commented Mar 3, 2018

@nvesely Your patch has been merged. I added a test in #44 to make sure we never encounter this very same issue in the future.

Thank you again for noticing this bug, reporting it, and fixing it :)

@romac romac mentioned this issue Mar 8, 2018
Merged
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@romac romac

Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@romac @psivesely