Categorization
Severity: High
Difficulty: Medium
Type: Cryptography
Finding ID: TOB-BSV-2
Target: src/primitives/PrivateKey.ts
Description
The PrivateKey.toKeyShares method does not check that randomly-generated
x-coordinates are unique, or that none of the x-coordinates are equal to zero.
If an x-coordinate is equal to zero, the corresponding y-coordinate would be equal to the
secret being shared, meaning that the secret itself could be distributed to a party.
If two or more shares have the same x-coordinate, the number of distinct shares may drop
below the reconstruction threshold, making secret recovery impossible.
Exploit Scenario
A bug in the system-provided RNG causes it to return a repeating pattern, or all zeroes.
This leads to repeated x-coordinates or to zeroed x-coordinates. When the resulting shares
are distributed, the key is either leaked or unrecoverable.
Recommendations
Short term, add checks to ensure that x-coordinates are unique and nonzero.
Long term, consider mitigation techniques for the zero-share issue, including transforming
the x-coordinates via a nonzero function (e.g., x = new BigNum("2", "hex").pow(x) or
similar), and using a counter to ensure that x-coordinates are unique.
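As an added illustration (not the SDK's code and not its PrivateKey.toKeyShares implementation), the following TypeScript models a Shamir split over a constructed prime field with bigint rather than the SDK's BigNum and secp256k1 types. The function names, the seeded generator and the stuck-RNG stand-in are assumptions made for the demo. It reproduces both failure modes from the description (a share at x = 0 is the secret itself; repeated x-coordinates leave fewer distinct shares than the threshold) beside an x-coordinate generator that enforces the short-term recommendation and fails loudly rather than spinning when the RNG is stuck.

```typescript
// Added example, not the BSV SDK's code: minimal Shamir sharing over a prime
// field using bigint, showing why x-coordinates must be nonzero and unique.

// Constructed field modulus for the demo (2^127 - 1, a Mersenne prime). The
// real SDK works over the secp256k1 order; any prime field shows the point.
const P = (1n << 127n) - 1n;

const mod = (a: bigint, m: bigint = P): bigint => ((a % m) + m) % m;

// Modular inverse by the extended Euclidean algorithm.
function modInv(a: bigint, m: bigint = P): bigint {
  let [r0, r1] = [mod(a, m), m];
  let [s0, s1] = [1n, 0n];
  while (r1 !== 0n) {
    const q = r0 / r1;
    [r0, r1] = [r1, r0 - q * r1];
    [s0, s1] = [s1, s0 - q * s1];
  }
  if (r0 !== 1n) throw new Error("value has no inverse");
  return mod(s0, m);
}

export interface Share { x: bigint; y: bigint }

// f(x) = secret + c1*x + ... + c_{t-1}*x^{t-1}. f(0) is the secret by design,
// which is exactly why a share evaluated at x = 0 is the secret itself.
export function makePolynomial(secret: bigint, t: number, rng: () => bigint): bigint[] {
  const coeffs = [mod(secret)];
  for (let i = 1; i < t; i++) coeffs.push(mod(rng()));
  return coeffs;
}

export function shareAt(coeffs: bigint[], x: bigint): Share {
  let y = 0n; // Horner evaluation of the polynomial at x
  for (let i = coeffs.length - 1; i >= 0; i--) y = mod(y * x + coeffs[i]);
  return { x, y };
}

// The pattern the finding describes: x-coordinates taken from the RNG as-is.
export function pickXsUnchecked(n: number, rng: () => bigint): bigint[] {
  return Array.from({ length: n }, () => mod(rng()));
}

// Hardened version: reject zero and repeats, and give up with an error instead
// of looping forever when the RNG is stuck (the "all zeroes" scenario).
export function pickXsChecked(n: number, rng: () => bigint, maxAttempts = 64 * n): bigint[] {
  const seen = new Set<bigint>();
  let attempts = 0;
  while (seen.size < n) {
    if (++attempts > maxAttempts) throw new Error("RNG keeps returning zero or repeated x-coordinates");
    const x = mod(rng());
    if (x === 0n || seen.has(x)) continue;
    seen.add(x);
  }
  return [...seen];
}

// Lagrange interpolation at 0 over the distinct shares; refuses to proceed if
// fewer than t distinct x-coordinates are present.
export function reconstruct(shares: Share[], t: number): bigint {
  const distinct = new Map<bigint, bigint>();
  for (const s of shares) distinct.set(s.x, s.y);
  if (distinct.size < t) throw new Error(`only ${distinct.size} distinct shares, need ${t}`);
  const pts = [...distinct.entries()].slice(0, t);
  let secret = 0n;
  for (const [xi, yi] of pts) {
    let num = 1n, den = 1n;
    for (const [xj] of pts) {
      if (xj === xi) continue;
      num = mod(num * -xj);
      den = mod(den * (xi - xj));
    }
    secret = mod(secret + yi * num * modInv(den));
  }
  return secret;
}

// Constructed seeded generator so the demo is reproducible; real code must draw
// coefficients and x-coordinates from a CSPRNG instead.
export function seededRng(seed: bigint): () => bigint {
  let s = seed;
  return () => { s = mod(s * 6364136223846793005n + 1442695040888963407n, 1n << 64n); return s; };
}

export function demonstrateFinding(): { zeroShareLeaksSecret: boolean; duplicatesBlockRecovery: boolean; checkedRoundTrip: boolean } {
  const secret = 0x5eedn, t = 3, n = 3;
  const coeffs = makePolynomial(secret, t, seededRng(42n));
  // Stuck RNG stand-in: returns 0 once, then 7 forever -> one zero share, two duplicates.
  const stuck = (() => { let i = 0; return () => (i++ === 0 ? 0n : 7n); })();
  const bad = pickXsUnchecked(n, stuck).map((x) => shareAt(coeffs, x));
  const zeroShareLeaksSecret = bad[0].y === secret;
  let duplicatesBlockRecovery = false;
  try { reconstruct(bad, t); } catch { duplicatesBlockRecovery = true; }
  const good = pickXsChecked(n, seededRng(7n)).map((x) => shareAt(coeffs, x));
  return { zeroShareLeaksSecret, duplicatesBlockRecovery, checkedRoundTrip: reconstruct(good, t) === secret };
}

console.log(demonstrateFinding());
```

The unchecked path hands out a share whose y-coordinate is the secret and then cannot rebuild it from the remaining duplicates; the checked path rejects both conditions before any share is created, and the attempt bound turns a stuck RNG into an error at split time rather than a silent key leak or an unrecoverable key later.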