One can recover another participant's private key after collecting their partial signature in a multisignature.
logic
group generator: G
public key: PK = {pk1, pk2}
random k: Klist = {k1, k2}
commitment: R = {k1*G, k2*G}
partial signature: {s1 = k1 + sk1*H(PK,R,m), s2 = k2 + sk2*H(PK,R,m)}
multi-signature: {s = s1 + s2}
The one who proposes the multisignature knows PK, Klist, R and m. Once he gets a partial signature (e.g. s2), he can recover the corresponding sk2 using sk2 = (s2 - k2)/H(PK,R,m).
In fact, the multisignature algorithm used in the cmd is just a demo. It should not be a one-round process. The problem you mentioned in this demo is because Ki is stored in the KList of the MultiSigData struct. This struct should never be used in real scenarios. In fact, Ki should only be stored in the node which is participating in the multisignature process, and be used for calculating R and Si. What's more, if the node has received an Si calculating request with C, R and m, and then receives another C, R with a different m in an Si calculating request, this node should recognize that this is an attack and reject it. In order to do that, each node will maintain a local history of C, R and m. So we fully understand how to use multisignature correctly, and this demo does have some risks. Thanks a million for that.
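The key recovery described in the report's logic section (and the final "recover private key" step of its repro list), together with the node-local nonce and the (R, m) history the reply above proposes, as an added Go example. It is constructed for this thread and is not the project's code: P-256 with SHA-256 as H stand in for whatever group and hash the project actually uses, which the thread does not state, and the struct and function names below are illustrative.

```go
package main

import (
	"bytes"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"math/big"
)

// Two-party Schnorr multisignature on P-256 in the report's notation (constructed
// for this thread, not the project's code): R = k1*G + k2*G, c = H(PK, R, m),
// si = ki + ski*c (mod n), s = s1 + s2.
var curve, order = elliptic.P256(), elliptic.P256().Params().N

type Point struct{ X, Y *big.Int }

func mulG(k *big.Int) Point   { x, y := curve.ScalarBaseMult(k.Bytes()); return Point{x, y} }
func addP(a, b Point) Point   { x, y := curve.Add(a.X, a.Y, b.X, b.Y); return Point{x, y} }
func enc(p Point) []byte      { return elliptic.Marshal(curve, p.X, p.Y) }
func mod(v *big.Int) *big.Int { return v.Mod(v, order) }

func randScalar() *big.Int { // uniform in [1, n-1]
	k, err := rand.Int(rand.Reader, new(big.Int).Sub(order, big.NewInt(1)))
	if err != nil {
		panic(err)
	}
	return k.Add(k, big.NewInt(1))
}

func challenge(pks []Point, R Point, m []byte) *big.Int { // H(PK, R, m) mod n
	h := sha256.New()
	for _, p := range pks {
		h.Write(enc(p))
	}
	h.Write(enc(R))
	h.Write(m)
	return mod(new(big.Int).SetBytes(h.Sum(nil)))
}

// recoverFromKnownNonce is the report's sk2 = (s2 - k2) / H(PK, R, m).
func recoverFromKnownNonce(s2, k2, c *big.Int) *big.Int {
	d := mod(new(big.Int).Sub(s2, k2))
	return mod(d.Mul(d, new(big.Int).ModInverse(c, order)))
}

// recoverFromReusedNonce: one k under two messages gives sk = (s - s') / (c - c').
func recoverFromReusedNonce(s, sPrime, c, cPrime *big.Int) *big.Int {
	num := mod(new(big.Int).Sub(s, sPrime))
	den := mod(new(big.Int).Sub(c, cPrime))
	return mod(num.Mul(num, new(big.Int).ModInverse(den, order)))
}

// InsecureDemoLeaksKey replays the report: a shared MultiSigData-style record
// holds every nonce in KList, so the proposer (signer 1) solves s2 for sk2.
func InsecureDemoLeaksKey() bool {
	sk1, sk2 := randScalar(), randScalar()
	PK := []Point{mulG(sk1), mulG(sk2)}
	KList := []*big.Int{randScalar(), randScalar()} // both nonces visible to signer 1
	R := addP(mulG(KList[0]), mulG(KList[1]))
	c := challenge(PK, R, []byte("constructed tx"))
	s2 := mod(new(big.Int).Add(KList[1], new(big.Int).Mul(sk2, c))) // signer 2's honest s2
	return recoverFromKnownNonce(s2, KList[1], c).Cmp(sk2) == 0
}

// Signer is the node-local state from the reply: k never leaves the node and
// seen is the local history of which m each R has been used for.
type Signer struct {
	sk, k *big.Int
	seen  map[string][]byte
}

func NewSigner() *Signer        { return &Signer{sk: randScalar(), seen: map[string][]byte{}} }
func (s *Signer) PubKey() Point { return mulG(s.sk) }
func (s *Signer) Commit() Point { s.k = randScalar(); return mulG(s.k) }

// PartialSign returns si = ki + ski*c and rejects a different m under an R it
// has already signed for.
func (s *Signer) PartialSign(pks []Point, R Point, m []byte) (*big.Int, error) {
	key := string(enc(R))
	if prev, ok := s.seen[key]; ok && !bytes.Equal(prev, m) {
		return nil, errors.New("same R requested for a different m: rejected as nonce reuse")
	}
	s.seen[key] = m
	si := new(big.Int).Mul(s.sk, challenge(pks, R, m))
	return mod(si.Add(si, s.k)), nil
}

// NonceReuseLeaksKey shows why that history matters: answering for m2 under the same R hands over sk.
func NonceReuseLeaksKey() bool {
	a, b := NewSigner(), NewSigner()
	pks := []Point{a.PubKey(), b.PubKey()}
	R := addP(a.Commit(), b.Commit())
	m1, m2 := []byte("tx one"), []byte("tx two")
	s, _ := b.PartialSign(pks, R, m1)
	if _, err := b.PartialSign(pks, R, m2); err == nil {
		return false // the history check must fire here
	}
	c, cPrime := challenge(pks, R, m1), challenge(pks, R, m2)
	sPrime := mod(new(big.Int).Add(b.k, new(big.Int).Mul(b.sk, cPrime))) // an unchecked signer's s'
	return recoverFromReusedNonce(s, sPrime, c, cPrime).Cmp(b.sk) == 0
}
```

InsecureDemoLeaksKey and NonceReuseLeaksKey both return true: the first because (s2 - k2) divided by the challenge is sk2 whenever the proposer can read k2, the second because two answers under one R for different messages cancel k. The history check in PartialSign only helps if the node also keeps k to itself, which is the first half of the fix the reply describes.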
The measures that @HawkJing mentioned are effective in defending against the attack in the multi-signature scheme, but they are not enough without some more specific measures. I think this really needs some more formal discussion of how to use compact multi-signatures correctly in a blockchain system.
I notice that the multisignature has been added as a feature since v3.3.0. I want to know whether it's possible to (1) remove the feature from the current version or mark it as an experimental feature in the documentation and in the help option of the cmd, or (2) open a new branch for that feature.
Brief of the issue
Repro steps
1. create contract account
private keys
2. generate multisignature transaction
3. collect partial signature
4. calculate hash of transactions
5. recover private key
run exploit.go
Additional information
I think no one-round multisignature based on Schnorr signatures is proven secure. Change to BLS signatures or just use plain multi-signature.