Key Extraction Attack for TSS (Discovered by Verichains)
8422 sats \ 3 comments \ @frostdragon 29 Mar 2023 bitcoin
First off - as far as I can tell, this does not affect bitcoin unless:
A) There are still TSS wallets in use that were generated when bitcoin was on ECDSA that B) have malicious participants that know how to take advantage of this yet-to-be-disclosed cryptographic vulnerability
That being said, this is probably the closest bitcoin has ever been to a legitimate, hackable vulnerability that could have resulted in real loss of funds.
Here's what I'm talking about: https://blog.verichains.io/p/verichains-discovers-critical-key

To break this down:
TSS (Threshold Signature Scheme) is a cryptographic protocol that's been around for a few decades, used for generated a multiple-participant private key. In order to sign a message (or, in the context of cryptocurrency, a transaction), you need t of n participants to sign (for example, 2 of 3, 3 of 5, etc). The protocol essentially constructs a private-public key pair (aka, a wallet) from scratch. BNY Mellon, Revolut, ING, Binance, Fireblocks, Coinbase, etc have been using this protocol for various cryptocurrencies.
"... nearly all threshold ECDSA based TSS implementations . . . are vulnerable to key extraction attacks despite having undergone multiple security audits."
!!!
Luckily, Bitcoin switched from ECDSA to Schnorr a few years ago, so unless I'm mistaken, MPC protocols for bitcoin don't have this problem. But it could have been a problem if it weren't for BIP 340.

A few of things to note:
  • While most bitcoin users would not have been affected by this even if we were still on ECDSA, this could have been a major problem for exchanges and other large bitcoin companies, as they are typically the ones to use an MPC
  • MPC protocols shouldn't be confused with multisig - multisig is relatively user-friendly, doesn't involve fancy cryptography, and essentially strings together individual wallets via a set of rules rather than building one from scratch
  • If bitcoin was still on ECDSA, the problem with TSS wouldn't technically be a problem with bitcoin or anything in the bitcoin code - it's a separate, manual, and apparently insecure method for constructing a key pair. That being said, it could have resulted in stolen bitcoin.

Lastly:
Self-custody via cold wallets, people.
Even though this doesn't affect bitcoin, MPC's can be dangerous simply because they have to be manually written into code, and a slightly incorrect implementation could mean game over.
write
preview
related posts
100 sats \ 1 reply \ @siggy47 29 Mar 2023
Another day, another scary scenario. Thanks for the great write up.
reply
0 sats \ 0 replies \ @frostdragon OP 29 Mar 2023
Thanks!
reply
0 sats \ 0 replies \ @shibe 30 Mar 2023 freebie
Luckily, Bitcoin switched from ECDSA to Schnorr a few years ago, so unless I'm mistaken, MPC protocols for bitcoin don't have this problem. But it could have been a problem if it weren't for BIP 340.
I believe you're mistaken. Schnorr signatures were part of Taproot, and you can't just flip them on, you'd have to start using a Taproot address for this. So this vulnerability might still apply to the vast majority of t-of-n wallets.