Advisories for Golang/Github.com/Keep-Network/Keep-Ecdsa package

2022

Incorrect validation of parties IDs leaks secret keys in Secret-sharing scheme

In the threshold signature scheme, participants start by dividing secrets into shares using a secret sharing scheme. The Verifiable Secret Sharing scheme generates shares from the user’s IDs but does not properly validate them. Using a malicious ID will make other users reveal their secrets during the secret-sharing procedure. In addition, a second issue resulting from lack of validation could cause nodes to crash when sent maliciously formed user IDs.