Advisories for Pypi/PostQuantum-Feldman-VSS package

Description: PostQuantum-Feldman-VSS, a Python library implementing Feldman's Verifiable Secret Sharing scheme with post-quantum security, was vulnerable to denial-of-service attacks in versions up to and including 0.7.6b0. This vulnerability stems from the library's reliance on the gmpy2 library for arbitrary-precision arithmetic. gmpy2, in turn, depends on the GNU Multiple Precision Arithmetic Library (GMP). GMP, by design, terminates the process when it cannot allocate memory. An attacker could exploit this by providing …

Description: The feldman_vss library contains timing side-channel vulnerabilities in its matrix operations, specifically within the _find_secure_pivot function and potentially other parts of _secure_matrix_solve. These vulnerabilities are due to Python's execution model, which does not guarantee constant-time execution. An attacker with the ability to measure the execution time of these functions (e.g., through repeated calls with carefully crafted inputs) could potentially recover secret information used in the Verifiable Secret Sharing (VSS) …

Description: The secure_redundant_execution function in feldman_vss.py attempts to mitigate fault injection attacks by executing a function multiple times and comparing results. However, several critical weaknesses exist: Python's execution environment cannot guarantee true isolation between redundant executions The constant-time comparison implementation in Python is subject to timing variations The randomized execution order and timing provide insufficient protection against sophisticated fault attacks The error handling may leak timing information about partial execution …