
mpc-lib's Introduction

Fireblocks-MPC

This repository contains Fireblocks' C++ implementation of Secure Multi Party Computation (MPC) algorithms for digital signatures. Covered algorithms include MPC CMP for ECDSA signatures (online and offline variants), online EdDSA signatures and offline asymmetric EdDSA.

It takes the form of a library (libcosigner) containing the algorithms and supporting cryptographic routines, as well as an extensive test suite also serving as an integration example.

Quick Start

Prerequisites

This version of the code targets the Ubuntu Linux 20.04 LTS release. The libraries and headers of the following dependencies are required:

  • OpenSSL version 1.1.1
  • libuuid (for tests)
  • libsecp256k1 (for tests, optional)

All required dependencies can be installed with the command:

apt install build-essential libssl-dev uuid-dev libsecp256k1-dev

Building and Testing

Build the library and tests by running:

make

To execute the test suite, run the command:

make run-tests

Usage

A few examples for running a full signing process can be found in the tests section.

Security

Please see our dedicated security policy page.

Contributing

Contributions of code and ideas are welcome. Prior to opening a pull request, please carefully review our contribution guidelines.

License

The code in this repository is offered under the terms of the GNU General Public License, as described in the LICENSE file.

mpc-lib's People

Contributors

  • arikblocks
  • cblokh
  • ekjnk
  • igorkh-fb
  • kozyilmaz
  • nadav-fireblocks


mpc-lib's Issues

Rogue signing persistency can crash eddsa signing service

The function eddsa_online_signing_service::get_eddsa_signature dereferences a null pointer.

  1. Line 317 sets the pointer my_s to NULL
  2. The call to memcmp on line 344 dereferences my_s
  3. If the assignment on line 332 never executes, my_s will be NULL and the eddsa online signing service will crash.

How to trigger

  1. Make sure the loop condition on line 318 is false (i.e. data.signers_ids is empty)
  2. Make sure the assignment on line 332 never executes (i.e. my_id is not a data signer)

Modified test case to show this here

SHA256_{Init, Update, Final} are deprecated since OpenSSL 3.0

This causes the build to fail on recent versions of OpenSSL.

make                                                                                                                         (main) 
make[1]: Entering directory '/home/tobias/repos/mpc-lib/src'
make[2]: Entering directory '/home/tobias/repos/mpc-lib/src/common'
CXX  <=  cosigner/cosigner_exception.cpp
cosigner/cmp_setup_service.cpp: In member function ‘void fireblocks::common::cosigner::cmp_setup_service::ack_message(const std::map<long unsigned int, fireblocks::common::cosigner::commitment>&, uint8_t (*)[32])’:
cosigner/cmp_setup_service.cpp:638:16: error: ‘int SHA256_Init(SHA256_CTX*)’ is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations]
  638 |     SHA256_Init(&ctx);
      |     ~~~~~~~~~~~^~~~~~
In file included from cosigner/cmp_setup_service.cpp:7:
/usr/include/openssl/sha.h:73:27: note: declared here
   73 | OSSL_DEPRECATEDIN_3_0 int SHA256_Init(SHA256_CTX *c);
      |                           ^~~~~~~~~~~
cosigner/cmp_setup_service.cpp:641:22: error: ‘int SHA256_Update(SHA256_CTX*, const void*, size_t)’ is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations]
  641 |         SHA256_Update(&ctx, &i->first, sizeof(uint64_t));
      |         ~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/usr/include/openssl/sha.h:74:27: note: declared here
   74 | OSSL_DEPRECATEDIN_3_0 int SHA256_Update(SHA256_CTX *c,
      |                           ^~~~~~~~~~~~~
cosigner/cmp_setup_service.cpp:642:22: error: ‘int SHA256_Update(SHA256_CTX*, const void*, size_t)’ is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations]
  642 |         SHA256_Update(&ctx, &i->second.data, sizeof(commitments_commitment_t));
      |         ~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/usr/include/openssl/sha.h:74:27: note: declared here
   74 | OSSL_DEPRECATEDIN_3_0 int SHA256_Update(SHA256_CTX *c,
      |                           ^~~~~~~~~~~~~
cosigner/cmp_setup_service.cpp:644:17: error: ‘int SHA256_Final(unsigned char*, SHA256_CTX*)’ is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations]
  644 |     SHA256_Final(*ack, &ctx);
      |     ~~~~~~~~~~~~^~~~~~~~~~~~
/usr/include/openssl/sha.h:76:27: note: declared here
   76 | OSSL_DEPRECATEDIN_3_0 int SHA256_Final(unsigned char *md, SHA256_CTX *c);
      |                           ^~~~~~~~~~~~
cc1plus: all warnings being treated as errors
make[2]: *** [Makefile:46: cosigner/cmp_setup_service.o] Error 1
make[2]: Leaving directory '/home/tobias/repos/mpc-lib/src/common'
make[1]: *** [Makefile:2: all] Error 2
make[1]: Leaving directory '/home/tobias/repos/mpc-lib/src'
make: *** [Makefile:2: all] Error 2

Instead of SHA256_Init, SHA256_Update and SHA256_Final, you can use the following interface:

#include <openssl/sha.h>

unsigned char *SHA256(const unsigned char *data, size_t count, unsigned char *md_buf);

Obviously that requires editing some code (it will simplify the code quite a bit).

Another option is to add the following to your CFLAGS:

-Wno-deprecated-declarations

May be subject to α-shuffle attack

Hi expert.

It seems the ring_pedersen (dlnproof) can be forged; this may lead to an α-shuffle attack.

for (size_t i = 0; i < RING_PEDERSEN_STATISTICAL_SECURITY; i++)
{
    if (BN_bn2binpad(proof->A[i], a, size) < 0)
    {
        free(a);
        return 0;
    }
    SHA256_Update(&ctx, a, size);
}

I suggest including the length of each proof->A[i], like Binance's fix: bnb-chain/tss-lib@bb6fb30

See: https://github.com/verichains/tsshock/blob/main/verichains-tsshock-wp-v1.0.pdf

Issue when run test

I cloned this repo to test the library, but when I run the ecdsa_online_test.cpp file, it throws an error:
/test: symbol lookup error: ./test: undefined symbol: secp256k1_ecdsa_recoverable_signature_parse_compact.
I also have other questions:

  1. What is the purpose of the derived key? And how does it differ from the public key that was generated before creating the key shares?
  2. Which section of the code combines the parties' signatures into the final signature?
  3. What is the purpose of the chaincode data?

`is_coprime_fast` check can be skipped due to OpenSSL allocation failure

Upon failure of BN_get or BN_copy, is_coprime_fast returns -1. These can fail if OpenSSL fails to allocate the necessary memory (e.g. due to OOM conditions on the OS).

int is_coprime_fast(const BIGNUM *in_a, const BIGNUM *in_b, BN_CTX *ctx)
{
    BIGNUM *a, *b;
    int ret = -1;
    BN_CTX_start(ctx);
    a = BN_CTX_get(ctx);
    b = BN_CTX_get(ctx);
    if (!a || !BN_copy(a, in_a))
        goto cleanup;

cleanup:
    BN_CTX_end(ctx);
    return ret;
}

Many instances throughout the code use an if (!is_coprime_fast(...)) pattern, which will succeed even if the inputs are not in fact coprime when the OOM condition mentioned above is hit. Some (non-exhaustive) examples:

if (!is_coprime_fast(proof.A, _my_paillier->pub.n, _ctx.get()))

if (!is_coprime_fast(tmp1, paillier->n, ctx))

do
{
    deterministic_rand(seed, n_len, x, &seed);
    res = is_coprime_fast(x, priv->pub.n, ctx);
} while (res == 0);

While these conditions are difficult to trigger in practice, in theory skipping some of these checks may lead to key disclosure.

The most robust solution is to simply panic immediately if these allocations occur. Alternatively, returning 0 in these cases rather than -1 will prevent introduction of similar problematic callsites in the future.
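The failure mode described above, reduced to an added example (not mpc-lib code): a tri-state check that returns 1, 0 or -1, the negation pattern from the call sites, and a caller that treats only an explicit 1 as a pass. The `alloc_fails` flag is an assumed stand-in for an OpenSSL allocation failure inside BN_CTX_get or BN_copy, and the gcd on 64-bit integers stands in for the BIGNUM arithmetic.

```cpp
#include <cstdint>

static uint64_t gcd_u64(uint64_t a, uint64_t b) {
    while (b != 0) { uint64_t t = a % b; a = b; b = t; }
    return a;
}

// Mirrors the return contract in the issue: 1 = coprime, 0 = not coprime,
// -1 = internal failure (here simulated by the assumed alloc_fails knob).
int is_coprime_tristate(uint64_t a, uint64_t b, bool alloc_fails) {
    if (alloc_fails) return -1;   // scratch allocation failed, nothing was computed
    return gcd_u64(a, b) == 1 ? 1 : 0;
}

// The call-site pattern `if (!is_coprime_fast(...)) reject;`. Since !(-1)
// is false, an internal failure falls through to the accept path.
bool accept_with_negation_pattern(uint64_t a, uint64_t b, bool alloc_fails) {
    if (!is_coprime_tristate(a, b, alloc_fails)) return false;
    return true;
}

// Hardened caller: only an explicit 1 passes; 0 and -1 are both rejected,
// which is equivalent to the issue's suggestion of returning 0 on failure.
bool accept_only_on_success(uint64_t a, uint64_t b, bool alloc_fails) {
    return is_coprime_tristate(a, b, alloc_fails) == 1;
}
```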

Unable to run it on Mac M1 machine

Firstly, I appreciate this README; it's very helpful for me. I successfully ran this code on Ubuntu OS using the provided instructions. However, I am unable to run it on my Mac M1 machine. Please let me know if this code supports macOS. If so, could you please guide me on how to run it on macOS?

Threshold EdDSA Paper

CMP is only suitable for ECDSA. Which paper is the implementation of EdDSA based on?
