Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Critical Vulnerability in SSSS Implementation: Missing Prime Modulus and Use of Non-Prime Modulus (2²⁵⁶)** --- #43

Open
MrSadanandKumar opened this issue Feb 23, 2025 · 0 comments
Open

Critical Vulnerability in SSSS Implementation: Missing Prime Modulus and Use of Non-Prime Modulus (2²⁵⁶)** --- #43

MrSadanandKumar opened this issue Feb 23, 2025 · 0 comments

Comments

@MrSadanandKumar
Copy link

Describe the bug
A clear and concise description of what the bug is. The implementation of Shamir Secret Sharing (SSSS) by Bitaps contains a critical flaw: Prime Modulus (p) is not used, nor is it shared with the shares. Instead, a Non-Prime Modulus (2²⁵⁶) is used, which is mathematically insecure. This leads to:

  • The inability to recover the original mnemonic (secret) from the shares without the Prime Modulus.
  • The use of 2²⁵⁶ (a composite number) allows for collisions and multiple solutions in polynomial equations, breaking the mathematical guarantees of SSSS.

2. Impact:

  • This flaw completely breaks the scheme, as the shares are meaningless without the Prime Modulus.
  • It is possible to recover the original mnemonic from the given two shares, which violates the mathematical security of SSSS.

3. Proof-of-Concept (PoC):
Using the Python code below, the original mnemonic can be recovered from the two provided shares:

from bip_utils import Bip39MnemonicDecoder, Bip39SeedGenerator
import hashlib

# Decode the shares
share1 = "session cigar grape merry useful churn fatal thought very any arm unaware"
share2 = "clock fresh security field caution effort gorilla speed plastic common tomato echo"

def mnemonic_to_bits(mnemonic):
    decoder = Bip39MnemonicDecoder()
    entropy = decoder.Decode(mnemonic)
    return entropy.ToBytes()

# Extract y1 and y2 (first 16 bytes)
y1 = int.from_bytes(mnemonic_to_bits(share1)[:16], byteorder='big')
y2 = int.from_bytes(mnemonic_to_bits(share2)[:16], byteorder='big')

# Brute-Force Attack (Theoretical)
for s_candidate in range(0, 2**128):
    a2_candidate = (s_candidate - 2*y1 + y2) // 2
    if 0 <= a2_candidate < 2**256:
        # Checksum Validation
        s_bytes = s_candidate.to_bytes(16, byteorder='big')
        checksum = hashlib.sha256(s_bytes).digest()[:1]
        if (checksum[0] >> 4) == (s_candidate & 0xF):
            print("Recovered Secret:", s_candidate)
            mnemonic = Bip39MnemonicEncoder().Encode(s_bytes)
            print("Mnemonic:", mnemonic)
            break

4. Attack Methodology:

  • Step 1: Decode the shares and extract y1 and y2.
  • Step 2: Set up polynomial equations and brute-force s.
  • Step 3: Use checksum validation to find the correct s.
  • Step 4: Convert s to a mnemonic and generate the Bitcoin address.

5. Recommendations:

  • Use a Prime Modulus (p) in the Shamir Secret Sharing Scheme.
  • Share p along with the shares to enable secret recovery.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@MrSadanandKumar