KZen’s multi-party ECDSA library is written in Rust and implements threshold ECDSA signatures. It consists of two protocols:
- Key generation for creating secret shares
- Signing using the secret shares to generate a signature
During the audit we reviewed the protocol security, the safety of the code written for the project, the cryptography, and whether the implementation matches the protocol specification. We identified the following issues:
- 4 security issues of medium severity
- 2 security issues of low severity
- 10 observations related to general code safety
During the audit we also identified an issue in the academic paper the library implements, and reported it to the paper’s author, the renowned cryptographer Yehuda Lindell. The problem was in the specification of the key generation algorithm for the two-party case: in an intermediate step, one of the two parties must generate a temporary Paillier encryption keypair. For efficiency, the bit size of this keypair’s modulus should be kept as small as possible, since a larger modulus slows down signing. On the other hand, the modulus has to be large enough to guarantee the security of the encryption, on which the security of the signature scheme (and hence the non-repudiation of its signatures) depends. One of the contributions of Lindell’s paper was to improve this tradeoff by specifying the optimal key size as the maximum of two values. In the detailed specification of the algorithm, however, an error crept in and the minimum of the two values appeared instead. This is little more than a typo, but it could easily cause problems for software engineers without an extensive cryptographic background who follow the specification and implement the algorithm as written: an implementation taking the minimum would pick a modulus that is too small for one of the two requirements. The author acknowledged the mistake and corrected it in the online version of the paper, for the benefit of future readers.
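To see why the key size must be the maximum of the two bounds rather than the minimum, the following Python script is an added illustration; it is not code from KZen’s library or from Lindell’s paper. It runs the homomorphic step of two-party signing at toy parameter sizes: P1 holds a Paillier encryption of its share x1, P2 computes an encryption of k2^-1 * (m' + r * x1 * x2) plus a multiple of the group order as a mask, and P1 decrypts. The shape of that step, the toy primes, shares and nonces are all constructed for this example, and the plaintext bound is derived from the operands used here rather than quoted from the paper. With a modulus that is merely secure-looking but below the correctness bound, the plaintext wraps modulo n and P1 recovers the wrong partial signature; with a modulus above both bounds, it recovers the right one.

```python
"""Why the Paillier modulus is max(correctness bound, security bound), not min.
Added example; not code from KZen's library or Lindell's paper. The signing
step below follows the two-party structure Enc(k2^-1*m' + rho*Q) (+) (k2^-1*r*x2) (x) Enc(x1);
the bound on its plaintext is derived from these operands, not quoted from the paper."""
from math import gcd


class Paillier:
    """Textbook Paillier with g = n + 1. Toy-sized primes only; never use as-is."""

    def __init__(self, p, q):
        self.n = p * q
        self.n2 = self.n * self.n
        self.lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)  # lcm(p-1, q-1)
        self.mu = pow(self.lam, -1, self.n)                 # L(g^lam mod n^2)^-1 when g = n+1

    def encrypt(self, m, rnd):
        """Encrypt m (reduced mod n) with randomness rnd, which must be coprime to n."""
        assert gcd(rnd, self.n) == 1
        return pow(self.n + 1, m, self.n2) * pow(rnd, self.n, self.n2) % self.n2

    def decrypt(self, c):
        u = pow(c, self.lam, self.n2)
        return (u - 1) // self.n * self.mu % self.n

    def add(self, c1, c2):
        """Enc(a) (+) Enc(b) = Enc(a + b mod n)."""
        return c1 * c2 % self.n2

    def scale(self, c, k):
        """k (x) Enc(a) = Enc(k * a mod n)."""
        return pow(c, k, self.n2)


# Constructed toy parameters: a 7-bit "group order" instead of a 256-bit one.
Q = 101                      # prime group order (toy)
X1, X2 = 37, 58              # P1's and P2's shares of the signing key
K2, R, M_HASH = 23, 66, 91   # P2's nonce share, the r value, and the message hash mod Q
RHO = 7777                   # mask; fixed for reproducibility, the protocol draws it from Z_{Q^2}
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def expected_s_prime():
    """What P1 should obtain: k2^-1 * (m' + r * x1 * x2) mod Q."""
    return pow(K2, -1, Q) * (M_HASH + R * X1 * X2) % Q


def p2_partial_signature(pai, ckey, x2, k2, r, m_hash, rho):
    """P2's homomorphic step on P1's ciphertext ckey = Enc(x1)."""
    k2inv = pow(k2, -1, Q)
    a = k2inv * m_hash % Q
    b = k2inv * r * x2 % Q
    c1 = pai.encrypt(a + rho * Q, 11)   # rho*Q hides the integer quotient, vanishes mod Q
    c2 = pai.scale(ckey, b)             # b (x) Enc(x1) = Enc(b * x1)
    return pai.add(c1, c2)


def plaintext_bound(q):
    """Largest plaintext P2 can produce with a, b, x1 < q and rho < q^2 (this example's operands)."""
    return (q - 1) + (q * q - 1) * q + (q - 1) * (q - 1)


def choose_modulus_bits(q, security_bits):
    """Correctness needs n > plaintext_bound(q); security needs n of at least security_bits.
    Both are lower bounds, so the answer is their maximum (taking the minimum breaks one of them)."""
    return max(plaintext_bound(q).bit_length() + 1, security_bits)


def run(p, q):
    """Run the signing step with Paillier primes p, q and return what P1 recovers."""
    pai = Paillier(p, q)
    ckey = pai.encrypt(X1, 7)                                  # P1's ciphertext of its share
    c3 = p2_partial_signature(pai, ckey, X2, K2, R, M_HASH, RHO)
    plain = pai.decrypt(c3)                                    # P1 decrypts; wraps mod n if too small
    return {"n": pai.n, "bound": plaintext_bound(Q), "plaintext": plain, "s_prime": plain % Q}


if __name__ == "__main__":
    print("expected s' =", expected_s_prime())
    for primes in ((103, 107), (65521, 65537)):
        res = run(*primes)
        ok = "ok" if res["n"] > res["bound"] else "TOO SMALL"
        print(primes, ok, "recovered s' =", res["s_prime"])
    print("modulus bits for secp256k1 with 2048-bit security:", choose_modulus_bits(SECP256K1_N, 2048))
```

The 103 x 107 modulus is far below the correctness bound for Q = 101, so the decrypted plaintext is reduced modulo n and the recovered s' differs from the expected one; the 65521 x 65537 modulus clears the bound and the step works. At real sizes the numbers flip: with a 256-bit group order the correctness bound needs roughly 770 bits while the security bound is 2048 bits, so a spec saying "minimum" would yield a Paillier key too weak to protect x1.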
The report of the KZen audit can be downloaded here.
KZen addressed the issues identified in the report.
We’d like to thank KZen for trusting us, and for their constant availability to answer our questions and to provide feedback about our findings.