As has been recently reported, a vulnerability (known as "BitForge") in two popular and widely used threshold signature schemes (TSS) – specifically GG18 and GG20 – has been discovered.
While Qredo does use a TSS in the distributed multi-party computation (dMPC) signing of transactions, we do not use GG18 or GG20 and therefore our application and customers remain safe and unaffected by BitForge.
Multi-party computation (MPC) and threshold signing scheme (TSS) are both cryptographic concepts that involve multiple parties collaborating on computations.
Multi-party computation is concerned with enabling multiple parties to perform computations on private inputs without revealing those inputs to each other. MPC protocols ensure that each party's private data remains confidential throughout the computation process while allowing the parties to obtain the desired computational result – in this case, a valid digital signature computed from multiple shards of a private key.
A threshold signing scheme is a cryptographic protocol that enables multiple parties to collectively sign a transaction with a valid digital signature without any single party having complete control over the signing process. A TSS ensures that a minimum threshold of participants must cooperate in MPC to generate a valid digital signature, thereby enhancing security by mitigating the risks associated with single points of failure or compromise.
MPC protocols rely on code libraries that provide developers with a set of functions and code components that make up the building blocks of the MPC protocols they develop for their applications. These libraries simplify the development of MPC protocols, ensuring privacy, security, and correctness.
The BitForge vulnerability enables an attacker to extract a private signing key when the Paillier modulus has small factors. The flaw identified is that the GG18 and GG20 code implementations used in an MPC protocol do not check that the Paillier modulus is a biprime (the product of two large primes) and is free of small factors. The solution to address these vulnerabilities is to integrate range proofs into the protocol, as exemplified in CGGMP21, and to provide zero-knowledge proofs that the Paillier modulus is a biprime without small factors (smaller than 256 bits).
Qredo leverages code libraries in the Apache Milagro code repository to run our dMPC protocols. While the Paillier modulus vulnerability was found in GG18 and GG20, both of which are widely available in multiple code libraries (including Apache Milagro), Qredo currently uses a custom CGGMP21 MPC code implementation which keeps our application and customers doubly safe.
First, the Paillier modulus vulnerability is open to attack only in cases where a (malicious) third party is involved in the operation of the TSS. As of now, Qredo is the only entity that runs the TSS on the Qredo protocol.
Second, the CGGMP21 MPC implementation does have steps in place to verify if the Paillier modulus is a biprime and lacks small factors, making it highly secure and resistant to key extraction attacks.
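The checks described above (that a Paillier modulus is a biprime and has no small factors) split into a part any party can run locally on a counterparty's public modulus N and a part that needs a zero-knowledge proof because nobody but the key holder knows the factors of N. The following Python is an added example, not Qredo's or Apache Milagro's code, and it implements only the local part: honest Paillier key generation plus a verifier-side validation routine that rejects an even N, an N with a prime factor below a trial-division bound, an N that is itself prime, or an N that is a perfect square. The trial-division bound (2^16 by default) and the expected modulus size are assumptions chosen for speed; catching factors all the way up to the 256-bit bound named in the text is what the CGGMP21 proof is for, and this snippet does not implement that proof.

```python
"""Local sanity checks on a Paillier modulus N (added example, not project code).

A verifier in a threshold signing protocol receives N from a counterparty and
cannot factor it. It can still reject moduli that fail cheap public checks:
even, divisible by a small prime, prime, or a perfect square. The biprime
property beyond the trial-division bound requires a zero-knowledge proof
(as in CGGMP21), which is out of scope here.
"""
import math
import secrets
from functools import lru_cache


def primes_below(limit):
    """Sieve of Eratosthenes: all primes p < limit."""
    sieve = bytearray([1]) * limit
    sieve[0:2] = b"\x00\x00"
    for i in range(2, int(limit ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, limit, i)))
    return [i for i, flag in enumerate(sieve) if flag]


@lru_cache(maxsize=None)
def primorial(limit):
    """Product of all primes below `limit`; one gcd against it finds any such factor."""
    product = 1
    for q in primes_below(limit):
        product *= q
    return product


def smallest_factor_below(n, limit):
    """Return the smallest prime factor of n below `limit`, or None if there is none."""
    g = math.gcd(n, primorial(limit))
    if g == 1:
        return None
    for q in primes_below(limit):
        if g % q == 0:
            return q
    return None


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2  # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random prime with exactly `bits` bits (top bit forced to 1)."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def paillier_keygen(prime_bits=1024):
    """Honest Paillier key: N = p*q with distinct equal-size primes and gcd(N, phi(N)) = 1."""
    while True:
        p, q = random_prime(prime_bits), random_prime(prime_bits)
        if p != q and math.gcd(p * q, (p - 1) * (q - 1)) == 1:
            return p * q, (p, q)


def validate_modulus(n, min_bits, trial_bound=1 << 16):
    """Verifier-side checks on a counterparty's N. Returns (ok, reason).

    `trial_bound` is an assumed, speed-driven limit; factors between it and the
    256-bit bound in the text can only be excluded by a zero-knowledge proof.
    """
    if n % 2 == 0:
        return False, "N is even"
    q = smallest_factor_below(n, trial_bound)
    if q is not None:
        return False, f"N has small factor {q}"
    if n.bit_length() < min_bits:
        return False, f"N has only {n.bit_length()} bits, expected at least {min_bits}"
    if is_probable_prime(n):
        return False, "N is prime, not a product of two primes"
    if math.isqrt(n) ** 2 == n:
        return False, "N is a perfect square"
    return True, "no local check failed (biprime proof still required)"


if __name__ == "__main__":
    n, _ = paillier_keygen(512)
    print("honest modulus:", validate_modulus(n, 1023))
    # Constructed weak modulus for demonstration: a tiny prime times a large one.
    print("weak modulus:", validate_modulus(7 * random_prime(1021), 1023))
```

Running the module shows the honest 1024-bit modulus passing and the constructed modulus with factor 7 being rejected before any size check. The gcd-with-primorial trick is the usual way libraries make the small-factor check cheap: one gcd replaces thousands of modular divisions, and the primorial is computed once and cached.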
Over the past four years, Qredo has made a significant investment in building and maintaining the open source Apache Milagro code repo to facilitate secure and reliable MPC for our protocol and for the industry more broadly.
While we do not own or control Apache Milagro as it is an open source project, we do have a vested interest in its security and utility. To that end, we have updated the Apache Milagro repo to patch the vulnerability found in GG18 and GG20 and implemented CGGMP21, removing previous vulnerable implementations. We began this work as soon as we learned of the vulnerability and are pleased to be able to deliver this fix.
As a self-custody infrastructure solution with a native Layer 2 and a roadmap towards further decentralization, we at Qredo are always navigating the balance between contributing to and maintaining an open source code repo with the rigorous standards we impose upon our own protocol.
Our strategy of using a custom protocol that checks the mathematical integrity of the Paillier modulus is a clear example of how we consistently and rigorously treat the safety and security of our users' digital assets as the utmost priority. We will continue to do so to maintain the integrity of our protocol and our application for the benefit of all our users and the broader crypto ecosystem.
Visit the Qredo Trust Portal to learn more about our commitment to the security of digital assets.