CGGMP Library ECDSA Presignature Vulnerability in cggmp21 and cggmp24
Vulnerability
The CGGMP21 and CGGMP24 libraries, which implement threshold ECDSA signing, contain a vulnerability in how presignatures may be used. In CGGMP21 versions prior to 0.6.3 and in CGGMP24 version 0.7.0-alpha.1, presignatures could be misused in ways that significantly weakened security. The issue is addressed in CGGMP24 version 0.7.0-alpha.2, whose API changes rule out these insecure uses of presignatures.
Impact
The vulnerability allows presignatures to be used in contexts that weaken security: with HD wallet key derivation, where the effective security level could be reduced to 85 bits, and in 'raw signing' scenarios, where it could lead to signature forgery.
Reproduction
In CGGMP21 versions prior to 0.6.3, presignatures could be combined with HD wallet derivation paths, allowing an attacker to reduce the security level to 85 bits. This was possible because a presignature could be generated first and the derivation path chosen afterwards, at the moment a partial signature was issued; that method has since been removed from the API. In 'raw signing' contexts, presignatures could be used to forge signatures by signing a crafted hash instead of the hash of an original message, which violates the assumptions under which the protocol's security holds.
Remediation
Users are advised to update to 'cggmp24 v0.7.0-alpha.2', which includes the necessary patches and API changes. For those still using 'cggmp21', an immediate patch is available in version '0.6.3', but migrating to 'cggmp24' is recommended for long-term security. When updating, review any code that selected a derivation path at partial-signing time, since that method is no longer available, and ensure presignatures are only consumed to sign the hash of an actual message.
