Warning: GG18/20-Based Attack Towards MPC Threshold Signature


By Max

According to Chief Scientist of Safeheron’s iString Lab, Max, a new attack towards threshold signature algorithm has just been discovered by Dmytro and Omer [DO21].

The new attack mainly targets at the threshold signature algorithm introduced by [GG18] and [GG20]. Since the publication of these 2 papers, [GG18] and [GG20] have been the most widely used private key signature algorithms due to their inborn security. Many noted MPC technology companies like Zengo, Binance, ING, PayPal/Curv, Fireblocks, Safeheron have implemented their own multiparty signature algorithm libraries based on these papers. Therefore, this attack can have widespread impact which may lead to asset losses.

iString Lab will give detailed introduction on attacking principle, attacking consequences and recovery plan of this vulnerability in the near future.

Attacking Principle (Brief)

The attacking’s prime aim is the subprotocol, multiplicative-to-additive (MtA Subprotocol in short), which is used both in [GG18] and [GG20]. During the execution of MtA subprotocol, attackers will choose the proper value k, apply the normal result from protocol, and then, analyze and speculate on the range of value w which is directly related to the user’s private key. After multiple attacks, even under the circumstance of secure multiparty signature protocol fails, attackers can still get closer to and narrow down the range of value w. When the range is narrowed down to a certain scope, value w can be violently computed without lots of hash power, and consequently attackers get user’s private key shards.

Attacking Consequences (Brief)

When the secure multiparty signature protocol is being executed, a single individual can launch an effective attack to obtain private key shards of all participants. Through signing multiple times, the attacker will choose the appropriate value k in the MtA subprotocol and record the return from the attacked party. As the attack accumulates to a certain amount (16 times for the experiments in the paper), the attacker can calculate the private key shards of all participants from value k and returns from the attacked parties.

Research from iString Lab showed that Safeheron is not affected by this attack and iString Lab will continue to follow this vulnerability attack.

In the very near future, we will give you a thorough introduction on theory principle, attacking consequences and recovery plan of the vulnerability.


  • [DO21] Alpha-Rays: Key Extraction Attacks on Threshold ECDSA Implementations

  • [GG18] Rosario Gennaro and Steven Goldfeder. Fast multiparty threshold ecdsa with fast trustless setup. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pages 1179–1194, 2018.

  • [GG20] Rosario Gennaro and Steven Goldfeder. One round threshold ecdsa with identifiable abort. IACR Cryptol. ePrint Arch., 2020:540, 2020.

Last updated