KarpelesLab / tss-lib / 26678642827

76%

Build Type

push

github

Committed by MagicalTux

Commit Message

mldsatss: per-party round-3 response validity for identifiable abort

FIX 2 (Low). combine() previously summed every party's z_i block
unconditionally with no per-party validity check, so a single malicious party
could submit garbage z_i and force ErrAllTriesRejected for the whole committee
with no attribution (a silent DoS).

Add validatePartyResponses(), run before aggregation in combine(): each
party's non-zero z_i block must satisfy the L-part of that party's own
rejection gate, i.e. its nu-scaled L2 norm Sum_L (z_i[j]/nu)^2 must not exceed
Rp^2. An honest party either rejects a try (all-zero block, passes trivially)
or accepts it (block came from a zf that passed !zf.Excess(R, nu), so the
L-part alone is within R, and rounding stays inside Rp). Gross garbage (the DoS
vector) exceeds Rp^2 and is rejected with *ErrPartyResponseInvalid naming the
offending committee slot and keyId.

PARTIAL: this is a structural bound, not a full algebraic check. A full
identifiable abort would verify HighBits(A*z_i - c*t_i) == HighBits(w_i)
against the committed w_i, which needs each party's public key share
t_i = A*s1_i + s2_i. This trusted-dealer protocol never transmits or stores
t_i (only the aggregate t1 is public), so a small-but-wrong z_i that passes
the bound still surfaces as the non-attributable ErrAllTriesRejected.
Closing that gap requires publishing per-party t_i or a per-party
commitment/proof binding z_i to w_i.

Adds TestSigning44_InvalidResponseIsAttributed: a party broadcasts a
saturated garbage z_i and the honest combiner returns *ErrPartyResponseInvalid
naming its slot rather than ErrAllTriesRejected.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Coverage Stats

41 of 45 new or added lines in 1 file covered. (91.11%)

344 existing lines in 9 files now uncovered.

17419 of 22798 relevant lines covered (76.41%)

124171.97 hits per line