aby3
Forgetting r sampling in multiplication of public number and BShare?
According to the paper, the multiplication of a public number and a BShared value should first sample a random number `r`, but I cannot find this step in the implementation. Is that step forgotten?
https://github.com/ladnir/aby3/blob/master/aby3/sh3/Sh3Evaluator.cpp#L292
I believe the `zeroShare` works as `r` in the implementation
https://github.com/ladnir/aby3/blob/master/aby3/sh3/Sh3Evaluator.cpp#L312
But I could be wrong. Generally, aby3 was written somewhat quickly and probably contains security bugs.
According to the paper, the party that plays the sender should sample a random number `r` to avoid the receiver revealing `a[b]` directly.
The purpose of zero sharing is to prevent the helper party from revealing `a[b]` from a 2-out-of-3 sharing.
Without zero sharing, helper could get:
`a[b] = r + a[b] - r`
With zero sharing, helper could only get:
`r + s1 + a[b] - r + s2`
As a result, I think it is a security bug.
I see, OK, I'll fix it when I get time or you can do a PR. Thanks for pointing this out.
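A single-process simulation of the two masking steps discussed in this thread, added here as an example; it is not aby3's code and does not model `Sh3Evaluator.cpp`. The OT message formula `m_i = (i ^ b1 ^ b3) * a - r`, the assignment of bits to parties, and the names `Transcript`, `mulPublicByBit` and `twoShareSum` are assumptions of this sketch.

```cpp
#include <array>
#include <cstdint>
#include <cstdio>
#include <random>

using u64 = std::uint64_t;  // shares live in Z_{2^64}; unsigned wraparound is the modulus

struct Transcript {
    u64 r;                  // sender's mask (0 when the sampling step is skipped)
    u64 receiverMsg;        // the single OT message the receiver learns
    std::array<u64, 3> c;   // additive shares of a*b before resharing
};

// Hypothetical model: b = b1 ^ b2 ^ b3, the sender knows b1 and b3, and the
// receiver's OT choice bit is b2. std::mt19937_64 stands in for the parties'
// randomness and is NOT a cryptographic generator.
Transcript mulPublicByBit(u64 a, bool b1, bool b2, bool b3,
                          bool sampleR, bool zeroShare, std::mt19937_64& prg) {
    const u64 r = sampleR ? prg() : 0;
    const bool sb = (b1 != b3);                       // b1 ^ b3, known to the sender
    // Assumed OT messages: m_i = (i ^ b1 ^ b3) * a - r
    const u64 m[2] = { u64(sb) * a - r, u64(!sb) * a - r };
    const u64 recv = m[b2];                           // ideal OT: only m_{b2} is delivered
    const u64 s1 = zeroShare ? prg() : 0;
    const u64 s2 = zeroShare ? prg() : 0;
    const u64 s3 = 0 - s1 - s2;                       // s1 + s2 + s3 = 0
    return { r, recv, { r + s1, recv + s2, s3 } };
}

// What a party holding both c1 and c2 after resharing can compute on its own.
u64 twoShareSum(const Transcript& t) { return t.c[0] + t.c[1]; }

int main() {
    const u64 a = 7;                                  // constructed public value, b = 1^0^0 = 1
    std::mt19937_64 prg(1);
    const Transcript noR  = mulPublicByBit(a, true, false, false, false, true,  prg);
    const Transcript noZ  = mulPublicByBit(a, true, false, false, true,  false, prg);
    const Transcript both = mulPublicByBit(a, true, false, false, true,  true,  prg);
    std::printf("r skipped:     receiver message equals a*b: %d\n", noR.receiverMsg == a);
    std::printf("no zero share: c1 + c2 equals a*b:          %d\n", twoShareSum(noZ) == a);
    std::printf("both masks:    c1 + c2 equals a*b:          %d\n", twoShareSum(both) == a);
    return 0;
}
```

With `sampleR` off, the receiver's OT output is `a*b` itself, so for a nonzero public `a` it determines `b`; with `zeroShare` off, `c1 + c2` collapses to `a*b` for whichever party holds both shares.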