
Cloud Vulnerability DB
A community-led vulnerabilities database
A critical vulnerability was discovered in tss-lib (Go package) affecting versions <= 1.3.5, identified as GHSA-h24c-6p6p-m3vx. The vulnerability exists in the GG18 threshold ECDSA signature protocol implementation, where the system fails to properly validate Paillier modulus N, potentially allowing attackers to recover the shared secret key (GitHub Advisory).
The vulnerability stems from the implementation's failure to prove that the Paillier modulus N is biprime and doesn't contain small factors. If a participant generates a Paillier modulus N containing small factors (less than 2^100), they can exploit the signing protocol to steal other participants' secret key shares. The attack can be successful in as few as sixteen signing attempts, ultimately allowing the reconstruction of the master key (GitHub Advisory).
The vulnerability allows malicious actors to recover the shared secret key by exploiting the signing protocol. This compromises the security of the threshold signature scheme, potentially affecting any systems or applications relying on this implementation for distributed signing operations (GitHub Advisory).
The fixed implementation adds proofs from the CGGMP21 threshold ECDSA protocol to the key generation process, including Paillier-Blum Modulus proof (ensuring N is the product of two primes) and No Small Factor proof (ensuring both factors of N are greater than 2^256). These proofs are applied to both the Paillier encryption modulus N and the modulus NTilde used in MTA proofs. Additionally, the resharing protocol has been enhanced with an extra round to confirm valid proof reception (GitHub Advisory).
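The reason the fix needs zero-knowledge proofs rather than a local check is that a participant only ever sees a peer's public N and cannot factor it, so it cannot test for small factors or for biprimality itself; the peer who knows p and q must prove those properties. The Python below is an added illustration, not tss-lib's code and not the CGGMP21 proof as specified: it implements a simplified interactive form of the Paillier-Blum modulus argument, in which the prover shows for random challenge values y_i that one of four twists of y_i has a 4th root mod N (possible for every y_i only when N is a product of two primes congruent to 3 mod 4) and that y_i has an N-th root mod N (possible only when gcd(N, phi(N)) = 1, which Paillier requires). The key is constructed from two Mersenne primes, the function names are my own, and it omits the separate No Small Factor proof; a deployable version would derive the challenge from a hash of N (Fiat-Shamir) and use many more rounds. Requires Python 3.8+ for `pow(p, -1, q)`.

```python
import secrets
from math import gcd


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd positive n; the Legendre symbol when n is prime."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def mersenne(e):
    """2^e - 1: a known prime for e in {61, 89, 107, 127}, always 3 mod 4 (constructed demo key)."""
    return (1 << e) - 1


def rand_unit(n):
    """Uniformly random element of Z_N^*."""
    while True:
        r = secrets.randbelow(n)
        if r and gcd(r, n) == 1:
            return r


def new_challenge(n, rounds):
    """Verifier's step: w with Jacobi(w/N) = -1 and `rounds` random units y_i.
    A deployable proof derives these from a hash of N (Fiat-Shamir) and uses many more rounds."""
    w = rand_unit(n)
    while jacobi(w, n) != -1:
        w = rand_unit(n)
    return w, [rand_unit(n) for _ in range(rounds)]


def twist(y, w, a, b, n):
    """y' = (-1)^a * w^b * y mod N, the four candidates the prover may take a 4th root of."""
    return (-1) ** a * w ** b * y % n


def sqrt_blum(a, p):
    """For p = 3 (mod 4) and a residue a, a^((p+1)/4) is the square root that is itself a
    residue, so applying it twice yields a 4th root mod p."""
    return pow(a, (p + 1) // 4, p)


def crt(ap, aq, p, q):
    """Lift residues ap (mod p) and aq (mod q) to the unique value mod p*q."""
    return (ap + p * ((aq - ap) * pow(p, -1, q) % q)) % (p * q)


def prove(p, q, challenge):
    """Prover's step. Returns one (a, b, x, z) per y_i with x^4 = twist and z^N = y_i (mod N).
    Raises ValueError when N = p*q is not a Blum integer with gcd(N, phi(N)) = 1."""
    n, phi = p * q, (p - 1) * (q - 1)
    w, ys = challenge
    if gcd(n, phi) != 1:
        raise ValueError("gcd(N, phi(N)) != 1: not a usable Paillier modulus")
    d = pow(n, -1, phi)  # z = y^d satisfies z^N = y only because N is invertible mod phi(N)
    responses = []
    for y in ys:
        # -1 is a non-residue mod both primes and w mod exactly one, so a Blum integer has exactly one residue twist
        ab = [(a, b) for a in (0, 1) for b in (0, 1)
              if jacobi(twist(y, w, a, b, n), p) == jacobi(twist(y, w, a, b, n), q) == 1]
        if not ab:
            raise ValueError("no residue twist: N is not a Blum integer")
        a, b = ab[0]
        yp = twist(y, w, a, b, n)
        x = crt(sqrt_blum(sqrt_blum(yp, p), p), sqrt_blum(sqrt_blum(yp, q), q), p, q)
        responses.append((a, b, x, pow(y, d, n)))
    return responses


def verify(n, challenge, responses):
    """Verifier's step; needs only the public N, the challenge and the responses."""
    w, ys = challenge
    if n <= 0 or n % 2 == 0 or jacobi(w, n) != -1 or len(responses) != len(ys):
        return False
    return all(pow(x, 4, n) == twist(y, w, a, b, n) and pow(z, n, n) == y
               for y, (a, b, x, z) in zip(ys, responses))


if __name__ == "__main__":
    p, q = mersenne(89), mersenne(107)
    n = p * q
    challenge = new_challenge(n, 16)
    responses = prove(p, q, challenge)
    print("honest proof accepted:", verify(n, challenge, responses))
    a, b, x, z = responses[0]
    responses[0] = (a, b, (x + 1) % n, z)  # a tampered 4th root fails the x^4 check
    print("tampered proof accepted:", verify(n, challenge, responses))
```

Each round halves a cheating prover's chance, which is why the number of rounds matters; with a modulus that has a prime factor congruent to 1 mod 4 (for instance 65537 in place of q) the prover either finds no residue twist for some y_i and cannot answer, or produces values that fail the x^4 check, so the verifier rejects either way. The absence of small factors is a separate property and is what the advisory's No Small Factor proof covers.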
Source: This report was generated using AI