Attacks on Implementations of Lindell 17 and Its Variants
摘要
Lindell17 is a widely used two-party threshold ECDSA protocol that offers security under concurrent executions and supports global abort upon failure. In this paper, we extend the attack model of Makriyannis, Yomtov, and Galansky by proposing a more general and covert class of attacks, which we term Digit-by-Digit Extraction (DBDE). Our attacks allow the adversary to choose an arbitrary base b and craft nonce values \(k_2 = b^\ell \) , enabling the gradual leakage of the honest party’s key share through signature outcomes. We demonstrate DBDE attacks on Lindell17 and its three main variants: (1) Lindell17 (+), (2) Lindell17 ( \(\cdot \) ) in 2-of-2 setting, (3) the actively refreshed variant Refreshed-Lindell17 (+), and (4) Patched HD Lindell17. To mitigate these attacks, we propose a practical countermeasure that prevents adversarial control over nonce selection by introducing a jointly generated \(k_2\) . Our patch neutralizes all known attacks that exploit nonce selection strategies. We also provide proof-of-concept code to validate our attacks and demonstrate their real-world feasibility.