PT-2025-11290 · Unknown · Post-Quantum Secure Feldman's Verifiable Secret Sharing
Published: 2025-03-14 · Updated: 2025-03-14 · CVE-2025-29779
CVSS v4.0: 5.4 (Medium)
Vector: AV:P/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions:
Post-Quantum Secure Feldman's Verifiable Secret Sharing versions 0.7.6b0 and prior
Description:
The issue concerns the secure_redundant_execution function in feldman_vss.py, which attempts to mitigate fault injection attacks. However, several weaknesses exist: Python's execution environment cannot guarantee true isolation between the redundant executions, the constant-time comparison exhibits timing variations, and the protection against sophisticated fault attacks is insufficient. These limitations make the protection ineffective against targeted fault injection attacks, especially by attackers with physical access to the hardware. A successful fault injection attack could allow an attacker to bypass the redundancy check mechanisms, extract secret polynomial coefficients, force the acceptance of invalid shares, and/or manipulate the commitment verification process.
Recommendations:
For versions 0.7.6b0 and prior, consider the following mitigations:
- Deploy the software in environments with physical security controls.
- Increase the redundancy count by modifying the source code.
- Add external verification of cryptographic operations when possible.
- Consider using hardware security modules (HSMs) for key operations.
As a long-term solution, reimplementing the security-critical functions in a lower-level language such as Rust is recommended. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
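The recommendation to add external verification of cryptographic operations can be applied to Feldman VSS directly: the published commitments C_j = g^{a_j} let any party re-check a share without trusting the library's own code path. The example below is added here and is not the project's code; the group parameters p = 2039, q = 1019, g = 4 and the polynomial coefficients are small constructed values for illustration only.

```python
"""Independent Feldman VSS share verification (added example, not the project's code).

Assumed constructed parameters: p = 2q + 1 with p = 2039, q = 1019, and
g = 4 = 2^2 mod p, which generates the order-q subgroup. A real deployment
uses a proper large-prime group; the check itself is the same.
"""
import hmac

P = 2039   # constructed small prime, p = 2q + 1
Q = 1019   # prime order of the subgroup generated by g
G = 4      # generator of the order-q subgroup


def make_shares(coeffs, n):
    """Evaluate f(x) = sum(a_j * x^j) mod q at x = 1..n and publish C_j = g^{a_j} mod p.

    coeffs[0] is the secret; len(coeffs) is the threshold t.
    """
    shares = {}
    for x in range(1, n + 1):
        shares[x] = sum(a * pow(x, j, Q) for j, a in enumerate(coeffs)) % Q
    commitments = [pow(G, a, P) for a in coeffs]
    return shares, commitments


def verify_share(x, share, commitments):
    """Feldman check: g^share == prod_j C_j^(x^j) mod p.

    Exponents are reduced mod q because every C_j lies in the order-q subgroup.
    """
    lhs = pow(G, share, P)
    rhs = 1
    for j, c in enumerate(commitments):
        rhs = rhs * pow(c, pow(x, j, Q), P) % P
    # Compare fixed-width encodings so the final comparison does not leak
    # which byte differs (defence in depth; not a fault-injection defence).
    width = (P.bit_length() + 7) // 8
    return hmac.compare_digest(lhs.to_bytes(width, "big"),
                               rhs.to_bytes(width, "big"))


def failed_shares(shares, commitments):
    """Return the participant ids whose shares do not match the commitments."""
    return [x for x, s in shares.items() if not verify_share(x, s, commitments)]
```

Running the verification in a separate process, or on a separate host, from the one that produced the shares is what makes it "external": a fault that corrupts the producer's redundancy check does not also corrupt this one.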
Affected Products
Post-Quantum Secure Feldman's Verifiable Secret Sharing