Skip to content

Prevent the possibility of changing the threshold during Key Refresh #57

New issue
New issue
Closed
#223
Closed
Prevent the possibility of changing the threshold during Key Refresh#57
#223
Assignees
gilcu3
Labels
Security improvementNo Panic! Deserves to be fixed soon to prevent future security problems on misuseaudit
@SimonRastikian

Description

@SimonRastikian
SimonRastikian
opened on Sep 4, 2025

After looking into the security update of https://github.com/ZcashFoundation/frost/releases/tag/frost-core%2Fv2.2.0, we decided that we should ourselves also do this check to prevent in the future from running refresh while dropping the threshold.

Currently this seems difficult to do as the threshold is not hardcoded in the implementation, nor in the key shares making the check impossible to do as a library user could always make the mistake of refreshing with different threshold than the old one.
The equality of threshold and old_threshold obscures an inconsistency in the lower
layers of the protocol as currently written.

Could be tied to #18

Acceptance Criteria:

Short term, document that threshold congruence is deliberate and that removing this
property could have security consequences, so that it is not accidentally changed without
the developer being aware.
Long term, update the APIs to not tolerate different threshold values during key refresh if
they are not intended to be changed.

Metadata

Metadata

Assignees

Labels

Security improvementNo Panic! Deserves to be fixed soon to prevent future security problems on misuseaudit

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions