Common MPC Pitfalls

Multichain fastMPC DLN `Iterations = 1` (TSSHOCK)

Multichain’s anyswap/FastMulThreshold-DSA, a fork of bnb-chain/tss-lib, reduced the DLN proof iteration constant from the spec-mandated 128 down to 1 in commit 4e543437c6, collapsing the soundness margin to a coin flip per attempt (source):

```go
// FILE: smpc-lib/crypto/ec2/ntildeZK.go — anyswap/FastMulThreshold-DSA @ 4e543437 (vulnerable)
const (
	// Iterations iter times
	Iterations = 1
)
```

Verichains demonstrated the TSSHOCK c-guess attack against this configuration: the adversary submits parallel signing requests, forges a valid DLN proof on roughly half of them, and uses the forged proof to extract a signing key share in a single signing ceremony.

The fix in commit 7727e4f833 restored the constant (source):

```go
// FILE: smpc-lib/crypto/ec2/ntildeZK.go — anyswap/FastMulThreshold-DSA @ 7727e4f8 (fixed)
const (
	// Iterations iter times
	Iterations = 128
)
```
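To make the soundness point concrete, here is an added, self-contained Go sketch of a tss-lib-style DLN proof (h2 = h1^x mod N, one hash bit per round). It is not code from Multichain, tss-lib or Verichains. The iteration count is an explicit parameter rather than a compile-time constant, and the verifier enforces the spec's 128 rounds itself, so a peer built with a reduced constant is rejected regardless of what its own build says. The group parameters are constructed toy values (N = 23·47, x = 17) chosen so the example runs instantly; they are not secure.

```go
package main

import (
	"crypto/rand"
	"crypto/sha512"
	"errors"
	"fmt"
	"math"
	"math/big"
)

// MinIterations is the number of parallel single-bit challenges the spec requires.
// A prover who guesses every challenge bit in advance passes with probability
// 2^-rounds: 1/2 with one round, negligible at 128.
const MinIterations = 128

// DLNProof is a proof that h2 = h1^x mod N for a secret x, over len(Alpha) rounds.
type DLNProof struct {
	Alpha []*big.Int // commitments h1^a_i
	T     []*big.Int // responses a_i + c_i*x mod pq
}

// challengeBits hashes the statement and all commitments (length-prefixed);
// bit i of the 256-bit digest is the challenge for round i.
func challengeBits(h1, h2, N *big.Int, alpha []*big.Int) []byte {
	h := sha512.New512_256()
	for _, v := range append([]*big.Int{h1, h2, N}, alpha...) {
		b := v.Bytes()
		h.Write([]byte{byte(len(b) >> 8), byte(len(b))})
		h.Write(b)
	}
	return h.Sum(nil)
}

func bit(digest []byte, i int) int64 { return int64(digest[i/8]>>(i%8)) & 1 }

// Prove builds an honest proof with the given number of rounds; pq is the order
// of the subgroup containing h1 (p*q when N = (2p+1)(2q+1)).
func Prove(h1, h2, x, pq, N *big.Int, rounds int) (*DLNProof, error) {
	if rounds < 1 || rounds > 256 {
		return nil, errors.New("rounds out of range for a 256-bit challenge")
	}
	alpha := make([]*big.Int, rounds)
	a := make([]*big.Int, rounds)
	for i := range a {
		r, err := rand.Int(rand.Reader, pq)
		if err != nil {
			return nil, err
		}
		a[i] = r
		alpha[i] = new(big.Int).Exp(h1, r, N)
	}
	c := challengeBits(h1, h2, N, alpha)
	t := make([]*big.Int, rounds)
	for i := range t {
		// t_i = a_i + c_i * x (mod pq)
		t[i] = new(big.Int).Mul(big.NewInt(bit(c, i)), x)
		t[i].Add(t[i], a[i]).Mod(t[i], pq)
	}
	return &DLNProof{Alpha: alpha, T: t}, nil
}

// Verify checks h1^t_i == alpha_i * h2^c_i for every round and refuses any
// proof with fewer than MinIterations rounds before doing any arithmetic.
func Verify(pr *DLNProof, h1, h2, N *big.Int) error {
	if pr == nil || len(pr.Alpha) != len(pr.T) {
		return errors.New("malformed proof")
	}
	if len(pr.Alpha) < MinIterations {
		return fmt.Errorf("proof has %d rounds, spec requires %d", len(pr.Alpha), MinIterations)
	}
	c := challengeBits(h1, h2, N, pr.Alpha)
	for i := range pr.Alpha {
		if pr.Alpha[i] == nil || pr.T[i] == nil {
			return fmt.Errorf("round %d: nil element", i)
		}
		lhs := new(big.Int).Exp(h1, pr.T[i], N)
		rhs := new(big.Int).Exp(h2, big.NewInt(bit(c, i)), N)
		rhs.Mul(rhs, pr.Alpha[i]).Mod(rhs, N)
		if lhs.Cmp(rhs) != 0 {
			return fmt.Errorf("round %d: equation does not hold", i)
		}
	}
	return nil
}

// CheatSuccessProbability is the chance a prover who knows no x passes by
// guessing all challenge bits: 2^-rounds.
func CheatSuccessProbability(rounds int) float64 { return math.Pow(2, -float64(rounds)) }

// toyParams returns constructed, insecure parameters: safe primes P=23, Q=47,
// N=1081, quadratic-residue subgroup of order pq=11*23=253, h1=2^2, secret x=17.
func toyParams() (h1, h2, x, pq, N *big.Int) {
	N, pq = big.NewInt(23*47), big.NewInt(11*23)
	h1, x = big.NewInt(4), big.NewInt(17)
	h2 = new(big.Int).Exp(h1, x, N)
	return
}

func main() {
	h1, h2, x, pq, N := toyParams()
	for _, rounds := range []int{1, 128} {
		pr, _ := Prove(h1, h2, x, pq, N, rounds)
		fmt.Printf("rounds=%3d cheat p=%.3g verify: %v\n", rounds,
			CheatSuccessProbability(rounds), Verify(pr, h1, h2, N))
	}
}
```

The check that matters for this pitfall is the length test at the top of Verify: tss-lib's verifier loops over a shared constant, so both sides silently agree on however many rounds the binary was built with, and nothing flags a downgrade. Reading the round count from the proof and comparing it against a floor the verifier owns turns a one-line constant change into a hard verification failure.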