Secured no. 1 | Ethereum Foundation Blog


Earlier this year, we launched a bug bounty program focused on finding issues in the beacon chain specification and/or client implementations (Lighthouse, Nimbus, Teku, Prysm, etc.). The results (and vulnerability reports) have been as instructive as the lessons learned from fixing potential issues.

In this new series, our goal is to explore and share some of the insights we have gained from our security work so far and as we move forward.

This first post analyzes some submissions specifically targeting BLS primitives.

Disclaimer: All of the bugs mentioned in this post have been fixed.

BLS is everywhere

Years ago, Diego F. Aranha gave a talk at the 21st Workshop on Elliptic Curve Cryptography titled: Pairings are not dead, just resting. How prophetic.

It's 2021, and pairings are one of the main actors behind many cryptographic primitives used in the blockchain space (and beyond): BLS aggregate signatures, ZK-SNARK systems, etc.

For a while now, the development and standardization work around BLS signatures has been an ongoing project for EF researchers, partly led by Justin Drake and summarized in his recent post on reddit.

Newest and greatest

Many updates have happened in that time. BLS12-381 is now generally considered the pairing curve to use, given our current knowledge.

Three different IRTF drafts are currently in development:

  1. Pairing-friendly curves
  2. BLS signatures
  3. Hashing to elliptic curves

On top of that, the beacon chain specification has matured and has been partially deployed. As mentioned earlier, BLS signatures are an important piece of the puzzle behind Proof of Stake (PoS) and the beacon chain.

Recent lessons

After collecting submissions on the BLS primitives used in the consensus layer, we were able to divide the reported bugs into three areas:

  • IRTF draft oversights
  • Implementation bugs
  • IRTF draft implementation violations

Let's zoom in on each of them.

IRTF draft oversights

One of the reporters, Nguyen Thoi Minh Quan, found discrepancies in the IRTF drafts and published two white papers containing his findings:

While the specific inconsistencies are still under debate, he found some interesting implementation issues while conducting his research.

Implementation bugs

Guido Vranken was able to find several "small" issues in BLST using differential fuzzing. See the following examples:

He eventually found an issue affecting BLST's blst_fp_eucl_inverse function.

IRTF draft implementation violations

The third category of bugs concerns violations of the IRTF draft. The first one affected the Prysm client.

To describe it, we first need some background. The BLS signature IRTF draft includes three schemes:

  1. Basic scheme
  2. Message augmentation
  3. Proof of possession

The Prysm client did not differentiate between the three in its API, which sets it apart from other implementations (e.g. py_ecc). One property of the basic scheme is, verbatim: "This function first ensures that all messages are distinct". This was not ensured at the time in the AggregateVerify function. Prysm fixed it by deprecating the use of AggregateVerify (which is not used anywhere in the beacon chain specification).
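To make the difference between the three schemes concrete, here is an added example (not Prysm's or py_ecc's code, and not part of the original post) of the scheme-specific preparation that the IRTF draft puts in front of CoreAggregateVerify. The scheme names follow the draft; the function and parameter names are this example's own, and public keys are assumed to be passed already serialized as bytes. The basic-scheme branch performs exactly the distinct-messages check that was missing.

```python
# Added example (not Prysm's or py_ecc's code): scheme-specific input
# preparation for aggregate verification, following the BLS signature IRTF
# draft.  Names here are this example's own; pubkeys are assumed to arrive
# already serialized as bytes.
from enum import Enum
from typing import List, Sequence


class Scheme(Enum):
    BASIC = "basic"
    MESSAGE_AUGMENTATION = "message_augmentation"
    PROOF_OF_POSSESSION = "proof_of_possession"


def prepare_aggregate_inputs(scheme: Scheme, pubkeys: Sequence[bytes],
                             messages: Sequence[bytes],
                             pops_verified: bool = False) -> List[bytes]:
    """Return the message list that CoreAggregateVerify should pair with
    `pubkeys`, or raise ValueError when the scheme's precondition fails.

    For the basic scheme that precondition is the distinct-messages check
    that Prysm's AggregateVerify did not perform.
    """
    if len(pubkeys) != len(messages):
        raise ValueError("need exactly one public key per message")

    if scheme is Scheme.BASIC:
        # Basic scheme: "this function first ensures that all messages are
        # distinct"; without it, the scheme's security argument no longer
        # covers an aggregate over a shared message.
        if len(set(messages)) != len(messages):
            raise ValueError("basic scheme: messages must be distinct")
        return list(messages)

    if scheme is Scheme.MESSAGE_AUGMENTATION:
        # Each signer signs PK || message, so two signers of the same
        # message still yield distinct inputs to the core routine.
        return [pk + msg for pk, msg in zip(pubkeys, messages)]

    if scheme is Scheme.PROOF_OF_POSSESSION:
        # The same message from many signers is allowed, but only once every
        # key's proof of possession has been verified (normally at
        # registration time, before any aggregate is accepted).
        if not pops_verified:
            raise ValueError("proof-of-possession scheme: verify PoPs first")
        return list(messages)

    raise ValueError(f"unknown scheme: {scheme!r}")


def basic_scheme_rejects_duplicates(pubkeys: Sequence[bytes],
                                    messages: Sequence[bytes]) -> bool:
    """True when the basic-scheme precondition rejects this input."""
    try:
        prepare_aggregate_inputs(Scheme.BASIC, pubkeys, messages)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    keys, same_msg = [b"pk1", b"pk2"], [b"attest", b"attest"]
    print("basic rejects duplicate messages:",
          basic_scheme_rejects_duplicates(keys, same_msg))
    print("augmented inputs:",
          prepare_aggregate_inputs(Scheme.MESSAGE_AUGMENTATION, keys, same_msg))
```

An API that exposes a single AggregateVerify without a scheme parameter has to pick one of these branches implicitly; making the scheme explicit, as above, is what lets the caller see which precondition is being enforced.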

The second issue affected py_ecc. Here, the serialization process in the ZCash BLS12-381 specification requires stored integers to always be in the range [0, p - 1]. py_ecc implemented this check only for the real part of the G2 group of BLS12-381 and performed no modulo check on the imaginary part. This issue was fixed with the following pull request: Insufficient validation in py_ecc's decompress_G2 deserialization.
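The following is an added example (not py_ecc's code, and not part of the original post) of the range validation that decompressing a ZCash-format G2 point has to apply to both Fp2 coordinates. It assumes the ZCash BLS12-381 byte layout: 96 bytes, the first 48 carrying x.c1 (the imaginary part) with the C/I/S flag bits on top, the last 48 carrying x.c0 (the real part). Curve arithmetic (recovering y, subgroup checks) is out of scope; the point is that a limb greater than or equal to p is a second encoding of an existing point, and a check on only one limb lets it through. The `check_imaginary_part=False` switch reproduces the defect as the post describes it.

```python
# Added example (not py_ecc's code): canonical-range validation for a
# ZCash-format compressed BLS12-381 G2 point.  Layout assumed: 96 bytes,
# first 48 = x.c1 (imaginary part) with flag bits C/I/S at bits 7/6/5 of
# byte 0, last 48 = x.c0 (real part).  Only parsing and range checks are
# shown; no curve arithmetic.

# BLS12-381 base field modulus p (a 381-bit prime).
P = 0x1A0111EA397FE69A4B1BA7B6434BACD764774B84F38512BF6730D2A0F6B0F6241EABFFFEB153FFFFB9FEFFFFFFFFAAAB

C_FLAG, I_FLAG, S_FLAG = 0x80, 0x40, 0x20   # compressed / infinity / sort
COORD_MASK = (1 << 381) - 1                  # limb bits below the three flags


def encode_g2_compressed(c0: int, c1: int, sort: bool = False,
                         infinity: bool = False) -> bytes:
    """Constructed helper: build the 96-byte encoding WITHOUT range checks,
    so that non-canonical inputs (limb >= p) can be produced for testing."""
    if c0 >> 381 or c1 >> 381:
        raise ValueError("limb does not fit in 381 bits")
    flags = C_FLAG | (I_FLAG if infinity else 0) | (S_FLAG if sort else 0)
    first = ((flags << 376) | c1).to_bytes(48, "big")   # flag byte on top of c1
    return first + c0.to_bytes(48, "big")


def parse_g2_compressed(raw: bytes, check_imaginary_part: bool = True) -> dict:
    """Parse and validate a compressed G2 encoding.

    check_imaginary_part=False reproduces the defect described in the post:
    only the real part (x.c0) is range-checked.
    """
    if len(raw) != 96:
        raise ValueError("compressed G2 point must be 96 bytes")
    flags = raw[0] & (C_FLAG | I_FLAG | S_FLAG)
    if not flags & C_FLAG:
        raise ValueError("compression flag (bit 7) must be set")
    c1 = int.from_bytes(raw[:48], "big") & COORD_MASK
    c0 = int.from_bytes(raw[48:], "big")

    if flags & I_FLAG:
        # Point at infinity: sort bit clear and every coordinate bit zero.
        if flags & S_FLAG or c1 or c0:
            raise ValueError("non-canonical point-at-infinity encoding")
        return {"infinity": True, "c0": 0, "c1": 0, "sort": False}

    # Every limb must be a canonical field element in [0, p-1]; otherwise
    # limb and (limb mod p) are two encodings of the same point.
    if c0 >= P:
        raise ValueError("x.c0 out of range [0, p-1]")
    if check_imaginary_part and c1 >= P:
        raise ValueError("x.c1 out of range [0, p-1]")
    return {"infinity": False, "c0": c0, "c1": c1, "sort": bool(flags & S_FLAG)}


def accepts(raw: bytes, check_imaginary_part: bool = True) -> bool:
    """True when the parser accepts `raw` under the chosen checking mode."""
    try:
        parse_g2_compressed(raw, check_imaginary_part)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    canonical = encode_g2_compressed(c0=1, c1=2)
    aliased = encode_g2_compressed(c0=1, c1=P + 2)   # x.c1 == 2 (mod p)
    print("canonical, both limbs checked:", accepts(canonical))
    print("aliased, real part only:     ", accepts(aliased, check_imaginary_part=False))
    print("aliased, both limbs checked: ", accepts(aliased))
```

The aliased input decodes to the same curve point as the canonical one, which is what makes the missing check a deserialization bug rather than a harmless quirk: any consumer that compares or hashes encodings (key registries, signature caches, uniqueness checks) would treat the two as different objects.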

Wrap up

Today we reviewed the BLS-related reports received as part of our bug bounty program, but this is definitely not the end of the security work, nor of the adventure stories related to BLS.

We strongly encourage you to help ensure that the consensus layer continues to become more secure over time. So, we look forward to hearing from you and encourage you to dig in! If you think you have discovered a security vulnerability or any bug related to the beacon chain or related clients, submit a bug report! 💜🦄
