Earlier this year we bug bounty program Focuses on finding issues in the beacon chain specification and/or client implementation (Lighthouse, Nimbus, Teku, Prysm, etc…). The results (and vulnerability reports) were enlightening, as were the lessons learned while patching potential problems.
In this new series, we aim to explore and share some of the insights we have gained from our security work to date and the road ahead.
In this first post, we analyze some submissions specifically targeting BLS primitives.
disclaimer: All bugs mentioned in this post have already been fixed.
BLS is everywhere
few years ago, Diego F. Aranha gave a speech in 21st Elliptic Curve Cryptography Workshop title: The pairing isn’t dead, it’s just resting. How prophetic.
It is now 2021. Pairing is one of the main actors in many cryptographic primitives used in the blockchain space (and beyond). BLS Aggregate signatures, ZK-SNARKS system, etc.
Development and standardization work related to BLS signatures has been an ongoing project by EF researchers for some time. justin drake It is summarized in: His recent Reddit posts.
Latest and Best
There have been many updates in the meantime. BLS12-381 It is now universally recognized. pairing curve to be used Considering our current knowledge.
Three different IRTF drafts are currently in development.
- Pairing friendly curves
- BLS Signature
- Hashing with Elliptic Curve
Furthermore, Beacon chain specifications It has matured and has already been partially deployed. As mentioned above, BLS Signature It is an important piece of the puzzle behind Proof of Stake (PoS) and beacon chains.
Recent Lessons Learned
After collecting submissions targeting the BLS primitives used in the consensus layer, reported bugs can be divided into three areas:
- IRTF Draft Supervisor
- implementation mistake
- Violation of IRTF draft implementation
Let’s zoom in on each section.
IRTF Draft Supervisor
One of the reporters (Nguyen Thoy Minh Quan) found a discrepancy. IRTF draftWe have published two white papers containing our findings.
Although specific inconsistencies remain a topic. for discussionHe found something interesting avatar problem While conducting his research.
implementation mistake
Guido Brancken I was able to find a few “minor” issues. BLST using Differential fuzzing. See example below.
He concluded this by discovering a moderate vulnerability that affected it. blst_fp_eucl_inverse function in BLST.
Violation of IRTF draft implementation
The third category of bugs involves violations of the IRTF draft implementation. The first affected: prism client.
To explain this, I first need to provide a little background. that much BLS Signature The IRTF draft includes three plans:
- master plan
- Message Augmentation
- proof of ownership
that much prism client It does not distinguish between 3 unique APIs between implementations, e.g. py_ecc). One peculiar thing is master plan is quote verbatim: ‘This function first checks if all messages are distinct’ . This was not guaranteed. Check tally function. Prysm corrected these inconsistencies as follows: Usage Deprecated ~ Of Check tally (Not used anywhere in the Beacon Chain specification).
Second issue affected py_ecc. In this case the serialization process is ZCash BLS12-381 Specifications Storing integers is always within the scope of: (0, p – 1). that much py_ecc In our implementation, we only performed this check for the G2 group of BLS12-381. real part However, no modulus calculation was performed. imaginary part. This issue was resolved with the following pull request: Insufficient validation for decompress_G2 deserialization in py_ecc..
finish
Today, we looked at the BLS-related reports we received. bug bounty programBut this is not the end of the story of my security work or adventures with BLS.
we strongly encourage you Enables the consensus layer to continue to grow more secure over time. With this, we look forward to hearing from you and encourage you to join DIG! If you believe you have discovered a security vulnerability or bug related to Beacon Chain or its related clients, Submit a bug report! ππ¦