Earlier this year we launched a bug bounty program focused on finding issues in the beacon chain specification and/or in client implementations (Lighthouse, Nimbus, Teku, Prysm, etc.). The results (and vulnerability reports) were enlightening, as were the lessons learned in correcting potential issues.
In this new series, we aim to explore and share some of the knowledge we’ve gained from security work so far and as we move forward.
This first article will analyze some of the submissions specifically targeting BLS primitives.
Disclaimer: All bugs mentioned in this article have already been fixed.
BLS is everywhere
A few years ago, Diego F. Aranha gave a talk at the 21st Workshop on Elliptic Curve Cryptography titled: Pairings are not dead, just resting. How prophetic.
Here we are in 2021, and pairings are one of the main players behind many cryptographic primitives used in the blockchain space (and beyond): BLS aggregate signatures, ZK-SNARKS systems, etc.
Development and standardization work related to BLS signatures has been an ongoing project for EF researchers for some time now, led in part by Justin Drake and summarized in one of his recent posts on Reddit.
The latest and greatest
In the meantime, many updates have been made. BLS12-381 is now universally recognized as the pairing-friendly curve to use given our current knowledge.
Three different IRTF drafts are currently in progress:
- Pairing-friendly curves
- BLS signature
- Hashing to elliptic curves
Furthermore, the beacon chain specification has matured and is already partially deployed. As mentioned above, BLS signatures are an important piece of the puzzle behind proof of stake (PoS) and the beacon chain.
Recent lessons learned
After collecting submissions targeting BLS primitives used in the consensus layer, we are able to divide the reported bugs into three areas:
- IRTF draft inconsistencies
- Implementation bugs
- IRTF draft implementation violations
Let’s zoom in on each.
IRTF draft inconsistencies
One of the reporters, Nguyen Thoi Minh Quan, noted inconsistencies in the IRTF draft and published two whitepapers containing his findings:
Even if specific inconsistencies remain subject to debate, he found some interesting implementation issues in the course of his research.
Implementation bugs
Guido Vranken was able to uncover several “small” issues in BLST using differential fuzzing. See examples below:
He topped this off with the discovery of a moderate vulnerability affecting the BLST function blst_fp_eucl_inverse.
IRTF draft implementation violations
A third category of bugs was related to IRTF draft implementation violations. The first hit the Prysm client.
In order to describe this, we first need to provide some context. The BLS signature IRTF draft includes three schemes:
- Basic scheme
- Message augmentation
- Proof of possession
The Prysm client does not distinguish between the three in its API, which is unique among implementations (e.g. py_ecc). A peculiarity of the basic scheme, quoted verbatim from the draft: “This function first ensures that all messages are distinct”. This was not ensured in the AggregateVerify function. Prysm fixed this discrepancy by deprecating the use of AggregateVerify (which is not used anywhere in the beacon chain specification).
A second issue impacted py_ecc. In this case, the serialization process described in the ZCash BLS12-381 specification mandates that the stored integers are always in the range (0, p-1). The py_ecc implementation performed this check for the G2 group of BLS12-381 only for the real part, but did not perform the modulus operation for the imaginary part. The issue was fixed with the following pull request: Insufficient validation when deserializing decompress_G2 in py_ecc.
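To make the second issue concrete, here is an added Python example (not code from the original post or from py_ecc) that parses the ZCash compressed G2 format and contrasts a one-sided range check with one that validates both Fp2 coefficients of x; the function names and the constructed inputs are assumptions, and square-root recovery and subgroup checks are left out.

```python
# Added example (not code from the original post or from py_ecc): range
# validation of a compressed BLS12-381 G2 x-coordinate per the ZCash
# serialization format. Square-root recovery and subgroup checks are omitted.

# BLS12-381 base field modulus p (381 bits, so bits 381..383 are free for flags).
P = int(
    "1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f624"
    "1eabfffeb153ffffb9feffffffffaaab", 16)
MASK_381 = (1 << 381) - 1


def encode_g2_x(c1: int, c0: int, infinity: bool = False, sign: int = 0) -> bytes:
    """Build a 96-byte compressed G2 encoding: flags + x.c1, then x.c0.
    Deliberately unchecked so that malformed test inputs can be constructed."""
    flags = (1 << 2) | (int(infinity) << 1) | (sign & 1)   # C, I, S bits
    first = ((flags << 381) | (c1 & MASK_381)).to_bytes(48, "big")
    return first + c0.to_bytes(48, "big")


def _split_compressed_g2(data: bytes):
    if len(data) != 96:
        raise ValueError("compressed G2 point must be 96 bytes")
    first, second = data[:48], data[48:]
    c_flag, inf_flag, sign_flag = first[0] >> 7, (first[0] >> 6) & 1, (first[0] >> 5) & 1
    if not c_flag:
        raise ValueError("compression flag not set")
    x_c1 = int.from_bytes(first, "big") & MASK_381   # imaginary coefficient
    x_c0 = int.from_bytes(second, "big")             # real coefficient
    return x_c1, x_c0, inf_flag, sign_flag


def parse_g2_x_lenient(data: bytes):
    """Mirrors the reported weakness: only one coefficient is range-checked,
    so an encoding with x.c1 >= p is accepted as if it were a field element."""
    x_c1, x_c0, _, _ = _split_compressed_g2(data)
    if x_c0 >= P:
        raise ValueError("x.c0 out of range")
    return x_c1, x_c0


def parse_g2_x_strict(data: bytes):
    """Hardened variant: both coefficients of x must lie in [0, p-1], and the
    point-at-infinity flag requires a zero x and a clear sign bit."""
    x_c1, x_c0, inf_flag, sign_flag = _split_compressed_g2(data)
    if x_c0 >= P or x_c1 >= P:
        raise ValueError("x coefficient out of range [0, p-1]")
    if inf_flag and (x_c0 or x_c1 or sign_flag):
        raise ValueError("malformed point-at-infinity encoding")
    return x_c1, x_c0
```

With `encode_g2_x(P, 7)` as input, the lenient parser returns the non-canonical value while the strict one rejects it.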
Conclusion
Today we reviewed the BLS-related reports we received as part of our bug bounty program, but this is certainly not the end of the story for security work or for BLS-related adventures.
We strongly encourage you to help ensure that the consensus layer continues to become more secure over time. With that, we look forward to hearing from you and encourage you to DIG! If you think you have found a security vulnerability or any bug related to the beacon chain or associated clients, submit a bug report! 💜🦄