Paper 2021/323

0

Nguyen Thoi Minh Quan

Abstract

What is the funniest number in cryptography? 0. The reason is that for all x, x*0 = 0, i.e., the equation is always satisfied no matter what x is. This article discusses crypto bugs in four BLS signature libraries (ethereum/py_ecc, supranational/blst, herumi/bls, sigp/milagro_bls) that revolve around 0. Furthermore, we develop "splitting zero" attacks to show a weakness in the proof-of-possession aggregate signature scheme standardized in BLS RFC draft v4. The Eth2 bug bounty program generously awarded $35,000 in total for the reported bugs.

Note: latest version vs 1st version: clarify attack cost, remove proposed fix because proposing fix without proof is scary, add 1 attack scenario at protocol layer, answer 1 FAQ.

Metadata
Available format(s): PDF
Category: Public-key cryptography
Publication info: Preprint. Minor revision.
Keywords: BLS, aggregate signature
Contact author(s): msuntmquan @ gmail com
History:
2021-04-03: last of 3 revisions
2021-03-11: received
Short URL: https://ia.cr/2021/323
License: Creative Commons Attribution (CC BY)

BibTeX

@misc{cryptoeprint:2021/323,
      author = {Nguyen Thoi Minh Quan},
      title = {0},
      howpublished = {Cryptology ePrint Archive, Paper 2021/323},
      year = {2021},
      note = {\url{https://eprint.iacr.org/2021/323}},
      url = {https://eprint.iacr.org/2021/323}
}