Cryptology ePrint Archive: Report 2021/323
0
Nguyen Thoi Minh Quan
Abstract: What is the funniest number in cryptography? 0. The reason is that for all x, x*0 = 0, i.e., the equation is always satisfied no matter what x is. This article discusses crypto bugs in four BLS signature libraries (ethereum/py_ecc, supranational/blst, herumi/bls, sigp/milagro_bls) that revolve around 0. Furthermore, we develop “splitting zero” attacks to show a weakness in the proof-of-possession aggregate signature scheme standardized in BLS RFC draft v4. The Eth2 bug bounty program generously awarded $35,000 in total for the reported bugs.
Category / Keywords: public-key cryptography / BLS, aggregate signature
Date: received 10 Mar 2021, last revised 3 Apr 2021
Contact author: msuntmquan at gmail com
Note: latest version vs 1st version: clarify attack cost, remove proposed fix because proposing fix without proof is scary, add 1 attack scenario at protocol layer, answer 1 FAQ.
Version: 20210403:190259
Short URL: ia.cr/2021/323