2021-08-05

The talk explores crypto bugs in BLS signature libraries and introduces the concepts of zero-related bugs and aggregate signatures. The main focus is on signature verification and the exploitation of the property of zero.

- Introduction of terminology such as implementation bug, standard draft bug, private key, public key, and message
- Explanation of the concept of aggregate signatures and their advantages
- Focus on signature verification and the exploitation of the property of zero
- Discussion of the weaknesses in the standard draft and the implementation of the security check
- Introduction of the concept of pairing and its properties
- Explanation of the BLS signature and its verification process

What is the funniest number in cryptography? 0. The reason is that for all x, x*0 = 0, i.e., the equation is always satisfied no matter what x is. This talk will explore crypto bugs in four BLS signature libraries (ethereum/py_ecc, supranational/blst, herumi/bls, sigp/milagro_bls) that revolve around 0. Furthermore, we developed "splitting zero" attacks to show a weakness in the proof-of-possession aggregate signature scheme standardized in BLS RFC draft v4. The Eth2 bug bounty program generously awarded $35,000 in total for the reported bugs.
