Zero - The Funniest Number in Cryptography

Conference:  BlackHat USA 2021



The talk explores crypto bugs in BLS signatures' libraries and introduces the concept of zero-related bugs and aggregate signature. The main focus is on signature verification and the exploitation of the property of zero.
  • Introduction of terminology such as implementation bug, standard graph bug, private key, public key, and message
  • Explanation of the concept of aggregate signature and its advantages
  • Focus on signature verification and the exploitation of the property of zero
  • Discussion of the weaknesses in the standard draft and the implementation of the security check
  • Introduction of the concept of pairing and its properties
  • Explanation of the BLS signature and its verification process
The speaker introduces the concept of zero as the funniest number in cryptography and explains how it can be exploited in signature verification. The use of aggregate signature is also illustrated with the example of millions of signatures being sent and verified, which can be costly in terms of bandwidth and CPU time. The speaker also highlights the importance of implementing the security check mandated by the standard to prevent zero-related bugs.


What is the funniest number in cryptography? 0. The reason is that for all x, x*0 = 0, i.e., the equation is always satisfied no matter what x is. This talk will explore crypto bugs in four BLS signatures' libraries (ethereum/py ecc, supranational/blst, herumi/bls, sigp/milagro bls) that revolve around 0. Furthermore, we developed "splitting zero" attacks to show a weakness in the proof-of-possession aggregate signature scheme standardized in BLS RFC draft v4. Eth2 bug bounties program generously awarded $35,000 in total for the reported bugs.