Closed veorq closed 3 years ago
In the implementation of https://ethresear.ch/t/fast-verification-of-multiple-bls-signatures/5407, a zero coefficient would allow the verification of signatures including an invalid one (if assigned a zero r_i).
If the PRNG behaves correctly, the chance of this happening is negligible, but since a non-crypto PRNG is used, and as a defense-in-depth measure (along the same lines as ECDSA checks), I would recommend enforcing non-zeroness in:
https://github.com/ConsenSys/teku/blob/a0270026d4e70db13b0042eb057ffbdb5709e4ca/bls/src/main/java/tech/pegasys/teku/bls/impl/blst/BlstBLS12381.java#L185-L189
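The algebra behind the report above, as an added example that is not code from Teku, blst or the ethresear.ch post: batch verification folds all signatures into one check using random coefficients `r_i`, so a coefficient of zero drops that signature from the equation entirely. The example below models this with a toy prime field instead of BLS12-381 pairings (each "signature" is a pair of field elements that must be equal to be valid; the modulus `P` and the sample pairs are constructed for illustration), which is enough to show both the masking effect of `r_i = 0` and the recommended mitigation: draw coefficients from a CSPRNG and reject zero.

```python
# Added example (not Teku's or blst's code). Toy model of the
# random-linear-combination batch check used for BLS batch verification.
# A real verifier checks a product of pairings; here signature i is a pair
# (lhs_i, rhs_i) of field elements that are equal iff the signature is valid,
# and the batch check tests sum(r_i*lhs_i) == sum(r_i*rhs_i) mod P.
# The algebraic property of interest is identical: r_i == 0 removes
# signature i from the check.
import secrets

P = 2**127 - 1  # constructed prime modulus for the toy field (not BLS12-381)


def batch_check(pairs, coeffs):
    """Return True iff sum(r_i*lhs_i) == sum(r_i*rhs_i) (mod P).

    pairs:  list of (lhs, rhs) field elements, one per "signature".
    coeffs: list of random coefficients r_i, one per pair.
    """
    if len(pairs) != len(coeffs):
        raise ValueError("one coefficient per signature required")
    lhs = sum(r * a for r, (a, _) in zip(coeffs, pairs)) % P
    rhs = sum(r * b for r, (_, b) in zip(coeffs, pairs)) % P
    return lhs == rhs


def sample_nonzero_coeffs(n, bits=64):
    """Draw n coefficients from the OS CSPRNG and reject zero.

    This is the defense-in-depth check recommended in the issue: even if
    the generator misbehaves, a zero coefficient can never reach the batch
    equation. Rejection sampling keeps the distribution uniform over the
    non-zero values.
    """
    coeffs = []
    while len(coeffs) < n:
        r = secrets.randbits(bits)
        if r == 0:
            continue  # resample rather than let a zero coefficient through
        coeffs.append(r)
    return coeffs


def zero_coefficient_masks_invalid():
    """Demonstrate the failure mode with constructed data.

    The second "signature" is invalid (lhs != rhs). With r_2 = 0 the batch
    check still passes; with any non-zero r_2 it fails, because
    r_2 * (rhs_2 - lhs_2) is non-zero mod P whenever 0 < r_2 < P.
    """
    pairs = [(10, 10), (20, 21), (30, 30)]  # constructed: middle one invalid
    masked = batch_check(pairs, [5, 0, 7])   # True: invalid entry dropped
    caught = batch_check(pairs, [5, 3, 7])   # False: invalid entry detected
    return masked, caught


if __name__ == "__main__":
    masked, caught = zero_coefficient_masks_invalid()
    print("with r_2 = 0, batch passes despite invalid signature:", masked)
    print("with r_2 != 0, batch passes:", caught)
    print("CSPRNG non-zero coefficients:", sample_nonzero_coeffs(3))
```

With one invalid signature and non-zero coefficients the toy check always fails, since a single non-zero multiple of the discrepancy cannot vanish mod a prime; only the zero coefficient (or, with several invalid signatures, a coincidental cancellation of probability about 2^-bits) lets an invalid signature through, which is exactly why the non-zero check is cheap insurance.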
Good find! I'll take a look at this.
Looks like non-zeroness is enforced there, but I don't fully understand what they're doing:
https://github.com/status-im/nim-blscurve/blob/e1b9392b802ef53407035bf78a1d2a3f3067d7d7/blscurve/blst/blst_min_pubkey_sig_core.nim#L518-L521