poanetwork / vdf

An implementation of Verifiable Delay Functions in Rust
Apache License 2.0

Weak FS + insecure primality check vulnerability #25

Open agostbiro opened 4 months ago

agostbiro commented 4 months ago

Hi,

Thanks for what I think is the first Wesolowski VDF implementation in Rust!

As I studied up on Wesolowski VDF implementations, I noticed that this repo is vulnerable to the vulnerability described in the Weak Fiat-Shamir Attacks on Modern Proof Systems paper (p. 14 and onwards). The issue is that hash_prime doesn't include the time delay and the group description in the hash. This can lead to the attacker forging proofs for very large time delays. As the paper explains, an actual attack is unlikely since the time delay variable is only 64-bits. The fix would be to include the number of iterations and the discriminant in the hash.

The second issue is with the primality check in hash_prime. GMP's primality checking up to and including 6.1.2 was vulnerable to adversary controlled input, since it didn't do a Baillie-PSW primality test in addition to Miller-Rabin tests. My understanding is that this repo will use whatever version of GMP is installed on the system, so I think we should assert that we're using a safe version of GMP. The Prime and Prejudice: Primality Testing Under Adversarial Conditions contains more info about the problem with Miller-Rabin tests.

I'm happy to provide a PR if you agree with the proposed fixes.

I didn't think these vulnerabilities warrant private disclosure since the linked paper lists this repo as vulnerable to the first one and the second one is about using a vulnerable dependency.

Best, Agost
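To make the two proposed fixes concrete, here is an added worked example (not code from the vdf crate or from the issue author). It implements a toy Wesolowski evaluate/prove/verify loop in which the challenge prime is derived from a transcript that binds the group description, the number of iterations, the input and the output, and in which the prime search uses a Baillie-PSW check (one Miller-Rabin round base 2 plus a strong Lucas test) rather than Miller-Rabin alone. Assumptions: the group is an RSA-style multiplicative group modulo a constructed modulus `N` standing in for the class group of the crate's discriminant, the transcript encoding and domain tag are invented for this example, and the GMP version assertion mentioned in the issue is not shown since this code uses Python integers only.

```python
import hashlib
import math

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def _sprp_base2(n: int) -> bool:
    """Strong probable-prime test to base 2 (one Miller-Rabin round)."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    x = pow(2, d, n)
    if x in (1, n - 1):
        return True
    for _ in range(s - 1):
        x = x * x % n
        if x == n - 1:
            return True
    return False


def _jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n) for odd n > 0."""
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def _half_mod(x: int, n: int) -> int:
    """Exact division by 2 modulo odd n."""
    x %= n
    return ((x + n) // 2 if x % 2 else x // 2) % n


def _strong_lucas(n: int) -> bool:
    """Strong Lucas probable-prime test with Selfridge's parameter choice (method A)."""
    if math.isqrt(n) ** 2 == n:
        return False
    D = 5
    while True:
        j = _jacobi(D, n)
        if j == -1:
            break
        if j == 0:          # 1 < gcd(D, n) < n once trial division has run: composite
            return False
        D = -D - 2 if D > 0 else -D + 2
    P, Q = 1, (1 - D) // 4
    d, s = n + 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    U, V, Qk = 1, P, Q % n                      # U_1, V_1, Q^1
    for bit in bin(d)[3:]:                      # left-to-right binary ladder
        U, V, Qk = U * V % n, (V * V - 2 * Qk) % n, Qk * Qk % n      # k -> 2k
        if bit == "1":                                                # k -> k+1
            U, V = _half_mod(P * U + V, n), _half_mod(D * U + P * V, n)
            Qk = Qk * Q % n
    if U == 0 or V == 0:                        # U_d == 0 or V_d == 0
        return True
    for _ in range(s - 1):                      # V_{d*2^r} == 0 for some 0 < r < s
        V, Qk = (V * V - 2 * Qk) % n, Qk * Qk % n
        if V == 0:
            return True
    return False


def is_probable_prime(n: int) -> bool:
    """Baillie-PSW: trial division, then base-2 Miller-Rabin, then strong Lucas."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    if n < SMALL_PRIMES[-1] ** 2:
        return True
    return _sprp_base2(n) and _strong_lucas(n)


DOMAIN_TAG = b"example-wesolowski/hash_prime/v0"   # constructed, not the crate's


def _enc(v: int) -> bytes:
    """Unambiguous sign + length-prefixed big-endian encoding of an integer."""
    mag = abs(v).to_bytes(max(1, (abs(v).bit_length() + 7) // 8), "big")
    return bytes([int(v < 0)]) + len(mag).to_bytes(8, "big") + mag


def hash_prime(modulus: int, iterations: int, x: int, y: int, bits: int = 128) -> int:
    """Fiat-Shamir challenge prime bound to the whole statement (group, t, x, y)."""
    transcript = DOMAIN_TAG + _enc(modulus) + _enc(iterations) + _enc(x) + _enc(y)
    counter = 0
    while True:
        digest = hashlib.sha256(transcript + counter.to_bytes(8, "big")).digest()
        cand = int.from_bytes(digest[: bits // 8], "big") | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand
        counter += 1


def evaluate(modulus: int, iterations: int, x: int) -> int:
    return pow(x, 1 << iterations, modulus)            # y = x^(2^t)


def prove(modulus: int, iterations: int, x: int, y: int) -> int:
    l = hash_prime(modulus, iterations, x, y)
    return pow(x, (1 << iterations) // l, modulus)      # pi = x^floor(2^t / l)


def verify(modulus: int, iterations: int, x: int, y: int, proof: int) -> bool:
    l = hash_prime(modulus, iterations, x, y)           # recomputed from the bound transcript
    r = pow(2, iterations, l)
    return pow(proof, l, modulus) * pow(x, r, modulus) % modulus == y
```

Because `iterations` and `modulus` are part of the hashed transcript, a (y, proof) pair accepted for one delay is rejected under any other delay or group, which is the property the unbound `hash_prime` in the report lacks; the `is_probable_prime` routine shows what "Miller-Rabin plus a Lucas test" looks like so that a reader can compare it with the primality check their GMP build performs.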