Closed sync-by-unito[bot] closed 3 years ago
➤ comh commented:
skale-sec-ops triaged report 1186912 ( https://hackerone.com/bugs?report_id=1186912&subject=skale_network#activity-11660531 ) on HackerOne
{panel} Hello [@rumata|/rumata] Thank you for your submission! We were able to validate your report, and have submitted it to the libBLS team for review. A fix is now in process. Please note that the status and severity are subject to change. Best, [@skale-sec-ops|/skale-sec-ops]
{panel}
➤ comh commented:
hackbot suggested, CWE-697, MITRE ( https://cwe.mitre.org/data/definitions/697.html ) for remediation guidance on HackerOne
➤ comh commented:
skale-sec-ops posted a comment on report 1186912 ( https://hackerone.com/bugs?report_id=1186912&subject=skale_network#activity-11661894 ) on HackerOne
{panel} [@rumata|/rumata] the libBLS team would like to use your code and integrate it into the libBLS repo for testing and further investigation. The team kindly asks that you open a PR in libBLS and place your .sage script under /scripts and your .cpp under /test and finally please sign the CLA in the PR. If you have any questions, please let us know.
{panel}
➤ comh commented:
rumata posted a comment on report 1186912 ( https://hackerone.com/bugs?report_id=1186912&subject=skale_network#activity-11666288 ) on HackerOne
{panel} I made a PR and tried to sign in with github at cla.skale.network. If that is what it means to sign the CLA, then I completed it. I slightly changed the dkg_attack.cpp in comparison to what I submitted here, because I saw a misleading request that was left over from an earlier version. Please tell me if there are any issues.
{panel}
➤ comh commented:
rumata posted a comment on report 1186912 ( https://hackerone.com/bugs?report_id=1186912&subject=skale_network#activity-11666607 ) on HackerOne
{panel} Ok, I signed the CLA in PR. (Had to do another PR because of commit name/email configuration)
{panel}
➤ comh commented:
skale-sec-ops posted a comment on report 1186912 ( https://hackerone.com/bugs?report_id=1186912&subject=skale_network#activity-11666693 ) on HackerOne
{panel} [@rumata|/rumata] Fantastic, the team appreciates your PR and signing the CLA. The team will provide another update on Monday. In the meantime, feel free to reach out if you have any concerns or other questions.
{panel}
➤ comh commented:
skale-sec-ops posted a comment on report 1186912 ( https://hackerone.com/bugs?report_id=1186912&subject=skale_network#activity-11685787 ) on HackerOne
{panel} [@rumata|/rumata] can you please clarify and further explain how you arrived at the conclusion "that the probability that the equations are not linearly independent is 1/10069"?
{panel}
➤ comh commented:
rumata posted a comment on report 1186912 ( https://hackerone.com/bugs?report_id=1186912&subject=skale_network#activity-11685935 ) on HackerOne
{panel} This is a rough estimate, it will actually be a bit more than that. I should have written "~1/10069", since I am using a subgroup of order 10069. For a bigger subgroup it will obviously be smaller. The idea is pretty simple: let's say we have a matrix: [ [ a, x_0_1, x_0_2 ], [ a, x_1_1, x_1_2 ], [ a, x_2_1, x_2_2 ] ]. Let's say that the 0th and 1st and 0th and 2nd rows are linearly independent (the way we construct from i to the power of j that will be the case). We take the 0th row and reduce the first and second row, after which we are left with the 0th row definitely independent of the first and second. First and second now consist of 0 at position 1 and two elements: [ [ 0, y_1_1, y_1_2 ], [ 0, y_2_1, y_2_2 ] ]. They are linearly dependent when y_1_2/y_1_1 = y_2_2/y_2_1. If we pick a uniform random k = y_2_2/y_2_1, then the probability that y_1_2/y_1_1 = k is ~1/(order of field). So for rank of matrix = n-1 the probability is ~1/(order of field). For rank = n-2 it will be somewhere around the square of that. So the sum of probabilities will be ~1/(order of field).
{panel}
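As an added illustration of the "~1/(order of field)" heuristic in the comment above (this is not code from the report or from libBLS): the script computes the exact probability that a uniformly random n x n matrix over GF(q) is singular, confirms it by exhaustive enumeration for a tiny field, and samples how the rank deficiency is distributed. It does not model the structured (powers-of-i) matrix the report builds; the field sizes and sample counts are constructed for the illustration only.

```python
"""Probability that a uniformly random n x n matrix over GF(q) is singular.

Added example, not code from the HackerOne report or from libBLS. It puts a
number on the "~1/(order of field)" heuristic: for entries uniform in GF(q),
P[singular] = 1 - prod_{i=1..n} (1 - q^-i) = 1/q + O(1/q^2). The structured
(Vandermonde-style) matrix from the report is not modelled here; the small
field sizes and sample counts below are constructed for illustration only.
"""
from fractions import Fraction
from itertools import product
import random


def rank_mod_q(rows, q):
    """Rank of a matrix over GF(q), q prime, by Gauss-Jordan elimination."""
    m = [[v % q for v in r] for r in rows]
    rank = 0
    ncols = len(m[0]) if m else 0
    for col in range(ncols):
        pivot = next((i for i in range(rank, len(m)) if m[i][col]), None)
        if pivot is None:
            continue                       # no pivot in this column
        m[rank], m[pivot] = m[pivot], m[rank]
        inv = pow(m[rank][col], q - 2, q)  # Fermat inverse of the pivot
        m[rank] = [(v * inv) % q for v in m[rank]]
        for i in range(len(m)):
            if i != rank and m[i][col]:
                f = m[i][col]
                m[i] = [(a - f * b) % q for a, b in zip(m[i], m[rank])]
        rank += 1
    return rank


def singular_probability(n, q):
    """Exact P[rank < n] for a uniform n x n matrix over GF(q)."""
    nonsingular = Fraction(1)
    for i in range(1, n + 1):
        nonsingular *= 1 - Fraction(1, q ** i)
    return 1 - nonsingular


def count_singular_exhaustive(n, q):
    """Brute-force count of singular n x n matrices over GF(q) (tiny n, q only)."""
    return sum(
        1 for entries in product(range(q), repeat=n * n)
        if rank_mod_q([entries[i * n:(i + 1) * n] for i in range(n)], q) < n
    )


def rank_deficiency_histogram(n, q, samples, seed=1):
    """Monte Carlo: count of samples with rank n-d, keyed by deficiency d."""
    rng = random.Random(seed)
    hist = {}
    for _ in range(samples):
        rows = [[rng.randrange(q) for _ in range(n)] for _ in range(n)]
        d = n - rank_mod_q(rows, q)
        hist[d] = hist.get(d, 0) + 1
    return hist


if __name__ == "__main__":
    n = 3
    for q in (3, 7, 10069):
        p = singular_probability(n, q)
        print(f"q={q:>5}: P[singular] = {float(p):.6f}  (1/q = {1 / q:.6f})")
    # Exhaustive check on the smallest field: all 3^9 matrices over GF(3).
    print("GF(3) exhaustive:", count_singular_exhaustive(3, 3), "/", 3 ** 9)
    print("GF(7) sampled rank deficiency:", rank_deficiency_histogram(3, 7, 20000))
```

Running it shows the leading term is 1/q and that rank deficiency 2 or more is rarer by several orders of magnitude, which is why the total comes out as "~1/(order of field)" regardless of how the smaller terms are approximated.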
➤ comh commented:
skale-sec-ops posted a comment on report 1186912 ( https://hackerone.com/bugs?report_id=1186912&subject=skale_network#activity-11704972 ) on HackerOne
{panel} [@rumata|/rumata] The libBLS team questions your conclusion. Please kindly see the attached PDF regarding linear dependency, review, and provide comments.
{panel}
The is_well_formed check in libff::alt_bn128_G2 is insufficient. It checks that the projective coordinates (X, Y, Z) satisfy the curve equation, but G2 is actually a subgroup of the elliptic curve points, so a point can pass the check without belonging to G2. An attacker who controls n-t participants, where n is the total number of participants and t+1 is the number of participants required to sign a message with the common public key, will always be able to corrupt the public key so that it is almost impossible to create a common signature, allowing the attacker to escape later detection during the signing phase. With a probability of 1/10069 the attacker can do the same with n-t participants.
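To make the distinction in that summary concrete, here is an added example (not code from libBLS or libff) on a deliberately tiny, constructed curve rather than alt_bn128 G2. The curve parameters, the helper names (is_on_curve, is_in_subgroup, clear_cofactor) and the sample points are all constructed for the illustration; the real G2 lives over an extension field with a much larger cofactor, but the missing check has the same shape: r * P must be the point at infinity, not merely "P satisfies the curve equation".

```python
"""'On the curve' is not 'in the prime-order subgroup'.

Added example, not code from libBLS or libff. To keep it hand-checkable it
uses a constructed toy curve instead of alt_bn128 G2:
    E: y^2 = x^3 + x + 1 over GF(23), #E = 28 = 4 * 7.
The role of G2 is played by the unique subgroup of prime order r = 7; the
other 21 affine points satisfy the curve equation but are not valid group
elements. is_on_curve() mirrors a coordinate-only well-formedness check;
is_in_subgroup() adds the missing test r * P == O.
"""

P_MOD = 23          # toy field prime
A, B = 1, 1         # toy curve coefficients
R_ORDER = 7         # prime order of the "G2" subgroup
COFACTOR = 4        # #E / R_ORDER
INF = None          # point at infinity


def inv(x):
    """Field inverse via Fermat (P_MOD is prime)."""
    return pow(x, P_MOD - 2, P_MOD)


def is_on_curve(pt):
    """Coordinate-only check: analogue of testing the curve equation alone."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def add(p, q):
    """Affine point addition with the usual special cases."""
    if p is INF:
        return q
    if q is INF:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                   # P + (-P), includes 2*(x, 0)
    if p == q:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P_MOD
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def is_in_subgroup(pt):
    """The check the summary says is missing: on the curve AND r * P == O."""
    return is_on_curve(pt) and mul(R_ORDER, pt) is INF


def clear_cofactor(pt):
    """Map any curve point into the prime-order subgroup (h * P)."""
    return mul(COFACTOR, pt)


def all_points():
    """Enumerate E(GF(23)) including the point at infinity."""
    pts = [INF]
    for x in range(P_MOD):
        for y in range(P_MOD):
            if is_on_curve((x, y)):
                pts.append((x, y))
    return pts


def rogue_points():
    """Affine points that pass is_on_curve() but fail is_in_subgroup()."""
    return [p for p in all_points() if p is not INF and not is_in_subgroup(p)]


if __name__ == "__main__":
    print("#E =", len(all_points()))
    bad = (4, 0)                                     # order-2 point, in the cofactor part
    print(bad, "on curve:", is_on_curve(bad), "in subgroup:", is_in_subgroup(bad))
    good = clear_cofactor((0, 1))                    # an honest G2-style element
    print(good, "on curve:", is_on_curve(good), "in subgroup:", is_in_subgroup(good))
    print("points accepted by the curve-equation check only:", len(rogue_points()))
```

On the toy curve 21 of the 27 affine points pass the curve-equation check and fail the subgroup check; the defensive fix on the receiving side of DKG messages is to apply is_in_subgroup()-style validation (r * P == O) to every deserialized G2 point before it enters any key computation.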