btclive365.com
Secured no. 1 | Ethereum Foundation Blog

btclive365 by btclive365
November 10, 2022
in Ethereum (ETH)


Earlier this year, we launched a bug bounty program focused on finding issues in the beacon chain specification and/or in client implementations (Lighthouse, Nimbus, Teku, Prysm, etc.). The results (and vulnerability reports) have been enlightening, as have the lessons learned while patching potential issues.

In this new series, we aim to explore and share some of the insight we’ve gained from security work to date and as we move forward.

This first post will analyze some of the submissions specifically targeting BLS primitives.

Disclaimer: All bugs mentioned in this post have already been fixed.

BLS is everywhere

A few years ago, Diego F. Aranha gave a talk at the 21st Workshop on Elliptic Curve Cryptography with the title: Pairings are not dead, just resting. How prophetic.

Here we are in 2021, and pairings are one of the primary actors behind many of the cryptographic primitives used in the blockchain space (and beyond): BLS aggregate signatures, ZK-SNARKS systems, etc.

Development and standardization work related to BLS signatures has been an ongoing project for EF researchers for a while now, driven in part by Justin Drake and summarized in a recent post of his on reddit.

The latest and greatest

In the meantime, there have been plenty of updates. BLS12-381 is now universally recognized as the pairing curve to be used given our present knowledge.

Three different IRTF drafts are currently under development:

  1. Pairing-Friendly Curves
  2. BLS signatures
  3. Hashing to Elliptic Curves

Moreover, the beacon chain specification has matured and is already partially deployed. As mentioned above, BLS signatures are an important piece of the puzzle behind proof-of-stake (PoS) and the beacon chain.

Recent lessons learned

After collecting submissions targeting the BLS primitives used in the consensus layer, we’re able to split reported bugs into three areas:

  • IRTF draft oversights
  • Implementation mistakes
  • IRTF draft implementation violations

Let’s zoom into each section.

IRTF draft oversights

One of the reporters (Nguyen Thoi Minh Quan) found discrepancies in the IRTF draft and published two white papers with findings:

While the specific inconsistencies are still subject to debate, he found some interesting implementation issues while conducting his research.

Implementation mistakes

Guido Vranken was able to uncover several “little” issues in BLST using differential fuzzing. See examples of those below:

He topped this off with the discovery of a moderate vulnerability affecting BLST’s blst_fp_eucl_inverse function.

IRTF draft implementation violations

A third category of bug was related to IRTF draft implementation violations. The first one affected the Prysm client.

In order to describe this we need first to provide a bit of background. The BLS signatures IRTF draft includes 3 schemes:

  1. Basic scheme
  2. Message augmentation
  3. Proof of possession

The Prysm client doesn’t make any distinction between the 3 in its API, which sets it apart from other implementations (e.g. py_ecc). One peculiarity of the basic scheme is, quoting the draft verbatim: ‘This function first ensures that all messages are distinct’. This was not ensured in Prysm’s AggregateVerify function. Prysm fixed this discrepancy by deprecating the usage of AggregateVerify (which is not used anywhere in the beacon chain specification).

A second issue impacted py_ecc. In this case, the serialization process described in the ZCash BLS12-381 specification stores integers that are always within the range [0, p – 1]. For the G2 group of BLS12-381, the py_ecc implementation performed this check only for the real part and did not perform the modulus operation for the imaginary part. The issue was fixed with the following pull request: Insufficient Validation on decompress_G2 Deserialization in py_ecc.
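The range check described above, as an added example (not code from py_ecc or from the original post): it parses the x coordinate of a 96-byte compressed G2 encoding in the ZCash layout and rejects either component that falls outside [0, p – 1]. The function names and the choice to reject rather than reduce out-of-range values are assumptions of this sketch; `encode_x` only builds constructed test inputs.

```python
# BLS12-381 base-field modulus p (381 bits).
P = 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab

FLAG_COMPRESSED = 0x80  # top bit of byte 0: point is in compressed form
FLAG_INFINITY = 0x40    # second bit: point at infinity
FLAG_SIGN = 0x20        # third bit: selects which of the two y roots


def parse_compressed_g2_x(data: bytes):
    """Split a 96-byte compressed G2 encoding into (x_re, x_im, sign_flag).

    Returns None for the canonical point at infinity and raises ValueError
    on any non-canonical encoding. Recovering y and the subgroup check are
    out of scope for this sketch.
    """
    if len(data) != 96:
        raise ValueError("compressed G2 point must be 96 bytes")
    flags = data[0] & 0xE0
    if not flags & FLAG_COMPRESSED:
        raise ValueError("compression flag not set")
    # ZCash layout: the imaginary part comes first and shares its top
    # byte with the three flag bits; the real part follows.
    x_im = int.from_bytes(bytes([data[0] & 0x1F]) + data[1:48], "big")
    x_re = int.from_bytes(data[48:96], "big")
    if flags & FLAG_INFINITY:
        if flags & FLAG_SIGN or x_im or x_re:
            raise ValueError("non-canonical point at infinity")
        return None
    # Range-check BOTH components. Reducing mod p silently would let
    # several distinct byte strings decode to the same point.
    if x_re >= P:
        raise ValueError("real part of x is not in [0, p - 1]")
    if x_im >= P:
        raise ValueError("imaginary part of x is not in [0, p - 1]")
    return x_re, x_im, bool(flags & FLAG_SIGN)


def encode_x(x_re: int, x_im: int, sign: bool = False) -> bytes:
    """Build a constructed test encoding (no curve-membership guarantee)."""
    first = x_im.to_bytes(48, "big")
    top = first[0] | FLAG_COMPRESSED | (FLAG_SIGN if sign else 0)
    return bytes([top]) + first[1:] + x_re.to_bytes(48, "big")
```
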

Wrapping up

Today, we took a look at the BLS-related reports we have received as part of our bug bounty program, but this is definitely not the end of the story for security work or for adventures related to BLS.

We strongly encourage you to help ensure the consensus layer continues to grow safer over time. With that, we look forward to hearing from you and encourage you to DIG! If you think you’ve found a security vulnerability or any bug related to the beacon chain or related clients, submit a bug report! 💜🦄





© 2022 btclive365 All Right Rivered .
