Skip to content
This repository has been archived by the owner on Jun 11, 2024. It is now read-only.

BLS library does not properly check secret key Severity: Informational #8783

Closed
Tracked by #7226
shuse2 opened this issue Jul 31, 2023 · 0 comments
Closed
Tracked by #7226

BLS library does not properly check secret key Severity: Informational #8783

shuse2 opened this issue Jul 31, 2023 · 0 comments
Assignees
@mosmartin
Labels
elements/cryptography
Milestone
Sprint 102

Comments

@shuse2
Copy link
Collaborator

shuse2 commented Jul 31, 2023
edited
Loading

Description

The SecretKey.fromBytes method performs some validation on the input, such as ensuring the secret key is non-zero and of correct length. However, the check against the secret key is not done modulo the order of the elliptic curve. Therefore, it is possible for a secret key equivalent to zero to be used if the value of the secret key is a multiple of this elliptic curve order.

https://github.com/ChainSafe/blst-ts/blob/ad0af59d9d01d45ea144b8306f44e45426c5888b/src/lib.ts#L63-L73

Acceptance Criteria

Add checks to all functions making use of the SecretKey.fromBytes function to ensure that the secret key being used for signing and other operations is non-zero modulo the order of the elliptic curve.

Additional Information

Reference: ChainSafe/bls#96
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@mosmartin mosmartin

Labels
elements/cryptography
Projects
None yet
Milestone
Sprint 102
Development

No branches or pull requests
3 participants
@shuse2 @mosmartin @Madhulearn