Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1wZmZnLTkyY2cteGY1Y84AA2Qs

gnark-crypto's exponentiation in the pairing target group GT using GLV can give incorrect results

Impact

When the exponent is bigger than r, the group order of the pairing target group GT, the exponentiation à la GLV (ExpGLV) can sometimes give incorrect results compared to normal exponentiation (Exp).

The issue impacts all users using ExpGLV for exponentiations in GT. This does not impact Exp and ExpCyclotomic which are sound. Also note that GLV methods in G1 and G2 are sound and not impacted.

Patches

Fix has been implemented in pull request https://github.com/Consensys/gnark-crypto/pull/451 and merged in commit https://github.com/Consensys/gnark-crypto/commit/ec6be1a037f7c496d595c541a8a8d31c47bcfa3d to master branch.

The fix increased the bounds of the sub-scalars by 1. In fact, since https://github.com/Consensys/gnark-crypto/pull/213, we use a fast scalar decomposition that tradeoffs divisions (needed in the Babai rounding) by right-shifts. We precompute b=2^m*v/d (m > log2(d)) and then at runtime compute scalar*b/2^m (v is a lattice vector and d the lattice determinant). This increases the bounds on sub-scalars by 1 which we check at runtime before increasing the loop size (we don't target constant-timeness). m is chosen to be a machine word twice big than log2(d) so that we rarely need to increase the loop size. Hence why the issue happens only sometimes if we omit to increase the bounds. This bounds increase was implemented in G1 and G2 but forgot in GT.

Workarounds

Updating to v0.12.1+. Alternatively, use Exp or ExpCyclotomic instead. We are not aware of any users using ExpGLV anyway.

References

Acknowledgement

The vulnerability was reported by Antonio Sanso @ EF.

Permalink: https://github.com/advisories/GHSA-pffg-92cg-xf5c
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wZmZnLTkyY2cteGY1Y84AA2Qs
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: about 1 year ago
Updated: about 1 year ago


Identifiers: GHSA-pffg-92cg-xf5c
References: Repository: https://github.com/Consensys/gnark-crypto
Blast Radius: 0.0

Affected Packages

go:github.com/consensys/gnark-crypto
Dependent packages: 2,360
Dependent repositories: 2,623
Downloads:
Affected Version Ranges: <= 0.12.0
Fixed in: 0.12.1
All affected versions: 0.0.1, 0.1.0, 0.1.1, 0.2.0, 0.3.0, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.3.7, 0.3.8, 0.4.0, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.6.0, 0.6.1, 0.7.0, 0.8.0, 0.9.0, 0.9.1, 0.9.2, 0.10.0, 0.10.1, 0.11.0, 0.11.1, 0.11.2, 0.12.0
All unaffected versions: 0.12.1, 0.13.0, 0.14.0