GHSA-pffg-92cg-xf5c github.com/consensys/gnark-crypto

Package

Manager: go
Name: github.com/consensys/gnark-crypto
Vulnerable Version: >=0 <0.12.1

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N/E:P/RL:O/RC:R

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: N/A (percentile: N/A)

Details

gnark-crypto's exponentiation in the pairing target group GT using GLV can give incorrect results

### Impact

When the exponent is bigger than `r`, the group order of the pairing target group `GT`, the exponentiation à la GLV (`ExpGLV`) can *sometimes* give incorrect results compared to normal exponentiation (`Exp`).

The issue impacts all users using `ExpGLV` for exponentiations in `GT`. It does not impact `Exp` and `ExpCyclotomic`, which are sound. Also note that the GLV methods in G1 and G2 are sound and _not_ impacted.

### Patches

The fix has been implemented in pull request https://github.com/Consensys/gnark-crypto/pull/451 and merged into the master branch in commit https://github.com/Consensys/gnark-crypto/commit/ec6be1a037f7c496d595c541a8a8d31c47bcfa3d.

The fix increases the bounds of the sub-scalars by 1. Since https://github.com/Consensys/gnark-crypto/pull/213, we use a fast scalar decomposition that trades the divisions needed in the Babai rounding for right shifts: we precompute `b = 2^m*v/d` (with `m > log2(d)`, where `v` is a lattice vector and `d` the lattice determinant) and then, at runtime, compute `scalar*b/2^m`. This increases the bounds on the sub-scalars by 1, which we check at runtime before increasing the loop size (we do not target constant-timeness). `m` is chosen to be a machine-word size twice as big as `log2(d)`, so that the loop size rarely needs to be increased. That is why the issue happens only *sometimes* when the bound increase is omitted. This bound increase was implemented in G1 and G2 but was forgotten in GT.

### Workarounds

Update to `v0.12.1` or later. Alternatively, use `Exp` or `ExpCyclotomic` instead. We are not aware of any users using `ExpGLV`.

### References

- Fix PR: https://github.com/Consensys/gnark-crypto/pull/451
- Fast scalar decomposition PR: https://github.com/Consensys/gnark-crypto/pull/213
- https://eprint.iacr.org/2015/565, Sec. 4.2

### Acknowledgement

The vulnerability was reported by [Antonio Sanso](https://github.com/asanso) @ [EF](https://crypto.ethereum.org/).
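
To make the rounding trick and the runtime bound check concrete, the following Go program is an added example; it is not code from gnark-crypto or from this advisory, and the names `roundDiv`, `shiftRound`, `precomputeB`, `loopSize` and `sweep` are this example's own, not the library's API. It uses a constructed toy lattice (r = 103, λ = 56, basis (2, 11) and (-9, 2), so det = r) and m = 7 in place of real curve parameters, computes the Babai coefficients once with true divisions and once with the precomputed `b = floor(2^m*v/d)` followed by a right shift, derives the sub-scalars from both, and applies the loop-size check that the advisory describes.

```go
package main

import (
	"fmt"
	"math/big"
)

// Toy GLV setting, constructed for this example (not a real curve): r = 103 is the group
// order, lambda = 56 satisfies lambda^2 + lambda + 1 = 0 mod r, and (a1,b1), (a2,b2) is a
// short basis of {(a,b) : a + b*lambda = 0 mod r} with det = a1*b2 - a2*b1 = r.
var (
	r      = big.NewInt(103)
	lambda = big.NewInt(56)
	a1, b1 = big.NewInt(2), big.NewInt(11)
	a2, b2 = big.NewInt(-9), big.NewInt(2)
	det    = big.NewInt(103)
)

// roundDiv returns round(num/den) for num >= 0, den > 0 using a real division,
// which is what the Babai rounding step needs without the shift trick.
func roundDiv(num, den *big.Int) *big.Int {
	q := new(big.Int).Lsh(num, 1)
	q.Add(q, den)                             // 2*num + den
	return q.Quo(q, new(big.Int).Lsh(den, 1)) // floor((2*num + den) / (2*den))
}

// precomputeB returns b = floor(2^m * v / d); it is computed once per lattice vector.
func precomputeB(v, d *big.Int, m uint) *big.Int {
	b := new(big.Int).Lsh(v, m)
	return b.Quo(b, d)
}

// shiftRound approximates round(k*v/d) as (k*b + 2^(m-1)) >> m. Because b was
// truncated, the result is never above and at most 1 below roundDiv(k*v, d) for
// 0 <= k < 2^m; that occasional off-by-one is what enlarges the sub-scalars.
func shiftRound(k, b *big.Int, m uint) *big.Int {
	q := new(big.Int).Mul(k, b)
	q.Add(q, new(big.Int).Lsh(big.NewInt(1), m-1))
	return q.Rsh(q, m)
}

// subScalars finishes the decomposition from the Babai coefficients:
// k1 = k - c1*a1 - c2*a2 and k2 = -c1*b1 - c2*b2, so k1 + lambda*k2 = k mod r.
func subScalars(k, c1, c2 *big.Int) (k1, k2 *big.Int) {
	k1 = new(big.Int).Sub(k, new(big.Int).Mul(c1, a1))
	k1.Sub(k1, new(big.Int).Mul(c2, a2))
	k2 = new(big.Int).Neg(new(big.Int).Mul(c1, b1))
	k2.Sub(k2, new(big.Int).Mul(c2, b2))
	return k1, k2
}

// exactDecompose uses true divisions: c1 = round(k*b2/det), c2 = -round(k*b1/det).
func exactDecompose(k *big.Int) (*big.Int, *big.Int) {
	c1 := roundDiv(new(big.Int).Mul(k, b2), det)
	c2 := new(big.Int).Neg(roundDiv(new(big.Int).Mul(k, b1), det))
	return subScalars(k, c1, c2)
}

// fastDecompose replaces each division by a multiplication with the precomputed
// constant and a right shift by m bits (m > log2(det)).
func fastDecompose(k *big.Int, m uint) (*big.Int, *big.Int) {
	c1 := shiftRound(k, precomputeB(b2, det, m), m)
	c2 := new(big.Int).Neg(shiftRound(k, precomputeB(b1, det, m), m))
	return subScalars(k, c1, c2)
}

// valid reports whether k1 + lambda*k2 == k (mod r).
func valid(k, k1, k2 *big.Int) bool {
	s := new(big.Int).Mul(lambda, k2)
	s.Add(s, k1).Sub(s, k)
	return s.Mod(s, r).Sign() == 0
}

// loopSize is the runtime check: the double-scalar loop is sized for the nominal
// bound and widened by one bit when a sub-scalar exceeds it. Without this check
// the loop silently ignores the top bit of an oversized sub-scalar.
func loopSize(k1, k2 *big.Int, nominal int) int {
	if k1.BitLen() > nominal || k2.BitLen() > nominal {
		return nominal + 1
	}
	return nominal
}

// sweep decomposes every scalar in [0, r) both ways and returns how many scalars
// get different sub-scalars and whether every decomposition was valid.
func sweep(m uint) (mismatches int, allValid bool) {
	allValid = true
	for i := int64(0); i < r.Int64(); i++ {
		k := big.NewInt(i)
		e1, e2 := exactDecompose(k)
		f1, f2 := fastDecompose(k, m)
		allValid = allValid && valid(k, e1, e2) && valid(k, f1, f2)
		if e1.Cmp(f1) != 0 || e2.Cmp(f2) != 0 {
			mismatches++
		}
	}
	return mismatches, allValid
}

func main() {
	e1, e2 := exactDecompose(big.NewInt(89))
	f1, f2 := fastDecompose(big.NewInt(89), 7)
	n, ok := sweep(7)
	fmt.Printf("k=89 exact=(%v,%v) fast=(%v,%v); differing scalars=%d allValid=%v\n", e1, e2, f1, f2, n, ok)
}
```

With these toy parameters, k = 89 decomposes to (-5, -2) with exact rounding but to (6, 7) with the shift-based rounding; both satisfy k1 + λ·k2 ≡ k (mod r), which is why the exponentiation stays correct as long as the loop is sized for the sub-scalars actually produced. The shift-based coefficient is never above and at most one below the exact one, so sub-scalars can grow past the bound derived for exact rounding; `loopSize` is the check that catches this, and omitting it is the failure mode the advisory describes for `GT`. For k = 89 the toy sub-scalars still fit in the nominal 3 bits, so the effect on the loop size only shows with parameters where the lattice vectors are large relative to the bound, as on real curves.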

Metadata

Created: 2023-10-05T20:57:20Z
Modified: 2024-05-20T21:55:42Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-pffg-92cg-xf5c/GHSA-pffg-92cg-xf5c.json
CWE IDs: []
Alternative ID: N/A
Finding: F138
Auto approve: 1