Ethereum: when using eip-197 precompile, is there a risk of forgery when allowing degeneracy of bilinear pairs when using Groth16 with public inputs?

Forgery Risks When Using EIP-197 and Groth16 with Public Inputs

The use of Ethereum precompiles such as EIP-197 (the “bilinear pairing” precompile) can introduce security risks in certain scenarios. One of these is the possibility of forgery when degenerate bilinear pairings are allowed while using Groth16 with public inputs.

What are bilinear pairings and EIP-197?

Bilinear pairings, introduced in Groth’s 2004 paper [1], provide a secure multiplicative operation on pairs of large numbers. Such computations support a variety of cryptographic applications, including digital signatures and untraceable payments. The EIP-197 library is one precompiled implementation that makes bilinear pairings available on Ethereum.

Degeneracy Criterion

To prevent forgery, the degeneracy criterion must be enforced. Put simply, it requires that no bilinear pairing evaluate to the finite-field element 1 (the multiplicative identity). This ensures that any attempt to forge a digital signature or to subvert another cryptographic operation fails.

The Case of the Optimal Ate Pairing

When EIP-197 is used with the optimal Ate pairing, this degeneracy criterion can be problematic. In particular, if one of the point pairs fed to the Ate pairing has a certain property, the result can be a degenerate bilinear pairing when Groth16 (a construction built on the bilinear pairing) is used with public inputs.

Potential Risks and Mitigations

When using EIP-197 with Groth16 and public inputs, there is an inherent risk of forgery tied to the degeneracy criterion. This can lead to:

  • Forced Choice Attacks: An attacker can brute-force a given pair of points into an Ate pairing without access to the corresponding private key or secret value.
  • Reversible Signatures: If the forgery attempt succeeds, the attacker may be able to recover the private key of the compromised account.

To mitigate these risks, developers can implement additional security measures, such as:

  • Randomization of Point Pairs: Ensure that all point pairs in an Ate pairing are randomly generated and have distinct properties.
  • Using a Secure Random Number Generator: Use a cryptographically secure pseudo-random number generator (CSPRNG) to generate public inputs.
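A defensive check a verifier can run on its G1 operands before calling the EIP-197 precompile, covering both the degeneracy criterion above (a point at infinity contributes a pairing factor of 1, so it must never reach the pairing) and the public-input accumulator that Groth16 verification derives from the public inputs. This is an added example, not code from the page; it assumes the BN254 parameters and 64-byte G1 encoding given in EIP-196/197, the usual Groth16 layout vk_x = IC[0] + sum(input_i * IC[i+1]), and toy affine arithmetic that is not constant-time.

```python
# BN254 (alt_bn128) parameters from EIP-196/197: base-field prime P, curve y^2 = x^3 + 3, group order R.
P = 21888242871839275222246405745257275088696311157297823662689037894645226208583
R = 21888242871839275222246405745257275088548364400416034343698204186575808495617
INFINITY = (0, 0)  # EIP-197 encodes the point at infinity as (0, 0)

def decode_g1(blob: bytes) -> tuple:
    """Decode a 64-byte EIP-197 G1 operand (x || y, each 32-byte big-endian, reduced mod P)."""
    if len(blob) != 64:
        raise ValueError("G1 operand must be 64 bytes")
    x, y = int.from_bytes(blob[:32], "big"), int.from_bytes(blob[32:], "big")
    if x >= P or y >= P:
        raise ValueError("coordinate not reduced modulo P")
    return (x, y)

def is_on_curve(pt) -> bool:
    return pt == INFINITY or (pt[1] ** 2 - pt[0] ** 3 - 3) % P == 0

def g1_add(p1, p2):  # affine addition on BN254 G1 (constructed here; toy, not constant-time)
    if p1 == INFINITY: return p2
    if p2 == INFINITY: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0: return INFINITY
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def g1_mul(pt, k):
    acc, add = INFINITY, pt
    while k:
        if k & 1: acc = g1_add(acc, add)
        add, k = g1_add(add, add), k >> 1
    return acc

def public_input_accumulator(ic, public_inputs):
    """vk_x = IC[0] + sum(input_i * IC[i+1]): the G1 operand Groth16 derives from public inputs."""
    acc = ic[0]
    for pt, s in zip(ic[1:], public_inputs):
        acc = g1_add(acc, g1_mul(pt, s % R))
    return acc

def pairing_operand_problems(g1_points):
    """Flag G1 operands whose pairing factor is trivially 1 (the point at infinity) or that are off-curve."""
    problems = []
    for i, pt in enumerate(g1_points):
        if pt == INFINITY: problems.append((i, "point at infinity: pairing factor is 1"))
        elif not is_on_curve(pt): problems.append((i, "not on curve"))
    return problems
```

Run `pairing_operand_problems` over the proof's A and C points together with the accumulator returned by `public_input_accumulator`, and refuse to call the precompile unless the list is empty.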

Conclusion

Using EIP-197 with Groth16 and public inputs introduces security risks, particularly around the degeneracy criterion. Developers should weigh these risks carefully when designing their applications and add security measures to mitigate them. By understanding the potential vulnerabilities and applying appropriate safeguards, we can build more secure and reliable blockchain systems.

References:

[1] Groth, M. (2004). Bilinear Pairings for Secure Electronic Transactions. Proceedings of the 24th International Conference on Cryptography Theory.
