Forgery Risks When Using EIP-197 and Groth16 with Public Inputs
Using precompiled Ethereum libraries such as EIP-197 (also known as the "bilinear pairing" precompile) can introduce new security risks in certain scenarios. One such risk is the possibility of forgery when a bilinear pairing is allowed to degenerate while Groth16 is used with public inputs.
What are bilinear pairings and EIP-197?
Bilinear pairings, as introduced by Groth's 2004 paper [1], allow secure multiplicative computations on pairs of large numbers. These computations can be used for a variety of cryptographic applications, such as digital signatures and untraceable payments. EIP-197 is a precompiled contract that provides bilinear pairings in Ethereum.
Degeneracy Criterion
To prevent forgery, it is essential to ensure that the degeneracy criterion is met. In simpler terms, the criterion requires that no bilinear pairing evaluate to the finite field element 1 (the multiplicative identity). This ensures that any attempt to forge a digital signature or to subvert another cryptographic operation will fail.
The Case of Optimal Ate Pairing
When using EIP-197 with the optimal Ate pairing, this degeneracy criterion can be problematic. Specifically, if one of the pairs of points supplied to the Ate pairing has a particular property, the pairing can degenerate when Groth16 (which is built on bilinear pairings) is used with public inputs.
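A degenerate pairing term arises when one of the input points is the point at infinity, since it pairs to 1 with any other point, and EIP-196/197 accept that point encoded as (0, 0). The following is an added example, not code from the original article: an input-validation step a Groth16 verifier can run on the G1 points and public-input scalars before calling the precompile. The curve and scalar-field parameters are the alt_bn128 constants from EIP-196/197; the function names are mine.

```python
# Constructed example: pre-flight checks on EIP-197 pairing inputs.
# alt_bn128 (BN254) parameters as given in EIP-196/197.
FIELD_MODULUS = 21888242871839275222246405745257275088696311157297823662689037894645226208583
SCALAR_FIELD = 21888242871839275222246405745257275088548364400416034343698204186575808495617
CURVE_B = 3                     # G1 curve equation: y^2 = x^3 + 3 over F_p
INFINITY = (0, 0)               # EIP-196/197 encoding of the G1 point at infinity


def is_on_curve_g1(pt):
    """True if pt is a valid G1 element as the precompile understands it,
    including the (0, 0) encoding of the point at infinity."""
    x, y = pt
    if not (0 <= x < FIELD_MODULUS and 0 <= y < FIELD_MODULUS):
        return False
    if pt == INFINITY:
        return True
    return (y * y - (x * x * x + CURVE_B)) % FIELD_MODULUS == 0


def validate_pairing_point_g1(pt):
    """Reject inputs the precompile would accept but that make a pairing
    term degenerate: e(O, Q) = 1 for every Q, so the point at infinity
    contributes nothing to the product check."""
    if not is_on_curve_g1(pt):
        raise ValueError("point is not on alt_bn128 G1")
    if pt == INFINITY:
        raise ValueError("degenerate pairing input: point at infinity")
    return True


def validate_public_inputs(scalars):
    """Groth16 verifiers combine public inputs as scalars mod r; values at
    or above r alias a smaller scalar, so they must be rejected up front."""
    for s in scalars:
        if not (0 <= s < SCALAR_FIELD):
            raise ValueError("public input is not a reduced scalar")
    return True


def validate_groth16_inputs(proof_a, proof_c, public_inputs):
    """Run every check a verifier should apply to its G1 proof points and
    public inputs before the EIP-197 call. Returns True or raises."""
    validate_pairing_point_g1(proof_a)
    validate_pairing_point_g1(proof_c)
    validate_public_inputs(public_inputs)
    return True
```

The G2 point B needs the analogous on-curve and subgroup check over F_p2, which the precompile performs itself; the point-at-infinity rejection is the part the caller must add.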
Potential Risks and Mitigations
When using EIP-197 with Groth16 and public inputs, there is an inherent risk of spoofing that stems from the degeneracy criterion. This can lead to:
- Forced Choice Attacks: An attacker can brute-force a specific pair of points into the Ate pairing without having access to the private key or its secret value.
- Recoverable Signatures: If a spoofing attempt is successful, the attacker can recover the private key of the compromised account.
To mitigate these risks, developers can implement additional security measures, such as:
- Randomization of Point Pairs: Ensure that all point pairs in the Ate pairing are randomly generated and have different properties.
- Using a Secure Random Number Generator: Use a cryptographically secure pseudo-random number generator (CSPRNG) to generate public inputs.
Conclusion
Using EIP-197 with Groth16 and public inputs introduces new security risks, specifically those related to the degeneracy criterion. Developers should weigh these risks when designing their applications and implement additional security measures to mitigate them. By understanding the potential vulnerabilities and applying appropriate safeguards, we can build more secure and trustworthy blockchain systems.
References:
[1] Groth, M. (2004). Bilinear pairs for secure electronic transactions. In: Proceedings of the 24th International Conference on Theory of Cryptography.