Skip to content

BLS Aggregate Signature Rogue Public-Key Attack Mitigation Missing #7

Closed
#46
Closed
BLS Aggregate Signature Rogue Public-Key Attack Mitigation Missing#7
#46
Assignees
damianosakwe
Labels
Complexity: HardcoreIssues requiring deep systems-level engineering rigorGrantFox OSSIssue tracked in GrantFox OSSLayer: Core-EngineCore engine layerMaybe RewardedIssue may be eligible for a GrantFox rewardOfficial CampaignCampaign: Official CampaignType: Core-ArchitectureCore architecture change

Description

@JamesEjembi
JamesEjembi
opened on Jun 23, 2026

Problem Statement / Feature Objective

The BLS aggregate signature verification routine does not defensively validate that each participating public key is in the correct prime-order subgroup G1 prior to aggregation. Without a subgroup check (BLS12-381, r = 52435875175126190479447740508185965837690552500527637822603658699938581184513), an adversary can supply a rogue low-order public key, forge aggregate signatures that pass batch verification, and trigger a false-positive slashing event.

Technical Invariants & Bounds

  • Curve: BLS12-381, G1 prime subgroup order r as above.
  • Aggregate signature size: 48 bytes (G1 compressed).
  • Public keys must satisfy pk * r == O_G1 (identity check).
  • Maximum validators per aggregate: 2^16 (protocol bound).
  • Signature verification must reject aggregates containing any invalid subgroup element.

Codebase Navigation Guide

  • src/crypto/bls-keys.rs - public key deserialization and subgroup validation.
  • src/attestation/bls-aggregator.rs - aggregation and batch verification logic.
  • src/slashing/condition-engine.rs - slashing event dispatch that consumes aggregate proofs.
  • src/crypto/verifier.rs - low-level pairing check routines.
  • tests/crypto/bls_subgroup_test.rs - existing test harness.

Implementation Blueprint

  1. Add subgroup_check(pk: &G1Point) -> bool in src/crypto/bls-keys.rs that multiplies the decompressed point by r and verifies the result is the identity element.
  2. Call this check inside src/attestation/bls-aggregator.rs at the start of aggregate_signatures() and verify_aggregate(), before any pairing computation.
  3. On failure, return a typed AggregateError::RogueKey instead of panicking.
  4. Add property-based tests that inject low-order points and assert rejection.
  5. Update the slashing condition engine's evaluate() path to propagate the error and mark the attestation as invalid.

Metadata

Metadata

Assignees

Labels

Complexity: HardcoreIssues requiring deep systems-level engineering rigorGrantFox OSSIssue tracked in GrantFox OSSLayer: Core-EngineCore engine layerMaybe RewardedIssue may be eligible for a GrantFox rewardOfficial CampaignCampaign: Official CampaignType: Core-ArchitectureCore architecture change

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions