add check public shares are in G2 group about libbls HOT 10 CLOSED

➤ comh commented:

skale-sec-ops triaged report 1186912 ( https://hackerone.com/bugs?report_id=1186912&subject=skale_network#activity-11660531 ) on HackerOne

{panel}
Hello [@Rumata|/rumata]
Thank you for your submission! We were able to validate your report, and have submitted it to the libBLS team for review.
A fix is now in process. Please note that the status and severity are subject to change.
Best,
[@skale-sec-ops|/skale-sec-ops]

{panel}

from libbls.

➤ comh commented:

hackbot suggested, CWE-697, MITRE ( https://cwe.mitre.org/data/definitions/697.html ) for remediation guidance on HackerOne

from libbls.

➤ comh commented:

skale-sec-ops posted a comment on report 1186912 ( https://hackerone.com/bugs?report_id=1186912&subject=skale_network#activity-11661894 ) on HackerOne

{panel}
[@Rumata|/rumata] the libBLS team would like to use your code and integrate it into the libBLS repo for testing and further investigation.
The team kindly asks that you open a PR in libBLS and place your .sage script under /scripts and your .cpp under /test and finally please sign the CLA in the PR. If you have any questions, please let us know.

{panel}

from libbls.

➤ comh commented:

rumata posted a comment on report 1186912 ( https://hackerone.com/bugs?report_id=1186912&subject=skale_network#activity-11666288 ) on HackerOne

{panel}
I made a PR and tried to sign in with github at cla.skale.network. If that is what it means to sign the CLA, then I completed it. I slightly changed the dkg_attack.cpp in comaprison to what I submitted here, because I saw a misleading request that was left over from an earlier version. Please tell me if there are any issues.

{panel}

from libbls.

➤ comh commented:

rumata posted a comment on report 1186912 ( https://hackerone.com/bugs?report_id=1186912&subject=skale_network#activity-11666607 ) on HackerOne

{panel}
Ok, I signed the CLA in PR. (Had to do another PR because of commit name/email configuration)

{panel}

from libbls.

➤ comh commented:

skale-sec-ops posted a comment on report 1186912 ( https://hackerone.com/bugs?report_id=1186912&subject=skale_network#activity-11666693 ) on HackerOne

{panel}
[@Rumata|/rumata]
Fantastic, the team appreciates your PR and signing the CLA. The team provide another update on Monday. In the meantime, feel free to reach out if you have any concerns or other questions.

{panel}

from libbls.

➤ comh commented:

skale-sec-ops posted a comment on report 1186912 ( https://hackerone.com/bugs?report_id=1186912&subject=skale_network#activity-11685787 ) on HackerOne

{panel}
[@Rumata|/rumata] can you please clarify and further explain how you arrived at the conclusion "that the probability that the equations are not linearly independent is 1/10069”?

{panel}

from libbls.

➤ comh commented:

rumata posted a comment on report 1186912 ( https://hackerone.com/bugs?report_id=1186912&subject=skale_network#activity-11685935 ) on HackerOne

{panel}
This is a rough estimate, it will actually be a bit more than that. I should have written "~1/10069", since I am using subgroup of order 10069. For a bigger subgroup it will obviously be smaller. The idea is pretty simple: let's say we have a matrix:[
[ [ a ,x_0_1, x_0_2 ], [ a ,x_1_1, x_1_2 ], [ a ,x_2_1, x_2_2 ] ]. Let's say that the 0th and 1st and 0th and 2nd rows are linearly independent (the way we construct from i to the power of j that will be the case). We take the 0th row and reduce the first and second row, after which we are left with 0th row definitely independent of first and second. First and second now consist of 0 at position 1 and two elements:
[[0, y_1_1,y_1_2], [0, y_2_1, y_2_2 ]]. They are linearly dependent when y_1_2/y_1_1=y_2_2/y_2_1. If we pick a uniform random k=y_2_2/y_2_1, then the probability that y_1_2/y_1_1=k is ~1/(order of field). so for rank of matrix=n-1 the probability is ~1/(order of field). For rank=n-2 it will be somewhere around square of that. So the sum of probabilities will be ~1/(order of field).

{panel}

from libbls.

➤ comh commented:

skale-sec-ops posted a comment on report 1186912 ( https://hackerone.com/bugs?report_id=1186912&subject=skale_network#activity-11704972 ) on HackerOne

{panel}
[@Rumata|/rumata] The libBLS team questions your conclusion. Please kindly see the attached PDF regarding linear dependency, review, and provide comments.

{panel}

from libbls.

➤ comh commented:

rumata posted a comment on report 1186912 ( https://hackerone.com/bugs?report_id=1186912&subject=skale_network#activity-11720925 ) on HackerOne

{panel}
Wow. Thanks for teaching me about the Vandermonde matrix, I didn't know about that. Yes, it seems that in the case when there are less than subgroup order participants it is impossible, so my probability is wrong here. However I just thought of a new attack).
Requirements:

1. Number of participants n> subgroup_order
2. The adversary controls all participants with indexes i=k*subgroup_order, where k is a positive integer
3. The adversary controls at least one i=j+k*subgroup_order, such that there is no honest participant with i'=j+k'*p (or the attacker controls all indexes with the same j)

The minimum number of attacker-controlled nodes to fulfill this requirement can be 2 ( for example, the attacker controls nodes 10068 and 10069 and there are less than 20137 nodes in total). In this case even for (t,n)=(10069, 20137) the attacker will be able to perform the attack. 2 is much smaller than 20137-10069=10068.

{panel}

from libbls.