DKGResultVerification.verify byte inputs validation #1525
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
There could be no more misbehaved than the group size minus the minimum signature threshold. For example for a group size of 64 members and minimum threshold of 33 members supporting the result, we can have no more than 31 misbehaving members. Added validation to make the manipulation of DKG signature harder. We now check the exact size of public key and maximum size of misbehaved bytestring before we pass them to abi.encodePacked
The number of possible valid signatures should be limited by members array passed to verify function as a parameter. However, since this library keeps a group size in storage it makes sense to do all the validation possible to make sure the internal state is consistent.
Because we now validate group public key in `verify` function, we need to use a correct bytestring.
eth-r
approved these changes
Mar 30, 2020
There was a problem hiding this comment.
Looks good to me. The requirement for the pubkey to be always 128 bytes seems sufficient given the threshold requirement of signatures on the key; if no honest member signs a public key of invalid length, only a dishonest majority could pass a malformed key as correct and then they'd be caught when tasked with signing.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Closes: #1524
Three additional validations added to
bytesinput parameters inDKGResultVerification.verifyto limit the possibility of arbitrarily moving bytes betweengroupPubKeyandmisbehavedby the submitter:groupPubKeymust have exactly128bytesIt is altbn128 G2 point in uncompressed form; it must have
128bytes.misbehavedcan be up togroup_size - signature_thresholdbytesmisbehavedcan be empty or can have some elements but it can never have more elements than the group size minus the minimum DKG result signature threshold. No group member will vote on the result where it is marked as misbehaving. If the result is going to be accepted, it must have at least the minimum signature threshold. Hence, the maximum number of members indicated as misbehaving isgroup_size - signature_threshold. If the number of elements inmisbehavedis higher than the client is broken or it's trying to cheat.number of signatures supporting the result can not be higher than the group size
The number of possible valid signatures should be limited by
membersarray passed toverifyfunction as a parameter. However, sinceDKGResultVerificationlibrary keeps a group size in its storage, it makes sense to do all the validation possible to make sure the internal state is consistent.#1524, as per audit, recommends adding a salt between the group public key and misbehaved. This PR does not contain this change as I don't see a clear advantage of this, given that: