Impact Blst versions v0.3.0 through 0.3.10 failed to perform a signature group-check if the call to SigValidate in the Go bindings was complemented with a check for infinity. Formally speaking, infinity, or the identity element of the elliptic curve group, is a member of the group, and the group-check should allow it. An initial review of blst users on GitHub does not uncover any use of this function with the …
Impact Blst versions v0.3.0 to v0.3.2 can produce the incorrect outputs for some inputs to the blst_fp_eucl_inverse function. This could theoretically result in the creation of an invalid signature from correct inputs. However, fuzzing of higher level functions such as sign and verify were unable to produce incorrect results and there has been no reported occurrences of this issue being encountered in production use. Description During the course of differential …
During the course of differential fuzzing of the blst library by @guidovranken it was discovered that blst would produce the incorrect result for some input values in the inverse function. This was the result of the introduction of a new inversion formula in version v0.3.0. This source of these incorrect outputs was due to two issues: The amount of inner loop iterations was not sufficient for the algorithm to converge. …