Tampering Risks When Using EIP-197 and Groth16 with Public Inputs
Using Ethereum precompiled contracts, such as the one specified by EIP-197 (the bilinear pairing check precompile), can introduce new security risks in certain scenarios. One such risk is tampering that becomes possible if degenerate bilinear pairings are allowed when verifying Groth16 proofs with public inputs.
What are bilinear pairings and EIP-197?
Bilinear pairings, as introduced by Groth’s 2004 paper [1], allow secure multiplicative computations on pairs of large numbers. Such computations underpin a variety of cryptographic applications, including digital signatures and untraceable payments. EIP-197 specifies a precompiled contract that exposes bilinear pairing checks on Ethereum.
The Degeneracy Criterion
To prevent forgery, it is essential to ensure that the degeneracy criterion is satisfied. Put simply, the degeneracy criterion states that there must be no bilinear pairing that results in a finite field element equal to 1 (i.e., the multiplicative identity). This ensures that any attempt to forge a digital signature or to subvert another cryptographic operation will fail.
The Case of Optimal Ate Pairing
When using EIP-197 with an optimal Ate pairing, this degeneracy criterion can be problematic. Specifically, if one of the point pairs in the Ate pairing has a particular property, degenerate bilinear pairings can arise when using Groth16 (which builds on bilinear pairings) with public inputs.
Potential Risks and Mitigations
When using EIP-197 with Groth16 and public inputs, there is an inherent risk of tampering due to the degeneracy criterion. This can lead to the following:
Forced Choice Attacks: An attacker can force a specific point pair in the Ate pairing without having access to its private key or secret value.
Recoverable Signatures: If a tampering attempt is successful, the attacker may be able to recover the private key of the compromised account.
To mitigate these risks, developers can implement additional security measures, such as:
Randomizing Point Pairs: Ensuring that all point pairs in the Ate pairing are randomly generated and do not share the same properties.
Using a Secure Random Number Generator: Generating public inputs with a cryptographically secure pseudo-random number generator (CSPRNG).
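As an added illustration (example code, not part of the article), the following Python shows how a Groth16 verifier assembles the input for the EIP-197 pairing check from the proof points, the verifying key and the public inputs, together with the checks a verifier applies before calling the precompile: every G1 point is on the curve, the proof points A and C are not the point at infinity (whose pairing with anything is trivially 1), G2 coordinates lie in the base field and are not all zero, and every public input is reduced modulo the group order r. The curve constants are the alt_bn128 parameters fixed by EIP-196/EIP-197; the verifying key, proof and G2 words are constructed sample values (the G2 words are in-range placeholders, not real twist points, so the precompile itself would reject this input; the example exercises only the layout and the checks).

```python
# Added example, not from the article: building and sanity-checking the
# EIP-197 pairing-check input for a Groth16 verification with public inputs.
# Curve constants are those of alt_bn128 as fixed by EIP-196/EIP-197.
P = 21888242871839275222246405745257275088696311157297823662689037894645226208583  # base field prime
R = 21888242871839275222246405745257275088548364400416034343698204186575808495617  # order of G1
G1_GEN = (1, 2)   # generator of G1 on y^2 = x^3 + 3
INF = None        # point at infinity; the precompile encodes it as (0, 0)


def is_on_g1(pt):
    """True for the point at infinity or an affine point on y^2 = x^3 + 3 over F_p."""
    if pt is INF:
        return True
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - x * x * x - 3) % P == 0


def g1_neg(pt):
    return INF if pt is INF else (pt[0], (-pt[1]) % P)


def g1_add(a, b):
    """Affine point addition; handles doubling and inverse points."""
    if a is INF:
        return b
    if b is INF:
        return a
    x1, y1 = a
    x2, y2 = b
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF                                  # a == -b
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P      # tangent slope (curve has a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P       # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def g1_mul(pt, k):
    """Double-and-add scalar multiplication for k >= 0 (no reduction, so k = R yields INF)."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = g1_add(result, addend)
        addend = g1_add(addend, addend)
        k >>= 1
    return result


def compute_vk_x(ic, public_inputs):
    """vk_x = IC[0] + sum_i input_i * IC[i+1]; every input must already lie in [0, r)."""
    if len(ic) != len(public_inputs) + 1:
        raise ValueError("verifying key has %d IC points for %d inputs" % (len(ic), len(public_inputs)))
    acc = ic[0]
    for s, pt in zip(public_inputs, ic[1:]):
        if not 0 <= s < R:
            raise ValueError("public input %d is not reduced modulo r" % s)
        acc = g1_add(acc, g1_mul(pt, s))
    return acc


def _word(v):
    return v.to_bytes(32, "big")


def encode_g1(pt):
    if not is_on_g1(pt):
        raise ValueError("G1 point is not on the curve")
    x, y = (0, 0) if pt is INF else pt
    return _word(x) + _word(y)


def encode_g2(words):
    """Four F_p words (x_im, x_re, y_im, y_re), the coefficient order EIP-197 uses.
    Only range checks are done here; the precompile rejects encodings that are not valid G2 points."""
    if len(words) != 4 or any(not 0 <= w < P for w in words):
        raise ValueError("G2 coordinate outside the base field")
    if all(w == 0 for w in words):
        raise ValueError("G2 point is the point at infinity")
    return b"".join(_word(w) for w in words)


def groth16_pairing_input(proof, vk, public_inputs):
    """768-byte EIP-197 input for e(-A,B) * e(alpha,beta) * e(vk_x,gamma) * e(C,delta) == 1."""
    a, b, c = proof
    for name, pt in (("A", a), ("C", c)):
        if pt is INF:
            raise ValueError("proof point %s is the point at infinity" % name)
    vk_x = compute_vk_x(vk["ic"], public_inputs)
    pairs = [(g1_neg(a), b), (vk["alpha"], vk["beta"]), (vk_x, vk["gamma"]), (c, vk["delta"])]
    return b"".join(encode_g1(p1) + encode_g2(p2) for p1, p2 in pairs)


# Constructed sample data: G1 points are real multiples of the generator; the G2 words
# are in-range placeholders (not real twist points), so the precompile would reject them.
SAMPLE_G2 = (1, 2, 3, 4)
SAMPLE_VK = {"alpha": g1_mul(G1_GEN, 4), "beta": SAMPLE_G2, "gamma": SAMPLE_G2,
             "delta": SAMPLE_G2, "ic": [G1_GEN, g1_mul(G1_GEN, 5)]}
SAMPLE_PROOF = (G1_GEN, SAMPLE_G2, g1_mul(G1_GEN, 3))


def example_input(public_inputs=(3,)):
    return groth16_pairing_input(SAMPLE_PROOF, SAMPLE_VK, list(public_inputs))


if __name__ == "__main__":
    data = example_input()
    print(len(data), "bytes; first word =", int.from_bytes(data[:32], "big"))
```

The precompile answers 1 only when the product of the four pairings is the identity, so the verifier negates A before encoding; the explicit infinity and range checks are cheap and keep the contract from forwarding inputs that the pairing equation would accept for trivial reasons or that the precompile would reject with a bare failure.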
Conclusion
Using EIP-197 with Groth16 and public inputs introduces new security risks, particularly those related to the degeneracy criterion. Developers should weigh these risks carefully when designing their applications and implement additional security measures to mitigate them. By understanding the potential vulnerabilities and applying appropriate protections, we can build more secure and reliable blockchain systems.
References:
[1] Groth, M. (2004). Bilinear Pairings for Secure Electronic Transactions. Proceedings of the 24th International Conference on Theory of Cryptography.