Category: Coding Mistakes

Missing subgroup check in BLS12-381 key and signature aggregation

High Severity
Medium Impact
Medium Likelihood

Description

The BLS12-381 key and signature-aggregation implementation in the VM skips the subgroup-membership check on the first element of both public-key aggregation and signature aggregation. This affects the following components:

  1. Public-key aggregation (radix-common/src/crypto/bls12381/public_key.rs)

pub fn aggregate(public_keys: &[Bls12381G1PublicKey]) -> Result<Self, ParseBlsPublicKeyError> {
    if !public_keys.is_empty() {
        let pk_first = public_keys[0].to_native_public_key()?;
        let mut agg_pk = AggregatePublicKey::from_public_key(&pk_first); // No validation
        for pk in public_keys.iter().skip(1) {
            agg_pk.add_public_key(&pk.to_native_public_key()?, true)?; // Validates subsequent keys
        }
        // ...
    }
    // ...
}
  2. Signature aggregation (radix-common/src/crypto/bls12381/signature.rs)

pub fn aggregate(signatures: &[Bls12381G2Signature]) -> Result<Self, ParseBlsSignatureError> {
    if !signatures.is_empty() {
        let sig_first = signatures[0].to_native_signature()?;
        let mut agg_sig = AggregateSignature::from_signature(&sig_first); // No validation
        for sig in signatures.iter().skip(1) {
            agg_sig.add_signature(&sig.to_native_signature()?, true)?; // Validates subsequent signatures
        }
        // ...
    }
    // ...
}

The implementation omits subgroup checks for the first element in both cases, while correctly validating subsequent elements. This violates the security requirements specified in the BLS signature specification (draft-irtf-cfrg-bls-signature-04, Section 5.2).

Impact

The missing subgroup check on the first element during aggregation operations undermines the security guarantees of the BLS signature scheme.

Specifically, an attacker can supply a carefully crafted invalid point as the first element of an aggregation that, once combined with valid subsequent points, yields a signature that should be invalid but passes verification. Because points outside the correct subgroup are accepted, the implementation permits signature malleability, violating the uniqueness property the BLS signature scheme relies on. The vulnerability also opens the door to small-subgroup attack techniques, potentially compromising the security assumptions around signature aggregation.

Recommendations

We recommend the following changes to the implementation:

  1. Implement consistent subgroup validation for all elements.

  2. Add explicit subgroup membership tests for all points before aggregation.

  3. Add comprehensive test cases that specifically verify subgroup membership validation.
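The control-flow bug and the recommended fix, shown as an added toy analog rather than Radix's or blst's code: the prime-order subgroup of Z_p^* stands in for the BLS12-381 G1/G2 subgroups, the test x^r == 1 (mod p) stands in for the [r]P == O subgroup check, and all parameters (p, r, the generator) are constructed for the example. `aggregate_vulnerable` reproduces the reported pattern (first element seeds the aggregate unchecked), and `aggregate_fixed` applies recommendation 1 by checking every element.

```rust
// Constructed toy parameters; the prime-order subgroup of Z_31^* plays the
// role of the BLS12-381 subgroup and x^R == 1 the role of [r]P == O.
const P: u64 = 31; // |Z_p^*| = p - 1 = 30 = R * H
const R: u64 = 5;  // prime order of the subgroup valid elements must lie in
const H: u64 = 6;  // cofactor; elements whose order divides H are "small subgroup" points
const G: u64 = 3;  // generator of Z_31^* (order 30)

#[derive(Debug, PartialEq)]
pub enum AggError { Empty, NotInSubgroup(u64) }

fn pow_mod(mut base: u64, mut exp: u64) -> u64 {
    let mut acc = 1;
    base %= P;
    while exp > 0 {
        if exp & 1 == 1 { acc = acc * base % P; }
        base = base * base % P;
        exp >>= 1;
    }
    acc
}

/// Subgroup check: x is in the order-R subgroup iff x^R == 1 (mod P).
pub fn in_subgroup(x: u64) -> bool { pow_mod(x, R) == 1 }

/// Honest element: clearing the cofactor puts G^H in the order-R subgroup.
pub fn honest_element() -> u64 { pow_mod(G, H) }

/// Rogue element of order 3 (3 divides H): outside the order-R subgroup.
pub fn rogue_element() -> u64 { pow_mod(G, (P - 1) / 3) }

/// Mirrors the reported code: the first element seeds the aggregate without
/// validation; only the remaining elements are subgroup-checked.
pub fn aggregate_vulnerable(elems: &[u64]) -> Result<u64, AggError> {
    let (&first, rest) = elems.split_first().ok_or(AggError::Empty)?;
    let mut agg = first % P; // no validation, as in the finding
    for &x in rest {
        if !in_subgroup(x) { return Err(AggError::NotInSubgroup(x)); }
        agg = agg * x % P;
    }
    Ok(agg)
}

/// The fix: every element, the first included, is checked before it is folded in.
pub fn aggregate_fixed(elems: &[u64]) -> Result<u64, AggError> {
    if elems.is_empty() { return Err(AggError::Empty); }
    let mut agg = 1;
    for &x in elems {
        if !in_subgroup(x) { return Err(AggError::NotInSubgroup(x)); }
        agg = agg * x % P;
    }
    Ok(agg)
}
```

With the rogue element in first position the vulnerable aggregate is accepted even though the result itself fails the subgroup check; in any other position, or under the fixed routine, it is rejected.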

Remediation

This issue has been acknowledged by Radix Publishing Limited, and a fix was implemented in commit 184f2620.

Zellic © 2025