diff --git a/docs/Schnorr.md b/docs/Schnorr.md index 0aad148..be79f80 100644 --- a/docs/Schnorr.md +++ b/docs/Schnorr.md @@ -81,8 +81,10 @@ Let the aggregated public key be: ``` Note that this aggregation scheme is vulnerable to rogue-key attacks[^musig2-paper]! -In order to prevent such attacks, it **MUST** be verified that participating -public keys own the corresponding private key. +In order to prevent such attacks a separate public key validation step, called a +proof of possession, must be performed. This proof of possession can be +implemented via an ECDSA signature, however, the message signed **MUST** be +derived from the respective public key[^bls-proof-of-possession]. Note further that this aggregation scheme is vulnerable to public keys with linear relationships. A set of public keys `A` leaking the sum of their private @@ -172,5 +174,6 @@ N = Qr * Pₓ⁻¹ | Qr = [( - [Analysis of Bitcoin Improvement Proposal 340](https://courses.csail.mit.edu/6.857/2020/projects/4-Elbahrawy-Lovejoy-Ouyang-Perez.pdf) [^musig2-paper]:[MuSig2 Paper](https://eprint.iacr.org/2020/1261.pdf) +[^bls-proof-of-possession]:[BLSBLS Signatures](https://www.ietf.org/archive/id/draft-irtf-cfrg-bls-signature-05.html#name-proof-of-possession) [^baby-step-giant-step-wikipedia]:[Baby-step giant-step Wikipedia](https://en.wikipedia.org/wiki/Baby-step_giant-step) [^vitalik-ethresearch-post]:[Vitalik's ethresearch post](https://ethresear.ch/t/you-can-kinda-abuse-ecrecover-to-do-ecmul-in-secp256k1-today/2384) diff --git a/docs/Scribe.md b/docs/Scribe.md index 9a29fb9..b69c726 100644 --- a/docs/Scribe.md +++ b/docs/Scribe.md 
@@ -58,6 +58,14 @@ A feed's identifier is defined as the highest order byte of the feed's address a Feeds _must_ prove the integrity of their public key by proving the ownership of the corresponding private key. The `lift()` function therefore expects an ECDSA signed message, for more info see [`IScribe.feedRegistrationMessage()`](../src/IScribe.sol). +> [!WARNING] +> +> The proof of possession implemented in Scribe is insufficient to defend against rogue-key attacks. In order to sufficiently verify a public key the message being signed MUST be derived from the public key itself. +> +> In order to keep Scribe backwards compatible the extended proof of possession is implemented in the external [ValidatorRegistry](https://github.com/chronicleprotocol/validator-registry) contract. +> +> For more info, see [audits/Cantina@v2.0.0_2.pdf](../audits/Cantina@v2.0.0_2.pdf). + If public key's would not be verified, the Schnorr signature verification would be vulnerable to rogue-key attacks. For more info, see [`docs/Schnorr.md`](./Schnorr.md#key-aggregation-for-multisignatures). ## Chainlink Compatibility diff --git a/src/IScribe.sol b/src/IScribe.sol index 6d1f6ca..3e66818 100644 --- a/src/IScribe.sol +++ b/src/IScribe.sol @@ -188,6 +188,10 @@ interface IScribe is IChronicle { /// @dev Only callable by auth'ed address. /// @dev The message expected to be signed by `ecdsaData` is defined via /// `feedRegistrationMessage()(bytes32)`. + /// @custom:security The lift function's proof of possession is vulnerable + /// to rogue-key attacks. Additional verification MUST be + /// performed before lifting to ensure a feed's public key + /// validity. /// @param pubKey The public key of the feed. /// @param ecdsaData ECDSA signed message by the feed's public key. /// @return feedId The id of the newly lifted feed. 
@@ -199,6 +203,10 @@ interface IScribe is IChronicle { /// @dev Only callable by auth'ed address. /// @dev The message expected to be signed by `ecdsaDatas` is defined via /// `feedRegistrationMessage()(bytes32)`. + /// @custom:security The lift function's proof of possession is vulnerable + /// to rogue-key attacks. Additional verification MUST be + /// performed before lifting to ensure a feed's public key + /// validity. /// @param pubKeys The public keys of the feeds. /// @param ecdsaDatas ECDSA signed message by the feeds' public keys. /// @return List of feed ids of the newly lifted feeds.
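Review bot: the rewritten sentence in the Schnorr.md hunk at `@@ -81,8 +81,10 @@` says the signed message "MUST be derived from the respective public key" but gives no reason, and "derived from" is loose. The reason is that an ECDSA signature over a message that is fixed and independent of the key can be manufactured for a public key whose private key nobody knows (the ecrecover-based construction the page already cites as [^vitalik-ethresearch-post]), so a fixed registration message proves nothing about possession. Suggest stating that the message must commit to the specific public key being registered, e.g. by hashing the public key (plus a domain separator) into the message, so the key cannot be chosen after the message is known; an attacker who picks their key as a function of the other participants' keys is exactly the rogue-key adversary the preceding sentence warns about.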
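Review bot: typo in the new footnote in the Schnorr.md hunk at `@@ -172,5 +174,6 @@`: `[^bls-proof-of-possession]:[BLSBLS Signatures](...)` should read `[BLS Signatures](...)`. The URL pins revision `-05` of draft-irtf-cfrg-bls-signature and anchors the `#name-proof-of-possession` section; since the other footnotes name whole documents, consider making the link text say which section is meant, e.g. `[BLS Signatures draft, Proof of Possession](...)`, so a reader knows what to look for if the draft revision moves.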
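Review bot: the new warning in the Scribe.md hunk at `@@ -58,6 +58,14 @@` contradicts the unchanged sentence immediately above it, which still states that feeds "prove the integrity of their public key by proving the ownership of the corresponding private key" via `lift()`; with this hunk that sentence is no longer true on its own and should be qualified (e.g. "the signature checked by `lift()` alone does not prove ownership, see the warning below"). The warning also says the complete proof of possession lives in the external ValidatorRegistry but does not spell out the operational consequence: `lift()` must only be called for keys that have already passed the ValidatorRegistry check, so the auth'ed caller of `lift()` is now part of the trust boundary. Suggest adding that sentence. Minor: the unchanged line `If public key's would not be verified` has a stray apostrophe (`public keys`), and the relative link `../audits/Cantina@v2.0.0_2.pdf` should be confirmed to exist at exactly that path.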
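Review bot: the `@custom:security` NatSpec added to the single-key `lift` at `@@ -188,6 +188,10 @@` says "Additional verification MUST be performed before lifting" but does not say what that verification is, who performs it, or where it exists. The docs hunk in this same change names the ValidatorRegistry contract and the requirement that the signed message be bound to the public key; the interface should say the same, since integrators read `IScribe.sol`, not `docs/Scribe.md`. Suggest wording along the lines of `/// @custom:security The message signed via ecdsaData is fixed (feedRegistrationMessage()) and does not commit to pubKey, so the signature alone is not a proof of possession; the auth'ed caller MUST verify pubKey out-of-band (e.g. via the ValidatorRegistry) before lifting.` Being explicit that the obligation is on the auth'ed caller rather than on the feed avoids the reading that the feed can somehow supply extra data here.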
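Review bot: the `@custom:security` text on the batch `lift` at `@@ -199,6 +203,10 @@` repeats the single-key note verbatim; whatever wording is settled for the single-key variant should be mirrored here, and for the batch variant it should state that every entry of `pubKeys` needs the additional verification, not the batch as a whole, since with sum-based key aggregation one unverified key is enough to compromise the aggregated key.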