Fix carry handling in the g function in blake.ts #344

Open
thogiti opened this issue Oct 15, 2024 · 0 comments
Labels
audit 🔍 This issue is related to an audit. bug 🐛 Something isn't working

thogiti commented Oct 15, 2024

Incorrect Carry Handling in the g Function

The g function in the implementation in blake.ts uses ~~(lo / 0x0100000000) to compute the carry from the lower 32 bits of a 64-bit word.

Since lo can be up to 0x2FFFFFFFC (i.e., approximately 3 times 0x0100000000), the carry can erroneously be 2 or 3.

Impact

  • Functional Integrity: Incorrect carry values can corrupt the internal state, leading to wrong hash outputs.
  • Security Risks: The integrity of the hash function is compromised, potentially allowing for hash collisions or predictable outputs, which undermines the cryptographic strength of Blake2-512.

Recommendation

  • Modify the carry calculation to ensure that only a single carry bit (0 or 1) is propagated. For example:
const carry = lo >= 0x100000000 ? 1 : 0;
v[a * 2] = (v[a * 2] + ((m[sigma[i][e] * 2] ^ u512[sigma[i][e + 1] * 2]) >>> 0) + v[b * 2] + carry) >>> 0;
  • Alternatively, use BigInt, which TypeScript supports, for precise 64-bit arithmetic as in the original Blake implementation in the npm repo, so that carries are handled correctly without manual intervention.
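Added example (editor's, not the project's blake.ts and not the reporter's code): a differential harness that checks a two-limb 64-bit adder against the BigInt reference the issue recommends. The g step adds three 64-bit words, so the low-limb sum of three unsigned 32-bit values can reach 3 * (2^32 - 1), and the harness constructs inputs whose low sum is exactly 2^32 and 2^33 as well as fully wrapping ones, then adds reproducible pseudo-random words. A candidate that clamps the carry to one bit is included alongside the full-quotient variant so that the harness's mismatch reporting is exercised; the word layout ({hi, lo} limb pairs), function names and the xorshift seed are assumptions of this example. It is plain JavaScript so it runs under Node without a build step.

```javascript
// Added example (editor's, not the project's blake.ts): check a two-limb
// 64-bit adder against the BigInt reference the issue recommends.
// Words are assumed to be {hi, lo} pairs of unsigned 32-bit limbs.

const TWO32 = 0x100000000;
const MASK64 = (1n << 64n) - 1n;

// Sum three 64-bit words limb-wise. For three 32-bit addends the low sum is
// below 2^34 (exact in a double), and the carry into the high limb is the
// full quotient by 2^32, which is 0, 1 or 2.
function add3Limbs(x, y, z) {
  const loSum = x.lo + y.lo + z.lo;
  const carry = Math.floor(loSum / TWO32);
  return { hi: (x.hi + y.hi + z.hi + carry) >>> 0, lo: loSum >>> 0 };
}

// Candidate that clamps the carry to a single bit, kept so the harness
// below has a divergent adder to report on.
function add3LimbsOneBitCarry(x, y, z) {
  const loSum = x.lo + y.lo + z.lo;
  const carry = loSum >= TWO32 ? 1 : 0;
  return { hi: (x.hi + y.hi + z.hi + carry) >>> 0, lo: loSum >>> 0 };
}

function limbsToBig(w) { return (BigInt(w.hi) << 32n) | BigInt(w.lo); }
function bigToLimbs(n) {
  const m = n & MASK64;
  return { hi: Number(m >> 32n), lo: Number(m & 0xffffffffn) };
}

// Reference: exact addition modulo 2^64 with BigInt.
function add3Big(x, y, z) {
  return bigToLimbs(limbsToBig(x) + limbsToBig(y) + limbsToBig(z));
}

// Run a candidate adder against the reference on constructed edge cases plus
// reproducible pseudo-random words. Returns the first mismatch, or null.
function findMismatch(candidate, rounds = 10000) {
  const max = { hi: 0xffffffff, lo: 0xffffffff };
  const cases = [
    [{ hi: 0, lo: 0 }, { hi: 0, lo: 0 }, { hi: 0, lo: 0 }],
    [{ hi: 0, lo: 0x80000000 }, { hi: 0, lo: 0x80000000 }, { hi: 0, lo: 0 }], // low sum = 2^32
    [{ hi: 1, lo: 0xffffffff }, { hi: 0, lo: 0xffffffff }, { hi: 0, lo: 2 }], // low sum = 2^33
    [max, max, max],                                                          // everything wraps
  ];
  let s = 0x9e3779b9; // xorshift32 state; fixed seed so runs are reproducible
  const rnd = () => { s ^= s << 13; s >>>= 0; s ^= s >>> 17; s ^= s << 5; s >>>= 0; return s; };
  for (let i = 0; i < rounds; i++) {
    cases.push([{ hi: rnd(), lo: rnd() }, { hi: rnd(), lo: rnd() }, { hi: rnd(), lo: rnd() }]);
  }
  for (const [x, y, z] of cases) {
    const got = candidate(x, y, z);
    const want = add3Big(x, y, z);
    if (got.hi !== want.hi || got.lo !== want.lo) return { inputs: [x, y, z], got, want };
  }
  return null;
}

// Usage: report which candidate agrees with the BigInt reference.
for (const [name, fn] of [["quotient carry", add3Limbs], ["one-bit carry", add3LimbsOneBitCarry]]) {
  const m = findMismatch(fn);
  console.log(name, m ? `diverges from BigInt at ${JSON.stringify(m)}` : "matches BigInt");
}
```

Any carry rule proposed for blake.ts can be dropped in as a candidate for findMismatch; BigInt is the arbiter, and the constructed cases pin the two thresholds (2^32 and 2^33) at which the low-limb sum changes the carry.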
@thogiti thogiti added the bug 🐛 Something isn't working label Oct 15, 2024
@cedoor cedoor added the audit 🔍 This issue is related to an audit. label Oct 15, 2024