{"id":11841,"date":"2025-05-08T01:14:54","date_gmt":"2025-05-07T23:14:54","guid":{"rendered":"https:\/\/wsj-crypto.com\/?p=11841"},"modified":"2025-05-08T01:14:54","modified_gmt":"2025-05-07T23:14:54","slug":"the-intriguing-mystery-of-subgroup-verification-in-besu-explaining-cve-2025-30147","status":"publish","type":"post","link":"https:\/\/wsj-crypto.com\/index.php\/2025\/05\/08\/the-intriguing-mystery-of-subgroup-verification-in-besu-explaining-cve-2025-30147\/","title":{"rendered":"“The Intriguing Mystery of Subgroup Verification in Besu: Explaining CVE-2025-30147”"},"content":{"rendered":"

“`html
\n<\/p>\n

\n

Appreciation goes to Marius Van Der Wijden for developing the test case and statetest, and for assisting the Besu team in validating the issue. Furthermore, commendations to the Besu team, the EF security team, and Kevaundray Wedderburn. Additionally, gratitude to Justin Traglia, Marius Van Der Wijden, Benedikt Wagner, and Kevaundray Wedderburn for reviewing the content. Should you have further inquiries or comments, reach out to me on Twitter at @asanso<\/a><\/em><\/p>\n

<\/p>\n

tl;dr<\/strong>: Besu Ethereum execution client<\/a> version 25.2.2 encountered a consensus flaw<\/strong> associated with the EIP-196<\/a>\/EIP-197<\/a> precompiled contract management for the elliptic curve alt_bn128<\/span> (also known as bn254). The matter was rectified in release 25.3.0<\/a>.
\nAccess<\/a> the complete CVE report.<\/p>\n

<\/p>\n

N.B.<\/strong>: A portion of this article necessitates some understanding of elliptic curves (cryptography).<\/p>\n

<\/p>\n

Introduction<\/h2>\n

<\/p>\n

The bn254<\/span> curve (also referred to as alt_bn128<\/span>) serves as an elliptic curve utilized in Ethereum for cryptographic procedures. It facilitates processes such as elliptic curve cryptography, rendering it essential for numerous Ethereum functionalities. Prior to EIP-2537<\/a> and the latest Pectra update, bn254<\/span> was the exclusive pairing curve endorsed by the Ethereum Virtual Machine (EVM). Both EIP-196<\/a> and EIP-197<\/a> outline precompiled contracts for effective computations on this curve. For additional information regarding bn254<\/span>, you may refer to this link<\/a>.<\/p>\n

<\/p>\n

A notable security weakness in elliptic curve cryptography is the invalid curve attack<\/strong>, initially proposed in the document \u201cDifferential fault attacks on elliptic curve cryptosystems\u201d<\/a>. This assault targets the use of points not residing on the accurate elliptic curve, potentially resulting in vulnerabilities within cryptographic protocols. For non-prime order curves (like those used in pairing-based cryptography and in G<\/mi>2<\/mn><\/msub><\/mrow>G_2<\/annotation><\/semantics><\/math><\/span>G<\/span>2<\/span><\/span><\/span><\/span>\u200b<\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span> for bn254<\/span>), it becomes particularly vital that the point is within the appropriate subgroup<\/strong>. If the point fails to belong to the designated subgroup, the cryptographic procedure may be influenced, potentially undermining the security of systems that depend on elliptic curve cryptography.<\/p>\n

<\/p>\n

To ascertain if a point P<\/span> is legitimate in elliptic curve cryptography, it must be confirmed that the point is situated on the curve and is part of the correct subgroup. This verification is especially crucial when the point P<\/span> originates from an untrusted or possibly hostile source, as invalid or purposefully designed points can lead to security flaws. Below is pseudocode illustrating this procedure:<\/p>\n

<\/p>\n

\n
# Pseudocode for verifying if point P is valid<\/span>\n<\/span>def<\/span> <\/span>is_valid_point<\/span>(<\/span>P<\/span>)<\/span>:<\/span>\n<\/span>    <\/span>if<\/span> <\/span>not<\/span> is_on_curve<\/span>(<\/span>P<\/span>)<\/span>:<\/span>    \n<\/span>        <\/span>return<\/span> <\/span>False<\/span>\n<\/span>    <\/span>if<\/span> <\/span>not<\/span> is_in_subgroup<\/span>(<\/span>P<\/span>)<\/span>:<\/span>\n<\/span>        <\/span>return<\/span> <\/span>False<\/span>\n<\/span>    <\/span>return<\/span> <\/span>True<\/span>\n<\/span><\/code><\/pre>\n<\/div>\n
<\/p>\n
Subgroup membership verifications<\/h3>\n
<\/p>\n
As noted previously, when handling any point of uncertain origin, it is essential to ascertain that it belongs to the appropriate subgroup, in addition to confirming that the point is situated on the correct curve. For bn254<\/span>, this validation is only required for G<\/mi>2<\/mn><\/msub><\/mrow>G_2<\/annotation><\/semantics><\/math><\/span>G<\/span>2<\/span><\/span><\/span><\/span>\u200b<\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span>, since G<\/mi>1<\/mn><\/msub><\/mrow>G_1<\/annotation><\/semantics><\/math><\/span>G<\/span>1<\/span><\/span><\/span><\/span>\u200b<\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span> is of prime order. A simple technique to verify membership in G<\/mi><\/mrow>G<\/annotation><\/semantics><\/math><\/span>G<\/span><\/span><\/span><\/span><\/span> is to multiply a point by r<\/mi><\/mrow>r<\/annotation><\/semantics><\/math><\/span>r<\/span><\/span><\/span><\/span><\/span>, where r<\/mi><\/mrow>r<\/annotation><\/semantics><\/math><\/span>r<\/span><\/span><\/span><\/span><\/span> represents the cofactor<\/em> of the curve, which is the ratio of the curve’s order to the base point’s order.<\/p>\n
<\/p>\n
Nevertheless, this method can be prohibitive in practice due to the substantial size of the prime r<\/mi><\/mrow>r<\/annotation><\/semantics><\/math><\/span>r<\/span><\/span><\/span><\/span><\/span>, particularly for G<\/mi>2<\/mn><\/msub><\/mrow>G_2<\/annotation><\/semantics><\/math><\/span>G<\/span>2<\/span><\/span><\/span><\/span>\u200b<\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span>. In 2021, Scott introduced<\/a> a quicker method for subgroup membership verification on BLS12 curves employing an easily computable endomorphism<\/em>, expediting the process by 2\u00d7, 4\u00d7, and 4\u00d7 for various groups (this approach is detailed in EIP-2537<\/a> for efficient subgroup verifications, as outlined in this document<\/a><\/strong>).
\nSubsequently, Dai et al. extended Scott’s method<\/a> to accommodate a wider variety of curves, including BN curves, diminishing the number of operations necessary for subgroup membership checks. In some instances, the method can be almost cost-free. Koshelev also presented a technique for non-pairing-friendly curves utilizing the Tate pairing<\/a>, which was ultimately
\n“““html
\nfurther expanded to pairing-friendly curves.<\/a><\/p>\n
<\/p>\n
The Genuine Slim Shady<\/h2>\n
<\/p>\n
As illustrated in the timeline at the conclusion of this article, we received a notification regarding a flaw impacting Pectra EIP-2537<\/a> on Besu, submitted through the Pectra Audit Competition<\/a>. We are only briefly addressing that concern here, in case the initial reporter wishes to delve into it further. This article specifically addresses the BN254 EIP-196<\/a>\/EIP-197<\/a> vulnerability<\/strong>.<\/p>\n
<\/p>\n
The initial reporter noted that, in Besu, the is_in_subgroup<\/span> validation was carried out prior to the is_on_curve<\/span> verification. Here’s an example of how that could appear:<\/p>\n
<\/p>\n
\n
# Pseudocode for validating point P<\/span>\n<\/span>def<\/span> <\/span>is_valid_point<\/span>(<\/span>P<\/span>)<\/span>:<\/span>\n<\/span>    <\/span>if<\/span> <\/span>not<\/span> is_in_subgroup<\/span>(<\/span>P<\/span>)<\/span>:<\/span>    \n<\/span>        <\/span>if<\/span> <\/span>not<\/span> is_on_curve<\/span>(<\/span>P<\/span>)<\/span>:<\/span>\n<\/span>            <\/span>return<\/span> <\/span>False<\/span>  \n<\/span>        <\/span>return<\/span> <\/span>False<\/span>\n<\/span>    <\/span>return<\/span> <\/span>True<\/span>\n<\/span><\/code><\/pre>\n<\/div>\n
<\/p>\n
<\/p>\n
\n
# Pseudocode for validating point P<\/span>\n<\/span>def<\/span> <\/span>is_valid_point<\/span>(<\/span>P<\/span>)<\/span>:<\/span>\n<\/span>    <\/span>if<\/span> <\/span>not<\/span> is_in_subgroup<\/span>(<\/span>P<\/span>)<\/span>:<\/span>    \n<\/span>        <\/span>return<\/span> <\/span>False<\/span>\n<\/span>    <\/span>return<\/span> <\/span>True<\/span>\n<\/span><\/code><\/pre>\n<\/div>\n
<\/p>\n
Hold on, what? Where is the is_on_curve<\/span> validation? Precisely\u2014there’s none!!!<\/strong><\/p>\n
<\/p>\n
Now, to potentially circumvent the is_valid_point<\/span> function, all one would need is to present a point that exists within the appropriate subgroup but isn’t genuinely on the curve<\/strong>.<\/p>\n
<\/p>\n
But hold on\u2014is that even feasible?<\/p>\n
Indeed, but solely for specific, meticulously selected curves. In particular, when two curves are isomorphic<\/em>, they possess the identical group structure, signifying that you could fabricate a point from the isomorphic curve that meets subgroup requirements but does not reside on the desired curve.<\/p>\n
<\/p>\n
Clever, right?<\/p>\n
<\/p>\n
\n
<\/p>\n
Did you mention isomorphism?<\/h3>\n
<\/p>\n
You can bypass this section if you’re uninterested in the specifics\u2014we’re about to delve a little deeper into the mathematics.<\/em><\/p>\n
<\/p>\n
Let F<\/mi>q<\/mi><\/msub><\/mrow>mathbb{F}_q<\/annotation><\/semantics><\/math><\/span>F<\/span>q<\/span><\/span><\/span><\/span>\u200b<\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span> be a finite field with a characteristic that differs from 2 and 3, meaning q<\/mi>=<\/mo>p<\/mi>f<\/mi><\/msup><\/mrow>q = p^f<\/annotation><\/semantics><\/math><\/span>q<\/span>=<\/span><\/span>p<\/span>f<\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span> for some prime p<\/mi>\u2265<\/mo>5<\/mn><\/mrow>p geq 5<\/annotation><\/semantics><\/math><\/span>p<\/span>\u2265<\/span><\/span>5<\/span><\/span><\/span><\/span><\/span> and integer f<\/mi>\u2265<\/mo>1<\/mn><\/mrow>f geq 1<\/annotation><\/semantics><\/math><\/span>f<\/span>\u2265<\/span><\/span>1<\/span><\/span><\/span><\/span><\/span>. We examine elliptic curves E<\/mi><\/mrow>E<\/annotation><\/semantics><\/math><\/span>E<\/span><\/span><\/span><\/span><\/span> over F<\/mi>q<\/mi><\/msub><\/mrow>mathbb{F}_q<\/annotation><\/semantics><\/math><\/span>F<\/span>q<\/span><\/span><\/span><\/span>\u200b<\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span> defined by the concise Weierstra\u00df equation:<\/p>\n
<\/p>\n
y<\/mi>2<\/mn><\/msup>=<\/mo>x<\/mi>3<\/mn><\/msup>+<\/mo>A<\/mi>x<\/mi>+<\/mo>B<\/mi><\/mrow>y^2 = x^3 + A x + B   <\/annotation><\/semantics><\/math><\/span>y<\/span>2<\/span><\/span><\/span><\/span><\/span><\/span><\/span>=<\/span><\/span>x<\/span>
\n“““html
\n3<\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span>+<\/span><\/span>A<\/span>x<\/span>+<\/span><\/span>B<\/span><\/span><\/span><\/span><\/span><\/div>\n
<\/p>\n
where A<\/mi><\/mrow>A<\/annotation><\/semantics><\/math><\/span>A<\/span><\/span><\/span><\/span><\/span> and B<\/mi><\/mrow>B<\/annotation><\/semantics><\/math><\/span>B<\/span><\/span><\/span><\/span><\/span> are constants that fulfill 4<\/mn>A<\/mi>3<\/mn><\/msup>+<\/mo>27<\/mn>B<\/mi>2<\/mn><\/msup>\u2260<\/mo>0<\/mn><\/mrow>4A^3 + 27B^2 neq 0<\/annotation><\/semantics><\/math><\/span>4<\/span>A<\/span>3<\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span>+<\/span><\/span>27<\/span>B<\/span>2<\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span>\ue020<\/span><\/span><\/span><\/span><\/span><\/span><\/span>=<\/span><\/span><\/span>0<\/span><\/span><\/span><\/span><\/span>.^[This restriction guarantees the curve is non-singular<\/strong>; should it be disregarded, the equation would depict a singular point devoid of a well-defined tangent, hindering meaningful self-addition. In such scenarios, the entity is not technically an elliptic curve.]<\/p>\n
<\/p>\n
Curve Isomorphisms<\/h4>\n
<\/p>\n
Two elliptic curves are deemed isomorphic<\/strong>^[To leverage the vulnerabilities mentioned here, we genuinely desire isomorphic<\/strong> curves, not solely isogenous<\/strong> curves.] if they can be connected via an affine alteration of variables. Such modifications maintain the group structure and assure that point addition stays coherent. It can be demonstrated that the sole feasible transformations between two curves in short Weierstra\u00df form take the following shape:<\/p>\n
<\/p>\n
(<\/mo>x<\/mi>,<\/mo>y<\/mi>)<\/mo>\u21a6<\/mo>(<\/mo>e<\/mi>2<\/mn><\/msup>x<\/mi>,<\/mo>e<\/mi>3<\/mn><\/msup>y<\/mi>)<\/mo><\/mrow>(x, y) mapsto (e^2 x, e^3 y)<\/annotation><\/semantics><\/math><\/span>(<\/span>x<\/span>,<\/span>y<\/span>)<\/span>\u21a6<\/span><\/span>(<\/span>e<\/span>2<\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span>x<\/span>,<\/span>e<\/span>3<\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span>y<\/span>)<\/span><\/span><\/span><\/span><\/span><\/div>\n
<\/p>\n
for some nonzero e<\/mi>\u2208<\/mo> \n“““html\nF<\/mi>q<\/mi><\/msub><\/mrow>e in mathbb{F}_q<\/annotation><\/semantics><\/math><\/span>e<\/span>\u2208<\/span><\/span>F<\/span>q<\/span><\/span><\/span><\/span>\u200b<\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span>. Utilizing this alteration on the curve equation yields:<\/p>\n
<\/p>\n
y<\/mi>2<\/mn><\/msup>=<\/mo>x<\/mi>3<\/mn><\/msup>+<\/mo>A<\/mi>e<\/mi>4<\/mn><\/msup>x<\/mi>+<\/mo>B<\/mi>e<\/mi>6<\/mn><\/msup><\/mrow>y^2 = x^3 + A e^{4} x + B e^{6}<\/annotation><\/semantics><\/math><\/span>y<\/span>2<\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span>=<\/span><\/span>x<\/span>3<\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span>+<\/span><\/span>A<\/span>e<\/span>4<\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span>x<\/span>+<\/span><\/span>B<\/span>e<\/span>6<\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/div>\n
<\/p>\n
The j<\/mi><\/mrow>j<\/annotation><\/semantics><\/math><\/span>j<\/span><\/span><\/span><\/span><\/span>-invariant<\/strong> of a curve is characterized as:<\/p>\n
<\/p>\n
j<\/mi>=<\/mo>1728<\/mn>4<\/mn>A<\/mi>3<\/mn><\/msup><\/mrow>4<\/mn>A<\/mi>3<\/mn><\/msup>+<\/mo>27<\/mn>B<\/mi>2<\/mn><\/msup><\/mrow><\/mfrac><\/mrow>j = 1728 frac{4A^3}{4A^3 + 27B^2}<\/annotation><\/semantics><\/math><\/span>j<\/span>=<\/span><\/span>1728<\/span>4<\/span>A<\/span>3<\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span>+<\/span>27<\/span>B<\/span>2<\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span>4<\/span>
\n“““html
\nA<\/span>3<\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span>\u200b<\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/div>\n
<\/p>\n
Each component of F<\/mi>q<\/mi><\/msub><\/mrow>mathbb{F}_q<\/annotation><\/semantics><\/math><\/span>F<\/span>q<\/span><\/span><\/span><\/span>\u200b<\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span> can be a potential j<\/mi><\/mrow>j<\/annotation><\/semantics><\/math><\/span>j<\/span><\/span><\/span><\/span><\/span>-invariant.^[Both BLS and BN curves exhibit a j-invariant corresponding to 0, which is truly unique<\/strong>.] When two elliptic curves possess the identical j<\/mi><\/mrow>j<\/annotation><\/semantics><\/math><\/span>j<\/span><\/span><\/span><\/span><\/span>-invariant, they are either isomorphic<\/strong> (in the previously mentioned sense) or they are twists<\/strong> of one another.^[We will not delve into twists here, as they are irrelevant to this context.]<\/p>\n
<\/p>\n
Exploitability<\/h2>\n
<\/p>\n
At this juncture, the remaining task is to formulate a suitable point on a meticulously selected curve, and voil\u00e0\u2014le jeu est fait<\/em>.<\/p>\n
<\/p>\n
You may experiment with the test vector via this link<\/a> and have fun.<\/p>\n
<\/p>\n
Conclusion<\/h2>\n
<\/p>\n
In this article, we examined the vulnerability present in Besu’s execution of elliptic curve verifications. This defect, if leveraged, could permit an assailant to forge a point that passes subgroup membership tests but does not actually reside on the valid curve. The Besu developers have subsequently rectified this concern in release 25.3.0. While the problem was confined to Besu and did not impact other clients, such discrepancies elevate significant issues for multi-client frameworks like Ethereum. A misalignment in cryptographic verifications among clients can lead to divergent actions\u2014where one client endorses a transaction or block that another dismisses. This type of inconsistency can jeopardize consensus and erode confidence in the network\u2019s uniformity, particularly when subtle errors go unnoticed across various implementations. This incident underscores the necessity for thorough testing and strong security protocols\u2014especially within blockchain environments, where even trivial cryptographic errors can cascade into considerable systemic weaknesses. Initiatives such as the Pectra audit competition play an essential role in proactively uncovering these problems before they transition to production. By promoting diverse scrutiny of the code, such endeavors enhance the overall stability of the ecosystem.<\/p>\n
<\/p>\n
Timeline<\/h2>\n
<\/p>\n
Fascinated by the previously mentioned matter on the BLS curve, we opted to examine the Besu code for the BN curve. To my utter astonishment, we discovered something akin to this<\/strong><\/a>:<\/p>\n