Paper 2021/1638

00

Nguyen Thoi Minh Quan

Abstract

What is the funniest number in cryptography (Episode 2 )? 0 . The reason is that ∀x, x ∗ 0 = 0, i.e., the equation is always satisfied no matter what x is. We’ll use zero to attack zero-knowledge proof (ZKP). In particular, we’ll discuss a critical issue in a cutting-edge ZKP PLONK C++ implementation which allows an attacker to create a forged proof that all verifiers will accept. We’ll show how theory guides the attack’s direction. In practice, the attack works like a charm and we’ll show how the attack falls through a chain of perfectly aligned software cracks. In the same codebase, there is an independent critical ECDSA bug where (r, s) = (0, 0) is a valid signature for arbitrary keys and messages, but we won’t discuss it further because it’s a known ECDSA attack vector in the Google Wycheproof project that I worked on a few years ago. All bugs have been responsibly disclosed through the vendor’s bug bounty program with total reward ~ $15,000 (thank you).

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Preprint. MINOR revision.
Keywords
zero-knowledge proofZKPzero
Contact author(s)
msuntmquan @ gmail com
History
2021-12-17: received
Short URL
https://ia.cr/2021/1638
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2021/1638,
      author = {Nguyen Thoi Minh Quan},
      title = {00},
      howpublished = {Cryptology ePrint Archive, Paper 2021/1638},
      year = {2021},
      note = {\url{https://eprint.iacr.org/2021/1638}},
      url = {https://eprint.iacr.org/2021/1638}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.