Paper 2024/398

The Last Challenge Attack on Fiat-Shamir in KZG-based SNARKs

Oana Ciobotaru, Independent Researcher
Maxim Peter, General Intuition
Vesselin Velichkov, OpenZeppelin
Abstract

The Fiat-Shamir transform [11] is a fundamental technique for converting sound public-coin interactive protocols into sound non-interactive protocols. While the theoretical transformation is conceptually simple, implementation-level deviations—often motivated by performance optimisations—can introduce catastrophic security flaws. In this work, we present the Last Challenge Attack (LCA), a vulnerability arising from such a deviation in a real-world KZG-based SNARK verifier implementation. The vulnerability stems from an incorrect computation of the final KZG [17] protocol challenge, which is a batching challenge derived independently of the evaluation proofs. This flaw potentially affects any KZG implementation of batched proofs for multiple evaluation points. We demonstrate that a malicious prover can exploit this deviation to forge proofs of false statements. We provide a proof-of-concept implementation demonstrating the forgery of a proof for an arbitrary public input. This vulnerability was discovered during a security audit, responsibly disclosed, and fixed.

Note: This is the extended version of the article accepted for publication at Financial Cryptography and Data Security 2026. Updated affiliations.

Metadata
Available format(s)
PDF
Category
Attacks and cryptanalysis
Publication info
Published elsewhere. Minor revision. Financial Cryptography and Data Security 2026
Keywords
Fiat-ShamirSNARKsKZGPLONKVulnerability
Contact author(s)
oana ciobotaru @ gmail com
vesselin velichkov @ openzeppelin com
History
2026-04-06: last of 5 revisions
2024-03-04: received
See all versions
Short URL
https://ia.cr/2024/398
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/398,
      author = {Oana Ciobotaru and Maxim Peter and Vesselin Velichkov},
      title = {The Last Challenge Attack on Fiat-Shamir in {KZG}-based {SNARKs}},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/398},
      year = {2024},
      url = {https://eprint.iacr.org/2024/398}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.