Paper 2024/398

The Last Challenge Attack: Exploiting a Vulnerable Implementation of the Fiat-Shamir Transform in a KZG-based SNARK

Oana Ciobotaru, OpenZeppelin
Maxim Peter, OpenZeppelin
Vesselin Velichkov, OpenZeppelin
Abstract

The Fiat-Shamir transform [1] is a well-known and widely employed technique for converting sound public-coin interactive protocols into sound non-interactive protocols. Even though the transformation itself is relatively clear and simple, some implementations choose to deviate from the specifications, for example for performance reasons. In this short note, we present a vulnerability arising from such a deviation in a KZG-based PLONK verifier implementation. This deviation stemmed from the incorrect computation of the last challenge of the PLONK protocol [2], where the KZG batching proof challenge was computed before, and, hence, independently from the KZG evaluation proofs. More generally, such a vulnerability may affect any KZG [3] implementation where one uses batched KZG proof evaluations for at least two distinct evaluation points. We call an attack enabled by such a deviation a Last Challenge Attack. For concreteness, we show that when a PLONK verifier implementation presents such a deviation, a malicious PLONK prover can mount a Last Challenge Attack to construct verifiable proofs of false statements. The described vulnerability was initially discovered as part of an audit, and has been responsibly disclosed to the developers and fixed. A proof of concept of the vulnerability, in which a proof is forged for an arbitrary public input, is made available. In addition to the above, in this work we also provide a security proof of the knowledge-soundness of the batched KZG scheme with evaluations for at least two distinct values.

Note: email address update

Metadata
Available format(s)
PDF
Category
Attacks and cryptanalysis
Publication info
Preprint.
Keywords
batched KZG schemeincorrect FS transform implementationvulnerable SNARK verifier implementation
Contact author(s)
oana ciobotaru @ gmail com
maxim peter @ openzeppelin com
vesselin velichkov @ openzeppelin com
History
2024-04-17: last of 3 revisions
2024-03-04: received
See all versions
Short URL
https://ia.cr/2024/398
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/398,
      author = {Oana Ciobotaru and Maxim Peter and Vesselin Velichkov},
      title = {The Last Challenge Attack: Exploiting a Vulnerable Implementation of the Fiat-Shamir Transform in a {KZG}-based {SNARK}},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/398},
      year = {2024},
      url = {https://eprint.iacr.org/2024/398}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.