Cointime

Download App
iOS & Android

ZKP Series: Principles and Implementation of Extensibility Attacks on Groth16 Proofs

Preface

In our previous article, we reviewed the technical features of mainstream ZKP implementation solutions and mentioned the potential extensibility risks associated with certain ZKP algorithms. In this article, we will continue to demonstrate the attack principles and defense methods from a practical perspective.

Vulnerability Overview

Extensibility attacks on ZKP refer to the ability of an adversary to generate a new valid proof without knowledge of the witness, given an existing valid proof.

Not all proof systems are susceptible to extensibility attacks. In fact, this problem currently exists mainly in the Groth16 proof system. So why do we still insist on using Groth16, given that there are so many other proof systems available? The truth is that the proofs generated by Groth16 are extremely small in size and very fast to verify. In the context of blockchain, where computational costs are high, using Groth16 seems to be the most ideal choice.

What risks does extensibility vulnerability bring? Let’s imagine a deposit system that uses ZKP proofs submitted by users to verify their identity. Once verified, users can make withdrawals. Since the verification process of this system is public, anyone can obtain the proof. If the proof value itself is used as a withdrawal record and the proof is obtained and transformed, it can be used for multiple withdrawals. The exploitation of this vulnerability depends on the specific scenario, but we can see that extensibility vulnerability primarily brings the risk of double-spending.

Mathematical Principles

To understand the attack principles, we first need to understand the algorithm, which requires some knowledge of cryptography. Interested readers can find information on the Groth16 algorithm on their own. Here, we will focus on the root cause of the vulnerability: the verification function.

Let’s take a look at the formula for the verification function:

Without going into a detailed explanation of each individual variable, it may be difficult to fully comprehend the formula’s meaning. However, an extensive introduction is not necessarily required. By simply remembering the “A * B” on the left side of the formula, we can begin to unravel its intricacies and apply mathematical magic. The following incantation is all it takes:

This is just one of the simpler construction methods, and there is another construction method, which we will not elaborate on here, as we have already gathered what we needed.

Implementation

With the above formula, we can execute the extension of Groth16 proofs in implementation. To forge a proof for a target object, we can obtain its proof, for example:

{  pi_a: [    '17566212007750634279332191898019870443899908963707812937725971557556988121113',    '13653824972036797689593667463260040326059024360787769597142078414930263663703',    '1'  ],  pi_b: [    [      '14906111038352923510344648516413952434168552622848767570599399834157918236589',      '15289017543994496306320102143103349779456992442925111629326024552687168229256'    ],    [      '18841235948006283310515755114762069779103481848435391875780416574913227842443',      '6835281862874020275059416795628130939104366467185014410026268177455413514889'    ],    [ '1', '0' ]  ],  pi_c: [    '21641806348662631815866837255154640732047306895903168385641666607914783128458',    '2082587994352117459125871298218148663854896572836176277773049196516560449682',    '1'  ],  protocol: 'groth16',  curve: 'bn128'}

Let’s take a look at a proof like this: pi_a, pi_b, pi_c are the A, B, C described in the formula above. This proof uses the BN128 curve, so we need to find a development library that supports the BN128 curve. Here, we choose ffjavascript, which is a finite field library based on JavaScript that supports the BN128 and BLS12381 curves.

First, we arbitrarily construct an element on the field and its inverse element:

const X = F.e("123456");const invX = F.inv(X);

Then, we multiply them together separately. The core code is as follows:

const A = curve.G1.fromObject(proof.pi_a);const B = curve.G2.fromObect(proof.pi_b);new_pi_a = curve.G1.timesScalar(A, X);  //A'=x*Anew_pi_b = curve.G2.timesScalar(B, invX);  //B'=x^{-1}*B

Finally, we replace the original proof with new_pi_a and new_pi_b to obtain a new proof:

{  pi_a: [    '6515337738552169645617263495374285821912767490069335826295120714428977813009',    '10671874016637483602721966808912960491553808325993800847672325376634242358838',    '1'  ],  pi_b: [    [      '20523135654483520737281403147507843211011765855706506084021355785019229409285',      '4032527486736971273144842057682931136787425732029780739716144011227563817375'    ],    [      '9389285843105460816015935120908213706233585149018458753845466963847282799614',      '7207137211649923819130654483456848273137049778520784010268635580504303221849'    ],    [ '1', '0' ]  ],  pi_c: [    '21641806348662631815866837255154640732047306895903168385641666607914783128458',    '2082587994352117459125871298218148663854896572836176277773049196516560449682',    '1'  ],  protocol: 'groth16',  curve: 'bn128'}

By this point, we have successfully constructed a new proof. When we place this proof into the verification function, we can see that it can pass the verification.

Prevention

How can we prevent Groth16 extensibility attacks? Here are four methods:

  1. Sign the proof, and have the verifier validate the signature along with the proof.
  2. Add nullifier values in the public inputs of the circuit, as TornadoCash does, to ensure that a proof can only correspond to a public input once.
  3. Add the identity information of the prover (such as Ethereum’s msg.sender) to the public inputs of the circuit, allowing the verifier to verify the prover’s identity.
  4. Use other proof systems, as discussed in our previous article.

Conclusion

In conclusion, Groth16 is vulnerable to extensibility attacks, as new proofs can be forged through simple calculations. In practice, it is important to take measures to prevent double-spending attacks.

Comments

All Comments

Recommended for you

  • The State Council Tariff Commission: Adjustment of tariffs on imported goods originating from the United States

    on April 10, 2025, the U.S. government announced that the tariff rate for Chinese goods imported into the U.S. will be further increased to 125%. The U.S. imposing excessively high tariffs on China seriously violates international economic and trade rules, as well as basic economic laws and common sense, and is completely unilateral bullying and coercion. In accordance with the "Customs Law of the People's Republic of China," the "Customs Law of the People's Republic of China," the "Foreign Trade Law of the People's Republic of China," and other laws and regulations, as well as basic principles of international law, with the approval of the State Council, the measures of imposing tariffs on imported goods originating in the U.S. will be adjusted starting from April 12, 2025. The relevant matters are as follows:

  • Plastic Labs Completes $5.35 Million Pre-Seed Funding and Launches AI Identity Platform Honcho

    Plastic Labs has completed a $5.35 million Pre-Seed round of financing, led by Variant, White Star Capital, and Betaworks, with participation from Mozilla Ventures, Seed Club Ventures, Greycroft, and Differential Ventures. Angel investors include Scott Moore, NiMA Asghari, and Thomas Howell. At the same time, its personalized AI identity platform "Honcho" is now open for early access.

  • Trump: There will be problems during the transition, but it will ultimately be an incredible thing

    President Trump of the United States: There will be problems in the transition phase, but in the end it will be an incredible thing.

  • A whale transferred 2,300 ETH that he had held for two years to Kraken

    according to The Data Nerd's monitoring, a whale address that has held ETH for two years just transferred 2300 ETH (about $3.58 million) to Kraken.

  • The three major U.S. stock indexes continued to fall, with the Nasdaq's decline widening to 7%.

    Nasdaq fell by 7%, the S&P 500 index is now down 6.2%, and the Dow fell by 5.3%.

  • Coinbase International will launch COMP, UXLINK, and ATH perpetual contract trading

    Coinbase International will launch COMP, UXLINK, and ATH perpetual contract trading.

  • If Bitcoin falls below $78,000, the cumulative long order liquidation intensity of mainstream CEX will reach 374 million

     according to Coinglass data, if Bitcoin falls below $78,000, the cumulative long liquidation intensity of mainstream CEX will reach 374 million.

  • U.S. House of Representatives passes plan to advance President Trump's tax cuts and raise debt ceiling

    U.S. House of Representatives passed a plan to advance President Trump's tax cut measures and raise the debt ceiling.

  • 🔥【OG All-Star Assemble in Hong Kong!】

    Web3 Carnival Blockbuster Dialogue, Crossing Bulls and Bears, Insight into the Future! 🌐💥📅 Time: 20:30, April 11 (UTC 8)🎧 Cointime Space hits the hot spots: BTC × DePIN × AI × DAOPredict the trend and decrypt the wealth code! 💰🧠🎙️ Super guest lineup:@June_tsy Author of "WEB3.0 Appearance".@Whdysseus |1783DAO promoter@BTCXminer |BTC Miner & DePIN Investor@GodotSancho | Head of Research, Manta Network@jackypan988 | Principal Advisor, Cointime📍 This conversation is not to be missed 👇🔗 https://x.com/i/spaces/1YpKkBpXYgAxj

  • The Ministry of Foreign Affairs responded to the US's 125% tariff increase on China: China does not want to fight a tariff war, but is not afraid of it

    regarding the US announcement of imposing a 125% tariff on China, Foreign Ministry spokesperson Lin Jian said that the US, out of selfish interests, is using tariffs as a weapon to exert extreme pressure and seek private gains, severely infringing on the legitimate rights and interests of all countries, seriously violating the rules of the World Trade Organization, seriously undermining the rules-based multilateral trading system, and seriously disrupting the stability of the global economic order. This is openly defying the will of the world and going against the entire world. I want to emphasize once again that there are no winners in a tariff war or trade war. China does not want to fight, but is not afraid to fight. We will never allow the legitimate rights of the Chinese people to be deprived, and we will never allow the international economic and trade rules and multilateral trading system to be destroyed. If the US insists on waging a tariff war or trade war, China will definitely fight to the end. The US is prioritizing its own interests over the common interests of the international community, sacrificing the legitimate interests of all countries in the world to serve its hegemonic interests, which will inevitably face even stronger opposition from the international community.