Cointime

Cointime

Download App
iOS & Android

ZKP Series: Pseudonym Input Vulnerability in Circom’s Verification Contract Has Been Replicated

Overview

Earlier, a double-spending vulnerability in a zero-knowledge proof verification contract on Semaphore was uncovered by the Russian developer, Poma. As a matter of curiosity, my intention is to replicate the vulnerability’s PoC initially. However, due to the vulnerability code being old and the project being relatively complex, I opted to create a straightforward PoC to replicate the vulnerability.

Introduction

The foundation of Zero Knowledge Proof (ZKP) technology lies in an algorithm called a “proof system”. By performing a series of computations on the message, the algorithm produces a proof to demonstrate the genuineness of the message. The recipient can confirm the message’s authenticity by verifying the proof alone, without requiring additional information.

There are various implementation schemes for ZKP technology, which we discussed in our earlier article “Technical Features of ZKP Mainstream Implementation Schemes”. In this experiment, the Circom platform is employed, which utilizes Groth16 and PlonK as its proof system. During development, developers can select either system. The development framework generates proof parameters and verification contracts automatically without circuit modification.

In simpler terms, Circom creates witness data and attestation data on the client side and submits them to the contract. The verifier.sol contract verifies the submitted data to confirm whether the proof adheres to the specified rules. This approach enables rapid, efficient, and secure verification while safeguarding the message’s content and privacy.

Vulnerability Analysis

1. There isn’t much to discuss, so let’s proceed straight to the problematic code. Please refer to the “verifyHash” function in the image below. The code enclosed in the red box indicates whether specific witness data has been utilized. This method is commonly employed to prevent double spending. However, the vulnerability has arisen in the witness data “hash1”. Normally, a particular set of proof data should only correspond to a set of “hash1” values for verification purposes.

2. The “verify” function in the “verifier.sol” contract carries out elliptic curve computation verification on the input value via the “scalar_mul()” function. This function conducts calculations on elliptic curves utilizing the input parameters and matches the resulting value against the value specified in the provided proof. The function thereby confirms whether the input value is legitimate or not.

3. In a Solidity smart contract, encoding Fq necessitates the usage of the uint256 type. However, as the maximum value of uint256 is larger than the q value, several distinct integers may correspond to the same Fq value following the modulo operation. For example, “s” and “s+q” indicate the same point, namely the “sth” point. Similarly, “s+2q” and so on are also aliases for point “s”. This phenomenon is known as “Input Aliasing”, whereby these integers serve as pseudonyms for one another.

The “q” value mentioned here pertains to the cyclic group’s order, which signifies the number of values within the same Fq that can be input with numerous large integers. In essence, even if a q value is added to the hash, it can still satisfy the verification criterion. Within the uint256 type’s scope, a maximum of uint256_max/q distinct integers can indicate the same point. This signifies that a set of proofs can have up to 5 hash1 values that match and can pass the contract’s verification.

Vulnerability Recurrence

1. Develop a basic circuit that inputs two data sets and produces a witness data, i.e., “hash1,” utilized in the contract.

2. Compile the circuit to create “circuit_final.zkey”, “circuit.wasm”, and “verifier.sol”. Afterward, generate a collection of proofs, a standard hash, and a corrupted hash.

3. Subsequently, deploy the contract and employ the “checkHash” generated earlier to conduct a verification process. The verification successfully passes.

4. Next, apply the identical witness data and the previously generated “attackHash”. It is discovered that the verification is also successful. This demonstrates that a set of proofs can feature several matching hashes that meet the contract’s verification criteria. Thus, the Circom verification contract input pseudonym vulnerability has been effectively replicated.

Solutions to Vulnerabilities

The vulnerability arises from a set of proofs that can have at most 5 hash values that match and meet the contract’s verification requirements. Thus, the bug fix is straightforward: restricting all input hashes to a value less than “q”.

Summary

Input pseudonym vulnerability is a frequently encountered vulnerability in zero-knowledge proof and cryptography implementation. Its fundamental cause lies in the value being equivalent to the remainder within the finite field. Therefore, developers must focus on the verification group’s order when creating cryptography.

Get the latest news here: Cointime channel — https://t.me/cointime_en

Blockchain Crypto
Comments

All Comments

Recommended for you

  • Putin: Russia "supports" Harris, calls her smile "contagious"

    According to foreign media such as TASS and Russia's Sputnik News, Jinse Finance reported that on the afternoon of September 5th local time, Russian President Putin said at the plenary session of the Eastern Economic Forum 2024 that Russia will "support" the US Democratic Party presidential candidate and vice president Harris as recommended by the US President Biden in the upcoming US presidential election. When asked how he viewed the 2024 US election, Putin said it was the choice of the American people. The new US president will be elected by the American people, and Russia will respect the choice of the American people. Putin also said that just as Biden suggested his supporters to support Harris, "we will do the same, we will support her." The report said that Putin also joked that Harris' laughter is "expressive and infectious," which shows that "she is doing everything well." He added that this may mean that she will avoid further sanctions against Russia.

  • An ETH whale repurchased 5,153 ETH with 12.23 million USDT 20 minutes ago

    A certain high-frequency trading ETH whale monitored by on-chain analyst Yu Jin bought 5,153 ETH with 12.23 million USDT 20 minutes ago.

  • CFTC: Uniswap Labs has actively cooperated with the investigation and only needs to pay a fine of US$175,000

    The CFTC has filed a lawsuit against Uniswap Labs and reached a settlement. It was found that Uniswap Labs illegally provided leveraged or margined retail commodity transactions of digital assets through a decentralized digital asset trading protocol. Uniswap Labs was required to pay a civil penalty of $175,000 and cease violations of the Commodity Exchange Act (CEA). The CFTC acknowledged that Uniswap Labs actively cooperated with law enforcement agencies in the investigation and reduced the civil penalty.

  • Federal Reserve Beige Book: Respondents generally expect economic activity to remain stable or improve

    The Federal Reserve's Beige Book pointed out that economic activity in three regions has slightly increased, while the number of regions reporting flat or declining economic activity has increased from five in the previous quarter to nine in this quarter. Overall employment levels remain stable, although some reports indicate that companies are only filling necessary positions, reducing working hours and shifts, or reducing overall employment levels through natural attrition. However, reports of layoffs are still rare. Generally speaking, wage growth is moderate, and the growth rate of labor input costs and sales prices ranges from slight to moderate. Consumer spending has declined in most regions, while in the previous reporting period, consumer spending remained stable overall.

  • Puffpaw Completes $6 Million Seed Round with Lemniscap Ventures as Participant

    Puffpaw has announced the completion of a $6 million seed round of financing, with participation from Lemniscap Ventures. The Puffpaw project plans to launch a blockchain-enabled electronic cigarette aimed at helping users reduce nicotine intake through token incentives. The project encourages users to quit smoking by recording their smoking habits and rewarding them with tokens. Puffpaw's token economics aims to cover 30% of the cost of users' first month of using their product and provide social rewards. The project also considers possible system abuse, but the issue of users potentially reporting smoking habits dishonestly is not yet clear.

  • Affected by Ethervista and others, Ethereum Gas temporarily rose to 33gwei

    According to Etherscan, due to the influence of contracts such as Ethervista, Ethereum Gas has temporarily risen to 33gwei, with the top three being EthervistaRouter, UniswapRouter, and BananaGun.

  • The probability of the Fed cutting interest rates by 25 basis points in September is 55%.

    The probability of the Federal Reserve cutting interest rates by 25 basis points in September is 55.0%, while the probability of a 50 basis point cut is 45.0%. The probability of the Federal Reserve cutting interest rates by a cumulative 50 basis points by November is 32.1%, by 75 basis points is 49.2%, and by 100 basis points is 18.8%.

  • Nvidia: No subpoena received from the US Department of Justice

    Nvidia (NVDA.O) stated that it has not received a subpoena from the US Department of Justice.

  • US SEC again postpones decision on environmentally friendly Bitcoin ETF listing application

    The US Securities and Exchange Commission (SEC) has once again postponed its final decision on the New York Stock Exchange (NYSE) Arca's application for a carbon offset Bitcoin ETF. According to a document dated September 4th, the decision has been extended to November 21st. The ETF aims to provide a Bitcoin investment exposure in an environmentally friendly way by offsetting carbon emissions, tracking an investment portfolio composed of 80% Bitcoin and 20% carbon credit futures. Tidal Investments submitted the fund registration application in December 2023, while NYSE Arca submitted the initial application in March. Concerns have been raised about the environmental impact of Bitcoin mining, with the International Monetary Fund (IMF) reporting that cryptocurrency mining accounts for 1% of global greenhouse gas emissions. The delay in this decision also includes the postponement of approval for the Nasdaq One-Stop Cryptocurrency Investment Portfolio ETF.

  • Coindesk ·

    Careers in Crypto: 5 Insights for 2024

    In an overwhelming job market, leaning into personal networks and connections are more important than ever. Emily Landon, CEO of The Crypto Recruiters, outlines what is happening in the crypto job market and how you can position yourself or your company in 2024.

    Careers in Crypto: 5 Insights for 2024

Daily Must-Read

Popular Activities

Delysium $AGI & AI Private Yacht Party

Delysium $AGI & AI Private Yacht Party

March 27 - March 27
Seoul

Popular Tags

Cointime
News
Contents
RSS
Company