We were notified by Trail of Bits, a whitehat cybersecurity firm, about a critical vulnerability in our implementation of PLONK, the proving system Dusk Network uses to create zero-knowledge proofs. The vulnerability has been fully remediated in Dusk Network’s Testnet DayBreak, and no action is required by Dusk Network users. This post provides details on the vulnerability and how we fixed it.
- PLONK as a system remains secure; this was a vulnerability in our code implementation
- The vulnerability was discovered in our PLONK implementation by Trail of Bits
- The vulnerability has been fully remediated; no action is required for Dusk Network users
- The vulnerability could be used to forge PLONK proofs, but its exploitation would not have impacted user privacy
Dusk Network is no longer affected, but any developers or maintainers of systems using PLONK should triage and check if they are affected. You can find the patches we created on our GitHub.
The Research & Cryptography teams presented the following technical explanation:
PLONK is, by nature, an interactive proof system between a prover and a verifier. A prover proves they know some values satisfying certain conditions. Typically, first the prover would commit to some information. Then, the verifier would send some challenges to the prover to check if they really know the secret information. Finally, the prover would answer those challenges and, if the answers are satisfactory, the verifier accepts the proof.
This is compiled into a non-interactive proof system via the Fiat-Shamir transformation. The core idea is to use hash functions to simulate the challenges sent by the verifier. The challenges now become a hash of some previous information. Intuitively, the unpredictability of the hash output ensures that the prover will follow the steps in the right order, as if the proofs were interactive.
“The problem arises from not including the public inputs in the hash computation. This opens the possibility of an attack: a malicious prover can produce a forged proof and then tune the public inputs to get the proof accepted when it should be rejected. Now, this is prevented by hashing the public inputs at the beginning of the proof,” said Marta Bellés Muñoz, Researcher & Cryptographer at Dusk Network.
Once Trail of Bits notified us, the team immediately worked on a patch. The patch makes sure that the implementation of the Fiat-Shamir transformation is now secure by hashing the public inputs at the beginning of the proof.
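As an added illustration of the mechanism described above (constructed for this post, not Dusk Network's PLONK code), the Python below builds a toy Fiat-Shamir transcript: the prover's commitments are absorbed round by round and each challenge is squeezed as a hash of everything absorbed so far. The `Transcript`, `derive_challenges` and `ROUNDS` names, the SHA-256 chaining and the round labels are assumptions made for the example and do not mirror the real implementation. The `bind_public_inputs` flag switches between the old behaviour (challenges derived from commitments only) and the fixed behaviour (public inputs absorbed before the first challenge).

```python
"""Toy Fiat-Shamir transcript showing why public inputs must be hashed.

Constructed example, not Dusk Network's PLONK code. A Transcript absorbs
labelled bytes and squeezes challenges with SHA-256. The "old" behaviour
derives every challenge from the prover's commitments alone; the "fixed"
behaviour absorbs the public inputs before the first challenge, so every
challenge is bound to them.
"""
import hashlib
from typing import Dict, Sequence, Tuple

# Hypothetical PLONK-style rounds: in each round the prover sends a
# commitment and the "verifier" (here: the hash) answers with a challenge.
ROUNDS = (b"wire commitments", b"permutation commitment", b"quotient commitment")


class Transcript:
    """Minimal Fiat-Shamir transcript: a running SHA-256 chain over
    length-prefixed, labelled messages."""

    def __init__(self, domain: bytes) -> None:
        self._state = hashlib.sha256(b"fs-transcript:" + domain).digest()

    def absorb(self, label: bytes, data: bytes) -> None:
        # Length-prefixing prevents two different (label, data) pairs from
        # producing the same byte string.
        msg = (self._state
               + len(label).to_bytes(4, "big") + label
               + len(data).to_bytes(4, "big") + data)
        self._state = hashlib.sha256(msg).digest()

    def squeeze(self, label: bytes) -> int:
        # A challenge is a hash of everything absorbed so far. Absorbing the
        # label also advances the state so later challenges differ.
        self.absorb(b"challenge:" + label, b"")
        return int.from_bytes(self._state, "big")


def derive_challenges(public_inputs: Sequence[int],
                      commitments: Sequence[Tuple[bytes, bytes]],
                      bind_public_inputs: bool) -> Dict[bytes, int]:
    """Replay the transcript and return the per-round challenges.
    bind_public_inputs=False models the vulnerable behaviour, True models
    the fix (public inputs absorbed before any challenge is squeezed)."""
    t = Transcript(b"toy-plonk")
    if bind_public_inputs:
        for i, pi in enumerate(public_inputs):
            t.absorb(b"public input %d" % i, pi.to_bytes(32, "big"))
    challenges: Dict[bytes, int] = {}
    for label, commitment in commitments:
        t.absorb(label, commitment)
        challenges[label] = t.squeeze(label)
    return challenges


def challenges_depend_on_public_inputs(bind_public_inputs: bool) -> bool:
    """Keep the prover's commitments fixed and change only the public
    inputs; report whether any challenge changes."""
    # Constructed commitments standing in for polynomial commitments.
    commitments = [(label, bytes([i + 1]) * 32) for i, label in enumerate(ROUNDS)]
    honest = derive_challenges([7, 11], commitments, bind_public_inputs)
    altered = derive_challenges([7, 12], commitments, bind_public_inputs)
    return honest != altered


def verifier_agrees_with_prover(public_inputs: Sequence[int],
                                bind_public_inputs: bool) -> bool:
    """The verifier must recompute exactly the prover's challenges from the
    public inputs plus the commitments carried in the proof."""
    commitments = [(label, hashlib.sha256(label).digest()) for label in ROUNDS]
    prover = derive_challenges(public_inputs, commitments, bind_public_inputs)
    verifier = derive_challenges(public_inputs, commitments, bind_public_inputs)
    return prover == verifier


if __name__ == "__main__":
    print("old transcript, challenges change with public inputs:",
          challenges_depend_on_public_inputs(False))   # False: not bound
    print("fixed transcript, challenges change with public inputs:",
          challenges_depend_on_public_inputs(True))    # True: bound
```

With `bind_public_inputs=False` the challenges are identical whatever the public inputs are, which is the gap the quote above describes: nothing in the transcript ties the prover's commitments to the statement being proved. With the fix, every challenge depends on the public inputs, so the verifier's recomputed challenges only match a proof that was built for those exact inputs.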
What Is Affected?
While DayBreak, Dusk Network’s Testnet, is no longer affected, any project that depends on an old version of PLONK is vulnerable.
Trail of Bits led the coordinated disclosure by disclosing the issues to affected vendors. We do not have an exhaustive list of all systems affected by this vulnerability, so we encourage all users, developers and maintainers of systems using PLONK to take the time to triage this issue and check if they are affected.
Auditing and security analysis are essential for our Testnet. In the next phase, the Incentivized Testnet, we intend to make grants available for this.
We thank Trail of Bits again for their audit and detection of the vulnerability.
You can read their full statement here: https://blog.trailofbits.com/2...