PLONK Critical Vulnerability Successfully Remediated

News

We were notified by Trail of Bits, a whitehat cybersecurity firm, about
a critical vulnerability in our implementation of PLONK, the proving
system Dusk Network uses to create zero-knowledge proofs. The
vulnerability has been fully remediated in Dusk Network’s Testnet
DayBreak and no action is required by Dusk Network users. This post
provides details on the vulnerability, and how we fixed it.

Key Points

-   PLONK as a system remains secure; this was a vulnerability in our
   code implementation
-   The vulnerability was discovered in PLONK by Trail of Bits
-   The vulnerability has been fully remediated; no action is required
   for Dusk Network users
-   The vulnerability could be used to forge PLONK proofs, but its
   exploitation would not have impacted user privacy

Dusk Network is no longer affected but any developers or maintainers of
systems using PLONK should triage and check if they are affected. You
can find the patches we created in our GitHub.

Technical Explanation

The Research & Cryptography teams presented the following technical
explanation:

PLONK is, by nature, an interactive proof system between a prover and a
verifier. A prover proves they know some values satisfying certain
conditions. Typically, first the prover would commit to some
information. Then, the verifier would send some challenges to the prover
to check if they really know the secret information. Finally, the prover
would answer those challenges and, if the answers are satisfactory, the
verifier accepts the proof.

This is compiled into a non-interactive proof system via the Fiat-Shamir
transformation. The core idea is to use hash functions to simulate the
challenges sent by the verifier. The challenges now become a hash of
some previous information. Intuitively, the unpredictability of the hash
output ensures that the prover will follow the steps in the right order,
as if the proofs were interactive.

“The problem arises from not including the public inputs in the hash
computation. This opens the possibility of an attack: a malicious prover
can produce a forged proof and then tune the public inputs to get the
proof accepted when it should be rejected. Now, this is prevented by
hashing the public inputs at the beginning of the proof,” said Marta
Bellés Muñoz, Researcher & Cryptographer at Dusk Network.

The Fix

Once Trail of Bits notified us, the team immediately worked on a patch.
The patch makes sure that the implementation of the Fiat-Shamir
transformation is now secure by hashing the public inputs at the
beginning of the proof.
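The following is an added example, not code from Dusk Network or from the dusk-plonk crate, that models the Fiat-Shamir transcript pattern described above and the fix. It uses SHA-256 as a stand-in for the real transcript hash, and the names (`Transcript`, the "beta" challenge, "wire commitments") and the sample commitment and public-input values are constructed for illustration only. The two `derive_beta_*` functions show the same challenge derivation with and without the public inputs absorbed first; `challenge_binds_public_inputs` is the kind of unit-style triage check a maintainer can run against their own challenge derivation to see whether the first verifier challenge actually depends on the public inputs.

```python
import hashlib
from typing import Callable, List


class Transcript:
    """Minimal Fiat-Shamir transcript (constructed for this example).

    Every absorbed message is written with a label and a length prefix so
    that the hash input is unambiguous, and every challenge is derived
    from the whole running transcript up to that point.
    """

    def __init__(self, domain: bytes) -> None:
        self._state = hashlib.sha256()
        self._absorb_raw(b"domain", domain)

    def _absorb_raw(self, label: bytes, data: bytes) -> None:
        # len(label) || label || len(data) || data
        self._state.update(len(label).to_bytes(4, "big") + label)
        self._state.update(len(data).to_bytes(4, "big") + data)

    def absorb(self, label: str, data: bytes) -> None:
        self._absorb_raw(label.encode(), data)

    def challenge(self, label: str) -> int:
        """Squeeze a challenge: a hash of everything absorbed so far."""
        fork = self._state.copy()
        fork.update(b"challenge:" + label.encode())
        c = int.from_bytes(fork.digest(), "big")
        # Feed the challenge back so later challenges depend on it too
        self._absorb_raw(b"challenge:" + label.encode(), c.to_bytes(32, "big"))
        return c


# Constructed stand-ins for the prover's first-round wire commitments.
SAMPLE_COMMITMENTS: List[bytes] = [
    hashlib.sha256(b"toy wire commitment " + bytes([i])).digest() for i in range(3)
]


def derive_beta_unbound(commitments: List[bytes], public_inputs: List[int]) -> int:
    """Vulnerable pattern: the public inputs are never absorbed, so the
    challenge is the same whatever public inputs the verifier is given."""
    t = Transcript(b"plonk-toy-v1")
    for i, c in enumerate(commitments):
        t.absorb(f"wire_commitment_{i}", c)
    return t.challenge("beta")


def derive_beta_bound(commitments: List[bytes], public_inputs: List[int]) -> int:
    """Fixed pattern: the public inputs are absorbed at the beginning of the
    transcript, before any commitment, so every challenge depends on them."""
    t = Transcript(b"plonk-toy-v1")
    for i, x in enumerate(public_inputs):
        t.absorb(f"public_input_{i}", x.to_bytes(32, "big"))
    for i, c in enumerate(commitments):
        t.absorb(f"wire_commitment_{i}", c)
    return t.challenge("beta")


def challenge_binds_public_inputs(
    derive: Callable[[List[bytes], List[int]], int],
    commitments: List[bytes] = SAMPLE_COMMITMENTS,
) -> bool:
    """Triage check: with the commitments held fixed, does changing one
    public input change the first challenge? False means the transcript
    does not bind the public inputs (the pattern Trail of Bits reported)."""
    base = [7, 11, 13]
    tweaked = [7, 11, 14]
    return derive(commitments, base) != derive(commitments, tweaked)


if __name__ == "__main__":
    for name, fn in (("unbound", derive_beta_unbound), ("bound", derive_beta_bound)):
        verdict = "binds" if challenge_binds_public_inputs(fn) else "does NOT bind"
        print(f"{name:>7}: first challenge {verdict} the public inputs")
```

In the unbound variant both calls of the triage check yield the same `beta`, which is exactly the degree of freedom the quoted explanation describes: the public inputs can be altered after the challenges are fixed without the transcript noticing. Absorbing them first, as the patch does, makes that impossible because every subsequent challenge is a function of them.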

What Is Affected?

While DayBreak, Dusk Network’s Testnet, is no longer affected, any
project that depends on an old version of PLONK is vulnerable.

Third-Party Disclosure

Trail of Bits led the coordinated disclosure by disclosing the issues to
affected vendors. We do not have an exhaustive list of all systems
affected by this vulnerability, so we encourage all users, developers
and maintainers of systems using PLONK to take the time to triage this
issue and check if they are affected.

Future

Auditing and security analysis are essential for our Testnet. In the
next phase, the Incentivized Testnet, we intend to make grants available
for this.

We thank Trail of Bits again for their audit and detection of the
vulnerability.