Weak Fiat-Shamir vulnerability

From WEB3 Vulnerapedia

The Fiat-Shamir heuristic is a cryptographic technique used to transform an interactive zero-knowledge proof into a non-interactive one[1].

Zero-knowledge proving systems are built on challenges sent from the Verifier to the Prover. If the Prover answers correctly in every round, the Verifier accepts the proof. Each challenge must be unpredictable to the Prover, so the Verifier needs randomness. In practice, however, most proving systems run non-interactively, with all rounds sent at once. To achieve this, the Prover derives each challenge from a hash of all the data exchanged so far (the statement, the public inputs and every previous message), and that hash stands in for the Verifier's randomness.

The vulnerability arises if the hash covers the data only partially, for example when the statement, a public input or an earlier commitment is left out. Anything omitted from the hash is not bound by the challenge, so a malicious Prover can choose it after the challenge is known and still satisfy the verification equations. The system is then not sound, and the Prover can game the Verifier. A developer can easily miss this in a complex multi-round system, because honest proofs still verify and nothing fails in ordinary testing.
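As an added illustration (not from the original page), here is a toy Chaum-Pedersen proof that two elements share a discrete log, made non-interactive with Fiat-Shamir. The verifier that hashes the whole statement is placed next to a weak variant that leaves the element v out of the hash; the group parameters, the function names and the forgery routine are constructed for this example only.

```python
# Toy Chaum-Pedersen "log_g(h) == log_u(v)" proof under Fiat-Shamir.
import hashlib
import secrets

# Toy safe-prime group, constructed for illustration only: p = 2q + 1,
# g = 4 generates the order-q subgroup. Real deployments use far larger groups.
P, Q, G = 10007, 5003, 4


def fs_challenge(h, u, v, a, b, weak=False):
    """Fiat-Shamir challenge. The weak variant omits v, so v is not bound."""
    elems = (G, h, u, a, b) if weak else (G, h, u, v, a, b)
    data = b"".join(e.to_bytes(4, "big") for e in elems)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove(x, h, u, v, weak=False):
    """Honest prover: knows x with h = g^x and v = u^x."""
    r = secrets.randbelow(Q)
    a, b = pow(G, r, P), pow(u, r, P)
    c = fs_challenge(h, u, v, a, b, weak)
    return a, b, (r + c * x) % Q


def verify(h, u, v, proof, weak=False):
    """Accept iff g^z = a*h^c and u^z = b*v^c for the recomputed challenge c."""
    a, b, z = proof
    c = fs_challenge(h, u, v, a, b, weak)
    return (pow(G, z, P) == a * pow(h, c, P) % P
            and pow(u, z, P) == b * pow(v, c, P) % P)


def forge_for_weak_verifier(x, h, u):
    """Shows the soundness gap: because v is not hashed, a prover can fix
    (a, b, z) first and then solve for a v with v != u^x that still verifies."""
    while True:
        r = secrets.randbelow(Q)
        a, b = pow(G, r, P), pow(G, secrets.randbelow(Q), P)
        c = fs_challenge(h, u, None, a, b, weak=True)  # v plays no role here
        if c != 0 and b != pow(u, r, P):  # c invertible; b is not the honest u^r
            break
    z = (r + c * x) % Q
    # The verifier needs u^z == b * v^c, so set v = (u^z / b)^(1/c) in the subgroup.
    v = pow(pow(u, z, P) * pow(b, -1, P) % P, pow(c, -1, Q), P)
    return v, (a, b, z)
```

The honest proof passes both verifiers, which is why the omission goes unnoticed; only the verifier that hashes v rejects the forged one.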

Read more in the Trail of Bits article on the Frozen Heart vulnerability in PlonK: https://blog.trailofbits.com/2022/04/18/the-frozen-heart-vulnerability-in-plonk/