CryptoDB
Nikesh Nazareth
Publications and invited talks
    Year
  
  
    Venue
  
  
    Title
  
    2025
  
  
    RWC
  
  
    Exploiting Vulnerable Implementations of ZK-based Cryptographic Schemes Used in the Ethereum Ecosystem
            
      Abstract    
    
The Fiat-Shamir transform is a well-known and widely employed technique for converting sound public-coin interactive protocols into sound non-interactive protocols. Even though the transformation itself is relatively clear and simple, some implementations choose to deviate from the specifications, for example for performance reasons. In this work, we present a vulnerability arising from such a deviation in a KZG-based PLONK verifier implementation. This deviation stemmed from the incorrect computation of the last challenge of the PLONK protocol, where the KZG batching proof challenge was computed before, and, hence, independently from the KZG evaluation proofs. More generally, such a vulnerability may affect any KZG implementation where one uses batched KZG proof evaluations for at least two distinct evaluation points. We call an attack enabled by such a deviation a Last Challenge Attack. For concreteness, we show that when a PLONK verifier implementation presents such a deviation, a malicious PLONK prover can mount a Last Challenge Attack to construct verifiable proofs of false statements. The described vulnerability was initially discovered as part of an audit, and has been responsibly disclosed to the developers and fixed. A proof of concept of the vulnerability, in which a proof is forged for an arbitrary public input, was made available.
Apart from the above attack, the talk will also describe other implementation vulnerabilities discovered while performing audits for ZK-based cryptographic systems used within the Ethereum ecosystem.
  Coauthors
- Oana Ciobotaru (1)
- Nikesh Nazareth (1)
- Maxim Peter (1)
- Vesselin Velichkov (1)
- Sam Wong (1)
