
SoK: What don't we know? Understanding Security Vulnerabilities in SNARKs (2402.15293v4)

Published 23 Feb 2024 in cs.CR

Abstract: Zero-knowledge proofs (ZKPs) have evolved from being a theoretical concept providing privacy and verifiability to having practical, real-world implementations, with SNARKs (Succinct Non-Interactive Argument of Knowledge) emerging as one of the most significant innovations. Prior work has mainly focused on designing more efficient SNARK systems and providing security proofs for them. Many think of SNARKs as "just math," implying that what is proven to be correct and secure is correct in practice. In contrast, this paper focuses on assessing end-to-end security properties of real-life SNARK implementations. We start by building foundations with a system model and by establishing threat models and defining adversarial roles for systems that use SNARKs. Our study encompasses an extensive analysis of 141 actual vulnerabilities in SNARK implementations, providing a detailed taxonomy to aid developers and security researchers in understanding the security threats in systems employing SNARKs. Finally, we evaluate existing defense mechanisms and offer recommendations for enhancing the security of SNARK-based systems, paving the way for more robust and reliable implementations in the future.


Summary

  • The paper provides a structured model of SNARK systems by defining four layers and adversarial roles to assess security risks.
  • The paper analyzes 141 vulnerabilities in SNARK implementations, categorizing them into under-constrained, over-constrained, and computational errors.
  • The paper reviews current defense mechanisms and identifies gaps, recommending future research and enhanced verification methods.

Understanding Security Vulnerabilities in SNARKs: A Study

The paper, "SoK: What don’t we know? Understanding Security Vulnerabilities in SNARKs," presents a comprehensive analysis of vulnerabilities in Succinct Non-Interactive Argument of Knowledge (SNARK) systems. The research aims to build a foundation for understanding end-to-end security properties of SNARK implementations, which have become integral in various practical applications, from privacy-oriented digital assets to blockchain scalability solutions.

Key Contributions and Findings

The paper’s contributions include:

  1. System and Threat Models - The researchers provide a structured framework for reasoning about SNARK-based systems. They define four primary layers (Circuit, Frontend, Backend, and Integration) and delineate adversarial roles and potential impacts on these systems.
  2. Extensive Study of Vulnerabilities - The authors compiled and analyzed 141 vulnerabilities across SNARK implementations, sourced from audit reports, vulnerability disclosures, and bug trackers. This represents significant coverage of the SNARK landscape.
  3. Taxonomy of Vulnerabilities - The paper categorizes vulnerabilities into under-constrained circuits, over-constrained circuits, computational and hint errors, and further classes, providing a clear and organized way to understand potential pitfalls in SNARK systems.
  4. Defense Mechanisms Analysis - They review existing defense strategies and highlight gaps, suggesting potential improvements and future research directions.

Detailed Analysis

Circuit Layer Vulnerabilities

The Circuit Layer encompasses the logic and arithmetic constraints essential for SNARKs. This layer is particularly prone to vulnerabilities, which can manifest as:

  • Under-Constrained Issues - The most prevalent type, occurring when constraints do not fully cover the logic, allowing invalid proofs to be accepted.
  • Over-Constrained Issues - These are less frequent but problematic, leading to the rejection of valid witnesses.
  • Computational Errors - Erroneous computations that typically impact completeness but can also affect soundness.

Root causes often involve developers' unfamiliarity with the low-level programming models and the difficulty of translating logical statements into circuit constraints efficiently.
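The three circuit-layer classes above are easiest to see on a concrete constraint system. The following is an added example, not code from the paper or from any of the projects it studies: a toy R1CS checker over a small constructed prime field (P = 101; real SNARKs use roughly 255-bit primes) for a 2-to-1 multiplexer gadget, out = cond ? a : b. The gadget is built three ways, one per failure class, and a witness generator with an optional arithmetic bug stands in for the prover-side computation. All names and values in the block are assumptions chosen for illustration.

```python
"""Toy R1CS constraint checker (added example, not the paper's code).

Circuit under test, a 2-to-1 multiplexer:
    tmp = cond * (a - b)
    out = b + tmp
with `cond` required to be a bit so that out is exactly a or b.
"""
P = 101  # constructed toy prime; production SNARK fields are ~255-bit primes

# Witness layout: index 0 holds the constant 1, then a, b, cond, out, tmp.
ONE, A, B, COND, OUT, TMP = range(6)


def lc(w, terms):
    """Evaluate a linear combination {var_index: coeff} against witness w, mod P."""
    return sum(coeff * w[idx] for idx, coeff in terms.items()) % P


def satisfied(constraints, w):
    """An R1CS holds when every (A, B, C) triple satisfies lc(A) * lc(B) == lc(C)."""
    return all(lc(w, a) * lc(w, b) % P == lc(w, c) for a, b, c in constraints)


MUX = [
    ({COND: 1}, {A: 1, B: P - 1}, {TMP: 1}),  # tmp = cond * (a - b)
    ({B: 1, TMP: 1}, {ONE: 1}, {OUT: 1}),     # out = b + tmp
]
BOOLEAN_COND = ({COND: 1}, {COND: 1}, {COND: 1})  # cond * cond = cond  =>  cond in {0, 1}
BOOLEAN_OUT = ({OUT: 1}, {OUT: 1}, {OUT: 1})      # mistaken extra constraint on the output

CIRCUITS = {
    # Under-constrained: the boolean check on cond was forgotten, so any cond value passes.
    "under_constrained": MUX,
    "correct": MUX + [BOOLEAN_COND],
    # Over-constrained: wrongly forces out to be a bit, rejecting honest non-bit inputs.
    "over_constrained": MUX + [BOOLEAN_COND, BOOLEAN_OUT],
}


def gen_witness(a, b, cond, buggy=False):
    """Prover-side witness computation.  With buggy=True the sign in tmp is wrong,
    modelling a computational error: the constraints are fine, but honest proofs
    no longer satisfy them (a completeness failure)."""
    tmp = (cond * ((a + b) if buggy else (a - b))) % P
    out = (b + tmp) % P
    return [1, a % P, b % P, cond % P, out, tmp]


def check(circuit, a, b, cond, buggy=False):
    """Return (accepted, out) for the chosen circuit build and witness inputs."""
    w = gen_witness(a, b, cond, buggy)
    return satisfied(CIRCUITS[circuit], w), w[OUT]


if __name__ == "__main__":
    # Honest prover: cond=1 selects a.
    print(check("correct", 7, 9, 1))              # (True, 7)
    # cond=2 is outside {0,1}; out becomes a value that is neither a nor b.
    print(check("under_constrained", 7, 9, 2))    # (True, 5)  invalid witness accepted
    print(check("correct", 7, 9, 2))              # (False, 5) rejected once cond is a bit
    # The over-constrained build rejects an honest witness because out=7 is not a bit.
    print(check("over_constrained", 7, 9, 1))     # (False, 7)
    # Computational error: correct constraints, wrong witness arithmetic.
    print(check("correct", 7, 9, 1, buggy=True))  # (False, 25)
```

The point of the three builds is that all of them look like a multiplexer to someone reading the high-level code; only the constraint list decides which witnesses the verifier will accept. Static tools such as Circomspect flag the first pattern (a signal that participates in arithmetic but is never range- or boolean-constrained), while the other two only surface through testing against honest witnesses.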

Frontend and Backend Layer Vulnerabilities

Vulnerabilities in these layers generally stem from:

  • Incorrect Constraint Compilation - Flaws during the compilation of high-level languages to circuit constraints.
  • Witness Generation Errors - Issues during the assignment of values to witnesses, leading to either crashes or incorrect proof generation.
  • Unsafe Verifier Implementations - Vulnerabilities due to missing checks or incorrect logic in the verifier’s implementation.

These layers play a critical role in ensuring the robust functionality of SNARK systems, and vulnerabilities here can undermine even well-constructed circuits.

Integration Layer Vulnerabilities

The Integration Layer covers the external code that invokes the circuit and verifies its proofs, together with the logic linking the two. Vulnerabilities typically arise from:

  • Passing Unchecked Data - Failing to validate inputs adequately before they are processed by the circuits, leading to potential security breaches.
  • Proof Delegation Errors - Errors when delegating proof generation to potentially untrusted parties, which can lead to manipulated proofs.
  • Complementary Logic Vulnerabilities - Issues stemming from flawed implementations of logic that work alongside the core ZKPs, such as poor management of nullifiers in privacy-centric applications.

Defense Mechanisms and Future Research

The paper notes the promising but limited current state of defense mechanisms. Tools like Circomspect and Picus offer valuable static analysis and symbolic execution for detecting circuit-level vulnerabilities, but they are DSL-specific and sometimes limited in scope. The researchers suggest enhancements through more advanced testing, formal verification tools, and the development of robust multi-layer defenses, including more intuitive and error-resistant DSLs.

Implications and Significance

The paper underscores several critical points:

  • Complexity of SNARK Systems - The intricacy of SNARKs introduces unique challenges that necessitate specialized knowledge and tools for both developers and auditors.
  • Importance of Comprehensive Testing - Security validation must span all layers, from circuit design through to integration, to ensure holistic coverage of potential vulnerabilities.
  • Ongoing Research Needs - The evolving landscape of SNARK applications demands continuous advancement in defensive measures, emphasizing the need for more sophisticated and scalable security tools.

Conclusion

This work contributes significantly to the understanding of SNARK security, offering a detailed exploration of vulnerabilities and proposing a pathway toward more secure implementations. Its findings and recommendations serve as a crucial resource for researchers and practitioners aiming to fortify SNARK-based systems against emerging security challenges.
