fix: bind public inputs to Fiat-Shamir transcript#5
Open
jiayaoqijia wants to merge 1 commit intoleanEthereum:mainfrom
Open
fix: bind public inputs to Fiat-Shamir transcript#5jiayaoqijia wants to merge 1 commit intoleanEthereum:mainfrom
jiayaoqijia wants to merge 1 commit intoleanEthereum:mainfrom
Conversation
ProverState::new() creates a fresh challenger without absorbing any public inputs into the sponge state. This means the Fiat-Shamir transcript is not bound to the statement being proved: an adversary can reuse a valid proof for statement S1 as a "proof" for a different statement S2 that shares the same witness structure, since the challenge generation is identical for both. Modify new() to accept a public_inputs slice and absorb it into the challenger via add_base_scalars() before any proof generation begins. This ensures all challenges are derived from a transcript that includes the public statement, preventing cross-statement proof reuse. BREAKING CHANGE: ProverState::new() now requires a second argument `public_inputs: &[PF<EF>]`. Callers with no public inputs can pass `&[]` to preserve the previous behavior. Severity: HIGH (F-03)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Severity: HIGH (F-03)
ProverState::new()insrc/prover.rs:27-35creates a fresh DuplexChallenger without absorbing any public inputs into the sponge state. This means the Fiat-Shamir transcript is not bound to the statement being proved.An adversary can exploit this by reusing a valid proof for statement S1 as a "proof" for a different statement S2, since the challenge derivation is identical when the same witness structure is used. This breaks the soundness of any protocol built on top of this Fiat-Shamir implementation.
Fix
Modify
ProverState::new()to accept apublic_inputs: &[PF<EF>]parameter and absorb it into the challenger viaadd_base_scalars()before any proof generation begins:BREAKING CHANGE:
ProverState::new()now requires a second argument. Callers with no public inputs can pass&[]to preserve the previous behavior. The test intests/grinding.rshas been updated accordingly.Test plan
&[]for no public inputsleanMultisig/crates/utils/src/wrappers.rs,leanMultisig/crates/whir/tests/run_whir.rs) to pass appropriate public inputsFound during security audit of leanEthereum repositories.