Cointime

Download App
iOS & Android

ZKP Series: Principles and Implementation of Extensibility Attacks on Groth16 Proofs

Preface

In our previous article, we reviewed the technical features of mainstream ZKP implementation solutions and mentioned the potential extensibility risks associated with certain ZKP algorithms. In this article, we will continue to demonstrate the attack principles and defense methods from a practical perspective.

Vulnerability Overview

Extensibility attacks on ZKP refer to the ability of an adversary to generate a new valid proof without knowledge of the witness, given an existing valid proof.

Not all proof systems are susceptible to extensibility attacks. In fact, this problem currently exists mainly in the Groth16 proof system. So why do we still insist on using Groth16, given that there are so many other proof systems available? The truth is that the proofs generated by Groth16 are extremely small in size and very fast to verify. In the context of blockchain, where computational costs are high, using Groth16 seems to be the most ideal choice.

What risks does extensibility vulnerability bring? Let’s imagine a deposit system that uses ZKP proofs submitted by users to verify their identity. Once verified, users can make withdrawals. Since the verification process of this system is public, anyone can obtain the proof. If the proof value itself is used as a withdrawal record and the proof is obtained and transformed, it can be used for multiple withdrawals. The exploitation of this vulnerability depends on the specific scenario, but we can see that extensibility vulnerability primarily brings the risk of double-spending.

Mathematical Principles

To understand the attack principles, we first need to understand the algorithm, which requires some knowledge of cryptography. Interested readers can find information on the Groth16 algorithm on their own. Here, we will focus on the root cause of the vulnerability: the verification function.

Let’s take a look at the formula for the verification function:

Without going into a detailed explanation of each individual variable, it may be difficult to fully comprehend the formula’s meaning. However, an extensive introduction is not necessarily required. By simply remembering the “A * B” on the left side of the formula, we can begin to unravel its intricacies and apply mathematical magic. The following incantation is all it takes:

This is just one of the simpler construction methods, and there is another construction method, which we will not elaborate on here, as we have already gathered what we needed.

Implementation

With the above formula, we can execute the extension of Groth16 proofs in implementation. To forge a proof for a target object, we can obtain its proof, for example:

{  pi_a: [    '17566212007750634279332191898019870443899908963707812937725971557556988121113',    '13653824972036797689593667463260040326059024360787769597142078414930263663703',    '1'  ],  pi_b: [    [      '14906111038352923510344648516413952434168552622848767570599399834157918236589',      '15289017543994496306320102143103349779456992442925111629326024552687168229256'    ],    [      '18841235948006283310515755114762069779103481848435391875780416574913227842443',      '6835281862874020275059416795628130939104366467185014410026268177455413514889'    ],    [ '1', '0' ]  ],  pi_c: [    '21641806348662631815866837255154640732047306895903168385641666607914783128458',    '2082587994352117459125871298218148663854896572836176277773049196516560449682',    '1'  ],  protocol: 'groth16',  curve: 'bn128'}

Let’s take a look at a proof like this: pi_a, pi_b, pi_c are the A, B, C described in the formula above. This proof uses the BN128 curve, so we need to find a development library that supports the BN128 curve. Here, we choose ffjavascript, which is a finite field library based on JavaScript that supports the BN128 and BLS12381 curves.

First, we arbitrarily construct an element on the field and its inverse element:

const X = F.e("123456");const invX = F.inv(X);

Then, we multiply them together separately. The core code is as follows:

const A = curve.G1.fromObject(proof.pi_a);const B = curve.G2.fromObect(proof.pi_b);new_pi_a = curve.G1.timesScalar(A, X);  //A'=x*Anew_pi_b = curve.G2.timesScalar(B, invX);  //B'=x^{-1}*B

Finally, we replace the original proof with new_pi_a and new_pi_b to obtain a new proof:

{  pi_a: [    '6515337738552169645617263495374285821912767490069335826295120714428977813009',    '10671874016637483602721966808912960491553808325993800847672325376634242358838',    '1'  ],  pi_b: [    [      '20523135654483520737281403147507843211011765855706506084021355785019229409285',      '4032527486736971273144842057682931136787425732029780739716144011227563817375'    ],    [      '9389285843105460816015935120908213706233585149018458753845466963847282799614',      '7207137211649923819130654483456848273137049778520784010268635580504303221849'    ],    [ '1', '0' ]  ],  pi_c: [    '21641806348662631815866837255154640732047306895903168385641666607914783128458',    '2082587994352117459125871298218148663854896572836176277773049196516560449682',    '1'  ],  protocol: 'groth16',  curve: 'bn128'}

By this point, we have successfully constructed a new proof. When we place this proof into the verification function, we can see that it can pass the verification.

Prevention

How can we prevent Groth16 extensibility attacks? Here are four methods:

  1. Sign the proof, and have the verifier validate the signature along with the proof.
  2. Add nullifier values in the public inputs of the circuit, as TornadoCash does, to ensure that a proof can only correspond to a public input once.
  3. Add the identity information of the prover (such as Ethereum’s msg.sender) to the public inputs of the circuit, allowing the verifier to verify the prover’s identity.
  4. Use other proof systems, as discussed in our previous article.

Conclusion

In conclusion, Groth16 is vulnerable to extensibility attacks, as new proofs can be forged through simple calculations. In practice, it is important to take measures to prevent double-spending attacks.

Comments

All Comments

Recommended for you

  • Robinhood Chief Legal Officer Dan Gallagher Says He Won't Become SEC Chairman

    According to market news, Dan Gallagher, the Chief Legal Officer of Robinhood, stated that he would not serve as the Chairman of the US Securities and Exchange Commission.

  • Cosine: After a user used GPT to write a bot with a backdoor code, the private key was sent to a phishing website

    SlowMist Yu Xian stated in a post on the X platform that a user used GPT to write a bot with code and sent the private key to a phishing website. The reason why the private key was stolen was because it was directly sent to the phishing website in the HTTP request body. Yu Xian reminded that when using LLM such as GPT/Claude, one must pay attention to the common fraudulent behavior of these LLM. It was previously mentioned that AI poisoning attacks were carried out, and now this is a real attack case targeting the crypto industry.

  • U.S. Supreme Court rejects Facebook's attempt to avoid shareholder securities fraud lawsuit

     US Supreme Court rejected Facebook's attempt to avoid shareholder securities fraud lawsuits under the META umbrella.

  • The final value of the US one-year inflation rate in November is expected to be 2.6%, the expected value is 2.7%, and the previous value is 2.60%

     the expected final value of the US one-year inflation rate in November is 2.6%, with an expected value of 2.7% and a previous value of 2.60%. The expected final value of the US five-to-ten-year inflation rate in November is 3.2%, with an expected value of 3.1% and a previous value of 3.10%.

  • Polymarket Blocks French Users Amid Government Investigation into Gambling Law Compliance

    Polymarket has blocked users from France following reports of an investigation by the country's gaming authority for compliance with gambling laws. The ban was not stated in Polymarket's terms of service, but French users attempting to access the website using a VPN from a French server were met with a digital blockade. The ANJ, France's national gaming authority, began investigating Polymarket after a French trader placed large bets on Donald Trump winning the 2024 US Presidential election.

  • U.S. stocks open, most crypto stocks open lower

     the US stock market opened with the Dow Jones up 0.19%, the S&P 500 up 0.05%, and the Nasdaq up 0.01%. Most cryptocurrency stocks opened lower, with Coinbase (COIN.O) down 0.06%, MicroStrategy (MSTR.O) up 0.4%, and Riot Platforms (RIOT.O) down 2.6%. Previously, Bitcoin had risen above $99,000 before falling back.

  • Amazon to invest an additional $4 billion in Anthropic, OpenAI's rival

     Amazon is deepening its cooperation with Anthropic and will add an additional $4 billion investment to the company. In September of this year, Anthropic, an artificial intelligence startup, was seeking a new round of financing with a valuation of up to $40 billion. Anthropic was founded by former OpenAI executives in 2021 and focuses on creating interpretable, secure, and controllable artificial intelligence systems. The company's flagship AI model, Claude, operates based on "Constitutional AI," which uses predefined principles to guide its output, avoiding some erroneous or discriminatory output reactions.

  • Family Offices Evolve into Powerful Investment Entities with Innovative Strategies and Advanced Technologies

    Family offices, which traditionally focused on conservative investment strategies, have transformed into powerful investment entities with a focus on alternative investments, private equity, co-investments, venture capital, and impact investing. This shift has been driven by innovative financial solutions and modern investment strategies, responding to technological advancements and an evolving global financial landscape. Family offices are taking a more active role in direct investments and co-investments, particularly in high-growth companies and startups, enhancing their control and flexibility. They are also diversifying further into private markets and real assets due to geopolitical and macroeconomic uncertainties, while embracing innovative financing solutions and cutting-edge risk management techniques. Additionally, family offices are implementing AI technologies to improve their decision-making processes, particularly in investment analysis, reflecting their commitment to innovation and strategic planning.

  • The Evolution of Family Offices: Embracing Innovative Investment Strategies and Technology

    Family offices have shifted from conservative investment strategies to more active roles in direct investments and co-investments, thanks to innovative financial solutions and modern investment strategies. They are now leaders in alternative investments, private equity, co-investments, venture capital, and impact investing, leveraging their capital through non-recourse and limited-recourse financing to expand their investments across sectors and regions. Family offices are also adopting sophisticated risk management strategies, diversifying further into private markets and real assets, and integrating advanced technologies such as AI-driven platforms to enhance decision-making processes. A family office in the UAE, International Venture Investments Holding, takes an active investment approach, emphasizing operational autonomy and forming dedicated management teams for specific projects. The UBS Global Family Office Report 2024 shows that 78% of family offices plan to invest in generative artificial intelligence in the next two to three years.

  • XEX officially launched the Slerf/USDT perpetual contract at 19:00 (UTC+8) on November 22

    On November 22nd, XEX officially launched the Slerf/USDT perpetual contract at 19:00 (UTC+8).