SlideShare ist ein Scribd-Unternehmen logo

zkStudyClub: Zero-Knowledge Proofs Security, in Practice [JP Aumasson, Taurus]

A
Alex Pruden

Slides accompanying zkStudyClub talk: Zero-Knowledge Proofs Security, in Practice. JP Aumasson (co-creator of the BLAKE hash function family) will share his experience doing security auditing for various projects that use zero-knowledge proofs. He will describe his approach, the common pitfalls in the different components of a proof system, as well as a catalog of bugs that have been discovered in various projects

Technologie
1 von 37
Downloaden Sie, um offline zu lesen
Zero-knowledge proofs security, in practice JP Aumasson @veorq CSO @ taurushq.com
NIZK arguments security, in practice JP Aumasson @veorq CSO @ taurushq.com
This talk Focus on zkSNARKs, a class of NIZK arguments Fully succinct = O(1) proof size and O(circuit size) veri fi cation time Based on my experience looking for bugs in systems using Groth16, used in Zcash, Filecoin, and many others Marlin, a universal zkSNARK, used in Aleo Most of the content applies to other systems (Plonk, SONIC, etc.) and STARKs 3
Why study zkSNARKs security? For blockchain projects: A major risk: Complexity + Novelty => Non-trivial bugs A lot at stake ($$$ and user data/privacy) 4
Why study zkSNARKs security? For blockchain projects: A major risk: Complexity + Novelty => Non-trivial bugs A lot at stake ($$$ and user data/privacy) As a cryptographer: The most interesting crypto today: Solving real-world problems and deployed at scale (good papers + good code!) Intricate constructions with non-trivial components “Simple but complex" (non-interactive, many moving parts) “Multidimensional" way to reason about security 5
What is zkSNARKs security? Soundness, often the highest risk in practice: Invalid proofs should always be rejected Forging, altering, replaying valid proofs should be impossible 6
What is zkSNARKs security? Soundness, often the highest risk in practice: Invalid proofs should always be rejected Forging, altering, replaying valid proofs should be impossible Zero-knowledge: Proofs should not leak witness information (private variables) In practice succinct proofs of large programs can leak only little data 7
What is zkSNARKs security? Soundness, often the highest risk in practice: Invalid proofs should always be rejected Forging, altering, replaying valid proofs should be impossible Zero-knowledge: Proofs should not leak witness information (private variables) In practice succinct proofs of large programs can leak only little data Completeness, often a DoS/usability risk that may be further exploited: Valid proofs should always be accepted All programs/circuits supported should be correctly processed 8
Bug hunting challenges Practical zkSNARKs are recent, thus auditors often have Limited experience auditing ZKPs Limited knowledge of the theory, of implementations’ tricks Limited “checklist" of bugs and bug classes Limited tooling and methodology Most bugs found internally or by teams of similar projects 9
New crypto, new approach More collaboration with the devs/designers (joint review sessions, Q&As, etc.) More threat analysis, to understand the application’s unique/novel risks Practical experience: writing PoCs, circuits, proof systems, etc. Learn previous failures, for example from… Public disclosures and exploits Other audit reports Issue trackers / PRs Community 10
General work fl ow, and failure examples 11 Computation Circuit de fi nition Arithmetization Non-interactive proof Integration
General work fl ow, and failure examples 12 Computation Circuit de fi nition Arithmetization Non-interactive proof Integration The program’s logic is not secure The circuit is not equivalent to the program The CS fails to enforce an operation a constraint Bad choice of internal commitment schemes wrt hiding or binding properties The application allows replays of previous proofs
How to break zkSNARKs security? (1/2) Break soundness, for example by exploiting Constraint system not effectively enforcing certain constraints Insecure generation or protection of proving keys 13
How to break zkSNARKs security? (1/2) Break soundness, for example by exploiting Constraint system not effectively enforcing certain constraints Insecure generation or protection of proving keys Break zero-knowledge, for example by exploiting Private data treated as public variables Protocol-level “metadata attacks” 14
How to break zkSNARKs security? (1/2) Break soundness, for example by exploiting Constraint system not effectively enforcing certain constraints Insecure generation or protection of proving keys Break zero-knowledge, for example by exploiting Private data treated as public variables Protocol-level “metadata attacks” Break completeness, for example by exploiting Incorrect R1CS synthesis behaviour on edge cases (e.g. wrt number of private vars) Gadget composition failure caused by type mismatch between gadget i/o values 15
How to break zkSNARKs security? (2/2) Break (off-chain) software, via any bug leading to Leakage of data, including via side channels, encodings (“ZK execution”) Any form in insecure state (code execution, DoS) Compromise the supply-chain, via Trusted setup's code and execution Build and release process integrity Software dependencies 16
How to break zkSNARKs security? (2/2) Break (off-chain) software, via any bug leading to Leakage of data, including via side channels, encodings (“ZK execution”) Any form in insecure state (code execution, DoS) Compromise the supply-chain, via Trusted setup's code and execution Build and release process integrity Software dependencies Break (on-chain) software (incl. veri fi er) via smart contract bugs, logic fl aws, etc. 17
Multiple layers 18 A failure in a lower layer can jeopardise the security of all upper layers Platform: language, runtime, OS, hardware, dependencies Prover/veri fi er Application 😈 Adversarial input 😈 🥴 Protocol input 🥴 😐 Con fi g 😐 Field arithmetic, elliptic curves group operations Arithmetization / constraints generation 
 from fi xed or user-de fi ned circuit
Multiple layers 19 A failure in a lower layer can jeopardise the security of all upper layers Platform: language, runtime, OS, hardware, dependencies Prover/veri fi er Application 😈 Adversarial input 😈 🥴 Protocol input 🥴 😐 Con fi g 😐 Zero-knowledge greater risks Completeness and 
 Soundness greater risks Field arithmetic, elliptic curves group operations Arithmetization / constraints generation 
 from fi xed or user-de fi ned circuit
Multiple layers 20 Field arithmetic, elliptic curves group operations A failure in a subcomponent can jeopardise the security of all upper layers Platform: language, runtime, OS, hardware, dependencies Arithmetization / constraints generation 
 from fi xed or user-de fi ned circuit Prover/veri fi er Application 😈 Adversarial input 😈 🥴 Protocol input 🥴 😐 Con fi g 😐 Hashing, PRF,Algebraic commitment, Randomness, Merkle trees, … Fiat-Shamir, Polynomial commitments, Hash-to-curve, linear algebra, … Key/nonce management,Testing Interface, Side channels, Replays Fast operations, multi-exp, … R1CS,AIR, polynomials, … RNG, … ..
Multiple layers 21 Security 101: Input validation must be de fi ned, implemented, and tested Prover/veri fi er Elliptic curves, Pairings, Hash functions, PRF,Algebraic commitment Randomness, Merkle trees Linear algebra, Multi-exp. Polynomial commitments, Fiat-Shamir transforms, etc. etc. Application Key management,Testing Interface, Side channels 😈 Adversarial input 😈 🥴 Protocol input 🥴 😐 Con fi g 😐 Contracts between components must be de fi ned to prevent insecure composition Example: which component is responsible 
 for group membership checks?
22
Soundness – Field arithmetic Root cause: Missing over fl ow check (of a nulli fi er ~ unique ID of a shielded payment) https://github.com/appliedzkp/semaphore/issues/16 23
Soundness – Field arithmetic Missing over fl ow check (of a public input) https://github.com/eea-oasis/baseline/issues/34 24
Soundness – Field arithmetic Missing over fl ow check (of a public input) https://github.com/appliedzkp/semaphore/pull/96/ 25
Soundness – R1CS Field element inverse property not enforced by the constraint system https://github.com/arkworks-rs/r1cs-std/pull/70 26
Soundness – Hash validation Coding error, allowing to fake the witness’ Merkel root and forge proofs https://tornado-cash.medium.com/tornado-cash-got-hacked-by-us-b1e012a3c9a8 27
Soundness – Paper / Setup Theoretical fl aw in the paper’s setup description (sensitive values not cleared) https://electriccoin.co/blog/zcash-counterfeiting-vulnerability-successfully-remediated/ 28
Zero-knowledge – Application (Aztec) Nonces not correctly set by the application, breaking privacy https://medium.com/@jaosef/54dff729a24f (Aztec 2.0 Pre-Launch Notes) 29
Zero-knowledge – Application (Zcash) Correlations between (shielded) transactions 
 leaking exploitable information https://eprint.iacr.org/2020/627.pdf 30
Zero-knowledge – Prover (Plonkup) Missing (randomized) blinding to hide private inputs – potential ZK loss https://github.com/dusk-network/plonk/pull/651 31
DoS – Merkle tree Incomplete tree constraints, leading to a freeze of the rollup validation https://medium.com/aztec-protocol/vulnerabilities-found-in-aztec-2-0-9b80c8bf416c 32
DoS / Completeness? – DSL / Signatures Valid signatures rejected, risk initially deemed negligible https://github.com/starkware-libs/cairo-lang/issues/39 33
Other types of bugs Crypto issues such as: Pedersen bases generation/uniqueness Padding scheme in algebraic hashes and commitments Non-conform implementations of crypto schemes (e.g. Poseidon algebra bugs) Insuf fi cient data being “Fiat-Shamir'd" from the transcript Composability: unsafe interactions between nested proof systems Side channels: Non-ct code, RAM leakage, speculative execution leaks 34
Conclusions 😌 Why not be too scared? Robust code and frameworks (e.g. Rust projects such as arkworks and zkcrypto) DSLs (Cairo, Leo, etc.) make it easier to write safe code Relatively narrow attack surface in practice 35
Conclusions 😌 Why not be too scared? Robust code and frameworks (e.g. Rust projects such as arkworks and zkcrypto) DSLs (Cairo, Leo, etc.) make it easier to write safe code Relatively narrow attack surface in practice 😱 Why be scared? Few people understand zkSNARKs, even fewer can fi nd bugs Lack of tooling (wrt testing, fuzzing, veri fi cation) More ZKPs used => more $$$ at stake => greater RoI for vuln researchers 36
Thank you! JP Aumasson @veorq CSO @ taurushq.com Thanks to Aleo, Protocol Labs, Kobi Gurkan, Adrian Hamelink, Lúcás Meier, Mathilde Raynal

Empfohlen

Elliptic Curve Cryptography and Zero Knowledge Proof
Elliptic Curve Cryptography and Zero Knowledge ProofElliptic Curve Cryptography and Zero Knowledge Proof
Elliptic Curve Cryptography and Zero Knowledge ProofArunanand Ta
 
Fuzzing - A Tale of Two Cultures
Fuzzing - A Tale of Two CulturesFuzzing - A Tale of Two Cultures
Fuzzing - A Tale of Two CulturesCISPA Helmholtz Center for Information Security
 
zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...
zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...
zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...Alex Pruden
 
ClickHouse Data Warehouse 101: The First Billion Rows, by Alexander Zaitsev a...
ClickHouse Data Warehouse 101: The First Billion Rows, by Alexander Zaitsev a...ClickHouse Data Warehouse 101: The First Billion Rows, by Alexander Zaitsev a...
ClickHouse Data Warehouse 101: The First Billion Rows, by Alexander Zaitsev a...Altinity Ltd
 
RSA暗号運用でやってはいけない n のこと #ssmjp
RSA暗号運用でやってはいけない n のこと #ssmjpRSA暗号運用でやってはいけない n のこと #ssmjp
RSA暗号運用でやってはいけない n のこと #ssmjpsonickun
 
Quantum Knowledge Proofs and Post Quantum Cryptography - A Primer
Quantum Knowledge Proofs and Post Quantum Cryptography - A PrimerQuantum Knowledge Proofs and Post Quantum Cryptography - A Primer
Quantum Knowledge Proofs and Post Quantum Cryptography - A PrimerGokul Alex
 
Clickhouse Capacity Planning for OLAP Workloads, Mik Kocikowski of CloudFlare
Clickhouse Capacity Planning for OLAP Workloads, Mik Kocikowski of CloudFlareClickhouse Capacity Planning for OLAP Workloads, Mik Kocikowski of CloudFlare
Clickhouse Capacity Planning for OLAP Workloads, Mik Kocikowski of CloudFlareAltinity Ltd
 
楕円曲線と暗号
楕円曲線と暗号楕円曲線と暗号
楕円曲線と暗号MITSUNARI Shigeo
 

Empfohlen

Elliptic Curve Cryptography and Zero Knowledge Proof
Elliptic Curve Cryptography and Zero Knowledge ProofElliptic Curve Cryptography and Zero Knowledge Proof
Elliptic Curve Cryptography and Zero Knowledge ProofArunanand Ta
 
Fuzzing - A Tale of Two Cultures
Fuzzing - A Tale of Two CulturesFuzzing - A Tale of Two Cultures
Fuzzing - A Tale of Two CulturesCISPA Helmholtz Center for Information Security
 
zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...
zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...
zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...Alex Pruden
 
ClickHouse Data Warehouse 101: The First Billion Rows, by Alexander Zaitsev a...
ClickHouse Data Warehouse 101: The First Billion Rows, by Alexander Zaitsev a...ClickHouse Data Warehouse 101: The First Billion Rows, by Alexander Zaitsev a...
ClickHouse Data Warehouse 101: The First Billion Rows, by Alexander Zaitsev a...Altinity Ltd
 
RSA暗号運用でやってはいけない n のこと #ssmjp
RSA暗号運用でやってはいけない n のこと #ssmjpRSA暗号運用でやってはいけない n のこと #ssmjp
RSA暗号運用でやってはいけない n のこと #ssmjpsonickun
 
Quantum Knowledge Proofs and Post Quantum Cryptography - A Primer
Quantum Knowledge Proofs and Post Quantum Cryptography - A PrimerQuantum Knowledge Proofs and Post Quantum Cryptography - A Primer
Quantum Knowledge Proofs and Post Quantum Cryptography - A PrimerGokul Alex
 
Clickhouse Capacity Planning for OLAP Workloads, Mik Kocikowski of CloudFlare
Clickhouse Capacity Planning for OLAP Workloads, Mik Kocikowski of CloudFlareClickhouse Capacity Planning for OLAP Workloads, Mik Kocikowski of CloudFlare
Clickhouse Capacity Planning for OLAP Workloads, Mik Kocikowski of CloudFlareAltinity Ltd
 
楕円曲線と暗号
楕円曲線と暗号楕円曲線と暗号
楕円曲線と暗号MITSUNARI Shigeo
 
(JP) GPGPUがPostgreSQLを加速する
(JP) GPGPUがPostgreSQLを加速する(JP) GPGPUがPostgreSQLを加速する
(JP) GPGPUがPostgreSQLを加速するKohei KaiGai
 
A Fast Intro to Fast Query with ClickHouse, by Robert Hodges
A Fast Intro to Fast Query with ClickHouse, by Robert HodgesA Fast Intro to Fast Query with ClickHouse, by Robert Hodges
A Fast Intro to Fast Query with ClickHouse, by Robert HodgesAltinity Ltd
 
Kafka timestamp offset
Kafka timestamp offsetKafka timestamp offset
Kafka timestamp offsetDaeMyung Kang
 
Introduction to the Disruptor
Introduction to the DisruptorIntroduction to the Disruptor
Introduction to the DisruptorTrisha Gee
 
Spectre/Meltdownとその派生
Spectre/Meltdownとその派生Spectre/Meltdownとその派生
Spectre/Meltdownとその派生MITSUNARI Shigeo
 
zkStudyClub: HyperPlonk (Binyi Chen, Benedikt Bünz)
zkStudyClub: HyperPlonk (Binyi Chen, Benedikt Bünz)zkStudyClub: HyperPlonk (Binyi Chen, Benedikt Bünz)
zkStudyClub: HyperPlonk (Binyi Chen, Benedikt Bünz)Alex Pruden
 
自作ペアリング/BLS署名ライブラリの紹介
自作ペアリング/BLS署名ライブラリの紹介自作ペアリング/BLS署名ライブラリの紹介
自作ペアリング/BLS署名ライブラリの紹介MITSUNARI Shigeo
 
BSidesAugusta 2022 - The Power of the OT Security Playbook
BSidesAugusta 2022 - The Power of the OT Security PlaybookBSidesAugusta 2022 - The Power of the OT Security Playbook
BSidesAugusta 2022 - The Power of the OT Security PlaybookChris Sistrunk
 
組織デザインの展開 ~官僚制からティール組織まで~
組織デザインの展開 ~官僚制からティール組織まで~組織デザインの展開 ~官僚制からティール組織まで~
組織デザインの展開 ~官僚制からティール組織まで~Hiroki Iida
 
Quantum_Safe_Crypto_Overview_v3.pdf
Quantum_Safe_Crypto_Overview_v3.pdfQuantum_Safe_Crypto_Overview_v3.pdf
Quantum_Safe_Crypto_Overview_v3.pdfRonSteinfeld1
 
Multi-scalar multiplication: state of the art and new ideas
Multi-scalar multiplication: state of the art and new ideasMulti-scalar multiplication: state of the art and new ideas
Multi-scalar multiplication: state of the art and new ideasGus Gutoski
 
暗号技術入門
暗号技術入門暗号技術入門
暗号技術入門MITSUNARI Shigeo
 
Cryptography and Network Security William Stallings Lawrie Brown
Cryptography and Network Security William Stallings Lawrie BrownCryptography and Network Security William Stallings Lawrie Brown
Cryptography and Network Security William Stallings Lawrie BrownInformation Security Awareness Group
 
より深く知るオプティマイザとそのチューニング
より深く知るオプティマイザとそのチューニングより深く知るオプティマイザとそのチューニング
より深く知るオプティマイザとそのチューニングYuto Hayamizu
 
Computer Security Lecture 3: Classical Encryption Techniques 2
Computer Security Lecture 3: Classical Encryption Techniques 2Computer Security Lecture 3: Classical Encryption Techniques 2
Computer Security Lecture 3: Classical Encryption Techniques 2Mohamed Loey
 
Understanding DPDK
Understanding DPDKUnderstanding DPDK
Understanding DPDKDenys Haryachyy
 
PostgreSQL:行数推定を読み解く
PostgreSQL:行数推定を読み解くPostgreSQL:行数推定を読み解く
PostgreSQL:行数推定を読み解くHiroya Kabata
 
Post quantum cryptography
Post quantum cryptographyPost quantum cryptography
Post quantum cryptographyMartins Okoi
 
Problems with PostgreSQL on Multi-core Systems with MultiTerabyte Data
Problems with PostgreSQL on Multi-core Systems with MultiTerabyte DataProblems with PostgreSQL on Multi-core Systems with MultiTerabyte Data
Problems with PostgreSQL on Multi-core Systems with MultiTerabyte DataJignesh Shah
 
Geep networking stack-linuxkernel
Geep networking stack-linuxkernelGeep networking stack-linuxkernel
Geep networking stack-linuxkernelKiran Divekar
 
Why Pentesting is Vital to the Modern DoD Workforce
Why Pentesting is Vital to the Modern DoD WorkforceWhy Pentesting is Vital to the Modern DoD Workforce
Why Pentesting is Vital to the Modern DoD WorkforceGlobal Knowledge Training
 
Penetration testing, What’s this?
Penetration testing, What’s this?Penetration testing, What’s this?
Penetration testing, What’s this?Dmitry Evteev
 

Weitere ähnliche Inhalte

Was ist angesagt?

(JP) GPGPUがPostgreSQLを加速する
(JP) GPGPUがPostgreSQLを加速する(JP) GPGPUがPostgreSQLを加速する
(JP) GPGPUがPostgreSQLを加速するKohei KaiGai
 
A Fast Intro to Fast Query with ClickHouse, by Robert Hodges
A Fast Intro to Fast Query with ClickHouse, by Robert HodgesA Fast Intro to Fast Query with ClickHouse, by Robert Hodges
A Fast Intro to Fast Query with ClickHouse, by Robert HodgesAltinity Ltd
 
Kafka timestamp offset
Kafka timestamp offsetKafka timestamp offset
Kafka timestamp offsetDaeMyung Kang
 
Introduction to the Disruptor
Introduction to the DisruptorIntroduction to the Disruptor
Introduction to the DisruptorTrisha Gee
 
Spectre/Meltdownとその派生
Spectre/Meltdownとその派生Spectre/Meltdownとその派生
Spectre/Meltdownとその派生MITSUNARI Shigeo
 
zkStudyClub: HyperPlonk (Binyi Chen, Benedikt Bünz)
zkStudyClub: HyperPlonk (Binyi Chen, Benedikt Bünz)zkStudyClub: HyperPlonk (Binyi Chen, Benedikt Bünz)
zkStudyClub: HyperPlonk (Binyi Chen, Benedikt Bünz)Alex Pruden
 
自作ペアリング/BLS署名ライブラリの紹介
自作ペアリング/BLS署名ライブラリの紹介自作ペアリング/BLS署名ライブラリの紹介
自作ペアリング/BLS署名ライブラリの紹介MITSUNARI Shigeo
 
BSidesAugusta 2022 - The Power of the OT Security Playbook
BSidesAugusta 2022 - The Power of the OT Security PlaybookBSidesAugusta 2022 - The Power of the OT Security Playbook
BSidesAugusta 2022 - The Power of the OT Security PlaybookChris Sistrunk
 
組織デザインの展開 ~官僚制からティール組織まで~
組織デザインの展開 ~官僚制からティール組織まで~組織デザインの展開 ~官僚制からティール組織まで~
組織デザインの展開 ~官僚制からティール組織まで~Hiroki Iida
 
Quantum_Safe_Crypto_Overview_v3.pdf
Quantum_Safe_Crypto_Overview_v3.pdfQuantum_Safe_Crypto_Overview_v3.pdf
Quantum_Safe_Crypto_Overview_v3.pdfRonSteinfeld1
 
Multi-scalar multiplication: state of the art and new ideas
Multi-scalar multiplication: state of the art and new ideasMulti-scalar multiplication: state of the art and new ideas
Multi-scalar multiplication: state of the art and new ideasGus Gutoski
 
より深く知るオプティマイザとそのチューニング
より深く知るオプティマイザとそのチューニングより深く知るオプティマイザとそのチューニング
より深く知るオプティマイザとそのチューニングYuto Hayamizu
 
Computer Security Lecture 3: Classical Encryption Techniques 2
Computer Security Lecture 3: Classical Encryption Techniques 2Computer Security Lecture 3: Classical Encryption Techniques 2
Computer Security Lecture 3: Classical Encryption Techniques 2Mohamed Loey
 
PostgreSQL:行数推定を読み解く
PostgreSQL:行数推定を読み解くPostgreSQL:行数推定を読み解く
PostgreSQL:行数推定を読み解くHiroya Kabata
 
Post quantum cryptography
Post quantum cryptographyPost quantum cryptography
Post quantum cryptographyMartins Okoi
 
Problems with PostgreSQL on Multi-core Systems with MultiTerabyte Data
Problems with PostgreSQL on Multi-core Systems with MultiTerabyte DataProblems with PostgreSQL on Multi-core Systems with MultiTerabyte Data
Problems with PostgreSQL on Multi-core Systems with MultiTerabyte DataJignesh Shah
 
Geep networking stack-linuxkernel
Geep networking stack-linuxkernelGeep networking stack-linuxkernel
Geep networking stack-linuxkernelKiran Divekar
 

Was ist angesagt? (20)

(JP) GPGPUがPostgreSQLを加速する
(JP) GPGPUがPostgreSQLを加速する(JP) GPGPUがPostgreSQLを加速する
(JP) GPGPUがPostgreSQLを加速する
 
A Fast Intro to Fast Query with ClickHouse, by Robert Hodges
A Fast Intro to Fast Query with ClickHouse, by Robert HodgesA Fast Intro to Fast Query with ClickHouse, by Robert Hodges
A Fast Intro to Fast Query with ClickHouse, by Robert Hodges
 
Kafka timestamp offset
Kafka timestamp offsetKafka timestamp offset
Kafka timestamp offset
 
Introduction to the Disruptor
Introduction to the DisruptorIntroduction to the Disruptor
Introduction to the Disruptor
 
Spectre/Meltdownとその派生
Spectre/Meltdownとその派生Spectre/Meltdownとその派生
Spectre/Meltdownとその派生
 
zkStudyClub: HyperPlonk (Binyi Chen, Benedikt Bünz)
zkStudyClub: HyperPlonk (Binyi Chen, Benedikt Bünz)zkStudyClub: HyperPlonk (Binyi Chen, Benedikt Bünz)
zkStudyClub: HyperPlonk (Binyi Chen, Benedikt Bünz)
 
自作ペアリング/BLS署名ライブラリの紹介
自作ペアリング/BLS署名ライブラリの紹介自作ペアリング/BLS署名ライブラリの紹介
自作ペアリング/BLS署名ライブラリの紹介
 
BSidesAugusta 2022 - The Power of the OT Security Playbook
BSidesAugusta 2022 - The Power of the OT Security PlaybookBSidesAugusta 2022 - The Power of the OT Security Playbook
BSidesAugusta 2022 - The Power of the OT Security Playbook
 
組織デザインの展開 ~官僚制からティール組織まで~
組織デザインの展開 ~官僚制からティール組織まで~組織デザインの展開 ~官僚制からティール組織まで~
組織デザインの展開 ~官僚制からティール組織まで~
 
Quantum_Safe_Crypto_Overview_v3.pdf
Quantum_Safe_Crypto_Overview_v3.pdfQuantum_Safe_Crypto_Overview_v3.pdf
Quantum_Safe_Crypto_Overview_v3.pdf
 
Multi-scalar multiplication: state of the art and new ideas
Multi-scalar multiplication: state of the art and new ideasMulti-scalar multiplication: state of the art and new ideas
Multi-scalar multiplication: state of the art and new ideas
 
暗号技術入門
暗号技術入門暗号技術入門
暗号技術入門
 
Cryptography and Network Security William Stallings Lawrie Brown
Cryptography and Network Security William Stallings Lawrie BrownCryptography and Network Security William Stallings Lawrie Brown
Cryptography and Network Security William Stallings Lawrie Brown
 
より深く知るオプティマイザとそのチューニング
より深く知るオプティマイザとそのチューニングより深く知るオプティマイザとそのチューニング
より深く知るオプティマイザとそのチューニング
 
Computer Security Lecture 3: Classical Encryption Techniques 2
Computer Security Lecture 3: Classical Encryption Techniques 2Computer Security Lecture 3: Classical Encryption Techniques 2
Computer Security Lecture 3: Classical Encryption Techniques 2
 
Understanding DPDK
Understanding DPDKUnderstanding DPDK
Understanding DPDK
 
PostgreSQL:行数推定を読み解く
PostgreSQL:行数推定を読み解くPostgreSQL:行数推定を読み解く
PostgreSQL:行数推定を読み解く
 
Post quantum cryptography
Post quantum cryptographyPost quantum cryptography
Post quantum cryptography
 
Problems with PostgreSQL on Multi-core Systems with MultiTerabyte Data
Problems with PostgreSQL on Multi-core Systems with MultiTerabyte DataProblems with PostgreSQL on Multi-core Systems with MultiTerabyte Data
Problems with PostgreSQL on Multi-core Systems with MultiTerabyte Data
 
Geep networking stack-linuxkernel
Geep networking stack-linuxkernelGeep networking stack-linuxkernel
Geep networking stack-linuxkernel
 

Ähnlich wie zkStudyClub: Zero-Knowledge Proofs Security, in Practice [JP Aumasson, Taurus]

Why Pentesting is Vital to the Modern DoD Workforce
Why Pentesting is Vital to the Modern DoD WorkforceWhy Pentesting is Vital to the Modern DoD Workforce
Why Pentesting is Vital to the Modern DoD WorkforceGlobal Knowledge Training
 
Penetration testing, What’s this?
Penetration testing, What’s this?Penetration testing, What’s this?
Penetration testing, What’s this?Dmitry Evteev
 
6.Resource Exhaustion
6.Resource Exhaustion6.Resource Exhaustion
6.Resource Exhaustionphanleson
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testingNezar Alazzabi
 
Detection of webshells in compromised perimeter assets using ML algorithms
Detection of webshells in compromised perimeter assets using ML algorithms Detection of webshells in compromised perimeter assets using ML algorithms
Detection of webshells in compromised perimeter assets using ML algorithms Rod Soto
 
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdfVulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdflior mazor
 
3.Secure Design Principles And Process
3.Secure Design Principles And Process3.Secure Design Principles And Process
3.Secure Design Principles And Processphanleson
 
Make the Smartcard great again
Make the Smartcard great againMake the Smartcard great again
Make the Smartcard great againEric Larcheveque
 
Anton Chuvakin on Honeypots
Anton Chuvakin on HoneypotsAnton Chuvakin on Honeypots
Anton Chuvakin on HoneypotsAnton Chuvakin
 
Exploits Attack on Windows Vulnerabilities
Exploits Attack on Windows VulnerabilitiesExploits Attack on Windows Vulnerabilities
Exploits Attack on Windows VulnerabilitiesAmit Kumbhar
 
LAS16 111 - Raspberry pi3, op-tee and jtag debugging
LAS16 111 - Raspberry pi3, op-tee and jtag debuggingLAS16 111 - Raspberry pi3, op-tee and jtag debugging
LAS16 111 - Raspberry pi3, op-tee and jtag debugging96Boards
 
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3Linaro
 
Security Testing ModernApps_v1.0
Security Testing ModernApps_v1.0Security Testing ModernApps_v1.0
Security Testing ModernApps_v1.0Neelu Tripathy
 
Network Security Data Visualization
Network Security Data VisualizationNetwork Security Data Visualization
Network Security Data Visualizationamiable_indian
 

Ähnlich wie zkStudyClub: Zero-Knowledge Proofs Security, in Practice [JP Aumasson, Taurus] (20)

Why Pentesting is Vital to the Modern DoD Workforce
Why Pentesting is Vital to the Modern DoD WorkforceWhy Pentesting is Vital to the Modern DoD Workforce
Why Pentesting is Vital to the Modern DoD Workforce
 
Penetration testing, What’s this?
Penetration testing, What’s this?Penetration testing, What’s this?
Penetration testing, What’s this?
 
6.Resource Exhaustion
6.Resource Exhaustion6.Resource Exhaustion
6.Resource Exhaustion
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
 
Detection of webshells in compromised perimeter assets using ML algorithms
Detection of webshells in compromised perimeter assets using ML algorithms Detection of webshells in compromised perimeter assets using ML algorithms
Detection of webshells in compromised perimeter assets using ML algorithms
 
Super1
Super1Super1
Super1
 
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdfVulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
 
3.Secure Design Principles And Process
3.Secure Design Principles And Process3.Secure Design Principles And Process
3.Secure Design Principles And Process
 
Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004
 
Day4
Day4Day4
Day4
 
ML13198A410.pdf
ML13198A410.pdfML13198A410.pdf
ML13198A410.pdf
 
ML13198A410.pdf
ML13198A410.pdfML13198A410.pdf
ML13198A410.pdf
 
ML13198A410.pdf
ML13198A410.pdfML13198A410.pdf
ML13198A410.pdf
 
Make the Smartcard great again
Make the Smartcard great againMake the Smartcard great again
Make the Smartcard great again
 
Anton Chuvakin on Honeypots
Anton Chuvakin on HoneypotsAnton Chuvakin on Honeypots
Anton Chuvakin on Honeypots
 
Exploits Attack on Windows Vulnerabilities
Exploits Attack on Windows VulnerabilitiesExploits Attack on Windows Vulnerabilities
Exploits Attack on Windows Vulnerabilities
 
LAS16 111 - Raspberry pi3, op-tee and jtag debugging
LAS16 111 - Raspberry pi3, op-tee and jtag debuggingLAS16 111 - Raspberry pi3, op-tee and jtag debugging
LAS16 111 - Raspberry pi3, op-tee and jtag debugging
 
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3
 
Security Testing ModernApps_v1.0
Security Testing ModernApps_v1.0Security Testing ModernApps_v1.0
Security Testing ModernApps_v1.0
 
Network Security Data Visualization
Network Security Data VisualizationNetwork Security Data Visualization
Network Security Data Visualization
 

Mehr von Alex Pruden

zkStudyClub - zkSaaS (Sruthi Sekar, UCB)
zkStudyClub - zkSaaS (Sruthi Sekar, UCB)zkStudyClub - zkSaaS (Sruthi Sekar, UCB)
zkStudyClub - zkSaaS (Sruthi Sekar, UCB)Alex Pruden
 
zkStudyClub - Lasso/Jolt (Justin Thaler, GWU/a16z)
zkStudyClub - Lasso/Jolt (Justin Thaler, GWU/a16z)zkStudyClub - Lasso/Jolt (Justin Thaler, GWU/a16z)
zkStudyClub - Lasso/Jolt (Justin Thaler, GWU/a16z)Alex Pruden
 
zkStudyClub - Improving performance of non-native arithmetic in SNARKs (Ivo K...
zkStudyClub - Improving performance of non-native arithmetic in SNARKs (Ivo K...zkStudyClub - Improving performance of non-native arithmetic in SNARKs (Ivo K...
zkStudyClub - Improving performance of non-native arithmetic in SNARKs (Ivo K...Alex Pruden
 
zkStudyClub - ProtoStar (Binyi Chen & Benedikt Bünz, Espresso Systems)
zkStudyClub - ProtoStar (Binyi Chen & Benedikt Bünz, Espresso Systems)zkStudyClub - ProtoStar (Binyi Chen & Benedikt Bünz, Espresso Systems)
zkStudyClub - ProtoStar (Binyi Chen & Benedikt Bünz, Espresso Systems)Alex Pruden
 
zkStudyClub - cqlin: Efficient linear operations on KZG commitments
zkStudyClub - cqlin: Efficient linear operations on KZG commitments zkStudyClub - cqlin: Efficient linear operations on KZG commitments
zkStudyClub - cqlin: Efficient linear operations on KZG commitments Alex Pruden
 
ZK Study Club: Supernova (Srinath Setty - MS Research)
ZK Study Club: Supernova (Srinath Setty - MS Research)ZK Study Club: Supernova (Srinath Setty - MS Research)
ZK Study Club: Supernova (Srinath Setty - MS Research)Alex Pruden
 
Eos - Efficient Private Delegation of zkSNARK provers
Eos - Efficient Private Delegation of zkSNARK proversEos - Efficient Private Delegation of zkSNARK provers
Eos - Efficient Private Delegation of zkSNARK proversAlex Pruden
 
Caulk: zkStudyClub: Caulk - Lookup Arguments in Sublinear Time (A. Zapico)
Caulk: zkStudyClub: Caulk - Lookup Arguments in Sublinear Time (A. Zapico)Caulk: zkStudyClub: Caulk - Lookup Arguments in Sublinear Time (A. Zapico)
Caulk: zkStudyClub: Caulk - Lookup Arguments in Sublinear Time (A. Zapico)Alex Pruden
 
zkStudy Club: Subquadratic SNARGs in the Random Oracle Model
zkStudy Club: Subquadratic SNARGs in the Random Oracle ModelzkStudy Club: Subquadratic SNARGs in the Random Oracle Model
zkStudy Club: Subquadratic SNARGs in the Random Oracle ModelAlex Pruden
 
ZK Study Club: Sumcheck Arguments and Their Applications
ZK Study Club: Sumcheck Arguments and Their ApplicationsZK Study Club: Sumcheck Arguments and Their Applications
ZK Study Club: Sumcheck Arguments and Their ApplicationsAlex Pruden
 
Ecfft zk studyclub 9.9
Ecfft zk studyclub 9.9Ecfft zk studyclub 9.9
Ecfft zk studyclub 9.9Alex Pruden
 
Quarks zk study-club
Quarks zk study-clubQuarks zk study-club
Quarks zk study-clubAlex Pruden
 
zkStudyClub: CirC and Compiling Programs to Circuits
zkStudyClub: CirC and Compiling Programs to CircuitszkStudyClub: CirC and Compiling Programs to Circuits
zkStudyClub: CirC and Compiling Programs to CircuitsAlex Pruden
 

Mehr von Alex Pruden (13)

zkStudyClub - zkSaaS (Sruthi Sekar, UCB)
zkStudyClub - zkSaaS (Sruthi Sekar, UCB)zkStudyClub - zkSaaS (Sruthi Sekar, UCB)
zkStudyClub - zkSaaS (Sruthi Sekar, UCB)
 
zkStudyClub - Lasso/Jolt (Justin Thaler, GWU/a16z)
zkStudyClub - Lasso/Jolt (Justin Thaler, GWU/a16z)zkStudyClub - Lasso/Jolt (Justin Thaler, GWU/a16z)
zkStudyClub - Lasso/Jolt (Justin Thaler, GWU/a16z)
 
zkStudyClub - Improving performance of non-native arithmetic in SNARKs (Ivo K...
zkStudyClub - Improving performance of non-native arithmetic in SNARKs (Ivo K...zkStudyClub - Improving performance of non-native arithmetic in SNARKs (Ivo K...
zkStudyClub - Improving performance of non-native arithmetic in SNARKs (Ivo K...
 
zkStudyClub - ProtoStar (Binyi Chen & Benedikt Bünz, Espresso Systems)
zkStudyClub - ProtoStar (Binyi Chen & Benedikt Bünz, Espresso Systems)zkStudyClub - ProtoStar (Binyi Chen & Benedikt Bünz, Espresso Systems)
zkStudyClub - ProtoStar (Binyi Chen & Benedikt Bünz, Espresso Systems)
 
zkStudyClub - cqlin: Efficient linear operations on KZG commitments
zkStudyClub - cqlin: Efficient linear operations on KZG commitments zkStudyClub - cqlin: Efficient linear operations on KZG commitments
zkStudyClub - cqlin: Efficient linear operations on KZG commitments
 
ZK Study Club: Supernova (Srinath Setty - MS Research)
ZK Study Club: Supernova (Srinath Setty - MS Research)ZK Study Club: Supernova (Srinath Setty - MS Research)
ZK Study Club: Supernova (Srinath Setty - MS Research)
 
Eos - Efficient Private Delegation of zkSNARK provers
Eos - Efficient Private Delegation of zkSNARK proversEos - Efficient Private Delegation of zkSNARK provers
Eos - Efficient Private Delegation of zkSNARK provers
 
Caulk: zkStudyClub: Caulk - Lookup Arguments in Sublinear Time (A. Zapico)
Caulk: zkStudyClub: Caulk - Lookup Arguments in Sublinear Time (A. Zapico)Caulk: zkStudyClub: Caulk - Lookup Arguments in Sublinear Time (A. Zapico)
Caulk: zkStudyClub: Caulk - Lookup Arguments in Sublinear Time (A. Zapico)
 
zkStudy Club: Subquadratic SNARGs in the Random Oracle Model
zkStudy Club: Subquadratic SNARGs in the Random Oracle ModelzkStudy Club: Subquadratic SNARGs in the Random Oracle Model
zkStudy Club: Subquadratic SNARGs in the Random Oracle Model
 
ZK Study Club: Sumcheck Arguments and Their Applications
ZK Study Club: Sumcheck Arguments and Their ApplicationsZK Study Club: Sumcheck Arguments and Their Applications
ZK Study Club: Sumcheck Arguments and Their Applications
 
Ecfft zk studyclub 9.9
Ecfft zk studyclub 9.9Ecfft zk studyclub 9.9
Ecfft zk studyclub 9.9
 
Quarks zk study-club
Quarks zk study-clubQuarks zk study-club
Quarks zk study-club
 
zkStudyClub: CirC and Compiling Programs to Circuits
zkStudyClub: CirC and Compiling Programs to CircuitszkStudyClub: CirC and Compiling Programs to Circuits
zkStudyClub: CirC and Compiling Programs to Circuits
 

Kürzlich hochgeladen

Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 

Kürzlich hochgeladen (20)

Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 

zkStudyClub: Zero-Knowledge Proofs Security, in Practice [JP Aumasson, Taurus]

  • 1. Zero-knowledge proofs security, in practice JP Aumasson @veorq CSO @ taurushq.com
  • 2. NIZK arguments security, in practice JP Aumasson @veorq CSO @ taurushq.com
  • 3. This talk Focus on zkSNARKs, a class of NIZK arguments Fully succinct = O(1) proof size and O(circuit size) veri fi cation time Based on my experience looking for bugs in systems using Groth16, used in Zcash, Filecoin, and many others Marlin, a universal zkSNARK, used in Aleo Most of the content applies to other systems (Plonk, SONIC, etc.) and STARKs 3
  • 4. Why study zkSNARKs security? For blockchain projects: A major risk: Complexity + Novelty => Non-trivial bugs A lot at stake ($$$ and user data/privacy) 4
  • 5. Why study zkSNARKs security? For blockchain projects: A major risk: Complexity + Novelty => Non-trivial bugs A lot at stake ($$$ and user data/privacy) As a cryptographer: The most interesting crypto today: Solving real-world problems and deployed at scale (good papers + good code!) Intricate constructions with non-trivial components “Simple but complex" (non-interactive, many moving parts) “Multidimensional" way to reason about security 5
  • 6. What is zkSNARKs security? Soundness, often the highest risk in practice: Invalid proofs should always be rejected Forging, altering, replaying valid proofs should be impossible 6
  • 7. What is zkSNARKs security? Soundness, often the highest risk in practice: Invalid proofs should always be rejected Forging, altering, replaying valid proofs should be impossible Zero-knowledge: Proofs should not leak witness information (private variables) In practice succinct proofs of large programs can leak only little data 7
  • 8. What is zkSNARKs security? Soundness, often the highest risk in practice: Invalid proofs should always be rejected Forging, altering, replaying valid proofs should be impossible Zero-knowledge: Proofs should not leak witness information (private variables) In practice succinct proofs of large programs can leak only little data Completeness, often a DoS/usability risk that may be further exploited: Valid proofs should always be accepted All programs/circuits supported should be correctly processed 8
  • 9. Bug hunting challenges Practical zkSNARKs are recent, thus auditors often have Limited experience auditing ZKPs Limited knowledge of the theory, of implementations’ tricks Limited “checklist" of bugs and bug classes Limited tooling and methodology Most bugs found internally or by teams of similar projects 9
  • 10. New crypto, new approach More collaboration with the devs/designers (joint review sessions, Q&As, etc.) More threat analysis, to understand the application’s unique/novel risks Practical experience: writing PoCs, circuits, proof systems, etc. Learn previous failures, for example from… Public disclosures and exploits Other audit reports Issue trackers / PRs Community 10
  • 11. General work fl ow, and failure examples 11 Computation Circuit de fi nition Arithmetization Non-interactive proof Integration
  • 12. General work fl ow, and failure examples 12 Computation Circuit de fi nition Arithmetization Non-interactive proof Integration The program’s logic is not secure The circuit is not equivalent to the program The CS fails to enforce an operation a constraint Bad choice of internal commitment schemes wrt hiding or binding properties The application allows replays of previous proofs
  • 13. How to break zkSNARKs security? (1/2) Break soundness, for example by exploiting Constraint system not effectively enforcing certain constraints Insecure generation or protection of proving keys 13
  • 14. How to break zkSNARKs security? (1/2) Break soundness, for example by exploiting Constraint system not effectively enforcing certain constraints Insecure generation or protection of proving keys Break zero-knowledge, for example by exploiting Private data treated as public variables Protocol-level “metadata attacks” 14
  • 15. How to break zkSNARKs security? (1/2) Break soundness, for example by exploiting Constraint system not effectively enforcing certain constraints Insecure generation or protection of proving keys Break zero-knowledge, for example by exploiting Private data treated as public variables Protocol-level “metadata attacks” Break completeness, for example by exploiting Incorrect R1CS synthesis behaviour on edge cases (e.g. wrt number of private vars) Gadget composition failure caused by type mismatch between gadget i/o values 15
  • 16. How to break zkSNARKs security? (2/2) Break (off-chain) software, via any bug leading to Leakage of data, including via side channels, encodings (“ZK execution”) Any form in insecure state (code execution, DoS) Compromise the supply-chain, via Trusted setup's code and execution Build and release process integrity Software dependencies 16
  • 17. How to break zkSNARKs security? (2/2) Break (off-chain) software, via any bug leading to Leakage of data, including via side channels, encodings (“ZK execution”) Any form in insecure state (code execution, DoS) Compromise the supply-chain, via Trusted setup's code and execution Build and release process integrity Software dependencies Break (on-chain) software (incl. veri fi er) via smart contract bugs, logic fl aws, etc. 17
  • 18. Multiple layers 18 A failure in a lower layer can jeopardise the security of all upper layers Platform: language, runtime, OS, hardware, dependencies Prover/veri fi er Application 😈 Adversarial input 😈 🥴 Protocol input 🥴 😐 Con fi g 😐 Field arithmetic, elliptic curves group operations Arithmetization / constraints generation 
 from fi xed or user-de fi ned circuit
  • 19. Multiple layers 19 A failure in a lower layer can jeopardise the security of all upper layers Platform: language, runtime, OS, hardware, dependencies Prover/veri fi er Application 😈 Adversarial input 😈 🥴 Protocol input 🥴 😐 Con fi g 😐 Zero-knowledge greater risks Completeness and 
 Soundness greater risks Field arithmetic, elliptic curves group operations Arithmetization / constraints generation 
 from fi xed or user-de fi ned circuit
  • 20. Multiple layers 20 Field arithmetic, elliptic curves group operations A failure in a subcomponent can jeopardise the security of all upper layers Platform: language, runtime, OS, hardware, dependencies Arithmetization / constraints generation 
 from fi xed or user-de fi ned circuit Prover/veri fi er Application 😈 Adversarial input 😈 🥴 Protocol input 🥴 😐 Con fi g 😐 Hashing, PRF,Algebraic commitment, Randomness, Merkle trees, … Fiat-Shamir, Polynomial commitments, Hash-to-curve, linear algebra, … Key/nonce management,Testing Interface, Side channels, Replays Fast operations, multi-exp, … R1CS,AIR, polynomials, … RNG, … ..
  • 21. Multiple layers 21 Security 101: Input validation must be de fi ned, implemented, and tested Prover/veri fi er Elliptic curves, Pairings, Hash functions, PRF,Algebraic commitment Randomness, Merkle trees Linear algebra, Multi-exp. Polynomial commitments, Fiat-Shamir transforms, etc. etc. Application Key management,Testing Interface, Side channels 😈 Adversarial input 😈 🥴 Protocol input 🥴 😐 Con fi g 😐 Contracts between components must be de fi ned to prevent insecure composition Example: which component is responsible 
 for group membership checks?
  • 22. 22
  • 23. Soundness – Field arithmetic Root cause: Missing over fl ow check (of a nulli fi er ~ unique ID of a shielded payment) https://github.com/appliedzkp/semaphore/issues/16 23
  • 24. Soundness – Field arithmetic Missing over fl ow check (of a public input) https://github.com/eea-oasis/baseline/issues/34 24
  • 25. Soundness – Field arithmetic Missing over fl ow check (of a public input) https://github.com/appliedzkp/semaphore/pull/96/ 25
  • 26. Soundness – R1CS Field element inverse property not enforced by the constraint system https://github.com/arkworks-rs/r1cs-std/pull/70 26
  • 27. Soundness – Hash validation Coding error, allowing to fake the witness’ Merkel root and forge proofs https://tornado-cash.medium.com/tornado-cash-got-hacked-by-us-b1e012a3c9a8 27
  • 28. Soundness – Paper / Setup Theoretical fl aw in the paper’s setup description (sensitive values not cleared) https://electriccoin.co/blog/zcash-counterfeiting-vulnerability-successfully-remediated/ 28
  • 29. Zero-knowledge – Application (Aztec) Nonces not correctly set by the application, breaking privacy https://medium.com/@jaosef/54dff729a24f (Aztec 2.0 Pre-Launch Notes) 29
  • 30. Zero-knowledge – Application (Zcash) Correlations between (shielded) transactions 
 leaking exploitable information https://eprint.iacr.org/2020/627.pdf 30
  • 31. Zero-knowledge – Prover (Plonkup) Missing (randomized) blinding to hide private inputs – potential ZK loss https://github.com/dusk-network/plonk/pull/651 31
  • 32. DoS – Merkle tree Incomplete tree constraints, leading to a freeze of the rollup validation https://medium.com/aztec-protocol/vulnerabilities-found-in-aztec-2-0-9b80c8bf416c 32
  • 33. DoS / Completeness? – DSL / Signatures Valid signatures rejected, risk initially deemed negligible https://github.com/starkware-libs/cairo-lang/issues/39 33
  • 34. Other types of bugs Crypto issues such as: Pedersen bases generation/uniqueness Padding scheme in algebraic hashes and commitments Non-conform implementations of crypto schemes (e.g. Poseidon algebra bugs) Insuf fi cient data being “Fiat-Shamir'd" from the transcript Composability: unsafe interactions between nested proof systems Side channels: Non-ct code, RAM leakage, speculative execution leaks 34
  • 35. Conclusions 😌 Why not be too scared? Robust code and frameworks (e.g. Rust projects such as arkworks and zkcrypto) DSLs (Cairo, Leo, etc.) make it easier to write safe code Relatively narrow attack surface in practice 35
  • 36. Conclusions 😌 Why not be too scared? Robust code and frameworks (e.g. Rust projects such as arkworks and zkcrypto) DSLs (Cairo, Leo, etc.) make it easier to write safe code Relatively narrow attack surface in practice 😱 Why be scared? Few people understand zkSNARKs, even fewer can fi nd bugs Lack of tooling (wrt testing, fuzzing, veri fi cation) More ZKPs used => more $$$ at stake => greater RoI for vuln researchers 36
  • 37. Thank you! JP Aumasson @veorq CSO @ taurushq.com Thanks to Aleo, Protocol Labs, Kobi Gurkan, Adrian Hamelink, Lúcás Meier, Mathilde Raynal