论文标题
00
00
论文作者
论文摘要
密码学中最有趣的数字是什么(第2集)? 0 [1]。原因是$ \ forall x,x \ cdot 0 = 0 $,即,无论$ x $是什么。我们将使用零来攻击零知识证明(ZKP)。特别是,我们将在尖端的ZKP PLONK [2] C ++实现中讨论一个关键问题,该实现使攻击者可以创建所有验证者接受的伪造证明。我们将展示理论如何指导攻击的方向。在实践中,攻击就像魅力一样,我们将展示攻击如何通过一系列完美的软件破解来降临。在同一代码库中,存在一个独立的关键ECDSA错误,其中(r,s)=(0,0)是任意密钥和消息的有效签名,但是我们不会进一步讨论它,因为它是Google Wycheproofforage faceproof Crampresanalysis Project中的已知ECDSA攻击向量[3]我几年前工作过。 所有错误均已通过供应商的Bug Bounty计划负责任地披露,总奖励$ \ sim \ $ 15,000 $(谢谢)。
What is the funniest number in cryptography (Episode 2)? 0 [1]. The reason is that $\forall x, x \cdot 0 = 0$, i.e., the equation is satisfied no matter what $x$ is. We'll use zero to attack zero-knowledge proof (ZKP). In particular, we'll discuss a critical issue in a cutting-edge ZKP PLONK [2] C++ implementation which allows an attacker to create a forged proof that all verifiers will accept. We'll show how theory guides the attack's direction. In practice, the attack works like a charm and we'll show how the attack falls through a chain of perfectly aligned software cracks. In the same codebase, there is an independent critical ECDSA bug where (r, s) = (0, 0) is a valid signature for arbitrary keys and messages, but we won't discuss it further because it's a known ECDSA attack vector in the Google Wycheproof cryptanalysis project [3] that I worked on a few years ago. All bugs have been responsibly disclosed through the vendor's bug bounty program with total reward $\sim \$15,000$ (thank you).
