29 comments

[ 1.8 ms ] story [ 71.1 ms ] thread
Does that mean you can fake Bitcoins or cryptocurrency transactions? What exactly could be affected by these vulnerabilities? Is there a better article anywhere that actually spells it out for the layman?
(Take this with a grain of salt as I only learned about the Fiat-Shamir heuristic via this HN thread last week https://news.ycombinator.com/item?id=44458168, and I only have basic experience in theoretical cryptography)

There exists the concept of a zero-knowledge proof: check out the Wikipedia page for some intuitive examples of how these work in an interactive context. Basically, by asking someone who wants to prove something (the prover) a bunch of questions (challenges), you can get probabilistic confidence that they actually know that thing: https://en.wikipedia.org/wiki/Zero-knowledge_proof#Abstract_...

You want it to be interactive because that makes it much harder for the prover to "fake it" on the spot. But it would be more convenient if you didn't need to be online and actively talking to each other - so we want a non-interactive way to do the same thing.

The Fiat-Shamir transform (or heuristic) says that we can transform interactive protocols into non-interactive ones by relying on "random" challenges. If the prover can't control the randomness, then it's about as good as you interactively challenging them (and you can e.g. make them do more challenges to make up for it).

How do we get randomness? In computing we don't really have anything totally random, but cryptographic hash functions are believed to be very difficult to predict the output to. So, in cryptography there's the "random oracle model" where you say, "Well, I don't know if this protocol is safe with these real-life hashes. But if the hash function was a truly random oracle, I can prove it's safe." (The Fiat-Shamir transform is only provably secure if you believe in the random oracle model).

In the past, researchers have constructed new protocols that are safe in the random oracle model, but once you use a real hash function they're breakable because of real-world implementation details. As the abstract of this paper says, "So far, all of these examples have been contrived protocols that were specifically designed to fail." See https://crypto.stackexchange.com/q/879 for some discussion of the mechanics of how it might happen, once you choose a real hash function.

This new paper advances the field by showing an attack that targets a real-world protocol that people actually use, GKR. It shows (and again, take my interpretation with a grain of salt) that when you pick a real hash function, the attacker can construct an input (circuit) that results in whatever output the attacker wants.

---

What's the real-world impact?

There do exist real non-interactive zero-knowledge proof systems, mainly used in blockchains. Instead of publicly exposing all the info to the world and doing computation on the (slow) blockchain, you can protect privacy of transactions and/or bundle a bunch of updates into a cheaper one (ZK-rollups). Theoretically these could be attacked using the methods described in the paper.

It's unclear to me whether those are affected here (though my guess is no, since they could have mentioned it if so).

No, this could not allow for faking Bitcoin or Ethereum TXs. This type of vulnerability mainly concerns "zero-knowledge" proof methods, which do not occur inside the Bitcoin or Ethereum base layers. Some teams are building ZK proofs on top of these and other blockchains though, so those systems could be vulnerable, though they are still largely experimental.
Hashes should never be a source of randomness. Randomness makes assumptions far outside their intended use case.

Hashes should only be a reproducible label that cannot be used to produce the material described by the hash. When used for their intended purposes hashes serve as the strongest point of integrity until value collisions are discovered.

But once you've made a function that "cannot be used to produce the material described by the hash", you've also made a very good pseudo-randomizer. In fact, if a cryptographic hash function cannot be trusted for its ability to produce apparent randomness, then it cannot be trusted for its "intended purposes". You get both properties or neither.
You realize all signatures in use today basically use hash functions as randomness
I'm sorry, but this comment is very vague and unclear.

Cryptographers know that hashes (even cryptographically strong ones!) are deterministic. Yet, it is possible that in going from an interactive proof to a non-interactive one, one does not actually need randomness. Indeed, for some class of protocols, we know how to design hash functions satisfying a particular property (correlation intractability) so that the resulting non-interactive proof is sound. It's just that (a) these hashes are inefficient, and (b) until now no one had found a non-contrived protocol where using standard hashes leads to an attack.

You may want to stay away from all modern CSPRNGs then. Eg Yarrow and Fortuna rely on sources of random input data being mixed in but using a strong hash function (nowadays sha-256) to produce the output at arbitrarily fast rates without consuming entropy.

And to your criticism that this is just programmers who don’t know what they’re doing, these algorithms were developed by Bruce Schneier, Niels Ferguson, and John Kelsey.

I find the actual paper more readable and understandable than this summarization.

https://eprint.iacr.org/2025/118

That's the case with many cryptographic explanations for laypeople, in my experience (as mostly a layperson).

Maybe all these elaborate analogies of Alice walking into a cave and Bob yelling which exit she should come out of, Alice wanting to sell Bob a Hamiltonian cycle trustlessly, Alice and Bob mixing buckets of paint and shipping them via the mail back and forth etc. are working for some people, but it's not me.

(comment deleted)
I recall someone creating a crypto system and then forgetting to protect the constructor of the initial object so other could change the constructor and do whatever they wanted with that crypto system, but in the end the creators were just web developers with a little training in crypto.

In those circumstances those millions of coins flying in or out are not a tragedy (at least for me) but a very plausible outcome.

That's a completely different and unrelated type of vulnerability, though.

Implementation mistakes leading to mass coin theft would certainly be cryptocurrency news, but they would not be crypto(graphy) news. Breaking an actual peer-reviewed zero knowledge proof scheme would be.

>if a professor has assigned 100 problems for homework but doesn’t want to grade a student’s entire assignment, she can randomly choose 10 problems to grade. In the language of computer scientists, she is making 10 “random challenges” to the student’s homework. If the answers to those 10 problems are correct, the professor can feel confident that most of the other answers are correct too.

Eureka! I found the reason that so many things in society have gone to shit in the last few years. Far too many professors are so overworked or maybe just lazy and are using this type of tool to grade student work and the end result is that we have too many students passing through the system who have demonstrably only been able to score a 10/100.

I'm over 60 now and if I had scored lower than my current age back in the day I would fail and need to repeat the grade/course. Now they just kick the can('ts) on down the road and hope no one ever notices.

Too bad some of these failures end up in positions of influence where their uncharted deficiencies have the power to disrupt or destroy functional systems.

Or maybe I'm joking. I'll know once the caffeine hits.

This is just an analogy used by the article to explain the Fiat-Shamir transform.
What is a lie? what is the truth? It is very difficult to find the truth, and the descriptions of the same thing are different for different persons. So the title and its content is a lie.
In context, these terms have specific definitions where this is not an issue.
> When he shared his thoughts with Ethereum’s cryptographers, he was startled to learn that they were unfamiliar with this work

It would be nice if the article included timelines. Ethereum researchers have been talking about GKR since 2020,so it's hard to imagine the lack of familiarity.

I don't believe the "this work" that the article is talking about here is GKR, but work that is referenced earlier in the article:

> In the early 2000s, computer scientists showed how to do just that, contriving interactive proof protocols that were specifically designed to fail when they underwent Fiat-Shamir

Indeed, the artcile points out that targeting GKR was the idea of the Ethereum Foundation researcher.

> Soukhanov had the idea to target a Fiat-Shamir proof system based on something called the GKR protocol

My initial prediction is they just divided by zero someplace - just like every other undergrad in any degree program that requires some advanced math has. I'm happy to see they didn't make this obvious mistake.
The article is lacking a lot of details, so maybe I'll check the paper if I have the time in the coming days. But, my understanding from the article is that this attack works by breaking a premise of the considered protocols that doesn't have much to do with the random oracle model. They basically say that, if you agree on a program to use and you hash it as part of your commitment, then you can use the Fiat-Shamir transform to prove claims regarding the program's output. But it seems natural to me that, if you are tricked into accepting the use of a malicious program, then the protocol breaks. After all, the hashing of the program at the beginning is meant to ensure that you're using a specific binary you agreed upon, but it does nothing to show that such a binary works as intended. This has to be verified outside of such protocol.

Am I missing something? Or maybe the point is that, under the random oracle model, it should be hard to write a program that contains its own hash? But then again, would the trick of reading the hash from an external configuration file that isn't considered as part of the hashing be fair game?

(comment deleted)
The key to why this even works (and didn’t work before) is here: https://community.intercoin.app/t/paper-shows-relying-on-has...

Simply put, a reliable random oracle in an adversarial environment should be based on sources of randomness from multiple sources and participants, usually the sources are the participants’ meaningful actions to prevent collusion.

It has been known for quite a while that if the space of inputs being hashed is small, the hashing is relatively useless for most benefits of a true one-way function (eg hashing a phone number in USA).