Abstract
With the growing interest in privacy-enhancing technologies, we are seeing a complementary growth in the desire to build and deploy complex cryptographic systems that involve techniques like zero-knowledge proofs. Of these, general purpose proof systems like zkSNARKs have seen the most interest, due to their small proof size, fast verification, and expressiveness. Unfortunately, as we have seen with many areas of cryptography, guaranteeing correct implementations can be tricky, as the protocols themselves are complicated and often require substantial low-level manual effort to achieve maximum performance. To help with this problem, and gain better assurances about the correctness and security of already implemented zkSNARK protocols and the privacy-enhancing applications that use them, we design and build SNARKProbe, an automated security analysis framework for zkSNARKs that can scan R1CS-based libraries and applications to detect various issues, such as edge case crashing, cryptographic operation errors, and/or inconsistencies with protocol descriptions. SNARKProbe leverages a variety of analysis techniques, including fuzzing and SMT solvers. We test the performance of SNARKProbe on a variety of different experimental parameters to demonstrate its practicality and reasonable runtime, and we also evaluate its ability to find potential inconsistencies and errors in implementations.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
Note that this is something that professional security audits do flag, as these can lead to potential future problems, seeĀ [4].
- 2.
And, in fact, in one instance the underlying library was actually unable to scale and run before we ran into any issues with our tool.
- 3.
https://github.com/BARC-Purdue/SNARKProbe.
- 4.
We note that we cannot do anything about the garbage-in-garbage-out problem (for example, the case where a developer implements a proof that misses a necessary case, such as omitting checking if a value is greater than 0). We can just help determine if the specified statement and realized proof are likely equivalent.
- 5.
We work around the general undecidability of function equality by operating in the more constrained setting (over the finite fields) and adding special rules for primary variables and auxiliary variables.
- 6.
We cannot guarantee equivalence due to the fact that the SMT solver might output UNKNOWN, as well as possible domain gaps (see Appendix A.4).
- 7.
Incorrectly labeling UNIMPORTANT branches as IMPORTANT only increases the fuzzing time without affecting the accuracy of the analysis.
- 8.
We define a āfull runā to be using the Input Generator to produce one zkSNARK program, analyzing coverage status with the Branch Model, and looking for any software and cryptographic related bugs with the Value Model and Value Monitor.
- 9.
One that will verify even though the prover does not actually have a valid witness.
- 10.
We note that Circom is just an example that we tested, and that the same should hold true for other circuit generators as well.
References
Fixing vulnerabilities in the zcash protocol (2016). https://electriccoin.co/blog/fixing-zcash-vulns/
Zcash counterfeiting vulnerability successfully remediated (2019). https://electriccoin.co/blog/zcash-counterfeiting-vulnerability-successfully-remediated/
libsnark: a C++ library for zksnark proofs (2020). https://github.com/scipr-lab/libsnark
Nu4 cryptographic specification and implementation review (2020). https://research.nccgroup.com/wp-content/uploads/2020/09/NCC_Group_Zcash_ZCHX006_Report_2020-09-03_v2.0.pdf
Playsnark: a playground to learn proofs systems (2020). https://github.com/nikkolasg/playsnark
Dark forest (2022). https://blog.zkga.me/
Zero-knowledge rollups (2022). https://ethereum.org/en/developers/docs/scaling/zk-rollups/
Aleo (2023). https://www.aleo.org/
atheris, atheris: A coverage-guided, native python fuzzer (2023). https://github.com/google/atheris
bellman, a zk-SNARK library (2023). https://github.com/zkcrypto/bellman
Clangās source-based code coverage (2023). https://clang.llvm.org/docs/SourceBasedCodeCoverage.html
doxygen, doxygen (2023). https://github.com/doxygen/doxygen
gnark zk-SNARK library (2023). https://github.com/Consensys/gnark
libsnark: A rust implementation of the groth16 zkSNARK (2023). https://github.com/arkworks-rs/groth16
Project everest (2023). https://project-everest.github.io/
rapidsnark (2023). https://github.com/iden3/rapidsnark
snarkjs (2023). https://github.com/iden3/snarkjs
wasmsnark (2023). https://github.com/iden3/wasmsnark
Zcash (2023). https://z.cash/
zksnarks for the world (2023). https://research.protocol.ai/sites/snarks/
Aumasson, J.P., Romailler, Y.: Automated testing of crypto software using differential fuzzing. Black Hat USA (2017)
Bang, L., Rosner, N., Bultan, T.: Online synthesis of adaptive side-channel attacks based on noisy observations. In: IEEE EuroS &P (2018)
Barbosa, H., Reynolds, A., Ouraoui, D.E., Tinelli, C., Barrett, C.: Extending SMT solvers to higher-order logic. In: CADE (2019)
Barbosa, M., et al.: SoK: computer-aided cryptography. In: IEEE S &P (2021)
Beck, G., Zinkus, M., Green, M.: Automating the development of chosen ciphertext attacks. In: USENIX Security (2020)
Ben-Sasson, E., Chiesa, A., Genkin, D., Tromer, E., Virza, M.: SNARKs for C: verifying program executions succinctly and in zero knowledge. Cryptology ePrint Archive, Report 2013/507 (2013)
Ben-Sasson, E., Chiesa, A., Tromer, E., Virza, M.: Succinct non-interactive zero knowledge for a von Neumann architecture. In: USENIX Security (2014)
Bƶhme, M., Pham, V.T., Nguyen, M.D., Roychoudhury, A.: Directed greybox fuzzing. In: ACM CCS (2017)
Bƶhme, M., Pham, V.T., Roychoudhury, A.: Coverage-based greybox fuzzing as Markov chain. In: IEEE TSE (2017)
Chen, C., Cui, B., Ma, J., Wu, R., Guo, J., Liu, W.: A systematic review of fuzzing techniques. Comput. Secur. 75, 118ā137 (2018)
Ethereum: Python implementation of ECC pairing and bn_128 and bls12_381 curve operations. Ethereum, December 2021. https://github.com/ethereum/py_ecc. Accessed Dec 2021
Faz-HernƔndez, A., Kwiatkowski, K.: Introducing CIRCL: An Advanced Cryptographic Library. Cloudflare, June 2019. https://github.com/cloudflare/circl. v1.2.0 Accessed June 2022
Fredrikson, M., Livshits, B.: ZĆø: An optimizing distributing zero-knowledge compiler. In: USENIX Security (2014)
Gabizon, A.: AuroraLight: improved prover efficiency and SRS size in a Sonic-like system. Cryptology ePrint Archive, Paper 2019/601 (2019). https://eprint.iacr.org/2019/601
Garman, C., Green, M., Kaptchuk, G., Miers, I., Rushanan, M.: Dancing on the lip of the volcano: chosen ciphertext attacks on apple \(\{\)iMessage\(\}\). In: USENIX Security (2016)
Godefroid, P., Peleg, H., Singh, R.: Learn &Fuzz: machine learning for input fuzzing. In: ASE (2017)
Goldreich, O., Micali, S., Wigderson, A.: Proofs that yield nothing but their validity and a methodology of cryptographic protocol design. In: FOCS (1986)
Google: syzkaller - kernel fuzzer (2017). https://github.com/google/syzkaller. Accessed July 2022
Groth, J.: On the size of pairing-based non-interactive arguments. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 305ā326. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_11
Householder, A.D., Foote, J.M.: Probability-based parameter selection for black-box fuzz testing. Technical report. Carnegie Mellon University, SEI (2012)
iden3: circom - Circuit Compiler for ZK Proving Systems (2023). https://github.com/iden3/circom. Accessed Aug 2022
Kosba, A.: xJsnark (2022). https://github.com/akosba/xjsnark. Accessed Aug 2022
Kupser, D., Mainka, C., Schwenk, J., Somorovsky, J.: How to break XML encryption-automatically. In: USENIX WOOT (2015)
o1 labs: snarky (2023). https://github.com/o1-labs/snarky. Accessed Aug 2022
Macgillivray, A., deBlanc Knowles, T.: Advancing a vision for privacy enhancing technologies (2022). https://www.whitehouse.gov/ostp/news-updates/2022/06/28/advancing-a-vision-for-privacy-enhancing-technologies/
Mouha, N., Raunak, M.S., Kuhn, D.R., Kacker, R.: Finding bugs in cryptographic hash function implementations. IEEE Trans. Reliab. 67(3), 870ā884 (2018)
Moura, L.D., BjĆørner, N.: Z3: an efficient SMT solver. In: TACAS (2008)
Naveed, M., Kamara, S., Wright, C.V.: Inference attacks on property-preserving encrypted databases. In: ACM CCS (2015)
Nicas, J., Isaac, M., Frenkel, S.: Millions flock to telegram and signal as fears grow over big tech (2021). https://www.nytimes.com/2021/01/13/technology/telegram-signal-apps-big-tech.html
Nitulescu, A.: zk-snarks: a gentle introduction. Technical report (2020)
NSA: Patch critical cryptographic vulnerability in Microsoft Windows clients and servers (2020). https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF
Parno, B., Howell, J., Gentry, C., Raykova, M.: Pinocchio: nearly practical verifiable computation. In: IEEE S &P (2013)
Pasareanu, C.S., Phan, Q.S., Malacaria, P.: Multi-run side-channel analysis using Symbolic Execution and Max-SMT. In: IEEE CSF (2016)
Phan, Q.S., Bang, L., Pasareanu, C.S., Malacaria, P., Bultan, T.: Synthesis of adaptive side-channel attacks. In: IEEE CSF (2017)
Protzenko, J., Beurdouche, B., Merigoux, D., Bhargavan, K.: Formally verified cryptographic web applications in WebAssembly. In: IEEE S &P (2019)
Rupprecht, D., Kohls, K., Holz, T., Pƶpper, C.: Call me maybe: eavesdropping encrypted LTE calls with ReVoLTE. In: USENIX Security (2020)
Somorovsky, J.: Systematic fuzzing and testing of TLS libraries. In: ACM CCS (2016)
Walz, A., Sikora, A.: Exploiting dissent: towards fuzzing-based differential black-box testing of TLS implementations. In: IEEE TDSC (2017)
Woo, M., Cha, S.K., Gottlieb, S., Brumley, D.: Scheduling black-box mutational fuzzing. In: ACM CCS (2013)
Zalewski, M.: American fuzzy lop (2016). https://github.com/mirrorer/afl. v2.52b Accessed July 2022
Acknowledgments
This work was supported by NSF grant CNS-2047991.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
A Additional Information forĀ Constraint Checker
1.1 A.1 An optimization forĀ theĀ SMT solver
The SMT solver may take a while to solve some complicated equations. To reduce the processing time in the equality check, we introduce optimizations and simplify some equations in the R1CS matrix. For example, many libsnark gadgets use bit shifting, which produces the equation \((x * (1 + (p - 1) * x)) \bmod p = 0\) in R1CS gates. This equation represents \(x = 0\) or \(x = 1\). For our optimization, if the Constraint Checker detects such a relation, it will be replaced with \(0 \le x \wedge x \le 1\) where \(x \in \mathbb {F}\). These are logically equivalent, but our replacement is much easier for the SMT solver to work with. A real world gadget like the comparison_gadget in libsnark has 16 constraints, and there are 11 constraints representing \(x = 0\) or \(x = 1\) (see Appendix C).
1.2 A.2 Protocol ofĀ theĀ Constraint Checker byĀ theĀ SMT Solver
1.3 A.3 Example Constraint Checker
For the interested reader, we provide an example of our Constraint Checker to show how a developer can run the tool. More examples can be found in our code.
1.4 A.4 Domain Gap Issues
The same upper bound and lower bound does not guarantee that statement equations and R1CS gates have the same range. FigureĀ 4c and 4d shows an example of an unmatched domain with the same upper bound and lower bound.
Domain Gap in Statement Equations Ā
The ground truth domain of statement equations is known and provided by the user (which means we know the domain gap in the statement equations), the Constraint Checker can use the SMT solver to find if the R1CS gates have solution(s) outside the domain of statement equations (e.g. in the gap). If the SMT solver returns SAT, then the domainsā of the statement equations and R1CS gates do not match and thus they are not equivalent. This example corresponds to Fig.Ā 4d.
Domain Gap in R1CS Gates Ā
Since the domain of the R1CS gates is unknown, the Constraint Checker cannot use the SMT solver to detect an unmatched domain as in the previous example. However, in this instance, the prover likely will not be able to generate a proof for a secret value in the gap because these secret values are not in the domain of R1CS Gates even though they are valid solutions to the original statement equations. That is, the set of allowable input values for the implemented R1CS matrix is a subset of the set of input values for the desired proof statement. Therefore, while this leads to undesirable behavior as the prover cannot generate proofs for the entire valid input range, it does not lead to any exploits or āfakeā proofs (i.e., the ability to generate a valid proof without knowledge of the secret value). This example corresponds to Fig.Ā 4c.
We believe this type of gap is very rare, but we still try to find this issue by producing a set of uniform random numbers as input for statement equations and R1CS gates. If the R1CS gates do not have a solution but the statement equations do have a valid solution for an input number, then there is a gap in the statement equations, which is not equivalent to the statement equationsā domain. This test does not guarantee finding an existing domain gap, but a larger set of numbers has higher confidence in finding any existing gaps.
B Additional Information forĀ SnarkFuzzer
1.1 B.1 Example Ideal Model Files
1.2 B.2 PrettyPrint Example
C Equations comparison_gadget Represents
Rights and permissions
Copyright information
Ā© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Fan, Y., Xu, Y., Garman, C. (2024). SNARKProbe: An Automated Security Analysis Framework forĀ zkSNARK Implementations. In: Pƶpper, C., Batina, L. (eds) Applied Cryptography and Network Security. ACNS 2024. Lecture Notes in Computer Science, vol 14584. Springer, Cham. https://doi.org/10.1007/978-3-031-54773-7_14
Download citation
DOI: https://doi.org/10.1007/978-3-031-54773-7_14
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-54772-0
Online ISBN: 978-3-031-54773-7
eBook Packages: Computer ScienceComputer Science (R0)