ZK-Garage / plonk

A pure Rust PLONK implementation using arkworks as a backend.
https://discord.gg/XWJdhVf37F
Mozilla Public License 2.0

Insufficient blinding of `z_poly` #170

Open krnak opened 1 year ago

krnak commented 1 year ago

Method StandardComposer::add_blinding_factors uses 4 random scalars to blind the wire polynomials w_l and w_r and the permutation polynomial z_poly. Also notice that the blinding factors of w_o and w_4 do not contribute to the blinding of z_poly, because these values cancel out from the equation of z_poly.

Since the verifier gets 5 evaluations of these 3 polynomials, namely

w_l(z_challenge)
w_r(z_challenge)
w_l(shifted_z_challenge)
w_r(shifted_z_challenge)
z_poly(shifted_z_challenge)

four scalars are definitely not enough to blind these polynomials. It follows that the current implementation of the protocol does not have the zero-knowledge property.
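As an added illustration of the counting argument above (not code from the plonk crate), here is a toy F_97 example of a single polynomial opened at z and z*omega: with one blinding scalar the verifier can compute a value that does not depend on the blinder, so a guessed witness can be tested against the openings, while with two scalars every guessed witness is consistent with both openings. The field, domain and polynomial values are constructed for the example.

```python
# Constructed toy example: one polynomial opened at z and at z*omega.
P, N, OMEGA = 97, 4, 22          # F_97; OMEGA = 22 has order 4 (22^2 = -1 mod 97)

def poly_eval(coeffs, x):
    """Horner evaluation of a polynomial (coefficients low degree first) in F_P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def vanishing(x):
    """Z_H(x) = x^N - 1 for the multiplicative subgroup H of order N."""
    return (pow(x, N, P) - 1) % P

def blind(f, blinders):
    """Coefficients of f(X) + (b_0 + b_1 X + ...) * Z_H(X)."""
    w = list(f) + [0] * (N + len(blinders))
    for i, b in enumerate(blinders):          # b X^i * (X^N - 1)
        w[i] = (w[i] - b) % P
        w[i + N] = (w[i + N] + b) % P
    return w

def openings(f, blinders, z):
    """The two evaluations the verifier receives: w(z) and w(z*omega)."""
    w = blind(f, blinders)
    return poly_eval(w, z), poly_eval(w, z * OMEGA % P)

def leaked_value(w_z, w_zw, z):
    """Computable by the verifier from the two openings; with a single blinder
    b_0 it equals f(z)/Z_H(z) - f(zw)/Z_H(zw), which does not depend on b_0."""
    zw = z * OMEGA % P
    return (w_z * pow(vanishing(z), -1, P) - w_zw * pow(vanishing(zw), -1, P)) % P

def one_blinder_leaks(f, z, b_a, b_b):
    """True: two different b_0 give identical leaked values, so the blinding
    does not hide f from a verifier who can test a guessed witness."""
    return leaked_value(*openings(f, [b_a], z), z) == leaked_value(*openings(f, [b_b], z), z)

def explain_with_two_blinders(f_guess, w_z, w_zw, z):
    """Solve for (b_0, b_1) that make f_guess consistent with both openings.
    Requires z not in H and z != 0; a solution then always exists, so the two
    openings reveal nothing about f."""
    zw = z * OMEGA % P
    r1 = (w_z - poly_eval(f_guess, z)) * pow(vanishing(z), -1, P) % P
    r2 = (w_zw - poly_eval(f_guess, zw)) * pow(vanishing(zw), -1, P) % P
    b1 = (r2 - r1) * pow(zw - z, -1, P) % P
    b0 = (r1 - b1 * z) % P
    return b0, b1
```

The same bookkeeping applies to the three polynomials in the issue: each revealed evaluation removes one degree of freedom, so the number of independent blinding scalars reaching those evaluations must be at least the number of evaluations.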

lopeetall commented 1 year ago

You are correct @krnak. This should be at least partially fixed by PR #148 by @CarloModicaPortfolio which I looked over again this morning.

I am not sure #148 solves the entire blinding issue. I am concerned that more blinding for the z_poly may be needed. Will you look it over and give a review?

krnak commented 1 year ago

I have reviewed #148. New blinding looks sufficient to me.