Current implementation of RLN-Relay uses Groth'16 zkSNARK proof mechanism to achieve spam-protection.
Groth'16 ZK proofs are malleable and this fact allows an attacker to embed (arbitrary-but-short) tagging information in zkSNARK proofs (i.e., there exists a so called Subliminal Channel).
The embedding can be executed
while generating a proof
after a proof is generated
and both techniques preserve proof validity (for same proof statement).
The goal of this issue is to discuss the possible security implications of Subliminal Channels in current RLN-Relay implementation.
Proof of Concept
We setup a chat2 environment according to the RLN-relay local test tutorial. In our custom implementation,Carol uses the Groth'16 Inner Subliminal Message to embed the 4 bytes message 00000000 in her zkSNARK proof. The proof is successfully verified by Alice who outputs the received message.
./build/chat2 --staticnode:/ip4/127.0.0.1/tcp/60010 /p2p/16Uiu2HAmKdCdP89q6CwLc6PeFDJnVR1EmM7fTgtphHiacSNBnuAz --content-topic:/toy-chat/2/luzhou/proto --ports-shift=1 --fleet:none --nodekey=f157b19b13e9ee818acfc9d3d7eec6b81f70c0a978dec19def261172acbe26e6 --rln-relay:true --rln-relay-membership-index:1
Choose a nickname >> Alice
Welcome, Alice!
Connecting to nodes
Listening on
/ip4/192.168.1.151/tcp/60001/p2p/16Uiu2HAkyTos6LeGrj1YJyA3WYzp9qKQGCsxbtvyoBRHSu9PCrQZ
>> proof content 0000a573cea2cf701262b4a36ca5ebe1385ae9ecf302c31c77a92d73f6c1179b0eb52e2df702f37ebad64f0ce21917b707d3d4f871ca225edd81227a28ddb0380000c3b3fcfab07e3c1ec091fff96534ebb1868722141dcf4e1010a58b6f569a273591d24e80b2e41355f6c82231e22c49238d34ea4ad61ae0c0adf8cd401a880d4ceb48f1e357415ec40ec7b3ab212a79f83b68c9a2c4c4cd6a5ea00cbb3f1104fa86aedc61b9db2b42f8adf912a722cb8295bd1d27c8e4ecd22d80270c3bed1b283ccb5ca7c92209392aa0da8fcbcf4d09d550cbbeea47ab2fcc12ee5f81d22d83491ddf84bcf3a4328e9e860a6a7fcaa2772289ceab3634bf74c85306b6aca1877a553eff12e1b21632a0545a916a5c5b8060ad7cc6c69956741134397b2d3dbcce09000000000000000000000000000000000000000000000000000000003a6a6df1fd151ac9e6dba5a34bcae20f5b51f0f46897e48684bcb56aa4bb0a0bae71d366b8ddf6dd192592cc89c40c72837ab05c595647d6ee8452e721efd62a9cc8c1e2dac15cd887dac9e2877439ccb8d15faf27188ac79306db80a142c80c290000000000000008e7b4cd900612054361726f6c1a0268692f746f792d636861742f322f6c757a686f752f70726f746f
<Feb 21, 00:00> Carol: hi
In this example, the message 00000000 is embedded in the first two serialized bytes of the elements A and B of Groth'16 zkSNARK proof, i.e., the 1st, 2nd, 65th and 66th byte of the serialized RateLimitProof.
Note that since proofs are not signed to maintain some form of unlinkability, Alice can embed tagging information on Carol's randomly generated proof before relaying Carol`'s message to other network nodes.
Possible attack scenarios
Embedded messages can be encrypted, thus tagged zkSNARK proofs can be made indistinguishable from random ones and messages might be recovered in clear only by a limited number of (authorized) parties.
Some hypothetical attack scenario might include:
A malicious client (compliant with the protocol) leaks users' private keys surreptitiously, that is the leakage cannot be detected using traffic data analysis.
A malicious network node (compliant with the protocol) embeds tagging information on received proofs, e.g. the IP address of the user that sent such message, and replay the tagged proof to other network nodes.
Some information on the network graph might be inferred by multiple probe nodes that concurrently replay proofs with different tags. Since messages with an already seen nullifier are discarded, by later fetching stored messages from different nodes it may be possible to cluster them using the embedded tag information.
Problem
Current implementation of RLN-Relay uses Groth'16 zkSNARK proof mechanism to achieve spam-protection.
Groth'16 ZK proofs are malleable and this fact allows an attacker to embed (arbitrary-but-short) tagging information in zkSNARK proofs (i.e., there exists a so called Subliminal Channel).
The embedding can be executed
and both techniques preserve proof validity (for same proof statement).
The goal of this issue is to discuss the possible security implications of Subliminal Channels in current RLN-Relay implementation.
Proof of Concept
We setup a
chat2environment according to the RLN-relay local test tutorial. In our custom implementation,Caroluses the Groth'16 Inner Subliminal Message to embed the 4 bytes message00000000in her zkSNARK proof. The proof is successfully verified byAlicewho outputs the received message.In this example, the message
00000000is embedded in the first two serialized bytes of the elementsAandBof Groth'16 zkSNARK proof, i.e., the 1st, 2nd, 65th and 66th byte of the serializedRateLimitProof.Note that since proofs are not signed to maintain some form of unlinkability,
Alicecan embed tagging information onCarol's randomly generated proof before relaying Carol`'s message to other network nodes.Possible attack scenarios
Embedded messages can be encrypted, thus tagged zkSNARK proofs can be made indistinguishable from random ones and messages might be recovered in clear only by a limited number of (authorized) parties.
Some hypothetical attack scenario might include:
nullifierare discarded, by later fetching stored messages from different nodes it may be possible to cluster them using the embedded tag information.