GHSA-5xgj-pmjj-gw49

Suggest an improvement
Source
https://github.com/advisories/GHSA-5xgj-pmjj-gw49
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-5xgj-pmjj-gw49/GHSA-5xgj-pmjj-gw49.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-5xgj-pmjj-gw49
Published
2024-07-15T18:32:22Z
Modified
2024-07-15T18:32:22Z
Summary
RISC Zero zkVM notes on zero-knowledge
Details

RISC Zero zkVM was designed from its inception to provide three main guarantees: 1. Computational integrity: that a given software program executed correctly. 2. Succinctness: that the proof of execution does not grow in relation to the program being executed. 3. Zero Knowledge: that details of the program execution are not visible within the proof of program execution.

Ulrich Habock and Al Kindi have released [new research] that indicates that several STARK implementations -including our RISC Zero zkVM- do not meet the requirements to assert the specific property of zero knowledge provably.

While a vast majority of real-world applications that leverage RISC Zero zkVM or similar systems depend primarily on computational integrity and succinctness, a subset of applications critically depend on the privacy guarantees provided by zero-knowledge; and for those use cases, users are cautioned to understand the research and make informed decisions based on the risks outlined in using an impacted system.

Although the maintainers are not aware of any attacks that can take advantage of this potential weakness, they are working to proactively address this discovery as quickly as possible.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-15T18:32:22Z"
}
References

Affected packages

crates.io / risc0-zkvm

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
1.0.2