Skip to content

RISC Zero zkVM notes on zero-knowledge

Low severity GitHub Reviewed Published Jul 15, 2024 in risc0/risc0 • Updated Jul 15, 2024

Package

cargo risc0-zkvm (Rust)

Affected versions

<= 1.0.2

Patched versions

None

Description

RISC Zero zkVM was designed from its inception to provide three main guarantees:

  1. Computational integrity: that a given software program executed correctly.
  2. Succinctness: that the proof of execution does not grow in relation to the program being executed.
  3. Zero Knowledge: that details of the program execution are not visible within the proof of program execution.

Ulrich Habock and Al Kindi have released new research that indicates that several STARK implementations -including our RISC Zero zkVM- do not meet the requirements to assert the specific property of zero knowledge provably.

While a vast majority of real-world applications that leverage RISC Zero zkVM or similar systems depend primarily on computational integrity and succinctness, a subset of applications critically depend on the privacy guarantees provided by zero-knowledge; and for those use cases, users are cautioned to understand the research and make informed decisions based on the risks outlined in using an impacted system.

Although the maintainers are not aware of any attacks that can take advantage of this potential weakness, they are working to proactively address this discovery as quickly as possible.

References

@kevinnassery kevinnassery published to risc0/risc0 Jul 15, 2024
Published to the GitHub Advisory Database Jul 15, 2024
Reviewed Jul 15, 2024
Last updated Jul 15, 2024

Severity

Low

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-5xgj-pmjj-gw49

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.