Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS01eGdqLXBtamotZ3c0Oc4AA95u

RISC Zero zkVM notes on zero-knowledge

RISC Zero zkVM was designed from its inception to provide three main guarantees:

1. Computational integrity: that a given software program executed correctly.
2. Succinctness: that the proof of execution does not grow in relation to the program being executed.
3. Zero Knowledge: that details of the program execution are not visible within the proof of program execution.

Ulrich Habock and Al Kindi have released new research that indicates that several STARK implementations -including our RISC Zero zkVM- do not meet the requirements to assert the specific property of zero knowledge provably.

While a vast majority of real-world applications that leverage RISC Zero zkVM or similar systems depend primarily on computational integrity and succinctness, a subset of applications critically depend on the privacy guarantees provided by zero-knowledge; and for those use cases, users are cautioned to understand the research and make informed decisions based on the risks outlined in using an impacted system.

Although the maintainers are not aware of any attacks that can take advantage of this potential weakness, they are working to proactively address this discovery as quickly as possible.

Permalink: https://github.com/advisories/GHSA-5xgj-pmjj-gw49
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01eGdqLXBtamotZ3c0Oc4AA95u
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 4 months ago
Updated: 4 months ago

Identifiers: GHSA-5xgj-pmjj-gw49
References:

• https://github.com/risc0/risc0/security/advisories/GHSA-5xgj-pmjj-gw49
• https://eprint.iacr.org/2024/1037
• https://github.com/advisories/GHSA-5xgj-pmjj-gw49

Repository: https://github.com/risc0/risc0
Blast Radius: 0.0

Affected Packages