SoK: What Don't We Know? Understanding Security Vulnerabilities in SNARKs

Authors: 

Stefanos Chaliasos, Imperial College London; Jens Ernstberger, Technical University of Munich; David Theodore, Ethereum Foundation; David Wong, zkSecurity; Mohammad Jahanara, Scroll Foundation; Benjamin Livshits, Imperial College London & Matter Labs

Abstract: 

Zero-knowledge proofs (ZKPs) have evolved from being a theoretical concept providing privacy and verifiability to having practical, real-world implementations, with SNARKs (Succinct Non-Interactive Argument of Knowledge) emerging as one of the most significant innovations. Prior work has mainly focused on designing more efficient SNARK systems and providing security proofs for them. Many think of SNARKs as "just math," implying that what is proven to be correct and secure is correct in practice. In contrast, this paper focuses on assessing end-to-end security properties of real-life SNARK implementations. We start by building foundations with a system model and by establishing threat models and defining adversarial roles for systems that use SNARKs. Our study encompasses an extensive analysis of 141 actual vulnerabilities in SNARK implementations, providing a detailed taxonomy to aid developers and security researchers in understanding the security threats in systems employing SNARKs. Finally, we evaluate existing defense mechanisms and offer recommendations for enhancing the security of SNARK-based systems, paving the way for more robust and reliable implementations in the future.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {299848,
author = {Stefanos Chaliasos and Jens Ernstberger and David Theodore and David Wong and Mohammad Jahanara and Benjamin Livshits},
title = {{SoK}: What Don{\textquoteright}t We Know? Understanding Security Vulnerabilities in {SNARKs}},
booktitle = {33rd USENIX Security Symposium (USENIX Security 24)},
year = {2024},
isbn = {978-1-939133-44-1},
address = {Philadelphia, PA},
pages = {3855--3872},
url = {https://www.usenix.org/conference/usenixsecurity24/presentation/chaliasos},
publisher = {USENIX Association},
month = aug
}

Presentation Video