
How to forge proofs in eff_ecdsa.circom #14

Open
Subway2023 opened this issue Sep 27, 2024 · 0 comments

In the version prior to the fix, my approach to forgery was to modify the output in the witness data to the negative of the previous output, thereby generating a false proof.

The original eff_ecdsa.circom is:

```circom
pragma circom 2.0.2;

include "./secp256k1/mul.circom";
include "../node_modules/circomlib/circuits/bitify.circom";

/**
 *  EfficientECDSA
 *  ====================
 *  
 *  Converts inputted efficient ECDSA signature to a public key. There is no
 *  public key validation included.
 */
template EfficientECDSA() {
    var bits = 256;
    signal input s;
    signal input Tx; // T = r^-1 * R
    signal input Ty; 
    signal input Ux; // U = -(m * r^-1 * G)
    signal input Uy;

    signal output pubKeyX;
    signal output pubKeyY;

    // sMultT = s * T
    component sMultT = Secp256k1Mul();
    sMultT.scalar <== s;
    sMultT.xP <== Tx;
    sMultT.yP <== Ty;

    // pubKey = sMultT + U 
    component pubKey = Secp256k1AddComplete();
    pubKey.xP <== sMultT.outX;
    pubKey.yP <== sMultT.outY;
    pubKey.xQ <== Ux;
    pubKey.yQ <== Uy;

    pubKeyX <== pubKey.outX;
    pubKeyY <== pubKey.outY;
}

component main = EfficientECDSA();
```

My input.json is:

```json
{
    "s": "0",
    "Tx": "0",
    "Ty": "0",
    "Ux": "3",
    "Uy": "-4"
}
```

My witness.json is:

```json
[
 "1",
 "3",
 "21888242871839275222246405745257275088548364400416034343698204186575808495613",
 "0",
 "0",
 "3",
 "21888242871839275222246405745257275088548364400416034343698204186575808495613",
 ······
]
```

The forged witness data (exploit_witness.json) is:

```json
[
 "1",
 "3",
 "4",
 "0",
 "0",
 "3",
 "21888242871839275222246405745257275088548364400416034343698204186575808495613",
 ······
]
```

However, the forged witness does not pass verification, and I do not know why. I forged the witness based on the vulnerability's logic, so why did it fail?

```
snarkjs wtns check eff_ecdsa.r1cs exploit_witness.wtns

[INFO]  snarkJS: ----------------------------
[INFO]  snarkJS: > Checking witness correctness
[WARN]  snarkJS: ··· aborting checking process at constraint 2
[WARN]  snarkJS: WITNESS IS NOT CORRECT
[WARN]  snarkJS: WITNESS CHECKING FINISHED UNSUCCESSFULLY
```
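To illustrate what `snarkjs wtns check` is doing above, here is an added example (not code from this repository or the issue author) of a minimal R1CS witness checker over the BN254 scalar field that circom 2.0.x uses by default. The constraint list is constructed to model only the assignment `pubKeyY <== pubKey.outY` from the circuit, and the wire indices and the internal `outY` wire are assumptions, not the layout of the real eff_ecdsa.r1cs; it shows that `"-4"` in input.json is stored as p - 4 in the witness, and that flipping one output wire while the internal wire it is constrained to stays unchanged violates that constraint.

```python
# Minimal R1CS witness check over the BN254 scalar field (circom 2.0.x default).
# Constraints below are constructed for illustration, not read from eff_ecdsa.r1cs.
P = 21888242871839275222246405745257275088548364400416034343698204186575808495617


def to_field(value: str) -> int:
    """Encode a decimal string (possibly negative) as a field element, as input.json values end up in a witness."""
    return int(value) % P


def dot(vec: dict, w: list) -> int:
    """Sparse linear combination {wire_index: coeff} . witness, mod p."""
    return sum(coeff * w[i] for i, coeff in vec.items()) % P


def check_witness(constraints: list, w: list):
    """Return (ok, failing_index); each constraint (A, B, C) must satisfy (A.w) * (B.w) == C.w mod p."""
    for idx, (a, b, c) in enumerate(constraints):
        if (dot(a, w) * dot(b, w)) % P != dot(c, w):
            return False, idx
    return True, None


# Assumed witness layout following circom's convention: w[0] = 1, then outputs,
# then inputs, then internal signals. outY stands in for pubKey.outY.
IDX = {"one": 0, "pubKeyX": 1, "pubKeyY": 2, "s": 3, "Tx": 4, "Ty": 5, "Ux": 6, "Uy": 7, "outY": 8}

# Modelled constraint for `pubKeyY <== pubKey.outY`: (pubKeyY - outY) * 1 == 0.
# -1 is written as P - 1 because coefficients live in the field.
CONSTRAINTS = [
    ({IDX["pubKeyY"]: 1, IDX["outY"]: P - 1}, {IDX["one"]: 1}, {}),
]


def build_witness(pub_key_y: str) -> list:
    """Constructed witness mirroring the values in the issue: pubKeyX = 3, Ux = 3, Uy = -4."""
    w = [0] * len(IDX)
    w[IDX["one"]] = 1
    w[IDX["pubKeyX"]] = 3
    w[IDX["pubKeyY"]] = to_field(pub_key_y)
    w[IDX["Ux"]] = 3
    w[IDX["Uy"]] = to_field("-4")
    w[IDX["outY"]] = to_field("-4")  # internal wire derived from the inputs; a forger editing only the output leaves it as is
    return w


HONEST = build_witness("-4")  # pubKeyY = p - 4, matching witness.json
FORGED = build_witness("4")   # only the output wire flipped, as in exploit_witness.json
```

Running `check_witness(CONSTRAINTS, FORGED)` reports the first violated constraint, which is the same kind of failure the `aborting checking process at constraint N` line above describes.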