





















Maxim Peter, General Intuition
Vesselin Velichkov, OpenZeppelin
The Fiat-Shamir transform [11] is a fundamental technique for converting sound public-coin interactive protocols into sound non-interactive protocols. While the theoretical transformation is conceptually simple, implementation-level deviations—often motivated by performance optimisations—can introduce catastrophic security flaws. In this work, we present the Last Challenge Attack (LCA), a vulnerability arising from such a deviation in a real-world KZG-based SNARK verifier implementation. The vulnerability stems from an incorrect computation of the final KZG [17] protocol challenge, which is a batching challenge derived independently of the evaluation proofs. This flaw potentially affects any KZG implementation of batched proofs for multiple evaluation points. We demonstrate that a malicious prover can exploit this deviation to forge proofs of false statements. We provide a proof-of-concept implementation demonstrating the forgery of a proof for an arbitrary public input. This vulnerability was discovered during a security audit, responsibly disclosed, and fixed.
Note: This is the extended version of the article accepted for publication at Financial Cryptography and Data Security 2026. Updated affiliations.
BibTeX
@misc{cryptoeprint:2024/398,
author = {Oana Ciobotaru and Maxim Peter and Vesselin Velichkov},
title = {The Last Challenge Attack on Fiat-Shamir in {KZG}-based {SNARKs}},
howpublished = {Cryptology {ePrint} Archive, Paper 2024/398},
year = {2024},
url = {https://eprint.iacr.org/2024/398}
}
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。