CVE-2024-45040: 
vulnerability analysis and mitigation

gnark, a fast zk-SNARK library that offers a high-level API to design circuits, was found to have a vulnerability in its implementation of commitments to private witnesses in Groth16 that breaks the zero-knowledge property. The vulnerability (CVE-2024-45040) affects versions prior to 0.11.0 and specifically impacts Groth16 proofs with commitments, while PLONK proofs remain unaffected. The issue was discovered and reported by security researcher maltezellic (GitHub Advisory).

The vulnerability stems from the implementation of commitments to private witnesses in Groth16. The commitment to private witnesses wi is computed as c = sumi wi * bi where bi represents ProvingKey.CommitmentKeys[0].Basis[i] in the code. While this implementation creates a binding commitment, it fails to provide the hiding property. An adversary can determine the points bi from the proving key and verify the correctness of guessed values by computing c' and comparing it with c. This implementation breaks the perfect zero-knowledge property of Groth16, causing the scheme to fail as a proper zk-SNARK when using commitments to private witnesses (GitHub Advisory).

The vulnerability compromises the zero-knowledge property of Groth16 proofs that use commitments. When witness values are small, attackers can enumerate possible choices to deduce the actual value. However, if the possible choices for the committed variables are large or many values are committed, it becomes computationally infeasible to enumerate all valid choices. Importantly, the vulnerability does not affect the completeness or soundness properties of the proofs (GitHub Advisory).

The vulnerability has been fixed in version 0.11.0 through the addition of a random mask to the list of committed values at proving time. This masks the other committed values, restoring the hiding property. As a workaround for affected versions, users can manually commit to a randomized value (GitHub Advisory, Patch).