PT-2026-42695 · Plonky3+1
Published: 2026-05-21 · Updated: 2026-06-10 · CVE-2026-46654
CVSS v4.0: 8.9 (High)
Vector: AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
Plonky3 versions prior to 0.4.3
Plonky3 versions prior to 0.5.3
Description
An attacker controlling prover-side observations can craft distinct transcripts that produce identical challenges, breaking the binding property of the Fiat-Shamir transform. Three attack vectors exist:
- Partial-chunk aliasing during absorption: the duplexing() function packs input_buffer.chunks(num_f_elms) with reduce_32 without a length marker and without zeroing unused rate slots. An attacker can therefore extend or truncate the tail of an observation batch without altering future challenges.
- Non-injective squeeze: the split_32 function decomposes PF rate cells into base-2^64 digits and maps each through TF::from_u64, which reduces it mod F::ORDER. Distinct PF values differing only in their upper 33 bits produce identical challenge sequences, weakening entropy and enabling selective forgery.
- High-bit truncation: num_f_elms = PF::bits() / 64 uses floor division. For BN254 (a 254-bit field) this yields 3 limbs covering 192 bits, so the top 62 bits of every digest word are discarded and distinct BN254 hash digests differing only in bits 192–253 can be used interchangeably.
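The following is a stand-alone model, written for this advisory and not Plonky3's own code, of the limb packing the three vectors above describe: 31-bit BabyBear observations packed into BN254 sponge cells with reduce_32 and squeezed back with split_32, plus a PF digest observed through split_32. It assumes a sponge of WIDTH 3 and RATE 2 and substitutes a toy permutation for Poseidon2 (the aliasing happens in the packing before the permutation and the splitting after it, so the permutation itself does not matter). The field orders are the real BabyBear and BN254 scalar-field moduli; the observation values are constructed.

```python
# Constructed stand-alone model of the limb packing described above; not
# Plonky3's code. Assumed sponge shape WIDTH=3, RATE=2; toy permutation
# instead of Poseidon2 (the aliasing is in the packing, not the permutation).

BABYBEAR = 2**31 - 2**27 + 1   # F::ORDER, the 31-bit BabyBear prime
BN254_FR = 21888242871839275222246405745257275088548364400416034343698204186575808495617
WIDTH, RATE = 3, 2
NUM_F_ELMS = BN254_FR.bit_length() // 64   # floor division: 254 // 64 == 3

def dropped_high_bits():
    """Bits of a PF element that NUM_F_ELMS base-2^64 digits never cover."""
    return BN254_FR.bit_length() - NUM_F_ELMS * 64   # 254 - 192 == 62

def reduce_32(vals):
    """Pack little-endian 32-bit limbs into one PF element (base 2^32).
    No length marker, so a trailing zero limb changes nothing."""
    result = 0
    for v in reversed(vals):
        result = (result * 2**32 + v) % BN254_FR
    return result

def split_32(val, n):
    """The n lowest base-2^64 digits of val, each reduced mod F::ORDER.
    Digits d and d + BABYBEAR collide; bits above 64*n are dropped."""
    out = []
    for _ in range(n):
        out.append((val & (2**64 - 1)) % BABYBEAR)
        val >>= 64
    return out

def permute(state):
    """Stand-in permutation for the demo (NOT Poseidon2)."""
    for rnd in range(4):
        total = sum(state) % BN254_FR
        state = [pow((s + total + rnd + i) % BN254_FR, 5, BN254_FR)
                 for i, s in enumerate(state)]
    return state

class Challenger:
    """Minimal model of the duplex sponge the advisory describes."""
    def __init__(self):
        self.state, self.inp, self.out = [0] * WIDTH, [], []

    def duplexing(self):
        chunks = [self.inp[j:j + NUM_F_ELMS]
                  for j in range(0, len(self.inp), NUM_F_ELMS)]
        assert len(chunks) <= RATE
        # Only cells that received a chunk are overwritten: a short last chunk
        # is packed as-is and unused rate cells keep their previous value.
        for i, chunk in enumerate(chunks):
            self.state[i] = reduce_32(chunk)
        self.inp = []
        self.state = permute(self.state)
        self.out = []
        for pf in self.state[:RATE]:
            self.out.extend(split_32(pf, NUM_F_ELMS))

    def observe(self, f):
        self.out = []
        self.inp.append(f)
        if len(self.inp) == NUM_F_ELMS * RATE:
            self.duplexing()

    def observe_digest(self, pf):
        """A PF digest enters through split_32 too, so its top bits are lost."""
        for f in split_32(pf, NUM_F_ELMS):
            self.observe(f)

    def sample(self):
        if self.inp or not self.out:
            self.duplexing()
        return self.out.pop()

def challenges(observations, n=4):
    """Challenges after observing F elements (ints) or PF digests
    (passed as one-element tuples)."""
    c = Challenger()
    for o in observations:
        if isinstance(o, tuple):
            c.observe_digest(o[0])
        else:
            c.observe(o)
    return [c.sample() for _ in range(n)]

def aliasing_demos():
    """(extend, truncate, squeeze, digest, control): True means the two
    distinct transcripts produced identical challenges."""
    base = [1, 2, 3, 4]
    # 1a) extend the tail with a zero limb: chunks [4] and [4, 0] both pack to 4
    extend = challenges(base) == challenges(base + [0])
    # 1b) truncate a zero tail while the rate cell is still zero (fresh state)
    truncate = challenges([1, 2, 3, 0]) == challenges([1, 2, 3])
    # 2) split_32 collision: one base-2^64 digit differs by exactly BABYBEAR
    v = 12345
    squeeze = split_32(v, NUM_F_ELMS) == split_32(v + BABYBEAR, NUM_F_ELMS)
    # 3) two BN254 digests differing only in bit 200 are interchangeable
    digest = challenges([(0x1234,)]) == challenges([(0x1234 + 2**200,)])
    # control: a nonzero tail limb does change the challenges
    control = challenges(base) == challenges(base + [1])
    return extend, truncate, squeeze, digest, control
```

Each of the first four demos pairs two transcripts that a verifier would treat as different observations yet that yield the same challenge sequence; the control case shows that a nonzero tail limb does change the challenges, so the aliasing is specific to the missing length marker, the modular reduction in split_32, and the floor-divided limb count rather than a weakness of the permutation.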
Recommendations
Update to version 0.4.3.
Update to version 0.5.3.
Fix
Insufficient Verification of Data Authenticity (CWE-345)
Related Identifiers
Affected Products
Plonky3
P3-Challenger