SlideShare a Scribd company logo

zkStudyClub: Zero-Knowledge Proofs Security, in Practice [JP Aumasson, Taurus]

A
Alex Pruden

Slides accompanying zkStudyClub talk: Zero-Knowledge Proofs Security, in Practice. JP Aumasson (co-creator of the BLAKE hash function family) will share his experience doing security auditing for various projects that use zero-knowledge proofs. He will describe his approach, the common pitfalls in the different components of a proof system, as well as a catalog of bugs that have been discovered in various projects

Technology
1 of 37
Download to read offline
Zero-knowledge proofs security, in practice JP Aumasson @veorq CSO @ taurushq.com
NIZK arguments security, in practice JP Aumasson @veorq CSO @ taurushq.com
This talk Focus on zkSNARKs, a class of NIZK arguments Fully succinct = O(1) proof size and O(circuit size) veri fi cation time Based on my experience looking for bugs in systems using Groth16, used in Zcash, Filecoin, and many others Marlin, a universal zkSNARK, used in Aleo Most of the content applies to other systems (Plonk, SONIC, etc.) and STARKs 3
Why study zkSNARKs security? For blockchain projects: A major risk: Complexity + Novelty => Non-trivial bugs A lot at stake ($$$ and user data/privacy) 4
Why study zkSNARKs security? For blockchain projects: A major risk: Complexity + Novelty => Non-trivial bugs A lot at stake ($$$ and user data/privacy) As a cryptographer: The most interesting crypto today: Solving real-world problems and deployed at scale (good papers + good code!) Intricate constructions with non-trivial components “Simple but complex" (non-interactive, many moving parts) “Multidimensional" way to reason about security 5
What is zkSNARKs security? Soundness, often the highest risk in practice: Invalid proofs should always be rejected Forging, altering, replaying valid proofs should be impossible 6
What is zkSNARKs security? Soundness, often the highest risk in practice: Invalid proofs should always be rejected Forging, altering, replaying valid proofs should be impossible Zero-knowledge: Proofs should not leak witness information (private variables) In practice succinct proofs of large programs can leak only little data 7
What is zkSNARKs security? Soundness, often the highest risk in practice: Invalid proofs should always be rejected Forging, altering, replaying valid proofs should be impossible Zero-knowledge: Proofs should not leak witness information (private variables) In practice succinct proofs of large programs can leak only little data Completeness, often a DoS/usability risk that may be further exploited: Valid proofs should always be accepted All programs/circuits supported should be correctly processed 8
Bug hunting challenges Practical zkSNARKs are recent, thus auditors often have Limited experience auditing ZKPs Limited knowledge of the theory, of implementations’ tricks Limited “checklist" of bugs and bug classes Limited tooling and methodology Most bugs found internally or by teams of similar projects 9
New crypto, new approach More collaboration with the devs/designers (joint review sessions, Q&As, etc.) More threat analysis, to understand the application’s unique/novel risks Practical experience: writing PoCs, circuits, proof systems, etc. Learn previous failures, for example from… Public disclosures and exploits Other audit reports Issue trackers / PRs Community 10
General work fl ow, and failure examples 11 Computation Circuit de fi nition Arithmetization Non-interactive proof Integration
General work fl ow, and failure examples 12 Computation Circuit de fi nition Arithmetization Non-interactive proof Integration The program’s logic is not secure The circuit is not equivalent to the program The CS fails to enforce an operation a constraint Bad choice of internal commitment schemes wrt hiding or binding properties The application allows replays of previous proofs
How to break zkSNARKs security? (1/2) Break soundness, for example by exploiting Constraint system not effectively enforcing certain constraints Insecure generation or protection of proving keys 13
How to break zkSNARKs security? (1/2) Break soundness, for example by exploiting Constraint system not effectively enforcing certain constraints Insecure generation or protection of proving keys Break zero-knowledge, for example by exploiting Private data treated as public variables Protocol-level “metadata attacks” 14
How to break zkSNARKs security? (1/2) Break soundness, for example by exploiting Constraint system not effectively enforcing certain constraints Insecure generation or protection of proving keys Break zero-knowledge, for example by exploiting Private data treated as public variables Protocol-level “metadata attacks” Break completeness, for example by exploiting Incorrect R1CS synthesis behaviour on edge cases (e.g. wrt number of private vars) Gadget composition failure caused by type mismatch between gadget i/o values 15
How to break zkSNARKs security? (2/2) Break (off-chain) software, via any bug leading to Leakage of data, including via side channels, encodings (“ZK execution”) Any form in insecure state (code execution, DoS) Compromise the supply-chain, via Trusted setup's code and execution Build and release process integrity Software dependencies 16
How to break zkSNARKs security? (2/2) Break (off-chain) software, via any bug leading to Leakage of data, including via side channels, encodings (“ZK execution”) Any form in insecure state (code execution, DoS) Compromise the supply-chain, via Trusted setup's code and execution Build and release process integrity Software dependencies Break (on-chain) software (incl. veri fi er) via smart contract bugs, logic fl aws, etc. 17
Multiple layers 18 A failure in a lower layer can jeopardise the security of all upper layers Platform: language, runtime, OS, hardware, dependencies Prover/veri fi er Application 😈 Adversarial input 😈 🥴 Protocol input 🥴 😐 Con fi g 😐 Field arithmetic, elliptic curves group operations Arithmetization / constraints generation 
 from fi xed or user-de fi ned circuit
Multiple layers 19 A failure in a lower layer can jeopardise the security of all upper layers Platform: language, runtime, OS, hardware, dependencies Prover/veri fi er Application 😈 Adversarial input 😈 🥴 Protocol input 🥴 😐 Con fi g 😐 Zero-knowledge greater risks Completeness and 
 Soundness greater risks Field arithmetic, elliptic curves group operations Arithmetization / constraints generation 
 from fi xed or user-de fi ned circuit
Multiple layers 20 Field arithmetic, elliptic curves group operations A failure in a subcomponent can jeopardise the security of all upper layers Platform: language, runtime, OS, hardware, dependencies Arithmetization / constraints generation 
 from fi xed or user-de fi ned circuit Prover/veri fi er Application 😈 Adversarial input 😈 🥴 Protocol input 🥴 😐 Con fi g 😐 Hashing, PRF,Algebraic commitment, Randomness, Merkle trees, … Fiat-Shamir, Polynomial commitments, Hash-to-curve, linear algebra, … Key/nonce management,Testing Interface, Side channels, Replays Fast operations, multi-exp, … R1CS,AIR, polynomials, … RNG, … ..
Multiple layers 21 Security 101: Input validation must be de fi ned, implemented, and tested Prover/veri fi er Elliptic curves, Pairings, Hash functions, PRF,Algebraic commitment Randomness, Merkle trees Linear algebra, Multi-exp. Polynomial commitments, Fiat-Shamir transforms, etc. etc. Application Key management,Testing Interface, Side channels 😈 Adversarial input 😈 🥴 Protocol input 🥴 😐 Con fi g 😐 Contracts between components must be de fi ned to prevent insecure composition Example: which component is responsible 
 for group membership checks?
22
Soundness – Field arithmetic Root cause: Missing over fl ow check (of a nulli fi er ~ unique ID of a shielded payment) https://github.com/appliedzkp/semaphore/issues/16 23
Soundness – Field arithmetic Missing over fl ow check (of a public input) https://github.com/eea-oasis/baseline/issues/34 24
Soundness – Field arithmetic Missing over fl ow check (of a public input) https://github.com/appliedzkp/semaphore/pull/96/ 25
Soundness – R1CS Field element inverse property not enforced by the constraint system https://github.com/arkworks-rs/r1cs-std/pull/70 26
Soundness – Hash validation Coding error, allowing to fake the witness’ Merkel root and forge proofs https://tornado-cash.medium.com/tornado-cash-got-hacked-by-us-b1e012a3c9a8 27
Soundness – Paper / Setup Theoretical fl aw in the paper’s setup description (sensitive values not cleared) https://electriccoin.co/blog/zcash-counterfeiting-vulnerability-successfully-remediated/ 28
Zero-knowledge – Application (Aztec) Nonces not correctly set by the application, breaking privacy https://medium.com/@jaosef/54dff729a24f (Aztec 2.0 Pre-Launch Notes) 29
Zero-knowledge – Application (Zcash) Correlations between (shielded) transactions 
 leaking exploitable information https://eprint.iacr.org/2020/627.pdf 30
Zero-knowledge – Prover (Plonkup) Missing (randomized) blinding to hide private inputs – potential ZK loss https://github.com/dusk-network/plonk/pull/651 31
DoS – Merkle tree Incomplete tree constraints, leading to a freeze of the rollup validation https://medium.com/aztec-protocol/vulnerabilities-found-in-aztec-2-0-9b80c8bf416c 32
DoS / Completeness? – DSL / Signatures Valid signatures rejected, risk initially deemed negligible https://github.com/starkware-libs/cairo-lang/issues/39 33
Other types of bugs Crypto issues such as: Pedersen bases generation/uniqueness Padding scheme in algebraic hashes and commitments Non-conform implementations of crypto schemes (e.g. Poseidon algebra bugs) Insuf fi cient data being “Fiat-Shamir'd" from the transcript Composability: unsafe interactions between nested proof systems Side channels: Non-ct code, RAM leakage, speculative execution leaks 34
Conclusions 😌 Why not be too scared? Robust code and frameworks (e.g. Rust projects such as arkworks and zkcrypto) DSLs (Cairo, Leo, etc.) make it easier to write safe code Relatively narrow attack surface in practice 35
Conclusions 😌 Why not be too scared? Robust code and frameworks (e.g. Rust projects such as arkworks and zkcrypto) DSLs (Cairo, Leo, etc.) make it easier to write safe code Relatively narrow attack surface in practice 😱 Why be scared? Few people understand zkSNARKs, even fewer can fi nd bugs Lack of tooling (wrt testing, fuzzing, veri fi cation) More ZKPs used => more $$$ at stake => greater RoI for vuln researchers 36
Thank you! JP Aumasson @veorq CSO @ taurushq.com Thanks to Aleo, Protocol Labs, Kobi Gurkan, Adrian Hamelink, Lúcás Meier, Mathilde Raynal

Recommended

Multi-scalar multiplication: state of the art and new ideas
Multi-scalar multiplication: state of the art and new ideasMulti-scalar multiplication: state of the art and new ideas
Multi-scalar multiplication: state of the art and new ideas
Gus Gutoski
 
zkStudyClub: HyperPlonk (Binyi Chen, Benedikt Bünz)
zkStudyClub: HyperPlonk (Binyi Chen, Benedikt Bünz)zkStudyClub: HyperPlonk (Binyi Chen, Benedikt Bünz)
zkStudyClub: HyperPlonk (Binyi Chen, Benedikt Bünz)
Alex Pruden
 
ZK Study Club: Supernova (Srinath Setty - MS Research)
ZK Study Club: Supernova (Srinath Setty - MS Research)ZK Study Club: Supernova (Srinath Setty - MS Research)
ZK Study Club: Supernova (Srinath Setty - MS Research)
Alex Pruden
 
zkStudyClub - Lasso/Jolt (Justin Thaler, GWU/a16z)
zkStudyClub - Lasso/Jolt (Justin Thaler, GWU/a16z)zkStudyClub - Lasso/Jolt (Justin Thaler, GWU/a16z)
zkStudyClub - Lasso/Jolt (Justin Thaler, GWU/a16z)
Alex Pruden
 
zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...
zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...
zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...
Alex Pruden
 
Zero-Knowledge Proofs: Privacy-Preserving Digital Identity with Clare Nelson
Zero-Knowledge Proofs: Privacy-Preserving Digital Identity with Clare NelsonZero-Knowledge Proofs: Privacy-Preserving Digital Identity with Clare Nelson
Zero-Knowledge Proofs: Privacy-Preserving Digital Identity with Clare Nelson
SSIMeetup
 
zkStudyClub - ProtoStar (Binyi Chen & Benedikt Bünz, Espresso Systems)
zkStudyClub - ProtoStar (Binyi Chen & Benedikt Bünz, Espresso Systems)zkStudyClub - ProtoStar (Binyi Chen & Benedikt Bünz, Espresso Systems)
zkStudyClub - ProtoStar (Binyi Chen & Benedikt Bünz, Espresso Systems)
Alex Pruden
 
Scaling Ethereum using Zero-Knowledge Proofs
Scaling Ethereum using Zero-Knowledge ProofsScaling Ethereum using Zero-Knowledge Proofs
Scaling Ethereum using Zero-Knowledge Proofs
Hyojun Kim
 

Recommended

Multi-scalar multiplication: state of the art and new ideas
Multi-scalar multiplication: state of the art and new ideasMulti-scalar multiplication: state of the art and new ideas
Multi-scalar multiplication: state of the art and new ideas
Gus Gutoski
 
zkStudyClub: HyperPlonk (Binyi Chen, Benedikt Bünz)
zkStudyClub: HyperPlonk (Binyi Chen, Benedikt Bünz)zkStudyClub: HyperPlonk (Binyi Chen, Benedikt Bünz)
zkStudyClub: HyperPlonk (Binyi Chen, Benedikt Bünz)
Alex Pruden
 
ZK Study Club: Supernova (Srinath Setty - MS Research)
ZK Study Club: Supernova (Srinath Setty - MS Research)ZK Study Club: Supernova (Srinath Setty - MS Research)
ZK Study Club: Supernova (Srinath Setty - MS Research)
Alex Pruden
 
zkStudyClub - Lasso/Jolt (Justin Thaler, GWU/a16z)
zkStudyClub - Lasso/Jolt (Justin Thaler, GWU/a16z)zkStudyClub - Lasso/Jolt (Justin Thaler, GWU/a16z)
zkStudyClub - Lasso/Jolt (Justin Thaler, GWU/a16z)
Alex Pruden
 
zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...
zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...
zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...
Alex Pruden
 
Zero-Knowledge Proofs: Privacy-Preserving Digital Identity with Clare Nelson
Zero-Knowledge Proofs: Privacy-Preserving Digital Identity with Clare NelsonZero-Knowledge Proofs: Privacy-Preserving Digital Identity with Clare Nelson
Zero-Knowledge Proofs: Privacy-Preserving Digital Identity with Clare Nelson
SSIMeetup
 
zkStudyClub - ProtoStar (Binyi Chen & Benedikt Bünz, Espresso Systems)
zkStudyClub - ProtoStar (Binyi Chen & Benedikt Bünz, Espresso Systems)zkStudyClub - ProtoStar (Binyi Chen & Benedikt Bünz, Espresso Systems)
zkStudyClub - ProtoStar (Binyi Chen & Benedikt Bünz, Espresso Systems)
Alex Pruden
 
Scaling Ethereum using Zero-Knowledge Proofs
Scaling Ethereum using Zero-Knowledge ProofsScaling Ethereum using Zero-Knowledge Proofs
Scaling Ethereum using Zero-Knowledge Proofs
Hyojun Kim
 
OSMC 2023 | Large-scale logging made easy by Alexandr Valialkin
OSMC 2023 | Large-scale logging made easy by Alexandr ValialkinOSMC 2023 | Large-scale logging made easy by Alexandr Valialkin
OSMC 2023 | Large-scale logging made easy by Alexandr Valialkin
NETWAYS
 
楕円曲線と暗号
楕円曲線と暗号楕円曲線と暗号
楕円曲線と暗号
MITSUNARI Shigeo
 
Decentralized Application: A Software Engineering Perspective
Decentralized Application: A Software Engineering PerspectiveDecentralized Application: A Software Engineering Perspective
Decentralized Application: A Software Engineering Perspective
Bambang Purnomosidi D. P.
 
新しい暗号技術
新しい暗号技術新しい暗号技術
新しい暗号技術
MITSUNARI Shigeo
 
Introduction to complex networks
Introduction to complex networksIntroduction to complex networks
Introduction to complex networks
Vincent Traag
 
zk-SNARKsの仕組みについて
zk-SNARKsの仕組みについてzk-SNARKsの仕組みについて
zk-SNARKsの仕組みについて
ts21
 
ブロックチェーン系プロジェクトで着目される暗号技術
ブロックチェーン系プロジェクトで着目される暗号技術ブロックチェーン系プロジェクトで着目される暗号技術
ブロックチェーン系プロジェクトで着目される暗号技術
MITSUNARI Shigeo
 
ペアリングベースの効率的なレベル2準同型暗号(SCIS2018)
ペアリングベースの効率的なレベル2準同型暗号(SCIS2018)ペアリングベースの効率的なレベル2準同型暗号(SCIS2018)
ペアリングベースの効率的なレベル2準同型暗号(SCIS2018)
MITSUNARI Shigeo
 
WASM(WebAssembly)入門 ペアリング演算やってみた
WASM(WebAssembly)入門 ペアリング演算やってみたWASM(WebAssembly)入門 ペアリング演算やってみた
WASM(WebAssembly)入門 ペアリング演算やってみた
MITSUNARI Shigeo
 
Eos - Efficient Private Delegation of zkSNARK provers
Eos - Efficient Private Delegation of zkSNARK proversEos - Efficient Private Delegation of zkSNARK provers
Eos - Efficient Private Delegation of zkSNARK provers
Alex Pruden
 
Binary indexed tree
Binary indexed treeBinary indexed tree
Binary indexed tree
HCPC: 北海道大学競技プログラミングサークル
 
ERC20 Step-by-Step - Creating Your First Ethereum Token
ERC20 Step-by-Step - Creating Your First Ethereum TokenERC20 Step-by-Step - Creating Your First Ethereum Token
ERC20 Step-by-Step - Creating Your First Ethereum Token
CodeOps Technologies LLP
 
Security and privacy with blockchain
Security and privacy with blockchainSecurity and privacy with blockchain
Security and privacy with blockchain
Celine George
 
Developing Scylla Applications: Practical Tips
Developing Scylla Applications: Practical TipsDeveloping Scylla Applications: Practical Tips
Developing Scylla Applications: Practical Tips
ScyllaDB
 
Propositional logic & inference
Propositional logic & inferencePropositional logic & inference
Propositional logic & inference
Slideshare
 
Zksnarks in english
Zksnarks in englishZksnarks in english
Zksnarks in english
Ronak Kogta
 
自作ペアリング/BLS署名ライブラリの紹介
自作ペアリング/BLS署名ライブラリの紹介自作ペアリング/BLS署名ライブラリの紹介
自作ペアリング/BLS署名ライブラリの紹介
MITSUNARI Shigeo
 
多段階計算の型システムの基礎
多段階計算の型システムの基礎多段階計算の型システムの基礎
多段階計算の型システムの基礎
T. Suwa
 
snarks <3 hash functions
snarks <3 hash functionssnarks <3 hash functions
snarks <3 hash functions
Rebekah Mercer
 
暗号化したまま計算できる暗号技術とOSS開発による広がり
暗号化したまま計算できる暗号技術とOSS開発による広がり暗号化したまま計算できる暗号技術とOSS開発による広がり
暗号化したまま計算できる暗号技術とOSS開発による広がり
MITSUNARI Shigeo
 
Why Pentesting is Vital to the Modern DoD Workforce
Why Pentesting is Vital to the Modern DoD WorkforceWhy Pentesting is Vital to the Modern DoD Workforce
Why Pentesting is Vital to the Modern DoD Workforce
Global Knowledge Training
 
Penetration testing, What’s this?
Penetration testing, What’s this?Penetration testing, What’s this?
Penetration testing, What’s this?
Dmitry Evteev
 

More Related Content

What's hot

OSMC 2023 | Large-scale logging made easy by Alexandr Valialkin
OSMC 2023 | Large-scale logging made easy by Alexandr ValialkinOSMC 2023 | Large-scale logging made easy by Alexandr Valialkin
OSMC 2023 | Large-scale logging made easy by Alexandr Valialkin
NETWAYS
 
ペアリングベースの効率的なレベル2準同型暗号(SCIS2018)
ペアリングベースの効率的なレベル2準同型暗号(SCIS2018)ペアリングベースの効率的なレベル2準同型暗号(SCIS2018)
ペアリングベースの効率的なレベル2準同型暗号(SCIS2018)
MITSUNARI Shigeo
 
Eos - Efficient Private Delegation of zkSNARK provers
Eos - Efficient Private Delegation of zkSNARK proversEos - Efficient Private Delegation of zkSNARK provers
Eos - Efficient Private Delegation of zkSNARK provers
Alex Pruden
 
Propositional logic & inference
Propositional logic & inferencePropositional logic & inference
Propositional logic & inference
Slideshare
 

What's hot (20)

OSMC 2023 | Large-scale logging made easy by Alexandr Valialkin
OSMC 2023 | Large-scale logging made easy by Alexandr ValialkinOSMC 2023 | Large-scale logging made easy by Alexandr Valialkin
OSMC 2023 | Large-scale logging made easy by Alexandr Valialkin
 
楕円曲線と暗号
楕円曲線と暗号楕円曲線と暗号
楕円曲線と暗号
 
Decentralized Application: A Software Engineering Perspective
Decentralized Application: A Software Engineering PerspectiveDecentralized Application: A Software Engineering Perspective
Decentralized Application: A Software Engineering Perspective
 
新しい暗号技術
新しい暗号技術新しい暗号技術
新しい暗号技術
 
Introduction to complex networks
Introduction to complex networksIntroduction to complex networks
Introduction to complex networks
 
zk-SNARKsの仕組みについて
zk-SNARKsの仕組みについてzk-SNARKsの仕組みについて
zk-SNARKsの仕組みについて
 
ブロックチェーン系プロジェクトで着目される暗号技術
ブロックチェーン系プロジェクトで着目される暗号技術ブロックチェーン系プロジェクトで着目される暗号技術
ブロックチェーン系プロジェクトで着目される暗号技術
 
ペアリングベースの効率的なレベル2準同型暗号(SCIS2018)
ペアリングベースの効率的なレベル2準同型暗号(SCIS2018)ペアリングベースの効率的なレベル2準同型暗号(SCIS2018)
ペアリングベースの効率的なレベル2準同型暗号(SCIS2018)
 
WASM(WebAssembly)入門 ペアリング演算やってみた
WASM(WebAssembly)入門 ペアリング演算やってみたWASM(WebAssembly)入門 ペアリング演算やってみた
WASM(WebAssembly)入門 ペアリング演算やってみた
 
Eos - Efficient Private Delegation of zkSNARK provers
Eos - Efficient Private Delegation of zkSNARK proversEos - Efficient Private Delegation of zkSNARK provers
Eos - Efficient Private Delegation of zkSNARK provers
 
Binary indexed tree
Binary indexed treeBinary indexed tree
Binary indexed tree
 
ERC20 Step-by-Step - Creating Your First Ethereum Token
ERC20 Step-by-Step - Creating Your First Ethereum TokenERC20 Step-by-Step - Creating Your First Ethereum Token
ERC20 Step-by-Step - Creating Your First Ethereum Token
 
Security and privacy with blockchain
Security and privacy with blockchainSecurity and privacy with blockchain
Security and privacy with blockchain
 
Developing Scylla Applications: Practical Tips
Developing Scylla Applications: Practical TipsDeveloping Scylla Applications: Practical Tips
Developing Scylla Applications: Practical Tips
 
Propositional logic & inference
Propositional logic & inferencePropositional logic & inference
Propositional logic & inference
 
Zksnarks in english
Zksnarks in englishZksnarks in english
Zksnarks in english
 
自作ペアリング/BLS署名ライブラリの紹介
自作ペアリング/BLS署名ライブラリの紹介自作ペアリング/BLS署名ライブラリの紹介
自作ペアリング/BLS署名ライブラリの紹介
 
多段階計算の型システムの基礎
多段階計算の型システムの基礎多段階計算の型システムの基礎
多段階計算の型システムの基礎
 
snarks <3 hash functions
snarks <3 hash functionssnarks <3 hash functions
snarks <3 hash functions
 
暗号化したまま計算できる暗号技術とOSS開発による広がり
暗号化したまま計算できる暗号技術とOSS開発による広がり暗号化したまま計算できる暗号技術とOSS開発による広がり
暗号化したまま計算できる暗号技術とOSS開発による広がり
 

Similar to zkStudyClub: Zero-Knowledge Proofs Security, in Practice [JP Aumasson, Taurus]

Why Pentesting is Vital to the Modern DoD Workforce
Why Pentesting is Vital to the Modern DoD WorkforceWhy Pentesting is Vital to the Modern DoD Workforce
Why Pentesting is Vital to the Modern DoD Workforce
Global Knowledge Training
 
Penetration testing, What’s this?
Penetration testing, What’s this?Penetration testing, What’s this?
Penetration testing, What’s this?
Dmitry Evteev
 
6.Resource Exhaustion
6.Resource Exhaustion6.Resource Exhaustion
6.Resource Exhaustion
phanleson
 
3.Secure Design Principles And Process
3.Secure Design Principles And Process3.Secure Design Principles And Process
3.Secure Design Principles And Process
phanleson
 
Exploits Attack on Windows Vulnerabilities
Exploits Attack on Windows VulnerabilitiesExploits Attack on Windows Vulnerabilities
Exploits Attack on Windows Vulnerabilities
Amit Kumbhar
 
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3
Linaro
 
Security Testing ModernApps_v1.0
Security Testing ModernApps_v1.0Security Testing ModernApps_v1.0
Security Testing ModernApps_v1.0
Neelu Tripathy
 

Similar to zkStudyClub: Zero-Knowledge Proofs Security, in Practice [JP Aumasson, Taurus] (20)

Why Pentesting is Vital to the Modern DoD Workforce
Why Pentesting is Vital to the Modern DoD WorkforceWhy Pentesting is Vital to the Modern DoD Workforce
Why Pentesting is Vital to the Modern DoD Workforce
 
Penetration testing, What’s this?
Penetration testing, What’s this?Penetration testing, What’s this?
Penetration testing, What’s this?
 
6.Resource Exhaustion
6.Resource Exhaustion6.Resource Exhaustion
6.Resource Exhaustion
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
 
Detection of webshells in compromised perimeter assets using ML algorithms
Detection of webshells in compromised perimeter assets using ML algorithms Detection of webshells in compromised perimeter assets using ML algorithms
Detection of webshells in compromised perimeter assets using ML algorithms
 
Super1
Super1Super1
Super1
 
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdfVulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
 
3.Secure Design Principles And Process
3.Secure Design Principles And Process3.Secure Design Principles And Process
3.Secure Design Principles And Process
 
Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004
 
Day4
Day4Day4
Day4
 
ML13198A410.pdf
ML13198A410.pdfML13198A410.pdf
ML13198A410.pdf
 
ML13198A410.pdf
ML13198A410.pdfML13198A410.pdf
ML13198A410.pdf
 
ML13198A410.pdf
ML13198A410.pdfML13198A410.pdf
ML13198A410.pdf
 
Make the Smartcard great again
Make the Smartcard great againMake the Smartcard great again
Make the Smartcard great again
 
Anton Chuvakin on Honeypots
Anton Chuvakin on HoneypotsAnton Chuvakin on Honeypots
Anton Chuvakin on Honeypots
 
Exploits Attack on Windows Vulnerabilities
Exploits Attack on Windows VulnerabilitiesExploits Attack on Windows Vulnerabilities
Exploits Attack on Windows Vulnerabilities
 
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3
 
LAS16 111 - Raspberry pi3, op-tee and jtag debugging
LAS16 111 - Raspberry pi3, op-tee and jtag debuggingLAS16 111 - Raspberry pi3, op-tee and jtag debugging
LAS16 111 - Raspberry pi3, op-tee and jtag debugging
 
Security Testing ModernApps_v1.0
Security Testing ModernApps_v1.0Security Testing ModernApps_v1.0
Security Testing ModernApps_v1.0
 
Network Security Data Visualization
Network Security Data VisualizationNetwork Security Data Visualization
Network Security Data Visualization
 

More from Alex Pruden

zkStudyClub - zkSaaS (Sruthi Sekar, UCB)
zkStudyClub - zkSaaS (Sruthi Sekar, UCB)zkStudyClub - zkSaaS (Sruthi Sekar, UCB)
zkStudyClub - zkSaaS (Sruthi Sekar, UCB)
Alex Pruden
 

More from Alex Pruden (9)

zkStudyClub - zkSaaS (Sruthi Sekar, UCB)
zkStudyClub - zkSaaS (Sruthi Sekar, UCB)zkStudyClub - zkSaaS (Sruthi Sekar, UCB)
zkStudyClub - zkSaaS (Sruthi Sekar, UCB)
 
zkStudyClub - Improving performance of non-native arithmetic in SNARKs (Ivo K...
zkStudyClub - Improving performance of non-native arithmetic in SNARKs (Ivo K...zkStudyClub - Improving performance of non-native arithmetic in SNARKs (Ivo K...
zkStudyClub - Improving performance of non-native arithmetic in SNARKs (Ivo K...
 
zkStudyClub - cqlin: Efficient linear operations on KZG commitments
zkStudyClub - cqlin: Efficient linear operations on KZG commitments zkStudyClub - cqlin: Efficient linear operations on KZG commitments
zkStudyClub - cqlin: Efficient linear operations on KZG commitments
 
Caulk: zkStudyClub: Caulk - Lookup Arguments in Sublinear Time (A. Zapico)
Caulk: zkStudyClub: Caulk - Lookup Arguments in Sublinear Time (A. Zapico)Caulk: zkStudyClub: Caulk - Lookup Arguments in Sublinear Time (A. Zapico)
Caulk: zkStudyClub: Caulk - Lookup Arguments in Sublinear Time (A. Zapico)
 
zkStudy Club: Subquadratic SNARGs in the Random Oracle Model
zkStudy Club: Subquadratic SNARGs in the Random Oracle ModelzkStudy Club: Subquadratic SNARGs in the Random Oracle Model
zkStudy Club: Subquadratic SNARGs in the Random Oracle Model
 
ZK Study Club: Sumcheck Arguments and Their Applications
ZK Study Club: Sumcheck Arguments and Their ApplicationsZK Study Club: Sumcheck Arguments and Their Applications
ZK Study Club: Sumcheck Arguments and Their Applications
 
Ecfft zk studyclub 9.9
Ecfft zk studyclub 9.9Ecfft zk studyclub 9.9
Ecfft zk studyclub 9.9
 
Quarks zk study-club
Quarks zk study-clubQuarks zk study-club
Quarks zk study-club
 
zkStudyClub: CirC and Compiling Programs to Circuits
zkStudyClub: CirC and Compiling Programs to CircuitszkStudyClub: CirC and Compiling Programs to Circuits
zkStudyClub: CirC and Compiling Programs to Circuits
 

Recently uploaded

Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
David Michel
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
CzechDreamin
 
In-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT ProfessionalsIn-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT Professionals
Expeed Software
 
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
CzechDreamin
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 

Recently uploaded (20)

10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
 
AI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří KarpíšekAI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří Karpíšek
 
Powerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaPowerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara Laskowska
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
 
In-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT ProfessionalsIn-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT Professionals
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
Introduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG EvaluationIntroduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG Evaluation
 
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
 
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone KomSalesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
 
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeFree and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
 
Speed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in MinutesSpeed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in Minutes
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
Agentic RAG What it is its types applications and implementation.pdf
Agentic RAG What it is its types applications and implementation.pdfAgentic RAG What it is its types applications and implementation.pdf
Agentic RAG What it is its types applications and implementation.pdf
 
IESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIESVE for Early Stage Design and Planning
IESVE for Early Stage Design and Planning
 

zkStudyClub: Zero-Knowledge Proofs Security, in Practice [JP Aumasson, Taurus]

  • 1. Zero-knowledge proofs security, in practice JP Aumasson @veorq CSO @ taurushq.com
  • 2. NIZK arguments security, in practice JP Aumasson @veorq CSO @ taurushq.com
  • 3. This talk Focus on zkSNARKs, a class of NIZK arguments Fully succinct = O(1) proof size and O(circuit size) veri fi cation time Based on my experience looking for bugs in systems using Groth16, used in Zcash, Filecoin, and many others Marlin, a universal zkSNARK, used in Aleo Most of the content applies to other systems (Plonk, SONIC, etc.) and STARKs 3
  • 4. Why study zkSNARKs security? For blockchain projects: A major risk: Complexity + Novelty => Non-trivial bugs A lot at stake ($$$ and user data/privacy) 4
  • 5. Why study zkSNARKs security? For blockchain projects: A major risk: Complexity + Novelty => Non-trivial bugs A lot at stake ($$$ and user data/privacy) As a cryptographer: The most interesting crypto today: Solving real-world problems and deployed at scale (good papers + good code!) Intricate constructions with non-trivial components “Simple but complex" (non-interactive, many moving parts) “Multidimensional" way to reason about security 5
  • 6. What is zkSNARKs security? Soundness, often the highest risk in practice: Invalid proofs should always be rejected Forging, altering, replaying valid proofs should be impossible 6
  • 7. What is zkSNARKs security? Soundness, often the highest risk in practice: Invalid proofs should always be rejected Forging, altering, replaying valid proofs should be impossible Zero-knowledge: Proofs should not leak witness information (private variables) In practice succinct proofs of large programs can leak only little data 7
  • 8. What is zkSNARKs security? Soundness, often the highest risk in practice: Invalid proofs should always be rejected Forging, altering, replaying valid proofs should be impossible Zero-knowledge: Proofs should not leak witness information (private variables) In practice succinct proofs of large programs can leak only little data Completeness, often a DoS/usability risk that may be further exploited: Valid proofs should always be accepted All programs/circuits supported should be correctly processed 8
  • 9. Bug hunting challenges Practical zkSNARKs are recent, thus auditors often have Limited experience auditing ZKPs Limited knowledge of the theory, of implementations’ tricks Limited “checklist" of bugs and bug classes Limited tooling and methodology Most bugs found internally or by teams of similar projects 9
  • 10. New crypto, new approach More collaboration with the devs/designers (joint review sessions, Q&As, etc.) More threat analysis, to understand the application’s unique/novel risks Practical experience: writing PoCs, circuits, proof systems, etc. Learn previous failures, for example from… Public disclosures and exploits Other audit reports Issue trackers / PRs Community 10
  • 11. General work fl ow, and failure examples 11 Computation Circuit de fi nition Arithmetization Non-interactive proof Integration
  • 12. General work fl ow, and failure examples 12 Computation Circuit de fi nition Arithmetization Non-interactive proof Integration The program’s logic is not secure The circuit is not equivalent to the program The CS fails to enforce an operation a constraint Bad choice of internal commitment schemes wrt hiding or binding properties The application allows replays of previous proofs
  • 13. How to break zkSNARKs security? (1/2) Break soundness, for example by exploiting Constraint system not effectively enforcing certain constraints Insecure generation or protection of proving keys 13
  • 14. How to break zkSNARKs security? (1/2) Break soundness, for example by exploiting Constraint system not effectively enforcing certain constraints Insecure generation or protection of proving keys Break zero-knowledge, for example by exploiting Private data treated as public variables Protocol-level “metadata attacks” 14
  • 15. How to break zkSNARKs security? (1/2) Break soundness, for example by exploiting Constraint system not effectively enforcing certain constraints Insecure generation or protection of proving keys Break zero-knowledge, for example by exploiting Private data treated as public variables Protocol-level “metadata attacks” Break completeness, for example by exploiting Incorrect R1CS synthesis behaviour on edge cases (e.g. wrt number of private vars) Gadget composition failure caused by type mismatch between gadget i/o values 15
  • 16. How to break zkSNARKs security? (2/2) Break (off-chain) software, via any bug leading to Leakage of data, including via side channels, encodings (“ZK execution”) Any form in insecure state (code execution, DoS) Compromise the supply-chain, via Trusted setup's code and execution Build and release process integrity Software dependencies 16
  • 17. How to break zkSNARKs security? (2/2) Break (off-chain) software, via any bug leading to Leakage of data, including via side channels, encodings (“ZK execution”) Any form in insecure state (code execution, DoS) Compromise the supply-chain, via Trusted setup's code and execution Build and release process integrity Software dependencies Break (on-chain) software (incl. veri fi er) via smart contract bugs, logic fl aws, etc. 17
  • 18. Multiple layers 18 A failure in a lower layer can jeopardise the security of all upper layers Platform: language, runtime, OS, hardware, dependencies Prover/veri fi er Application 😈 Adversarial input 😈 🥴 Protocol input 🥴 😐 Con fi g 😐 Field arithmetic, elliptic curves group operations Arithmetization / constraints generation 
 from fi xed or user-de fi ned circuit
  • 19. Multiple layers 19 A failure in a lower layer can jeopardise the security of all upper layers Platform: language, runtime, OS, hardware, dependencies Prover/veri fi er Application 😈 Adversarial input 😈 🥴 Protocol input 🥴 😐 Con fi g 😐 Zero-knowledge greater risks Completeness and 
 Soundness greater risks Field arithmetic, elliptic curves group operations Arithmetization / constraints generation 
 from fi xed or user-de fi ned circuit
  • 20. Multiple layers 20 Field arithmetic, elliptic curves group operations A failure in a subcomponent can jeopardise the security of all upper layers Platform: language, runtime, OS, hardware, dependencies Arithmetization / constraints generation 
 from fi xed or user-de fi ned circuit Prover/veri fi er Application 😈 Adversarial input 😈 🥴 Protocol input 🥴 😐 Con fi g 😐 Hashing, PRF,Algebraic commitment, Randomness, Merkle trees, … Fiat-Shamir, Polynomial commitments, Hash-to-curve, linear algebra, … Key/nonce management,Testing Interface, Side channels, Replays Fast operations, multi-exp, … R1CS,AIR, polynomials, … RNG, … ..
  • 21. Multiple layers 21 Security 101: Input validation must be de fi ned, implemented, and tested Prover/veri fi er Elliptic curves, Pairings, Hash functions, PRF,Algebraic commitment Randomness, Merkle trees Linear algebra, Multi-exp. Polynomial commitments, Fiat-Shamir transforms, etc. etc. Application Key management,Testing Interface, Side channels 😈 Adversarial input 😈 🥴 Protocol input 🥴 😐 Con fi g 😐 Contracts between components must be de fi ned to prevent insecure composition Example: which component is responsible 
 for group membership checks?
  • 22. 22
  • 23. Soundness – Field arithmetic Root cause: Missing over fl ow check (of a nulli fi er ~ unique ID of a shielded payment) https://github.com/appliedzkp/semaphore/issues/16 23
  • 24. Soundness – Field arithmetic Missing over fl ow check (of a public input) https://github.com/eea-oasis/baseline/issues/34 24
  • 25. Soundness – Field arithmetic Missing over fl ow check (of a public input) https://github.com/appliedzkp/semaphore/pull/96/ 25
  • 26. Soundness – R1CS Field element inverse property not enforced by the constraint system https://github.com/arkworks-rs/r1cs-std/pull/70 26
  • 27. Soundness – Hash validation Coding error, allowing to fake the witness’ Merkel root and forge proofs https://tornado-cash.medium.com/tornado-cash-got-hacked-by-us-b1e012a3c9a8 27
  • 28. Soundness – Paper / Setup Theoretical fl aw in the paper’s setup description (sensitive values not cleared) https://electriccoin.co/blog/zcash-counterfeiting-vulnerability-successfully-remediated/ 28
  • 29. Zero-knowledge – Application (Aztec) Nonces not correctly set by the application, breaking privacy https://medium.com/@jaosef/54dff729a24f (Aztec 2.0 Pre-Launch Notes) 29
  • 30. Zero-knowledge – Application (Zcash) Correlations between (shielded) transactions 
 leaking exploitable information https://eprint.iacr.org/2020/627.pdf 30
  • 31. Zero-knowledge – Prover (Plonkup) Missing (randomized) blinding to hide private inputs – potential ZK loss https://github.com/dusk-network/plonk/pull/651 31
  • 32. DoS – Merkle tree Incomplete tree constraints, leading to a freeze of the rollup validation https://medium.com/aztec-protocol/vulnerabilities-found-in-aztec-2-0-9b80c8bf416c 32
  • 33. DoS / Completeness? – DSL / Signatures Valid signatures rejected, risk initially deemed negligible https://github.com/starkware-libs/cairo-lang/issues/39 33
  • 34. Other types of bugs Crypto issues such as: Pedersen bases generation/uniqueness Padding scheme in algebraic hashes and commitments Non-conform implementations of crypto schemes (e.g. Poseidon algebra bugs) Insuf fi cient data being “Fiat-Shamir'd" from the transcript Composability: unsafe interactions between nested proof systems Side channels: Non-ct code, RAM leakage, speculative execution leaks 34
  • 35. Conclusions 😌 Why not be too scared? Robust code and frameworks (e.g. Rust projects such as arkworks and zkcrypto) DSLs (Cairo, Leo, etc.) make it easier to write safe code Relatively narrow attack surface in practice 35
  • 36. Conclusions 😌 Why not be too scared? Robust code and frameworks (e.g. Rust projects such as arkworks and zkcrypto) DSLs (Cairo, Leo, etc.) make it easier to write safe code Relatively narrow attack surface in practice 😱 Why be scared? Few people understand zkSNARKs, even fewer can fi nd bugs Lack of tooling (wrt testing, fuzzing, veri fi cation) More ZKPs used => more $$$ at stake => greater RoI for vuln researchers 36
  • 37. Thank you! JP Aumasson @veorq CSO @ taurushq.com Thanks to Aleo, Protocol Labs, Kobi Gurkan, Adrian Hamelink, Lúcás Meier, Mathilde Raynal