CVE-2026-46654

Plonky3 MultiField32Challenger: transcript malleability and challenge entropy loss

CVSS 8.9 HIGH · EPSS 0.1% · CWE-1240 · CWE-345
In short

An attacker who controls the values the prover feeds into Plonky3's MultiField32Challenger can build two different transcripts that yield the same challenge. Fiat-Shamir is only sound when each challenge is bound to the entire transcript that precedes it; once distinct transcripts share a challenge, the prover is no longer committed to a single transcript, and the verifier loses the property it relies on to reject forged proofs.

Technical detail

An attacker who controls the prover-side observations absorbed by MultiField32Challenger can exploit transcript malleability to construct distinct transcripts that yield identical challenges, violating the binding property of Fiat-Shamir. Two different transcripts mapping to one challenge means the challenge is not a function of the full transcript content; the advisory describes this as insufficient entropy in the challenge derivation (the "challenge entropy loss" of the title). An adversary can therefore adjust transcript inputs before the hash-based challenge is generated and steer the challenge toward one that makes a forged proof verify. The assigned weaknesses are CWE-1240 (use of a cryptographic primitive with a risky implementation) for the challenger itself and CWE-345 (insufficient verification of data authenticity) for what the verifier consequently fails to check.

Summary generated and translated by AI from the official description.
Plonky3 is a toolkit for polynomial IOPs (PIOPs). Prior to versions 0.4.3 and 0.5.3, an attacker controlling prover-side observations can craft distinct transcripts that produce identical challenges, breaking the binding property of Fiat-Shamir. This issue has been patched in versions 0.4.3 and 0.5.3.
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N
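The following Rust block is a constructed illustration of what "distinct transcripts, identical challenges" means, added here and not taken from Plonky3 or from the advisory. It builds a toy transcript that packs two 32-bit observations per 64-bit word and zero-pads a partially filled word, so observing `[a]` and observing `[a, 0]` hash to the same challenge, and places it next to a variant that also absorbs the observation count, the sample index and a domain tag before each challenge. The packing scheme, the names `MalleableChallenger` and `BindingChallenger`, and the use of std's SipHash (`DefaultHasher`) in place of a cryptographic permutation are all assumptions made for the example; the toy does not reproduce the actual Plonky3 flaw and does not model the entropy-loss aspect.

```rust
use std::collections::hash_map::DefaultHasher;
use std::hash::Hasher;

// CONSTRUCTED toy transcript for illustration only. It is not Plonky3's
// MultiField32Challenger and does not reproduce the real flaw; it shows one
// way a challenger that packs several 32-bit observations into a wider word
// can be malleable, and the canonical-encoding fix. A real challenger uses a
// cryptographic permutation, not std's SipHash (DefaultHasher).
const LIMBS_PER_WORD: usize = 2;

/// Malleable variant: a partially filled word is zero-padded, so a trailing
/// observation of 0 is indistinguishable from no observation at all.
#[derive(Default)]
pub struct MalleableChallenger {
    words: Vec<u64>,
    pending: Vec<u32>,
}

impl MalleableChallenger {
    pub fn observe(&mut self, x: u32) {
        self.pending.push(x);
        if self.pending.len() == LIMBS_PER_WORD {
            self.flush();
        }
    }

    /// Pack pending limbs little-endian into one word; absent limbs stay 0.
    fn flush(&mut self) {
        if self.pending.is_empty() {
            return;
        }
        let mut w = 0u64;
        for (i, &x) in self.pending.iter().enumerate() {
            w |= (x as u64) << (32 * i);
        }
        self.words.push(w);
        self.pending.clear();
    }

    pub fn sample(&mut self) -> u64 {
        self.flush();
        let mut h = DefaultHasher::new();
        for &w in &self.words {
            h.write_u64(w);
        }
        h.finish()
    }
}

/// Hardened variant: before each challenge it also absorbs the exact number of
/// observations, the sample index and a domain tag, so distinct transcripts
/// always have distinct encodings.
#[derive(Default)]
pub struct BindingChallenger {
    inner: MalleableChallenger,
    observed: u64,
    sampled: u64,
}

impl BindingChallenger {
    pub fn observe(&mut self, x: u32) {
        self.inner.observe(x);
        self.observed += 1;
    }

    pub fn sample(&mut self) -> u64 {
        self.inner.flush();
        let mut h = DefaultHasher::new();
        for &w in &self.inner.words {
            h.write_u64(w);
        }
        h.write_u64(self.observed); // [a] and [a, 0] now differ here
        h.write_u64(self.sampled);
        h.write_u8(0x01); // domain tag: challenge derivation
        self.sampled += 1;
        h.finish()
    }
}

/// Do the prover transcripts [a] and [a, 0] yield the same challenge?
pub fn malleable_collides(a: u32) -> bool {
    let (mut t1, mut t2) = (MalleableChallenger::default(), MalleableChallenger::default());
    t1.observe(a);
    t2.observe(a);
    t2.observe(0);
    t1.sample() == t2.sample()
}

pub fn binding_collides(a: u32) -> bool {
    let (mut t1, mut t2) = (BindingChallenger::default(), BindingChallenger::default());
    t1.observe(a);
    t2.observe(a);
    t2.observe(0);
    t1.sample() == t2.sample()
}

fn main() {
    println!("malleable: [a] and [a, 0] collide? {}", malleable_collides(0xdead_beef));
    println!("binding:   [a] and [a, 0] collide? {}", binding_collides(0xdead_beef));
}
```

The hardened variant applies the standard remedy for this class of bug: a canonical encoding of the transcript with length and domain separation, so that no two distinct observation sequences produce the same absorbed byte string. When auditing a challenger, the test worth writing is exactly `malleable_collides`: take two nearby transcripts, enumerate the bytes each one absorbs, and check that they differ.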
Affected products
Plonky3 · Plonky3
