
35 matches found

NVD
added 2024/09/06 1:15 p.m. · 13 views

CVE-2024-45040

gnark is a fast zk-SNARK library that offers a high-level API to design circuits. Prior to version 0.11.0, commitments to private witnesses in Groth16 as implemented break the zero-knowledge property. The vulnerability affects only Groth16 proofs with commitments. Notably, PLONK proofs are not...

CVSS 5.9 · EPSS 0.0021 · Exploits 0 · References 3
OSV
added 2024/09/06 12:56 p.m. · 7 views

CVE-2024-45039 gnark's Groth16 commitment extension unsound for more than one commitment

gnark is a fast zk-SNARK library that offers a high-level API to design circuits. Versions prior to 0.11.0 have a soundness issue - in case of multiple commitments used inside the circuit the prover is able to choose all but the last commitment. As gnark uses the commitments for optimized...

CVSS 6.2 · AI score 6.3 · EPSS 0.00055 · Exploits 0 · References 4
CVE
added 2024/09/06 12:56 p.m. · 107 views

CVE-2024-45039

CVE-2024-45039 (gnark) affects gnark up to version 0.10.x; reported soundness issue arises when multiple commitments are used inside a circuit, allowing the prover to select all but the last commitment. gnark relies on commitments for optimized non-native multiplication and other checks, which co...

CVSS 6.2 · AI score 6.2 · EPSS 0.00055 · Exploits 0 · References 2 · Affected Software 1
Vulnrichment
added 2024/09/06 12:53 p.m. · 18 views

CVE-2024-45040 gnark's commitments to private witnesses in Groth16 as implemented break zero-knowledge property

gnark is a fast zk-SNARK library that offers a high-level API to design circuits. Prior to version 0.11.0, commitments to private witnesses in Groth16 as implemented break the zero-knowledge property. The vulnerability affects only Groth16 proofs with commitments. Notably, PLONK proofs are not...

CVSS 5.9 · AI score 6.7 · EPSS 0.0021 · Exploits 0 · References 3
Cvelist
added 2024/09/06 12:53 p.m. · 17 views

CVE-2024-45040 gnark's commitments to private witnesses in Groth16 as implemented break zero-knowledge property

gnark is a fast zk-SNARK library that offers a high-level API to design circuits. Prior to version 0.11.0, commitments to private witnesses in Groth16 as implemented break the zero-knowledge property. The vulnerability affects only Groth16 proofs with commitments. Notably, PLONK proofs are not...

CVSS 5.9 · EPSS 0.0021 · Exploits 0 · References 3
Positive Technologies
added 2024/09/06 12:00 a.m. · 3 views

PT-2024-31389 · Gnark · Gnark

Name of the Vulnerable Software and Affected Versions: gnark versions prior to 0.11.0 Description: The issue is a soundness problem in the gnark zk-SNARK library. When multiple commitments are used inside a circuit, the prover can choose all but the last commitment. This could impact the soundnes...

CVSS 9.8 · AI score 6.1 · EPSS 0.93667 · Exploits 15 · References 38
Microsoft Malware Protection
added 2023/08/07 4:00 p.m. · 13 views

Adopting guidance from the US National Cybersecurity Strategy to secure the Internet of Things

The recently published United States National Cybersecurity Strategy warns that many popular Internet of Things (IoT) devices are not sufficiently secure to protect against many of today’s common cybersecurity threats. The strategy also cautions that many of these IoT devices are difficult—or, in...

AI score 7.2 · Exploits 0
Microsoft Secure
added 2023/08/07 4:00 p.m. · 12 views

Adopting guidance from the US National Cybersecurity Strategy to secure the Internet of Things

The recently published United States National Cybersecurity Strategy warns that many popular Internet of Things (IoT) devices are not sufficiently secure to protect against many of today’s common cybersecurity threats. The strategy also cautions that many of these IoT devices are difficult—or, in...

AI score 7.2 · Exploits 0
OSV
added 2023/02/16 2:12 p.m. · 16 views

GHSA-MHGM-52VG-PVVC Privilege escalation in Strongbox

Impact An attacker with read-only access to a Strongbox secret could craft a valid encrypted secret same id/version. It also makes the audit logs from KMS less useful. The issue is caused by a bug in the underlying AWS Encryption SDK. By default, the encrypted secrets are stored in DynamoDB and a...

AI score 6.6 · Exploits 0 · References 3
Code423n4
added 2022/08/15 12:00 a.m. · 7 views

Delegators can Avoid Lock Commitments if they can Reliably get Themselves Blocked when Needed

Lines of code Vulnerability details Impact Users can enjoy the voting power of long lock times whilst not committing their tokens. This could cause the entire system to break down as the incentives don't work any more. Exploit Method This exploit only works if a user is able to use the system and...

AI score 6.6 · Exploits 0
Positive Technologies
added 2020/10/21 12:00 a.m. · 4 views

PT-2020-16537 · Lightning Network Daemon · Lnd

Name of the Vulnerable Software and Affected Versions: LND versions prior to 0.10.0-beta Description: The issue allows any peer with an open channel to exploit the vulnerability, regardless of the victim's situation, such as being a routing node, payment-receiver, or payment-sender. This can lead...

CVSS 5.3 · AI score 5 · EPSS 0.00148 · Exploits 0 · References 11
Akamai Blog
added 2020/08/13 7:51 p.m. · 35 views

Partnering with Microsoft on Hackathon 2020 and Saving the Planet

During the week of July 27, thousands of participants from around the globe participated in the Microsoft 2020 Hackathon. In its seventh year -- and this year, fully virtual -- the annual worldwide event brings Microsoft employees and interns together to drum up new ideas, create change, and make...

Exploits 0
Akamai Blog
added 2020/05/04 4:48 p.m. · 16 views

Making Connections to Sustainable Action During a Pandemic

There is no question that this year has brought disruption to life as we know it. As the world around us is changing, our concept of normalcy does too. Now, more than ever, it is critical that Akamai continue business as usual, providing fast, intelligent, and secure experiences for our customers...

AI score 7.1 · Exploits 0
Carbon Black Blog
added 2017/12/27 3:00 p.m. · 31 views

VIDEO: Carbon Black’s Agile Transformation

In 2017, our product team went through a major "Agile Transformation." All employees adopted this new way of working to establish better collaboration within and across teams. We’ve restructured our teams to be smaller and more cross-functional. We’ve hired Agile Coaches and Scrum Masters to keep...

AI score 6.9 · Exploits 0
Trend Micro Simply Security
added 2017/07/17 4:27 p.m. · 48 views

What to Consider When Choosing a Security Vendor

Picking a security vendor for your managed service business should be about business model alignment, not product cost. If you’re a seasoned managed service provider (MSP), you are already very familiar with the benefits of the pay-as-you-go business model. In fact, it’s most likely how you sell yo...

AI score 7.1 · Exploits 0