GHSA-VJ64-RJF3-W3V7 Plonky3 MultiField32Challenger: transcript malleability and challenge entropy loss

Impact - Key: challenger/src/multifieldchallenger.rs | MultiField32Challenger::duplexing | transcriptmalleability - Affected files: challenger/src/multifieldchallenger.rs, field/src/helpers.rs - Violated invariant: The Fiat-Shamir sponge must bind challenges to the exact sequence of observed fiel...

PT-2026-42645

Impact - Key: challenger/src/multi field challenger.rs | MultiField32Challenger::duplexing | transcript malleability - Affected files: challenger/src/multi field challenger.rs, field/src/helpers.rs - Violated invariant: The Fiat-Shamir sponge must bind challenges to the exact sequence of observed...

PT-2026-42695

Impact - Key: challenger/src/multi field challenger.rs | MultiField32Challenger::duplexing | transcript malleability - Affected files: challenger/src/multi field challenger.rs, field/src/helpers.rs - Violated invariant: The Fiat-Shamir sponge must bind challenges to the exact sequence of observed...

CVE-2026-42010 Gnutls: gnutls: authentication bypass via nul character in username

A flaw was found in gnutls. Servers configured with RSA-PSK Rivest–Shamir–Adleman – Pre-Shared Key wrongfully matched usernames containing a NUL character with truncated usernames. A remote attacker could exploit this by sending a specially crafted username, leading to an authentication bypass...

EUVD-2022-33901

Malicious code in bioql PyPI...

CVE-2025-59484 AutomationDirect CLICK PLUS Use of a Broken or Risky Cryptographic Algorithm

The use of a broken or risky cryptographic algorithm was discovered in firmware version 3.60 of the Click Plus PLC. The vulnerability relies on the fact that the software uses an insecure implementation of the RSA encryption algorithm...

New Cryptanalysis of the Fiat-Shamir Protocol

A couple of months ago, a new paper demonstrated some new attacks against the Fiat-Shamir transformation. Quanta published a good article that explains the results. This is a pretty exciting paper from a theoretical perspective, but I don't see it leading to any practical real-world cryptanalysis...

CVE-2022-29566

The Bulletproofs 2017/1066 paper mishandles Fiat-Shamir generation because the hash computation fails to include all of the public values from the Zero Knowledge proof statement as well as all of the public values computed in the proof, aka the Frozen Heart issue...

Post Quantum Cryptography (PQC) Signatures without Trapdoors

Some of our current public key methods use a trap door to implement digital signature methods. This includes the RSA method, which uses Fermat's little theorem to support the creation and verification of a digital signature. The problem with a back-door is that the actual trap-door method could, ...

SP1 has missing verifier checks and fiat-shamir observations

In SP1’s STARK verifier, the prover provided chipordering is used to fetch the index of the chips that have preprocessed columns. Prior to v4.0.0, the validation that this chipordering correctly provides these indexes was missing. In v4.0.0, this was fixed by adding a check that the indexed chip’...

CLSA-2025-1736859209 libgcrypt: Fix of CVE-2024-2236

CVE-2024-2236: fix timing-based side-channel vulnerability in RSA implementation...

GHSA-JP37-5QHW-MFFW Sharks has a Bias of Polynomial Coefficients in Secret Sharing

Affected versions of this crate allowed for a bias when generating random polynomials for Shamir Secret Sharing, where instead of being within the range 0, 255 they were instead in the range 1, 255. A description from Cure53, who originally found the issue, is available: The correct method to...

Sharks has a Bias of Polynomial Coefficients in Secret Sharing

Affected versions of this crate allowed for a bias when generating random polynomials for Shamir Secret Sharing, where instead of being within the range 0, 255 they were instead in the range 1, 255. A description from Cure53, who originally found the issue, is available: The correct method to...

PT-2024-40350 · Blahaj +1 · Blahaj +1

Name of the Vulnerable Software and Affected Versions: sharks crate affected versions not specified Description: The issue concerns a bias in generating random polynomials for Shamir Secret Sharing. Instead of coefficients being in the range 0, 255, they were in the range 1, 255. This allows an...

Bias of Polynomial Coefficients in Secret Sharing

Affected versions of this crate allowed for a bias when generating random polynomials for Shamir Secret Sharing, where instead of being within the range 0, 255 they were instead in the range 1, 255. A description from Cure53, who originally found the issue, is available: The correct method to...

RUSTSEC-2024-0398 Bias of Polynomial Coefficients in Secret Sharing

Affected versions of this crate allowed for a bias when generating random polynomials for Shamir Secret Sharing, where instead of being within the range 0, 255 they were instead in the range 1, 255. A description from Cure53, who originally found the issue, is available: The correct method to...

GHSA-8M24-3CFX-9FJW sp1 has insufficient observation of cumulative sum

During proof generation, the prover must observe all values sent to the verifier to generate valid Fiat-Shamir challenges. Prior to v3.0.0 the cumulative sum of the permutation argument was not observed when sampling zeta, which is a random challenge sampled to force the constraints to be true. I...

sp1 has insufficient observation of cumulative sum

During proof generation, the prover must observe all values sent to the verifier to generate valid Fiat-Shamir challenges. Prior to v3.0.0 the cumulative sum of the permutation argument was not observed when sampling zeta, which is a random challenge sampled to force the constraints to be true. I...

golang: crypto/tls: Timing Side Channel attack in RSA based TLS key exchanges.

A flaw was found in the Golang crypto/tls standard library. In previous versions, the package was vulnerable to a Timing Side Channel attack by observing the time it took for RSA-based TLS key exchanges, which was not constant. This flaw allows a malicious user to gather information from the...

opencryptoki: timing side-channel in handling of RSA PKCS#1 v1.5 padded ciphertexts (Marvin)

A timing side-channel vulnerability has been discovered in the opencryptoki package while processing RSA PKCS1 v1.5 padded ciphertexts. This flaw could potentially enable unauthorized RSA ciphertext decryption or signing, even without access to the corresponding private key...