use of BigInt is vulnerable to timing attacks #341

Open
0xDatapunk opened this issue Oct 7, 2024 · 1 comment
Labels
audit 🔍 This issue is related to an audit. documentation 📖 Improvements or additions to documentation good first issue Good for newcomers

Comments

@0xDatapunk
Collaborator

export const poseidonEncrypt = (

implementation that uses the JavaScript BigInt is vulnerable to timing attacks (more info).
If constant-time operation is a requirement, this needs changes to use constant-time modular math libraries.
Otherwise, dependent packages/applications should be made aware.

@github-project-automation github-project-automation bot moved this to 📋 Backlog in ZK-Kit Oct 7, 2024
@cedoor cedoor added the audit 🔍 This issue is related to an audit. label Oct 14, 2024
@cedoor
Member

cedoor commented Oct 24, 2024

While waiting for a library, I think we can add a warning in the readme file for now.

@cedoor cedoor added good first issue Good for newcomers documentation 📖 Improvements or additions to documentation labels Oct 24, 2024
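
An added illustration of the point raised in this issue, not code from ZK-Kit or from either commenter: a BigInt occupies as many machine words as its value needs, so the work behind `*` and `%` depends on operand magnitude. The modulus, the sample operands and the 64-bit word cost model are assumptions chosen for the example.

```javascript
// Added illustration, not ZK-Kit code.
// Assumption: the engine stores a BigInt in as many 64-bit words as the value
// needs (V8 does this), so the cost of * and % follows operand magnitude.

// Constructed sample modulus (2^255 - 19), standing in for a field prime.
const P = (1n << 255n) - 19n;

// Bit length of a non-negative BigInt.
function bitLength(x) {
  return x === 0n ? 0 : x.toString(2).length;
}

// Words needed to hold x under the 64-bit word assumption.
function limbs(x) {
  return Math.ceil(bitLength(x) / 64);
}

// Schoolbook cost model: word-by-word products needed to form a * b.
function mulCost(a, b) {
  return limbs(a) * limbs(b);
}

// Median wall-clock milliseconds over 5 runs of `reps` modular multiplications.
function timeModMul(a, b, reps = 50000) {
  const samples = [];
  for (let run = 0; run < 5; run++) {
    let acc = 0n; // keeps each result live so the loop is not optimized away
    const t0 = performance.now();
    for (let i = 0; i < reps; i++) acc ^= (a * b) % P;
    samples.push(performance.now() - t0);
  }
  return samples.sort((x, y) => x - y)[2];
}

// Compare a one-word operand with a four-word operand against the same value.
function compare() {
  const small = 3n;     // constructed stand-in for a short secret value
  const large = P - 2n; // constructed stand-in for a full-width secret value
  const other = P - 5n;
  return {
    smallCost: mulCost(small, other),
    largeCost: mulCost(large, other),
    smallMs: timeModMul(small, other),
    largeMs: timeModMul(large, other),
  };
}

console.log(compare());
```

The cost fields are deterministic; the millisecond fields vary by machine and engine, and any gap between them is the data-dependent behaviour a README warning would need to describe.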
Projects
Status: ♻️ Grooming
Development

No branches or pull requests

2 participants