{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/challenge-entropy/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["p3-challenger"],"_cs_severities":["high"],"_cs_tags":["transcript-malleability","challenge-entropy","cryptography","rust"],"_cs_type":"advisory","_cs_vendors":["rust"],"content_html":"\u003cp\u003eThe \u003ccode\u003ep3-challenger\u003c/code\u003e Rust package, specifically versions prior to 0.4.3 and versions between 0.5.0 and 0.5.3, contains vulnerabilities that can be exploited to manipulate cryptographic transcripts. These vulnerabilities stem from issues in the \u003ccode\u003eMultiField32Challenger::duplexing\u003c/code\u003e function within \u003ccode\u003echallenger/src/multi_field_challenger.rs\u003c/code\u003e. An attacker with control over prover-side observations can exploit these weaknesses to craft distinct transcripts that generate identical challenges, thereby breaking the binding property of the Fiat-Shamir transform. This impacts the integrity of cryptographic protocols that rely on the challenger to produce unpredictable challenges based on previous interactions. The vulnerabilities include partial-chunk aliasing during absorption, non-injective squeeze functions, and high-bit truncation during digest observation. These flaws can lead to weakened entropy and potential for selective forgery.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains control over prover-side observations in a cryptographic protocol using \u003ccode\u003ep3-challenger\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe prover provides an initial observation \u003ccode\u003e[x]\u003c/code\u003e to the \u003ccode\u003eMultiField32Challenger\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDue to partial-chunk aliasing (CVE-2026-46654), the attacker can manipulate the input by extending the observation with zeros \u003ccode\u003e[x, 0, ..., 0]\u003c/code\u003e without affecting the sponge state, because the \u003ccode\u003ereduce_32\u003c/code\u003e function doesn\u0026rsquo;t account for length.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eduplexing()\u003c/code\u003e function processes the input using \u003ccode\u003ereduce_32\u003c/code\u003e, leading to an equivalent sponge state for both \u003ccode\u003e[x]\u003c/code\u003e and \u003ccode\u003e[x, 0, ..., 0]\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe challenger proceeds to squeeze the sponge state to generate a challenge. Due to the non-injective squeeze vulnerability, distinct PF values whose base-2^64 digits differ only in their upper 33 bits produce identical F challenge sequences.\u003c/li\u003e\n\u003cli\u003eThe attacker can also observe Hash/MerkleCap values; high-bit truncation discards the top bits. For BN254, only 192 bits are considered, allowing the attacker to manipulate bits 192-253 without affecting challenges.\u003c/li\u003e\n\u003cli\u003eThe identical sponge state results in the same challenge being generated, regardless of the attacker\u0026rsquo;s manipulation of the transcript.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the compromised challenge to forge a proof or selectively alter protocol behavior.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities allows an attacker to undermine the security of cryptographic protocols relying on the \u003ccode\u003ep3-challenger\u003c/code\u003e package. By crafting transcripts that yield identical challenges, attackers can forge proofs, selectively alter protocol behavior, or bypass security mechanisms designed to prevent malicious activity. The impact is significant in zero-knowledge proof systems, verifiable computation, and other cryptographic applications where the integrity of the challenger is crucial. These vulnerabilities affect any application using the flawed versions of \u003ccode\u003ep3-challenger\u003c/code\u003e, potentially compromising the security of numerous systems that depend on these cryptographic primitives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003ep3-challenger\u003c/code\u003e version 0.4.3 or 0.5.3 or later to remediate CVE-2026-46654.\u003c/li\u003e\n\u003cli\u003eImplement input validation to prevent partial-chunk aliasing, ensuring that input buffers are properly padded and length-marked before processing with \u003ccode\u003ereduce_32\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eReview and harden the squeeze function to guarantee injectivity, ensuring distinct PF rate cells yield distinct F challenge sequences, to prevent non-injective squeezes.\u003c/li\u003e\n\u003cli\u003eEnsure that all bits of absorbed elements influence the sponge state, addressing high-bit truncation, especially for fields whose bit-width is not a multiple of 64.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-21T20:25:28Z","date_published":"2026-05-21T20:25:28Z","id":"https://feed.craftedsignal.io/briefs/2026-05-plonky3-challenger/","summary":"The p3-challenger rust package is vulnerable to transcript malleability and challenge entropy loss, allowing attackers to craft distinct transcripts that produce identical challenges, breaking the binding property of Fiat-Shamir due to partial-chunk aliasing, non-injective squeeze, and high-bit truncation.","title":"Plonky3 Challenger Transcript Malleability and Challenge Entropy Loss","url":"https://feed.craftedsignal.io/briefs/2026-05-plonky3-challenger/"}],"language":"en","title":"CraftedSignal Threat Feed — Challenge-Entropy","version":"https://jsonfeed.org/version/1.1"}