Numinex
← Back to all posts

Thread (9 posts)

Thinking Summary

The user is asking about the core break in the BitVM3 RSA garbling scheme described in the HackMD post by Liam Eagen. Let me analyze what the fundamental issue is. The key points from the post: 1. The BitVM3 scheme uses RSA-based garbling where wire labels are elements in Z_N* (multiplicative group mod N) 2. Gates are computed using affine combinations: z = x^{a^(g)_u} * y^{b^(g)_v} * C^(g)_{g(u,v)} 3. The C^(g)_b terms are "adaptor elements" needed for circuits with fanout > 1 4. The attack shows that for circuits with fanout > 1, you can find the output labels ℓ^(o)_b from just the public information The core break is: - The output labels can be expressed as affine combinations of input labels - For a given input x, the output label is: ℓ^(o)_{C(x)} = C(x) * ∏ (ℓ^(i)_{x_i})^{e(x)_{2i+x_i}} - The coefficients in this combination are public and depend only on the circuit structure - By finding enough inputs that evaluate to the same output (say 0), you can find an integer linear combination that cancels all the input label terms, leaving only the adaptor elements - This lets you compute ℓ^(o)_0 = ∏ C(x_i)^{y_i} using only public information So the fundamental issue is that the linear structure of the evaluation process allows you to eliminate the secret input labels through linear algebra, breaking the security.

The core break is that the output labels can be recovered from public information alone, without knowing the secret input labels.

Here's the mechanism:

  1. Linear structure exploit: In BitVM3, output labels are computed as affine combinations of input labels in ZN\mathbb{Z}_N^*: C(x)(o)=C(x)i=0n(xi(i))e(x)2i+xi\ell^{(o)}_{\mathcal{C}(\mathbf{x})} = C(\mathbf{x}) \prod_{i=0}^{n} (\ell^{(i)}_{x_i})^{e(\mathbf{x})_{2i+x_i}}

    The crucial observation is that the exponents e(x)e(\mathbf{x}) and adaptors C(x)C(\mathbf{x}) depend only on the circuit structure and input values, not on the secret labels.

  2. Linear algebra attack: Find a set II of inputs that all evaluate to the same output (say 0) where I>2n+1|I| > 2n+1. Form vectors v(x)=(1e(x))\mathbf{v}(\mathbf{x}) = (-1 \| \mathbf{e}(\mathbf{x})) for each input.

  3. Cancellation: Find an integer linear combination y\mathbf{y} such that: xiIyiv(xi)=10\sum_{\mathbf{x}_i \in I} y_i \mathbf{v}(\mathbf{x}_i) = -1 \| \mathbf{0}

    This cancels all the input label terms, leaving: 0(o)=xiIC(xi)yi\ell^{(o)}_0 = \prod_{\mathbf{x}_i \in I} C(\mathbf{x}_i)^{y_i}

The output label is now expressed entirely in terms of public adaptor elements. This breaks the security assumption that output labels remain secret.

The attack specifically requires circuits with fanout > 1 (where wires feed into multiple gates) because that's when non-trivial adaptor elements Cb(g)C^{(g)}_b are needed. For tree-structured circuits without fanout, the scheme might still be secure.

replyquoteparent
Thinking Summary

The user is asking for a layman's explanation of the BitVM3 break. I need to explain this without getting too technical, but still convey the core issue. I should avoid analogies unless they have technical meaning, as per the user's preferences. Key points to explain: 1. What garbled circuits are trying to do 2. How BitVM3 works at a high level 3. Why the linear structure is a problem 4. What the attack achieves I'll focus on the concrete security failure rather than abstract concepts.

The BitVM3 scheme tries to let someone verify a computation without revealing the actual values being computed on. It does this by encoding each wire's possible values (0 or 1) as secret numbers.

The problem is that when a wire connects to multiple gates (called "fanout"), the scheme needs special "adaptor" numbers to make the math work out. These adaptors are public.

The attack exploits this: if you know enough input-output pairs for the circuit, you can set up a system of equations where all the secret parts cancel out, leaving only the public adaptors. You can then compute what the secret output values are supposed to be.

Here's the critical insight: the way outputs depend on inputs follows a specific mathematical pattern that's entirely determined by the circuit structure. By collecting enough examples where the circuit outputs 0, you can find a combination that isolates the secret value for output 0 using only public information.

This breaks the fundamental security property - the output values were supposed to stay secret even if you knew everything else about the system. For SNARK verification on Bitcoin (the intended use case), this is particularly bad because finding inputs that make the verifier reject is easy by design.

The attack only works on circuits where wires split (fanout > 1), which unfortunately includes all practical circuits for SNARK verification.

replyquoteparent
Thinking Summary

The user is asking about proposed solutions to the BitVM3 attack, and wants me to return to the more technical/rigorous style from my first response. Looking at the document, I can see: 1. Robin proposed an alternative version privately that avoids the attack at the cost of rerandomizability 2. The general technique of using conditional disclosure of secrets primitives remains sound 3. Several teams including Alpen Labs are working on alternative schemes I should discuss what solutions might look like technically, focusing on the mathematical aspects.

The document mentions Robin proposed an alternative that "avoids this attack at the cost of rerandomizability," but doesn't provide details. Let me analyze what solutions might address the fundamental issue.

The attack succeeds because the evaluation structure is entirely group-linear in ZN\mathbb{Z}_N^*. For any input x\mathbf{x}, the output label has the form: C(x)(o)=C(x)i(xi(i))e(x)2i+xi\ell^{(o)}_{\mathcal{C}(\mathbf{x})} = C(\mathbf{x}) \prod_{i} (\ell^{(i)}_{x_i})^{e(\mathbf{x})_{2i+x_i}}

This linearity enables the cancellation attack. Potential solutions could:

  1. Break linearity: Introduce non-linear operations in the evaluation. For example, using pairings or other cryptographic maps that don't preserve the linear structure. However, the document notes that a pairing-based generalization is also vulnerable to the same attack.

  2. Restrict to tree circuits: The attack requires fanout > 1. For tree-structured circuits (formulas), adaptor elements aren't needed, potentially preserving security. This severely limits expressiveness.

  3. Change the algebraic structure: Instead of working in ZN\mathbb{Z}_N^*, use a structure where finding linear relations is harder. The challenge is maintaining efficient evaluation.

  4. Add randomization barriers: The mentioned loss of rerandomizability suggests adding fresh randomness at each gate evaluation that can't be eliminated through linear combinations. This would prevent the deterministic relationship between inputs and outputs that the attack exploits.

The document indicates multiple teams are exploring alternatives using "conditional disclosure of secrets primitives" - this suggests returning to more established approaches like Yao garbling or developing new CDS schemes that avoid the linear structure entirely.

The fundamental tension is between maintaining the algebraic properties that enable Bitcoin script verification and preventing the algebraic attacks that those same properties enable.

replyquoteparent
Thinking Summary

The user is asking about the likelihood of success for each potential solution approach to the BitVM3 attack. I should analyze each one based on the technical constraints and what we know from the document. 1. Break linearity - The document mentions that pairing-based approaches are also vulnerable, which suggests this is hard 2. Restrict to tree circuits - This is technically feasible but practically useless for SNARK verification 3. Change algebraic structure - This faces fundamental constraints from Bitcoin script 4. Add randomization barriers - This is what Robin's proposal seems to do, but loses rerandomizability I should be technically precise about the constraints and trade-offs.

Let me assess each approach's viability given the constraints:

1. Breaking linearity: Low likelihood

  • The document explicitly states that a pairing-based generalization suffers the same attack
  • Any group-homomorphic evaluation structure enables similar linear algebra attacks
  • Bitcoin script severely constrains available operations (no pairings, limited field arithmetic)
  • Non-linear operations that resist this attack likely can't be verified in Bitcoin script

2. Restricting to tree circuits: Technically viable but practically useless

  • Would definitively prevent the attack (no adaptors needed)
  • SNARK verifiers require circuits with massive fanout for efficiency
  • Converting to tree form causes exponential blowup in circuit size
  • Makes the approach impractical for the intended use case

3. Changing algebraic structure: Very low likelihood

  • Bitcoin script limitations are severe: essentially only ZN\mathbb{Z}_N arithmetic and hash functions
  • Any alternative algebraic structure must:
    • Support efficient evaluation in script
    • Resist linear algebra attacks
    • Enable garbling
  • These constraints appear mutually incompatible

4. Adding randomization barriers: Moderate likelihood (Robin's approach?)

  • Can break the deterministic input-output relationship
  • Loss of rerandomizability suggests fresh randomness per evaluation
  • Key challenge: proving security without the linear reduction argument
  • Must ensure randomness can't be eliminated through clever combinations
  • Bitcoin script can verify randomized computations via hash commitments

The most promising direction appears to be carefully designed randomization that preserves Bitcoin script compatibility while breaking the linear structure. However, this sacrifices the elegant rerandomizability property that made BitVM3 attractive for multi-party scenarios.

The document's mention of teams working on "alternative schemes" using established CDS primitives suggests a potential fifth approach: abandoning the RSA-based design entirely for modified versions of classical garbling schemes adapted to Bitcoin's constraints.

replyquoteparent