Zellic - Audit Reports

MiMC hash-length extension attack

The MiMC hash implementation in Noir stdlib is prone to a possible hash-length extension attack. Someone is able to create a hash of a secret value concatenated with values they control without knowing the secret values themself.

I f t h ey kn o wt h e ha s h h_{1} = H (ρ) o f a secre t v a l u e ρ, t h eyc an co m p u t e an e w ha s h h_{2} = H (ρ, x) f or an y v a l u e x j u s t kn o w in g t h e v a l u eo f h_{1} .

Here is an example in JavaScript using the TypeScript implementation of Singularity:

> h1 = singularity.mimc_bn254([secret])
6330754968575099758421459477990008027487643103853686899483588894031458107821n
> ht = (h1 + 2n + singularity.mimc(2n, h1, singularity.constants, 7n)) % singularity.P
14068749358199635716244899654758139174543955001947899909971002288403713001091n
> h2 = singularity.mimc_bn254([secret, 2n])
14068749358199635716244899654758139174543955001947899909971002288403713001091n
> h2 == ht
true

This primitive is also implemented in Mimc254 to be compatible with the Noir language circuit calls to this primitive in the Noir standard library. Therefore, the Noir language implementation is impacted and the Noir developers have been contacted.

No practical exploitation in the circuits has been found in the current implementation. Nevertheless, this needs to be taken into account for further development of the project. The same issue has been reported to the gnark-crypto↗ project.

The documentation and code comments should warn about this property to avoid misusage. To avoid this threat, the Poseidon hash function, implemented in Noir, can be used.

Singularity added a warning to the code in commit .