GHSA-3G92-F9CH-QJCM
Vulnerability from github – Published: 2026-04-16 22:52 – Updated: 2026-04-16 22:52Vulnerability
Currently, when hashing, if the number of elements to hash is not a multiple of the rate, hash_iter pads by elements of
the current state. This means that it is possible to create iterators of different lengths which lead to an identical hashed state.
Given a simple example using a PaddingFreeSponge with width 8 and rate 4.
Start with the zero state: [0, 0, 0, 0, 0, 0, 0, 0]
Take the first 4 elements to hash and insert into the first 4 elements of the state: [h0, h1, h2, h3, 0, 0, 0, 0]
Run the cryptographic permutation on the state: [p00, p10, p20, p30, p40, p50, p60, p70]
Take the next 4 elements to hash and insert into the first 4 elements of the state: [h4, h5, h6, h7, p40, p50, p60, p70] Run the cryptographic permutation: [p01, p11, p21, p31, p41, p51, p61, p71]
Repeat the above two steps until all elements of the iterator have been consumed.
If the number of elements in the iterator is not a multiple of 4 (say there are 10 elements) then, in the final round, the first 2 elements are overwritten and so our final hash would be of: [h8, h9, p21, p31, p41, p51, p61, p71]
This means that the iterators over the elements [h0, h1, h2, h3, h4, h5, h6, h7, h8, h9] and [h0, h1, h2, h3, h4, h5, h6, h7, h8, h9, p21] would lead to the same final state of the hasher.
Impact
The impact of this vulnerability is a little difficult to estimate. It is important to note that, in circumstances where the number of elements to be hashed is known and fixed in advance, (as is the case for most STARKS), the method is collision resistant. This vulnerability only applies if a malicious user is able to manipulate the number of elements to be hashed.
That being said, there are theoretically situations where this could allow for an amortising of grinding costs (if a prover can manipulate things to get the same hasher state across multiple proofs).
Patches
The fix comes in two parts. The documentation on the current struct PaddingFreeSponge has been improved to clarify its intended use case and highlight that it is not collision resistant if an attacker can modify the number of elements being hashed.
In addition we add a new struct Pad10Sponge which is slightly less efficient but safe in all cases. The padding strategy of the new struct is as follows:
If the number of elements in the iterator is not a multiple of the rate, use a 10 padding scheme. If it is a multiple of the rate add 1 to the first secret state element. In the above example, for hashes of length 9, 10, 11, 12, the final state to be permuted would be [h8, 1, 0, 0, p41, p51, p61, p71] [h8, h9, 1, 0, p41, p51, p61, p71] [h8, h9, h10, 1, p41, p51, p61, p71] [h8, h9, h10, h11, p41 + 1, p51, p61, p71]
As can be seen, it is now impossible for iterators of different lengths to produce the same "final state" to be hashed which restores collision resistance. (See the following for more details padding-in-sponge.pdf)
Thanks
Many thanks to Benedikt Wagner, Dmitry Khovratovich and Bart Mennink for reporting this issue.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "p3-symmetric"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.5.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-328"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-16T22:52:41Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Vulnerability\nCurrently, when hashing, if the number of elements to hash is not a multiple of the rate, `hash_iter` pads by elements of\nthe current state. This means that it is possible to create iterators of different lengths which lead to an identical hashed state.\n\nGiven a simple example using a `PaddingFreeSponge` with width 8 and rate 4.\nStart with the zero state: [0, 0, 0, 0, 0, 0, 0, 0]\nTake the first 4 elements to hash and insert into the first 4 elements of the state: [h0, h1, h2, h3, 0, 0, 0, 0]\nRun the cryptographic permutation on the state: [p00, p10, p20, p30, p40, p50, p60, p70]\n\nTake the next 4 elements to hash and insert into the first 4 elements of the state: [h4, h5, h6, h7, p40, p50, p60, p70]\nRun the cryptographic permutation: [p01, p11, p21, p31, p41, p51, p61, p71]\n\nRepeat the above two steps until all elements of the iterator have been consumed.\n\nIf the number of elements in the iterator is not a multiple of 4 (say there are 10 elements) then, in the final round,\nthe first 2 elements are overwritten and so our final hash would be of: [h8, h9, p21, p31, p41, p51, p61, p71]\n\nThis means that the iterators over the elements [h0, h1, h2, h3, h4, h5, h6, h7, h8, h9] and [h0, h1, h2, h3, h4, h5, h6, h7, h8, h9, p21] would lead to the same final state of the hasher.\n\n### Impact\n\nThe impact of this vulnerability is a little difficult to estimate. It is important to note that, in circumstances where the number of elements to be hashed is known and fixed in advance, (as is the case for most STARKS), the method is collision resistant. This vulnerability only applies if a malicious user is able to manipulate the number of elements to be hashed.\n\nThat being said, there are theoretically situations where this could allow for an amortising of grinding costs (if a prover can manipulate things to get the same hasher state across multiple proofs).\n\n### Patches\n\nThe fix comes in two parts. The documentation on the current struct `PaddingFreeSponge` has been improved to clarify its intended use case and highlight that it is not collision resistant if an attacker can modify the number of elements being hashed.\n\nIn addition we add a new struct `Pad10Sponge` which is slightly less efficient but safe in all cases. The padding strategy of the new struct is as follows:\n\nIf the number of elements in the iterator is not a multiple of the rate, use a 10 padding scheme. If it is a multiple of the rate add 1 to the first secret state element. In the above example, for hashes of length 9, 10, 11, 12, the final state to be permuted would be\n[h8, 1, 0, 0, p41, p51, p61, p71]\n[h8, h9, 1, 0, p41, p51, p61, p71]\n[h8, h9, h10, 1, p41, p51, p61, p71]\n[h8, h9, h10, h11, p41 + 1, p51, p61, p71]\n\nAs can be seen, it is now impossible for iterators of different lengths to produce the same \"final state\" to be hashed which restores collision resistance. (See the following for more details [padding-in-sponge.pdf](https://github.com/user-attachments/files/24465342/padding-in-sponge.pdf))\n\n### Thanks\nMany thanks to Benedikt Wagner, Dmitry Khovratovich and Bart Mennink for reporting this issue.",
"id": "GHSA-3g92-f9ch-qjcm",
"modified": "2026-04-16T22:52:41Z",
"published": "2026-04-16T22:52:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Plonky3/Plonky3/security/advisories/GHSA-3g92-f9ch-qjcm"
},
{
"type": "WEB",
"url": "https://github.com/Plonky3/Plonky3/commit/5c1dc1d64c0516a8911bbf3ea40f173c21d6ae47"
},
{
"type": "PACKAGE",
"url": "https://github.com/Plonky3/Plonky3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Plonky3: The sponge construction used to get a hash function from a cryptographic permutation is not collision resistant for inputs of different lengths"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.