Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
2.9
Plonky3 Hashing Error: Unpredictable Hashes for Non-Multiple Input Lengths
GHSA-3g92-f9ch-qjcm
Summary
A hashing error in Plonky3 allows for the creation of identical hashes from different input lengths, which could lead to unintended consequences in applications relying on hash uniqueness. This issue affects any system using Plonky3 for hashing, particularly those where input lengths may vary. To mitigate this risk, consider using a secure hashing algorithm that is resistant to collisions.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| rust | – | p3-symmetric | <= 0.5.2 |
Original title
Plonky3: The sponge construction used to get a hash function from a cryptographic permutation is not collision resistant for inputs of different lengths
Original description
### Vulnerability
Currently, when hashing, if the number of elements to hash is not a multiple of the rate, `hash_iter` pads by elements of
the current state. This means that it is possible to create iterators of different lengths which lead to an identical hashed state.
Given a simple example using a `PaddingFreeSponge` with width 8 and rate 4.
Start with the zero state: [0, 0, 0, 0, 0, 0, 0, 0]
Take the first 4 elements to hash and insert into the first 4 elements of the state: [h0, h1, h2, h3, 0, 0, 0, 0]
Run the cryptographic permutation on the state: [p00, p10, p20, p30, p40, p50, p60, p70]
Take the next 4 elements to hash and insert into the first 4 elements of the state: [h4, h5, h6, h7, p40, p50, p60, p70]
Run the cryptographic permutation: [p01, p11, p21, p31, p41, p51, p61, p71]
Repeat the above two steps until all elements of the iterator have been consumed.
If the number of elements in the iterator is not a multiple of 4 (say there are 10 elements) then, in the final round,
the first 2 elements are overwritten and so our final hash would be of: [h8, h9, p21, p31, p41, p51, p61, p71]
This means that the iterators over the elements [h0, h1, h2, h3, h4, h5, h6, h7, h8, h9] and [h0, h1, h2, h3, h4, h5, h6, h7, h8, h9, p21] would lead to the same final state of the hasher.
### Impact
The impact of this vulnerability is a little difficult to estimate. It is important to note that, in circumstances where the number of elements to be hashed is known and fixed in advance, (as is the case for most STARKS), the method is collision resistant. This vulnerability only applies if a malicious user is able to manipulate the number of elements to be hashed.
That being said, there are theoretically situations where this could allow for an amortising of grinding costs (if a prover can manipulate things to get the same hasher state across multiple proofs).
### Patches
The fix comes in two parts. The documentation on the current struct `PaddingFreeSponge` has been improved to clarify its intended use case and highlight that it is not collision resistant if an attacker can modify the number of elements being hashed.
In addition we add a new struct `Pad10Sponge` which is slightly less efficient but safe in all cases. The padding strategy of the new struct is as follows:
If the number of elements in the iterator is not a multiple of the rate, use a 10 padding scheme. If it is a multiple of the rate add 1 to the first secret state element. In the above example, for hashes of length 9, 10, 11, 12, the final state to be permuted would be
[h8, 1, 0, 0, p41, p51, p61, p71]
[h8, h9, 1, 0, p41, p51, p61, p71]
[h8, h9, h10, 1, p41, p51, p61, p71]
[h8, h9, h10, h11, p41 + 1, p51, p61, p71]
As can be seen, it is now impossible for iterators of different lengths to produce the same "final state" to be hashed which restores collision resistance. (See the following for more details [padding-in-sponge.pdf](https://github.com/user-attachments/files/24465342/padding-in-sponge.pdf))
### Thanks
Many thanks to Benedikt Wagner, Dmitry Khovratovich and Bart Mennink for reporting this issue.
Currently, when hashing, if the number of elements to hash is not a multiple of the rate, `hash_iter` pads by elements of
the current state. This means that it is possible to create iterators of different lengths which lead to an identical hashed state.
Given a simple example using a `PaddingFreeSponge` with width 8 and rate 4.
Start with the zero state: [0, 0, 0, 0, 0, 0, 0, 0]
Take the first 4 elements to hash and insert into the first 4 elements of the state: [h0, h1, h2, h3, 0, 0, 0, 0]
Run the cryptographic permutation on the state: [p00, p10, p20, p30, p40, p50, p60, p70]
Take the next 4 elements to hash and insert into the first 4 elements of the state: [h4, h5, h6, h7, p40, p50, p60, p70]
Run the cryptographic permutation: [p01, p11, p21, p31, p41, p51, p61, p71]
Repeat the above two steps until all elements of the iterator have been consumed.
If the number of elements in the iterator is not a multiple of 4 (say there are 10 elements) then, in the final round,
the first 2 elements are overwritten and so our final hash would be of: [h8, h9, p21, p31, p41, p51, p61, p71]
This means that the iterators over the elements [h0, h1, h2, h3, h4, h5, h6, h7, h8, h9] and [h0, h1, h2, h3, h4, h5, h6, h7, h8, h9, p21] would lead to the same final state of the hasher.
### Impact
The impact of this vulnerability is a little difficult to estimate. It is important to note that, in circumstances where the number of elements to be hashed is known and fixed in advance, (as is the case for most STARKS), the method is collision resistant. This vulnerability only applies if a malicious user is able to manipulate the number of elements to be hashed.
That being said, there are theoretically situations where this could allow for an amortising of grinding costs (if a prover can manipulate things to get the same hasher state across multiple proofs).
### Patches
The fix comes in two parts. The documentation on the current struct `PaddingFreeSponge` has been improved to clarify its intended use case and highlight that it is not collision resistant if an attacker can modify the number of elements being hashed.
In addition we add a new struct `Pad10Sponge` which is slightly less efficient but safe in all cases. The padding strategy of the new struct is as follows:
If the number of elements in the iterator is not a multiple of the rate, use a 10 padding scheme. If it is a multiple of the rate add 1 to the first secret state element. In the above example, for hashes of length 9, 10, 11, 12, the final state to be permuted would be
[h8, 1, 0, 0, p41, p51, p61, p71]
[h8, h9, 1, 0, p41, p51, p61, p71]
[h8, h9, h10, 1, p41, p51, p61, p71]
[h8, h9, h10, h11, p41 + 1, p51, p61, p71]
As can be seen, it is now impossible for iterators of different lengths to produce the same "final state" to be hashed which restores collision resistance. (See the following for more details [padding-in-sponge.pdf](https://github.com/user-attachments/files/24465342/padding-in-sponge.pdf))
### Thanks
Many thanks to Benedikt Wagner, Dmitry Khovratovich and Bart Mennink for reporting this issue.
ghsa CVSS4.0
2.9
Vulnerability type
CWE-328
Published: 16 Apr 2026 · Updated: 16 Apr 2026 · First seen: 16 Apr 2026