Lately we’ve been analyzing the RSA-based garbling schemes used in BitVM3 and related designs.
Our research shows that, even with a very small circuit, malicious evaluators can forge wire labels and break the security of the system.
This affects both the original scheme and the alternative proposed by Alva Fu, Stephen Duan, and Ethan Zhu.
A minimal example demonstrates how a malicious evaluator can exploit the scheme. The attack uses a small circuit consisting of two AND gates and three inputs, and does not depend on reblinding or sub-circuit reuse.
Check out our findings in the following links:
Technical description 🔗 here: A note on the security of the BitVM3 garbling scheme
Example implementation & demo: