Proxying is enough

$\mathsf{AEAD.Gen}(\tau) \rightarrow (k, n)$: Generates a secret key $k$ and nonce $n$ from transcript $\tau$. We refer to the pair $(k, n)$ as the context.

$\mathsf{AEAD.Enc}_k(n, a, m) \rightarrow (c, \sigma)$: Encrypts plaintext $m$ using key $k$, nonce $n$, and associated data $a$, producing ciphertext $c$ and authentication tag $\sigma$.

$\mathsf{AEAD.Dec}_k(n, a, c, \sigma) \rightarrow m\ \text{or}\ \mathsf{FAILED}$: Verifies $\sigma$ using $k$, $n$, and $a$. If valid, decrypts $c$ to recover plaintext $m$; otherwise, returns $\mathsf{FAILED}$.

-: A stream cipher method for encrypting plaintext.

: A function used to compute an authentication tag from the ciphertext and associated data.

$m = (m_1, \dots, m_{\ell_m})$

$a = (a_1, \dots, a_{\ell_a})$

where $\ell_m$ and $\ell_a$ are the number of blocks in the plaintext and AD, respectively.

$\mathsf{AES\text{-}GCM.Enc}_k(n, a, m) \rightarrow (c, \sigma)$

$\mathsf{AES\text{-}GCM.Dec}_k(n, a, c, \sigma) \rightarrow m \text{ or } \mathsf{FAILED}$

is an AEAD (Authenticated Encryption with Associated Data) algorithm that combines the following two components:

: A fast stream cipher used for encrypting plaintext.

: A universal hash function that generates an authentication tag from the ciphertext and associated data.

$\mathsf{ChaCha20\text{-}Poly1305.Enc}_k(n, a, m) \rightarrow (c, \sigma)$

Here, $r$ and $s$ are derived as follows:

$\mathsf{ChaCha20\text{-}Poly1305.Dec}_k( n, a, c, \sigma) \rightarrow m \text{ or } \mathsf{FAILED}$

A Context Discovery Attack (CDY) refers to an adversary’s ability to find a valid decryption context $(k, n)$ for a given $(c, a, \sigma)$, even if it is not the original context used during encryption.

The goal is not to recover the plaintext itself, but rather to find any context $(k, n)$ for which decryption succeeds without error.

A Context Commitment Attack (CMT) occurs when an adversary can find two different contexts—say $(k_1, n_1)$ and $(k_2, n_2)$ with $(k_1, n_1) \ne (k_2, n_2)$—that both successfully decrypt the same $(c, a,\sigma)$.

Even if $\mathsf{AES}_{k_1}(n_1) = \mathsf{AES}_{k_2}(n_2)$, it’s possible that $(k_1, n_1) \ne (k_2, n_2)$.

It is also possible that $\mathsf{ChaCha20}_{k_1}(n_1, 0) = \mathsf{ChaCha20}_{k_2}(n_2, 0)$, even if $(k_1, n_1) \ne (k_2, n_2)$.

According to the referenced paper, in AEAD schemes like AES-GCM and ChaCha20-Poly1305, an adversary $\mathcal{A}$ making at most $q$ queries to the oracle can succeed in a CMT (Context Commitment) attack with probability at least $\frac{q}{2^{32}}$.

As illustrated above, when the verifier $\mathcal{V}$ acts as a proxy between the prover (or TLS client) $\mathcal{P}$ and the TLS server $\mathcal{S}$, the following advantages arise:

Since $\mathcal{V}$ only relays messages, this design maintains compatibility with various versions of TLS.

In DECO, since $\mathcal{P}$ knows $k^\mathsf{MAC}$, it can forge a ciphertext $c'$ instead of relaying the actual server response $c$ from $\mathcal{S}$ using $k^\mathsf{MAC}$. To prevent this, DECO splits $k^\mathsf{MAC}$ between $\mathcal{P}$ and $\mathcal{V}$, and only allows $\mathcal{V}$ to reveal its share after $\mathcal{P}$ commits to $c$.

This issue can also be addressed in the proxy-based approach. Because $\mathcal{V}$, acting as a proxy, observes all encrypted requests and responses exchanged between $\mathcal{P}$ and $\mathcal{S}$, it can detect if $\mathcal{P}$ attempts to tamper with the response and use a forged $c'$ instead of the genuine $c$.

In DECO, the issue of forgery arises from $\mathcal{P}$’s knowledge of $k^\mathsf{MAC}$, allowing it to manipulate the ciphertext using that key. To mitigate this, the key was split between $\mathcal{P}$ and $\mathcal{V}$, and $\mathcal{V}$ would only reveal its key share after receiving a commitment to $c$ from $\mathcal{P}$.

Here, $\mathsf{Pred}$ is a user-defined predicate representing the condition the user wants to prove about $\hat{m}$.

However, the constraint $\mathsf{AEAD.Gen(\tau)} \stackrel{?}= (k, n)$ introduces significant complexity. To simplify the circuit, we may omit this constraint and instead define the circuit as:

This is because AEADs used in TLS 1.2/1.3 do not satisfy Key Commitment, making it possible to find two different combinations $(k_1, n_1, m_1)$ and $(k_2, n_2, m_2)$ that decrypt the same triple $(a, c, \sigma)$. For example:

$r_1 = (x: \{ \hat{m}_1, a, c, \sigma \}, w: \{k_1, n_1, m_1\}) \in R$

$r_2 = (x: \{ \hat{m}_2, a, c, \sigma \}, w: \{k_2, n_2, m_2\}) \in R$

If $\hat{m}_1 \ne \hat{m}_2$, and particularly if $\mathsf{Pred}(\hat{m}_1) \ne \mathsf{Pred}(\hat{m}_2)$, then multiple conflicting claims can be proven over the same ciphertext, leading to critical security failures.

According to the paper “,” the key commitment issue can be mitigated using fixed padding. For example, consider prepending 128 bytes of 0x00 to the plaintext as padding. Decrypting to exactly 128 bytes of zeros is extremely difficult. The decryption process of AES-GCM works as follows:

Assume that $b$ fixed padding blocks are inserted at the beginning of the plaintext. For the decrypted output to exactly match the padding, the following condition must hold:

In other words, different key/nonce pairs $(k_1, n_1) \ne (k_2, n_2)$ must produce identical key streams for $b$ blocks—an extremely unlikely event.

An ideal cipher is defined as a collection of functions $\mathcal{E} = \{ E_k : \mathcal{M} \to \mathcal{C} \}$ from a message space $\mathcal{M}$ to a ciphertext space $\mathcal{C}$.

Each $E_k$ is a random permutation over $\mathcal{M}$.

That is, for each key $k$, the function $E_k$ is assumed to be independent and completely random.

💡 In other words, under the ideal cipher model, even when the same input is used with different keys $k_1$ and $k_2$, the outputs are almost certainly unrelated.

As shown in the image above, many web servers—including those of Google and Twitter—prepend HTTP responses with consistently structured data such as the HTTP status code and Date fields. This formatting is considered best practice under , and widely adopted by major web servers like Apache and Nginx. According to the paper, more than 85% of webpages begin with this kind of pattern.

There are approximately 63 HTTP status codes, based on the (excluding unassigned codes). (Interestingly, when I counted them myself, there were 64 HTTP status codes. )

If the HTTP status code and Date header together form a 54-byte string, this effectively corresponds to having $2^{54 \times 8}$ possible padding values. It means that forcing a decryption result to match one of these valid patterns is statistically infeasible for an attacker. In this sense, such structural padding acts as a practical substitute for full key commitment and can offer meaningful protection. (For a detailed analysis, refer to of the paper.)

A CFY attack aims to find a different context $(k_2, n_2)$ such that a given $(c, a, \sigma)$, originally generated under a key and nonce $(k_1, n_1)$, can still be successfully decrypted.

The constraint is that $(k_1, n_1) \ne (k_2, n_2)$.

In other words, the attacker tries to determine whether the ciphertext can be decrypted under a different $(k, n)$ pair than the one originally used.

The structure of a CFY attack closely resembles that of a Second Preimage Attack in cryptographic hash functions. In a Second Preimage Attack, the attacker is given an input $x$ and seeks a different input $x' \ne x$ that hashes to the same value:

This is different from a Preimage Attack, where one is given only a hash output $h$ and must find any corresponding input $x$:

One valid that produces

A second valid that produces

Two valid and that produce a same

The zkTLS attacker must perform a CFY attack, not a CDY attack. This is because $(k_1, n_1)$ is already a valid decryption context, and the attacker’s goal is to find a different context $(k_2, n_2)$ that also successfully decrypts the ciphertext.

For simplicity, let’s assume the ciphertext $c$ consists of a single block and there is no associated data $a$. Under these conditions, the AES-GCM tag $\sigma$ is computed as follows:

Now, suppose an attacker randomly samples a different key $k' \ne k$, and attempts to generate the same tag $\sigma$ using a new context $(k', n')$:

Assuming AES behaves as an ideal cipher, each key defines a reversible permutation. Thus, the attacker can rearrange the above equation to solve for $n'$:

In other words, given $\sigma$, $c$, and $\mathsf{AES}_{k'}(0)$, the attacker can compute a candidate nonce $n'$ that would yield the same tag.

⚠️ However, in TLS, nonces must follow a specific format: among the 64-bit nonce, the last 32 bits must equal $(0^{31}‖1)$. Therefore, the probability that a randomly generated $n'$ satisfies this constraint by chance is:

Each attempt with a new $k'$ requires two AES invocations: one for $\mathsf{AES}_{k'}(0)$ and one for $\mathsf{AES}_{k'}(n')$. If the attacker is limited to a total of $q$ AES queries, they can make approximately $\frac{q}{2}$ attempts.

To simplify the discussion, assume the ciphertext $c$ consists of a single block and there is no associated data $a$. Under this assumption, the ChaCha20-Poly1305 tag $\sigma$ is computed as:

Here, $r$ and $s$ are computed as follows:

The attacker randomly samples a different key and nonce pair $(k', n') \ne (k, n)$ and attempts to generate the same tag $\sigma$ using this new context. For the attack to succeed, the following condition must hold:

Since $\mathsf{ChaCha20}$ behaves as a , different $(k, n)$ pairs will produce independent and uniformly random $(r, s)$ values. Therefore, $s - s'$ is uniformly distributed over $\mathbb{Z}/2^{128}\mathbb{Z}$.

$\mathsf{Poly1305}$ is a , meaning that its output is also uniformly distributed. Hence, if we define:

then $\Delta p(r')$ is uniformly distributed over $\mathbb{Z}/2^{128}\mathbb{Z}$ as well.

Therefore, if the attacker is allowed to make $q$ queries, the upper bound on the total success probability is: