A new paper "How to Prove False Statements: Practical Attacks on Fiat-Shamir" (https://eprint.iacr.org/2025/118.pdf) shows attacks on GKR-based protocols.
We should analyze if these attacks apply in the bulletproofs-r1cs setting. Namely, there are some "tricks" which allow you to make intermediate variables that don't require commitments (for example, the bulletproofs range proof does not commit to each bit in the value, only the total value). This is a similar shape to what enables the attack on GKR-based protocols. From the paper:
"GKR-based protocol has the key property that the prover does not commit to the full computation trace (indeed, this is one of the most compelling features of this protocol). Unfortunately, the fact that the computation is not committed to also enables our attack."
However, maybe this attack only becomes relevant if the depth of the circuit is large enough to encode the hash function - so, not a practical attack for this proof system. But this is still worth looking into further.