fix: Resolution of bugs from bigfield audits #9547

Merged
merged 36 commits into from
Oct 31, 2024
36 commits
7f47f71
cmake fix
Rumata888 Oct 29, 2024
d67b760
Fix for issue 1 (ZKS.00) "Deduplicating Cached Multiplications Leaves
Rumata888 Jul 15, 2024
2babdcd
Fix for issue 2 (ZKS.02, SPB.3.1.1) Unconstrained exponent
Rumata888 Jul 16, 2024
8ffcc6c
Fix for issue 3 (ZKS.03, SPB.3.2.1) Unconstrained limbs in exponentia…
Rumata888 Jul 17, 2024
7d0c73e
Fix for issue 4 (ZKS.01, ZLC.3.4, SPB 3.1.2) Broken bigfield construc…
Rumata888 Jul 16, 2024
a8ee595
Fix for issue 5 (ZKS.04, ZLC.3.1, ZLC.3.2, SPB3.3.2) Maximum Limb Siz…
Rumata888 Jul 30, 2024
35b0114
Fix for issue 6 (ZKS.05) Broken Bigfield Constructor for Fields of Od…
Rumata888 Jul 17, 2024
0d6d7ed
Fix for issue 7 (ZKS.06, SPB.3.4.1) Swapped Range Constraints on Carries
Rumata888 Jul 17, 2024
ceaa933
Fix for issue 8 (ZKS.07, ZLC3.5, ZLC3.6, SPB3.5.6) Unsafe Constructor…
Rumata888 Jul 17, 2024
9172f9e
Fix for issue 9 (ZLC.3.3) Underflow possible in evaluate_non_native_f…
Sarkoxed Aug 7, 2024
122757e
Fix for issue 10 (SPB.3.3.1) to_byte_array can have aliases
Rumata888 Sep 26, 2024
1c29e5e
Fix for issue 11 (ZKS.0b, ZLC.3.7) Proving that multiples of p are un…
Rumata888 Jul 31, 2024
4ae02d4
Fix for issue 12 (ZKS.09) Maximum High Carry Too Small
Rumata888 Jul 17, 2024
975290f
Fix for issue 13 (ZLC.3.8) Equation checks not enforced
Rumata888 Jul 31, 2024
a2ed963
Fix for issue 14 (ZLC.3.11) Null-pointer dereference
Rumata888 Aug 1, 2024
202bdf3
Fix for issue 16 (ZKS.0e, ZLC.3.12) Handling of max argument to Limb …
Rumata888 Jul 17, 2024
3d2a454
Fix for issue 17 (SPB.3.4.2) Assertion needed to prevent bypass range…
Rumata888 Sep 26, 2024
f508f3c
Fix for issue 19 (ZLC.3.9) Large limbs for constant inputs to conditi…
Rumata888 Aug 1, 2024
8880b4b
Fix for issue 20 (ZLC.3.10) Incomplete constant check
Rumata888 Aug 1, 2024
6cf1389
Fix for issue 22 (ZLC.3.14) Behavior of assert_equal for constant ope…
Rumata888 Aug 6, 2024
0291f09
Fix for issue 23 (ZLC.3.15) Assert for add_to_lower_limb could be ine…
Rumata888 Aug 6, 2024
14b006d
Fix for informational issue Missing limb maximum-value check
Rumata888 Aug 6, 2024
707bcc5
Fix for informational issue Equality comparison for null-pointer context
Rumata888 Aug 6, 2024
3bfae51
Fix for informational issue Maximum Carry Size Can Underflow 0
Rumata888 Jul 17, 2024
edee027
Fix for informational issue Redundant Normalize (also fixed a soundne…
Rumata888 Jul 17, 2024
dd351ff
Fix for informational issue Redundant Bigfield Reduction
Rumata888 Jul 17, 2024
e899394
Fix for informational issue Mixing Constant and Variable Limbs Is Not…
Rumata888 Jul 18, 2024
e1cedf0
Fix for informational issue Moduli With 249 Bits Or Less Are Not Supp…
Rumata888 Jul 18, 2024
455a6ca
Fix for informational issue Unnecessary duplicated code in assert_equal
Rumata888 Sep 25, 2024
52b1c37
Fix for informational issue Unnecessary duplicated code
Rumata888 Oct 30, 2024
105f33f
Fix for informational issue Operator overloading for division is dang…
Rumata888 Sep 26, 2024
2e0d33f
Fix for informational issue Code duplication in assert_*
Rumata888 Sep 26, 2024
7bdb3f3
Fix for informational issue assert_equal with a constant without self…
Rumata888 Sep 26, 2024
e33472c
format fix
Rumata888 Oct 30, 2024
a695988
fix
Rumata888 Oct 31, 2024
a728268
Merge branch 'master' into is/bigfield_fixes_from_3_venodors
Rumata888 Oct 31, 2024
Expand Up @@ -611,22 +611,20 @@ TEST(UltraCircuitConstructor, NonNativeFieldMultiplication)

const auto split_into_limbs = [&](const uint512_t& input) {
constexpr size_t NUM_BITS = 68;
std::array<fr, 5> limbs;
std::array<fr, 4> limbs;
limbs[0] = input.slice(0, NUM_BITS).lo;
limbs[1] = input.slice(NUM_BITS * 1, NUM_BITS * 2).lo;
limbs[2] = input.slice(NUM_BITS * 2, NUM_BITS * 3).lo;
limbs[3] = input.slice(NUM_BITS * 3, NUM_BITS * 4).lo;
limbs[4] = fr(input.lo);
return limbs;
};

const auto get_limb_witness_indices = [&](const std::array<fr, 5>& limbs) {
std::array<uint32_t, 5> limb_indices;
const auto get_limb_witness_indices = [&](const std::array<fr, 4>& limbs) {
std::array<uint32_t, 4> limb_indices;
limb_indices[0] = circuit_constructor.add_variable(limbs[0]);
limb_indices[1] = circuit_constructor.add_variable(limbs[1]);
limb_indices[2] = circuit_constructor.add_variable(limbs[2]);
limb_indices[3] = circuit_constructor.add_variable(limbs[3]);
limb_indices[4] = circuit_constructor.add_variable(limbs[4]);
return limb_indices;
};
const uint512_t BINARY_BASIS_MODULUS = uint512_t(1) << (68 * 4);
Expand Down Expand Up @@ -671,22 +669,20 @@ TEST(UltraCircuitConstructor, NonNativeFieldMultiplicationSortCheck)

const auto split_into_limbs = [&](const uint512_t& input) {
constexpr size_t NUM_BITS = 68;
std::array<fr, 5> limbs;
std::array<fr, 4> limbs;
limbs[0] = input.slice(0, NUM_BITS).lo;
limbs[1] = input.slice(NUM_BITS * 1, NUM_BITS * 2).lo;
limbs[2] = input.slice(NUM_BITS * 2, NUM_BITS * 3).lo;
limbs[3] = input.slice(NUM_BITS * 3, NUM_BITS * 4).lo;
limbs[4] = fr(input.lo);
return limbs;
};

const auto get_limb_witness_indices = [&](const std::array<fr, 5>& limbs) {
std::array<uint32_t, 5> limb_indices;
const auto get_limb_witness_indices = [&](const std::array<fr, 4>& limbs) {
std::array<uint32_t, 4> limb_indices;
limb_indices[0] = circuit_constructor.add_variable(limbs[0]);
limb_indices[1] = circuit_constructor.add_variable(limbs[1]);
limb_indices[2] = circuit_constructor.add_variable(limbs[2]);
limb_indices[3] = circuit_constructor.add_variable(limbs[3]);
limb_indices[4] = circuit_constructor.add_variable(limbs[4]);
return limb_indices;
};
const uint512_t BINARY_BASIS_MODULUS = uint512_t(1) << (68 * 4);
2 changes: 1 addition & 1 deletion barretenberg/cpp/src/barretenberg/dsl/CMakeLists.txt
Expand Up @@ -13,7 +13,7 @@ set(DSL_DEPENDENCIES
stdlib_schnorr
stdlib_honk_verifier)

if (NOT WASM)
if (NOT WASM AND NOT DISABLE_AZTEC_VM)
list(APPEND DSL_DEPENDENCIES libdeflate::libdeflate_static vm)
endif()

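Review bot: The new guard `if (NOT WASM AND NOT DISABLE_AZTEC_VM)` depends on `DISABLE_AZTEC_VM` being declared somewhere outside this hunk, and nothing here says what the default is. In CMake an undefined variable is false, so `NOT DISABLE_AZTEC_VM` is true and the previous behaviour (linking `libdeflate::libdeflate_static vm`) is kept by default, but that is implicit; a one-line comment such as `# DISABLE_AZTEC_VM (option, default OFF) lets builds without the AVM drop the vm and libdeflate link dependencies` would make the intent visible next to the guard. This assumes the variable is declared with `option()`, so that `OFF`/`0` cache values are handled consistently; its declaration is not in this hunk.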
Expand Up @@ -114,11 +114,12 @@ AggregationObjectIndices create_recursion_constraints(Builder& builder,
if (!inner_aggregation_indices_all_zero) {
std::array<bn254::BaseField, 4> aggregation_elements;
for (size_t i = 0; i < 4; ++i) {
aggregation_elements[i] =
bn254::BaseField(field_ct::from_witness_index(&builder, aggregation_input[4 * i]),
field_ct::from_witness_index(&builder, aggregation_input[4 * i + 1]),
field_ct::from_witness_index(&builder, aggregation_input[4 * i + 2]),
field_ct::from_witness_index(&builder, aggregation_input[4 * i + 3]));
aggregation_elements[i] = bn254::BaseField::construct_from_limbs(
field_ct::from_witness_index(&builder, aggregation_input[4 * i]),
field_ct::from_witness_index(&builder, aggregation_input[4 * i + 1]),
field_ct::from_witness_index(&builder, aggregation_input[4 * i + 2]),
field_ct::from_witness_index(&builder, aggregation_input[4 * i + 3]));

aggregation_elements[i].assert_is_in_field();
}
// If we have a previous aggregation object, assign it to `previous_aggregation` so that it is included
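Review bot: The pair `construct_from_limbs(...)` followed by `aggregation_elements[i].assert_is_in_field()` is the right shape, but nothing in the loop says what each call guarantees, so a reader has to infer that limb range checks and the `< p` check are separate obligations. Suggest a comment above the loop along the lines of `// construct_from_limbs range-constrains each limb; assert_is_in_field additionally rejects non-canonical encodings (values >= p) of the pairing-point coordinates that an untrusted inner proof could otherwise supply`. That `construct_from_limbs` constrains the limbs is inferred from it replacing the old constructor in this PR, not visible in the hunk, so adjust the wording if it does not. The enclosing `create_recursion_constraints` starts and ends outside the hunk.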
Expand Up @@ -593,22 +593,20 @@ TYPED_TEST(ultra_plonk_composer, non_native_field_multiplication)

const auto split_into_limbs = [&](const uint512_t& input) {
constexpr size_t NUM_BITS = 68;
std::array<fr, 5> limbs;
std::array<fr, 4> limbs;
limbs[0] = input.slice(0, NUM_BITS).lo;
limbs[1] = input.slice(NUM_BITS * 1, NUM_BITS * 2).lo;
limbs[2] = input.slice(NUM_BITS * 2, NUM_BITS * 3).lo;
limbs[3] = input.slice(NUM_BITS * 3, NUM_BITS * 4).lo;
limbs[4] = fr(input.lo);
return limbs;
};

const auto get_limb_witness_indices = [&](const std::array<fr, 5>& limbs) {
std::array<uint32_t, 5> limb_indices;
const auto get_limb_witness_indices = [&](const std::array<fr, 4>& limbs) {
std::array<uint32_t, 4> limb_indices;
limb_indices[0] = builder.add_variable(limbs[0]);
limb_indices[1] = builder.add_variable(limbs[1]);
limb_indices[2] = builder.add_variable(limbs[2]);
limb_indices[3] = builder.add_variable(limbs[3]);
limb_indices[4] = builder.add_variable(limbs[4]);
return limb_indices;
};
const uint512_t BINARY_BASIS_MODULUS = uint512_t(1) << (68 * 4);
Expand Up @@ -82,8 +82,9 @@ bool_t<Builder> ecdsa_verify_signature(const stdlib::byte_array<Builder>& messag
// Read more about this at: https://www.derpturkey.com/inherent-malleability-of-ecdsa-signatures/amp/
s.assert_less_than((Fr::modulus + 1) / 2);

Fr u1 = z / s;
Fr u2 = r / s;
// We already checked that s is nonzero
Fr u1 = z.div_without_denominator_check(s);
Fr u2 = r.div_without_denominator_check(s);

public_key.validate_on_curve();

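Review bot: The new comment `// We already checked that s is nonzero` refers to a check that is not in this hunk; the only constraint on `s` visible here is the low-s bound `s.assert_less_than((Fr::modulus + 1) / 2)`, which does not exclude s == 0. Because `div_without_denominator_check` drops the in-circuit nonzero constraint on the divisor, the soundness of `u1` and `u2` now rests entirely on that earlier assertion, so the comment should name it and state the consequence, e.g. `// s != 0 is enforced by the explicit nonzero assertion on s above; dividing by an unconstrained zero would leave u1/u2 as free witnesses`. If no such assertion on `s` precedes this point, the checked `/` operator should be kept. The body of `ecdsa_verify_signature` starts and ends outside the hunk.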
Expand Up @@ -70,8 +70,8 @@ UltraRecursiveVerifier_<Flavor>::AggregationObject UltraRecursiveVerifier_<Flavo
bigfield_limbs[k] = verification_key->public_inputs[key->recursive_proof_public_input_indices[idx]];
idx++;
}
base_field_vals[j] =
typename Curve::BaseField(bigfield_limbs[0], bigfield_limbs[1], bigfield_limbs[2], bigfield_limbs[3]);
base_field_vals[j] = Curve::BaseField::construct_from_limbs(
bigfield_limbs[0], bigfield_limbs[1], bigfield_limbs[2], bigfield_limbs[3]);
}
nested_pairing_points[i] = typename Curve::Group(base_field_vals[0], base_field_vals[1]);
}
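Review bot: Unlike the other two call sites changed in this PR (`create_recursion_constraints` and `convert_witness_indices_to_agg_obj`, which follow `construct_from_limbs` with `assert_is_in_field()`), `base_field_vals[j]` built here from the nested proof's public-input limbs is not asserted to be in field. Whether `construct_from_limbs` itself enforces `< p` is not visible in this hunk; if it only range-constrains the limbs, a limb encoding of `x + p` with x < p would be accepted here as a non-canonical representation of x. For consistency with the other sites, consider adding `base_field_vals[j].assert_is_in_field();` after the construction, or a comment stating why it is unnecessary for these values. The surrounding loop and the enclosing function start outside the hunk.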
Expand Up @@ -109,11 +109,11 @@ aggregation_state<Curve> convert_witness_indices_to_agg_obj(Builder& builder,
{
std::array<typename Curve::BaseField, 4> aggregation_elements;
for (size_t i = 0; i < 4; ++i) {
aggregation_elements[i] =
typename Curve::BaseField(Curve::ScalarField::from_witness_index(&builder, witness_indices[4 * i]),
Curve::ScalarField::from_witness_index(&builder, witness_indices[4 * i + 1]),
Curve::ScalarField::from_witness_index(&builder, witness_indices[4 * i + 2]),
Curve::ScalarField::from_witness_index(&builder, witness_indices[4 * i + 3]));
aggregation_elements[i] = Curve::BaseField::construct_from_limbs(
Curve::ScalarField::from_witness_index(&builder, witness_indices[4 * i]),
Curve::ScalarField::from_witness_index(&builder, witness_indices[4 * i + 1]),
Curve::ScalarField::from_witness_index(&builder, witness_indices[4 * i + 2]),
Curve::ScalarField::from_witness_index(&builder, witness_indices[4 * i + 3]));
aggregation_elements[i].assert_is_in_field();
}

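Review bot: This loop is the same as the one in `create_recursion_constraints` in this PR (four `from_witness_index` limbs, `construct_from_limbs`, `assert_is_in_field()`), differing only in `Curve::BaseField`/`Curve::ScalarField` versus `bn254::BaseField`/`field_ct`. Two copies of the limb-to-bigfield conversion mean a future audit fix applied to one (for instance a missing in-field assertion) can silently miss the other; if `Curve` admits the bn254 instantiation used there, `create_recursion_constraints` could call this helper instead. Whether the template parameters line up is not visible here. The function's body continues outside the hunk.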
Expand Up @@ -345,7 +345,7 @@ aggregation_state<Curve> verify_proof_(typename Curve::Builder* context,
l1.create_range_constraint(fq_ct::NUM_LIMB_BITS, "l1");
l2.create_range_constraint(fq_ct::NUM_LIMB_BITS, "l2");
l3.create_range_constraint(fq_ct::NUM_LAST_LIMB_BITS, "l3");
return fq_ct(l0, l1, l2, l3, false);
return fq_ct::unsafe_construct_from_limbs(l0, l1, l2, l3, false);
};

fr_ct recursion_separator_challenge = transcript.get_challenge_field_element("separator", 2);
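Review bot: `fq_ct::unsafe_construct_from_limbs(l0, l1, l2, l3, false)` is only sound because of the three `create_range_constraint` calls immediately above it, and neither that dependency nor the meaning of the trailing `false` is stated, so someone editing the range widths will not see that the constructor trusts them. Suggest `// limbs l0..l2 are range-constrained to NUM_LIMB_BITS and l3 to NUM_LAST_LIMB_BITS just above, which is what makes the unsafe constructor acceptable here`, and if the boolean is the overflow flag, naming it (`constexpr bool can_overflow = false;`) rather than passing a bare literal. Note that, unlike the other sites in this PR, no `assert_is_in_field()` follows this construction; whether the lambda's caller performs it is outside the hunk, as is the rest of `verify_proof_`.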