Skip to content
This repository has been archived by the owner on Jul 5, 2024. It is now read-only.

fix modulo soundness due to overflow #999

Conversation

hero78119
Copy link
Member

@hero78119 hero78119 commented Dec 21, 2022

Fix issue #996

Changes summary

ModGadget

  • exposing witness k so it's able to be unit-test. With k exposing, therefore also move witness generation logic outside.
  • add test to cover soundness bug.

MulModGadget, op implementation

  • rename k to k2, plus adding k1, also passing k1 for ModGadget to constrain.

MulAddWordsGadget

  • use saturating_sub to avoid underflow panic during carry calculation.
  • add test to cover underflow

@github-actions github-actions bot added the crate-zkevm-circuits Issues related to the zkevm-circuits workspace member label Dec 21, 2022
@hero78119 hero78119 force-pushed the sm/fix_module_soundness branch from 1fbec15 to 3c9636d Compare December 21, 2022 10:25
@hero78119 hero78119 changed the title fix modulo soundness due to overflow (#996) fix modulo soundness due to overflow Dec 21, 2022
@hero78119 hero78119 force-pushed the sm/fix_module_soundness branch 4 times, most recently from b9aeb7a to 545e7d3 Compare December 21, 2022 10:45
@hero78119 hero78119 changed the title fix modulo soundness due to overflow Draft: fix modulo soundness due to overflow Dec 21, 2022
@hero78119 hero78119 marked this pull request as draft December 21, 2022 10:56
@hero78119 hero78119 force-pushed the sm/fix_module_soundness branch from 545e7d3 to 4852883 Compare December 21, 2022 13:10
@hero78119 hero78119 marked this pull request as ready for review December 21, 2022 13:11
@hero78119 hero78119 changed the title Draft: fix modulo soundness due to overflow fix modulo soundness due to overflow Dec 21, 2022
@hero78119 hero78119 force-pushed the sm/fix_module_soundness branch from 4852883 to c570e50 Compare December 22, 2022 02:42
@ChihChengLiang ChihChengLiang self-requested a review December 22, 2022 12:36
@aguzmant103 aguzmant103 added this to the Increase opcode support milestone Dec 22, 2022
Copy link
Collaborator

@ChihChengLiang ChihChengLiang left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great fix. LGTM. I added a nitpick.

@@ -49,27 +49,31 @@ impl<F: Field> ModGadget<F> {
1.expr() - lt.expr() - n_is_zero.expr(),
);

// Constrain k * n + r no overflow
cb.add_constraint("overflow == 0 for k * n + r", mul_add_words.overflow());
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What do you think use require_zero here for clarity?

@hero78119 hero78119 force-pushed the sm/fix_module_soundness branch from c570e50 to 698ed2b Compare December 27, 2022 13:29
Copy link
Collaborator

@ChihChengLiang ChihChengLiang left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added some more comments to help understand the soundness bug.

Word::from(2),
Word::from(3),
Word::from(0),
/* magic number (2^256 + 2) / 3, and 2^256 + 2 divisible by 3 */
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
/* magic number (2^256 + 2) / 3, and 2^256 + 2 divisible by 3 */
/* magic number (2^256 + 2) / 3, and 2^256 + 2 is divisible by 3 */

@@ -183,6 +194,20 @@ mod tests {

#[test]
fn test_mod_n_unexpected_rem() {
// test soundness by manipulating k to make a' = k * n + r and a' >=
// 2^256 lead to overflow and trigger soundness bug: (a' != a) ^ a' ≡ a
// (mod 2^256)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// (mod 2^256)
// (mod 2^256)
// Here, the attacker tries to convince you of a false statement `2 % 3 = 0` by showing you `2 = ((2^256 + 2) / 3) * 3 + 0`. In the `MulAddWordsGadget`, `k * n + r = a (modulo 2**256)` would have been a valid statement. But the gadget would have the overflow=1. Since we constrain the overflow to be 0 in the ModGadget, the statement would be invalid in the ModGadget.

@hero78119 hero78119 force-pushed the sm/fix_module_soundness branch from 698ed2b to 992c216 Compare December 29, 2022 08:41
@ChihChengLiang ChihChengLiang merged commit b51eded into privacy-scaling-explorations:main Dec 29, 2022
noel2004 pushed a commit to noel2004/zkevm-circuits that referenced this pull request Nov 29, 2023
* fix soundness bug in ecdsa circuit

* update parameters

* fix: ec_sub_unequal would have panicked for some edge cases (privacy-scaling-explorations#999)

* update ecdsa parameters

---------

Co-authored-by: Rohit Narurkar <rohit.narurkar@protonmail.com>
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
crate-zkevm-circuits Issues related to the zkevm-circuits workspace member
Projects
Status: Done
Development

Successfully merging this pull request may close these issues.

4 participants