Less than fix

AztecProtocol · Jun 8, 2023 · d46389e · d46389e
1 parent c04d137
commit d46389e
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 7 deletions.
diff --git a/cpp/src/barretenberg/stdlib/encryption/ecdsa/ecdsa_impl.hpp b/cpp/src/barretenberg/stdlib/encryption/ecdsa/ecdsa_impl.hpp
@@ -75,7 +75,7 @@ bool_t<Composer> verify_signature(const stdlib::byte_array<Composer>& message,
 
     // s should be less than |Fr| / 2
     // Read more about this at: https://www.derpturkey.com/inherent-malleability-of-ecdsa-signatures/amp/
-    s.assert_less_than(Fr::modulus / 2);
+    s.assert_less_than((Fr::modulus + 1) / 2);
 
     Fr u1 = z / s;
     Fr u2 = r / s;
@@ -148,7 +148,7 @@ bool_t<Composer> verify_signature_prehashed_message_noassert(const stdlib::byte_
 
     // s should be less than |Fr| / 2
     // Read more about this at: https://www.derpturkey.com/inherent-malleability-of-ecdsa-signatures/amp/
-    s.assert_less_than(Fr::modulus / 2);
+    s.assert_less_than((Fr::modulus + 1) / 2);
 
     Fr u1 = z / s;
     Fr u2 = r / s;

diff --git a/cpp/src/barretenberg/stdlib/primitives/bigfield/bigfield.test.cpp b/cpp/src/barretenberg/stdlib/primitives/bigfield/bigfield.test.cpp
@@ -746,6 +746,17 @@ template <typename Composer> class stdlib_bigfield : public testing::Test {
         }
         bool result = composer.check_circuit();
         EXPECT_EQ(result, true);
+        // Checking edge conditions
+        fq random_input = fq::random_element();
+        fq_ct a(witness_ct(&composer, fr(uint256_t(random_input).slice(0, fq_ct::NUM_LIMB_BITS * 2))),
+                witness_ct(&composer,
+                           fr(uint256_t(random_input).slice(fq_ct::NUM_LIMB_BITS * 2, fq_ct::NUM_LIMB_BITS * 4))));
+
+        a.assert_less_than(random_input + 1);
+        EXPECT_EQ(composer.check_circuit(), true);
+
+        a.assert_less_than(random_input);
+        EXPECT_EQ(composer.check_circuit(), false);
     }
 
     static void test_byte_array_constructors()

diff --git a/cpp/src/barretenberg/stdlib/primitives/bigfield/bigfield_impl.hpp b/cpp/src/barretenberg/stdlib/primitives/bigfield/bigfield_impl.hpp
@@ -1671,14 +1671,17 @@ template <typename C, typename T> void bigfield<C, T>::assert_less_than(const ui
     if (is_constant()) {
         return;
     }
-
+    ASSERT(upper_limit != 0);
+    // The circuit checks that limit - this >= 0, so if we are doing a less_than comparison, we need to subtract 1 from
+    // the limit
+    uint256_t strict_upper_limit = upper_limit - uint256_t(1);
     self_reduce(); // this method in particular enforces limb vals are <2^b - needed for logic described above
     uint256_t value = get_value().lo;
 
-    const uint256_t upper_limit_value_0 = upper_limit.slice(0, NUM_LIMB_BITS);
-    const uint256_t upper_limit_value_1 = upper_limit.slice(NUM_LIMB_BITS, NUM_LIMB_BITS * 2);
-    const uint256_t upper_limit_value_2 = upper_limit.slice(NUM_LIMB_BITS * 2, NUM_LIMB_BITS * 3);
-    const uint256_t upper_limit_value_3 = upper_limit.slice(NUM_LIMB_BITS * 3, NUM_LIMB_BITS * 4);
+    const uint256_t upper_limit_value_0 = strict_upper_limit.slice(0, NUM_LIMB_BITS);
+    const uint256_t upper_limit_value_1 = strict_upper_limit.slice(NUM_LIMB_BITS, NUM_LIMB_BITS * 2);
+    const uint256_t upper_limit_value_2 = strict_upper_limit.slice(NUM_LIMB_BITS * 2, NUM_LIMB_BITS * 3);
+    const uint256_t upper_limit_value_3 = strict_upper_limit.slice(NUM_LIMB_BITS * 3, NUM_LIMB_BITS * 4);
 
     bool borrow_0_value = value.slice(0, NUM_LIMB_BITS) > upper_limit_value_0;
     bool borrow_1_value =