Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ECDSA signature verification panics if provided invalid signature/public key #2755

Closed
colinnielsen opened this issue Sep 20, 2023 · 4 comments · Fixed by #2783
Closed

ECDSA signature verification panics if provided invalid signature/public key #2755

colinnielsen opened this issue Sep 20, 2023 · 4 comments · Fixed by #2783
Assignees
@TomAFrench
Labels
bug Something isn't working

Comments

@colinnielsen
Copy link

colinnielsen commented Sep 20, 2023
edited
Loading

Aim

I am trying to wrap up my dark-safe circuit:

I need a variable amount of items in an input array, so I'm using loop with some fixed MAX_ITERATIONS, then an should_calculate boolean in the input structs as a "no-op" flag.

There is an if block within the for loop, which looks for a should_calculate flag in the struct, and no-ops otherwise.

Screenshot 2023-09-19 at 7 30 11 PM

Expected Behavior

The program should not panic

Bug

Given a Prover.toml with 4 valid inputs and with 4 "empty" structs, running nargo execute, I see 4 println statements echo the array index, and "computing", then the program crashes at the blackbox-solver file.
Screenshot 2023-09-19 at 7 15 52 PM

Running the nargo execute -p provers/Prover_full.toml with a full array Prover_full.toml works as expected
Screenshot 2023-09-19 at 7 18 16 PM

NOTE:

  • If I place the "empty" structs first in the Prover.toml, it will crash on the first iteration in the no-op Screenshot 2023-09-19 at 7 21 16 PM
  • I have also tried "flipping" the if statement, and putting the computation in the else branch. This makes no difference to either above case. The program crashes whenever it hits an empty struct in the loop.
  • Interestingly enough, if I only pass empty structs in via nargo execute, the program will fail on the first iteration

To Reproduce

  1. git clone https://github.com/colinnielsen/dark-safe.git && cd dark-safe/circuits
  2. either nargo execute, nargo execute -p provers/Prover_completely_empty.toml, nargo execute -p provers/Prover_full.toml, or nargo execute -p provers/Prover_empty_first.toml

If you want to play with your own Prover.toml, (with a valid polynomial and array of signatures) run:

  1. yarn install
  2. yarn build
  3. follow the cli prompt

Installation Method

Binary

Nargo Version

nargo 0.12.0 (git version hash: 13cc23b, is dirty: false)

Additional Context

No response

Would you like to submit a PR for this Issue?

No

Support Needs

No response
@colinnielsen colinnielsen added the bug Something isn't working label Sep 20, 2023
@github-project-automation github-project-automation bot moved this to 📋 Backlog in Noir Sep 20, 2023
@TomAFrench
Copy link
Member

TomAFrench commented Sep 20, 2023
edited
Loading

Thanks for reporting this @colinnielsen. The underlying issue is that verify_secp256k1_ecdsa_signature panics rather than returning false if we provide invalid signatures like you're doing here due to an error within the k256 crate.

I'll go through and update this function to return false in this case rather than panicking.

@TomAFrench TomAFrench self-assigned this Sep 20, 2023
@TomAFrench TomAFrench mentioned this issue Sep 20, 2023
Closed
2 tasks
@TomAFrench
Copy link
Member

@colinnielsen I've tested dark-safe with the fix in noir-lang/acvm#557 and I now get a failed constraint when asserting the polynomial evaluates to zero rather than a panic.

@TomAFrench TomAFrench changed the title Panic occurs during if-else branch in for loop ECDSA signature verification panics if provided invalid signature/public key Sep 20, 2023
@colinnielsen
Copy link
Author

colinnielsen commented Sep 20, 2023
edited
Loading

@colinnielsen I've tested dark-safe with the fix in noir-lang/acvm#557 and I now get a failed constraint when asserting the polynomial evaluates to zero rather than a panic.

Awesome! Thank you, @TomAFrench

@TomAFrench TomAFrench mentioned this issue Sep 22, 2023
Merged
5 tasks
@github-project-automation github-project-automation bot moved this from 📋 Backlog to ✅ Done in Noir Sep 22, 2023
@TomAFrench
Copy link
Member

This issue is closed now but Noir isn't currently pulling from the ACVM code in this repository yet.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@TomAFrench TomAFrench

Labels
bug Something isn't working
Projects
Noir
Archived in project
Milestone
No milestone
2 participants
@TomAFrench @colinnielsen