Skip to content
This repository has been archived by the owner on Jul 5, 2024. It is now read-only.

fix modulo soundness due to overflow #999

Merged
merged 2 commits into from
Dec 29, 2022
Merged

fix modulo soundness due to overflow #999

merged 2 commits into from
Dec 29, 2022

Conversation

hero78119
Copy link
Member

@hero78119 hero78119 commented Dec 21, 2022
edited
Loading

Fix issue #996

Changes summary

ModGadget

  • exposing witness k so it's able to be unit-test. With k exposing, therefore also move witness generation logic outside.
  • add test to cover soundness bug.

MulModGadget, op implementation

  • rename k to k2, plus adding k1, also passing k1 for ModGadget to constrain.

MulAddWordsGadget

  • use saturating_sub to avoid underflow panic during carry calculation.
  • add test to cover underflow

@github-actions github-actions bot added the crate-zkevm-circuits Issues related to the zkevm-circuits workspace member label Dec 21, 2022
@hero78119 hero78119 changed the title fix modulo soundness due to overflow (#996) fix modulo soundness due to overflow Dec 21, 2022
@hero78119 hero78119 force-pushed the sm/fix_module_soundness branch 4 times, most recently from b9aeb7a to 545e7d3 Compare December 21, 2022 10:45
@hero78119 hero78119 changed the title fix modulo soundness due to overflow Draft: fix modulo soundness due to overflow Dec 21, 2022
@hero78119 hero78119 marked this pull request as draft December 21, 2022 10:56
@hero78119 hero78119 marked this pull request as ready for review December 21, 2022 13:11
@hero78119 hero78119 changed the title Draft: fix modulo soundness due to overflow fix modulo soundness due to overflow Dec 21, 2022
@aguzmant103 aguzmant103 added this to the Increase opcode support milestone Dec 22, 2022
ChihChengLiang
ChihChengLiang approved these changes Dec 27, 2022
View reviewed changes
Copy link
Collaborator

@ChihChengLiang ChihChengLiang left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great fix. LGTM. I added a nitpick.

zkevm-circuits/src/evm_circuit/util/math_gadget/modulo.rs
@@ -49,27 +49,31 @@ impl<F: Field> ModGadget<F> {
1.expr() - lt.expr() - n_is_zero.expr(),
);

// Constrain k * n + r no overflow
cb.add_constraint("overflow == 0 for k * n + r", mul_add_words.overflow());
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What do you think use require_zero here for clarity?

ChihChengLiang
ChihChengLiang approved these changes Dec 28, 2022
View reviewed changes
Copy link
Collaborator

@ChihChengLiang ChihChengLiang left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added some more comments to help understand the soundness bug.

zkevm-circuits/src/evm_circuit/util/math_gadget/modulo.rs Outdated
Word::from(2),
Word::from(3),
Word::from(0),
/* magic number (2^256 + 2) / 3, and 2^256 + 2 divisible by 3 */
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
/* magic number (2^256 + 2) / 3, and 2^256 + 2 divisible by 3 */
/* magic number (2^256 + 2) / 3, and 2^256 + 2 is divisible by 3 */

zkevm-circuits/src/evm_circuit/util/math_gadget/modulo.rs
@@ -183,6 +194,20 @@ mod tests {

#[test]
fn test_mod_n_unexpected_rem() {
// test soundness by manipulating k to make a' = k * n + r and a' >=
// 2^256 lead to overflow and trigger soundness bug: (a' != a) ^ a' ≡ a
// (mod 2^256)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// (mod 2^256)
// (mod 2^256)
// Here, the attacker tries to convince you of a false statement `2 % 3 = 0` by showing you `2 = ((2^256 + 2) / 3) * 3 + 0`. In the `MulAddWordsGadget`, `k * n + r = a (modulo 2**256)` would have been a valid statement. But the gadget would have the overflow=1. Since we constrain the overflow to be 0 in the ModGadget, the statement would be invalid in the ModGadget.

@ChihChengLiang ChihChengLiang merged commit b51eded into privacy-scaling-explorations:main Dec 29, 2022
@ChihChengLiang ChihChengLiang mentioned this pull request Dec 29, 2022
Closed
noel2004 pushed a commit to noel2004/zkevm-circuits that referenced this pull request Nov 29, 2023
@zhenfeizhang @roynalnaruto
Fix/tob wave3 ecdsa circuit review (privacy-scaling-explorations#992)
8cc8d83 
* fix soundness bug in ecdsa circuit

* update parameters

* fix: ec_sub_unequal would have panicked for some edge cases (privacy-scaling-explorations#999)

* update ecdsa parameters

---------

Co-authored-by: Rohit Narurkar <[email protected]>
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@KimiWu123 KimiWu123 KimiWu123 approved these changes

@ChihChengLiang ChihChengLiang ChihChengLiang approved these changes

Assignees
No one assigned
Labels
crate-zkevm-circuits Issues related to the zkevm-circuits workspace member
Projects
zkEVM Community Edition
Status: Done
Milestone
Increase opcode/error support
Development

Successfully merging this pull request may close these issues.
4 participants
@hero78119 @ChihChengLiang @KimiWu123 @aguzmant103