Modify constraint in decompose_running_sum #789

Open
enricobottazzi opened this issue Aug 9, 2023 · 0 comments

Comments

@enricobottazzi

This issue originated from a discussion with @therealyingtong.

```rust
// Fragment of `decompose_running_sum` (halo2 gadget), as quoted in the issue.
assert_eq!(zs.len(), num_windows + 1);
if strict {
    // Constrain the final running sum output to be zero.
    region.constrain_constant(zs.last().unwrap().cell(), F::ZERO)?;
}
```

This constraint assumes that the length of `zs` is equal to `num_windows + 1`.

If the length of `zs` is not constrained to be equal to `num_windows + 1`, an attacker could add an extra zero-value to `zs`, and this would cause the `constrain_constant(zs.last().unwrap().cell(), F::ZERO)?` to trivially pass, even in the case of a word decomposition that doesn't fit in `WINDOW_NUM_BITS * num_windows` bits.

What we concluded is that this attack is not possible, since the loop that builds `zs` goes over `words`, which is a vector of dimension `num_windows`, so the length of `zs` is known at keygen time (and it is equal to `num_windows + 1`).

Despite that, we believe that removing the expression `assert_eq!(zs.len(), num_windows + 1);` and adding the constraint `region.constrain_constant(zs[num_windows].cell(), F::ZERO)?;` would make it clearer.
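
An added illustration, not code from the issue or from halo2: an integer model of the running-sum decomposition that contrasts checking `zs.last()` with checking `zs[num_windows]`. The names `running_sum`, `strict_check_last`, `strict_check_indexed` and `with_extra_zero` are this example's own, and the arithmetic is over `u64` rather than the circuit's field `F`.

```rust
// Added illustration (not halo2's code): an integer model of the running sum
// z_{i+1} = (z_i - k_i) / 2^WINDOW_NUM_BITS, comparing the two ways of pinning
// the final value discussed in the issue. Function names are this example's own.
const WINDOW_NUM_BITS: usize = 3;

/// Build zs for `alpha` over `num_windows` windows. As in the gadget's loop,
/// `words` has exactly `num_windows` entries, so `zs` has `num_windows + 1`.
fn running_sum(alpha: u64, num_windows: usize) -> Vec<u64> {
    let mask = (1u64 << WINDOW_NUM_BITS) - 1;
    // k_i is the i-th little-endian window of alpha.
    let words: Vec<u64> = (0..num_windows)
        .map(|i| (alpha >> (i * WINDOW_NUM_BITS)) & mask)
        .collect();
    let mut zs = vec![alpha]; // z_0 = alpha
    for k in &words {
        let z = *zs.last().unwrap();
        // Exact division: k is precisely the low WINDOW_NUM_BITS bits of z.
        zs.push((z - k) >> WINDOW_NUM_BITS);
    }
    zs
}

/// The check as currently written: whatever element happens to be last is zero.
fn strict_check_last(zs: &[u64]) -> bool {
    *zs.last().unwrap() == 0
}

/// The proposed check: the element at the fixed index `num_windows` is zero.
fn strict_check_indexed(zs: &[u64], num_windows: usize) -> bool {
    zs[num_windows] == 0
}

/// The hypothetical malformed witness from the issue (an extra zero appended);
/// the gadget's fixed-length loop means it cannot actually arise.
fn with_extra_zero(mut zs: Vec<u64>) -> Vec<u64> {
    zs.push(0);
    zs
}

fn main() {
    let num_windows = 4; // 4 windows of 3 bits: values below 2^12 fit
    for alpha in [0xABC_u64, 0x1ABC] {
        let zs = running_sum(alpha, num_windows);
        let padded = with_extra_zero(zs.clone());
        println!("alpha={:#x}: last={} indexed={}; padded: last={} indexed={}", alpha,
            strict_check_last(&zs), strict_check_indexed(&zs, num_windows),
            strict_check_last(&padded), strict_check_indexed(&padded, num_windows));
    }
}
```

For the 12-bit value both checks pass; for the 13-bit value both fail, and only after the extra zero is appended do the two checks disagree, which is why indexing by `num_windows` ties the constraint to a fixed cell.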
