fixing a bug for rescue/solidity transcript #70
Conversation
|
|
|
this is a stale PR. iirc, the original motivation was just defense in depth in the light of trailofbits' disclosure on FrozenHeart where some FS transcripts forget taking in all the public inputs (especially the vk), but our library has always hashed all PI into our transcript, and adding a domain separator (the label) for each field may not have a security impact, just good-to-have. Adding this to I personally don't find this necessary from security perspective, am I missing anything? Just want to bring this out for discussion. @EspressoSystems/jellyfish |
|
Is there any reference for old discussion about this issue? Also is the gas cost increase going to be significant if we add those domain separators? @alxiong |
Sorry, I can't recall. @chancharles92 do you have anything to add beyond my comments above?
yes, it's non-neglible cuz we are hashing using rescue which is expensive in Solidity (in absolute gas cost, but somewhat manageable in relative gas cost), the more pressing problem is the contract bytecode size will increase. I remember we have a lots of trouble trying to keep CAPE contract under size limit. |
My impression is that Zhenfei mentioned that our SNARK/Circuit transcript implementations are secure, but I don't remember clearly whether the solidity transcript is correct or not. |
|
Found the context here: https://www.notion.so/espressosys/Potential-vulnerability-on-Jellyfish-s-transcript-91e810dd59c849aba7bab4ef9baaffb9 @mrain @alxiong TL; DR: it's not a bug in Jellyfish because Jellyfish code has an implicit data length field. But for general usage (e.g. if some external users want to use it and want to support dynamic data length fields), it'll be better to patch this PR. |
|
Thanks for finding the notion page. I have a question, so it's probably a good idea to fix "rescue transcript". But is it necessary to also add label to "solidity transcript"? The scenario described where 3 BN254 points turn out to be identical to 2 BLS12-381 points are not possible in our CAPE contract. Also I remember Aztec's plonk verifier contract doesn't add label, neither does matter-lab. |
Yes, check TL; DR. We didn't need to merge this PR now. OTOH, fixing the "rescue transcript" also has some costs because the SNARK circuit will have more constraints. |
mrain
changed the title
I pushed a commit for fixing the rescue transcript. Please check @alxiong @chancharles92 |
If we fix the rescue transcript, should we also sync the change in the circuit? E.g., in (It's strange that the tests didn't fail after the changes.) |
Sure we should. But it's not easy in the current gadget design. I'll try to do it today. |
Thanks, it's not in a hurry as we do not plan to merge this PR very soon. |
COULD NOT PASS THE TESTS. Details are described in the comments. Pls search for "TODO".
| let mut f = bytes_to_field_elements(&msg); | ||
| self.transcript.append(&mut f); | ||
| /// Append the message to the transcript. | ||
| /// TODO(Chengyu): fix the bug here, current design brings trouble to the |
There was a problem hiding this comment.
I updated the gadget implementation for rescue transcript. However, I encountered trouble passing the tests. The reason is described here.
I would also suggest remove this from the current release plan.
@alxiong @chancharles92
There was a problem hiding this comment.
Agree, we can include this change in a patch release afterwards.
|
Also could someone check the CI here? It failed test on my local computer. But CI passed. |
@Ancient123 Can we do similar changes in Jellyfish as we did to the HyperPlonk repo? |
This is part of the reason I consider it bad practice to call testing scripts versus having them embedded in the github |
…nto bug-disclaimer
Description
closes: #XXXX
Before we can merge this PR, please make sure that all the following items have been
checked off. If any of the checklist items are not applicable, please leave them but
write a little note why.
Pendingsection inCHANGELOG.mdFiles changedin the GitHub PR explorer