🚓Circom-Pairing: Missing Output Check Constraint
Summary
Related Vulnerabilities: 1. Under-constrained Circuits, 2. Nondeterministic Circuits, 4. Mismatching Bit Lengths
Identified By: Veridise Team
The Circom-Pairing circuits, written in circom, are used in Succinct Labs' cryptographic bridge. The circuits computed a range check on public-key inputs but were missing the constraint that enforces its result, so out-of-range inputs were still accepted.
Background
The Circom-Pairing circuit needs to use integers larger than the prime field (254 bits), so it uses the circom big-int library. Numbers are therefore represented as k-length arrays of n-bit limbs, which together encode a much larger number. Even though Circom-Pairing uses very large numbers, there is still a maximum range of expected values. To constrain numbers to that expected range, the library's BigLessThan circuit is often used. The output of this circuit is 1 if a < b, and 0 otherwise.
The Vulnerability
The vulnerability arose in the CoreVerifyPubkeyG1 circuit. BigLessThan circuits are instantiated there to compare pubkey against q, with the intent of ensuring that the pubkey values are correctly formatted bigints (pubkey < q). However, the rest of the circuit never checks the output of these BigLessThan circuits. So even if a proof has pubkey >= q and BigLessThan outputs 0, the proof is still verified successfully. This could cause unexpected behavior, since the cryptographic protocol depends on these numbers being within the expected range.
The Fix
The fix required a constraint on all of the outputs of the BigLessThan circuits to ensure that each one had an output of 1. The following snippet was added to fix this:
Once this was added, each BigLessThan circuit was constrained to equal 1. Now the pubkey inputs can be trusted to be in the expected range.
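As an added illustration (example code, not circom-pairing's own), a toy circuit that wires BigLessThan the way the fixed check does, with the output constrained to 1; the include paths, the per-limb Num2Bits check, and the two-limb 8-bit modulus are assumptions made for this example:

```circom
pragma circom 2.0.0;

// Assumed include paths: BigLessThan from the circom big-int library,
// Num2Bits from circomlib.
include "bigint.circom";
include "circomlib/circuits/bitify.circom";

// Constructed toy modulus for this example: q = 0x1234 as two 8-bit limbs.
// circom-bigint stores limbs little-endian, so limb 0 is the least significant.
function get_q_limbs() {
    var q[2] = [52, 18]; // 0x34, 0x12
    return q;
}

// n = bits per limb, k = number of limbs (the toy q above assumes k = 2).
template PubkeyRangeCheck(n, k) {
    signal input pubkey[k];

    var q[k] = get_q_limbs();

    // Each limb must actually fit in n bits; the LessThan gadget inside
    // BigLessThan assumes this and is itself under-constrained otherwise.
    component bits[k];
    for (var i = 0; i < k; i++) {
        bits[i] = Num2Bits(n);
        bits[i].in <== pubkey[i];
    }

    component lt = BigLessThan(n, k);
    for (var i = 0; i < k; i++) {
        lt.a[i] <== pubkey[i];
        lt.b[i] <== q[i];
    }

    // The line the vulnerable circuit lacked: without it, lt.out is a free
    // signal and a witness with pubkey >= q still satisfies every constraint.
    lt.out === 1;
}

component main = PubkeyRangeCheck(8, 2);
```

With the final constraint in place, a witness such as pubkey = [53, 18] (0x1235 >= q) fails constraint checking, whereas without it the circuit accepts that witness with lt.out = 0.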
Conclusion
Purpose of the CoreVerifyPubkeyG1 Circuit: Within this circuit, there is a check intended to ensure that the pubkey values (probably public keys in the cryptographic protocol) are less than a particular value q (a given prime number, likely a significant threshold in the protocol). This is meant to ensure that public keys are within a specific valid range.
The Oversight: While the circuit does compare pubkey and q using the BigLessThan circuit, it does nothing with the result. In simpler terms, the circuit checks whether the public key is too big but then does not act on that information. This means that even if the public key is too large (an invalid input), the overall protocol would still accept it, which is a significant vulnerability.