Unsound subtraction in the primary input packing · Issue #170 · clearmatics/zeth · GitHub

8000 Unsound subtraction in the primary input packing · Issue #170 · clearmatics/zeth · GitHub

More Web Proxy on the site http://driver.im/

Unsound subtraction in the primary input packing #170

Closed

Closed

Unsound subtraction in the primary input packing#170

Assignees

Labels

arithmetic-circuit/R1CSbug

AntoineRondelet

See here: https://github.com/clearmatics/zeth/blob/develop/src/circuits/joinsplit.tcc#L269

HashT::get_digest_len() returns a size_t (https://github.com/clearmatics/zeth/blob/develop/src/circuits/blake2s/blake2s_comp.hpp#L105)
FieldT:: capacity() returns a size_t (https://github.com/scipr-lab/libff/blob/master/libff/algebra/fields/fp.hpp#L115)

As such, the difference: https://github.com/clearmatics/zeth/blob/develop/src/circuits/joinsplit.tcc#L269 is a dangerous operation since it corresponds to a difference of unsigned integers (size_t is unsigned, see: https://en.cppreference.com/w/cpp/types/size_t). As such unexpected behavior will arise if FieldT:: capacity() > HashT::get_digest_len()

Metadata

Assignees

AntoineRondelet

Labels

arithmetic-circuit/R1CSbug

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

0