fix(aztec-nr): range-check auth witness fields before byte cast #22624
nchamo merged 4 commits into merge-train/fairies from
Henlo 👋
Currently auth_witness_to_byte_signature is executed as constrained code, but there is no reason for this to be constrained, since the witness is only a magical value that needs to be provided from wherever, that makes the signature verification pass - we are wasting constraints there on the assertions.
I think it makes sense to return the cast and range-checked values directly from the get_auth_witness oracle wrapper function and nuke the signature_witness file.
Actually I would leave get_auth_witness as is as I think we might eventually genuinely have field based witnesses so would create a wrapper function in that file that would do what auth_witness_to_byte_signature does. get_auth_witness_bytes or smt.
Proposed:
// Safety: the witness is only a magical value that makes signature verification pass.
// A fabricated or wrong-hash witness is rejected by the signature scheme below.

Original:
// Safety: The witness is only used as a "magical value" that makes the signature verification below pass.
// Hence it's safe.
Did you do this change from the original intentionally? I like the original more
The original felt unclear to me, but I can go back
✅ Successfully backported to backport-to-v4-next-staging #22580.

BEGIN_COMMIT_OVERRIDE
fix(pxe): stop block synchronizer on PXE shutdown (#22604)
fix(aztec): respect TEST_ACCOUNTS env var in local network mode (#22600)
fix: check all aztec-nr dependency tags, not just aztec (#22483)
fix: reuse anchor block in kernel oracle (#22631)
refactor: unify contract compilation pipeline via bb aztec_process (#22590)
fix(pxe): queue registerSender wipe to avoid racing with in-flight jobs (#22623)
fix(pxe): bounds-check PropertySelector in pick_notes (#22614)
fix(pxe): guard private event store rollback against in-flight jobs (#22615)
refactor(pxe): rename sideEffectCounter to initialSideEffectCounter (#22599)
fix(pxe): correct stale authwitness comment and inverted tagging error (#22537)
fix(aztec-nr): range-check auth witness fields before byte cast (#22624)
fix(pxe): serialize block stream event handling to prevent race conditions (#22635)
fix(pxe): throw error on origin/contract address mismatch in simulation (#22637)
END_COMMIT_OVERRIDE
Problem
Account contracts cast auth witness fields from Field to u8 without range-checking. Since Field values can exceed 255, a value like b + 256 truncates to the same byte as b, producing a different witness encoding that passes signature verification identically to the original.

Fix
Adds auth_witness_to_byte_signature in aztec-nr/authwit, which asserts each field is in [0, 256) before casting. All four account contracts (ecdsa k1, ecdsa r1, schnorr, schnorr hardcoded) now use this function instead of inline cast loops. Includes a Noir unit test for the range check and an e2e test that verifies aliased witness fields are rejected.

Fixes https://github.com/AztecProtocol/aztec-claude/issues/461
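The aliasing described above, as an added example that is not code from this PR or from aztec-nr: a Python model of the unchecked cast loop beside the range-checked auth_witness_to_byte_signature. It assumes, as the description states, that an unchecked Field to u8 cast keeps only the low byte; verify, the sample signature and alias_witness are constructed stand-ins, not the account contracts' real signature check.

```python
# Added example (not code from the aztec-nr PR): models the Field -> u8 cast
# aliasing the PR description explains, beside the range-checked fix.
# Assumption: an unchecked Noir `f as u8` keeps the low 8 bits of the field
# value, and a Field is any non-negative integer below the (large) field
# modulus, so b + 256*k is a distinct, valid Field value for small k.

def unchecked_byte_signature(witness):
    """Vulnerable 'before': inline cast loop with no range check (models `f as u8`)."""
    return bytes(f & 0xFF for f in witness)


def auth_witness_to_byte_signature(witness):
    """Hardened 'after': assert every field is in [0, 256) before casting."""
    out = bytearray()
    for i, f in enumerate(witness):
        if not 0 <= f < 256:
            raise ValueError(f"witness field {i} out of byte range: {f}")
        out.append(f)
    return bytes(out)


def alias_witness(witness, k=1):
    """Build a different Field-encoded witness that truncates to the same bytes."""
    return [f + 256 * k for f in witness]


def verify(signature_bytes, expected):
    """Constructed stand-in for the signature check: 'verification passes'
    is modelled as the decoded bytes equalling the one valid signature."""
    return signature_bytes == expected


# Constructed sample: a 4-byte 'signature' delivered as Field-typed witness values.
VALID_SIGNATURE = bytes([0x12, 0xAB, 0x00, 0xFF])
HONEST_WITNESS = list(VALID_SIGNATURE)
ALIASED_WITNESS = alias_witness(HONEST_WITNESS)   # [274, 427, 256, 511]


def unchecked_accepts_alias():
    """Before the fix: the aliased witness decodes to identical bytes and passes."""
    return verify(unchecked_byte_signature(ALIASED_WITNESS), VALID_SIGNATURE)


def checked_rejects_alias():
    """After the fix: the range check rejects the aliased witness outright."""
    try:
        auth_witness_to_byte_signature(ALIASED_WITNESS)
    except ValueError:
        return True
    return False
```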