fix: note hash collision #11869
fix: note hash collision #11869
Conversation
This stack of pull requests is managed by Graphite. Learn more about stacking. |
benesjan
force-pushed
the
02-10-fix_note_hash_collision
branch
from
5de5cce to
9fc6507
Compare
Changes to public function bytecode sizes
🧾 Summary (100% most significant diffs)
Full diff report 👇
|
| let generators: [Point; 6] = derive_generators("aztec_nr_generators".as_bytes(), 0); | ||
| // We use "aztec_nr_generators_fixed" instead of "aztec_nr_generators" to avoid collisions with generators | ||
| // that are generated dynamically by `generate_multi_scalar_mul(...)` | ||
| let generators: [Point; 7] = derive_generators("aztec_nr_generators_fixed".as_bytes(), 0); |
There was a problem hiding this comment.
I think a more future-proof solution might be to put G_slot and G_len at the beginning (indexes 0 and 1) instead of at the end. Then if we ever grow the number of fields in a partial note, the "slot" and "len" generators won't change. What do you think?
There was a problem hiding this comment.
I wonder if the G_len should be the exact same G_len that is used by the pedersen_hash bberg function. I'm not actually sure how we could reliably get hold of that value and use it here, though.
There was a problem hiding this comment.
Are the generators_fixed reserved for other things? I actually don't know about how we derive generators at the mo.
Edit: I took a look at aztec-packages/noir/noir-repo/noir_stdlib/src/hash/mod.nr: notice the function
Should we be using this pedersen_commitment_with_separator function? Should we be using the DEFAULT_DOMAIN_SEPARATOR and pedersen_hash_length, or would that collide with other pedersen hashes in the stack?
There was a problem hiding this comment.
I decided to do a few things here. First I nuked the generators.nr file as it was now only used for the import o G_slot and G_len and by custom implemenation of 2 note types: MockNote (used only for testing) and the EcdsaPublicKeyNote. Both of these are not partial notes so I just modified the note hash func to use poseidon2.
Regarding the G_slot and G_len I know generate them inside the macros and with this change they are next to the function that generates the other generators for the MSM used in note hashes. This I think makes it safer as we have 1 place where we generate the generators and they are only used by macros.
If devs for whatever reason will want their own generators they will need to generate them on their own.
Also as you proposed the G_slot and G_len now are at the beginning and the rest of the generators start at start_index 2 for this reason (derive_generators("aztec_nr_generators".as_bytes(), **2**)).
Should we be using this pedersen_commitment_with_separator function?
I don't think it works because we don't want the length to be included when finalizing the partial note (computing the commitment of the publicly added values and then adding that to the original partial_note_commitment).
Should we be using the DEFAULT_DOMAIN_SEPARATOR and pedersen_hash_length, or would that collide with other pedersen hashes in the stack?
I don't really see the value in this and would keep that separate just for the peace of mind.
There was a problem hiding this comment.
Thanks Jan! I've written some comments. I'm not sure which can actually easily be solved now, versus deferred to the dedicated "rigorous domain separation" epic in github. Perhaps if you don't think you'll be able to implement one of my suggested changes in this PR, please can you write a TODO in the code, and paraphrase my concern, and then point to the "domain separation" github epic.
| let generators: [Point; 6] = derive_generators("aztec_nr_generators".as_bytes(), 0); | ||
| // We use "aztec_nr_generators_fixed" instead of "aztec_nr_generators" to avoid collisions with generators | ||
| // that are generated dynamically by `generate_multi_scalar_mul(...)` | ||
| let generators: [Point; 7] = derive_generators("aztec_nr_generators_fixed".as_bytes(), 0); |
There was a problem hiding this comment.
I think a more future-proof solution might be to put G_slot and G_len at the beginning (indexes 0 and 1) instead of at the end. Then if we ever grow the number of fields in a partial note, the "slot" and "len" generators won't change. What do you think?
| let generators: [Point; 6] = derive_generators("aztec_nr_generators".as_bytes(), 0); | ||
| // We use "aztec_nr_generators_fixed" instead of "aztec_nr_generators" to avoid collisions with generators | ||
| // that are generated dynamically by `generate_multi_scalar_mul(...)` | ||
| let generators: [Point; 7] = derive_generators("aztec_nr_generators_fixed".as_bytes(), 0); |
There was a problem hiding this comment.
I wonder if the G_len should be the exact same G_len that is used by the pedersen_hash bberg function. I'm not actually sure how we could reliably get hold of that value and use it here, though.
| let generators: [Point; 6] = derive_generators("aztec_nr_generators".as_bytes(), 0); | ||
| // We use "aztec_nr_generators_fixed" instead of "aztec_nr_generators" to avoid collisions with generators | ||
| // that are generated dynamically by `generate_multi_scalar_mul(...)` | ||
| let generators: [Point; 7] = derive_generators("aztec_nr_generators_fixed".as_bytes(), 0); |
There was a problem hiding this comment.
Are the generators_fixed reserved for other things? I actually don't know about how we derive generators at the mo.
Edit: I took a look at aztec-packages/noir/noir-repo/noir_stdlib/src/hash/mod.nr: notice the function
Should we be using this pedersen_commitment_with_separator function? Should we be using the DEFAULT_DOMAIN_SEPARATOR and pedersen_hash_length, or would that collide with other pedersen hashes in the stack?
noir-projects/noir-contracts/contracts/ecdsa_public_key_note/src/lib.nr
Outdated
Show resolved
Hide resolved
noir-projects/noir-contracts/contracts/ecdsa_public_key_note/src/lib.nr
Outdated
Show resolved
Hide resolved
benesjan
force-pushed
the
02-10-fix_note_hash_collision
branch
from
9fc6507 to
eaf340d
Compare
| 0x00af91db798fa320746831a59b74362dfd0cf9e7c239f6aad11a4b47d0d870ee, | ||
| 0x00d25a054613a83be7be8512f2c09664bc4f7ab60a127b06584f476918581b8a, | ||
| 0x003840d100d8c1d78d4b68b787ed353ebfb8cd2987503d3b472f614f25799a18, | ||
| 0x003f38322629d401010101010101010101010101010101010101010101010101, |
There was a problem hiding this comment.
This change got triggered by me moving the generator indices by 1:
| @@ -84,7 +84,7 @@ describe('EncryptedLogPayload', () => { | |||
| const payload = await log.generatePayload(ephSk, recipientCompleteAddress.address, fixedRand); | |||
|
|
|||
| expect(payload.toBuffer().toString('hex')).toMatchInlineSnapshot( | |||
| `"0e9cffc3ddd746affb02410d8f0a823e89939785bcc8e88ee4f3cae05e737c360d460c0e434d846ec1ea286e4090eb56376ff27bddc1aacae1d856549f701fa700010577790aeabcc2d81ec8d0c99e7f5d2bf2f1452025dc777a178404f851d9003de81cde78411f27a921e16ebbfba71a5570d3f62f1134c90daced33663ba000856cb19c7d563da183a40a6f8bd4988d1696ad6bf0c717c8fb8f6294bd0366001ed04e4f77a111c7090fcd34c61cfae744e8589a42defba4d0d927dd4679fe00ec09b49d8d4cf548ea62d44c8839b2fd14664e9d1439b199a8d5166e362348004a69de2d410e010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101"`, | |||
| `"0e9cffc3ddd746affb02410d8f0a823e89939785bcc8e88ee4f3cae05e737c360d460c0e434d846ec1ea286e4090eb56376ff27bddc1aacae1d856549f701fa7000194e6d7872db8f61e8e59f23580f4db45d13677f873ec473a409cf61fd04d00334e5fb6083721f3eb4eef500876af3c9acfab0a1cb1804b930606fdb0b28300af91db798fa320746831a59b74362dfd0cf9e7c239f6aad11a4b47d0d870ee00d25a054613a83be7be8512f2c09664bc4f7ab60a127b06584f476918581b8a003840d100d8c1d78d4b68b787ed353ebfb8cd2987503d3b472f614f25799a18003f38322629d4010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101"`, | |||
There was a problem hiding this comment.
This change got triggered by me moving the generator indices by 1:
🤖 I have created a release *beep* *boop* --- <details><summary>aztec-package: 0.76.2</summary> ## [0.76.2](aztec-package-v0.76.1...aztec-package-v0.76.2) (2025-02-11) ### Miscellaneous * **logging:** Support explicit FORCE_COLOR parameter ([#11902](#11902)) ([3b3f859](3b3f859)) </details> <details><summary>barretenberg.js: 0.76.2</summary> ## [0.76.2](barretenberg.js-v0.76.1...barretenberg.js-v0.76.2) (2025-02-11) ### Miscellaneous * **barretenberg.js:** Synchronize aztec-packages versions </details> <details><summary>aztec-packages: 0.76.2</summary> ## [0.76.2](aztec-packages-v0.76.1...aztec-packages-v0.76.2) (2025-02-11) ### Features * Batch writes to the proving broker database ([#11900](#11900)) ([608f887](608f887)) ### Bug Fixes * Cleanup also post test_kind.sh ([#11886](#11886)) ([50cdb15](50cdb15)) * Dont skip wasm civc tests ([#11909](#11909)) ([0395e0b](0395e0b)) * Note hash collision ([#11869](#11869)) ([f289b7c](f289b7c)) * Orchestrator test ([#11901](#11901)) ([f1bb51c](f1bb51c)) * Smt_verification: negative bitvecs, changed gates indicies. acir_formal_proofs: noir-style signed division ([#11649](#11649)) ([4146496](4146496)) * Update path of stern logs ([#11906](#11906)) ([05afb5b](05afb5b)) ### Miscellaneous * Arm runner start fix ([#11903](#11903)) ([6c83c40](6c83c40)) * Fixing the sizes of VMs in CIVC ([#11793](#11793)) ([1afddbd](1afddbd)) * **logging:** Support explicit FORCE_COLOR parameter ([#11902](#11902)) ([3b3f859](3b3f859)) * Misc fixes to devnet deploy flow ([#11738](#11738)) ([bc4cca7](bc4cca7)) * Remove warnings from noir protocol circuits ([#11803](#11803)) ([c6cc3d3](c6cc3d3)) * Replace relative paths to noir-protocol-circuits ([74d6e6a](74d6e6a)) * Replacing use of capsules 1.0 with pxe_db + nuking capsules 1.0 ([#11885](#11885)) ([72be678](72be678)) </details> <details><summary>barretenberg: 0.76.2</summary> ## [0.76.2](barretenberg-v0.76.1...barretenberg-v0.76.2) (2025-02-11) ### Bug Fixes * Note hash collision ([#11869](#11869)) ([f289b7c](f289b7c)) * Smt_verification: negative bitvecs, changed gates indicies. acir_formal_proofs: noir-style signed division ([#11649](#11649)) ([4146496](4146496)) ### Miscellaneous * Fixing the sizes of VMs in CIVC ([#11793](#11793)) ([1afddbd](1afddbd)) </details> --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
🤖 I have created a release *beep* *boop* --- <details><summary>aztec-package: 0.76.2</summary> ## [0.76.2](AztecProtocol/aztec-packages@aztec-package-v0.76.1...aztec-package-v0.76.2) (2025-02-11) ### Miscellaneous * **logging:** Support explicit FORCE_COLOR parameter ([#11902](AztecProtocol/aztec-packages#11902)) ([3b3f859](AztecProtocol/aztec-packages@3b3f859)) </details> <details><summary>barretenberg.js: 0.76.2</summary> ## [0.76.2](AztecProtocol/aztec-packages@barretenberg.js-v0.76.1...barretenberg.js-v0.76.2) (2025-02-11) ### Miscellaneous * **barretenberg.js:** Synchronize aztec-packages versions </details> <details><summary>aztec-packages: 0.76.2</summary> ## [0.76.2](AztecProtocol/aztec-packages@aztec-packages-v0.76.1...aztec-packages-v0.76.2) (2025-02-11) ### Features * Batch writes to the proving broker database ([#11900](AztecProtocol/aztec-packages#11900)) ([608f887](AztecProtocol/aztec-packages@608f887)) ### Bug Fixes * Cleanup also post test_kind.sh ([#11886](AztecProtocol/aztec-packages#11886)) ([50cdb15](AztecProtocol/aztec-packages@50cdb15)) * Dont skip wasm civc tests ([#11909](AztecProtocol/aztec-packages#11909)) ([0395e0b](AztecProtocol/aztec-packages@0395e0b)) * Note hash collision ([#11869](AztecProtocol/aztec-packages#11869)) ([f289b7c](AztecProtocol/aztec-packages@f289b7c)) * Orchestrator test ([#11901](AztecProtocol/aztec-packages#11901)) ([f1bb51c](AztecProtocol/aztec-packages@f1bb51c)) * Smt_verification: negative bitvecs, changed gates indicies. acir_formal_proofs: noir-style signed division ([#11649](AztecProtocol/aztec-packages#11649)) ([4146496](AztecProtocol/aztec-packages@4146496)) * Update path of stern logs ([#11906](AztecProtocol/aztec-packages#11906)) ([05afb5b](AztecProtocol/aztec-packages@05afb5b)) ### Miscellaneous * Arm runner start fix ([#11903](AztecProtocol/aztec-packages#11903)) ([6c83c40](AztecProtocol/aztec-packages@6c83c40)) * Fixing the sizes of VMs in CIVC ([#11793](AztecProtocol/aztec-packages#11793)) ([1afddbd](AztecProtocol/aztec-packages@1afddbd)) * **logging:** Support explicit FORCE_COLOR parameter ([#11902](AztecProtocol/aztec-packages#11902)) ([3b3f859](AztecProtocol/aztec-packages@3b3f859)) * Misc fixes to devnet deploy flow ([#11738](AztecProtocol/aztec-packages#11738)) ([bc4cca7](AztecProtocol/aztec-packages@bc4cca7)) * Remove warnings from noir protocol circuits ([#11803](AztecProtocol/aztec-packages#11803)) ([c6cc3d3](AztecProtocol/aztec-packages@c6cc3d3)) * Replace relative paths to noir-protocol-circuits ([74d6e6a](AztecProtocol/aztec-packages@74d6e6a)) * Replacing use of capsules 1.0 with pxe_db + nuking capsules 1.0 ([#11885](AztecProtocol/aztec-packages#11885)) ([72be678](AztecProtocol/aztec-packages@72be678)) </details> <details><summary>barretenberg: 0.76.2</summary> ## [0.76.2](AztecProtocol/aztec-packages@barretenberg-v0.76.1...barretenberg-v0.76.2) (2025-02-11) ### Bug Fixes * Note hash collision ([#11869](AztecProtocol/aztec-packages#11869)) ([f289b7c](AztecProtocol/aztec-packages@f289b7c)) * Smt_verification: negative bitvecs, changed gates indicies. acir_formal_proofs: noir-style signed division ([#11649](AztecProtocol/aztec-packages#11649)) ([4146496](AztecProtocol/aztec-packages@4146496)) ### Miscellaneous * Fixing the sizes of VMs in CIVC ([#11793](AztecProtocol/aztec-packages#11793)) ([1afddbd](AztecProtocol/aztec-packages@1afddbd)) </details> --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
Fixes #11862
+ fixes generator collision vulnerability spotted by Nico. The issue was that G_slot value was sometimes accidentally generated by the macros an used for other non-storage-slot note field. I fixed that in this PR by nuking separate
generators.nrfile and making the auto-generated generators start at index 2, whileG_slotandG_lenhave indices 0 and 1 (talking about indices inderive_generators("aztec_nr_generators".as_bytes(), INDEX).