feat: hybrid CRS hash verification — 8MB chunks, parallel, span-based#21113
Merged
ludamad merged 7 commits intoMar 4, 2026
Merged
Conversation
Adds integrity verification for BN254 G1 SRS downloads using SHA-256 chunk hashes. The SRS is divided into 2MB chunks (2^15 points each), and the SHA-256 hash of each chunk is embedded in the binary. After downloading, every chunk is verified against the hash table. Downloads are rounded up to the next chunk boundary so every downloaded byte falls within a complete chunk and is hash-verified. The worst-case over-download is 2MB (<0.05% for typical downloads). Closes AztecProtocol/barretenberg#1628
johnathan79717
approved these changes
Mar 4, 2026
ludamad
approved these changes
Mar 4, 2026
github-merge-queue Bot
pushed a commit
that referenced
this pull request
Mar 6, 2026
BEGIN_COMMIT_OVERRIDE fix: add -g0 to zig presets to eliminate 11GB debug info bloat (#21071) fix: resolve flaky p2p_client test race condition on ARM64 (#21088) chore: remove domain iteration macros and address backing memory race (#20988) fix: [ECCVM] added domain separation for the multiset equality check. (#20352) feat: hybrid CRS hash verification — 8MB chunks, parallel, span-based (#21113) chore: unify splitting scalars interface (#20805) chore: add a unique id to each origin tag (#20924) chore: Native curve audit (#20936) chore: Update bootstrap in test vk haven't changed script (#21153) fix: use reduced form in WASM FromMontgomeryForm test (#21164) chore: erase ephemeral secrets from memory in schnorr and aes (#21106) chore: suppress clangd target triple version diagnostic (#21180) feat: Optimise new claim calculation (#21179) docs: add Quick Start build instructions to barretenberg README (#20951) feat: batched chonk verification (#21083) fix: link libc++ instead of libstdc++ for Rust FFI on Linux (#21203) fix: [ECCVM] in the transcript table, no-ops force the next accumulator to be 0. (#20849) fix: resolve merge-train conflict with next (zig wrapper scripts + -g0) (#21201) fix: [ECCVM] rare edge case completeness issue when `z1 == 0` but `z2 != 0` (#20858) fix: use actual data extent for CommitmentKey in HypernovaDeciderProver (#21206) END_COMMIT_OVERRIDE
4 tasks
johnathan79717
added a commit
that referenced
this pull request
Apr 2, 2026
### Audit Context Addresses findings from the "Aztec - Cryptographic Primitives" external audit. This is response 0, covering the findings that have straightforward fixes. ### Changes Made **Finding 1: Off-Curve Proof Commitment Crashes WASM Verifier** Replace `BB_ASSERT(val.on_curve())` with explicit `throw_or_abort` in both FrCodec and U256Codec deserialization paths (`field_conversion.hpp`). This routes the error through the standard error path that is catchable by bbapi's try-catch in native builds, rather than going through `assert_failure`. **Finding 2: WASM Process DOS via Oversized Polynomial in Prover Commit Path** No changes in this PR. Requires a WASM-compatible recovery boundary (setjmp/longjmp or extending try_catch_shim.hpp). Will be addressed in a follow-up. **Finding 3: SRS Downloaded Using HTTP** No changes in this PR. Already mitigated by SHA-256 chunk hash verification (PR #21113). Switching to HTTPS requires resolving the OpenSSL cross-compilation dependency. Deferred. **Finding 4: bbapi Unix Socket Accepts Unauthenticated SRS Replacement** - Add `chmod(socket_path, 0600)` after `bind()` on both macOS and Linux socket paths, matching the 0600 mode already used for the SHM transport. - Add null-guard to `init_bn254_mem_crs_factory()` to prevent replacing an already-initialized SRS, matching the existing guards on `init_bn254_net_crs_factory` and `init_bn254_file_crs_factory`. **Finding 5: Latent Shift-UB in get_scalar_slice** Add `static_assert(MAX_SLICE_BITS < 64, ...)` to encode the invariant that the shift in `get_scalar_slice` remains well-defined. **Finding 6: batch_commit() Subspan Constructed Before Bounds Check** Move the SRS bounds check before the `subspan()` call in `batch_commit()`. `std::span::subspan()` has UB when offset > size(). This brings `batch_commit` in line with `commit()` which already validates first. **Finding 7: Witness Polynomial Coefficients Vulnerable to Leakage** No changes. Threat model does not support this being a real vector: PXE in an extension runs in a separate origin, and for embedded wallets there is no trust boundary. Not prioritized. **Finding 8: BitVector::set() Non-Atomic RMW Has No Thread-Safety Guard** Add NOT THREAD-SAFE documentation to `BitVector` class noting that concurrent `set()` calls on indices in the same 64-bit word will race. Current usage is safe due to per-thread `BucketAccumulators` ownership. **Finding 9: batch_mul Mutates Scalars Through const Interface** Change `batch_mul`'s public interface from `std::span<const Fr>` to `std::span<Fr>`, making the mutation contract explicit. The MSM internally converts scalars from/to Montgomery form, so callers must provide mutable scalars. Updated HyperNova prover/verifier wrappers (drop const) and IPA `reduce_batch_opening_claim` (mutable copy). ### Checklist - [x] Confirmed and documented security issues found - [x] Verified that tests cover all critical paths - [x] Verified build passes (`ninja` clean build) - [x] Ran ecc_tests (830 passed), srs_tests (29 passed), commitment_schemes_tests (88 passed), hypernova_tests (9 passed)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds SHA-256 chunk hash verification for BN254 CRS downloads, combining the best of #21087 and #20864.
std::span-based hashing (zero per-chunk allocation)