feat(aztec-nr)!: app-silo getSharedSecret oracle#22020
Merged
nventuro approved these changes Mar 25, 2026
…pp-silo-shared-secret # Conflicts: # yarn-project/pxe/src/oracle_version.ts
❌ Failed to cherry-pick to
AztecBot pushed a commit that referenced this pull request Mar 25, 2026:
Cherry-pick of 1c74bf6 with conflicts in yarn-project/pxe/src/oracle_version.ts
AztecBot added a commit that referenced this pull request Mar 25, 2026:
The cherry-pick of PR #22020 modified domain separators in constants.nr but the generated files (constants.gen.ts, aztec_constants.hpp, constants_gen.pil) were not regenerated. Run remake-constants to sync.
nventuro added a commit that referenced this pull request Mar 25, 2026:
…ckport] (#22025)

## Summary

Backport of #22020 to v4-next. The `getSharedSecret` oracle now app-silos the shared secret by hashing it with the calling contract's address, preventing cross-contract decryption attacks. Key derivation uses new domain separators (`DOM_SEP__APP_SILOED_ECDH_SHARED_SECRET`, `DOM_SEP__ECDH_SUBKEY`, `DOM_SEP__ECDH_FIELD_MASK`).

## Cherry-pick conflicts

Only one conflict in `yarn-project/pxe/src/oracle_version.ts` — the oracle interface hash differs between `next` and `v4-next` because the Oracle class has diverged. Regenerated the hash for the v4-next Oracle interface.

## Commits

1. **Cherry-pick with conflicts** — raw cherry-pick of 1c74bf6 with conflict markers
2. **Conflict resolution** — resolved hash conflict in oracle_version.ts
3. **Build fix** — regenerated oracle interface hash for v4-next (`09ca7d52...`)

ClaudeBox log: https://claudebox.work/s/c95bc78416dda66e?run=1
github-merge-queue Bot pushed a commit that referenced this pull request Mar 26, 2026:
BEGIN_COMMIT_OVERRIDE
feat(aztec-nr): add initialization check to utility functions (#21751)
refactor(aztec-nr): remove storage from init_test_contract (#21996)
chore: remove claude file (#22012)
refactor!: more consistent oracle names (#22018)
feat(aztec-nr)!: app-silo getSharedSecret oracle (#22020)
fix: disallow infinite pubkeys (#22026)
feat: aztecnr log prefixing (#22027)
feat(aztec-nr)!: domain-separated tags on log emission (#21910)
END_COMMIT_OVERRIDE
## Why we are doing this

The `getSharedSecret` oracle returns a raw ECDH shared secret `S = addressSecret * ephPk`. Since both `address` and `ephPk` are public, any contract can call this oracle and get the same `S`. A malicious contract could trick a user into executing it, call the oracle for every known ephemeral public key, and decrypt messages intended for other contracts.

## Our fix

We app-silo the shared secret by hashing it with the calling contract's address before returning it from the oracle:

Each contract now receives a different `s_app` from the same raw ECDH exchange, making cross-contract decryption impossible. The oracle validates that the passed contract address matches its execution context.

Key derivation (AES keys/IVs, field masks) is restructured to use separate domain separators instead of index offsets, strengthening the independence argument:

- `DOM_SEP__ECDH_SUBKEY` for AES symmetric key/IV derivation
- `DOM_SEP__ECDH_FIELD_MASK` for ciphertext field masking

The old domain separators (`DOM_SEP__SYMMETRIC_KEY`, `DOM_SEP__SYMMETRIC_KEY_2`, `DOM_SEP__CIPHERTEXT_FIELD_MASK`) are removed.

The oracle interface changes from returning a `Point` to returning a `Field`, and now requires a `contract_address` parameter. The `MessageEncryption` trait's `encrypt` and `decrypt` signatures also gain a `contract_address` parameter. Oracle version is bumped to 20.

Fixes F-477
Fixes #12656
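A Python model of the app-silo described in the PR, added here as an illustration and not code from the PR or from aztec-nr: the group (modular exponentiation in place of the curve), the hash (SHA-256 in place of the project's field-friendly hash), the domain-separator byte value and the secrets are constructed stand-ins, and `get_shared_secret` mirrors the oracle's check that the passed contract address matches its execution context.

```python
import hashlib

# Toy group standing in for the curve: "scalar * point" is modular exponentiation.
# Illustrative model only (not the project's curve or hash); it makes ECDH commute.
P = 2**127 - 1
G = 3

# Name taken from the PR; the byte value is a constructed placeholder.
DOM_SEP__APP_SILOED_ECDH_SHARED_SECRET = b"APP_SILOED_ECDH_SHARED_SECRET"

def scalar_mul(scalar: int, point: int) -> int:
    """Stand-in for scalar multiplication on the curve."""
    return pow(point, scalar, P)

def app_silo(shared_secret: int, contract_address: int) -> int:
    """Bind the raw ECDH secret S to one contract: s_app = H(dom_sep, S, addr).
    SHA-256 stands in for the project's field-friendly hash."""
    h = hashlib.sha256(DOM_SEP__APP_SILOED_ECDH_SHARED_SECRET)
    h.update(shared_secret.to_bytes(16, "big"))
    h.update(contract_address.to_bytes(32, "big"))
    return int.from_bytes(h.digest(), "big")

def get_shared_secret(address_secret: int, executing_contract: int,
                      contract_address: int, eph_pk: int) -> int:
    """Model of the oracle. `executing_contract` is the address the PXE knows is
    running; `contract_address` is what the caller passed in."""
    if contract_address != executing_contract:  # caller may not silo for another app
        raise PermissionError("contract_address does not match execution context")
    raw = scalar_mul(address_secret, eph_pk)  # S = addressSecret * ephPk
    return app_silo(raw, contract_address)

def demo() -> tuple:
    """Returns (sender agrees with contract A, A differs from B, impersonation rejected)."""
    address_secret, eph_sk = 0x1F2E3D4C5B6A79, 0x6E2B1C0D9A8F  # constructed secrets
    contract_a, contract_b = 0xA1, 0xB2  # constructed contract addresses
    address_pk, eph_pk = scalar_mul(address_secret, G), scalar_mul(eph_sk, G)
    # The sender encrypting for contract A silos with A's address on its side.
    sender_secret = app_silo(scalar_mul(eph_sk, address_pk), contract_a)
    secret_a = get_shared_secret(address_secret, contract_a, contract_a, eph_pk)
    secret_b = get_shared_secret(address_secret, contract_b, contract_b, eph_pk)
    try:  # contract B asking the oracle for A's siloed secret
        get_shared_secret(address_secret, contract_b, contract_a, eph_pk)
        rejected = False
    except PermissionError:
        rejected = True
    return sender_secret == secret_a, secret_a != secret_b, rejected
```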