[zk-token-sdk] Restrict Edwards and Ristretto multiscalar multiplication vector length to at most 512 #34763
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #34763 +/- ##
=======================================
Coverage 81.7% 81.8%
=======================================
Files 825 825
Lines 223126 223164 +38
=======================================
+ Hits 182507 182585 +78
+ Misses 40619 40579 -40 |
samkim-crypto
added
v1.17
|
Backports to the beta branch are to be avoided unless absolutely necessary for fixing bugs, security issues, and perf regressions. Changes intended for backport should be structured such that a minimum effective diff can be committed separately from any refactoring, plumbing, cleanup, etc that are not strictly necessary to achieve the goal. Any of the latter should go only into master and ride the normal stabilization schedule. Exceptions include CI/metrics changes, CLI improvements and documentation updates on a case by case basis. |
t-nelson
reviewed
Jan 12, 2024
t-nelson
reviewed
Jan 17, 2024
Co-authored-by: Trent Nelson <trent.a.b.nelson@gmail.com>
Lichtso
approved these changes
Jan 18, 2024
t-nelson
approved these changes
Jan 18, 2024
mergify bot
pushed a commit
that referenced
this pull request
Jan 18, 2024
…ion vector length to at most 512 (#34763) * restrict curve25519 multiscalar multiplication vector length to 512 * add syscall tests for msm vector length * add new feature gate `curve25519_restrict_msm_length` * update tests for feature new gate * Update programs/bpf_loader/src/syscalls/mod.rs Co-authored-by: Trent Nelson <trent.a.b.nelson@gmail.com> * remove length guard on the multisicalar mult lib function --------- Co-authored-by: Trent Nelson <trent.a.b.nelson@gmail.com> (cherry picked from commit 7321859) # Conflicts: # sdk/src/feature_set.rs
samkim-crypto
added a commit
that referenced
this pull request
Jan 20, 2024
…iplication vector length to at most 512 (backport of #34763) (#34849) * [zk-token-sdk] Restrict Edwards and Ristretto multiscalar multiplication vector length to at most 512 (#34763) * restrict curve25519 multiscalar multiplication vector length to 512 * add syscall tests for msm vector length * add new feature gate `curve25519_restrict_msm_length` * update tests for feature new gate * Update programs/bpf_loader/src/syscalls/mod.rs Co-authored-by: Trent Nelson <trent.a.b.nelson@gmail.com> * remove length guard on the multisicalar mult lib function --------- Co-authored-by: Trent Nelson <trent.a.b.nelson@gmail.com> (cherry picked from commit 7321859) # Conflicts: # sdk/src/feature_set.rs * resolve conflict --------- Co-authored-by: samkim-crypto <skim13@cs.stanford.edu>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Problem
The curve25519 syscalls have an operation called the multiscalar multiplication (MSM), which computes the inner product of a vector scalar and curve points. The larger the vectors are, the more expensive the MSM operation becomes. The assigned compute units for MSM's do take this growing cost into account, but there is no concrete bound on the size of the vectors.
Theoretically, an attacker could craft a number of txs with very large MSM inputs, which could lead to either:
It would be good to define the max size of the vectors for MSM for safety. For most practical applications, MSM of vector length 512 should be sufficient.
Summary of Changes
Fixes #