Merge pull request #244 from davidnevadoc/nev@fix/vk-deser-check

Add check for `k` in vk deserialization.
privacy-scaling-explorations · Jan 10, 2024 · 687590a · 687590a
2 parents 5b2f5f6 + 76a86f0
commit 687590a
Showing 1 changed file with 23 additions and 6 deletions.
diff --git a/halo2_proofs/src/plonk.rs b/halo2_proofs/src/plonk.rs
@@ -60,6 +60,9 @@ pub struct VerifyingKey<C: CurveAffine> {
     compress_selectors: bool,
 }
 
+// Current version of the VK
+const VERSION: u8 = 0x03;
+
 impl<C: SerdeCurveAffine> VerifyingKey<C>
 where
     C::Scalar: SerdePrimeField + FromUniformBytes<64>,
@@ -75,8 +78,11 @@ where
     /// WITHOUT performing the expensive Montgomery reduction.
     pub fn write<W: io::Write>(&self, writer: &mut W, format: SerdeFormat) -> io::Result<()> {
         // Version byte that will be checked on read.
-        writer.write_all(&[0x02])?;
-        writer.write_all(&self.domain.k().to_le_bytes())?;
+        writer.write_all(&[VERSION])?;
+        let k = &self.domain.k();
+        assert!(*k <= C::Scalar::S);
+        // k value fits in 1 byte
+        writer.write_all(&[*k as u8])?;
         writer.write_all(&[self.compress_selectors as u8])?;
         writer.write_all(&(self.fixed_commitments.len() as u32).to_le_bytes())?;
         for commitment in &self.fixed_commitments {
@@ -114,15 +120,26 @@ where
     ) -> io::Result<Self> {
         let mut version_byte = [0u8; 1];
         reader.read_exact(&mut version_byte)?;
-        if 0x02 != version_byte[0] {
+        if VERSION != version_byte[0] {
             return Err(io::Error::new(
                 io::ErrorKind::InvalidData,
                 "unexpected version byte",
             ));
         }
-        let mut k = [0u8; 4];
+
+        let mut k = [0u8; 1];
         reader.read_exact(&mut k)?;
-        let k = u32::from_le_bytes(k);
+        let k = u8::from_le_bytes(k);
+        if k as u32 > C::Scalar::S {
+            return Err(io::Error::new(
+                io::ErrorKind::InvalidData,
+                format!(
+                    "circuit size value (k): {} exceeds maxium: {}",
+                    k,
+                    C::Scalar::S
+                ),
+            ));
+        }
         let mut compress_selectors = [0u8; 1];
         reader.read_exact(&mut compress_selectors)?;
         if compress_selectors[0] != 0 && compress_selectors[0] != 1 {
@@ -133,7 +150,7 @@ where
         }
         let compress_selectors = compress_selectors[0] == 1;
         let (domain, cs, _) = keygen::create_domain::<C, ConcreteCircuit>(
-            k,
+            k as u32,
             #[cfg(feature = "circuit-params")]
             params,
         );