Audit Fixes: Issue (L, M, N, P, R) - Added evaluation bindings to the transcript #4

Closed
ocdbytes wants to merge 4 commits into aj/opt/proof-size-v1 from aj/opt/proof-size-v1-audit-fixes

@ocdbytes ocdbytes commented Apr 23, 2026

Owner

Summary

  • Fix evaluation binding soundness bug: Public evaluations are now absorbed into the Fiat-Shamir transcript as prover messages before any batching/combination challenges (α, ρ, constraint_rlc) are sampled. The verifier reads them back and checks verify!(read == expected), rejecting any mismatch immediately.
  • Add audit soundness regression tests (src/protocols/audit_soundness_tests.rs) covering three classes of evaluation forgery identified in the security audit, with exact exploit constructions that extract challenge values from the transcript.

Root Cause

Evaluations were not bound in the Fiat-Shamir transcript before the challenges that depend on them. A malicious prover could generate an honest proof, replay the transcript to extract α/ρ/constraint_rlc, then forge evaluations that preserve the challenge-weighted sums the verifier checks.

Audit Issues Addressed

| Issue | Description | Fix Location | Tests |
|---|---|---|---|
| L | zkWHIR Batch Proofs Accept Alpha-Cancelled Forged Evaluations | Evaluations absorbed into transcript before alpha_coeffs sampling (whir_zk/verifier.rs:133-136) | test_rejects_alpha_cancelling_forgery (whir_zk/mod.rs:807), test_rejects_all_forgery_patterns_n2_f2 (whir_zk/mod.rs:1163) |
| M | Unbound Step-2 G_j Claims Allow Rho-Adaptive Forged Evaluations | Evaluations absorbed into transcript before rho sampling (whir_zk/verifier.rs:133-136) | test_rejects_g_claim_forgery_via_rho (whir_zk/mod.rs:866) |
| N | zkWHIR Multi-Form Proofs Accept Form-RLC-Preserving Forged Evaluations | Evaluations absorbed into transcript before constraint_rlc_coeffs sampling (whir_zk/verifier.rs:133-136) | test_rejects_constraint_rlc_cancelling_forgery (whir_zk/mod.rs:1101), test_rejects_all_forgery_patterns_n2_f2 (whir_zk/mod.rs:1163) |
| P | WHIR Batched Verifier Accepts Vector-RLC-Cancelled Forged Evaluations | Evaluations absorbed into transcript before vector_rlc_coeffs sampling (whir/verifier.rs:85-88) | test_rejects_forged_eval_separate_commits (whir/mod.rs:1061), test_rejects_forged_eval_batched_commit (whir/mod.rs:1101), test_rejects_alpha_cancelling_forgery (whir/mod.rs:1143) |
| R | WHIR Multi-Form Proofs Accept Form-RLC-Preserving Forged Evaluations | Evaluations absorbed into transcript before constraint_rlc_coeffs sampling (whir/verifier.rs:85-88) | test_rejects_constraint_rlc_cancelling_forgery (whir/mod.rs:1190) |
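
Added example, not code from this PR or the WHIR code base: a toy Rust model of the transcript-ordering fix described in the comment above, showing why a challenge sampled before the evaluations are absorbed lets a shifted pair of evaluations pass. The hash (`DefaultHasher`, not cryptographic), the two-evaluation batch, the field modulus and every function name are assumptions for illustration, and the rest of the proof is modeled as a check on the α-weighted sum only.

```rust
use std::collections::hash_map::DefaultHasher;
use std::hash::Hasher;

const P: u128 = (1 << 61) - 1; // toy prime field modulus (assumption)

// Toy Fiat-Shamir challenge: a hash of everything absorbed so far.
// DefaultHasher is NOT cryptographic; it stands in for the real sponge.
fn challenge(absorbed: &[u128]) -> u128 {
    let mut h = DefaultHasher::new();
    for v in absorbed {
        h.write_u128(*v);
    }
    (h.finish() as u128) % P
}

// Sample alpha with or without the claimed evaluations absorbed first.
fn alpha(commitment: u128, evals: [u128; 2], bind_evals: bool) -> u128 {
    if bind_evals {
        challenge(&[commitment, evals[0], evals[1]])
    } else {
        challenge(&[commitment])
    }
}

// Stand-in for the rest of the proof: it attests only to the batched
// claim e0 + alpha*e1 of the committed values, never to e0 and e1 alone.
fn verify(commitment: u128, truth: [u128; 2], claimed: [u128; 2], bind_evals: bool) -> bool {
    let a = alpha(commitment, claimed, bind_evals);
    (claimed[0] + a * claimed[1]) % P == (truth[0] + a * truth[1]) % P
}

// Shift both evaluations so the alpha-weighted sum is unchanged (delta < P).
fn forge(honest: [u128; 2], a: u128, delta: u128) -> [u128; 2] {
    [(honest[0] + a * delta) % P, (honest[1] + P - delta) % P]
}

// Returns (honest proof accepted, shifted evaluations accepted).
fn run(bind_evals: bool) -> (bool, bool) {
    let (commitment, honest) = (0xC0FFEE, [11, 22]); // constructed sample values
    let a = alpha(commitment, honest, bind_evals); // replayed from the honest transcript
    let forged = forge(honest, a, 5);
    (verify(commitment, honest, honest, bind_evals),
     verify(commitment, honest, forged, bind_evals))
}

fn main() {
    println!("evaluations unbound: {:?}", run(false));
    println!("evaluations bound:   {:?}", run(true));
}
```

With the evaluations bound, the verifier re-derives a different α from the shifted values, so the weighted sum no longer matches what the rest of the proof attests to.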

@Bisht13 Bisht13 marked this pull request as ready for review April 23, 2026 14:20
@ocdbytes ocdbytes changed the title Audit Fixes: Issue (#1, #2, #3) - Added evaluation bindings to the transcript Audit Fixes: Issue (L, M, N, O, P, Q, R) - Added evaluation bindings to the transcript Apr 27, 2026
@ocdbytes ocdbytes changed the title Audit Fixes: Issue (L, M, N, O, P, Q, R) - Added evaluation bindings to the transcript Audit Fixes: Issue (L, M, N, P, R) - Added evaluation bindings to the transcript Apr 27, 2026
@ocdbytes ocdbytes closed this Apr 27, 2026
@ocdbytes ocdbytes deleted the aj/opt/proof-size-v1-audit-fixes branch April 27, 2026 06:25