Author: Avaneesh
Scope: Pairing VM extension
Commit: latest main at time of writing
Severity: Low
Context: guest/src/bn254/mod.rs
Description: The FROBENIUS_COEFF_FQ6_C1[0] constant is incorrect.
However, the impact is low since this constant is not currently used.
Proof of concept: See the failing test in this PR
Recommendation: Update the constant
Resolution: fixed in this PR https://github.com/openvm-org/openvm/commit/179294ae7249cee1a54680377e18a8da7785c6f6
Severity: High
Description:
We use the fact that the pairing is equal to 1 iff there exist c and u satisfying certain conditions.
The values c and u are hinted by the prover.
However, a malicious prover can provide an invalid hint and cause the pairing check to fail.
The problem is that the guest code trusts the hint.
Proof of concept: N/A
Recommendation: Add a fallback that uses square-and-multiply for final exponentiation when the hint is invalid.
Resolution: fixed by this commit
Added a fallback for final exponentiation in the pairing extension for the case that the hint fails to prove that the final exponentiation is equal to 1.
This is a temporary fix. We will scope out a better approach after the security reviews.
Severity: High
Description: The pairing check for both BLS12-381 and BN254 panics if the c part of the pairing check hint is 0, when it tries to invert it.
So, a malicious prover can cause a panic in the guest code by providing a hint with c = 0.
This means the prover can prove that the guest code panics when it shouldn't.
Proof of concept: N/A
Recommendation: Use the fallback from Finding 2.2 when c = 0.
Resolution: fixed by this commit
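The two findings above (the guest trusting the prover's hint, and the inversion of a zero c) share one shape, so here is a single toy model of both, written for this review and not taken from the openvm code base. It replaces the BN254/BLS12-381 target group with the multiplicative group of integers mod a small prime P, whose order P - 1 = R * H: "final exponentiation" is f -> f^H, and f^H == 1 holds exactly when f is an R-th power, so a hint c with c^R == f lets the guest check f * (c^-1)^R == 1 instead of computing the long exponentiation. The real hint also carries the u term described in Finding 2.2; the toy omits it. P, R, H and the sample values are constructed for this example; the function names are hypothetical.

```rust
// Added example, not openvm code: a toy of the hinted pairing check.
// Group: integers mod P, cyclic of order P - 1 = R * H (constants constructed here).
const P: u64 = 101;
const R: u64 = 5;
const H: u64 = (P - 1) / R; // 20

fn mul_mod(a: u64, b: u64) -> u64 {
    (a * b) % P
}

/// Square-and-multiply exponentiation mod P.
fn pow_mod(mut base: u64, mut exp: u64) -> u64 {
    let mut acc = 1;
    base %= P;
    while exp > 0 {
        if exp & 1 == 1 {
            acc = mul_mod(acc, base);
        }
        base = mul_mod(base, base);
        exp >>= 1;
    }
    acc
}

/// Inverse via Fermat's little theorem; None for 0, which has no inverse.
fn inv_mod(a: u64) -> Option<u64> {
    if a % P == 0 {
        None
    } else {
        Some(pow_mod(a, P - 2))
    }
}

/// Hint-free check: the analogue of running the full final exponentiation.
fn final_exp_is_one(f: u64) -> bool {
    pow_mod(f, H) == 1
}

/// Hint-based check that trusts the prover: returns whatever the hint
/// implies, and inverts c unconditionally, so a zero c panics. This is
/// the shape of the flaw in Findings 2.2 and 2.3.
fn hinted_check_trusting(f: u64, c: u64) -> bool {
    let c_inv = inv_mod(c).expect("hint c must be invertible");
    mul_mod(f, pow_mod(c_inv, R)) == 1
}

/// Hardened check: a hint that verifies does prove f^H == 1, but a missing,
/// zero or failing hint proves nothing, so the guest falls back to the
/// square-and-multiply path instead of letting the prover pick the outcome.
fn hinted_check_with_fallback(f: u64, hint: Option<u64>) -> bool {
    match hint {
        Some(c) if c != 0 => {
            let c_inv = inv_mod(c).unwrap(); // c != 0 was checked above
            if mul_mod(f, pow_mod(c_inv, R)) == 1 {
                return true;
            }
            final_exp_is_one(f)
        }
        _ => final_exp_is_one(f),
    }
}

fn main() {
    // f = 2^R = 32 is an R-th power, so f^H == 1 and c = 2 is a valid hint.
    let f = pow_mod(2, R);
    println!("slow check: {}", final_exp_is_one(f));
    println!("trusting check, valid hint: {}", hinted_check_trusting(f, 2));
    println!("trusting check, bogus hint: {}", hinted_check_trusting(f, 3));
    println!("fallback, bogus hint: {}", hinted_check_with_fallback(f, Some(3)));
    println!("fallback, c = 0: {}", hinted_check_with_fallback(f, Some(0)));
    println!("fallback, f outside subgroup: {}", hinted_check_with_fallback(2, Some(7)));
}
```

With the trusting version, a bogus hint (c = 3) turns a pairing that really does equal 1 into a failed check, and c = 0 aborts the guest; with the fallback, both cases are settled by the slow exponentiation, while an f outside the order-H subgroup still fails no matter what hint accompanies it.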