Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Guarantee usernames stays inside field #13

Open
sebastiantf opened this issue Feb 27, 2024 · 3 comments
Open

Guarantee usernames stays inside field #13

sebastiantf opened this issue Feb 27, 2024 · 3 comments

Comments

@sebastiantf
Copy link
Collaborator

Description

usernames are being converted into BigUint and then to into field elements:

summa-solvency-schneier/zk_prover/src/circuits/merkle_sum_tree.rs

Line 252 in 95d63fe

big_uint_to_fp(self.entry.username_as_big_uint()),

iirc, Summa is not really bothered about how the usernames are constructed, but it is expected to be a hash of a unique combination of user id and/or email address (not fully sure)

What happens if an exchange settles on a format for constructing the usernames, uses Summa a few times, but at some point in the future for specific usernames, the BigUint conversion overflows the field? Would they have to change the username construction procedure? Is that possible considering the previous rounds they've already committed? Hence should Summa also consider the username construction procedure and have some restrictions around that procedure?
@sifnoc
Copy link
Contributor

sifnoc commented Apr 4, 2024

What happens if an exchange settles on a format for constructing the usernames, uses Summa a few times, but at some point in the future for specific usernames, the BigUint conversion overflows the field? Would they have to change the username construction procedure? Is that possible considering the previous rounds they've already committed? Hence should Summa also consider the username construction procedure and have some restrictions around that procedure?

As discussed with Parsley in early Mar, a Custodian can intentionally create an overflow on a username to hide the exclusion of a user entry from the MST.
For example, consider two users, A and B, who have the same balance (which is a common occurrence on exchanges). The Custodian can generate the same leaf-hash for both users with different usernames - one under the modulus and the other over the modulus. This allows the Custodian to exclude one of the entries from the MST.

However, we can mitigate the Custodian's motivation to cause an overflow by adding a verification step to the verifyInclusionProof function.

@0xalizk
Copy link
Member

0xalizk commented May 30, 2024

Should overflow be checked in circuit as well in cases where core Summa is imported as lib in some external zkDapps which may miss checking in-contract?

It can be modularized as an optional feature with default=true so it can be switched off for better performance.

@sifnoc
Copy link
Contributor

sifnoc commented Jun 12, 2024

Should overflow be checked in circuit as well in cases where core Summa is imported as lib in some external zkDapps which may miss checking in-contract?

It can be modularized as an optional feature with default=true so it can be switched off for better performance.

I think this is a good idea to add an optional feature enabling range checks for usernames in the circuit. I will create an issue with details for any contributors.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@sifnoc @sebastiantf @0xalizk