Merge pull request #1617 from o1-labs/audit-fixes

o1-labs · Apr 25, 2024 · c2f7609 · c2f7609
2 parents 1dcb02f + ea09b98
commit c2f7609
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 7 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -17,6 +17,11 @@ This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.htm
 
 ## [Unreleased](https://github.com/o1-labs/o1js/compare/02c5e8d4d...HEAD)
 
+### Fixed
+
+- Fixed issue in `UInt64.rightShift()` where it incorrectly performed a left shift instead of a right shift. https://github.com/o1-labs/o1js/pull/1617
+- Fixed issue in `ForeignField.toBits()` where high limbs were under-constrained for input length less than 176. https://github.com/o1-labs/o1js/pull/1617
+
 ### Added
 
 - Exposed sideloaded verification keys https://github.com/o1-labs/o1js/pull/1606 [@rpanic](https://github.com/rpanic)

diff --git a/src/bindings b/src/bindings
diff --git a/src/lib/provable/foreign-field.ts b/src/lib/provable/foreign-field.ts
@@ -357,10 +357,19 @@ class ForeignField {
     let limbSize = Number(l);
     let xBits = l0.toBits(Math.min(length, limbSize));
     length -= limbSize;
-    if (length <= 0) return xBits;
+    if (length <= 0) {
+      // constrain the remaining two high-limbs to be zero, return the first limb
+      l1.assertEquals(0);
+      l2.assertEquals(0);
+      return xBits;
+    }
     let yBits = l1.toBits(Math.min(length, limbSize));
     length -= limbSize;
-    if (length <= 0) return [...xBits, ...yBits];
+    if (length <= 0) {
+      // constrain the highest limb to be zero, return the first two limbs
+      l2.assertEquals(0);
+      return [...xBits, ...yBits];
+    }
     let zBits = l2.toBits(Math.min(length, limbSize));
     return [...xBits, ...yBits, ...zBits];
   }

diff --git a/src/lib/provable/int.ts b/src/lib/provable/int.ts
@@ -354,7 +354,7 @@ class UInt64 extends CircuitValue {
   }
 
   /**
-   * Performs a left right operation on the provided {@link UInt64} element.
+   * Performs a right shift operation on the provided {@link UInt64} element.
    * This operation is similar to the `>>` shift operation in JavaScript,
    * where bits are shifted to the right, and the overflowing bits are discarded.
    *
@@ -366,12 +366,12 @@ class UInt64 extends CircuitValue {
    * @example
    * ```ts
    * const x = UInt64.from(0b001100); // 12 in binary
-   * const y = x.rightShift(2); // left shift by 2 bits
-   * y.assertEquals(0b000011); // 48 in binary
+   * const y = x.rightShift(2); // right shift by 2 bits
+   * y.assertEquals(0b000011); // 3 in binary
    * ```
    */
   rightShift(bits: number) {
-    return new UInt64(Bitwise.leftShift64(this.value, bits).value);
+    return new UInt64(Bitwise.rightShift64(this.value, bits).value);
   }
 
   /**