Skip to content

Reject malformed verifier inputs instead of panicking / misverifying#4

Open
aryaethn wants to merge 1 commit into
succinctlabs:mainfrom
aryaethn:harden/verifier-input-validation
Open

Reject malformed verifier inputs instead of panicking / misverifying#4
aryaethn wants to merge 1 commit into
succinctlabs:mainfrom
aryaethn:harden/verifier-input-validation

Conversation

@aryaethn

Copy link
Copy Markdown

Summary

Two small verifier-entrypoint hardening fixes from the audit (#1) — "verifier panic risks" and "generic R1CS assumes C = I". Both make the verifier reject malformed or unsupported input with a structured error instead of misbehaving.

1. Reject non-identity C_0

verify_core builds the c-claim as a direct z-claim, which is only correct for the circuit-R1CS shape C = I. BlockR1cs::c0_is_identity() already exists and the prover branches on it, but the verifier assumed C = I with no check — so an instance with C_0 != I would be checked against the wrong relation. Added a guard up front returning VerifyError::NonIdentityC0. No-op for every production instance (all C = I).

2. Don't panic on an unsupported Ligerito config

verify_claims_ligerito derived its security config via verifier_config_for(...).expect("Ligerito default verifier config"). verifier_config_for returns Err for an (m, profile) with no embedded security config — and in the chain path that triple comes from the proof bundle's commitment.params — so a malformed bundle would panic the verifier. Now mapped to VerifyError::UnsupportedConfig(_) and returned.

Tests

  • verify_core_rejects_non_identity_c0: a zero-C_0 instance is rejected with NonIdentityC0 (junk sub-proofs are fine — the guard fires before they're touched).
  • verify_claims_ligerito_rejects_unsupported_config: a commitment with m = 8 (no embedded config) yields UnsupportedConfig instead of panicking.
  • Full flock-core suite (257) + end-to-end roundtrip green; honest proofs unaffected.

Note

This is the transcript-independent half of those two audit items. The deeper part of the Ligerito params item — the verifier currently trusts the proof-supplied profile for its security schedule, so a downgrade isn't prevented yet — needs a trust-model decision (enforce an expected/minimum profile) and is left for a follow-up.

Two verifier-entrypoint hardening fixes from the audit (succinctlabs#1):

- verify_core now rejects a non-identity C_0 with VerifyError::NonIdentityC0.
  The pipeline assumes the circuit-R1CS shape C = I (the c-claim is built as a
  direct z-claim); c0_is_identity() already existed but was only used by the
  prover, while the verifier assumed it without checking. No-op for all real
  instances, which are C = I.

- verify_claims_ligerito maps verifier_config_for's error into a structured
  VerifyError::UnsupportedConfig instead of .expect()-panicking, so a bundle
  claiming an (m, profile) with no embedded security config is rejected rather
  than crashing the verifier.

Adds regression tests for both.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
SipengXie2024 added a commit to SipengXie2024/flock that referenced this pull request Jul 2, 2026
Review findings (36 agents, 86 candidates, 15 confirmed):

Fixed:
- succinctlabs#7: SSE2 convert-table dispatch missing in s_hat_v partial path
  (copy-paste omission — x86 fell back to scalar in boundary window)
- succinctlabs#8/#12: multi_base.rs imported route.rs (FANOUT=4) instead of
  route_f32.rs (FANOUT=32). Any fanout>4 would panic. Fixed import
  + updated acceptance test to use RouteF32Witness.

Skipped (documented, not fixable without larger changes):
- succinctlabs#1/succinctlabs#3/succinctlabs#6: route_single.rs 3 soundness gaps (documented in header,
  needs wiring sumcheck)
- succinctlabs#2/succinctlabs#4/succinctlabs#9/succinctlabs#10: files >700 LOC (route 810, route_f32 936, route_single
  950 — needs structural refactor, separate PR)
- succinctlabs#5: multi_base missing padding skip (perf-only, not correctness)
- succinctlabs#11: PaddingSpec inconsistency in hash_only PCS open (no effect —
  padding skip only applies to zerocheck, not PCS)
- #13/#14/#15: Ligerito floor magic number, PCS PaddingSpec, target_feature
  annotation — all by-design or no-impact

338 tests pass (279 flock-core + 50 mhot unit + 8 acceptance + 1 profile).
SipengXie2024 added a commit to SipengXie2024/flock that referenced this pull request Jul 2, 2026
Review findings (36 agents, 86 candidates, 15 confirmed):

Fixed:
- succinctlabs#7: SSE2 convert-table dispatch missing in s_hat_v partial path
  (copy-paste omission — x86 fell back to scalar in boundary window)
- succinctlabs#8/#12: multi_base.rs imported route.rs (FANOUT=4) instead of
  route_f32.rs (FANOUT=32). Any fanout>4 would panic. Fixed import
  + updated acceptance test to use RouteF32Witness.

Skipped (documented, not fixable without larger changes):
- succinctlabs#1/succinctlabs#3/succinctlabs#6: route_single.rs 3 soundness gaps (documented in header,
  needs wiring sumcheck)
- succinctlabs#2/succinctlabs#4/succinctlabs#9/succinctlabs#10: files >700 LOC (route 810, route_f32 936, route_single
  950 — needs structural refactor, separate PR)
- succinctlabs#5: multi_base missing padding skip (perf-only, not correctness)
- succinctlabs#11: PaddingSpec inconsistency in hash_only PCS open (no effect —
  padding skip only applies to zerocheck, not PCS)
- #13/#14/#15: Ligerito floor magic number, PCS PaddingSpec, target_feature
  annotation — all by-design or no-impact

338 tests pass (279 flock-core + 50 mhot unit + 8 acceptance + 1 profile).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant