Merge pull request #846 from zcash/bugfix

Reject two queries with the same point and commitment, but different evaluations

Author: str4d

.github/workflows/ci.yml

@@ -103,6 +103,7 @@ jobs:
       - uses: ./.github/actions/prepare
         with:
           toolchain: stable
+      - run: sudo apt-get -y install libfontconfig1-dev
       # Build benchmarks and all-features to prevent bitrot
       - name: Build benchmarks
         uses: actions-rs/cargo@v1

Cargo.lock

@@ -7,6 +7,22 @@ and this project adheres to Rust's notion of
 
 ## [Unreleased]
 
+## [0.3.1] - 2025-07-07
+### Security
+`halo2_proofs` uses a multiopen argument in its proofs, which takes the sequence
+of circuit queries and evaluations, and groups them into query sets for proof
+efficiency. The previous implementation had a bug where two queries within the
+sequence could provide the same evaluation point and commitment, but different
+evaluations. A vulnerable circuit with a bug resulting in such a sequence of
+evaluations is unsound, but a verifier for this circuit would previously not
+reject these proofs.
+
+The multiopen logic has been updated to detect and reject this case; both provers
+and verifiers now return an error instead. The multiopen logic now also uses the
+`indexmap` crate to further reduce its complexity.
+
+The bug was found by Suneal from zkSecurity.
+
 ## [0.3.0] - 2023-03-21
 ### Breaking circuit changes
 - `halo2_proofs::circuit::floor_planner::V1` was relying internally on the Rust

halo2_proofs/CHANGELOG.md

@@ -1,6 +1,6 @@
 [package]
 name = "halo2_proofs"
-version = "0.3.0"
+version = "0.3.1"
 authors = [
     "Sean Bowe <[email protected]>",
     "Ying Tong Lai <[email protected]>",
@@ -47,6 +47,7 @@ harness = false
 backtrace = { version = "0.3", optional = true }
 ff = "0.13"
 group = "0.13"
+indexmap = "1"
 pasta_curves = "0.5"
 rand_core = { version = "0.6", default-features = false }
 tracing = "0.1"