



**Circom Security**

**Jon Stephens  
CTO, Veridise**

# Veridise. | Why should I care?

 Tornado Cash

Oct 12, 2019 · 3 min read · [Listen](#)

[Twitter](#) [Facebook](#) [LinkedIn](#) [Copy](#) [Share](#) ...

## Tornado.cash got hacked. By us.



# Veridise | Why should I care?

```
2 circuits/mimcsponge.circom ...
@@ -21,7 +21,7 @@ template MiMCSponge(nInputs, nRounds, nOutputs) {
21     }
22     }
23
24 -    outs[0] = S[nInputs - 1].xL_out;
25
26     for (var i = 0; i < nOutputs - 1; i++) {
27         S[nInputs + i] = MiMCFeistel(nRounds);
21     }
22     }
23
24 +    outs[0] <= S[nInputs - 1].xL_out;
25
26     for (var i = 0; i < nOutputs - 1; i++) {
27         S[nInputs + i] = MiMCFeistel(nRounds);

```



# Veridise | Why should I care?

```
2  circuits/mimcsponge.circom ...
@@ -21,7 +21,7 @@ template MiMCSponge(nInputs, nRounds, nOutputs) {
21      }
22  }
23
24 -    outs[0] = S[nInputs - 1].xL_out;
25
26     for (var i = 0; i < nOutputs - 1; i++) {
27         S[nInputs + i] = MiMCFeistel(nRounds);
21      }
22  }
23
24 +    outs[0] <= S[nInputs - 1].xL_out;
25
26     for (var i = 0; i < nOutputs - 1; i++) {
27         S[nInputs + i] = MiMCFeistel(nRounds);

```







## Functional Correctness Violation



$\neq$





## Over-constrained Circuit





# Veridise | Underconstrained Circuits



# Veridise | Underconstrained Circuits



# Veridise | Underconstrained Circuits



Sometimes such circuits are desired, but must be very careful!

# Veridise | Unconstrained Output

```
template ArrayAdd(n) {  
    signal input a[n];  
    signal input b[n];  
    signal output out[n];  
  
    for (var i = 0; i < n - 1; i++) {  
        out[i] <== a[i] + b[i];  
    }  
}
```

# Veridise | Unconstrained Output

```
template ArrayAdd(n) {  
    signal input a[n];  
    signal input b[n];  
    signal output out[n];  
  
    for (var i = 0; i < n - 1; i++) {  
        out[i] <== a[i] + b[i];  
    }  
}
```

ArrayAdd(3) witness:

a = {1, 2, 3}  
b = {6, 5, 4}  
out = {7, 7, 7}

# Veridise | Unconstrained Output

```
template ArrayAdd(n) {  
    signal input a[n];  
    signal input b[n];  
    signal output out[n];  
  
    for (var i = 0; i < n - 1; i++) {  
        out[i] <= a[i] + b[i];  
    }  
}
```

ArrayAdd(3) witness:

a = {1, 2, 3}  
b = {6, 5, 4}  
out = {7, 7, 7}

ArrayAdd(3) witness:

a = {1, 2, 3}  
b = {6, 5, 4}  
out = {7, 7, 0}

# Veridise | Unconstrained Output

```
template ArrayAdd(n) {  
    signal input a[n];  
    signal input b[n];  
    signal output out[n];  
  
    for (var i = 0; i < n - 1; i++) {  
        out[i] <= a[i] + b[i];  
    }  
}
```

ArrayAdd(3) witness:

a = {1, 2, 3}  
b = {6, 5, 4}  
out = {7, 7, 7}

ArrayAdd(3) witness:

a = {1, 2, 3}  
b = {6, 5, 4}  
out = {7, 7, 0}

**Attacker may arbitrarily manipulate the last value of output array!**

# Veridise | <-- Operator

```
template isZero() {  
    signal input in;  
    signal output out;  
  
    out <-- in == 0 ? 1 : 0;  
    in*out === 0;  
}
```

```
template isZero() {  
    signal input in;  
    signal output out;  
  
    out <-- in == 0 ? 1 : 0;  
    in*out === 0;  
}
```

**isZero()** witness:

in = 0

out = 1

# Veridise | <-- Operator

```
template isZero() {  
    signal input in;  
    signal output out;  
  
    out <-- in == 0 ? 1 : 0;  
    in*out === 0;  
}
```

isZero() witness:

in = 0

out = 1

isZero() witness:

in = 0

out = 0

# Veridise | <-- Operator

```
template isZero() {  
    signal input in;  
    signal output out;  
  
    out <-- in == 0 ? 1 : 0;  
    in*out === 0;  
}
```

isZero() witness:

in = 0

out = 1

isZero() witness:

in = 0

out = 0

**Must be careful to ensure constraint matches!**

# Veridise | Finite Field Size

```
template toBase256(l) {
    signal input in;
    signal output out[l];

    var value = in;
    for (var i = 0; i < l; i++) {
        out[i] <-- value & 255;
        value = value \ 256;
    }

    component bitchecks[l];
    for (var i = 0; i < l; i++) {
        bitchecks[i] = Num2Bits(8); // out[i] is in [0, 256)
        bitchecks[i].in <== out[i];
    }

    signal acc[l];
    for (var i = l-1; i >= 0; i--) {
        if (i == l-1) {
            acc[i] <== out[i];
        } else {
            acc[i] <== 256 * acc[i+1] + out[i];
        }
    }
    acc[0] === in; // acc[0] = out[0] + 256*out[1] + .. + 256^{l-1}*out[l-1]
}
```

# Veridise | Finite Field Size

```
template toBase256(l) {
    signal input in;
    signal output out[l];

    var value = in;
    for (var i = 0; i < l; i++) {
        out[i] <-- value & 255;
        value = value \ 256;
    }

    component bitchecks[l];
    for (var i = 0; i < l; i++) {
        bitchecks[i] = Num2Bits(8); // out[i] is in [0, 256)
        bitchecks[i].in <== out[i];
    }

    signal acc[l];
    for (var i = l-1; i >= 0; i--) {
        if (i == l-1) {
            acc[i] <== out[i];
        } else {
            acc[i] <== 256 * acc[i+1] + out[i];
        }
    }
    acc[0] === in; // acc[0] = out[0] + 256*out[1] + .. + 256^{l-1}*out[l-1]
}
```

**toBase256() witness:**

in = 0

out = [0, ..., 0]

acc[0] = 0

# Veridise | Finite Field Size

```
template toBase256(l) {
    signal input in;
    signal output out[l];

    var value = in;
    for (var i = 0; i < l; i++) {
        out[i] <-- value & 255;
        value = value \ 256;
    }

    component bitchecks[l];
    for (var i = 0; i < l; i++) {
        bitchecks[i] = Num2Bits(8); // out[i] is in [0, 256)
        bitchecks[i].in <== out[i];
    }

    signal acc[l];
    for (var i = l-1; i >= 0; i--) {
        if (i == l-1) {
            acc[i] <== out[i];
        } else {
            acc[i] <== 256 * acc[i+1] + out[i];
        }
    }
    acc[0] === in; // acc[0] = out[0] + 256*out[1] + .. + 256^{l-1}*out[l-1]
}
```

**toBase256() witness:**

in = 0  
out = [0, ..., 0]  
acc[0] = 0

**toBase256() witness:**

in = 0  
out = encode(p)  
acc[0] = 0

# Veridise | Finite Field Size

```
template toBase256(l) {
    signal input in;
    signal output out[l];

    var value = in;
    for (var i = 0; i < l; i++) {
        out[i] <-- value & 255;
        value = value \ 256;
    }

    component bitchecks[l];
    for (var i = 0; i < l; i++) {
        bitchecks[i] = Num2Bits(8); // out[i] is in [0, 256)
        bitchecks[i].in <== out[i];
    }

    signal acc[l];
    for (var i = l-1; i >= 0; i--) {
        if (i == l-1) {
            acc[i] <== out[i];
        } else {
            acc[i] <== 256 * acc[i+1] + out[i];
        }
    }
    acc[0] === in; // acc[0] = out[0] + 256*out[1] + .. + 256^{l-1}*out[l-1]
}
```

**Overflows can allow the circuit to accept  $n$  and  $n + p$ !**

# Veridise | Overconstrained Circuits



# Veridise | === Operator

```
template isZero() {
    signal input in;
    signal output out;

    out <-- in == 0 ? 1 : 0;
    out === 0;
}
```

# Veridise | === Operator

```
template isZero() {  
    signal input in;  
    signal output out;  
  
    out <-- in == 0 ? 1 : 0;  
    out === 0;  
}
```

***out will always be  
0!***

# Veridise | === Operator

```
template isZero() {  
    signal input in;  
    signal output out;  
  
    out <-- in == 0 ? 1 : 0;  
    out === 0;  
}
```

***out will always be  
0!***

**Must be careful to ensure constraint matches!**

# Veridise | Other Bugs



# Veridise | Variable Shadowing

```
function numberOfBits(a) {  
    var n = 1;  
    var r = 0;  
    while (n - 1 < a) {  
        var r = r + 1;  
        n *= 2;  
    }  
    return r;  
}
```

# Veridise | Variable Shadowing

```
function numberOfBits(a) {  
    var n = 1;  
    var r = 0;  
    while (n - 1 < a) {  
        var r = r + 1;  
        n *= 2;  
    }  
    return r;  
}
```

Will Always return  
0!

# Veridise | Variable Shadowing

```
function numberOfBits(a) {  
    var n = 1;  
    var r = 0;  
    while (n - 1 < a) {  
        var r = r + 1;  
        n *= 2;  
    }  
    return r;  
}
```

Will Always return  
0!

Variable shadowing can cause programming errors!

# Veridise | Logical Errors

```
template withdraw(n) {  
    assert(n <= 252);  
    signal input bal;  
    signal input amt;  
    signal output out;  
  
    component n2b1 = Num2Bits(n); // assert (bal < 2^n)  
    n2b1.in <== bal;  
    component n2b2 = Num2Bits(n); // assert (amt < 2^n)  
    n2b2.in <== amt;  
    component lt = LessThan(n); // check amt < bal  
    lt.in[0] <== bal;  
    lt.in[1] <== amt;  
  
    out <== bal - amt;  
}
```

# Veridise | Logical Errors

```
template withdraw(n) {  
    assert(n <= 252);  
    signal input bal;  
    signal input amt;  
    signal output out;  
  
    component n2b1 = Num2Bits(n); // assert (bal < 2^n)  
    n2b1.in <== bal;  
    component n2b2 = Num2Bits(n); // assert (amt < 2^n)  
    n2b2.in <== amt;  
    component lt = LessThan(n); // check amt < bal  
    lt.in[0] <== bal;  
    lt.in[1] <== amt;  
  
    out <== bal - amt;  
}
```

Withdraw(252) witness:

amt = 4

bal = 5

out = 1

# Veridise | Logical Errors

```
template withdraw(n) {  
    assert(n <= 252);  
    signal input bal;  
    signal input amt;  
    signal output out;  
  
    component n2b1 = Num2  
    n2b1.in <== bal;  
    component n2b2 = Num2  
    n2b2.in <== amt;  
    component lt = LessThan(n); // check amt < bal  
    lt.in[0] <== bal;  
    lt.in[1] <== amt;  
  
    out <== bal - amt;  
}
```

**Missing constraint**  
*lt.out === 0*

Withdraw(252) witness:

amt = 4  
bal = 5  
out = 1

Withdraw(252) witness:

amt = 6  
bal = 5  
out = -1

# Veridise | Logical Errors

```
template withdraw(n) {  
    assert(n <= 252);  
    signal input bal;  
    signal input amt;  
    signal output out;  
  
    component n2b1 = Num2Bin();  
    n2b1.in <== bal;  
    component n2b2 = Num2Bin();  
    n2b2.in <== amt;  
    component lt = LessThan(n); // check amt < bal  
    lt.in[0] <== bal;  
    lt.in[1] <== amt;  
  
    out <== bal - amt;  
}
```

**Missing constraint**  
*lt.out === 0*

Can be simple programming mistakes or behavioral mistakes

# Veridise | Avoiding Bugs

## Testing



- ✓ No Specialty Knowledge
- ✓ Quick Feedback
- ✗ No Guarantees

## Tools



- ✓ Some Guarantees
- ✓ Little Specialty Knowledge
- ✗ Possibly Long Runtimes
- ✗ Weak Guarantees

## Auditing



- ✓ No Specialty Knowledge (For Developer)
- ✓ Expert Reviewer
- ✓ Capable of Complex Logical Reasoning
- ✗ Significant Effort + Wait
- ✗ Varying Quality
- ✗ No Guarantees

## Verification



- ✓ Strong Guarantees
- ✗ Significant Specialty Knowledge
- ✗ Significant Effort + Wait

Helps find common programming errors!



### Detects:

- Variable Shadowing
- Dead Variable
- Use of <-- over <== for quadratic expressions
- Dead Branch
- Code Complexity
- Unconstrained use of Num2Bits and Bits2Num
- Informational hints for manual inspection

| Pros                                                                                                                            | Cons                                                                                                               |
|---------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------|
| <ul style="list-style-type: none"><li>✓ Lightweight</li><li>✓ Requires No User Input</li><li>✓ No Specialty Knowledge</li></ul> | <ul style="list-style-type: none"><li>✗ Shallow</li><li>✗ No Custom Properties</li><li>✗ False Positives</li></ul> |

## 1. Static Analysis of Constraints (ECNE)

Apply predefined rules to quickly detect if circuit is properly constrained

$$\begin{cases} \text{input } x \\ \text{output } y \\ z = 3x + 4 \\ y = z + 2x \end{cases}$$

Since  $y$  is linear in  $x, z$  we immediately infer it is not under constrained

## SMT Solver

Underconstrained can be expressed as SMT query

$$\exists y_1, y_2 . Q[y_1/y] \wedge Q[y_2/y] \wedge y_1 \neq y_2$$

SAT means the circuit is underconstrained

| Strategy | Pros     | Cons                 |
|----------|----------|----------------------|
| ECNE     | Scalable | Many False Positives |
| SMT      | Precise  | Can't Scale          |



*Combine the strengths of Static Analysis and SMT!*

*Static Analysis and SMT phases interact in a loop*

| <b>Pros</b>                                                                                               | <b>Cons</b>                                                                                                |
|-----------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------|
| <ul style="list-style-type: none"><li>✓ Requires No User Input</li><li>✓ No Specialty Knowledge</li></ul> | <ul style="list-style-type: none"><li>✗ No Custom Properties</li><li>✗ Potentially Long Runtimes</li></ul> |

**Follow us on Twitter!**



@VeridisInc