Audit of zk-email
May 27, 2024

Description

The complement regex (e.g., [^0] which matches any character that is not 0) is not properly enforced in the current implementation. When a regex utilizing such a pattern, the resulting circuit may incorrectly accept inputs that do not match the intended pattern. For example, the following JSON defines a pattern that should reject strings containing "a" or "b":

{
  "parts": [
    {
      "is_public": true,
      "regex_def": "[^ab]"
    }
  ]
}

However, when instantiated in a circuit with the input corresponding to abb:

component main { public [ msg ] } = SimpleRegex(3);

/* INPUT = {
 * "msg": ["97", "98", "98"]
 * }
 */

The circuit erroneously accepts this input (out is 1), indicating a pass, even though the input clearly includes a non-matching string. Interestingly, the reveal0 array does not reveal the non-matching pattern as it should (since it matches it).

Impact

This flaw could lead to significant soundness vulnerabilities in systems relying on these circuits for validation or verification processes.

Recommendation

Fix the compiler to properly handling complement regexes or throw an error to prevent soundness issues.

Client response

The issue was fixed in commit 6f2a5d0. We suggest adding further tests to catch any potential errors in corner cases.

Description

The zk-regex compiler, which translates regular expressions into Circom circuits, has multiple significant issues affecting its reliability and functionality. The compiler crashes or produces errors on multiple occasions, indicating a robustness problem. Furthermore, in some cases it produces circuits with soundness issues. Some of the uncovered issues are very simple to trigger, meaning that they might cover other significant bugs. A lack of documentation and specifications adds to the problem by forcing developers into a trial-and-error approach, leading to usability issues and potential misconceptions about the zk-regex compiler. Additionally, the absence of formal documentation on the Regex features supported by the compiler leads to ambiguity in its functionality. This, combined with an unclear description of the internal process and algorithm of the compiler, results in a lack of clarity on how regex patterns are processed and converted into circuits. Finally, the compiler's test coverage is insufficient -- lacking both positive and negative tests and automated testing techniques -- raising concerns about the robustness of the compiler.

More specifically, both the generated Circom code and the zk-regex library itself lack specifications and documentation. It is extremely hard to understand the generated Circom code:

• What are the formats of input and outputs of the generated code? What assumptions are made about the input?
• The generated code is not structured well, nor commented, so it's very challenging to understand what it does, and more importantly, why.

The zk-regex library implementation code is also hard to understand. All public functions have clear signatures, but their implementations are poorly structured and completely undocumented. This applies both to internal data structure preparation and Circom code generation. On the data structure preparation side: there are two functions that are always called together, parse_dfa_output and dfa_to_graph.

    let mut graph = dfa_to_graph(&parse_dfa_output(&re_str));

These should be combined into one function (even if it'll end up as short as the one-liner above). More importantly, dfa_to_graph seems to be re-doing some of the work of parse_dfa_output (also, regex_automata::dfa API could be used directly instead of parsing its textual printout). Notably, these two are not enough, because gen_circom_allstr still needs more pre-processing before it can get to its actual purpose: it first prepares rev_graph, which could easily be passed to it (could be a part of RegexAndDFA struct). On the Circom code generation side: gen_circom_allstr is a function of 420+ lines of code, with 12 total loops and conditionals on the top level alone, occasionally very deeply nested (up to 6 levels). There's no documentation or comments.

Impact

Due to the aforementioned issues, the compiler's usability is greatly affected, and there's a high risk of unexpected behaviours leading to security vulnerability. Furthermore, it's hard to maintain this code. It is very hard to understand the generated Circom code, which makes it hard to trust. Due to the lack of specifications, the complexity of the code, and the lack of testing, we believe that there are potentially more bugs in the code.

Recommendation

To address these concerns, the following steps are recommended:

• Refactoring: All mentioned functions could use refactoring, ideally such that they could be read in a single glance, calling to meaningfully named helper functions, each doing one thing. Finite state machines are a simple, well-known concept, and the generated code could reflect that: essentially, the generated circuit is a single pass through the FSM, feeding it the input string one byte at a time. The transition function could be factored out into a separate template, which would make the main template much simpler. Both the main template and the transition template should be either well-structured or well-commented (or both), explaining what they do and why.
• Specification and Documentation: Clearly define and document the supported regex features and syntax. Define which are the expected behaviors to enable users to securely use the compiler.
• Process and Algorithm Documentation: Describe the internal algorithm and steps the compiler takes in converting regex patterns to Circom circuits, to help auditors an developers alike.
• Test Suite Enhancement: Develop a comprehensive test suite, including both correct and incorrect cases, to validate all supported features and any additional functionalities, like revealing sub-regexes.
• Automated Testing: Implement automated testing techniques to systematically uncover subtle bugs and regressions, ensuring the compiler's reliability.

Client response

The issues described here were acknowledged by the client.

Description

Both custom SHA256 templates Sha256General and Sha256Partial, as well as their bytes variants Sha256Bytes and Sha256BytesPartial, are vulnerable to an attack where the prover passes in a maliciously crafted paddedInLength which causes the returned hash result to be the all-zeros bit array.

In Sha256General and Sha256Partial, paddedInLength represents the bit length of the input message. It is connected to a newly created signal inBlockIndex by the constraint

inBlockIndex <-- (paddedInLength >> 9);
paddedInLength === inBlockIndex * 512;

SHA2 operates on the input in chunks, and inBlockIndex represents the number of chunks to be hashed. To support inputs of dynamic length, the template stores the intermediate hash result after each chunk, and at the end selects which one to return, using the ItemAtIndex template. This is done for each output bit:

component arraySelectors[256];
for (k=0; k<256; k++) {
    arraySelectors[k] = ItemAtIndex(maxBlocks);
    for (j=0; j<maxBlocks; j++) {
        arraySelectors[k].in[j] <== sha256compression[j].out[k];
    }
    arraySelectors[k].index <== inBlockIndex - 1; // The index is 0 indexed and the block numbers are 1 indexed.
    out[k] <== arraySelectors[k].out;
}

The exploit we found manages to set inBlockIndex - 1 to a large number close to the native modulus. In particular, the index is larger than the array size maxBlocks. On an index that exceeds the array bounds, the output of ItemAtIndex is zero. Therefore, the hash result ends up being an array of 0 bits -- regardless of the input value.

The issue is that ItemAtIndex does not properly constrain the index to lie in its intended range:

template ItemAtIndex(maxArrayLen) {
    // ...
    signal input index;
    // ...

    // Ensure that index < maxArrayLen
    component lessThan = LessThan(bitLength);
    lessThan.in[0] <== index;
    lessThan.in[1] <== maxArrayLen;
    lessThan.out === 1;

As we can see in this code excerpt, index is passed to LessThan(bitLength). For LessThan to be sound, both inputs have to fit in bitLength bits. However, this property is never checked on the index.

Adding to the misfortune, the SHA2 input bit length paddedInLength is passed to an instance of LessThan as well, with the same mistake of not constraining its bit range (in Sha256General and Sha256Partial).

Generally speaking, when using LessThan without a bit constraint, small "negatives" modulo the field size $p$, like $-1 \equiv p-1$, are treated as being less than a small positive value. A detailed analysis of the SHA256 templates reveals that no constraints prevent inBlockIndex to be one of the following values:

These values are able to trick both instances of LessThan (the one for paddedInLength and the one for index) into returning 1, which is incorrect.

To exploit this in an isolated instance of Sha256Bytes, the prover just has to:

• pass in one of $-5 \cdot 64, \ldots, -64, 0$ as paddedInLength (note: this is multiplied by 8 in Sha256Bytes)
• change the inBlockIndex witness generation code to work for the negative case:

- inBlockIndex <-- (paddedInLength >> 9);
+ inBlockIndex <-- (paddedInLength / 512);

With this simple attack, we are able to create a valid proof that the SHA256 output consists of all zeros, regardless of its input.

Impact

Meaningfully exploiting this issue in EmailVerifer is infeasible, because AssertZeroPadding is also used on the two SHA256 input lengths (emailHeaderLength and emailBodyLength), and given small negative lengths implies that the email header or body consists of all zeros. However, consumers of the zk-email-verify library which use SHA256 templates in a different context may be vulnerable to the attack.

Recommendation

• In ItemAtIndex, remove LessThan and instead add an assertion that the sum of all eqs[i] equals 1. This proves that the index to select is one of the array indices.
• In all SHA256 templates, document the assumption that paddedInLength is constrained to a certain number of bits:
  • ceil(log2(maxBitLength)) bits in the case of Sha256General and Sha256Partial
  • ceil(log2(8 * maxByteLength)) bits in the case of Sha256Bytes and Sha256BytesPartial
• In EmailVerifier, use Num2Bits to constrain both emailHeaderLength and emailBodyLength to appropriate bit lengths, right after those signals are introduced.

Client response

The issue was fixed in commits ad0ad6, e14e88 and d667a1.

Description

The start and end of line regexes, ^ and $ respectively, do not function as expected. In zk-regex, both the regexes a and ^a produce a DFA that accepts the string "ba", despite the expectation that ^a should not. This issue might arise because each regex is wrapped in a "^...$" pattern before generating the DFA. The following DFAs are produced the compiler.

RegexAndDFA { regex_str: "a", dfa_val: DFAGraph { states: [DFAState { type: "", state: 0, edges: {1: {97}} }, DFAState { type: "accept", state: 1, edges: {} }] }, substrs_defs: SubstrsDefs { substr_defs_array: [], substr_endpoints_array: None } }

RegexAndDFA { regex_str: "^a", dfa_val: DFAGraph { states: [DFAState { type: "", state: 0, edges: {1: {97}} }, DFAState { type: "accept", state: 1, edges: {} }] }, substrs_defs: SubstrsDefs { substr_defs_array: [], substr_endpoints_array: None } }

which are identical.

A pattern for testing this issue can be defined as follows:

{
  "parts": [
    {
      "is_public": false,
      "regex_def": "^a"
    }
  ]
}

The test can be instantiated in a circuit with:

component main { public [ msg ] } = SimpleRegex(3);

/* INPUT = {
 *  "msg": ["98", "97", "0"]
 * }
 */

which will return out=1.

Impact

This malfunction can lead to severe consequences for circuits that rely on accurate string boundary matching. A verifier could incorrectly accept strings that do not meet specified criteria, leading to potential security and functionality flaws. This bug impacts various circuits within the circuits/common/ directory, which are utilized by zk-email circuits.

Recommendation

It is critical to address this issue either by correctly supporting ^ and $ patterns in regexes or by generating an error when these patterns are used. A refactoring might be required to support this feature that seems critical in some of the example circuits.

Client response

The issue was partially fixed in commit 6aac440. Furthermore, the README was updated to outline some limitations. We suggest adding further tests to catch any potential errors in corner cases.

Description

When a non-matching input is processed against a defined regex pattern, the reveal array erroneously exposes part of the input data. For instance, in a pattern meant to match "aba", an input of "aca" should not match. Hence, the circuit should not reveal any characters. However, the reveal array incorrectly exposes the character a in the last position.

E.g.,

{
  "parts": [
    {
      "is_public": true,
      "regex_def": "aba"
    }
  ]
}

Input:

component main { public [ msg ] } = SimpleRegex(3);

/* INPUT = {
    "msg": ["97", "99", "97"]
} */

Output:

Output:
out = 0
reveal0[0] = 0
reveal0[1] = 0
reveal0[2] = 97

Impact

This behavior could lead to unintended behavior leaking private information.

Recommendation

The issue should be corrected to ensure the reveal array remains empty when the pattern does not match the input.

Client response

The issue was fixed in commit 0a5943a. We suggest adding further tests to catch any potential errors in corner cases.

Description

When the regex pattern partially matches the input, the reveal array unexpectedly exposes more characters than those involved in the match. For example, when matching "a[ab]" against "aba", the third character should not be revealed as it is not part of the accepted match sequence.

Example:

{
  "parts": [
    {
      "is_public": true,
      "regex_def": "a[ab]"
    }
  ]
}

Input:

component main { public [ msg ] } = SimpleRegex(3);

/* INPUT = {
    "msg": ["97", "98", "97"]
} */

Result:

Output:
out = 1
reveal0[0] = 97
reveal0[1] = 98
reveal0[2] = 97

Impact

This could lead to erroneous behaviors where more data than necessary is revealed.

Recommendation

Ensure that only the characters from the matching sequence are revealed.

Client response

The issue was fixed in commit 0a5943a. We suggest adding further tests to catch any potential errors in corner cases.

Description

We found a number of templates throughout the zk-email-verify codebase which implicitly assume inputs to be constrained in a certain way, but don't document that assumption anywhere.

What follows is a list of undocumented assumptions:

• Sha256General
  • paddedIn consists of bits
• Sha256Partial
  • preHash consists of bits
  • paddedIn consists of bits
• Sha256General, Sha256Partial, Sha256Bytes, Sha256BytesPartial
  • paddedInLength fits in a certain number of bits, see the SHA256 finding
• PackBytes
  • in elements fit in 8 bits
• PackBytesSubArray
  • in elements fit in 8 bits
  • length fits in ceil(log2(maxSubArrayLen)) bits
• PackRegexReveal
  • in elements fit in 8 bits
• SelectSubArray
  • length fits in ceil(log2(maxSubArrayLen)) bits
• CalculateTotal
  • nums[n] are small enough that their sum does not overflow the field
• AssertZeroPadding
  • startIndex - 1 fits in ceil(log2(maxArrayLen)) bits
  • This one is not exploitable, because the only way it can behave incorrectly is to constrain a larger number of array elements to be 0 than expected
• DigitBytesToInt
  • inputs are between 48 and 57
• FpPow65537Mod
  • base and modulus consist of k limbs, each of which must fit in n bits
• FpMul
  • a, b and p consist of k limbs, each of which must fit in n bits
• BigLessThan
  • a and b consist of k limbs, each of which must fit in n bits
• PoseidonLarge
  • in elements must fit in bytesPerChunk bits to avoid hash collisions
  • Note: bytesPerChunk refers to the number of bits per chunk (!), should be renamed
• EmailVerifier
  • emailHeaderLength fits in ceil(log2(maxHeadersLength)) bits
  • emailBodyLength fits in ceil(log2(maxBodyLength)) bits

This list attempts to be exhaustive, but excludes unused templates that we recommend to remove.

We also want mention a few counter-examples: cases where on the surface it seems that a template makes an implicit assumption, but when looking closer, it turns out that the input already gets fully constrained.

• Base64Lookup
  • fully constrains in to consist of valid base64 characters, even though LessThan and GreaterThan are used without bit range checks.
  • by extension, the same is true for Base64Decode
• RSAVerifier65537
  • fully constrains message, signature and modulus to consist of n-bit limbs. Note that the bit decompositions of message and modulus are buried inside RSAPad.
• SelectRegexReveal
  • is sound for all practically relevant values of the maxRevealLen static parameter, even though it uses GreaterThan on a value (startIndex + maxRevealLen - 1) that can overflow the target bit length.
  • Note that startIndex is bit-constrained by VarShiftLeft

Impact

As our SHA256 finding demonstrates, it is easy to forget to implicit assumptions. All of the templates listed above are potentially used by developers that consume zk-email-verify as a library. It seems likely that developers will skip undocumented constraints, and might end up with critical bugs in their applications.

Recommendation

A safe way to defend against unsatisfied assumptions is to remove them: constrain inputs within every single template that makes assumptions on them.

The downside of constraining inputs is that as the same input gets passed to multiple templates, it will be constrained multiple times, which is inefficient.

Therefore, our general recommendation for a mature circuit library is to constrain outputs, but not inputs. Signals that carry a range-check or other assumption should be constrained in the most top-level template where they originate, right next to their definition -- and nowhere else.

When following this style of not constraining inputs, it is of highest importance that input assumptions are always clearly documented as part of the comment preceding a template. We recommend the following:

• Add documentation in comments for all the assumptions listed above.
• In addition, mention the policy of not constraining inputs in the high-level documentation of the library -- for example, as a section in packages/circuits/README.md.

Exceptions to the "never constrain inputs" rule make sense when a template should be usable directly as the main component. If that is desired, inputs should be constrained within the template. See EmailVerifier, where we recommend to constrain emailHeaderLength and emailBodyLength.

Client response

The issue was addressed in commits f4d0eba, ea2226, 4a0572 and 4b17ae.

Description

Base64Lookup returns 0 when passing into it 'A' (i.e., 65) -- as expected --, but also when passing '=' (i.e., 61 which is used for padding). That means that when we use Base64Decode, the result will be the same for aS== and aSA=. Furthermore, someone could replace occurrences of A with =.

Impact

This is a low-severity issue, as it does not seem to be easily exploited in a practical scenario. Nevertheless, as this template is supposed to be used as a library, we propose to fix it.

Recommendation

You should specially handle the padding character (=) in the Base64Lookup template.

Client response

The client chose to document the behaviour of the template instead of changing it (commit 27ccac). We think this is appropriate.

Description

Certain valid regex patterns, such as those specifying a range of repetitions like {2,3}, are being rejected by the compiler with an error message about the size of accept nodes. Oddly, similar patterns with quantifiers such as * or + are accepted. Note that we have also observed this behavior with regexes like: (^|h)$.

Impact

This could lead to developers not being able to describe their regexes.

Description

The compiler produces a circuit that cannot be compiled due to a signal initialization error when processing the universal matching pattern .*.

stderr:
error[T3001]: Exception caused by invalid access: trying to access to a signal that is not initialized
    ┌─ "untitled3.circom":299:32
    │
299 │         final_state_result.in[i] <== states[i][0];
    │                                      ^^^^^^^^^^^^ found here
    │
    = call trace:
      ->SimpleRegex

previous errors were found

Impact

Users cannot use a valid regex.

Client response

The client acknowledged the issue. The compiler currently does not support it, and the README has been updated.

Description

The compiler crashes when the regex pattern includes the alternation operator (|). Patterns that should be valid, such as "a|b", are causing compiler crashes.

Impact

The crash affects the compiler's usability, preventing users from utilizing certain valid regex patterns.

Description

The files fp.circom, bigint.circom and bigint-func.circom, which originally were taken from other Circom projects, contain a large number of templates and functions which are neither currently used in zk-email-verify nor likely to be useful to consumers of the library.

Furthermore, some of these templates have since received security patches as part of other projects, for example:

• ModSumThree() accepts unexpected solutions, from a circom-ecdsa PR
• ModSumFour() uses an incorrect assertion, from the Veridise Succinct audit
• BigMod() and BigModInv() do not work for k >= 50, from the same Veridise audit
• Templates Split() and SplitThree() have non-deterministic instantiations, from the same Veridise audit

No template in this list is actually used, so it seems to be an unnecessary burden to continue maintaining them and keeping up to date with fixes.

Recommendation

We recommend to remove the following templates from the project:

• fp.circom: Remove everything except FpMul
• bigint.circom : Remove everything except BigLessThanand CheckCarryToZero
• bigint-func.circom: Remove isNegative, SplitFn, SplitThreeFn, prod, mod_exp, mod_inv, long_sub_mod_p, prod_mod_p

Client response

The recommended changes were made in commit 5e7a5f.

Description

Given an empty regex (or ^$, ^ or $), the Circom generation succeeds, but generates invalid code.

To reproduce, run

zk-regex decomposed -d ./empty.json -c ./empty.circom -t EmptyRegex -g true

with the following empty.json:

{
  "parts": [
    {
      "is_public": false,
      "regex_def": ""
    }
  ]
}

The resulting empty.circom will contain the following snippet:

    for (var i = 0; i < num_bytes; i++) {
        state_changed[i] = MultiOR(0);
        states[i][0] <== 1;
        from_zero_enabled[i] <== MultiNOR(0)([]);
    }

Circom compiler will print out the following error:

error[P1012]: illegal expression
   ┌─ "./empty.circom":30:41
   │
30 │         from_zero_enabled[i] <== MultiNOR(0)([]);
   │                                               ^ here

Impact

Probably not a high severity issue, as empty regexes are not used a lot. However, an empty regex is still a valid regex, without the caveats mentioned in the project README.md (certain characters, lookaheads, lookbehinds), so it's expected to produce valid Circom. With programmatic use of the zk-regex library, this could lead to unexpected behavior.

Recommendation

The Circom generation should be fixed to handle empty regexes correctly.

Description

zk-regex public functions throw panics instead of returning compile errors.

For example, run

RUST_BACKTRACE=1 zk-regex decomposed -d ./panic.json -c ./oh-no.circom -t NoWayRegex -g true

with the following panic.json:

{
  "parts": [
    {
      "is_public": false,
      "regex_def": "^(hey|there$"
    }
  ]
}

The regex_def above is invalid, as the group is not closed.

This will result in panic:

thread 'main' panicked at packages/compiler/src/regex.rs:265:14:
called `Result::unwrap()` on an `Err` value: BuildError { kind: NFA(BuildError { kind: Syntax(Parse(Error { kind: GroupUnclosed, pattern: "^(hey|there$", span: Span(Position(o: 1, l: 1, c: 2), Position(o: 2, l: 1, c: 3)) })) }) }
stack backtrace:
   0: _rust_begin_unwind
   1: core::panicking::panic_fmt
   2: core::result::unwrap_failed
   3: zk_regex_compiler::regex::regex_and_dfa
   4: zk_regex_compiler::gen_from_decomposed
   5: zk_regex::main
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.

Impact

This will lead to crashes of programs using zk-regex as a library.

Recommendation

Consider replacing panics with returning error Results.