Dear IronMask authors,
while running IronMask, I ran into two minor bugs that cause inaccuracies in the total failure probability:
-
The code-block at coeffs.c:257-261 seems to have been intended to fill coefficients beyond coeff_max with n choose k upper bounds, which matches what compute_leakage_proba() does with mix_max == 1. However, get_failure_proba() receives coeff_max_main_loop instead of the original coeff_max. Thus, the coeff_max != -1 guard inside the function is always true, the upper-bound filling with n_choose_k() runs unconditionally, overwriting correctly computed coefficients. This yields an unintended modification of the leakage coefficients, thus inaccurately computing the total failure probability from said coefficients.
-
According to the original paper, the failure probability is computed as $f(p) = \sum_{i = 1}^{s} c_i \cdot p^i \cdot (1 - p)^{s - i}$. The current code state (coeffs.c:274) is off by one in the exponent for the probability that the remaining wires leak: $f(p) = \sum_{i = 1}^{s} c_i \cdot p^i \cdot (1 - p)^{s - i + 1}$.
Applying fixes to those issues leads to correct failure probabilities, which are in accordance to the values that are computed by e.g. INDIANA.
I have issued a pull-request with a fix to this issue.
Best,
Armand
Dear IronMask authors,
while running IronMask, I ran into two minor bugs that cause inaccuracies in the total failure probability:
The code-block at coeffs.c:257-261 seems to have been intended to fill coefficients beyond
coeff_maxwith n choose k upper bounds, which matches whatcompute_leakage_proba()does withmix_max == 1. However,get_failure_proba()receivescoeff_max_main_loopinstead of the originalcoeff_max. Thus, thecoeff_max != -1guard inside the function is always true, the upper-bound filling withn_choose_k()runs unconditionally, overwriting correctly computed coefficients. This yields an unintended modification of the leakage coefficients, thus inaccurately computing the total failure probability from said coefficients.According to the original paper, the failure probability is computed as$f(p) = \sum_{i = 1}^{s} c_i \cdot p^i \cdot (1 - p)^{s - i}$ . The current code state (coeffs.c:274) is off by one in the exponent for the probability that the remaining wires leak: $f(p) = \sum_{i = 1}^{s} c_i \cdot p^i \cdot (1 - p)^{s - i + 1}$ .
Applying fixes to those issues leads to correct failure probabilities, which are in accordance to the values that are computed by e.g. INDIANA.
I have issued a pull-request with a fix to this issue.
Best,
Armand