-
Notifications
You must be signed in to change notification settings - Fork 35
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Consistency of RAM Table #12
Comments
Credit for the attack goes to @yczhangsjtu. |
This solution looks like a patch specific to this very attack. However, I’m afraid that there are potentially more attacks beyond this, if the For example, still in the example processor table provided in The Processor Table:
The RAM table:
I can’t say for sure that the sorting is really unavoidable. It might be possible to add more patches to avoid all such attacks, but I would suggest rigorous security proof for the soundness of the constraints (and I believe that trying to prove the soundness will reveal more attacks). |
Looks like this attack works 👏 |
yes!
hopefully not, but probably: yes. |
Sparked by your attacks, @aszepieniec and I have revisited Triton VM's RAM design. Summarizing, all attacks that we can think of, including the two you present, can be thwarted if
Having considered a few options, the easiest way to do this seems to be using the U32 Table's
Since this might grow said U32 Table a lot, we should definitely consider incorporating byte-wise lookups for the U32 Table, as suggested in #8. |
Cf. Issue 12 on Triton VM, TritonVM/triton-vm#12, there is an attack on the memory consistency that is supposed to be guaranteed by the memory table. If it is not guaranteed that the clock cycle is monotonically increasing within a region in the memory table (a region being defined as a constant memory pointer value), then memory consitency can be broken by rearranging rows in the memory table. To thwart this attack we insert rows in the memory table such that the clock cycle always increases by one. This gives rise to a new base column in the memory table. This new column is used to indicate if the row is also present in the processor table or if it's inserted as an interweaved row prove that the next row that is also present in the processor table has a higher clock cycle than the previous one. This new base column is used to modify the transition constraint on the extension column of the memory table which by this commits goes from degree 2 to degree 3. These changes means that for some programs the max degree is now found on the extension column for the memory table (since the memory table can be quite a lot longer than the processor table which previously was usually defining for the max degree). So when we calculate the max degree of all tables we have to take extension columns into account which wasn't the case previously.
Superseded by #24. |
There is an attack whereby the malicious prover can read a zero from a given memory location when the last time he wrote to it, the written value wasn't zero. Here is an example trace that illustrates the attack:
clk
ramp
ramv
The boundary constraints are satisfied, because they state that the first row should consist of all zeros. The
hv6
column is omitted because it is not relevant for the attack, but there is a valid assignment to this column. The remaining transition constraints areramp
changes thenramv
is zero – this constraint is satisfied;ramp
does not change andramv
does change thenclk
increases by one – this constraint is also satisfied.Therefore the above trace is a valid trace. But the problem is that the memory cell at location 0 is accessed again in cycle 6. At this point it should have the value that it was set to in cycle 1, but it has the value 0 instead.
We came up with the following solution: we disallow reads from uninitialized memory. Specifically:
ci
in the RAM table. This adds one column.init
which contains only 0 or 1, adding a second column.ramp
changes,init
is set to zero.ci
iswrite_mem
,init
is set to one.ci
isread_mem
,init
has to be one.Tasks
simulate
: add columnsRamTable
: add constraints and update permutation argument.The text was updated successfully, but these errors were encountered: