
v1.6.0


@shuklaayush released this 15 May 18:42
· 2 commits to main since this release

This release is a security release. All users on v1.5.0 or earlier are recommended to upgrade.

Security Fixes

This release addresses the following security advisories:

This release also incorporates the upstream Plonky3 fix for GHSA-vj64-rjf3-w3v7 (MultiField32Challenger transcript binding) via the update to Plonky3 v0.4.3.

Changed

  • (Transpiler) Reject non-contiguous executable segments in ELF decoder.
  • (Circuits/VM) Add boolean constraints to PhantomAir (is_valid) and VmConnectorAir (is_terminate) bus interaction multiplicities.
  • (Circuits/SHA-256) Enforce that the Sha256Air trace ends on a padding row.
  • (Circuits/SHA-256) Add range checks on byte limbs in Sha256VmAir message length comparison to prevent field-modulus wraparound.
  • (Circuits/SHA-256) Enforce is_last_block is constant across all rows within a block in Sha256VmAir.
  • (Circuits/SHA-256) Constrain padding block count after the terminal marker in Sha256VmAir to prevent extra padding blocks.
  • (Circuits/Keccak) Add terminal finalization constraint to KeccakVmAir to ensure partial tail rows (since 24 never divides a power of two) cannot contain enabled instructions.
  • (Circuits/Keccak) Add explicit boolean assertion on is_enabled in KeccakVmAir.
  • (Circuits/Memory) Anchor the root node's as_label and address_label to zero in MemoryMerkleAir.
  • (Recursion) Constrain air_perm_by_height in the recursive STARK verifier to be a valid permutation of AIR indices.
  • (Recursion) Add bounds checks for unchecked builder.get on dynamic arrays in the recursive STARK verifier and continuations verifier to prevent out-of-bounds reads from malicious proof data.
  • (Recursion) Zero-fill the mask array in verify_raps to prevent reads of uninitialized memory in the permutation check.
  • (Recursion) Validate that each AIR proof's exposed_values_after_challenge length matches verifier key advice, preventing injection of extra post-challenge exposed-value vectors.
  • (Recursion) Fix add_felt_exti ASM lowering to correctly compute lhs + rhs[0] for the base coefficient instead of silently dropping rhs[0].
  • (Recursion) Constrain VERIFY_BATCH inside-row hashing to start at the correct opened_values index and prevent opened_index from advancing across row boundaries.
  • (Recursion) Update Plonky3 to v0.4.3. The static verifier challenger now mirrors MultiField32Challenger from that release: each absorb packs the pending F scalars and tags the block with the number of F elements consumed, and each squeeze splits the PF rate cells into canonical base-|F| limbs. Also adds a DSL primitive (CircuitVarToFieldOrderLimbsF) that constrains the in-circuit base-|F| decomposition to be canonical.
  • (Guest Library/IO) Add checked arithmetic to hint stream read and deserialization buffer allocation to prevent integer overflow from untrusted hint lengths.
  • (Guest Library/Algebra) Ensure zero is always reported as a perfect square in modular arithmetic.
  • (Guest Library/Pairing) Add Fp6 subfield checks for the hinted scalar factor in openvm-pairing BN254/BLS12-381 pairing check optimization.
  • (Guest Library/ECC) Make all from_xy_* point constructors unsafe since they do not perform subgroup membership checks.
  • (Guest Library/ECC) Reject the identity point (point at infinity) as a valid public key in ECDSA verification.
  • (Guest Library/ruint) Restrict zkVM-accelerated bitwise intrinsics (and, or, xor) to 256-bit Uint types only. Fix cmp fallback to avoid infinite recursion on non-256-bit types.
  • (Guest Library/ruint) Fix OOB read in ruint shift intrinsics by passing correctly sized buffer.
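
The Guest Library/IO item above describes the general hazard of letting an untrusted length prefix drive buffer allocation. The following is an added example written for these notes, not OpenVM's own hint-stream code: it assumes a constructed stream layout (a little-endian u32 word count followed by that many little-endian u32 words) and a hypothetical `HintStream` reader with a caller-supplied allocation budget. Every arithmetic step on the untrusted length is checked before any allocation happens, and the two helper functions show how a naive 32-bit `len * 4` wraps to a small, bounds-check-passing size while the checked form reports overflow instead.

```rust
// Added example (not OpenVM's code): checked arithmetic when an untrusted
// length prefix drives buffer allocation. Stream layout is a constructed
// assumption: u32 LE word count, then that many u32 LE words.

#[derive(Debug, PartialEq)]
pub enum HintError {
    Truncated,      // header promises more bytes than the stream holds
    LengthOverflow, // len * 4 (or pos + len) does not fit in usize
    TooLarge,       // would exceed the caller's allocation budget
}

/// Hypothetical bounded reader over an in-memory hint stream.
pub struct HintStream<'a> {
    buf: &'a [u8],
    pos: usize,
    max_alloc: usize,
}

impl<'a> HintStream<'a> {
    pub fn new(buf: &'a [u8], max_alloc: usize) -> Self {
        Self { buf, pos: 0, max_alloc }
    }

    fn read_u32(&mut self) -> Result<u32, HintError> {
        let end = self.pos.checked_add(4).ok_or(HintError::LengthOverflow)?;
        let b = self.buf.get(self.pos..end).ok_or(HintError::Truncated)?;
        self.pos = end;
        Ok(u32::from_le_bytes([b[0], b[1], b[2], b[3]]))
    }

    /// Reads a length-prefixed Vec<u32>. The length is untrusted, so the byte
    /// count, the budget comparison and the end offset are all checked before
    /// Vec::with_capacity is ever called.
    pub fn read_u32_vec(&mut self) -> Result<Vec<u32>, HintError> {
        let len = self.read_u32()? as usize;
        let byte_len = len.checked_mul(4).ok_or(HintError::LengthOverflow)?;
        if byte_len > self.max_alloc {
            return Err(HintError::TooLarge);
        }
        let end = self.pos.checked_add(byte_len).ok_or(HintError::LengthOverflow)?;
        let body = self.buf.get(self.pos..end).ok_or(HintError::Truncated)?;
        self.pos = end;
        // Allocation happens only after the bounds above are proven.
        let mut out = Vec::with_capacity(len);
        for c in body.chunks_exact(4) {
            out.push(u32::from_le_bytes([c[0], c[1], c[2], c[3]]));
        }
        Ok(out)
    }
}

/// What a naive `len * 4` in 32-bit arithmetic yields: wraps silently.
pub fn naive_byte_len_u32(len: u32) -> u32 {
    len.wrapping_mul(4)
}

/// The checked equivalent: None signals overflow instead of a bogus small size.
pub fn checked_byte_len_u32(len: u32) -> Option<u32> {
    len.checked_mul(4)
}

/// Builds a well-formed stream for the constructed layout (test helper).
pub fn build_stream(words: &[u32]) -> Vec<u8> {
    let mut v = (words.len() as u32).to_le_bytes().to_vec();
    for w in words {
        v.extend_from_slice(&w.to_le_bytes());
    }
    v
}

fn main() {
    let good = build_stream(&[7, 9]);
    println!("good: {:?}", HintStream::new(&good, 1 << 20).read_u32_vec());
    // Header claims 0x4000_0001 words but only one word of body follows.
    let mut forged = 0x4000_0001u32.to_le_bytes().to_vec();
    forged.extend_from_slice(&1u32.to_le_bytes());
    println!("naive bytes: {}", naive_byte_len_u32(0x4000_0001));
    println!("forged: {:?}", HintStream::new(&forged, 1 << 20).read_u32_vec());
}
```

The header value 0x4000_0001 is chosen so that the wrapped 32-bit byte count is exactly 4, the size of the single word actually present: a reader that computed the size with wrapping arithmetic and then bounds-checked it would accept the stream and allocate far less than `len` elements. The checked reader rejects it before touching the allocator.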

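The Guest Library/Algebra item above (zero must always be reported as a perfect square) is a classic edge case of Euler's criterion: x is a square modulo an odd prime p exactly when x^((p-1)/2) ≡ 1, but that test is only stated for x ≠ 0, and 0^k = 0 makes a literal implementation answer "not a square" for zero. The following added example, written for these notes rather than taken from openvm-algebra, shows the naive form beside the corrected one and cross-checks both against brute force over small primes; `pow_mod` and the u64 arithmetic are assumptions for the demonstration, not the library's field types.

```rust
// Added example (not OpenVM's code): Euler's criterion for "is x a square
// mod p" and the zero edge case a naive implementation gets wrong.
// Uses u64 arithmetic and small primes for clarity; a real field type
// would do the same check on its own representation.

/// base^exp mod p by square-and-multiply (p small enough that p*p fits u64).
pub fn pow_mod(mut base: u64, mut exp: u64, p: u64) -> u64 {
    let mut acc = 1 % p;
    base %= p;
    while exp > 0 {
        if exp & 1 == 1 {
            acc = acc * base % p;
        }
        base = base * base % p;
        exp >>= 1;
    }
    acc
}

/// Naive Euler test: x^((p-1)/2) == 1. Wrong for x == 0, since 0^k == 0.
pub fn is_square_naive(x: u64, p: u64) -> bool {
    pow_mod(x, (p - 1) / 2, p) == 1
}

/// Corrected: 0 == 0*0, so zero is always a square; Euler's criterion is
/// applied only to the nonzero residues it is actually stated for.
pub fn is_square(x: u64, p: u64) -> bool {
    let x = x % p;
    x == 0 || pow_mod(x, (p - 1) / 2, p) == 1
}

/// Ground truth by exhaustive search: does some y satisfy y*y == x (mod p)?
pub fn is_square_brute(x: u64, p: u64) -> bool {
    let x = x % p;
    (0..p).any(|y| y * y % p == x)
}

/// Residues on which the naive test disagrees with brute force.
pub fn naive_disagreements(p: u64) -> Vec<u64> {
    (0..p)
        .filter(|&x| is_square_naive(x, p) != is_square_brute(x, p))
        .collect()
}

/// Residues on which the corrected test disagrees with brute force.
pub fn fixed_disagreements(p: u64) -> Vec<u64> {
    (0..p)
        .filter(|&x| is_square(x, p) != is_square_brute(x, p))
        .collect()
}

fn main() {
    for p in [7u64, 101, 1009] {
        println!(
            "p={p}: naive wrong on {:?}, fixed wrong on {:?}",
            naive_disagreements(p),
            fixed_disagreements(p)
        );
    }
}
```

For every odd prime tried, the only residue the naive form misclassifies is 0, and the corrected form agrees with brute force everywhere; that single residue matters because zero is exactly the value an adversarial witness is most likely to supply to a square-root or quadratic-residue check.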
Removed

  • (Recursion) Delete dead and buggy ConstraintCompiler code.

Full Changelog: v1.5.0...v1.6.0