
[zk-sdk] Add input validation to sigma proof generation functions#199

Merged
samkim-crypto merged 4 commits intosolana-program:mainfrom
samkim-crypto:sigma-proof-input-validation
Jan 8, 2026

Conversation

@samkim-crypto
Contributor

@samkim-crypto samkim-crypto commented Jan 4, 2026

Summary of Changes

I added some extra sanity / safety checks on sigma proof logic.

  1. Currently, the proof generation logic does not reject invalid inputs. For example, the zero ciphertext validity proof certifies that a ciphertext encrypts the value of 0. If a ciphertext that does not encrypt 0 is provided as input, it still goes ahead and generates a proof that is invalid. It is a better API if the function rejects these invalid inputs at the beginning, so I added these checks in the proof constructors (33c662a).

I added tests for this behavior, but I realized that it is difficult to test because the proof types actually don't derive some of the basic traits like Debug, PartialEq, and Eq. So I derived these for the proof types as well (b1c5982).

This change in behavior ended up breaking a unit test in the wasm crate, so I updated it in 89b5b87.

  2. I also added a sanity check on the verification functions to reject identity point inputs. For example, in practice, one would never generate a zero ciphertext validity proof for an all zero ciphertext (i.e. ciphertext consisting of identity points). These identity points can sometimes cause some subtle behavior that prevents the proof algebraic conditions from being checked, so it is safer to just outright reject these points. So I added these checks.

The only proofs where we allow identity inputs are the ciphertext validity proofs. Here, a public key can be the auditor's ElGamal public key in token-2022, which can be zero (identity) when the auditor is set to None.
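Added example (written for this page, not zk-sdk code): a toy Rust model of the two checks the description above introduces, a prover that refuses a ciphertext that does not encrypt zero, and a verifier that refuses identity points before checking the algebraic relations. It assumes the order-11 subgroup of Z_23^* in place of Ristretto points, a std hasher in place of the Merlin transcript, and that the verifier rejects the identity for the public key and both ciphertext components.

```rust
use std::{collections::hash_map::DefaultHasher, hash::{Hash, Hasher}};
// Constructed toy model of the validation this PR adds (not zk-sdk code): the order-11 subgroup
// of Z_23^* stands in for Ristretto; ciphertext C = G^x*H^r, D = P^r, P = H^s, so C^s == D iff x == 0.
const P: u64 = 23; // toy field modulus
const Q: u64 = 11; // toy subgroup order
const H: u64 = 2; // generator for keys and randomness
const G: u64 = 4; // generator for the encrypted value
const IDENTITY: u64 = 1;
#[derive(Debug, PartialEq, Eq)]
pub enum SigmaProofError { IdentityPoint, ZeroCiphertextMismatch, AlgebraicRelation }
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct Ciphertext { pub commitment: u64, pub handle: u64 }
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct ZeroCiphertextProof { pub y_p: u64, pub y_d: u64, pub z: u64 }
fn pow_mod(mut b: u64, mut e: u64) -> u64 {
    let mut r = 1;
    while e > 0 { if e & 1 == 1 { r = r * b % P; } b = b * b % P; e >>= 1; }
    r
}
pub fn encrypt(pubkey: u64, value: u64, r: u64) -> Ciphertext {
    Ciphertext { commitment: pow_mod(G, value) * pow_mod(H, r) % P, handle: pow_mod(pubkey, r) }
}
// Fiat-Shamir challenge (toy hash standing in for a Merlin transcript).
fn challenge(items: &[u64]) -> u64 {
    let mut h = DefaultHasher::new();
    items.hash(&mut h);
    h.finish() % Q
}
impl ZeroCiphertextProof {
    // Prover: reject a ciphertext that does not encrypt zero instead of emitting a bogus proof.
    pub fn new(secret: u64, ct: Ciphertext, nonce: u64) -> Result<Self, SigmaProofError> {
        if pow_mod(ct.commitment, secret) != ct.handle {
            return Err(SigmaProofError::ZeroCiphertextMismatch);
        }
        let (y_p, y_d) = (pow_mod(H, nonce), pow_mod(ct.commitment, nonce));
        let c = challenge(&[pow_mod(H, secret), ct.commitment, ct.handle, y_p, y_d]);
        Ok(Self { y_p, y_d, z: (nonce + c * secret) % Q })
    }
    // Verifier: reject identity inputs up front (assumption: pubkey and both ciphertext parts),
    // then check the Chaum-Pedersen relations H^z == Y_P * P^c and C^z == Y_D * D^c.
    pub fn verify(&self, pubkey: u64, ct: Ciphertext) -> Result<(), SigmaProofError> {
        if [pubkey, ct.commitment, ct.handle].contains(&IDENTITY) {
            return Err(SigmaProofError::IdentityPoint);
        }
        let c = challenge(&[pubkey, ct.commitment, ct.handle, self.y_p, self.y_d]);
        if pow_mod(H, self.z) == self.y_p * pow_mod(pubkey, c) % P
            && pow_mod(ct.commitment, self.z) == self.y_d * pow_mod(ct.handle, c) % P
        { Ok(()) } else { Err(SigmaProofError::AlgebraicRelation) }
    }
}
```

Note that an all-identity ciphertext satisfies the prover's zero check (it encrypts 0 with randomness 0), which is exactly why the verifier rejects identity points separately.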

@samkim-crypto samkim-crypto force-pushed the sigma-proof-input-validation branch from a754c77 to 89e198a Compare January 7, 2026 07:21
@samkim-crypto samkim-crypto marked this pull request as ready for review January 7, 2026 09:12
Contributor

@joncinque joncinque left a comment


Looks great!

Comment on lines +14 to +15:

    #[error("input point is the identity")]
    IdentityPoint,
Contributor


Just noting that this is a breaking change

@samkim-crypto samkim-crypto merged commit f0b1283 into solana-program:main Jan 8, 2026
11 checks passed

@PaulLaux PaulLaux left a comment


I confirm that this fixes #b13 from the QEDIT audit for the public API in proof_data/.

Consider adding a docstring to calls in sigma_proofs/ in the style of

  - Invalid inputs will produce cryptographically invalid proofs
  - Callers are responsible for ensuring input consistency


@PaulLaux PaulLaux left a comment


This also fixes #b14 from the same audit.
Great work.
