Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Barretenberg Bigfield>Discussion>Assumptions regarding bit width of the modulus
GeneralOverview
Findings
Critical (7)
Medium (2)
Low (6)
Informational (2)
DiscussionMaturity of the codebase and lack of specificationsConcrete examples for assumptions for bounds and how to document themUndocumented assumption regarding meaning of bigfield fieldsFunctioning of evaluate_non_native_field_multiplicationAssumptions regarding bit width of the modulusBehavior in simulator modeHandling of too large ranges in uint256_t::sliceMissing maximum-bit number checks in constructorFix for decompose_into_bitsOverflow checks for unreduced elementsPrime limb witness indexes equality check in operator- and operator+Inefficient loopsPossible shaper boundsUnnecessary assert in mul_product_overflows_crt_modulusUnnecessary reductons in operator+Unreachable codeMisleading names of functions or variablesImprovements for comments/documentation
Audit ResultsAssessment Results

Assumptions regarding bit width of the modulus

The implementation of the bigfield class assumes that the emulated modulus has a bit width between 204 and 256 bits, as can be seen from these lines:

// code assumes modulus is at most 256 bits so good to define it via a uint256_t
static constexpr uint256_t modulus = (uint256_t(T::modulus_0, T::modulus_1, T::modulus_2, T::modulus_3));
// ...
static constexpr uint64_t NUM_LAST_LIMB_BITS = modulus_u512.get_msb() + 1 - (NUM_LIMB_BITS * 3);

Here, NUM_LIMB_BITS has value 68, so the bit width of the modulus must be at least 3*68 = 204. We recommend documenting this requirement. Optimally, a compile-time check that the modulus is in the required range would also be added.

Zellic © 2025Back to top ↑