Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Barretenberg Bigfield>Discussion>Unnecessary reductons in operator+
GeneralOverview
Findings
Critical (7)
Medium (2)
Low (6)
Informational (2)
DiscussionMaturity of the codebase and lack of specificationsConcrete examples for assumptions for bounds and how to document themUndocumented assumption regarding meaning of bigfield fieldsFunctioning of evaluate_non_native_field_multiplicationAssumptions regarding bit width of the modulusBehavior in simulator modeHandling of too large ranges in uint256_t::sliceMissing maximum-bit number checks in constructorFix for decompose_into_bitsOverflow checks for unreduced elementsPrime limb witness indexes equality check in operator- and operator+Inefficient loopsPossible shaper boundsUnnecessary assert in mul_product_overflows_crt_modulusUnnecessary reductons in operator+Unreachable codeMisleading names of functions or variablesImprovements for comments/documentation
Audit ResultsAssessment Results

Unnecessary reductons in operator+

The implementation of operator+ essentially obtains the limbs of the result by adding the relevant limbs of the two summands. A problem can occur should addition of any of the prime limbs cause a wraparound modulo the native circuit prime modulus (which is a 254-bit prime). This is prevented by carrying out a reduction check on both summands at the start:

template <typename Builder, typename T>
bigfield<Builder, T> bigfield<Builder, T>::operator+(const bigfield& other) const
{
    reduction_check();
    other.reduction_check();

This will, if necessary, use a reduction to ensure that all binary limbs are at most about 117 bits. Note that as the sum of two 117-bit values can at most be a 118-bit value, there is a very large buffer between this and the 254-bit number . It is also unlikely that normal usage of bigfield binary limbs with maximum values close to would occur. It thus might make sense to remove these two reduction checks and instead only assert that the sum of binary limbs is less than , or perhaps reduce the two summands conditionally on this occurring. This could save on unnecessary reductions.

Zellic © 2025Back to top ↑