Assessment report: UPA circuits circuitId hash function change, Informational findings
Category: Coding Mistakes

Mixing limbs from different variable-length inputs in KeccakMultiVarHasher

Severity: Informational
Impact: Informational
Likelihood: N/A

Description

The KeccakMultiVarHasher (in circuits/src/keccak/multivar.rs) is intended to compute the Keccak hash of the concatenation of zero or more fixed-length inputs, given as bytes, followed by zero or more variable-length inputs, which are assumed to be field elements represented by NUM_LIMBS limbs each. The caller passes a circuit variable len for each variable-length input, which determines how much of that input (which arrives in padded form) is hashed. The value len is a number of limbs, not a number of field elements. The circuit checks that the sum of the len values over all variable-length inputs is divisible by NUM_LIMBS, but it does not check that each individual len is divisible by NUM_LIMBS. It is therefore possible to mix limbs from several variable-length inputs: for example, only the first limb from each of NUM_LIMBS different variable-length inputs could be selected, and those NUM_LIMBS limbs would then be interpreted as a single field element. This is not the intended usage.

The way KeccakMultiVarHasher is used in the remainder of the codebase ensures in each case that each value of len is in fact divisible by NUM_LIMBS.
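The following is an added illustration, not code from the UPA circuits repository: a plain-Rust model of the length handling described above, with the hashing itself left out because only the selection of limbs matters for the finding. The names NUM_LIMBS (taken from the description) and select_limbs, total_len_is_multiple, each_len_is_multiple and the sample limb values are assumptions made for the example. It shows that the aggregate divisibility check accepts lens = [1, 1, 1, 1], which stitches the first limb of four different inputs into one "field element", while a per-input check rejects it.

```rust
// Added example (not the project's code): models the len handling of
// KeccakMultiVarHasher as described in the finding. All names below except
// NUM_LIMBS are assumptions; the hash itself is omitted on purpose.

const NUM_LIMBS: usize = 4;

/// One variable-length input as the hasher sees it: a padded vector of limbs.
/// In the circuit these would be circuit variables; here they are plain u64s.
type PaddedInput = Vec<u64>;

/// Constructed sample inputs: four field elements, each NUM_LIMBS limbs, with
/// distinct values so that mixing across inputs is visible in the output.
fn sample_inputs() -> Vec<PaddedInput> {
    vec![
        vec![0xa0, 0xa1, 0xa2, 0xa3],
        vec![0xb0, 0xb1, 0xb2, 0xb3],
        vec![0xc0, 0xc1, 0xc2, 0xc3],
        vec![0xd0, 0xd1, 0xd2, 0xd3],
    ]
}

/// The check the finding says the circuit performs: only the sum of the
/// caller-supplied len values must be a multiple of NUM_LIMBS.
fn total_len_is_multiple(lens: &[usize]) -> bool {
    lens.iter().sum::<usize>() % NUM_LIMBS == 0
}

/// The stricter condition the caller must currently guarantee on its own:
/// every individual len is a multiple of NUM_LIMBS.
fn each_len_is_multiple(lens: &[usize]) -> bool {
    lens.iter().all(|&len| len % NUM_LIMBS == 0)
}

/// Model of what gets hashed: the first len limbs of each variable-length
/// input, concatenated in order.
fn select_limbs(inputs: &[PaddedInput], lens: &[usize]) -> Vec<u64> {
    assert_eq!(inputs.len(), lens.len(), "one len per variable-length input");
    inputs
        .iter()
        .zip(lens)
        .flat_map(|(input, &len)| input[..len].iter().copied())
        .collect()
}

/// Read the selected limbs as field elements, NUM_LIMBS limbs at a time.
/// Only meaningful when the total length is a multiple of NUM_LIMBS.
fn as_field_elements(limbs: &[u64]) -> Vec<[u64; NUM_LIMBS]> {
    limbs
        .chunks_exact(NUM_LIMBS)
        .map(|chunk| {
            let mut fe = [0u64; NUM_LIMBS];
            fe.copy_from_slice(chunk);
            fe
        })
        .collect()
}

fn main() {
    let inputs = sample_inputs();

    // Intended usage: whole field elements, here inputs 0 and 2.
    let intended = [4, 0, 4, 0];
    println!("intended   total_ok={} each_ok={} -> {:x?}",
        total_len_is_multiple(&intended),
        each_len_is_multiple(&intended),
        as_field_elements(&select_limbs(&inputs, &intended)));

    // Unintended usage: one limb from each of NUM_LIMBS inputs. The total is
    // NUM_LIMBS, so the aggregate check passes, but the resulting "field
    // element" is assembled from four different inputs.
    let mixed = [1, 1, 1, 1];
    println!("mixed      total_ok={} each_ok={} -> {:x?}",
        total_len_is_multiple(&mixed),
        each_len_is_multiple(&mixed),
        as_field_elements(&select_limbs(&inputs, &mixed)));
}
```

The per-input predicate is what every existing caller satisfies by construction; the model makes explicit that nothing inside the hasher enforces it.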

Impact

The KeccakMultiVarHasher can be used in an unintended way that KeccakMultiVarHasher itself does not prevent. There is no impact on the reviewed codebase, however, because the unintended usage cannot occur from the actual callers.

Recommendations

We recommend adding a note to the documentation comments for KeccakMultiVarHasher stating that the hasher does not check that each len is a multiple of NUM_LIMBS and that the caller must ensure this.

Remediation

Zellic © 2025