feat: merge-train/barretenberg (#23269)

BEGIN_COMMIT_OVERRIDE
fix(bb): push missing q_5 in QArith3Gate test to unbreak nightly debug
build (#23229)
fix: ecc/groups audit findings (#22864)
chore: add tests around MSM invalid scalar handling (#23176)
END_COMMIT_OVERRIDE

Author: AztecBot

barretenberg/cpp/src/barretenberg/bbapi/bbapi_srs.cpp

@@ -5,11 +5,15 @@
 #include "barretenberg/bbapi/bbapi_srs.hpp"
 #include "barretenberg/common/serialize.hpp"
 #include "barretenberg/common/thread.hpp"
+#include "barretenberg/crypto/sha256/sha256.hpp"
 #include "barretenberg/ecc/curves/bn254/g1.hpp"
 #include "barretenberg/ecc/curves/bn254/g2.hpp"
 #include "barretenberg/ecc/curves/grumpkin/grumpkin.hpp"
 #include "barretenberg/numeric/uint256/uint256.hpp"
+#include "barretenberg/srs/factories/bn254_crs_data.hpp"
+#include "barretenberg/srs/factories/bn254_g1_chunk_hashes.hpp"
 #include "barretenberg/srs/global_crs.hpp"
+#include <span>
 
 namespace bb::bbapi {
 
@@ -30,6 +34,23 @@ SrsInitSrs::Response SrsInitSrs::execute(BB_UNUSED BBApiRequest& request) &&
             }
         });
     } else if (bytes_per_point == COMPRESSED_POINT_SIZE) {
+        // Verify SHA-256 of every 4 MB chunk against the in-binary pin BN254_G1_CHUNK_HASHES.
+        // Require chunk-aligned input so every byte is covered (no partial trailing chunk).
+        if (points_buf.size() == 0 || points_buf.size() % bb::srs::SRS_CHUNK_SIZE_BYTES != 0) {
+            throw_or_abort("SrsInitSrs: compressed points_buf size " + std::to_string(points_buf.size()) +
+                           " must be a positive multiple of " + std::to_string(bb::srs::SRS_CHUNK_SIZE_BYTES));
+        }
+        size_t num_full_chunks = points_buf.size() / bb::srs::SRS_CHUNK_SIZE_BYTES;
+        size_t chunks_to_verify = std::min(num_full_chunks, static_cast<size_t>(bb::srs::SRS_NUM_FULL_CHUNKS));
+        for (size_t i = 0; i < chunks_to_verify; ++i) {
+            auto chunk = std::span<const uint8_t>(points_buf.data() + i * bb::srs::SRS_CHUNK_SIZE_BYTES,
+                                                  bb::srs::SRS_CHUNK_SIZE_BYTES);
+            auto hash = bb::crypto::sha256(chunk);
+            if (hash != bb::srs::BN254_G1_CHUNK_HASHES[i]) {
+                throw_or_abort("SrsInitSrs: g1 compressed chunk " + std::to_string(i) + " SHA-256 mismatch");
+            }
+        }
+
         // Compressed: decompress and return uncompressed bytes for caller to cache
         parallel_for([&](ThreadChunk chunk) {
             for (auto i : chunk.range(static_cast<size_t>(num_points))) {
@@ -50,11 +71,23 @@ SrsInitSrs::Response SrsInitSrs::execute(BB_UNUSED BBApiRequest& request) &&
                        std::to_string(bytes_per_point));
     }
 
-    // Parse G2 point from buffer (128 bytes). `serialize_from_buffer` validates that the bytes
-    // decode to a curve point but does NOT enforce subgroup membership. BN254 G2 has a non-trivial
-    // cofactor (h2 ≈ 2^254), so a curve point may lie in a small cofactor subgroup of order
-    // dividing h2 rather than the prime-order subgroup of order r. Reject anything outside
-    // the prime-order subgroup before it reaches the SRS factory.
+    // Pin the first two G1 points to their canonical trusted-setup values. Defense in depth on the
+    // compressed path; the only gate on the uncompressed (cached) path.
+    if (num_points >= 1 && g1_points[0] != bb::srs::BN254_G1_FIRST_ELEMENT) {
+        throw_or_abort("SrsInitSrs: g1_points[0] is not the canonical BN254 generator");
+    }
+    if (num_points >= 2 && g1_points[1] != bb::srs::get_bn254_g1_second_element()) {
+        throw_or_abort("SrsInitSrs: g1_points[1] does not match the canonical trusted-setup tau·G");
+    }
+
+    // Defense in depth: hash-pin AND subgroup-check the G2 input. Hash equality alone is sufficient
+    // for the canonical case (it implies prime-order membership); the subgroup check is kept so
+    // that any future relaxation of the hash gate (e.g. a flag to allow a different trusted setup)
+    // does not silently reopen audit finding #7's small-subgroup attack.
+    auto g2_hash = bb::crypto::sha256(std::span<const uint8_t>(g2_point.data(), g2_point.size()));
+    if (g2_hash != bb::srs::BN254_G2_ELEMENT_SHA256) {
+        throw_or_abort("SrsInitSrs: g2_point bytes do not match the canonical Aztec [x]_2 SHA-256");
+    }
     auto g2_point_elem = from_buffer<g2::affine_element>(g2_point.data());
     if (!g2_point_elem.is_in_prime_subgroup()) {
         throw_or_abort("SrsInitSrs: g2_point is not in the BN254 G2 prime-order subgroup");

barretenberg/cpp/src/barretenberg/circuit_checker/ultra_circuit_builder_arithmetic.test.cpp

@@ -549,6 +549,7 @@ TEST_F(UltraCircuitBuilderArithmetic, QArith3Gate)
         builder.blocks.arithmetic.q_2().emplace_back(q_2);
         builder.blocks.arithmetic.q_3().emplace_back(q_3);
         builder.blocks.arithmetic.q_4().emplace_back(q_4);
+        builder.blocks.arithmetic.q_5().emplace_back(0);
         builder.blocks.arithmetic.q_c().emplace_back(q_c);
         builder.blocks.arithmetic.set_gate_selector(3);
         builder.check_selector_length_consistency();
@@ -561,6 +562,7 @@ TEST_F(UltraCircuitBuilderArithmetic, QArith3Gate)
         builder.blocks.arithmetic.q_2().emplace_back(0);
         builder.blocks.arithmetic.q_3().emplace_back(0);
         builder.blocks.arithmetic.q_4().emplace_back(0);
+        builder.blocks.arithmetic.q_5().emplace_back(0);
         builder.blocks.arithmetic.q_c().emplace_back(0);
         builder.blocks.arithmetic.set_gate_selector(1);
         builder.check_selector_length_consistency();

barretenberg/cpp/src/barretenberg/crypto/ecdsa/ecdsa_impl.hpp

@@ -29,8 +29,9 @@ ecdsa_signature ecdsa_construct_signature(const std::string& message, const ecds
     Fr k = crypto::deterministic_nonce_rfc6979<Hash, Fr>(message, pkey_buffer);
     secure_erase(pkey_buffer);
 
-    // Compute R = k * G
-    typename G1::affine_element R(G1::one * k);
+    // Compute R = k * G. k is the secret RFC6979 nonce, so use the constant-time multiplication
+    // to defend against the Hamming-weight / bit-length timing leak in operator*.
+    typename G1::affine_element R(typename G1::element(G1::one).mul_const_time(k));
 
     // Compute the signature
     Fr r = Fr(R.x);

barretenberg/cpp/src/barretenberg/crypto/schnorr/schnorr.tcc

@@ -90,7 +90,9 @@ schnorr_signature schnorr_construct_signature(const std::string& message, const
     //
     Fr k = Fr::random_element();
 
-    typename G1::affine_element R(G1::one * k);
+    // k is a secret nonce; use the constant-time multiplication to defend against the
+    // Hamming-weight / bit-length timing leak in operator*.
+    typename G1::affine_element R(typename G1::element(G1::one).mul_const_time(k));
 
     auto e_raw = schnorr_generate_challenge<Hash, G1>(message, public_key, R);
     // the conversion from e_raw results in a biased field element e

barretenberg/cpp/src/barretenberg/dsl/acir_format/multi_scalar_mul.test.cpp

@@ -341,7 +341,9 @@ struct MsmScalar {
     }
 };
 
-template <typename Builder> class MultiScalarMulInfinityTests : public ::testing::Test {
+// Shared single-term MSM circuit helpers: build a one point/one scalar MSM constraint with predicate=1
+// from explicit witness values, and run the resulting circuit.
+template <typename Builder> class MsmSingleTermFixture : public ::testing::Test {
   protected:
     static void SetUpTestSuite() { bb::srs::init_file_crs_factory(bb::srs::bb_crs_path()); }
 
@@ -402,6 +404,8 @@ template <typename Builder> class MultiScalarMulInfinityTests : public ::testing
     }
 };
 
+template <typename Builder> class MultiScalarMulInfinityTests : public MsmSingleTermFixture<Builder> {};
+
 TYPED_TEST_SUITE(MultiScalarMulInfinityTests, BuilderTypes);
 
 // scalar=0 → result = ∞: valid proof with out_point_is_infinite=1.
@@ -449,3 +453,135 @@ TYPED_TEST(MultiScalarMulInfinityTests, ForgedFiniteFlagOnInfinityResultFails)
     EXPECT_TRUE(!ok || err.find("assert_eq") != std::string::npos)
         << "Forged finite flag on infinity result should fail";
 }
+
+// ============================================================
+// Scalar field-bounds tests
+// ============================================================
+//
+// The MSM opcode receives a Grumpkin scalar as two field limbs: lo (low 128 bits) and hi (next 126
+// bits), reconstructing v = lo + hi * 2^128. cycle_scalar's public constructor adds an in-circuit
+// check that v < r, where r == bb::fq::modulus is the Grumpkin scalar field modulus (and also the
+// order of the Grumpkin group, since Grumpkin's scalar field is BN254's base field). batch_mul
+// additionally range-constrains the limbs to lo < 2^128 and hi < 2^126. These tests pin behaviour
+// at and beyond the modulus boundary: an out-of-range scalar must make the circuit unsatisfiable,
+// and the group law's s ≡ s + r equivalence must not let a caller smuggle a non-canonical scalar
+// through to barretenberg.
+
+namespace {
+// r = order of the Grumpkin group = bb::fq::modulus.
+const uint256_t grumpkin_scalar_modulus = bb::fq::modulus;
+
+// Build an MsmScalar straight from a uint256_t value, splitting at the 128-bit limb boundary with no
+// modular reduction (so out-of-field values can be expressed).
+MsmScalar msm_scalar_from_u256(const uint256_t& v)
+{
+    return { MsmFF(v.slice(0, 128)), MsmFF(v.slice(128, 256)) };
+}
+} // namespace
+
+template <typename Builder> class MultiScalarMulScalarBoundsTests : public MsmSingleTermFixture<Builder> {};
+
+TYPED_TEST_SUITE(MultiScalarMulScalarBoundsTests, BuilderTypes);
+
+// scalar == r: rejected. The in-circuit "scalar < r" check fails. (r·P = O, so the caller gains
+// nothing by claiming the point at infinity as the result.)
+TYPED_TEST(MultiScalarMulScalarBoundsTests, ScalarEqualToModulusFails)
+{
+    BB_DISABLE_ASSERTS();
+    MsmGrumpkinPoint point = MsmGrumpkinPoint::random_element();
+    auto [constraint, witness] = TestFixture::make_msm(
+        MsmAcirPoint::from_native(point), msm_scalar_from_u256(grumpkin_scalar_modulus), MsmAcirPoint::infinity());
+
+    auto [ok, err] = TestFixture::run_circuit(constraint, witness);
+    EXPECT_FALSE(ok) << "scalar == Grumpkin scalar modulus must not produce a satisfiable circuit";
+}
+
+// scalar == r + 1: rejected, even though (r + 1)·P == 1·P == P. The in-circuit "scalar < r" check
+// fails despite both limbs being within their range constraints.
+TYPED_TEST(MultiScalarMulScalarBoundsTests, ScalarModulusPlusOneFails)
+{
+    BB_DISABLE_ASSERTS();
+    MsmGrumpkinPoint point = MsmGrumpkinPoint::random_element();
+    auto [constraint, witness] = TestFixture::make_msm(MsmAcirPoint::from_native(point),
+                                                       msm_scalar_from_u256(grumpkin_scalar_modulus + uint256_t(1)),
+                                                       MsmAcirPoint::from_native(point));
+
+    auto [ok, err] = TestFixture::run_circuit(constraint, witness);
+    EXPECT_FALSE(ok) << "scalar == Grumpkin scalar modulus + 1 must not produce a satisfiable circuit";
+}
+
+// scalar == r - 1: the largest in-field scalar. This must prove fine.
+TYPED_TEST(MultiScalarMulScalarBoundsTests, ScalarModulusMinusOneProves)
+{
+    BB_DISABLE_ASSERTS();
+    MsmGrumpkinPoint point = MsmGrumpkinPoint::random_element();
+    bb::fq scalar_native = bb::fq(grumpkin_scalar_modulus - uint256_t(1));
+    MsmGrumpkinPoint result = point * scalar_native;
+    ASSERT_FALSE(result.is_point_at_infinity());
+    auto [constraint, witness] = TestFixture::make_msm(MsmAcirPoint::from_native(point),
+                                                       msm_scalar_from_u256(grumpkin_scalar_modulus - uint256_t(1)),
+                                                       MsmAcirPoint::from_native(result));
+
+    auto [ok, err] = TestFixture::run_circuit(constraint, witness);
+    EXPECT_TRUE(ok) << "scalar == Grumpkin scalar modulus - 1 (largest in-field scalar) should prove. err: " << err;
+}
+
+// scalar == 2^254 - 1: the largest value the (128 + 126)-bit limb encoding can represent. Both limbs
+// satisfy their range constraints, so the only thing rejecting it is the in-circuit "scalar < r"
+// check — exercising the "limbs in range but value out of field" path.
+TYPED_TEST(MultiScalarMulScalarBoundsTests, MaxRepresentableScalarFails)
+{
+    BB_DISABLE_ASSERTS();
+    MsmGrumpkinPoint point = MsmGrumpkinPoint::random_element();
+    uint256_t max_representable = (uint256_t(1) << 254) - uint256_t(1);
+    MsmGrumpkinPoint result = point * bb::fq(max_representable); // (2^254 - 1) mod r
+    auto [constraint, witness] = TestFixture::make_msm(
+        MsmAcirPoint::from_native(point), msm_scalar_from_u256(max_representable), MsmAcirPoint::from_native(result));
+
+    auto [ok, err] = TestFixture::run_circuit(constraint, witness);
+    EXPECT_FALSE(ok) << "scalar == 2^254 - 1 (> Grumpkin modulus) must not produce a satisfiable circuit";
+}
+
+// hi limb == 2^126 (one bit too wide), lo == 0, i.e. scalar value 2^254. Both the limb range
+// constraint (hi < 2^126) and the "scalar < r" check reject it.
+TYPED_TEST(MultiScalarMulScalarBoundsTests, ScalarWithOversizedHiLimbFails)
+{
+    BB_DISABLE_ASSERTS();
+    MsmGrumpkinPoint point = MsmGrumpkinPoint::random_element();
+    uint256_t two_pow_254 = uint256_t(1) << 254;
+    MsmGrumpkinPoint result = point * bb::fq(two_pow_254);
+    MsmScalar scalar{ MsmFF(0), MsmFF(uint256_t(1) << 126) }; // hi has 127 bits
+    auto [constraint, witness] =
+        TestFixture::make_msm(MsmAcirPoint::from_native(point), scalar, MsmAcirPoint::from_native(result));
+
+    auto [ok, err] = TestFixture::run_circuit(constraint, witness);
+    EXPECT_FALSE(ok) << "scalar hi limb of 127 bits (value 2^254) must not produce a satisfiable circuit";
+}
+
+// Group-law equivalence does not transfer: s·P == (s + r)·P, but the circuit accepts only the
+// canonical scalar s. Adding the Grumpkin modulus to a scalar cannot reprove the same output.
+TYPED_TEST(MultiScalarMulScalarBoundsTests, AddingGrumpkinModulusDoesNotReproveSameOutput)
+{
+    BB_DISABLE_ASSERTS();
+    MsmGrumpkinPoint point = MsmGrumpkinPoint::random_element();
+    bb::fq scalar_native = bb::fq(5);
+    MsmGrumpkinPoint result = point * scalar_native;
+    ASSERT_FALSE(result.is_point_at_infinity());
+
+    // Sanity: the canonical scalar proves the result.
+    {
+        auto [constraint, witness] = TestFixture::make_msm(
+            MsmAcirPoint::from_native(point), MsmScalar::from_native(scalar_native), MsmAcirPoint::from_native(result));
+        auto [ok, err] = TestFixture::run_circuit(constraint, witness);
+        EXPECT_TRUE(ok) << "canonical scalar should prove the MSM result. err: " << err;
+    }
+
+    // The non-canonical scalar s + r yields the same point mathematically, but the circuit rejects it.
+    {
+        auto [constraint, witness] = TestFixture::make_msm(MsmAcirPoint::from_native(point),
+                                                           msm_scalar_from_u256(uint256_t(5) + grumpkin_scalar_modulus),
+                                                           MsmAcirPoint::from_native(result));
+        auto [ok, err] = TestFixture::run_circuit(constraint, witness);
+        EXPECT_FALSE(ok) << "scalar s + r must not reprove the output of scalar s";
+    }
+}

barretenberg/cpp/src/barretenberg/ecc/curves/bn254/pairing.test.cpp

@@ -268,10 +268,11 @@ TEST(pairing, PairingLinearityCheck)
 TEST(pairing, FinalExponentiation)
 {
     auto pow = [](const fq12& a, const fq& b) {
+        const uint256_t exponent(b);
         fq12 result = fq12::one();
         fq12 base = a;
         for (size_t i = 0; i < 256; ++i) {
-            if ((b.data[0] >> i) & 1) {
+            if (exponent.get_bit(i)) {
                 result *= base;
             }
             base = base.sqr();
@@ -291,10 +292,11 @@ TEST(pairing, FinalExponentiation)
     fq12 result = pairing::final_exponentiation_easy_part(element);
     result = pairing::final_exponentiation_tricky_part(result);
 
-    fq12 expected = element;
-    expected = pairing::final_exponentiation_easy_part(expected);
-    expected = pow(expected, mu0) + pow(expected, mu1).frobenius_map_one() + pow(expected, mu2).frobenius_map_two() +
+    fq12 expected = pairing::final_exponentiation_easy_part(element);
+    expected = pow(expected, mu0) * pow(expected, mu1).frobenius_map_one() * pow(expected, mu2).frobenius_map_two() *
                pow(expected, mu3).frobenius_map_three();
+
+    EXPECT_EQ(result, expected);
 }
 
 TEST(pairing, Constants)

barretenberg/cpp/src/barretenberg/ecc/fields/field_impl.hpp

@@ -752,8 +752,13 @@ template <class T> constexpr uint64_t field<T>::is_msb_set_word() const noexcept
 
 template <class T> constexpr bool field<T>::is_zero() const noexcept
 {
-    return ((data[0] | data[1] | data[2] | data[3]) == 0) ||
-           (data[0] == T::modulus_0 && data[1] == T::modulus_1 && data[2] == T::modulus_2 && data[3] == T::modulus_3);
+    // Use bitwise OR (not || or && operator) so neither chain short-circuits: the running time must not depend on
+    // whether the value is zero, on which limb of the modulus first matches/diverges, or on which form
+    // (raw 0 vs the modulus) is being tested.
+    const uint64_t raw_zero = data[0] | data[1] | data[2] | data[3];
+    const uint64_t mod_zero =
+        (data[0] ^ T::modulus_0) | (data[1] ^ T::modulus_1) | (data[2] ^ T::modulus_2) | (data[3] ^ T::modulus_3);
+    return static_cast<bool>(static_cast<uint64_t>(raw_zero == 0) | static_cast<uint64_t>(mod_zero == 0));
 }
 
 template <class T> constexpr field<T> field<T>::get_root_of_unity(size_t subgroup_size) noexcept

barretenberg/cpp/src/barretenberg/ecc/fields/prime_field.test.cpp

@@ -117,6 +117,20 @@ TYPED_TEST(PrimeFieldTest, CompileTimeEquality)
     static_assert(!(a == f));
 }
 
+TYPED_TEST(PrimeFieldTest, IsZeroOnModulusForm)
+{
+    using F = TypeParam;
+
+    F modulus_form{ F::modulus.data[0], F::modulus.data[1], F::modulus.data[2], F::modulus.data[3] };
+    EXPECT_TRUE(modulus_form.is_zero());
+
+    F prefix_match{ F::modulus.data[0], F::modulus.data[1], F::modulus.data[2], F::modulus.data[3] - 1 };
+    EXPECT_FALSE(prefix_match.is_zero());
+
+    F first_limb_only{ F::modulus.data[0], 0, 0, 0 };
+    EXPECT_FALSE(first_limb_only.is_zero());
+}
+
 TYPED_TEST(PrimeFieldTest, CompileTimeSmallAddSubMul)
 {
     using F = TypeParam;