address Federico's comments

suyash67 · suyash67 · commit f8a5dbbc336b · 2026-05-14T11:24:15.000Z
diff --git a/barretenberg/cpp/src/barretenberg/bbapi/bbapi_srs.cpp b/barretenberg/cpp/src/barretenberg/bbapi/bbapi_srs.cpp
@@ -34,13 +34,12 @@ SrsInitSrs::Response SrsInitSrs::execute(BB_UNUSED BBApiRequest& request) &&
             }
         });
     } else if (bytes_per_point == COMPRESSED_POINT_SIZE) {
-        // Verify SHA-256 of every fully-present 4 MB chunk against the in-binary pin
-        // BN254_G1_CHUNK_HASHES before decompression. This is the same defense as
-        // verify_bn254_crs_integrity used by get_bn254_g1_data on the C++ download path; without
-        // it, bb.js (which downloads g1_compressed.dat externally and forwards the bytes here)
-        // would have no cryptographic gate against a tampered or wrong-trusted-setup payload.
-        // Partial trailing data is not chunk-hash-verified — instead the post-parse generator and
-        // tau·G checks below close the small-num_points gap.
+        // Verify SHA-256 of every 4 MB chunk against the in-binary pin BN254_G1_CHUNK_HASHES.
+        // Require chunk-aligned input so every byte is covered (no partial trailing chunk).
+        if (points_buf.size() == 0 || points_buf.size() % bb::srs::SRS_CHUNK_SIZE_BYTES != 0) {
+            throw_or_abort("SrsInitSrs: compressed points_buf size " + std::to_string(points_buf.size()) +
+                           " must be a positive multiple of " + std::to_string(bb::srs::SRS_CHUNK_SIZE_BYTES));
+        }
         size_t num_full_chunks = points_buf.size() / bb::srs::SRS_CHUNK_SIZE_BYTES;
         size_t chunks_to_verify = std::min(num_full_chunks, static_cast<size_t>(bb::srs::SRS_NUM_FULL_CHUNKS));
         for (size_t i = 0; i < chunks_to_verify; ++i) {
@@ -72,10 +71,8 @@ SrsInitSrs::Response SrsInitSrs::execute(BB_UNUSED BBApiRequest& request) &&
                        std::to_string(bytes_per_point));
     }
 
-    // Parsed-form sanity check that pins the first two G1 points to their canonical trusted-setup
-    // values. Catches a wrong-SRS swap even when num_points is below one chunk (where the
-    // compressed-chunk hash loop above has nothing to verify) and runs identically for the
-    // uncompressed input path.
+    // Pin the first two G1 points to their canonical trusted-setup values. Defense in depth on the
+    // compressed path; the only gate on the uncompressed (cached) path.
     if (num_points >= 1 && g1_points[0] != bb::srs::BN254_G1_FIRST_ELEMENT) {
         throw_or_abort("SrsInitSrs: g1_points[0] is not the canonical BN254 generator");
     }
diff --git a/barretenberg/cpp/src/barretenberg/ecc/groups/affine_element.test.cpp b/barretenberg/cpp/src/barretenberg/ecc/groups/affine_element.test.cpp
@@ -375,16 +375,11 @@ TYPED_TEST(TestAffineElement, AddAffine)
     TestFixture::test_add_affine();
 }
 
-// Regression test for element +/- affine_element when the affine operand is the infinity sentinel
-// on the large-modulus path. The small-modulus path uses a different sentinel (MSB-of-x) and was
-// not affected.
+// Regression test for `element +/- affine_element` when the affine operand is the infinity sentinel.
+// Exercises both the large-modulus and small-modulus branches of `element::operator+=(affine)`.
 TYPED_TEST(TestAffineElement, MixedAddInfinityRegression)
 {
-    if constexpr (TypeParam::Fq::modulus.data[3] >= MODULUS_TOP_LIMB_LARGE_THRESHOLD) {
-        TestFixture::test_mixed_add_infinity_regression();
-    } else {
-        GTEST_SKIP();
-    }
+    TestFixture::test_mixed_add_infinity_regression();
 }
 
 TYPED_TEST(TestAffineElement, ReadWrite)
diff --git a/barretenberg/cpp/src/barretenberg/ecc/groups/element_impl.hpp b/barretenberg/cpp/src/barretenberg/ecc/groups/element_impl.hpp
@@ -416,9 +416,9 @@ element<Fq, Fr, T> element<Fq, Fr, T>::mul_const_time(const Fr& scalar, numeric:
     // DPA: per-bit traces of two signings with the same k decorrelate because the bit pattern of k'
     // differs across calls.
     //
-    // We force the high bit of r so that r is sampled uniformly from [2^63, 2^64). This guarantees
-    // r * n has a fixed-width range (MSB at position M+63 or M+64 for n with MSB at M), so the
-    // iteration count remains exactly NUM_BITS regardless of the sampled r.
+    // We force the high bit of r to be 1 so that r is sampled uniformly from [2^63, 2^64). This
+    // guarantees r * n has a fixed-width range (MSB at position M+63 or M+64 for n with MSB at M),
+    // so the iteration count remains exactly NUM_BITS regardless of the sampled r.
     const uint64_t r = engine->get_random_uint64() | (UINT64_C(1) << 63);
     const uint512_t r_times_n = uint512_t(uint256_t(Fr::modulus)) * uint512_t(uint256_t(r));
     const uint512_t k_blinded = uint512_t(k) + r_times_n;

Original file line number	Diff line number	Diff line change
`@@ -375,16 +375,11 @@ TYPED_TEST(TestAffineElement, AddAffine)`
`375`	`375`	`TestFixture::test_add_affine();`
`376`	`376`	`}`
`377`	`377`
`378`		`-// Regression test for element +/- affine_element when the affine operand is the infinity sentinel`
`379`		`-// on the large-modulus path. The small-modulus path uses a different sentinel (MSB-of-x) and was`
`380`		`-// not affected.`
	`378`	+// Regression test for `element +/- affine_element` when the affine operand is the infinity sentinel.
	`379`	+// Exercises both the large-modulus and small-modulus branches of `element::operator+=(affine)`.
`381`	`380`	`TYPED_TEST(TestAffineElement, MixedAddInfinityRegression)`
`382`	`381`	`{`
`383`		`- if constexpr (TypeParam::Fq::modulus.data[3] >= MODULUS_TOP_LIMB_LARGE_THRESHOLD) {`
`384`		`- TestFixture::test_mixed_add_infinity_regression();`
`385`		`- } else {`
`386`		`- GTEST_SKIP();`
`387`		`- }`
	`382`	`+ TestFixture::test_mixed_add_infinity_regression();`
`388`	`383`	`}`
`389`	`384`
`390`	`385`	`TYPED_TEST(TestAffineElement, ReadWrite)`