sonobe-audit - HackMD

# Sonobe audit brief Repo: https://github.com/privacy-ethereum/sonobe/tree/dev Sonobe's Nova/cycleFold implementation will be the focus of the upcoming security audit. This implementation combines the Nova folding scheme from the canonical Nova paper (https://eprint.iacr.org/2021/370) with cyclefold (https://eprint.iacr.org/2023/1192). The implementation spans three distinct modules: `fs`, `ivc` and `primitives`. This implementation will be deployed in production as it will serve as Intmax's framework to deploy their zERC20 protocol (https://ethereum-magicians.org/t/zerc20-cross-chain-private-erc-20-based-on-zk-proof-of-burn/26452). Note that the library is still in wip state. The audit will be done on code within the `dev` branch, which will be become `main` before the start of the work. Folder paths are written with respect to the `dev` branch. They might change once this revamp will have been pushed to `main`. ## Components We list components in their respective order of priority. We do not particularly expect to audit point `III. Primitives` but add it for the sake of exhausitivity. ### I. Nova folding scheme (`wip/fs/nova/`) Size: ~1.2k LOC This is the folding scheme itself. We would like auditors to ensure the following: 1. Configuration: auditors should confirm that any specified configuration match the user's desired security level. 2. Instance and witness: auditors should confirm that running instance-witness and incoming instance-witness structures follow the expected paper's specification. 3. Folding prover (`nova/algorithms/prover.rs`): implements the core folding operation. One of the most critical component. The audit should verify things like challenge generation, folded witness computation, folded error vector derivation.. 4. Folding verifier (`nova/algorithms/verifier.rs`): auditors should check things like: verifier correctly reconstructs the challenge, all verifier checks are implemented, .. 5. Circuit gadgets (`nova/circuits/verifier.rs`): auditors should make sure that constraints match the native verification algorithm. ### II. IVC compiler (`wip/ivc`) Size: ~1.4k LOC 1. CycleFold implementation (`ivc/compilers/cyclefold/`): ensure correct cyclefold implementation 2. Nova cycleFold adapter (`ivc/compilers/cyclefold/adapters/nova.rs`) 3. Augmented circuit (`ivc/compilers/cyclefold/circuits.rs`): performs one IVC step. Auditor should verify that the step circuit's constraints are correctly specified. 4. CycleFold circuit (`ivc/compilers/cyclefold/circuits.rs`) 5. Key and proof ops: audit should verify that keys are correctly generated and used. The audit should verify that the proof represents the IVC state, that no information is missing from the verification to be carried out correctly. ### III. Primitives (`wip/primitives`) Size: ~2.5k LOC The primitives layer provides core cryptographic building blocks later on used within nova. We would like the following components to be audited: 1. R1CS arithmetization (`primitives/arithmetizations/r1cs/`): auditors should ensure that R1CS and relaxed R1CS related methods are correctly implemented. Circuit representation of R1CS constraints must be verified to match the native implementation. 2. Field ops with non-native arithmetic (`primitives/algebra/field/`) 3. Group operations (`primitives/algebra/group/`): constraints should be verified against the native implementations. 4. Pedersen commitment implementation (`primitives/commitments/`): auditors should verify that pedersen commitments are correctly implemented: that includes pubkey generation, commitment and opening computation, verification. The audit should confirm that the gadget implementation matches the native verification algorithm. 5. Transcript implementation (`primitives/transcripts/`): sonobe's transcript implementation should be checked. Auditors should ensure that absorption and challenge derivation logic is correct. The circuit gadget version of the transcript must be verified to produce identical outputs to the native implementation. ## Expectations Auditors should state clearly which methods they are employing to carry out the audit. We expect them to perform line-by-line review of critical algorithms. They should state clearly where and how much AI has been used for the audit. We also expect them to test the IVC implementation with various step circuits, especially with edge-case circuits and adversarially crafted inputs. ## Priority Areas Given our audit resources, we would prioritize the following components for the audit: 1. Nova folding prover and verifier algorithms 2. Augmented circuit 3. Non-native field arithmetic 4. Transcript logic 5. R1CS and relaxed R1CS implementations