fix: bind RSA public exponent to fixed values [LA-E]#367
Open
x-senpai-x wants to merge 2 commits intomainfrom
Open
fix: bind RSA public exponent to fixed values [LA-E]#367x-senpai-x wants to merge 2 commits intomainfrom
x-senpai-x wants to merge 2 commits intomainfrom
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
Addresses LA-E by preventing prover-controlled RSA public exponents from bypassing signature verification (e.g., e = 1), ensuring e is either authenticated from certificate bytes or committed via a public hash.
Changes:
- Introduces an RSA exponent allowlist (
assert_allowed_rsa_exponent) and enforces it in RSA verification helpers. - Binds
ein the DSC→SOD path by byte-comparing the claimed exponent against the authenticated TBS certificate bytes at a prover-supplied offset. - Binds
ein the CSCA→DSC path by adding a Poseidon2 commitment over(n || e)and asserting it against a new public inputcsc_key_ne_hash.
Reviewed changes
Copilot reviewed 16 out of 16 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| noir-examples/noir-passport/utils/sig-check/rsa/src/lib.nr | Adds `(n |
| noir-examples/noir-passport/utils/sig-check/rsa/Nargo.toml | Adds Poseidon dependency for the new key commitment hash. |
| noir-examples/noir-passport/utils/sig-check/fragmented-rsa/src/lib.nr | Enforces exponent allowlist in fragmented RSA verification. |
| noir-examples/noir-passport/utils/sig-check/fragmented-rsa/Nargo.toml | Adds dependency on common for exponent allowlist. |
| noir-examples/noir-passport/utils/sig-check/common/src/lib.nr | Introduces assert_allowed_rsa_exponent allowlist helper. |
| noir-examples/noir-passport/utils/data-check/tbs-pubkey/src/lib.nr | Extends TBS pubkey check to also authenticate exponent bytes at an offset. |
| noir-examples/noir-passport/utils/data-check/tbs-pubkey/Nargo.toml | Renames package and adds common dependency. |
| noir-examples/noir-passport/merkle_age_check/t_add_id_data_720/src/main.nr | Adds exponent + exponent-offset inputs and checks exponent bytes in TBS. |
| noir-examples/noir-passport/merkle_age_check/t_add_id_data_1300/src/main.nr | Adds exponent + exponent-offset inputs and checks exponent bytes in TBS. |
| noir-examples/noir-passport/merkle_age_check/t_add_dsc_verify_1300/src/main.nr | Adds public csc_key_ne_hash and asserts it equals `H(n |
| noir-examples/noir-passport/merkle_age_check/t_add_dsc_verify_1300/Nargo.toml | Adds dependency on sig_check_rsa for compute_key_ne_hash. |
| noir-examples/noir-passport/merkle_age_check/t_add_dsc_720/src/main.nr | Adds public csc_key_ne_hash and asserts it equals `H(n |
| noir-examples/noir-passport/merkle_age_check/benchmark-inputs/tbs_720/t_add_id_data_720.toml | Adds exponent + exponent offset proving inputs. |
| noir-examples/noir-passport/merkle_age_check/benchmark-inputs/tbs_720/t_add_dsc_720.toml | Adds csc_key_ne_hash public input. |
| noir-examples/noir-passport/merkle_age_check/benchmark-inputs/tbs_1300/t_add_id_data_1300.toml | Adds exponent + exponent offset proving inputs. |
| noir-examples/noir-passport/merkle_age_check/benchmark-inputs/tbs_1300/t_add_dsc_verify_1300.toml | Adds csc_key_ne_hash public input. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes LA-E: Unbound RSA Exponent Witness Enables Forged Passport Signature Verification.
A malicious prover could supply
exponent = 1(or any arbitrary value) as afree witness. With
e = 1, RSA verification degenerates tosig^1 mod n = sig,so a prover can forge a valid PKCS#1 v1.5 message without knowledge of any
private key.
Changes
DSC → SOD path (
t_add_id_data_720,t_add_id_data_1300)verify_rsa_pubkey_in_tbsnow acceptsexponentandexponent_offset_in_dsc_certas inputs and byte-compares the claimed exponent value against the authenticated
TBS certificate bytes at the given offset, mirroring the existing modulus check.
the prover cannot alter its bytes.
CSC → DSC path (
t_add_dsc_720,t_add_dsc_verify_1300)compute_key_ne_hash, which produces aPoseidon2 hash over
(modulus || exponent)asserted against the public inputcsc_key_ne_hash. The prover cannot substitute an alternative exponent withoutinvalidating this commitment.
Exponent allowlist (
assert_allowed_rsa_exponent)verify_rsa_pubkey_in_tbsandcompute_key_ne_hash, blockinge = 1,e = 2, and all values outside the set of known ICAO-compliantexponents
{3, 38129, 56611, 65537, 107903, 109729, 122125, 130689}.