Merge upstream into add_non_identity_constant_point#59
Merged
ConstanceBeguier merged 9 commits into Jun 9, 2026
Pin every third-party and first-party action to a commit SHA (with a
version comment) so workflows are reproducible and resistant to tag
hijacking, and update outdated/archived actions:
- actions/checkout -> 08c6903 # v5.0.0
- dtolnay/rust-toolchain -> 3c5f7ea (master HEAD), toolchain moved
to the `toolchain:` input
- codecov/codecov-action -> e79a696 # v6.0.1 (was v3.1.4)
- benchmark-action/... -> 52576c9 # v1.22.1
- actions-rs/clippy-check -> auguwu/clippy-action@9817d07 # 1.5.0
(actions-rs is archived); lint jobs gain
`contents: read` + `checks: write`
Also resolve the remaining zizmor audits at their source:
- excessive-permissions: scope the book `deploy` job to `contents: write`.
- dependabot-cooldown: add a 7-day cooldown before pulling new releases.
- template-injection: stop expanding the `feature-flags` output directly
into `run:` scripts. The prepare action now emits repeated
`--features <name>` tokens (cargo unions them) and consumers splat it
via a `$FEATURE_FLAGS` env var, so the value never re-enters shell
parsing. Feature set is unchanged.
zizmor now reports no findings. The zizmor job's SARIF upload still
requires GitHub code scanning to be enabled on the repository, and
codecov v6 requires a CODECOV_TOKEN secret for this private repo.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
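The template-injection item above, as an added example that is not part of this pull request: a small simulation of why text pasted into a `run:` script is parsed as shell while the same text delivered through `$FEATURE_FLAGS` is only split into arguments. The sample value, the `count_args` stand-in for cargo, the `@FLAGS@` placeholder and the `validate_flags` guard are all assumptions made for illustration.

```shell
#!/bin/sh
# Constructed value standing in for the prepare action's `feature-flags` output.
SAMPLE='--features alpha --features beta; echo INJECTED'

# Stand-in for cargo (assumption): prints how many arguments it received.
STUB='count_args() { echo "$#"; }'

# Before: the expression's text is pasted into the script, then the shell
# parses the result. @FLAGS@ is a hypothetical placeholder for ${{ ... }}.
run_templated() {
    tpl='count_args @FLAGS@'
    script="${tpl%%@FLAGS@*}$1${tpl#*@FLAGS@}"
    sh -c "$STUB; $script"
}

# After: the script text is fixed and the value arrives in the environment.
# Unquoted $FEATURE_FLAGS is field-split (and globbed) but never re-parsed,
# so ';' and '$(...)' stay literal characters inside arguments.
run_env() {
    FEATURE_FLAGS="$1" sh -c "$STUB; "'count_args $FEATURE_FLAGS'
}

# Extra guard (added here): accept only repeated "--features <name>" pairs.
# The allowed name characters are an assumption.
validate_flags() {
    set -f            # no globbing while splitting
    set -- $1
    set +f
    while [ $# -gt 0 ]; do
        [ "$1" = "--features" ] && [ $# -ge 2 ] || return 1
        case "$2" in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac
        shift 2
    done
}

printf 'templated: %s\n' "$(run_templated "$SAMPLE" | tr '\n' ' ')"
printf 'env var:   %s argument(s)\n' "$(run_env "$SAMPLE")"
validate_flags "$SAMPLE" || echo 'rejected by validate_flags'
```

In the templated form the `;` ends the command and the trailing text runs as a second command; in the env-var form the whole value becomes six plain arguments.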
The incomplete double-and-add loop in `ecc::chip::mul` kept the per-iteration base `(x_p, y_p)` constant across loop rows via `q_mul_2`, but never tied it to the real base: the coordinates were written with `assign_advice`, and the constancy chain reached neither the doubling-row nor the complete-addition base anchors. A prover could therefore run the incomplete loop against a free constant `B' != base`, making the gadget output `[a] base + [b] B'` rather than `[scalar] base`.
Anchor the base by `copy_advice`-ing it into the first incomplete row; `q_mul_2` then propagates the equality to every loop row. The `hi` and `lo` halves share the `x_p`/`y_p` columns and run on the same rows, so the single anchor covers both.
The fix changes the verifying key, so introduce `CircuitVersion` (`AnchoredBase` / `InsecureUnanchoredBase`): one binary can build both the fixed VK and the prior unanchored VK, the latter only to verify proofs created before the fix. `EccChip::construct` now takes the version explicitly.
Add a regression test that drives the real `mul::Config` synthesis through a copy-recording `Assignment`: the fixed circuit's equality constraints are a superset of the prior version's, and the only additions are the two base anchors at the first incomplete-addition row.
Rename the stored ECC-chip vk/proof fixtures to `*_insecure` and check them against the `InsecureUnanchoredBase` circuit, which reproduces the historical (deployed) verifying key exactly and still verifies the pre-fix proof under it — so a node can sync from before the fix.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Pin the verifying key and a proof for the fixed (anchored) ECC-chip circuit as `*_fixed`, checked by `test_ecc_chip_fixed_against_stored_circuit` and `test_against_stored_ecc_chip_4_5b_fixed`. With the `*_insecure` fixtures from the previous commit this covers both directions: a proof for the fixed circuit verifies under the new verifying key, and the deployed pre-fix proof verifies under the old one.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
halo2_gadgets: Anchor variable-base scalar-mul incomplete-addition base
Bump the crate version to 0.5.0 and record the API changes since 0.4.0 in the CHANGELOG: the new `ecc::CircuitVersion` enum, the `EccChip::construct` signature change, and the critical variable-base scalar-multiplication incomplete-addition soundness fix.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Release halo2 gadgets 0.5.0
PaulLaux approved these changes Jun 9, 2026
7bfd002 into add_non_identity_constant_point
45 checks passed
No description provided.