Underconstrained selector
Vulnerable File: circuits/aes-gcm/utils.circom
commit: 65f823fc5606fca74440fb0de939ae07a3c39a80
ArrayMux(n)
sel is never constrained to be boolean. As written, out[i] = a[i] + sel·(b[i] − a[i]) allows arbitrary affine mixtures of a and b for non-binary sel: a prover who controls sel can make out any point on the line through a and b, not just one of the two endpoints. Constrain sel with sel·(sel−1) = 0 (or a Bool/IsBoolean component).
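The following is an added example, not code from the audited circuit or the project: it models the ArrayMux(n) constraint system over circom's default field (the BN128/BN254 scalar field, assumed here) and shows that a witness with sel = 2, or sel = 1/2, is accepted by the template as written but rejected once sel·(sel−1) = 0 is added. The sample a and b vectors are constructed.

```python
# Added example, not the audited circuit's code: a small model of the
# ArrayMux(n) constraint system to show why an unconstrained selector is
# unsound. Assumes circom's default field (the BN128/BN254 scalar field).
P = 21888242871839275222246405745257275088548364400416034343698204186575808495617


def mux_constraints(n, constrain_sel):
    """Build the constraints of ArrayMux(n) as residual functions.

    Each function takes a witness dict {"a", "b", "sel", "out"} and returns a
    residual that must be 0 mod P for the witness to satisfy the circuit.
    constrain_sel=False models the vulnerable template; True adds the fix
    sel * (sel - 1) === 0.
    """
    cons = []
    if constrain_sel:
        cons.append(lambda w: (w["sel"] * (w["sel"] - 1)) % P)
    for i in range(n):
        # out[i] <== a[i] + sel * (b[i] - a[i])
        cons.append(
            lambda w, i=i: (w["a"][i] + w["sel"] * (w["b"][i] - w["a"][i]) - w["out"][i]) % P
        )
    return cons


def satisfies(cons, witness):
    """True iff every residual is zero, i.e. the verifier would accept the witness."""
    return all(c(witness) == 0 for c in cons)


def build_witness(a, b, sel):
    """Compute the witness a prover submits. An honest prover uses sel in {0, 1};
    a malicious one may pick any field element, since nothing in the template stops it."""
    sel %= P
    out = [(ai + sel * (bi - ai)) % P for ai, bi in zip(a, b)]
    return {"a": list(a), "b": list(b), "sel": sel, "out": out}


def attack_outcome(a, b, sel):
    """Return (accepted_by_vulnerable, accepted_by_fixed, out) for a chosen sel."""
    n = len(a)
    w = build_witness(a, b, sel)
    return (
        satisfies(mux_constraints(n, constrain_sel=False), w),
        satisfies(mux_constraints(n, constrain_sel=True), w),
        w["out"],
    )


if __name__ == "__main__":
    a = [1, 2, 3, 4]        # constructed sample inputs
    b = [10, 20, 30, 40]
    inv2 = pow(2, -1, P)    # 1/2 in the field: out becomes (a + b) / 2
    for label, sel in (("0", 0), ("1", 1), ("2", 2), ("1/2", inv2)):
        vuln_ok, fixed_ok, out = attack_outcome(a, b, sel)
        shown = out if sel < P // 2 else "(a+b)/2 mod P"
        print(f"sel={label}: vulnerable accepts={vuln_ok} fixed accepts={fixed_ok} out={shown}")
```

With sel = 2 the accepted output is 2b − a, which is neither input; with sel = 1/2 it is the field midpoint of a and b. Both witnesses pass the vulnerable constraints and fail only once the boolean constraint is present. If sel were already produced by a bit decomposition elsewhere in the circuit it would be boolean by construction, but the finding is that nothing in ArrayMux(n) enforces this, so the template is unsound whenever sel is prover-controlled.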