Audit of the Stwo-Cairo Verifier

StarkWare • August 6th, 2025 • Technical Report

Introduction

On July 14th, 2025, StarkWare engaged zkSecurity to perform a three-week audit on the Stwo-Cairo verifier, which is a Cairo implementation of a verifier for the Stwo protocol.

Scope

The audit focused on the stwo_cairo_verifier component in the Stwo-Cairo repository, at commit aef7d09. The StarkWare team also provided us with a draft of the Stwo whitepaper, which we used as a reference for the theoretical background of the protocol.

Summary and recommendations

Overall, we found the verifier code to be well written and organized. A caveat is that the Cairo verifier did not successfully compile at the time of audit. As a fallback, we could use a Rust implementation of the same verifier in stwo_cairo_prover to run end-to-end tests and proof-of-concepts.

Apart from the concrete findings listed at the end of this report, we have some strategic recommendations for keeping the code base secure in the longer term:

Validate prover-supplied data structures. We found that the verifier accepts several data structures from the prover without proper validation, as documented in two findings (1, 2). For example, zipping a verifier-validated array with a prover-provided one without validating lengths, or not checking that two different, related Option values provided by the prover are consistent. In general, the rule of thumb should be that whenever data from the proof is allowed to shape the verifier algorithm, it should be subject to some form of validation.
Be careful about hash collisions. We identified multiple sources of hash collisions throughout the codebase, see 1, 2. While we found no direct exploits, these collisions complicate security analysis and could become exploitable in unexpected ways. We recommend to avoid hash collisions more consistently.
Keep consistency between the code and whitepaper. During our audit, we discovered a few divergences between the core verifier implementation and the Stwo whitepaper. Divergences that are not directly exploitable were nonetheless recorded and reported as informational findings. Indeed, they are an indication that the deployed proof system may not fall directly under the security proof in the whitepaper. We recommend (re-)establishing consistency between the two.
Document overall Cairo AIR structure. The Cairo AIR implements a sophisticated flat AIR architecture with multiple tables connected through LogUp arguments, with many interesting variations like opcodes tables, memory, builtins, chained rounds, etc. However, the overall structure, table variations and table relationships are not comprehensively documented, creating a barrier for newcomers to understand and review the code. We recommend creating high-level documentation of the complete AIR structure, including how the lookup relations ensure Cairo program execution correctness.

Overview of Key Concepts

Stwo, Cairo and `stwo-cairo`

Before diving into the report, it may be helpful for readers that we define and differentiate between “Stwo”, “Cairo” and the repository being reviewed, stwo-cairo.

Stwo. “Stwo” refers to two things: a non-interactive STARK (alt. transparent SNARK) protocol and a Rust-based implementation of the protocol. The STARK is based on Circle STARK [HLP24] and allows to prove the satisfaction of an AIR with additional features such as preprocessed and randomized columns. The protocol is described in an upcoming whitepaper which the Client has provided us with a draft version of. To avoid ambiguity throughout the report:

we refer to Stwo, the non-interactive STARK protocol, as the Stwo whitepaper or the Stwo protocol.
we refer to Stwo, the Rust implementation of the Stwo protocol, as stwo-rs.

Cairo. As explained in the Cairo documentation, “Cairo” is a tech stack that comprises multiple elements. Among them, we highlight:

CairoVM, a virtual machine (VM) that is designed in such a way that its valid execution can be efficiently expressed as an AIR. This property is sometimes abbreviated as “SNARK-friendly” or “STARK-friendly”.
Cairo, a Rust-based high-level language that can be compiled to assembly code for the CairoVM.

We stay consistent with the terms defined in the Cairo documentation and will now use Cairo and CairoVM unambiguously and as above. We also define the CairoAIR to be any (preprocessed and randomized) AIR that enforces the valid execution of the CairoVM.

stwo-cairo. As its name indicates, stwo-cairo is a combination of many of the above elements. The repository contains:

the definition of a CairoAIR. This is in fact a particular type of AIR with preprocessed and randomized columns defined in the Stwo whitepaper as a flat AIR.
a Rust-based prover that implements the Stwo protocol prover for the CairoAIR.
a Cairo-based verifier, stwo_cairo_verifier, which implements the Stwo protocol verifier for the CairoAIR. This can be understood as the Cairo counterpart to the verifier in stwo-rs, specialized for the CairoAIR.

The latter component is the object of this audit. Writing a Cairo-based verifier for validity proofs of the CairoVM is of particular interest as it enables recursive proof composition. This technique is highly prevalent in high-performance SNARK/STARK stacks as it allows for proof aggregation (combining many proofs into one) and continuations (breaking up a large program’s execution into multiple sub-proofs).

The M31 Field and Extensions

Following the Stwo whitepaper, we write $M 31 = 𝔽_{q}$ to denote the finite field of order $q = 2^{31} - 1 .$

We assume that readers are familiar with the $M 31$ field, the circle curve and circle polynomials over a prime or extension field $F$ . We direct the interested reader to our introductory material on these topics (Part 1, Mersenne, Part 2, Circles and Part 3, FFT).

Secure extensions. The field $M 31$ is too small to yield the desired security level for the Stwo protocol. To remediate this, the protocol samples challenges from a degree- $4$ extension of $M 31$ . Once again following the Stwo whitepaper, we define the following extensions fields:

the complex extension $C M 31 = 𝔽_{q^{2}}$ is constructed as $𝔽_{q^{2}} = 𝔽_{q} [ζ] / (ζ^{2} + 1) .$ We write $i = \sqrt{- 1}$ and express elements of $C M 31$ as $z = a + i \cdot b, a, b \in M 31 .$
the quartic extension $Q M 31 = 𝔽_{q^{4}}$ is constructed as $𝔽_{q^{4}} = 𝔽_{q^{2}} [χ] / (χ^{2} - 2 - i) .$ We write $j = \sqrt{2 + i}$ and express elements of $Q M 31$ as $w = (a_{0} + i \cdot b_{0}) + j \cdot (a_{1} + i \cdot b_{1}), a_{0}, a_{1}, b_{0}, b_{1} \in M 31 .$

The flat AIR

A flat AIR is a collection of $τ$ AIR tables, each with their own dimensions and constraints. The tables are “connected” by enforcing the equality of partial rows across tables via a lookup argument.

This setup provides a more flexible arithmetization than a classic monolithic AIR. Flat AIRs allow a ZKVM design to dedicate one table per gate, opcode or even full operations such as a hash function. By constraining operations in separate tables, flat AIRs ensure that each table is kept to the minimum number of columns required for its own set of constraints.

This approach is also referred to as a “multi-table STARK” or a “precompile-centric design”, since the notion of dedicating a table to an operation first emerged with the idea of precompiles.

Lookups between the tables

Stwo uses the LogUp lookup argument to verify that every element in one sequence appears in another. Given two sequences $A$ and $B$ , and letting $m (b)$ denote the multiplicity of $b$ in $A$ , the argument relies on the identity:

\sum_{a \in A} \frac{1}{X - a} = \sum_{b \in B} \frac{m (b)}{X - b} .

When $A$ and $B$ reside in different tables, the prover first commits to the vector of multiplicities $m$ (or, in some cases, they are hard-coded to particular constant values). The verifier then samples a random point $ξ \in Q M 31$ , and the prover provides commitments to the interaction columns along with the claimed sums:

\begin{matrix} s_{A} = \sum_{a \in A} \frac{1}{ξ - a}, \\ s_{B} = - \sum_{b \in B} \frac{m (b)}{ξ - b} . \end{matrix}

The verifier enforces AIR constraints on the original tables to confirm these sums and finally checks that $s_{A} + s_{B} = 0$ .

To support lookups across multiple columns simultaneously, Stwo replaces each element by a random linear combination of the original columns. For example, for column pairs $A = (A_{1}, A_{2})$ and $B = (B_{1}, B_{2})$ , it tests:

\sum_{(a_{1}, a_{2}) \in A} \frac{1}{X - (α a_{1} + a_{2})} = \sum_{(b_{1}, b_{2}) \in B} \frac{m (b_{1}, b_{2})}{X - (α b_{1} + b_{2})},

at a random point $ξ$ and a random folding factor $α$ .

When handling several lookup relations, the verifier chooses independent challenges for each pair, aggregates all resulting sums, and checks that their total equals zero. For instance, with lookups $A \to B$ and $C \to D$ , it verifies:

\begin{matrix} \sum_{a \in A} \frac{1}{X - a} - \sum_{b \in B} \frac{m (b)}{X - b} \\ + \sum_{c \in C} \frac{1}{Y - c} - \sum_{d \in D} \frac{m (d)}{Y - d} = 0 . \end{matrix}

We note that soundness follows from applying the Schwartz–Zippel lemma in the multivariate setting, and is only guaranteed if challenges for each lookup pair are distinct.

Circle Polynomials over QM31

Throughout the execution of the protocol, the verifier will be required to evaluate and apply constraints to circle polynomials over $Q M 31$ . These polynomials appear in the LogUp rounds, during the construction of the randomized columns of the components AIRs, and when running the univariate zero test on the composition polynomial.

In order to apply constraints to the LogUp polynomials, these must be added as columns to the component AIRs. However, all AIRs are defined over $M 31$ and columns cannot contain elements of $Q M 31$ .

This tension is resolved by representing a single circle polynomial over $Q M 31$ $P$ as four circle polynomials $p_{0}, \dots, p_{3}$ over $M 31$ with the following joining rule $P = (p_{0} + i \cdot p_{1}) + j \cdot (p_{2} + i \cdot p_{3}) .$ In addition to solving the tension mentioned above, this method of polynomial representation greatly simplifies the verifier’s logic. Every polynomial received by the verifier is now a circle polynomial over $M 31$ , avoiding the need for (and pitfalls of) managing oracles over different alphabets.

Multi-vector Commitment Scheme from Merkle Trees

Protocols for AIR satisfiability usually require to commit to each of the columns in the AIR table. A common optimization, as detailed here, consists in committing the whole table in a single Merkle tree, where the $i$ -th leaf node contains the values of all the columns at row $i$ .

Stwo applies a similar optimization to its flat AIR arithmetization. However, a flat AIR is composed of multiple tables with different column lengths. Naively committing to a flat AIR would result in producing one Merkle root per table.

To avoid this, Stwo uses modified Merkle trees that allow internal tree nodes to also carry data. We give an illustrated example below constructing a tree of depth $3$ that commits to three vectors, two of length $8$ and one of length $4$ .

Multi-vector Merkle tree illustration

Circle FRI

Like univariate FRI, the Circle FRI protocol tests whether a committed function is close to a Reed–Solomon codeword. However, instead of operating on a univariate polynomial, the committed function is defined over a circle domain in $Q M 31$ . The protocol iteratively reduces the domain size by folding the function into its even and odd parts until the domain is small enough for direct testing. In Circle FRI, this folding is achieved using two 2-to-1 maps:

point doubling, which sends a circle group element to its double (denoted $π$ ), and
x-axis projection, which maps a circle group element to its x-coordinate (denoted $π_{x}$ ).

Crucially, the x-coordinate of the doubled point can be computed without the y-coordinate. Therefore, we first apply the x-axis projection and then iteratively apply point doubling. This process is illustrated in the following diagram.

Domains diagram

We also note that the x-axis projection maps each point to its x-coordinate, flattening the domain for folding to a line.

Pipelining Circle FRI

Another consequence of the flat AIR arithmetization is that the proof system now requires to run a batched proximity test for many vectors of different sizes. Padding all vectors to the size of the largest vector would undermine some of the savings provided by the flat AIR. Instead, Stwo implements an optimization that is also present in plonky2/3 and is referred to as pipelining.

The idea stems from the observation that FRI naturally produces domains and vectors of decreasing sizes during the commit phase. Rather than padding all vectors to the size of the largest domain, a pipelined implementation of FRI batches vectors at their corresponding step of the FRI commit phase.

Consider the following example: testing proximity of vectors $v_{0}$ and $v_{1}$ to a Reed-Solomon code, where $| v_{1} | = | v_{0} | / 2$ . Following the folding procedure, the prover computes the even and odd components of $v_{0}$ which we will denote $v_{0, e}$ and $v_{0, o}$ respectively. In the classic FRI protocol, the prover is given a verifier challenge $α$ and would send the oracle $f_{1} = v_{0, e} + α \cdot v_{0, o}$ . However, in a pipelined implementation, we take advantage of the fact that $| v_{0, e} | = | v_{0, o} | = | v_{1} |$ and instead compute:

f_{1} = v_{0, e} + α \cdot v_{0, o} + α^{2} \cdot v_{1} .

The rest of the protocol proceeds as normal, unless there are smaller vectors that need to be inserted.

The above example is shown with regular polynomials. Working with circle polynomials introduces small complications which are explained and dealt with in the Stwo whitepaper. We also note that, to the best of our knowledge, the Stwo whitepaper is the first resource that proves the soundness of this batching method.

Proving polynomial evaluations using FRI

In STARKs, the FRI protocol can be turned into an evaluation proof via a standard quotienting technique. The verifier first receives an oracle for the original polynomial $p (x)$ as a vector of evaluations in $M 31$ . Next, they sample a random out-of-domain circle point $Q \in C (Q M 31) \ C (C M 31)$ and request the evaluation $p (Q)$ . The prover sends the purported value $V$ , and then both prover and verifier engage in a low-degree test using FRI on the quotient:

p^{'} (x) = \frac{p (x) - L_{Q, V} (x)}{V_{Q} (x)} .

Here, $L_{Q, V} (x)$ is the unique linear polynomial interpolating $(Q, V)$ and $(\overset{―}{Q}, \overset{―}{V})$ , while $V_{Q} (x)$ vanishes at $Q$ and $\overset{―}{Q}$ . The notation $\overset{―}{Q}$ denotes the complex conjugate of $Q$ in $Q M 31$ in the second extension. We note that this works because for any polynomial $p (x)$ over the base field $M 31$ , we have $p (\overset{―}{Q}) = \overset{―}{p (Q)}$ . As in the univariate case, if $p^{'} (x)$ is a low-degree polynomial rather than a rational function, the verifier is convinced that the evaluation claim is correct, i.e., that $p (Q) = V$ .

FRI and Pipelining in Stwo-Cairo

In Stwo-Cairo, folding is handled by the fri component. During the commit phase, the prover repeatedly commits to oracle polynomials while the verifier issues a folding challenge $α$ at each step. After the final round, the prover reveals the last polynomial in the clear.

In the decommitment phase, the verifier selects query positions in the initial layer and requests the corresponding evaluations from the prover. For each step, the verifier also checks the Merkle authentication paths for the queried evaluations. It then uses these values to iteratively fold and compute the expected evaluations at each successive layer. At the end, the verifier obtains queries and expected evaluations for the final polynomial, which it verifies by direct evaluation at those points.

To support pipelining, the verifier applies an x-axis projection to all committed columns before performing a pipelined folding of those columns using the point-doubling map.

CairoAIR

CairoAIR is an AIR that proves that a Cairo program was executed correctly (i.e. according to the semantics of the CairoVM).

CairoVM

To give a brief introduction to CairoVM, the CairoVM contains a read-only memory and a CPU with 3 registers (pc, ap, fp) that executes a single Cairo instruction every step. As can be seen in the figure below, a Cairo instruction is composed of 64 bits, where the first 3 16-bits represent the offsets to the 3 operands (dst, op0, op1) that the instruction uses.

The next 15 bits are flags which determine which of the registers to use for the operands and how the 3 registers should be updated after execution. It also determines which opcode to use for the instruction, where each unique opcode defines a custom logic for the instruction. Every Cairo instruction is mapped to a specific opcode, which can range from basic computation (e.g. ADD or MUL opcodes) to programming language specific ones (e.g. CALL, RET). CairoAIR extends the functionality of a Cairo instruction defined in the Cairo paper to define custom opcodes using an opcode_extension field. Essentially, a Cairo instruction is expanded to 72 bits and the last 9 bits (64 to 72) are allocated for the opcode_extension field. Currently, the following opcode extension values are supported:

0: Stone, which are the original opcodes defined in the Cairo paper
1: Blake
2: BlakeFinalize
3: QM31Operation

The AIR

We now give a simplified version of how the CairoAIR proves that the correct execution of a Cairo program.

The verifier is given only the following values:

The initial and final values of the 3 registers (pc, ap, fp)
The Cairo program, which is a set of Cairo instructions

and the prover needs to prove the following:

Each Cairo instruction was executed correctly according to the CairoVM semantics
The Cairo program was executed on the initial register values and resulted in the final register values
The memory values accessed during the execution of the Cairo program do not violate the read-only memory model

The CairoAIR implements these checks using a flat AIR (i.e. multiple tables that are connected to each other using lookups). Below is a simplified diagram of what the CairoAIR looks like.

The rounded rectangles on the right-hand side of the diagram each represent a unique table that the prover constructs as part of the witness. The left-hand side shows the public values that are given to the verifier: the initial and final values of the 3 registers and the Cairo program. Each non-rounded rectangle represents a lookup relation where red edges means a lookup relation with a negative multiplicity and blue edges mean a lookup relation with a positive multiplicity. Each non-rounded rectangle with the same fill colors represent lookup relations that are connected to each other. When verifying the proof, the verifier can simply check that the total sum of the values in all the non-rounded rectangles is equal to zero.

We now show how this AIR can prove what the bullet points mentioned above:

To determine which opcode to use for the instruction, we need to first read the instruction from memory using the pc register value and decompose it into offsets and flags. Reading the instruction and decomposing it is done inside the VerifyInstruction table and the result is looked up by the Opcode table using the (pc, dst_off, op0_off, op1_off, flags1, flags2, opcode_extension) relation. Then, using the offsets and the flags, we read the values of the operands from the Memory table using the (dst_off, dst_value), (op0_off, op0_value), and (op1_off, op1_value) relations. Finally, we check that the computation for the corresponding opcode is done correctly using the constraints in the Opcode table.
The Opcode table also updates the register values according to the flags in the instruction. This means that if we lookup the input register values for an instruction as positive and the output register values for the same instruction as negative, when adding all the lookup relations together, everything will cancel out except for the input to the first instruction and the output of the last instruction. Since these register values are public to the verifier, the verifier can simply subtract (init_pc, init_ap, init_fp) and add (final_pc, final_ap, final_fp) to the total claimed sum and check that it equals zero.
To check the validity of the read-only memory, we need to check that each memory address does not map to multiple values. To do this, the Memory table makes sure that only one row can be defined per address. Whenever we need to access a value in memory, we add a (addr, value) relation, while the Memory table subtracts the same relation. Since there can be multiple accesses to the same memory address, the Memory table also has a multiplicity column that is used to multiply the (addr, value) relation. Note that in the actual stwo-cairo code, the memory address is first mapped to an id and then the id is mapped to the value, but we omit this for brevity.

The `AddOpcode` table

To give an example of how an Opcode table is implemented, we give an overview of the AddOpcode table.

As we saw in the previous section, an Opcode table does the following:

uses the VerifyInstruction table to decompose the instruction into offsets and flags.
verifies that the instruction corresponds to the current opcode using the flags.
uses the Memory table to get the values of the operands op0, op1, and dst.
verifies that the opcode operation is done correctly.
updates the 3 register values (pc, ap, fp) using the flags.

In this section, we go over how the AddOpcode table implements step 4 since the other steps are general for all Opcode tables and were already covered.

Assuming that the operands op0, op1, and dst are correctly accessed from the Memory table, the main constraint of the AddOpcode table is to check that op0 + op1 = dst. But before diving deeper into the constraints, we need to understand that Cairo and Stwo use different fields and thus we need to convert between them. Cairo works over the 252-bit prime field $P = 2^{251} + 17 \cdot 2^{192} + 1$ , while Stwo works over the 31-bit prime field $M 31 = 2^{31} - 1$ . CairoAIR decomposes the 252-bit integers into 28 9-bit limbs and range checks that each limb is in the range $[0, 2^{9})$ .

To check that the two sets of limbs are correctly added, we iterate from the least significant limb to the most significant limb. For each limb except for the first, we also need to take into account the carry from the previous limb. This check of additions over multiple limbs is done over a single constraint as there is no multiplication involved and we don’t need to worry about the degree of the constraint. For example, the first limb computes carry_limb_0 = (op0[0] + op1[0] - dst[0]) / 2^9 and the second limb computes carry_limb_1 = (op0[1] + op1[1] - dst[1] + carry_limb_0) / 2^9 and so on until the last limb.

The division by 2^9 is done since op0[0] + op1[0] - dst[0] should either be 2^9 (if carry exists) or 0 (if carry doesn’t exist) and dividing it by 2^9 will result in a 1 or 0 value. Another thing to note is that in the implementation, we change the division by 2^9 to a multiplication by 2^22 which is the same thing in the M31 field since $2^{9} \cdot 2^{22} = 2^{31} = 1 mod M 31$ .

In addition, we also need to take into account the addition overflowing the 252-bit prime field $P$ (i.e. addition results in op0 + op1 = dst + P). To do this, we use another witness variable sub_p_bit, which is a 1-bit value that is subtracted only in the 3 limbs where $P$ has a non-zero limb. In this case, these are the limbs 0, 22, 27. Revisiting the computation for the first limb, we can see that it is now carry_limb_0 = (op0[0] + op1[0] - dst[0] - sub_p_bit) * 2^22.

A caveat of this approach is that subtracting by sub_p_bit can introduce an underflow, i.e. (op0[0] + op1[0] - dst[0] - sub_p_bit) * 2^22 = -1. This means that carry_limb_0 can also be -1, not just 0 or 1. Thus, we need to update the constraint for each carry to carry_limb_0 * (carry_limb_0 + 1) * (carry_limb_0 - 1) = 0.

Findings

Below are listed the findings found during the engagement. High severity findings can be seen as so-called "priority 0" issues that need fixing (potentially urgently). Medium severity findings are most often serious findings that have less impact (or are harder to exploit) than high-severity findings. Low severity findings are most often exploitable in contrived scenarios, if at all, but still warrant reflection. Findings marked as informational are general comments that did not fit any of the other criteria.

ID	Component	Name	Risk
#00	channel/{poseidon252, blake2s}.cairo	Public Memory ID Values Missing from Fiat-Shamir Transcript, Allowing Proof Forgery	High
#01	cairo_air/src/lib.cairo	Prover Can Manipulate LogUp Relations Because Unused Components Are Not Excluded from the Sum	High
#02	cairo_air, verifier_core	Hash Collisions Due To Zero-Padding and Flexible Data Structures	Medium
#03	channel/poseidon252.cairo	Bias in Challenge Derivation Can Reduce Security Level	Low
#04	stwo_cairo_prover/crates/cairo-air/src/verifier.rs	Rust Verifier Misses Check of Preprocessed Root	Low
#05	pcs/verifier.cairo	Zipping with Prover Input Could Cause Skipped Merkle Verification	Low
#06	Stwo_Whitepaper.pdf	IOP and Soundness Proof in Stwo Whitepaper Incorrectly Handle Vector Lookups of Heterogeneous Dimension	Low
#07	cairo_air/src/lib.cairo	Computation of the Composition Polynomial Differs from Stwo Whitepaper	Informational
#09	cairo_air/src/lib.cairo	Hash Collisions When Hashing Memory Section	Informational
#0a	cairo_air/src/lib.cairo	Combining Multiple LogUp Relations Is Not Covered by Stwo Whitepaper	Informational
#0b	cairo_air/*	LogUp Constraints Differ from Stwo Whitepaper	Informational
#0c	verifier_core/src/vcs/*	Non-Standard Merkle Commitments Require Soundness Proof	Informational
#0d	verifier_core/src/pcs.cairo	Calculation of Security Bits for the PCS Only Refers to the Query Phase and Hard-Codes Conjectures	Informational

#00 - Public Memory ID Values Missing from Fiat-Shamir Transcript, Allowing Proof Forgery

Severity: High Location: channel/{poseidon252, blake2s}.cairo

Description.

Before drawing the interaction challenges, all the public claims about the execution trace are mixed in the Fiat-Shamir channel. This includes, in particular, all the public memory claims.

fn mix_into(self: @PublicMemory, ref channel: Channel) {
    let PublicMemory { program, public_segments, output, safe_call } = self;

    // Program is the bootloader and doesn't need to be mixed into the channel.
    let _ = program;

    // Mix public segments.
    public_segments.mix_into(ref channel);

    // Mix output memory section.
    channel.mix_memory_section(output);

    // Mix safe_call memory section.
    channel.mix_u64(safe_call.len().into());
    for (id, value) in safe_call.span() {
        channel.mix_u64((*id).into());
        // Mix each element of the array individually
        for val_element in (*value).span() {
            channel.mix_u64((*val_element).into());
        }
    }
}

Focusing on the output claim, it is a vector of pairs (memory_id, value). The mix_memory_section function mixes the memory ID values into the channel, but it does not mix the memory ID keys: notice how the first component of the pair is ignored in the following code.

fn mix_memory_section(ref self: Poseidon252Channel, data: @Array<(u32, [u32; 8])>) {
    // TODO(Gali): Make this more efficient.
    let mut flat_data = array![];
    for entry in data.span() {
        let (_, val) = entry;
        flat_data.append_span((*val).span());
    }
    self.mix_u32s(flat_data.span());
}

Later, interaction challenges are drawn from the challenge, and all the public memory claims are transformed into a vector of triples (address, memory_id, value) and are added into the LogUp sum. In particular, for the output claim, each pair (memory_id, value) is transformed into triples (final_ap + i, memory_id, value).

fn get_entries(
    self: @PublicMemory, initial_pc: u32, initial_ap: u32, final_ap: u32,
) -> Array<PubMemoryEntry> {
    let mut entries = array![];

    // [...]

    // Output.
    i = 0;
    for (id, value) in self.output.span() {
        entries.append((final_ap + i, *id, *value));
        i += 1;
    }

    // [...]
    entries
}

Then, for each triple (address, memory_id, value), the following LogUp sum is computed.

for entry in self
    .public_memory
    .get_entries(
        initial_pc: (*self.initial_state.pc).into(),
        initial_ap: (*self.initial_state.ap).into(),
        final_ap: (*self.final_state.ap).into(),
    )
    .span() {
    let (addr, id, val) = *entry;

    let addr_m31 = addr.try_into().unwrap();
    let id_m31 = id.try_into().unwrap();
    let addr_to_id = lookup_elements
        .memory_address_to_id
        .combine([addr_m31, id_m31])
        .inverse();

    // Use handwritten implementation of combine_id_to_value to improve performance.
    let alpha = *lookup_elements.memory_id_to_value.alpha;
    let mut combine_sum = combine::combine_felt252(val, alpha);
    combine_sum = combine_sum * alpha
        + id_m31.into()
        - *lookup_elements.memory_id_to_value.z;
    let id_to_value = combine_sum.inverse();

    sum += addr_to_id + id_to_value;
}

This sum roughly corresponds to the following equation:

\begin{matrix} \frac{1}{α \cdot {addr}_{1} + {id}_{1} - z_{1}} + \frac{1}{\sum_{i = 1}^{n} (β^{i} \cdot {value}_{1, i}) + {id}_{1} - z_{2}} \\ + \frac{1}{α \cdot {addr}_{2} + {id}_{2} - z_{1}} + \frac{1}{\sum_{i = 1}^{n} (β^{i} \cdot {value}_{2, i}) + {id}_{2} - z_{2}} + \dots \end{matrix}

where $α$ , $β$ and $z$ are challenges drawn from QM31. Our observation is that, in particular in the case of the output claim, the memory ID values are not mixed into the Fiat-Shamir channel, and thus can be changed by a malicious prover after knowing the interaction challenges, and in particular after knowing the values of $α$ , $β$ and $z$ .

Impact. Since the memory ID values are not mixed into the Fiat-Shamir channel, the potential impact is that a malicious prover can manipulate the LogUp sum to be zero, even if the lookup relations are not satisfied. For the purposes of the attack, all address and values can be considered “fixed”, as they are included in the Fiat-Shamir channel before the interaction challenges are drawn. This means that the attacker succeeds in forging a proof if they can find values ${id}_{1}, {id}_{2}, \dots, {id}_{k}$ such that the following equation holds:

\begin{matrix} \frac{1}{{id}_{1} + γ_{1}} + \frac{1}{{id}_{1} + χ_{1}} \\ + \frac{1}{{id}_{2} + γ_{2}} + \frac{1}{{id}_{2} + χ_{2}} + \dots \\ + \frac{1}{{id}_{k} + γ_{k}} + \frac{1}{{id}_{k} + χ_{k}} = c \end{matrix}

where $γ_{i}$ and $χ_{i}$ are constants over QM31 which can be computed after drawing the challenges, and $c$ is a target sum value also over QM31. The interesting part is that the values ${id}_{1}, {id}_{2}, \dots, {id}_{k}$ have to be from the base field M31, which makes this equation non-trivial to solve. Therefore, intuitively for a solution to exist, the number of memory IDs $k$ must be at least $4$ to cover the degrees of freedom of the equation.

We provide one generic attack strategy, which can be used to solve this equation: the idea is to use a generic birthday paradox attack to find a $k$ -sum. This attack is based on the Wagner’s attack described in this paper.

The attacker precomputes lists of values $1 / ({id}_{i} + γ_{i}) + 1 / ({id}_{i} + χ_{i})$ for all $i$ . Since the values $γ_{i}$ and $χ_{i}$ are effectively random, the list values can be thought as random.
Now, the attacker needs to find values in those lists that sum to $c$ , which is exactly an instance of the $k$ -sum problem.

Interestingly, for a $4$ -sum problem, the Wagner’s attack can be used to find a solution in $O (2^{n / 3})$ time, where $n$ is the number of bits of the challenge space. In this case, the work required is roughly $2^{41}$ . However, we conjecture that if we increase $k$ to be $2^{10}$ , then the cost of the attack is reduced to approximately $2^{22}$ , which is feasible on a modern computer.

As a final remark, this particular attack is completely generic, and we believe that more efficient attacks may exist, e.g., based on solving the equation directly using Groebner bases or other algebraic techniques.

Recommendation. We recommend to mix the memory ID values into the Fiat-Shamir channel, so that they cannot be manipulated after the interaction challenges are drawn.

#01 - Prover Can Manipulate LogUp Relations Because Unused Components Are Not Excluded from the Sum

Severity: High Location: cairo_air/src/lib.cairo

Description. Several components of the Cairo AIR are optional. Whether or not the verifier adds those components is determined by the CairoClaim that is part of a Cairo proof:

pub struct CairoProof {
    pub claim: CairoClaim,
    pub interaction_pow: u64,
    pub interaction_claim: CairoInteractionClaim,
    pub stark_proof: StarkProof,
}

For example, claim.blake_context.claim is of type Option<BlakeClaim>, and if the option is None, the Blake components are not added; which means the verifier will not include the components’ constraints in the composition polynomial.

impl BlakeContextComponentsImpl of BlakeContextComponentsTrait {
    fn new(
        claim: @BlakeContextClaim,
        interaction_elements: @CairoInteractionElements,
        interaction_claim: @BlakeContextInteractionClaim,
    ) -> BlakeContextComponents {
        if let Some(claim) = claim.claim {
            BlakeContextComponents {
                components: Some(
                    BlakeComponentsImpl::new(
                        claim,
                        interaction_elements,
                        interaction_claim.interaction_claim.as_snap().unwrap(),
                    ),
                ),
            }
        } else {
            BlakeContextComponents { components: None }
        }
    }

A CairoProof also holds a CairoInteractionClaim that contains the claimed LogUp sums of all components, and similarly contains options for sums of optional components. If the claimed sum of an optional component is present, it is added to the overall LogUp sum:

pub fn lookup_sum(
    claim: @CairoClaim,
    elements: @CairoInteractionElements,
    interaction_claim: @CairoInteractionClaim,
) -> QM31 {
    // ...

    sum += interaction_claim.blake_context.sum();

    // ...
}

// ...

impl BlakeContextInteractionClaimImpl of BlakeContextInteractionClaimTrait {
    // ...

    fn sum(self: @BlakeContextInteractionClaim) -> QM31 {
        if let Some(interaction_claim) = self.interaction_claim {
            interaction_claim.sum()
        } else {
            Zero::zero()
        }
    }
}

The issue is that the verifier never checks that optionality of components and their corresponding sums is consistent with each other. Specifically, the prover can set the Blake interaction claim to Some(value) even if the Blake claim is None. In that case, the interaction claim is added to the overall sum but is not constrained in any way, because the components that would normally constrain it are missing. That makes it easy for the prover to manipulate the total LogUp sum.

Almost all optional components are affected by this issue:

Pedersen
Poseidon
Blake
Opcodes
all builtins

The case of Pedersen, Poseidon, and builtins is similar to Blake, where options for claim and interaction claim are not checked to be consistent.

For opcode components, the proof contains a vector of claims, which leads to a vector of components to be added, and similarly there’s a vector of interaction claims. However, the lengths of claims and interactions claims are not checked to be equal, so the prover can add extra unconstrained terms to the LogUp sum by appending them to the interaction claims vector.

The only optional components not vulnerable are the memory_id_to_value components, that also come with vectors of claims and interaction claims. In this case, the issue is prevented by the following consistency check (in CairoAirNewImpl::new()):

assert!(
    cairo_claim
        .memory_id_to_value
        .big_log_sizes
        .len() == interaction_claim
        .memory_id_to_value
        .big_claimed_sums
        .len(),
);

Impact. The issue enables attackers to forge proofs that are invalid in a number of ways.

As a proof-of-concept, we modify the prove_cairo() function to generate a valid proof for an incorrect output claim of the example Cairo program included in the repository. The modified prover performs the following operations:

It arbitrarily changes the first output value claim.
It computes the interaction challenges, and then compute the original LogUp sum, which will not be zero.
At this point, it adds a claimed_sum value in an unused interaction claim set to exactly the negative of the modified LogUp sum, so that the final LogUp sum is zero.

In the end, verification passes thanks to the zero LogUp sum, despite the incorrect output claim.

pub fn prove_cairo<MC: MerkleChannel>(
    input: ProverInput,
    pcs_config: PcsConfig,
    preprocessed_trace: PreProcessedTraceVariant,
) -> Result<CairoProof<MC::H>, ProvingError>
where
    SimdBackend: BackendForChannel<MC>,
{
    // [...]

    // Run Cairo.
    let cairo_claim_generator = CairoClaimGenerator::new(input);
    // Base trace.
    let mut tree_builder = commitment_scheme.tree_builder();
    let span = span!(Level::INFO, "Base trace").entered();
-   let (claim, interaction_generator) = cairo_claim_generator.write_trace(&mut tree_builder);
+   let (mut claim, interaction_generator) = cairo_claim_generator.write_trace(&mut tree_builder);
    span.exit();
+
+    // Modify the first output value claim to be another value, e.g., 0x41.
+    claim.public_data.public_memory.output[0].1 = [0x41, 0, 0, 0, 0, 0, 0, 0];

    claim.mix_into(channel);

    // [...]

-    let interaction_claim =
+    let mut interaction_claim =
        interaction_generator.write_interaction_trace(&mut tree_builder, &interaction_elements);
+
+   // since we modified an output claim, the lookup sum will not be zero
+   let modified_lookup_sum = lookup_sum(&claim, &interaction_elements, &interaction_claim);
+   println!(
+       "Modified lookup sum: {}",
+       modified_lookup_sum.to_string()
+   );
+
+   // Add an unused claimed sum to make it zero.
+   // In this specific case, the add_mod_builtin is null in the
+   // original proof.
+   interaction_claim.builtins.add_mod_builtin = Some(InteractionClaim {
+       claimed_sum: -modified_lookup_sum
+   });

    // [...]

    // Validate lookup argument.
    debug_assert_eq!(
        lookup_sum(&claim, &interaction_elements, &interaction_claim),
        SecureField::zero()
    );

    interaction_claim.mix_into(channel);
    tree_builder.commit(channel);

    // [...]

    Ok(CairoProof {
        claim,
        interaction_pow,
        interaction_claim,
        stark_proof: proof,
    })
}

The output of the prover is the following:

Modified lookup sum: (704398217 + 987329512i) + (1683849168 + 1389614104i)u
New lookup sum: (0 + 0i) + (0 + 0i)u

and the modified proof is accepted by the verifier.

Recommendation. Add consistency checks for all optional components, which guarantee that if a component is not used, its LogUp sum contribution is zero.

#02 - Hash Collisions Due To Zero-Padding and Flexible Data Structures

Severity: Medium Location: cairo_air, verifier_core

Description. Some instances of hashes in the code base exhibit collisions due to zero padding. For example, hash_node() in poseidon_hasher.cairo:

    if !column_values.is_empty() {
        let mut word = (*column_values.pop_front().unwrap_or(@BaseField { inner: 0 }))
            .inner
            .into();

        for _ in 1..M31_ELEMENTS_IN_HASH {
            let v = (*column_values.pop_front().unwrap_or(@BaseField { inner: 0 }))
                .inner
                .into();
            word = word * M31_SHIFT + v;
        }

        hash_array.append(word);
    }

Note that zeros replace any elements missing to make the input length a multiple of M31_ELEMENTS_IN_HASH = 8. In particular, inputs like [1] and [1,0] and [1,0,0] will all yield the same hash value.

This particular zero-extension collision was fixed in a commit shortly after the audit freeze, but another collision is still present in the same function : The special case where there are no child nodes and exactly 4 column values [v0, v1, v2, v3] seems to collide with the case of 8 column values [v0, v1, v2, v3, 0, 0, 0, 0].

A similar zero-extension collision happens in mix_u32s() in the Poseidon channel implementation, where input u32s are zero-padded up to a multiple of 7. In current usage of mix_u32s(), this should not present an issue.

A slightly different type of hash collision is prevalent throughout cairo_air/src/lib.cairo: Collisions due to flexible data structures, where only the content but not the exact structure serves as hash input. For example, this is how the PublicSegmentRanges are mixed into the channel:

impl PublicSegmentRangesImpl of PublicSegmentRangesTrait {
    fn mix_into(self: @PublicSegmentRanges, ref channel: Channel) {
        for segment in self.present_segments() {
            segment.mix_into(ref channel);
        }
    }

The return value of present_segments() is some sublist of 11 different public memory segments, 10 of which are optional. The hash cannot distinguish which of the segments are present.

Similarly, when optional claims are mixed into the channel, it looks like this:

impl BuiltinsClaimImpl of BuiltinsClaimTrait {
    fn mix_into(self: @BuiltinsClaim, ref channel: Channel) {
        if let Some(claim) = self.add_mod_builtin {
            claim.mix_into(ref channel);
        }
        if let Some(claim) = self.bitwise_builtin {
            claim.mix_into(ref channel);
        }
        if let Some(claim) = self.mul_mod_builtin {
            claim.mix_into(ref channel);
        }
        // ...

There are hash collisions because, for example, values of self.add_mod_builtin = Some(X) and self.bitwise_builtin = None yield the same hash as self.add_mod_builtin = None and self.bitwise_builtin = Some(X).

Other optional claims like BlakeContextClaim, PoseidonContextClaim and memory_id_to_big::Claim have the same issue. On the other hand, OpcodeClaim avoids the issue by mixing the length of vectors into the channel together with their content.

Impact and recommendation. We did not find a way to exploit any of the hash collisions found. However, given how prevalent these collisions are and how they could interact in complex ways, we believe it would be safer to remove them. In general, this is easily accomplished by hashing an indicator of the data structure along with the data itself, such as the length of an input array or a bit in the case of an option.

#03 - Bias in Challenge Derivation Can Reduce Security Level

Severity: Low Location: channel/poseidon252.cairo

Description. In the Poseidon channel implementation, draw_base_felts() first draws a felt252 and from that extracts 8 M31 elements:

fn draw_base_felts(ref channel: Poseidon252Channel) -> [M31; FELTS_PER_HASH] {
    let mut cur: u256 = draw_secure_felt252(ref channel).into();
    [
        extract_m31(ref cur), extract_m31(ref cur), extract_m31(ref cur), extract_m31(ref cur),
        extract_m31(ref cur), extract_m31(ref cur), extract_m31(ref cur), extract_m31(ref cur),
    ]
}

// ...

fn extract_m31(ref num: u256) -> M31 {
    let (q, r) = DivRem::div_rem(num, M31_SHIFT_NZ_U256);
    num = q;
    M31Trait::reduce_u128(r.low)
}

extract_m31() works by

extracting the first 31 bits of the input: div_rem() by M31_SHIFT_NZ_U256 $= 2^{31}$ in the code above, and
reducing the result modulo the M31 field; this happens inside reduce_u128().

Since $(2^{31} - 1) mod M31 = 0$ while $x mod M31 = x$ for all other 31-bit strings, this operation introduces a bias: Drawing 0 is twice as likely as drawing any other M31 element.

Impact. The chance for the prover to draw a zero base felt is $2^{- 30}$ instead of the ideal $2^{- 31}$ . When drawing a QM31 extension field element, which uses the first 4 outputs of draw_base_felts(), the chance of drawing an overall zero is $2^{- 120}$ instead of $2^{- 124}$ . Drawing 0 for a challenge in any place likely lets an attacker forge an invalid proof, so the bias reduces the maximum security level that Stwo can target, by 4 bits.

Recommendation. The blake2s channel implementation already handles the bias correctly by rejecting samples that fall outside a multiple of the M31 range. We recommend to do the same for Poseidon.

#04 - Rust Verifier Misses Check of Preprocessed Root

Severity: Low Location: stwo_cairo_prover/crates/cairo-air/src/verifier.rs

Description. In the Cairo version of verify_cairo(), the validity of preprocessed traces is checked by comparing the preprocessed root to a hard-coded value (which depends on the blowup factor).

// Preprocessed trace.
let expected_preprocessed_root = preprocessed_root(pcs_config.fri_config.log_blowup_factor);
let preprocessed_root = stark_proof.commitment_scheme_proof.commitments[0].clone();
assert!(preprocessed_root == expected_preprocessed_root);

The same check is missing from the Rust version of verify_cairo().

Impact. The values in preprocessed traces are not determined by polynomial constraints, but hard-coded to specific values. A check like the above is therefore essential, otherwise the prover can set the values in preprocessed traces arbitrarily.

The issue is only marked with low severity because the Rust verifier was outside the audit scope and we are told it is mainly intended for debugging.

Recommendation. Add the missing check in the Rust verifier.

#05 - Zipping with Prover Input Could Cause Skipped Merkle Verification

Severity: Low Location: pcs/verifier.cairo

Description. In verify_values(), the implementation zips self.trees (an array of length 4, created by the verifier) with queried_values which is taken from the proof. If the prover supplies queried_values shorter than self.trees, zip() will only iterate up to the shorter length. This causes the verifier to skip tree.verify() on some of the trees, which is one of the core checks in the protocol.

for (tree, queried_values) in self.trees.span().into_iter().zip(queried_values.span()) {
    let decommitment = decommitments.next().unwrap();

    // The Merkle implementation pops values from the query position dict so it has to
    // be duplicated.
    let query_positions = query_positions_by_log_size.clone_subset(unique_column_log_sizes);

    tree.verify(query_positions, *queried_values, decommitment);
}

Impact. There is no concrete impact, because insufficient numbers of trees in queried_values will later cause queried_values_at_row in accumulate_row_quotients() to be shorter than expected, and cause an array out-of-bounds error. This can’t be circumvented by the prover, so it is not possible to get the verifier to succeed after skipping Merkle opening checks.

However, this failure seems coincidental and could be accidentally removed by refactoring accumulate_row_quotients(), in which case the skipped checks would be catastrophic.

Recommendation. In general, data from the proof should be validated before it is allowed to structure the verifier algorithm. In the case of zip(), we recommend to assert that the lengths of the zipped arrays are equal.

assert!(self.trees.len() == queried_values.len());

for (tree, queried_values) in self.trees.span().into_iter().zip(queried_values.span()) {
  // ...

#06 - IOP and Soundness Proof in Stwo Whitepaper Incorrectly Handle Vector Lookups of Heterogeneous Dimension

Severity: Low Location: Stwo_Whitepaper.pdf

Description. The Stwo whitepaper features the concept of a channel $ℒ$ that captures communication between AIR tables: Each gate/table can use a number of elements from the channel, as well as yield other elements to the channel:

{\vec{w}}_{i, 0}, \dots, {\vec{w}}_{i, r} \leftarrow ℒ,

{\vec{z}}_{i, 0}, \dots, {\vec{z}}_{i, s} \to ℒ .

The paper allows each of these vectors to be of its own dimension.

The flat AIR relation requires that the set of all used elements, from all tables, is contained in the set of all yielded elements:

⋃_{i, j, t} {{\vec{w}}_{i, j, t}} \subseteq ⋃_{i, j, t} {{\vec{z}}_{i, j, t}} .

Note that here we are potentially trying to equate vectors of different dimension.

In the IOP, vectors $(z_{0}, \dots, z_{n - 1})$ are reduced to scalars by summing over elements times powers of a challenge, $z_{0} + α z_{1} + \dots + α^{n - 1} z_{n - 1}$ . These scalars participate in a shared LogUp protocol.

The problem is that vectors of different dimensions can interact in the LogUp sum if one of them has trailing zeros, e.g. a vector $(z_{0}, 0)$ interacts with a scalar $z_{0}$ because $z_{0} + α 0 = z_{0}$ . On the other hand, $(z_{0}, 0)$ can not interact with $z_{0}$ in the original “uses $\subseteq$ yields” inclusion.

This means we have a soundness issue: the LogUp relation can be satisfied even if the original inclusion relation isn’t.

In particular, Lemma 5 (Soundness, Round 1a) in Appendix A.4 of the paper is false. To give a simple counter-example, assume that we have a single table of two columns $(x_{i}, y_{i})$ of length $N$ , a single “use” constraint $U (x, y) = (x, y)$ , a single “yield” constraint $V (x) = x$ , and constant yield multiplicities $m_{i} = 1$ . Then Lemma 5 claims that the equality of rational functions

\sum_{i < N} \frac{1}{X + x_{i} + Y y_{i}} = \sum_{i < N} \frac{1}{X + x_{i}}

implies the set inclusion ${(x_{i}, y_{i}) : i < N} \subseteq {x_{i} : i < N}$ . This is clearly not true because the rational function equation can be satisfied with $y_{i} = 0$ for all $i$ , while the set inclusion is never satisfied (for $N > 0$ ).

Impact. Implementing lookup channels of heterogeneous dimension as specified by the whitepaper would not be secure. For stwo-cairo, there is no impact, because all existing lookup relations use the same dimension everywhere.

Recommendation. There are ways to fix the IOP to incorporate multiple dimensions. For example, the dimension could be aggregated into the scalar: $n + α z_{0} + \dots + α^{n} z_{n - 1}$ .

However, it’s questionable to us if different dimensions in one lookup relation are even useful. An alternative would be to remove this possibility from the flat AIR definition.

#07 - Computation of the Composition Polynomial Differs from Stwo Whitepaper

Severity: Informational Location: cairo_air/src/lib.cairo

Description. The zero check (composition) round of the Stwo protocol as implemented in code deviates from the description given in the Stwo whitepaper (Protocol 1).

In particular, the whitepaper specifies that the prover sends commitments to the quotient polynomials $q^{(1)}, \dots, q^{(τ)}$ corresponding to each of the $τ$ AIR components. The verifier then performs the point evaluation and zero check for each table individually.

On the other hand, the stwo-rs and stwo-cairo provers both send a single commitment to the batched composition quotient.

Impact. The security analysis of the protocol implemented in code differs from that presented on paper.

Our intuition is that the paper version of the protocol admits a simple, straightline method for extracting individual composition quotients by leveraging the extractability of Merkle tree in the ROM. In contrast, the code version might require a rewinding argument to recover the individual composition quotients from the batched composition quotients. We do not assess whether the (round-by-round) security proof requires to extract individual composition quotients or whether rewinding security proofs are suitable to prove the desired real-world security properties of Stwo.

Recommendation. Align the paper and code to follow the same method. The choice of method should be dictated by the proven security properties that are required of the real-world deployment of stwo-cairo.

#09 - Hash Collisions When Hashing Memory Section

Severity: Informational Location: cairo_air/src/lib.cairo

Description. In the Poseidon version of hash_memory_section(), individual memory values represented as 8 u32s are concatenated into a single felt252 by construct_f252(), to compute the hash input.

The concatenation effectively takes the input modulo the 252-bit field, and therefore causes hash collisions between memory values that are a multiple of $p_{252}$ (the felt252 prime) apart.

This could have an impact in two possible scenarios:

The input memory values are unchecked and can occupy the full 256-bit range. In this case, there are up to $⌈ 2^{256} / p_{252} ⌉ = 32$ collisions per unique memory value.
The input memory values are independently checked to fit in 28 9-bit limbs, as is done in the “memory id to big value” tables. In this case, since $9 \cdot 28 = 252$ and $p_{252}$ is just slightly larger than $2^{251}$ , there are 2 collisions for most unique memory values.

Impact. In the code base at the time of audit, there is no issue, because the only memory values fed to hash_memory_section() are the contents of the public program, which are forced to consist of small values by the constraints of the verify_instruction table. However, the function seems to be intended to hash any memory section, and care will be required when applying it to arbitrary memory values in the future.

Recommendation. Only pack 7 u32s into one felt252 instead of 8, as is already done in mix_u32s().

#0a - Combining Multiple LogUp Relations Is Not Covered by Stwo Whitepaper

Severity: Informational Location: cairo_air/src/lib.cairo

Description. The Stwo whitepaper’s presentation of the LogUp part of Protocol 1 is less general than what is actually implemented.

The whitepaper (in Definition 6) specifies a flat AIR to consist of a single lookup relation where the union over all “uses” are contained in the union over all “yields”:

⋃_{t} 𝒰_{t} \subseteq ⋃_{t} 𝒴_{t}

However, to implement the Cairo AIR, stwo-cairo needs multiple lookup relations, each with their own independent use-yield inclusion. (In the code, independent relations are tagged with identifiers like “Opcodes”, “MemoryIdToBig”, “VerifyInstruction”.) Using terminology from the paper, the Cairo AIR actually features multiple lookup channels $ℒ$ .

This generalization is not as straight-forward as it sounds, because instead of constraining the LogUp sums of each channel separately, the implementation sums them all together. Therefore, the claimed sum for every table combines the LogUp terms of all channels appearing in that table. In the end, the verifier checks that the sum total of these claimed sums equals zero.

As we argue in the introduction, this is sound if a unique pair of interaction challenges is used for each lookup channel. This is exactly what the code does.

Impact. The soundness analysis of the paper doesn’t cover the case of combining multiple lookup channels in the same LogUp sum, so it falls short of establishing soundness of the implemented protocol.

Recommendation. Align the paper with the code and cover the case of multiple lookup channels.

#0b - LogUp Constraints Differ from Stwo Whitepaper

Severity: Informational Location: cairo_air/*

Description. The whitepaper specifies the following constraints to verify the LogUp relation:

\begin{matrix} L_{Q_{n_{t} + 1}} \cdot w^{(t)} = 0, \\ T_{Q_{n_{t}}} w^{(t)} - w^{(t)} = \sum_{j = 1}^{r_{t}} u_{j}^{(t)} - \sum_{k = 1}^{s_{t}} v_{k}^{(t)}, \\ L_{Q_{n_{t} + 1}^{- 1}} \cdot (w^{(t)} - γ_{t}) = 0 \end{matrix}

In particular, there are boundary constraints to fix running sums $w^{(t)}$ to the initial value of $0$ and final value of $γ_{t}$ .

Instead, stwo-cairo uses the following, single constraint:

T_{Q_{n_{t}}} w^{(t)} - w^{(t)} + \frac{γ_{t}}{N_{t}} = \sum_{j = 1}^{r_{t}} u_{j}^{(t)} - \sum_{k = 1}^{s_{t}} v_{k}^{(t)},

where $N_{t} = 2^{n_{t}}$ is the column size. This works as well because, when summing that equation over all rows, the $w^{(t)}$ terms wrap around and cancel out, resulting in the correct equation for $γ_{t}$ :

γ_{t} = \sum_{x \in D_{t}} (\sum_{j = 1}^{r_{t}} u_{j}^{(t)} (x) - \sum_{k = 1}^{s_{t}} v_{k}^{(t)} (x)) .

Interestingly, in this formulation the verifier doesn’t care about the values of $w^{(t)}$ modulo any constant added to the entire column.

Recommendation. Update the paper to follow the same method as the code.

#0c - Non-Standard Merkle Commitments Require Soundness Proof

Severity: Informational Location: verifier_core/src/vcs/*

Description. The vector commitment scheme being used is a non-standard variant of Merkle trees. To the best of our knowledge, there are no security proofs for the extractability of such commitments or whether an IOP can be compiled to a SNARK/STARK using such commitments.

Impact. The code’s security properties may differ from the proven security in the whitepaper.

Recommendation. Prove that these multi-vector and multi-sized Merkle commitments are extractable.

#0d - Calculation of Security Bits for the PCS Only Refers to the Query Phase and Hard-Codes Conjectures

Severity: Informational Location: verifier_core/src/pcs.cairo

Description. The formula used to compute the security level of the polynomial commitment scheme (PCS) makes multiple assumptions:

the calculation assumes that the PCS soundness error is dominated by the ${(1 - θ)}^{s}$ term from the FRI soundness error.
the calculation assumes that a strengthened version of the cross-domain correlated agreement theorem holds for distance parameters up to the capacity bound for Reed-Solomon codes (and therefore Circle codes).

See fn security_bits in verifier_core/src/pcs.cairo.

Impact. These assumptions will lead to a miscalculation of the security level for users who want to operate within proven security regimes or who wish to target higher security guarantees.

For example, a user may increase the number of repetitions of the FRI query phase n_queries in hope of increasing the security level by log_blowup_factor * n_queries bits. However, it may be the case that eventually n_queries becomes large enough that the FRI soundness error is dominated by other terms (e.g., the folding phase). In an extreme scenario, the increase in n_queries might not change the security level at all.

Recommendation. Clearly document the assumptions underlying the security bits calculation and provide users with guidance on how to set parameters to achieve their desired security level.

← Back to Index

Audit of the Stwo-Cairo Verifier

Introduction

Scope

Summary and recommendations

Overview of Key Concepts

Stwo, Cairo and stwo-cairo

The M31 Field and Extensions

The flat AIR

Lookups between the tables

Circle Polynomials over QM31

Multi-vector Commitment Scheme from Merkle Trees

Circle FRI

Pipelining Circle FRI

Proving polynomial evaluations using FRI

FRI and Pipelining in Stwo-Cairo

CairoAIR

CairoVM

The AIR

The AddOpcode table

Stwo, Cairo and `stwo-cairo`

The `AddOpcode` table