Vulnerable File: circuits/sbox128.circom
commit: 4984d68467b87ddf14c2e725dcfb753be3c92528
AES/S-box-style constructions require inversion in GF(2^8). FieldInv()(in) will compute the multiplicative inverse in the circuit’s prime field (the SNARK field), not in GF(2^8). Bit-decomposing that prime-field inverse and applying an affine map does not implement the AES S-box (or any GF(2^8) S-box). This yields incorrect behavior and can invalidate any protocol relying on the standard S-box semantics.
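To make the finding concrete, the following added example (not code from the audited repository) builds the AES S-box the correct way, with inversion in GF(2^8) followed by the AES affine map, and beside it models the flawed construction: a prime-field inverse whose low byte is fed to the same affine map. The prime field is an assumed toy modulus p = 257 standing in for the roughly 254-bit SNARK scalar field; the mismatch it exhibits does not depend on which prime is used.

```python
# Added example: GF(2^8) S-box inversion versus prime-field inversion.
# Nothing here is from the audited circuits/sbox128.circom; it is a
# Python reference model of the two constructions.

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the AES reduction polynomial


def gf_mul(a, b):
    """Multiply two elements of GF(2^8) modulo the AES polynomial."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r


def gf_inv(a):
    """Multiplicative inverse in GF(2^8); the AES convention maps 0 to 0."""
    if a == 0:
        return 0
    # The multiplicative group has order 255, so a^254 = a^(-1).
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def aes_affine(b):
    """AES affine map: b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4) ^ 0x63."""
    def rotl(x, n):
        return ((x << n) | (x >> (8 - n))) & 0xFF
    return b ^ rotl(b, 1) ^ rotl(b, 2) ^ rotl(b, 3) ^ rotl(b, 4) ^ 0x63


def aes_sbox(x):
    """Correct S-box: GF(2^8) inverse, then the affine map."""
    return aes_affine(gf_inv(x))


# Assumption: a toy prime p = 257 stands in for the SNARK scalar field.
# Every byte value is a field element, so the comparison is well defined.
P = 257


def prime_field_inv(a, p=P):
    """Multiplicative inverse modulo p, with 0 -> 0 (FieldInv-style semantics)."""
    return 0 if a % p == 0 else pow(a, p - 2, p)


def flawed_sbox(x, p=P):
    """Model of the reported construction: prime-field inverse, bit-decompose
    (here: keep the low 8 bits), then apply the AES affine map."""
    inv = prime_field_inv(x, p)
    return aes_affine(inv & 0xFF)


def mismatches(p=P):
    """Inputs on which the flawed construction disagrees with the AES S-box."""
    return [x for x in range(256) if flawed_sbox(x, p) != aes_sbox(x)]


if __name__ == "__main__":
    # 0x53 is the textbook example: its GF(2^8) inverse is 0xCA and S(0x53) = 0xED.
    print(hex(gf_inv(0x53)), hex(aes_sbox(0x53)), hex(flawed_sbox(0x53)))
    print(f"{len(mismatches())} of 256 inputs differ from the AES S-box")
```

Running it shows that the two constructions only agree on inputs such as 0 and 1, where both inverses happen to coincide; for almost every other byte the prime-field path produces a different output, which is exactly why a circuit built this way cannot be used to prove statements about real AES.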