Vulnerable File: circuits/sbox128.circom
commit: 4984d68467b87ddf14c2e725dcfb753be3c92528
The input in is never constrained to be a byte. Meanwhile, Num2Bits(8)(inv) forces inv to lie in [0, 255]. Combined with inv = in^{-1} (inversion over the prime field, not in GF(2^8), where every nonzero byte has a byte inverse), this restricts in to the set of prime-field elements whose field inverse is below 256, i.e. the inverses of 1..255, almost all of which are far larger than a byte. Of the 256 intended byte inputs only in = 1 has a witness (for a byte b > 1 the product b * inv with inv < 256 cannot reach 1 mod p, and in = 0 has no inverse at all), so the circuit is unsatisfiable for most intended byte inputs and does not implement a proper 8-bit S-box mapping.
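As an added illustration that is not part of the report and not code from circuits/sbox128.circom, the following Python models the two constraints the finding describes (inv * in = 1 over the prime field, and 0 <= inv < 256 from Num2Bits(8)) and enumerates which inputs admit a witness. It assumes the circuit is compiled over circom's default BN254 scalar field; the GF(2^8) inversion at the end (AES polynomial 0x11B) is included only to contrast with what an 8-bit S-box needs, not because the page states the circuit targets AES.

```python
# Added example: model of the constraint system described in the finding.
# Not the project's code; the field prime is an assumption (circom default BN254 r).
P = 21888242871839275222246405745257275088548364400416034343698204186575808495617


def field_inv(x, p=P):
    """Multiplicative inverse in the prime field (Fermat); 0 has none."""
    if x % p == 0:
        raise ZeroDivisionError("0 has no inverse in the prime field")
    return pow(x, p - 2, p)


def witness_exists(in_val, p=P):
    """Return the unique inv satisfying both modelled constraints, or None.

    (1) in * inv == 1 over the prime field   (inv = in^{-1})
    (2) Num2Bits(8)(inv): 0 <= inv < 256
    Nothing constrains `in` itself to be a byte.
    """
    if in_val % p == 0:
        return None  # constraint (1) cannot hold for in = 0
    inv = field_inv(in_val, p)
    return inv if inv < 256 else None


def satisfiable_inputs(p=P):
    """Every `in` the circuit accepts: the field inverses of inv = 1..255 (dict inv -> in)."""
    return {inv: field_inv(inv, p) for inv in range(1, 256)}


def unsatisfiable_bytes(p=P):
    """Intended byte inputs 0..255 for which no witness exists."""
    return [b for b in range(256) if witness_exists(b, p) is None]


# Contrast: inversion in GF(2^8) with the AES reduction polynomial x^8+x^4+x^3+x+1.
def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo 0x11B."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def gf_inv(x):
    """x^254 == x^-1 in GF(2^8); 0 maps to 0 by the usual S-box convention."""
    if x == 0:
        return 0
    r, base, e = 1, x, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r


if __name__ == "__main__":
    bad = unsatisfiable_bytes()
    print(f"byte inputs with no witness: {len(bad)} of 256")
    print(f"in = 2 needs inv = {field_inv(2)} (> 255, rejected by Num2Bits(8))")
    accepted = satisfiable_inputs()
    print(f"accepted inputs that are bytes: {[v for v in accepted.values() if v < 256]}")
    print(f"GF(2^8): inverse of 0x53 is {gf_inv(0x53):#04x}, always a byte")
```

The enumeration shows the two halves of the finding side by side: under the prime-field constraint only in = 1 survives among bytes while 255 non-byte field elements are accepted, whereas GF(2^8) inversion returns a byte for every byte, which is the closure an S-box mapping requires.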