feat(fuzz): session 59 — combined-slot fuzzers complete (PLONK + Phase-3) + docs

kh0ra · kh0ra · commit 7b4aaee4bf68 · 2026-04-27T15:23:52.000+03:00
Closes the combined-slot fuzz harness gap from session 56 — adds
4 more combined harnesses (one per Phase-2/Phase-3 system),
refactors the slot-splitting helper into the lib so all 5
combined fuzzers share it, and updates the audit-pack docs to
mirror sessions 58 + 59.

mosaic-fuzz/src/lib.rs
- New `pub fn split_three_slots(data: &amp;[u8])` — extracted from
  the session-56 Halo2 combined fuzzer; returns the same
  `(vk, proof, public_inputs)` triple from a length-prefixed
  layout (`[vk_len: u16 LE] [vk_bytes] [proof_len: u16 LE]
  [proof_bytes] [public_inputs ...]`). Returns `None` if any
  length prefix runs off the buffer.

mosaic-fuzz/fuzz_targets/fuzz_halo2_combined.rs
- Rewritten to import `split_three_slots` from the lib instead
  of defining a private copy, eliminating the duplicate parser.

4 new combined fuzz_target files in `fuzz_targets/`:
- fuzz_plonk_combined — narrowest cross-slot surface (744 B / 768
  B fixed envelopes); value is in catching parser confusions
  between them.
- fuzz_hyperplonk_combined — pins the
  `vk.num_variables == proof.sumcheck_rounds` cross-check.
- fuzz_nova_combined — pins both `vk.variant == proof.variant`
  (FoldingVariant 3-way tag) AND
  `vk.n_public == proof.n_public == public_inputs.len() / 32`.
- fuzz_stark_combined — richest cross-check fingerprint:
  field_id, trace_log_height, trace_width, log_blowup must all
  agree across slots; a coordinated lie on any would route to a
  wrong-shape Merkle path or FRI fold chain.

mosaic-fuzz/Cargo.toml
- 4 new `[[bin]]` entries plus the 5 from session 58.

README.md (Status table)
- Fuzz row updated to "23 targets across all 6 production
  verifiers" with the new 4×4 + 3 inventory breakdown.

CHANGELOG.md
- New [Unreleased] subsection "Added — sessions 58-59" with
  per-session breakdowns and the full 23-target inventory table.
- "Planned beyond session 59" block trimmed — both fuzz follow-ups
  (per-system PI fuzzers + remaining combined fuzzers) are now
  done. The remaining named pre-audit gaps are Phase-3 differential
  testing, chunked::dispatch integration, HyperPlonk Zeromorph
  reduction, and external audit commission.

After sessions 47-59 the audit-coverage milestone has these dimensions:

  - Property tests: 137 across 12 crates (sessions 36-52)
  - BPF CU bench: 7 systems (sessions 47, 49)
  - Host criterion bench: 5 systems (session 51)
  - Fuzz harnesses: 23 targets across 6 systems (sessions 54-59)

Local sanity: `cargo check -p mosaic-fuzz --lib` clean.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -169,16 +169,72 @@ After sessions 54-56 the fuzz harness inventory is **14 targets**:
 - 5 per-system vk_bytes (same five)
 - 1 combined-slot Halo2
 
-### Planned beyond session 56
+### Added — sessions 58-59 (fuzz harness completion)
+
+#### Session 58 — per-system public-input fuzzers
+Added 5 more harnesses targeting the public-input parser of each
+Phase-2 / Phase-3 system: `fuzz_{plonk, hyperplonk, halo2, nova,
+stark}_public_inputs`. Each pins its system's PI invariants:
+
+- PLONK + HyperPlonk + Halo2 + Nova: `len % 32 == 0`,
+  `len / 32 == vk.n_public`, every 32-byte chunk in Fr range.
+- STARK: length must be a multiple of
+  `field_id.field_elem_bytes()` (8 for Goldilocks, 4 for
+  BabyBear / Mersenne31).
+
+Halo2's PI feeds round-1 of the Fiat-Shamir absorb sequence — a
+regression in PI parsing would cascade into every challenge and
+break the verifier's identity check. The session-37 challenges
+proptests already pin the cascade for valid PI; this fuzzer pins
+the rejection path for invalid PI across the full byte-buffer space.
+
+#### Session 59 — combined-slot fuzzers for the remaining 4 systems
+Adds combined-slot harnesses for PLONK, HyperPlonk, Nova, and
+FRI-STARK, completing the cross-slot interaction surface coverage
+the session-56 Halo2 template demonstrated. Refactored the
+`split_three_slots` helper out of the Halo2 dump-target into
+`mosaic-fuzz::lib` so all 5 combined-fuzzer binaries share the
+same length-prefix parser.
+
+Each new combined fuzzer pins system-specific cross-checks that
+single-slot harnesses can't reach (because both slots must lie
+in a coordinated way for the bug to surface):
+
+- PLONK: 744 B / 768 B fixed envelopes (narrowest cross-slot
+  surface; value is in catching parser confusions between the
+  two envelopes).
+- HyperPlonk: `vk.num_variables == proof.sumcheck_rounds`
+  cross-check.
+- Nova: `vk.variant == proof.variant` (FoldingVariant 3-way) +
+  `vk.n_public == proof.n_public == public_inputs.len() / 32`.
+- STARK: richest cross-check fingerprint of any verifier:
+  `vk.field_id == proof.field_id`,
+  `vk.trace_log_height == proof.trace_log_height`,
+  `vk.trace_width == proof.trace_width`,
+  `vk.log_blowup == proof.log_blowup`. A coordinated lie on any
+  of these would route the verifier to a wrong-shape Merkle path
+  or FRI fold chain.
+
+After sessions 58-59 the fuzz harness inventory is **23 targets**
+across all 6 production verifier surfaces:
+
+  Phase-1 Groth16 (3 original)
+    fuzz_groth16_proof_bytes, fuzz_vk_bytes, fuzz_public_inputs
+
+  Phase-2 KZG-PLONK (4)
+    fuzz_plonk_{proof_bytes, vk_bytes, public_inputs, combined}
+
+  Phase-3 HyperPlonk + Halo2 + Nova + FRI-STARK (16)
+    fuzz_hyperplonk_{proof_bytes, vk_bytes, public_inputs, combined}
+    fuzz_halo2_{proof_bytes, vk_bytes, public_inputs, combined}
+    fuzz_nova_{proof_bytes, vk_bytes, public_inputs, combined}
+    fuzz_stark_{proof_bytes, vk_bytes, public_inputs, combined}
+
+### Planned beyond session 59
 
 - Fixture-driven differential testing for the four Phase-3 bodies
   (Espresso HyperPlonk, PSE Halo2, sonobe Nova, Plonky3 STARK).
   **Last named pre-audit gap on the Phase-3 verifier track.**
-- Per-system public-input fuzzers (PLONK + Phase-3) — near-trivial
-  follow-up to session 55, deferred only to keep commit boundaries
-  clean.
-- Combined-slot fuzzers for the remaining 4 systems (HyperPlonk,
-  Nova, STARK, PLONK) — copy of the session-56 Halo2 template.
 - `mosaic-program::chunked::dispatch` integration tests via
   `solana-program-test` with synthesized `AccountInfo`.
 - HyperPlonk full Zeromorph / PST / Gemini reduction (canonical
diff --git a/README.md b/README.md
@@ -59,7 +59,7 @@ frozen CU budgets.
 | Property-test coverage (proptest, sessions 36-52) | ✅ 534 lib tests across 12 crates (+137 proptest in audit-coverage sweep) | — |
 | BPF CU regression bench (`bpf-bench`) | ✅ 7 systems: Groth16 (single + batch), KZG-PLONK, HyperPlonk, Halo2, Nova, FRI-STARK | — |
 | Host criterion bench (wall-clock baseline) | ✅ 5 systems: Groth16, HyperPlonk, Halo2, Nova, FRI-STARK | — |
-| Fuzz harnesses (sessions 54-56) | ✅ 14 targets across all 6 production verifiers (5 proof-bytes, 5 vk-bytes, 1 combined-slot Halo2, 3 original Groth16) | — |
+| Fuzz harnesses (sessions 54-59) | ✅ 23 targets across all 6 production verifiers (5 proof-bytes + 5 vk-bytes + 5 public-inputs + 5 combined-slot for PLONK + 4 Phase-3, plus 3 original Groth16) | — |
 | External audit | 🔴 Not yet commissioned | — |
 
 See [`AUDIT.md`](AUDIT.md) for audit history and [`SECURITY.md`](SECURITY.md)
diff --git a/crates/mosaic-fuzz/Cargo.toml b/crates/mosaic-fuzz/Cargo.toml
@@ -160,5 +160,33 @@ path = "fuzz_targets/fuzz_stark_public_inputs.rs"
 test = false
 doc = false
 
+# ───────────────────────────────────────────────────────────────────────
+# Session 59 — combined-slot fuzzers for the remaining 4 systems
+# ───────────────────────────────────────────────────────────────────────
+
+[[bin]]
+name = "fuzz_plonk_combined"
+path = "fuzz_targets/fuzz_plonk_combined.rs"
+test = false
+doc = false
+
+[[bin]]
+name = "fuzz_hyperplonk_combined"
+path = "fuzz_targets/fuzz_hyperplonk_combined.rs"
+test = false
+doc = false
+
+[[bin]]
+name = "fuzz_nova_combined"
+path = "fuzz_targets/fuzz_nova_combined.rs"
+test = false
+doc = false
+
+[[bin]]
+name = "fuzz_stark_combined"
+path = "fuzz_targets/fuzz_stark_combined.rs"
+test = false
+doc = false
+
 [lints]
 workspace = true
diff --git a/crates/mosaic-fuzz/fuzz_targets/fuzz_halo2_combined.rs b/crates/mosaic-fuzz/fuzz_targets/fuzz_halo2_combined.rs
@@ -37,40 +37,11 @@
 
 use libfuzzer_sys::fuzz_target;
 use mosaic_core::{proof_system::ProofSystem, syscall::host::HostBackend};
+use mosaic_fuzz::split_three_slots;
 use mosaic_halo2::Halo2KzgBn254;
 
-fn split_three(data: &[u8]) -> Option<(&[u8], &[u8], &[u8])> {
-    let mut cursor = data;
-
-    // vk_len (u16 LE).
-    if cursor.len() < 2 {
-        return None;
-    }
-    let (lp, rest) = cursor.split_at(2);
-    let vk_len = u16::from_le_bytes([lp[0], lp[1]]) as usize;
-    if rest.len() < vk_len {
-        return None;
-    }
-    let (vk, rest) = rest.split_at(vk_len);
-    cursor = rest;
-
-    // proof_len (u16 LE).
-    if cursor.len() < 2 {
-        return None;
-    }
-    let (lp, rest) = cursor.split_at(2);
-    let proof_len = u16::from_le_bytes([lp[0], lp[1]]) as usize;
-    if rest.len() < proof_len {
-        return None;
-    }
-    let (proof, public_inputs) = rest.split_at(proof_len);
-
-    // Whatever remains is the public-inputs slot.
-    Some((vk, proof, public_inputs))
-}
-
 fuzz_target!(|data: &[u8]| {
-    let Some((vk, proof, public_inputs)) = split_three(data) else {
+    let Some((vk, proof, public_inputs)) = split_three_slots(data) else {
         return;
     };
     let backend = HostBackend::new();
diff --git a/crates/mosaic-fuzz/fuzz_targets/fuzz_hyperplonk_combined.rs b/crates/mosaic-fuzz/fuzz_targets/fuzz_hyperplonk_combined.rs
@@ -0,0 +1,24 @@
+//! Fuzz harness — HyperPlonk-KZG combined-slot fuzzer.
+//!
+//! Session 59 — cross-slot interaction surface for HyperPlonk. The
+//! `vk.num_variables == proof.sumcheck_rounds` cross-check is the
+//! core invariant a combined fuzzer can hit that single-slot
+//! harnesses can't: both slots must lie about the same shape
+//! parameter for the bug to surface. The harness explores that
+//! coordinated misalignment automatically.
+
+#![no_main]
+
+use libfuzzer_sys::fuzz_target;
+use mosaic_core::{proof_system::ProofSystem, syscall::host::HostBackend};
+use mosaic_fuzz::split_three_slots;
+use mosaic_hyperplonk::HyperPlonkKzgBn254;
+
+fuzz_target!(|data: &[u8]| {
+    let Some((vk, proof, public_inputs)) = split_three_slots(data) else {
+        return;
+    };
+    let backend = HostBackend::new();
+    let v = HyperPlonkKzgBn254::new(&backend);
+    let _ = ProofSystem::verify(&v, vk, proof, public_inputs);
+});
diff --git a/crates/mosaic-fuzz/fuzz_targets/fuzz_nova_combined.rs b/crates/mosaic-fuzz/fuzz_targets/fuzz_nova_combined.rs
@@ -0,0 +1,27 @@
+//! Fuzz harness — Nova folding combined-slot fuzzer.
+//!
+//! Session 59 — cross-slot interaction surface for Nova. Two cross-
+//! checks need coordinated misalignment to surface:
+//!
+//! - `vk.variant == proof.variant` (FoldingVariant 3-way tag must
+//!   agree across both slots).
+//! - `vk.n_public == proof.n_public == public_inputs.len() / 32`.
+//!
+//! The combined fuzzer can vary all three slots independently and
+//! hit coordinated lies that single-slot harnesses can't reach.
+
+#![no_main]
+
+use libfuzzer_sys::fuzz_target;
+use mosaic_core::{proof_system::ProofSystem, syscall::host::HostBackend};
+use mosaic_fuzz::split_three_slots;
+use mosaic_nova::NovaFolding;
+
+fuzz_target!(|data: &[u8]| {
+    let Some((vk, proof, public_inputs)) = split_three_slots(data) else {
+        return;
+    };
+    let backend = HostBackend::new();
+    let v = NovaFolding::new(&backend);
+    let _ = ProofSystem::verify(&v, vk, proof, public_inputs);
+});
diff --git a/crates/mosaic-fuzz/fuzz_targets/fuzz_plonk_combined.rs b/crates/mosaic-fuzz/fuzz_targets/fuzz_plonk_combined.rs
@@ -0,0 +1,26 @@
+//! Fuzz harness — KZG-PLONK combined-slot fuzzer.
+//!
+//! Session 59 — cross-slot interaction surface for PLONK. Mirrors
+//! the session-56 Halo2 combined-fuzzer template with PLONK as the
+//! verifier under test. Both PLONK's VK (744 B fixed) and proof
+//! (768 B fixed) are fixed-length envelopes, so the cross-slot
+//! interaction surface is narrower than Halo2's; the value is in
+//! catching length-mismatch routing bugs that the per-slot harnesses
+//! can't reach (e.g. a parser that confuses the two 744 B / 768 B
+//! envelopes).
+
+#![no_main]
+
+use libfuzzer_sys::fuzz_target;
+use mosaic_core::{proof_system::ProofSystem, syscall::host::HostBackend};
+use mosaic_fuzz::split_three_slots;
+use mosaic_plonk::PlonkKzgBn254;
+
+fuzz_target!(|data: &[u8]| {
+    let Some((vk, proof, public_inputs)) = split_three_slots(data) else {
+        return;
+    };
+    let backend = HostBackend::new();
+    let v = PlonkKzgBn254::new(&backend);
+    let _ = ProofSystem::verify(&v, vk, proof, public_inputs);
+});
diff --git a/crates/mosaic-fuzz/fuzz_targets/fuzz_stark_combined.rs b/crates/mosaic-fuzz/fuzz_targets/fuzz_stark_combined.rs
@@ -0,0 +1,30 @@
+//! Fuzz harness — FRI-STARK combined-slot fuzzer.
+//!
+//! Session 59 — cross-slot interaction surface for FRI-STARK. The
+//! richest cross-check fingerprint of any verifier in the workspace:
+//!
+//! - `vk.field_id == proof.field_id` (StarkFieldId 3-way tag).
+//! - `vk.trace_log_height == proof.trace_log_height`
+//! - `vk.trace_width == proof.trace_width`
+//! - `vk.log_blowup == proof.log_blowup`
+//!
+//! Each must agree across slots; a coordinated lie on any of these
+//! would route the verifier to a wrong-shape Merkle path or FRI
+//! fold chain. The combined fuzzer explores every such coordinated
+//! misalignment automatically.
+
+#![no_main]
+
+use libfuzzer_sys::fuzz_target;
+use mosaic_core::{proof_system::ProofSystem, syscall::host::HostBackend};
+use mosaic_fuzz::split_three_slots;
+use mosaic_stark::FriStark;
+
+fuzz_target!(|data: &[u8]| {
+    let Some((vk, proof, public_inputs)) = split_three_slots(data) else {
+        return;
+    };
+    let backend = HostBackend::new();
+    let v = FriStark::new(&backend);
+    let _ = ProofSystem::verify(&v, vk, proof, public_inputs);
+});
diff --git a/crates/mosaic-fuzz/src/lib.rs b/crates/mosaic-fuzz/src/lib.rs
@@ -60,6 +60,47 @@ impl Default for SharedFixtures {
     }
 }
 
+/// Split a libfuzzer input buffer into three length-prefixed slots
+/// `(vk_bytes, proof_bytes, public_inputs_bytes)`. Returns `None` if
+/// any length prefix runs off the end of the buffer.
+///
+/// Layout: `[vk_len: u16 LE] [vk_bytes] [proof_len: u16 LE]
+/// [proof_bytes] [public_inputs ...]`
+///
+/// Used by `fuzz_*_combined.rs` (sessions 56, 59) to explore a
+/// coordinate in `(vk, proof, pi)` space rather than the 1-D slice
+/// the per-slot harnesses cover. See the rationale comment in
+/// `fuzz_halo2_combined.rs` for why combined fuzzers complement
+/// the single-slot variants.
+pub fn split_three_slots(data: &[u8]) -> Option<(&[u8], &[u8], &[u8])> {
+    let cursor = data;
+
+    // vk_len (u16 LE).
+    if cursor.len() < 2 {
+        return None;
+    }
+    let (lp, rest) = cursor.split_at(2);
+    let vk_len = u16::from_le_bytes([lp[0], lp[1]]) as usize;
+    if rest.len() < vk_len {
+        return None;
+    }
+    let (vk, rest) = rest.split_at(vk_len);
+
+    // proof_len (u16 LE).
+    if rest.len() < 2 {
+        return None;
+    }
+    let (lp, rest) = rest.split_at(2);
+    let proof_len = u16::from_le_bytes([lp[0], lp[1]]) as usize;
+    if rest.len() < proof_len {
+        return None;
+    }
+    let (proof, public_inputs) = rest.split_at(proof_len);
+
+    // Whatever remains is the public-inputs slot.
+    Some((vk, proof, public_inputs))
+}
+
 // ─────────────────────────────────────────────────────────────────────
 // Session 54 — Phase-2 + Phase-3 fixture builders.
 //
