Advisories for Cargo/Plonky2 package

2025

Soundness issue with Plonky2 look up tables

Lookup tables, whose length is not divisible by 26 = floor(num_routed_wires / 3) always include the 0 -> 0 input-output pair. Thus a malicious prover can always prove that f(0) = 0 for any lookup table f (unless its length happens to be divisible by 26). The cause of problem is that the LookupTableGate-s are padded with zeros. The fix is done by padding with an existing table pair, similarly …