Skip to content

fix(ICofhe): add securityZone parameter to Utils.inputFromHashAndProof#67

Open
amathxbt wants to merge 1 commit into
FhenixProtocol:masterfrom
amathxbt:fix/input-from-hash-security-zone-parameter
Open

fix(ICofhe): add securityZone parameter to Utils.inputFromHashAndProof#67
amathxbt wants to merge 1 commit into
FhenixProtocol:masterfrom
amathxbt:fix/input-from-hash-security-zone-parameter

Conversation

@amathxbt
Copy link
Copy Markdown

@amathxbt amathxbt commented May 3, 2026

Summary

Utils.inputFromHashAndProof in contracts/ICofhe.sol always constructs an EncryptedInput with securityZone: 0, regardless of the actual security zone the ciphertext was created for. This silently breaks any caller that uses a non-zero security zone.

Bug

// Before
function inputFromHashAndProof(bytes32 hash, bytes memory signature, uint8 utype)
    internal pure returns (EncryptedInput memory)
{
    return EncryptedInput({
        ctHash: uint256(hash),
        securityZone: 0,    // ← always 0, ignores multi-zone configurations
        utype: utype,
        signature: signature
    });
}

Impact: When a ciphertext is created on security zone 1 (or any zone ≠ 0) and the caller builds its EncryptedInput via inputFromHashAndProof, the resulting struct has securityZone: 0. The CoFHE task manager then validates the input against zone 0's public key rather than zone 1's, causing verifyInput to fail with a cryptographic verification error that is difficult to diagnose.

All other inputFrom* helpers (inputFromEuint8, inputFromEuint64, etc.) correctly propagate securityZone from the input struct. inputFromHashAndProof is the only outlier.

Fix

Add a four-argument overload that accepts an explicit securityZone parameter. The original three-argument signature is kept as a backward-compatible convenience wrapper defaulting to zone 0.

@amathxbt
fix: add securityZone parameter to inputFromHashAndProof in Utils lib…
e346b75 
…rary

The existing inputFromHashAndProof(hash, signature, utype) always created
an EncryptedInput with securityZone=0, ignoring the actual security zone
of the underlying ciphertext. Callers using security zones other than 0
(multi-zone deployments) would submit inputs with the wrong zone, causing
verifyInput to fail on-chain with no clear error.

Add a securityZone-aware four-argument overload that exposes the full
EncryptedInput constructor. Preserve backward compatibility by keeping
the original three-argument signature as a convenience wrapper that
forwards securityZone=0 to the new overload.
@amathxbt amathxbt requested a review from a team as a code owner May 3, 2026 10:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@amathxbt