Description
Vulnerable File: circuits/aes-gcm/aes-gctr-foldable.circom
commit: 65f823fc5606fca74440fb0de939ae07a3c39a80
The code increments the last 32-bit word (the last column in the AES state) via IncrementWord() and sets J0[3] to that value, which is correct.
But you then export the fold “counter” as:
```circom
// Exports J0[0][3], J0[1][3], J0[2][3], J0[3][3]: the last byte of each word
for (var i = 0; i < 4; i++) {
    counter[i] <== J0[i][3];
}
```
This takes the last byte of each column (a row) instead of the 4 bytes of the last column. The correct carry-forward for CTR is the last column, i.e. the 32-bit counter word you just incremented.
Effect: the next fold will ingest an incorrect counter, mixing IV bytes with only one counter byte. This can desynchronize the counter, cause keystream block reuse or otherwise break the intended CTR sequence.
Fix: output the last column, not the last row. For example:
```circom
// Assign the whole counter word at once ...
counter <== J0[3];
// ... or byte by byte (use one form or the other, not both, since each one constrains counter)
for (var i = 0; i < 4; i++) {
    counter[i] <== J0[3][i];
}
```
}
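The carry-forward problem the issue describes, as an added Python model that is not the reporter's code and not the project's circuit. It assumes the layout the report implies, J0 held as J0[word][byte] with word 3 being the 32-bit counter word that IncrementWord() touches, and a simplified fold: each fold consumes its current J0 as one counter block, increments word 3, and exports a four-byte "counter" that the next fold places into word 3 under the same IV. No AES is run and the IV is a constructed value; only the counter blocks are tracked, which is enough to show the desynchronisation at the second fold and, once the low counter byte wraps, the counter-block reuse.

```python
"""Model of the fold counter carry-forward from the issue (added example).

Assumptions, not taken from the circuit:
  * J0 is J0[word][byte]: four 32-bit words, word 3 is the counter word;
  * a fold uses its J0 as one counter block, increments word 3 (modelling
    IncrementWord()) and exports a 4-byte counter that the next fold ingests
    as its word 3 underneath the same IV.
"""
from typing import Callable, Dict, List, Optional, Tuple

Word = List[int]
State = List[Word]  # J0[word][byte]

# Constructed 96-bit IV; distinct bytes so they are recognisable in output.
IV = bytes(range(0xA0, 0xAC))


def increment_word(word: Word) -> Word:
    """inc32: big-endian increment of one 32-bit word, wrapping mod 2^32."""
    value = (int.from_bytes(bytes(word), "big") + 1) & 0xFFFFFFFF
    return list(value.to_bytes(4, "big"))


def make_j0(iv: bytes, counter_word: Word) -> State:
    """J0 = IV (three words) || counter word, in the J0[word][byte] layout."""
    assert len(iv) == 12 and len(counter_word) == 4
    return [list(iv[0:4]), list(iv[4:8]), list(iv[8:12]), list(counter_word)]


def export_counter_buggy(j0: State) -> Word:
    """What the issue says is exported: J0[i][3] for i in 0..3, i.e. the last
    byte of every word (three IV bytes plus one counter byte)."""
    return [j0[i][3] for i in range(4)]


def export_counter_fixed(j0: State) -> Word:
    """The proposed fix: the whole counter word J0[3]."""
    return list(j0[3])


def counter_blocks(iv: bytes, folds: int,
                   export: Callable[[State], Word]) -> List[bytes]:
    """Counter block consumed by each of `folds` successive folds."""
    j0 = make_j0(iv, [0, 0, 0, 1])
    blocks: List[bytes] = []
    for _ in range(folds):
        blocks.append(bytes(sum(j0, [])))   # block this fold keys its keystream from
        j0[3] = increment_word(j0[3])       # IncrementWord() on the counter word
        j0 = make_j0(iv, export(j0))        # next fold ingests the exported counter
    return blocks


def first_repeat(blocks: List[bytes]) -> Optional[Tuple[int, int]]:
    """Indices of the first counter block that is used twice, or None."""
    seen: Dict[bytes, int] = {}
    for idx, block in enumerate(blocks):
        if block in seen:
            return (seen[block], idx)
        seen[block] = idx
    return None


if __name__ == "__main__":
    for name, export in (("buggy", export_counter_buggy),
                         ("fixed", export_counter_fixed)):
        blocks = counter_blocks(IV, 258, export)
        print(name, "fold-2 counter word:", blocks[1][12:].hex(),
              "first repeated block:", first_repeat(blocks))
```

With the buggy export the second fold already runs on counter word a3a7ab02 instead of 00000002 (IV bytes 3, 7 and 11 with the low counter byte), and because only that low byte survives each export, the counter wraps back after 256 folds and fold 258 reuses the counter block of fold 2. The fixed export yields counters 1, 2, 3, ... with no repeat.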