pub fn handle_aead_decrypt(
    process: &ProcessorState<'_>,
) -> Result<Vec<AdviceMutation>, EventError>
Event handler for AEAD decryption.
This handler is called when the VM emits an AEAD_DECRYPT_EVENT. It reads the full ciphertext (including padding block) and tag from memory, performs decryption and tag verification using AEAD-Poseidon2, then pushes the plaintext onto the advice stack.
Process:
- Reads full ciphertext from memory at src_ptr ((num_blocks + 1) * 8 elements)
- Reads authentication tag from memory at src_ptr + (num_blocks + 1) * 8
- Constructs EncryptedData and decrypts using AEAD-Poseidon2
- Extracts only the data blocks (first num_blocks * 8 elements) from plaintext
- Pushes the data blocks (WITHOUT padding) onto the advice stack in reverse order
Memory layout at src_ptr:
- [ciphertext_blocks(num_blocks * 8), encrypted_padding(8), tag(4)]
- This handler reads ALL elements: data blocks + padding + tag
The MASM decrypt procedure will then:
- Load the plaintext data blocks from advice stack and write to dst_ptr using adv_pipe
- Call encrypt which reads the data blocks and adds padding automatically
- Re-encrypt data + padding to compute authentication tag
- Compare computed tag with expected tag and halt if they don’t match
Non-determinism soundness: Using advice for decryption is cryptographically sound because:
- The MASM procedure re-verifies the tag when decrypting
- The deterministic encryption creates a bijection between plaintext and ciphertext
- A malicious prover cannot provide incorrect plaintext without causing tag mismatch
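The memory layout and advice-stack ordering described above, as an added Rust model that is not the project's own code: field elements are modelled as u64, the `decrypt` closure is a caller-supplied stand-in for AEAD-Poseidon2 (not the real primitive), and all names (`read_layout`, `advice_pushes`, `handle_decrypt_model`, `pop_all`) are hypothetical. The model also shows the bounds and length checks a handler needs before it can trust `num_blocks`.

```rust
// Model of the AEAD_DECRYPT_EVENT handler's memory reads and advice pushes.
// Assumptions: Felt = u64 stand-in; `decrypt` replaces AEAD-Poseidon2; names are hypothetical.
type Felt = u64;
const BLOCK_LEN: usize = 8; // elements per block
const TAG_LEN: usize = 4;   // elements in the authentication tag

/// Conditions a handler must reject before reading memory or pushing advice.
#[derive(Debug, PartialEq)]
pub enum LayoutError { OutOfBounds, BadPlaintextLen }

/// Split memory at `src_ptr` into (ciphertext incl. padding block, tag), following
/// the layout [ciphertext_blocks(num_blocks*8), encrypted_padding(8), tag(4)].
pub fn read_layout(mem: &[Felt], src_ptr: usize, num_blocks: usize)
    -> Result<(&[Felt], &[Felt]), LayoutError> {
    let ct_len = (num_blocks + 1) * BLOCK_LEN; // data blocks plus the padding block
    let tag_start = src_ptr.checked_add(ct_len).ok_or(LayoutError::OutOfBounds)?;
    let end = tag_start.checked_add(TAG_LEN).ok_or(LayoutError::OutOfBounds)?;
    if end > mem.len() { return Err(LayoutError::OutOfBounds); }
    Ok((&mem[src_ptr..tag_start], &mem[tag_start..end]))
}

/// Build the push sequence for the advice stack: only the data blocks (padding
/// dropped), pushed in reverse so the MASM side pops them back in memory order.
pub fn advice_pushes(plaintext: &[Felt], num_blocks: usize) -> Result<Vec<Felt>, LayoutError> {
    let data_len = num_blocks * BLOCK_LEN;
    if plaintext.len() != data_len + BLOCK_LEN { return Err(LayoutError::BadPlaintextLen); }
    Ok(plaintext[..data_len].iter().rev().copied().collect())
}

/// End-to-end model of the handler; `decrypt(ciphertext, tag)` stands in for AEAD-Poseidon2.
pub fn handle_decrypt_model<F>(mem: &[Felt], src_ptr: usize, num_blocks: usize, decrypt: F)
    -> Result<Vec<Felt>, LayoutError>
where F: Fn(&[Felt], &[Felt]) -> Vec<Felt> {
    let (ct, tag) = read_layout(mem, src_ptr, num_blocks)?;
    advice_pushes(&decrypt(ct, tag), num_blocks)
}

/// Drain the advice stack the way adv_pipe consumes it: last pushed comes out first,
/// so a reversed push sequence yields the data blocks in their original memory order.
pub fn pop_all(mut stack: Vec<Felt>) -> Vec<Felt> {
    let mut out = Vec::with_capacity(stack.len());
    while let Some(v) = stack.pop() { out.push(v); }
    out
}
```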