Description
Overview
There is a bug in the BLAKE2s hashing code of the sphincs-plus package (`blake2s.cairo`). `hash_update` discards the chaining value returned by `blake2s_compress`, so every full 64-byte block fed to the hasher is silently ignored and only the trailing partial block is actually absorbed: the digest depends on a message's suffix rather than on its full contents. Because SPHINCS+ verification recomputes the public key from the signature through this hash, the package produces an incorrect public key, and it performs far less hashing work than a correct verifier would.
Root Cause
```cairo
pub fn hash_update(ref state: HashState, mut data: Span<u32>) {
    while let Some(chunk) = data.multi_pop_front::<16>() {
        state.byte_len += 64;
        // Bug: the new chaining value returned here is never stored.
        blake2s_compress(state.h, state.byte_len, *chunk);
    }
}
```

`hash_update` passes `state.h` to `blake2s_compress`, intending to accumulate the chaining state across chunks. But `blake2s_compress` does not modify `state.h` in place; it is a pure function that returns the new state of the hasher after absorbing the current chunk. Since that return value is never assigned back to `state.h`, the call has no effect: `state.byte_len` advances, but `state.h` stays at its initial value for the whole loop. The final digest is therefore computed from the initial state, the total length and only the last block handled in finalization, so the Cairo package ignores most of the hashing work and verifies SPHINCS+ signatures incorrectly.
Fix
pub fn hash_update(ref state: HashState, mut data: Span<u32>) {
while let Some(chunk) = data.multi_pop_front::<16>() {
state.byte_len += 64;
+ state.h = blake2s_compress(state.h, state.byte_len, *chunk);
- blake2s_compress(state.h, state.byte_len, *chunk);
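Review bot: the hunk shows no regression test, and the only kind of test vector that would catch this bug is one longer than a single 64-byte block: RFC 7693's `abc` never enters the `while let` loop and passes with or without the assignment to `state.h`. Also check the finalization path, not shown here, for the same pattern of discarding the value returned by the compress call; and the `+` line is listed before the `-` line it replaces, the reverse of conventional diff order.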