fix: Add free witness tag to field constructor (#16827)

Missed setting free witness in one of constructors before

Author: Rumata888

barretenberg/cpp/src/barretenberg/stdlib/primitives/bigfield/bigfield.test.cpp

@@ -100,6 +100,8 @@ template <typename Builder> class stdlib_bigfield : public testing::Test {
         fr elt_native_lo = fr(uint256_t(elt_native).slice(0, fq_ct::NUM_LIMB_BITS * 2));
         fr elt_native_hi = fr(uint256_t(elt_native).slice(fq_ct::NUM_LIMB_BITS * 2, fq_ct::NUM_LIMB_BITS * 4));
         fq_ct elt_ct(witness_ct(builder, elt_native_lo), witness_ct(builder, elt_native_hi));
+        // UNset free witness tag so we don't have to unset it in every test
+        elt_ct.unset_free_witness_tag();
         return std::make_pair(elt_native, elt_ct);
     }
 

barretenberg/cpp/src/barretenberg/stdlib/primitives/bigfield/bigfield_impl.hpp

@@ -223,6 +223,8 @@ template <typename Builder, typename T> bigfield<Builder, T>::bigfield(const byt
         const uint256_t hi_nibble_shift = uint256_t(1) << 4;
         const field_t<Builder> sum = lo_nibble + (hi_nibble * hi_nibble_shift);
         sum.assert_equal(split_byte);
+        lo_nibble.set_origin_tag(split_byte.tag);
+        hi_nibble.set_origin_tag(split_byte.tag);
         return std::make_pair(lo_nibble, hi_nibble);
     };
 
@@ -1892,7 +1894,6 @@ template <typename Builder, typename T> void bigfield<Builder, T>::assert_less_t
 template <typename Builder, typename T> void bigfield<Builder, T>::assert_equal(const bigfield& other) const
 {
     Builder* ctx = this->context ? this->context : other.context;
-    (void)OriginTag(get_origin_tag(), other.get_origin_tag());
     if (is_constant() && other.is_constant()) {
         std::cerr << "bigfield: calling assert equal on 2 CONSTANT bigfield elements...is this intended?" << std::endl;
         BB_ASSERT_EQ(get_value(), other.get_value(), "We expect constants to be less than the target modulus");
@@ -1922,6 +1923,12 @@ template <typename Builder, typename T> void bigfield<Builder, T>::assert_equal(
         return;
     } else {
 
+        // Remove tags, we don't want to cause violations on assert_equal
+        const auto original_tag = get_origin_tag();
+        const auto other_original_tag = other.get_origin_tag();
+        set_origin_tag(OriginTag());
+        other.set_origin_tag(OriginTag());
+
         bigfield diff = *this - other;
         const uint512_t diff_val = diff.get_value();
         const uint512_t modulus(target_basis.modulus);
@@ -1938,6 +1945,10 @@ template <typename Builder, typename T> void bigfield<Builder, T>::assert_equal(
                             false,
                             num_quotient_bits);
         unsafe_evaluate_multiply_add(diff, { one() }, {}, quotient, { zero() });
+
+        // Restore tags
+        set_origin_tag(original_tag);
+        other.set_origin_tag(other_original_tag);
     }
 }
 

barretenberg/cpp/src/barretenberg/stdlib/primitives/field/field.cpp

@@ -29,7 +29,9 @@ field_t<Builder>::field_t(const witness_t<Builder>& value)
     , additive_constant(bb::fr::zero())
     , multiplicative_constant(bb::fr::one())
     , witness_index(value.witness_index)
-{}
+{
+    set_free_witness_tag();
+}
 
 template <typename Builder>
 field_t<Builder>::field_t(Builder* parent_context, const bb::fr& value)

barretenberg/cpp/src/barretenberg/stdlib/primitives/field/field.test.cpp

@@ -1326,8 +1326,8 @@ template <typename Builder> class stdlib_field : public testing::Test {
             uint256_t(bb::fr::random_element()) & ((uint256_t(1) << grumpkin::MAX_NO_WRAP_INTEGER_BIT_LENGTH) - 1);
         auto a = field_ct(witness_ct(&builder, a_val));
         auto b = field_ct(witness_ct(&builder, bb::fr::random_element()));
-        EXPECT_TRUE(a.get_origin_tag().is_empty());
-        EXPECT_TRUE(b.get_origin_tag().is_empty());
+        EXPECT_TRUE(a.get_origin_tag().is_free_witness());
+        EXPECT_TRUE(b.get_origin_tag().is_free_witness());
         const size_t parent_id = 0;
 
         const auto submitted_value_origin_tag = OriginTag(parent_id, /*round_id=*/0, /*is_submitted=*/true);

barretenberg/cpp/src/barretenberg/stdlib/primitives/safe_uint/safe_uint.cpp

@@ -127,6 +127,10 @@ safe_uint_t<Builder> safe_uint_t<Builder>::divide(
     safe_uint_t<Builder> remainder(
         remainder_field, remainder_bit_size, format("divide method remainder: ", description));
 
+    const auto merged_tag = OriginTag(get_origin_tag(), other.get_origin_tag());
+    quotient.set_origin_tag(merged_tag);
+    remainder.set_origin_tag(merged_tag);
+
     // This line implicitly checks we are not overflowing
     safe_uint_t int_val = quotient * other + remainder;
 
@@ -138,7 +142,6 @@ safe_uint_t<Builder> safe_uint_t<Builder>::divide(
 
     this->assert_equal(int_val, "divide method quotient and/or remainder incorrect");
 
-    quotient.set_origin_tag(OriginTag(get_origin_tag(), other.get_origin_tag()));
     return quotient;
 }
 
@@ -161,6 +164,10 @@ template <typename Builder> safe_uint_t<Builder> safe_uint_t<Builder>::operator/
     safe_uint_t<Builder> remainder(
         remainder_field, (size_t)(other.current_max.get_msb() + 1), format("/ operator remainder"));
 
+    const auto merged_tag = OriginTag(get_origin_tag(), other.get_origin_tag());
+    quotient.set_origin_tag(merged_tag);
+    remainder.set_origin_tag(merged_tag);
+
     // This line implicitly checks we are not overflowing
     safe_uint_t int_val = quotient * other + remainder;
 
@@ -172,7 +179,6 @@ template <typename Builder> safe_uint_t<Builder> safe_uint_t<Builder>::operator/
 
     this->assert_equal(int_val, "/ operator quotient and/or remainder incorrect");
 
-    quotient.set_origin_tag(OriginTag(get_origin_tag(), other.get_origin_tag()));
     return quotient;
 }
 

barretenberg/cpp/src/barretenberg/stdlib/primitives/safe_uint/safe_uint.test.cpp

@@ -437,6 +437,8 @@ TYPED_TEST(SafeUintTest, TestDivideMethod)
 
     field_ct a1(witness_ct(&builder, 2));
     field_ct b1(witness_ct(&builder, 9));
+    a1.unset_free_witness_tag();
+    b1.unset_free_witness_tag();
     suint_ct c1(a1, 2);
     c1.set_origin_tag(submitted_value_origin_tag);
     suint_ct d1(b1, 4);

barretenberg/cpp/src/barretenberg/stdlib/transcript/transcript.hpp

@@ -22,7 +22,6 @@ template <typename Builder> struct StdlibTranscriptParams {
     {
 
         ASSERT(!data.empty());
-
         return stdlib::poseidon2<Builder>::hash(data);
     }
     /**

barretenberg/cpp/src/barretenberg/transcript/transcript.hpp

@@ -385,6 +385,15 @@ template <typename TranscriptParams> class BaseTranscript {
             manifest.add_challenge(round_number, labels...);
         }
 
+        // In case the transcript is used for recursive verification, we need to sanitize current round data so we don't
+        // get an origin tag violation inside the hasher. We are doing this to ensure that the free witness tagged
+        // elements that are sent to the transcript and are assigned tags externally, don't trigger the origin tag
+        // security mechanism while we are hashing them
+        if constexpr (in_circuit) {
+            for (auto& element : current_round_data) {
+                element.unset_free_witness_tag();
+            }
+        }
         // Compute the new challenge buffer from which we derive the challenges.
 
         // Create challenges from Frs.
@@ -500,6 +509,13 @@ template <typename TranscriptParams> class BaseTranscript {
      */
     DataType hash_independent_buffer()
     {
+        // In case the transcript is used for recursive verification, we need to sanitize current round data so we don't
+        // get an origin tag violation inside the hasher
+        if constexpr (in_circuit) {
+            for (auto& element : independent_hash_buffer) {
+                element.unset_free_witness_tag();
+            }
+        }
         DataType buffer_hash = TranscriptParams::hash(independent_hash_buffer);
         independent_hash_buffer.clear();
         return buffer_hash;