Fix the under-constrained ElGamalEncrypter

[Koukyosyumei]

The assert statement in the ElGamalEncrypter circuit checks a condition during witness generation but does not enforce it as a constraint in the circuit. As a result, a malicious prover can supply a witness that violates the intended check while still satisfying all circuit constraints.

Close #1

Counterexample

Our fuzzing tool, zkFuzz, discovered the following violating witness:

═══════════════╗
║🚨 Counter Example: ║
║ 🧟 UnderConstrained (Unexpected-Input) 🧟
║ Violated Condition: (NEq main.ciphertext[0] 0)
║ 🔍 Assignment Details:
║ ➡️ main.bit_length = 5
║ ➡️ main.generator = 3
║ ➡️ main.pk = 21888242871839275222246405745257275088548364400416034343698204186575808495588
║ ➡️ main.message[1] = 21888242871839275222246405745257275088548364400416034343698204186575808495575
║ ➡️ main.random_factor = 1
║ ➡️ main.ciphertext[1] = 1218
║ ➡️ main.message[0] = 0
║ ➡️ main.ciphertext[0] = 0
║ ➡️ main.exp1.base = 3

Despite main.ciphertext[0] being zero, the constraint system accepts this witness, revealing a correctness vulnerability.

---

Fix

This issue is addressed by replacing the non-constraining assert with an actual constraint using Circomlib’s IsZero circuit, ensuring that ciphertext[0] is explicitly checked at constraint level.

---

Acknowledgment

This vulnerability was first reported through a private channel.
@voidcenter, thank you for your swift response and for confirming the issue!