Merge pull request zkcrypto#78 from alex-ozdemir/filter-zeros
Fix zero-coefficient bug
ebfull authored May 4, 2022
2 parents f0639ed + 2ad80cd commit 5396ba0
Showing 2 changed files with 83 additions and 14 deletions.
30 changes: 16 additions & 14 deletions src/groth16/prover.rs
@@ -28,25 +28,27 @@ fn eval<S: PrimeField>(
for &(index, coeff) in lc.0.iter() {
let mut tmp;

match index {
Variable(Index::Input(i)) => {
tmp = input_assignment[i];
if let Some(ref mut v) = input_density {
v.inc(i);
if !coeff.is_zero_vartime() {
match index {
Variable(Index::Input(i)) => {
tmp = input_assignment[i];
if let Some(ref mut v) = input_density {
v.inc(i);
}
}
}
Variable(Index::Aux(i)) => {
tmp = aux_assignment[i];
if let Some(ref mut v) = aux_density {
v.inc(i);
Variable(Index::Aux(i)) => {
tmp = aux_assignment[i];
if let Some(ref mut v) = aux_density {
v.inc(i);
}
}
}
}

if coeff != S::one() {
tmp *= coeff;
if coeff != S::one() {
tmp *= coeff;
}
acc += tmp;
}
acc += tmp;
}

acc
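Review bot: The new `if !coeff.is_zero_vartime()` guard in `eval` has no comment saying why zero-coefficient terms must be skipped, or why a variable-time test is acceptable at this point. Skipping the term also skips `v.inc(i)`, so the density trackers now ignore variables that appear only with a zero coefficient; that presumably has to agree with how the parameter generator counts terms, which is not visible in this section. Once both halves are confirmed, I would add above the guard something like `// Zero-coefficient terms add nothing to acc and must not be counted in the density tracker; coeff is circuit structure, not witness data, so a vartime test is fine.` Since `tmp` is now only used inside the guard, `let mut tmp;` could move there as well. The start and end of `eval` lie outside the hunk.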
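--- a/src/groth16/tests/mod.rs
+++ b/src/groth16/tests/mod.rs
@@ -379,3 +379,70 @@ fn test_xordemo() {
 
 assert!(verify_proof(&pvk, &proof, &[Fr::one()]).is_ok());
 }
+
+struct MultWithZeroCoeffs<F> {
+a: Option<F>,
+b: Option<F>,
+c: Option<F>,
+/// Whether to attach the zero coefficient to the "1" variable, or a different variable.
+one_var: bool,
+}
+
+impl<F: ff::PrimeField> Circuit<F> for &MultWithZeroCoeffs<F> {
+fn synthesize<CS: ConstraintSystem<F>>(self, cs: &mut CS) -> Result<(), SynthesisError> {
+let a = cs.alloc(|| "a", || Ok(self.a.unwrap()))?;
+let b = cs.alloc(|| "b", || Ok(self.b.unwrap()))?;
+let c = cs.alloc(|| "c", || Ok(self.c.unwrap()))?;
+if self.one_var {
+cs.enforce(
+|| "cs",
+// notice the zero coefficient on the B term
+|z| z + a,
+|z| z + (F::from(0), CS::one()) + b,
+|z| z + c,
+);
+} else {
+cs.enforce(
+|| "cs",
+// notice the zero coefficient on the B term
+|z| z + a,
+|z| z + (F::from(0), a) + b,
+|z| z + c,
+);
+}
+Ok(())
+}
+}
+
+fn zero_coeff_test(one_var: bool) {
+let m = MultWithZeroCoeffs {
+a: Some(Fr::from(5)),
+b: Some(Fr::from(6)),
+c: Some(Fr::from(30)),
+one_var,
+};
+let g1 = Fr::one();
+let g2 = Fr::one();
+let alpha = Fr::from(48577);
+let beta = Fr::from(22580);
+let gamma = Fr::from(53332);
+let delta = Fr::from(5481);
+let tau = Fr::from(3673);
+let pk =
+generate_parameters::<DummyEngine, _>(&m, g1, g2, alpha, beta, gamma, delta, tau).unwrap();
+let r = Fr::from(27134);
+let s = Fr::from(17146);
+let pf = create_proof(&m, &pk, r, s).unwrap();
+let pvk = prepare_verifying_key(&pk.vk);
+verify_proof(&pvk, &pf, &[]).unwrap();
+}
+
+#[test]
+fn zero_coeff_one_var() {
+zero_coeff_test(true);
+}
+
+#[test]
+fn zero_coeff_non_one_var() {
+zero_coeff_test(false);
+}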
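Review bot: `zero_coeff_test` only checks that a satisfying witness verifies, so it would still pass if the zero-coefficient filtering made the prover or verifier accept too much. A companion case with a witness that breaks the constraint (for example `c: Some(Fr::from(31))`) ending in `assert!(verify_proof(&pvk, &pf, &[]).is_err());` would pin that rejection stays intact; I would expect such a proof to be rejected, but that needs confirming against `DummyEngine`. The comment `// notice the zero coefficient on the B term` also sits above the A closure in both branches and reads better directly above the `|z| z + (F::from(0), ...) + b` line.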
