Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Circuit verification doesn't fail when wires selectors are different than the ones in the circuit description #742

Closed
moCello opened this issue Feb 13, 2023 · 1 comment
Labels
fix:bug Something isn't working team:Core Low Level Core Development Team (Rust)

Comments

@moCello
Copy link
Member

moCello commented Feb 13, 2023

Describe the bug
When we test a circuit, we first create a circuit description for both the prover and the verifier. This circuit description essentially is the compressed blueprint of the circuit and when we verify certain circuits, they should only pass when they have that same circuit description.

But what seems to happen in the implementation is that only the witness, public input values and the constants are crosschecked with the circuit description, but not the wire selector values.

To Reproduce

use dusk_plonk::prelude::*;
use rand::rngs::StdRng;
use rand::SeedableRng;

// Because we derive the default trait, the circuit description will have zeros for all the wire selectors,
// and the values of all witnesses don't matter
#[derive(Default)]
pub struct TestCircuit {
    q_l: BlsScalar,
    q_r: BlsScalar,
    a: BlsScalar,
    b: BlsScalar,
}

impl TestCircuit {
    pub fn new(q_l: BlsScalar, q_r: BlsScalar, a: BlsScalar, b: BlsScalar) -> Self {
        Self { q_l, q_r, a, b }
    }
}

impl Circuit for TestCircuit {
    fn circuit<C>(&self, composer: &mut C) -> Result<(), Error>
    where
        C: Composer,
    {
        let w_a = composer.append_witness(self.a);
        let w_b = composer.append_witness(self.b);

        let constraint = Constraint::new()
            .left(self.q_l)
            .right(self.q_r)
            .a(w_a)
            .b(w_b);

        composer.append_gate(constraint);

        Ok(())
    }
}

fn main() {
    // Compile common circuit descriptions for the prover and verifier using
    // the `default` circuit representation
    let label = b"append_gate_with_constant";
    let rng = &mut StdRng::seed_from_u64(0x1ab);
    let capacity = 1 << 4;
    let pp = PublicParameters::setup(capacity, rng)
        .expect("Creation of public parameter shouldn't fail");
    let (prover, _verifier) = Compiler::compile(&pp, label)
        .expect("It should be possible to create the prover and verifier circuit descriptions");

    // Test unsatisfied circuit, the following expression doesn't equal 0:
    // q_l·a + q_r·b != 0
    let msg = "Proof creation of unsatisfied circuit should fail";
    let q_l = BlsScalar::one();
    let q_r = BlsScalar::one();
    let a = BlsScalar::random(rng);
    let b = BlsScalar::random(rng);
    let circuit = TestCircuit::new(q_l, q_r, a, b);
    let result = prover.prove(rng, &circuit);
    match result {
        Ok(_) => panic!("{}", msg),
        _ => println!("Test fails as expected"),
    }
}

Expected behaviour
It shouldn't be possible to create a proof for a circuit that is different than the circuit used for the circuit description. (Just like it is not possible to create a proof for a circuit that differs from the circuit used for the circuit description only in the constants or only in the length of the public input vector).

Logs/Screenshot
N/A

Platform
N/A

Additional context
Discovered when adding tests for append_gate in #741

@moCello moCello added fix:bug Something isn't working team:Core Low Level Core Development Team (Rust) labels Feb 13, 2023
@moCello
Copy link
Member Author

moCello commented Feb 27, 2023

On further inspection, this behavior is, though highly confusing, actually correct.

We use the default trait to create the circuit descriptions for both the prover and the verifier. Continuing with the protocol, both the prover and the verifier only care about the witness and public input, if they match the circuit that was used for the circuit description, the proof will pass.

In the above example the #[derive(Default)] caused the selector polynomials zero in the circuit description. Hence any witness satisfies the circuit.

Even though it is correct behavior, it is still highly confusing as well and we should think about re-structuring the Circuit trait in a way that makes this use impossible.

The issue #715 already thinks along those lines but it needs more thinking still.

@moCello moCello closed this as completed Feb 27, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
fix:bug Something isn't working team:Core Low Level Core Development Team (Rust)
Projects
None yet
Development

No branches or pull requests

1 participant