feat: add additional error types to verifier contract and revert early #4464

Merged
merged 5 commits into from
Feb 6, 2024
98 changes: 43 additions & 55 deletions barretenberg/cpp/src/barretenberg/dsl/acir_proofs/contract.hpp
Expand Up @@ -218,58 +218,49 @@ abstract contract BaseUltraVerifier {
uint256 internal constant PAIRING_RHS_X_LOC = 0x3220;
uint256 internal constant PAIRING_RHS_Y_LOC = 0x3240;

// ### SUCCESS FLAG MEMORY LOCATIONS
uint256 internal constant GRAND_PRODUCT_SUCCESS_FLAG = 0x3300;
uint256 internal constant ARITHMETIC_TERM_SUCCESS_FLAG = 0x3020;
uint256 internal constant BATCH_OPENING_SUCCESS_FLAG = 0x3340;
uint256 internal constant OPENING_COMMITMENT_SUCCESS_FLAG = 0x3360;
uint256 internal constant PAIRING_PREAMBLE_SUCCESS_FLAG = 0x3380;
uint256 internal constant PAIRING_SUCCESS_FLAG = 0x33a0;
uint256 internal constant RESULT_FLAG = 0x33c0;

// misc stuff
uint256 internal constant OMEGA_INVERSE_LOC = 0x3400;
uint256 internal constant C_ALPHA_SQR_LOC = 0x3420;
uint256 internal constant C_ALPHA_CUBE_LOC = 0x3440;
uint256 internal constant C_ALPHA_QUAD_LOC = 0x3460;
uint256 internal constant C_ALPHA_BASE_LOC = 0x3480;
uint256 internal constant OMEGA_INVERSE_LOC = 0x3300;
uint256 internal constant C_ALPHA_SQR_LOC = 0x3320;
uint256 internal constant C_ALPHA_CUBE_LOC = 0x3340;
uint256 internal constant C_ALPHA_QUAD_LOC = 0x3360;
uint256 internal constant C_ALPHA_BASE_LOC = 0x3380;

// ### RECURSION VARIABLE MEMORY LOCATIONS
uint256 internal constant RECURSIVE_P1_X_LOC = 0x3500;
uint256 internal constant RECURSIVE_P1_Y_LOC = 0x3520;
uint256 internal constant RECURSIVE_P2_X_LOC = 0x3540;
uint256 internal constant RECURSIVE_P2_Y_LOC = 0x3560;

uint256 internal constant PUBLIC_INPUTS_HASH_LOCATION = 0x3580;
uint256 internal constant RECURSIVE_P1_X_LOC = 0x3400;
uint256 internal constant RECURSIVE_P1_Y_LOC = 0x3420;
uint256 internal constant RECURSIVE_P2_X_LOC = 0x3440;
uint256 internal constant RECURSIVE_P2_Y_LOC = 0x3460;
uint256 internal constant PUBLIC_INPUTS_HASH_LOCATION = 0x3480;

// sub-identity storage
uint256 internal constant PERMUTATION_IDENTITY = 0x3600;
uint256 internal constant PLOOKUP_IDENTITY = 0x3620;
uint256 internal constant ARITHMETIC_IDENTITY = 0x3640;
uint256 internal constant SORT_IDENTITY = 0x3660;
uint256 internal constant ELLIPTIC_IDENTITY = 0x3680;
uint256 internal constant AUX_IDENTITY = 0x36a0;
uint256 internal constant AUX_NON_NATIVE_FIELD_EVALUATION = 0x36c0;
uint256 internal constant AUX_LIMB_ACCUMULATOR_EVALUATION = 0x36e0;
uint256 internal constant AUX_RAM_CONSISTENCY_EVALUATION = 0x3700;
uint256 internal constant AUX_ROM_CONSISTENCY_EVALUATION = 0x3720;
uint256 internal constant AUX_MEMORY_EVALUATION = 0x3740;

uint256 internal constant QUOTIENT_EVAL_LOC = 0x3760;
uint256 internal constant ZERO_POLY_INVERSE_LOC = 0x3780;
uint256 internal constant PERMUTATION_IDENTITY = 0x3500;
uint256 internal constant PLOOKUP_IDENTITY = 0x3520;
uint256 internal constant ARITHMETIC_IDENTITY = 0x3540;
uint256 internal constant SORT_IDENTITY = 0x3560;
uint256 internal constant ELLIPTIC_IDENTITY = 0x3580;
uint256 internal constant AUX_IDENTITY = 0x35a0;
uint256 internal constant AUX_NON_NATIVE_FIELD_EVALUATION = 0x35c0;
uint256 internal constant AUX_LIMB_ACCUMULATOR_EVALUATION = 0x35e0;
uint256 internal constant AUX_RAM_CONSISTENCY_EVALUATION = 0x3600;
uint256 internal constant AUX_ROM_CONSISTENCY_EVALUATION = 0x3620;
uint256 internal constant AUX_MEMORY_EVALUATION = 0x3640;

uint256 internal constant QUOTIENT_EVAL_LOC = 0x3660;
uint256 internal constant ZERO_POLY_INVERSE_LOC = 0x3680;

// when hashing public inputs we use memory at NU_CHALLENGE_INPUT_LOC_A, as the hash input size is unknown at compile time
uint256 internal constant NU_CHALLENGE_INPUT_LOC_A = 0x37a0;
uint256 internal constant NU_CHALLENGE_INPUT_LOC_B = 0x37c0;
uint256 internal constant NU_CHALLENGE_INPUT_LOC_C = 0x37e0;
uint256 internal constant NU_CHALLENGE_INPUT_LOC_A = 0x36a0;
uint256 internal constant NU_CHALLENGE_INPUT_LOC_B = 0x36c0;
uint256 internal constant NU_CHALLENGE_INPUT_LOC_C = 0x36e0;

bytes4 internal constant INVALID_VERIFICATION_KEY_SELECTOR = 0x7e5769bf;
bytes4 internal constant POINT_NOT_ON_CURVE_SELECTOR = 0xa3dad654;
bytes4 internal constant PUBLIC_INPUT_INVALID_BN128_G1_POINT_SELECTOR = 0xeba9f4a6;
bytes4 internal constant PUBLIC_INPUT_GE_P_SELECTOR = 0x374a972f;
bytes4 internal constant MOD_EXP_FAILURE_SELECTOR = 0xf894a7bc;
bytes4 internal constant EC_SCALAR_MUL_FAILURE_SELECTOR = 0xf755f369;
bytes4 internal constant PROOF_FAILURE_SELECTOR = 0x0711fcec;
bytes4 internal constant PAIRING_PREAMBLE_FAILED_SELECTOR = 0x01882d81;
bytes4 internal constant OPENING_COMMITMENT_FAILED_SELECTOR = 0x4e719763;
bytes4 internal constant PAIRING_FAILED_SELECTOR = 0xd71fd263;

uint256 internal constant ETA_INPUT_LENGTH = 0xc0; // W1, W2, W3 = 6 * 0x20 bytes

Expand Down Expand Up @@ -300,8 +291,9 @@ abstract contract BaseUltraVerifier {
error PUBLIC_INPUT_INVALID_BN128_G1_POINT();
error PUBLIC_INPUT_GE_P();
error MOD_EXP_FAILURE();
error EC_SCALAR_MUL_FAILURE();
error PROOF_FAILURE();
error PAIRING_PREAMBLE_FAILED();
error OPENING_COMMITMENT_FAILED();
error PAIRING_FAILED();

function getVerificationKeyHash() public pure virtual returns (bytes32);

Expand Down Expand Up @@ -2651,7 +2643,10 @@ abstract contract BaseUltraVerifier {
// accumulator = accumulator + accumulator_2
success := and(success, staticcall(gas(), 6, ACCUMULATOR_X_LOC, 0x80, ACCUMULATOR_X_LOC, 0x40))

mstore(OPENING_COMMITMENT_SUCCESS_FLAG, success)
if iszero(success) {
mstore(0x0, OPENING_COMMITMENT_FAILED_SELECTOR)
revert(0x00, 0x04)
}
}

/**
Expand Down Expand Up @@ -2756,10 +2751,9 @@ abstract contract BaseUltraVerifier {
}

if iszero(success) {
mstore(0x0, EC_SCALAR_MUL_FAILURE_SELECTOR)
mstore(0x0, PAIRING_PREAMBLE_FAILED_SELECTOR)
revert(0x00, 0x04)
}
mstore(PAIRING_PREAMBLE_SUCCESS_FLAG, success)
}

/**
Expand All @@ -2784,18 +2778,12 @@ abstract contract BaseUltraVerifier {
mstore(0x160, mload(G2X_Y1_LOC))

success := staticcall(gas(), 8, 0x00, 0x180, 0x00, 0x20)
mstore(PAIRING_SUCCESS_FLAG, success)
mstore(RESULT_FLAG, mload(0x00))
}
if iszero(
and(
and(and(mload(PAIRING_SUCCESS_FLAG), mload(RESULT_FLAG)), mload(PAIRING_PREAMBLE_SUCCESS_FLAG)),
mload(OPENING_COMMITMENT_SUCCESS_FLAG)
)
) {
mstore(0x0, PROOF_FAILURE_SELECTOR)
revert(0x00, 0x04)
if iszero(and(success, mload(0x00))) {
mstore(0x0, PAIRING_FAILED_SELECTOR)
revert(0x00, 0x04)
}
}

{
mstore(0x00, 0x01)
return(0x00, 0x20) // Proof succeeded!
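Review bot: The new final check `if iszero(and(success, mload(0x00)))` reads the pairing result from the word that held the first input word, because the call is `staticcall(gas(), 8, 0x00, 0x180, 0x00, 0x20)` with output written over input. If the call ever reports success without returning 32 bytes (for example on an EVM target where precompile 8 is not implemented; the page does not say which targets are supported), the stale input word would be read as the result. Consider also requiring the return size, e.g. `if iszero(and(and(success, eq(returndatasize(), 0x20)), mload(0x00)))`. The same lines appear in barretenberg/sol/src/ultra/BaseUltraVerifier.sol, and the enclosing assembly block starts outside the hunk.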
98 changes: 43 additions & 55 deletions barretenberg/sol/src/ultra/BaseUltraVerifier.sol
Expand Up @@ -215,58 +215,49 @@ abstract contract BaseUltraVerifier {
uint256 internal constant PAIRING_RHS_X_LOC = 0x3220;
uint256 internal constant PAIRING_RHS_Y_LOC = 0x3240;

// ### SUCCESS FLAG MEMORY LOCATIONS
uint256 internal constant GRAND_PRODUCT_SUCCESS_FLAG = 0x3300;
uint256 internal constant ARITHMETIC_TERM_SUCCESS_FLAG = 0x3020;
uint256 internal constant BATCH_OPENING_SUCCESS_FLAG = 0x3340;
uint256 internal constant OPENING_COMMITMENT_SUCCESS_FLAG = 0x3360;
uint256 internal constant PAIRING_PREAMBLE_SUCCESS_FLAG = 0x3380;
uint256 internal constant PAIRING_SUCCESS_FLAG = 0x33a0;
uint256 internal constant RESULT_FLAG = 0x33c0;

// misc stuff
uint256 internal constant OMEGA_INVERSE_LOC = 0x3400;
uint256 internal constant C_ALPHA_SQR_LOC = 0x3420;
uint256 internal constant C_ALPHA_CUBE_LOC = 0x3440;
uint256 internal constant C_ALPHA_QUAD_LOC = 0x3460;
uint256 internal constant C_ALPHA_BASE_LOC = 0x3480;
uint256 internal constant OMEGA_INVERSE_LOC = 0x3300;
uint256 internal constant C_ALPHA_SQR_LOC = 0x3320;
uint256 internal constant C_ALPHA_CUBE_LOC = 0x3340;
uint256 internal constant C_ALPHA_QUAD_LOC = 0x3360;
uint256 internal constant C_ALPHA_BASE_LOC = 0x3380;

// ### RECURSION VARIABLE MEMORY LOCATIONS
uint256 internal constant RECURSIVE_P1_X_LOC = 0x3500;
uint256 internal constant RECURSIVE_P1_Y_LOC = 0x3520;
uint256 internal constant RECURSIVE_P2_X_LOC = 0x3540;
uint256 internal constant RECURSIVE_P2_Y_LOC = 0x3560;

uint256 internal constant PUBLIC_INPUTS_HASH_LOCATION = 0x3580;
uint256 internal constant RECURSIVE_P1_X_LOC = 0x3400;
uint256 internal constant RECURSIVE_P1_Y_LOC = 0x3420;
uint256 internal constant RECURSIVE_P2_X_LOC = 0x3440;
uint256 internal constant RECURSIVE_P2_Y_LOC = 0x3460;
uint256 internal constant PUBLIC_INPUTS_HASH_LOCATION = 0x3480;

// sub-identity storage
uint256 internal constant PERMUTATION_IDENTITY = 0x3600;
uint256 internal constant PLOOKUP_IDENTITY = 0x3620;
uint256 internal constant ARITHMETIC_IDENTITY = 0x3640;
uint256 internal constant SORT_IDENTITY = 0x3660;
uint256 internal constant ELLIPTIC_IDENTITY = 0x3680;
uint256 internal constant AUX_IDENTITY = 0x36a0;
uint256 internal constant AUX_NON_NATIVE_FIELD_EVALUATION = 0x36c0;
uint256 internal constant AUX_LIMB_ACCUMULATOR_EVALUATION = 0x36e0;
uint256 internal constant AUX_RAM_CONSISTENCY_EVALUATION = 0x3700;
uint256 internal constant AUX_ROM_CONSISTENCY_EVALUATION = 0x3720;
uint256 internal constant AUX_MEMORY_EVALUATION = 0x3740;

uint256 internal constant QUOTIENT_EVAL_LOC = 0x3760;
uint256 internal constant ZERO_POLY_INVERSE_LOC = 0x3780;
uint256 internal constant PERMUTATION_IDENTITY = 0x3500;
uint256 internal constant PLOOKUP_IDENTITY = 0x3520;
uint256 internal constant ARITHMETIC_IDENTITY = 0x3540;
uint256 internal constant SORT_IDENTITY = 0x3560;
uint256 internal constant ELLIPTIC_IDENTITY = 0x3580;
uint256 internal constant AUX_IDENTITY = 0x35a0;
uint256 internal constant AUX_NON_NATIVE_FIELD_EVALUATION = 0x35c0;
uint256 internal constant AUX_LIMB_ACCUMULATOR_EVALUATION = 0x35e0;
uint256 internal constant AUX_RAM_CONSISTENCY_EVALUATION = 0x3600;
uint256 internal constant AUX_ROM_CONSISTENCY_EVALUATION = 0x3620;
uint256 internal constant AUX_MEMORY_EVALUATION = 0x3640;

uint256 internal constant QUOTIENT_EVAL_LOC = 0x3660;
uint256 internal constant ZERO_POLY_INVERSE_LOC = 0x3680;

// when hashing public inputs we use memory at NU_CHALLENGE_INPUT_LOC_A, as the hash input size is unknown at compile time
uint256 internal constant NU_CHALLENGE_INPUT_LOC_A = 0x37a0;
uint256 internal constant NU_CHALLENGE_INPUT_LOC_B = 0x37c0;
uint256 internal constant NU_CHALLENGE_INPUT_LOC_C = 0x37e0;
uint256 internal constant NU_CHALLENGE_INPUT_LOC_A = 0x36a0;
uint256 internal constant NU_CHALLENGE_INPUT_LOC_B = 0x36c0;
uint256 internal constant NU_CHALLENGE_INPUT_LOC_C = 0x36e0;

bytes4 internal constant INVALID_VERIFICATION_KEY_SELECTOR = 0x7e5769bf;
bytes4 internal constant POINT_NOT_ON_CURVE_SELECTOR = 0xa3dad654;
bytes4 internal constant PUBLIC_INPUT_INVALID_BN128_G1_POINT_SELECTOR = 0xeba9f4a6;
bytes4 internal constant PUBLIC_INPUT_GE_P_SELECTOR = 0x374a972f;
bytes4 internal constant MOD_EXP_FAILURE_SELECTOR = 0xf894a7bc;
bytes4 internal constant EC_SCALAR_MUL_FAILURE_SELECTOR = 0xf755f369;
bytes4 internal constant PROOF_FAILURE_SELECTOR = 0x0711fcec;
bytes4 internal constant PAIRING_PREAMBLE_FAILED_SELECTOR = 0x01882d81;
bytes4 internal constant OPENING_COMMITMENT_FAILED_SELECTOR = 0x4e719763;
bytes4 internal constant PAIRING_FAILED_SELECTOR = 0xd71fd263;

uint256 internal constant ETA_INPUT_LENGTH = 0xc0; // W1, W2, W3 = 6 * 0x20 bytes

Expand Down Expand Up @@ -297,8 +288,9 @@ abstract contract BaseUltraVerifier {
error PUBLIC_INPUT_INVALID_BN128_G1_POINT();
error PUBLIC_INPUT_GE_P();
error MOD_EXP_FAILURE();
error EC_SCALAR_MUL_FAILURE();
error PROOF_FAILURE();
error PAIRING_PREAMBLE_FAILED();
error OPENING_COMMITMENT_FAILED();
error PAIRING_FAILED();

function getVerificationKeyHash() public pure virtual returns (bytes32);

Expand Down Expand Up @@ -2625,7 +2617,10 @@ abstract contract BaseUltraVerifier {
// accumulator = accumulator + accumulator_2
success := and(success, staticcall(gas(), 6, ACCUMULATOR_X_LOC, 0x80, ACCUMULATOR_X_LOC, 0x40))

mstore(OPENING_COMMITMENT_SUCCESS_FLAG, success)
if iszero(success) {
mstore(0x0, OPENING_COMMITMENT_FAILED_SELECTOR)
revert(0x00, 0x04)
}
}

/**
Expand Down Expand Up @@ -2730,10 +2725,9 @@ abstract contract BaseUltraVerifier {
}

if iszero(success) {
mstore(0x0, EC_SCALAR_MUL_FAILURE_SELECTOR)
mstore(0x0, PAIRING_PREAMBLE_FAILED_SELECTOR)
revert(0x00, 0x04)
}
mstore(PAIRING_PREAMBLE_SUCCESS_FLAG, success)
}

/**
Expand All @@ -2758,18 +2752,12 @@ abstract contract BaseUltraVerifier {
mstore(0x160, mload(G2X_Y1_LOC))

success := staticcall(gas(), 8, 0x00, 0x180, 0x00, 0x20)
mstore(PAIRING_SUCCESS_FLAG, success)
mstore(RESULT_FLAG, mload(0x00))
}
if iszero(
and(
and(and(mload(PAIRING_SUCCESS_FLAG), mload(RESULT_FLAG)), mload(PAIRING_PREAMBLE_SUCCESS_FLAG)),
mload(OPENING_COMMITMENT_SUCCESS_FLAG)
)
) {
mstore(0x0, PROOF_FAILURE_SELECTOR)
revert(0x00, 0x04)
if iszero(and(success, mload(0x00))) {
mstore(0x0, PAIRING_FAILED_SELECTOR)
revert(0x00, 0x04)
}
}

{
mstore(0x00, 0x01)
return(0x00, 0x20) // Proof succeeded!
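Review bot: Nothing visible ties the three new hard-coded selectors (`PAIRING_PREAMBLE_FAILED_SELECTOR = 0x01882d81`, `OPENING_COMMITMENT_FAILED_SELECTOR = 0x4e719763`, `PAIRING_FAILED_SELECTOR = 0xd71fd263`) to the `error` declarations added in the second hunk, so a typo on either side would leave callers with a revert they cannot decode. A test in a derived harness contract asserting, for each pair, something like `PAIRING_FAILED.selector == PAIRING_FAILED_SELECTOR` would catch drift. Separately, `EC_SCALAR_MUL_FAILURE()` and `PROOF_FAILURE()` are removed here, so any caller or test that matched on those selectors will stop matching; a comment above the error list saying which errors replace them would help. Both points apply equally to the embedded copy in barretenberg/cpp/src/barretenberg/dsl/acir_proofs/contract.hpp.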