fix: assert that the binary decomposition of a variable is less than the modulus #835
Conversation
Even though the method is public, it is not listable, as we export interfaces with smaller method sets. The method can be accessed by implicitly implementing an interface with the method `MustBeLessOrEqCst(aBits []frontend.Variable, bound *big.Int, aForDebug frontend.Variable)`. We use the method for checking in the `std/math/bits` package that the binary decomposition of the bound returned by the hint is less than the modulus.
not sure about the `IsTestEngine()` part but other than that the PR looks good to me! 👍
Yeah, it was ugly. I'll see if I can do without.
Removed
Branch: fix/cmp-reducecheck
The following issue was reported by Marcin Kostrzewa @ Reilabs (@kustosz). We really appreciate the detailed report!
Description
When doing a binary decomposition of a value, we compute the bit values inside the hint and then assert that the linear combination of the bits adds up to the initial value:

However, as the sum is computed inside the circuit, for many values there actually exist two valid decompositions: `value` and `value + Fr`, where `Fr` is the modulus of the scalar field. Depending on the application, the non-uniqueness may or may not be an issue, but this problem affects comparison and inequality assertion, where we had this assumption. This may lead to non-sound comparisons if a malicious prover replaces the binary decomposition hint function.

Fixes #836
Type of change

How has this been tested?

Tests for `api.AssertIsLessEq`, `api.Cmp` and `std/math/cmp`, which failed before the bugfixes and succeeded after.
How has this been benchmarked?
The fixes have impact on AssertIsLessEq and Cmp. Recommendation is to use
std/math/cmp
if the bound is known. We are also looking at more efficient comparison methods (see #831).Checklist:
golangci-lint
does not output errors locally
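A constructed Go model of the two-decompositions problem the description above reports, added here as an illustration; it is not gnark code and not code from this PR. It assumes a toy 7-bit field with a constructed modulus of 97 (instead of a real ~254-bit scalar field modulus) and a hypothetical bit-based comparison helper `bitsLessEq`; the `passesFixedCheck` function mirrors the role the PR gives to `MustBeLessOrEqCst`, namely requiring that the bit string denote an integer below the modulus.

```go
package main

import (
	"fmt"
	"math/big"
)

// Constructed model of the issue described in the PR. This is NOT gnark
// code: it uses plain big.Int arithmetic to show why checking only
// "sum(bits[i] * 2^i) == value (mod r)" admits two decompositions, and how
// additionally requiring the bit string to be below the modulus (the role
// the PR gives to MustBeLessOrEqCst) removes the ambiguity.

// modulus is a small constructed prime standing in for the scalar field
// modulus r; real moduli are ~254 bits but the argument is identical.
var modulus = big.NewInt(97)

// nbBits is the bit width needed to hold any element of the field.
const nbBits = 7 // 2^7 = 128 > 97

// decompose plays the hint: it returns the little-endian bits of x. Since a
// hint is computed out of circuit, a malicious prover may return the bits
// of any integer it likes.
func decompose(x *big.Int, n int) []uint8 {
	bits := make([]uint8, n)
	for i := 0; i < n; i++ {
		bits[i] = uint8(x.Bit(i))
	}
	return bits
}

// bitsAsInt returns the integer the bit string denotes, without reduction.
func bitsAsInt(bits []uint8) *big.Int {
	v := new(big.Int)
	for i := len(bits) - 1; i >= 0; i-- {
		v.Lsh(v, 1)
		v.Add(v, big.NewInt(int64(bits[i])))
	}
	return v
}

// recompose is the in-circuit linear combination: it is field arithmetic,
// so the sum wraps around modulo r.
func recompose(bits []uint8) *big.Int {
	return new(big.Int).Mod(bitsAsInt(bits), modulus)
}

// passesOldCheck is the constraint before the fix: recomposition only.
func passesOldCheck(value *big.Int, bits []uint8) bool {
	return recompose(bits).Cmp(value) == 0
}

// passesFixedCheck additionally asserts bitsAsInt(bits) <= r-1, i.e. that
// the decomposition is the canonical one (hypothetical stand-in for the
// MustBeLessOrEqCst check the PR adds).
func passesFixedCheck(value *big.Int, bits []uint8) bool {
	return passesOldCheck(value, bits) && bitsAsInt(bits).Cmp(modulus) < 0
}

// bitsLessEq is a hypothetical bit-based comparison against a public bound:
// it compares the integer the bits denote, which is only sound if that
// integer is the canonical decomposition of the value.
func bitsLessEq(bits []uint8, bound *big.Int) bool {
	return bitsAsInt(bits).Cmp(bound) <= 0
}

func main() {
	value := big.NewInt(5)
	bound := big.NewInt(50)

	honest := decompose(value, nbBits)
	// value + r = 102 still fits in 7 bits, so it is a second candidate
	// that recomposes to 5 mod 97.
	forged := decompose(new(big.Int).Add(value, modulus), nbBits)

	fmt.Println("old check, honest bits:", passesOldCheck(value, honest))     // true
	fmt.Println("old check, forged bits:", passesOldCheck(value, forged))     // true
	fmt.Println("fixed check, honest bits:", passesFixedCheck(value, honest)) // true
	fmt.Println("fixed check, forged bits:", passesFixedCheck(value, forged)) // false
	fmt.Println("5 <= 50 via honest bits:", bitsLessEq(honest, bound))        // true
	fmt.Println("5 <= 50 via forged bits:", bitsLessEq(forged, bound))        // false
}
```

The forged decomposition only exists for values below `2^nbBits - r` (here 31), which is exactly why the ambiguity is easy to overlook in tests with random inputs but still breaks soundness of a bit-based `AssertIsLessEq` for those values; the extra bound check makes the decomposition unique again.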