I substituted line 673 in hyperplonk/src/snark.rs with
let permutation = vec![E::ScalarField::from(1u128), E::ScalarField::from(2u128), E::ScalarField::from(3u128), E::ScalarField::from(4u128), E::ScalarField::from(5u128), E::ScalarField::from(6u128), E::ScalarField::from(7u128), E::ScalarField::from(0u128)];
and ran the corresponding test test_hyperplonk_e2e, with the result _verify in line 716 being true. In my understanding, the permutation check shouldn't pass and we should have the result as false. I guess there might be a vulnerability in the batch opening part of HyperPlonkSNARK::verify. Please let me know if I made any mistake here. Looking forward to your reply.
Hi @zhenfeizhang, this does seem to be a bad permutation given that the witness is w1 := [0, 1, 2, 3] and w2 := [0^5, 1^5, 2^5, 3^5]. Do you have time to take a look? Thanks!
I've found the problem.
In batch opening of multilinear kzg, we commit to a series of tuples of (multilinear polynomial, points, evaluation on the point).
Also note that we have an inheritance relationship of Sumcheck < Zerocheck < Prodcheck < Permcheck, and so do their subclaims. The subclaim of sumcheck requires a check on some point of a polynomial, which gives relationships on evaluations of multilinear polynomials we committed. These relationships are checked by function hyperplonk::utils::eval_f for "wiring identity constraints" and eval_perm_gate for "gate identity constraints".
However, we note that the subclaim of permcheck poses a further requirement, that the product polynomial should evaluate to 1 at (0, 1, 1, ..., 1). The relationship isn't checked in the verify function in hyperplonk/src/snark.rs. What's more, the relationship shall also be checked by the prover, to ensure that the proof is correct.
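The missing check described in the comment above, as an added example that is not part of the thread and not the project's code: it shows that a product tree stays internally consistent for the issue's bad permutation, and that only the root-equals-1 check rejects it. Assumptions: a toy 61-bit prime field and a heap-shaped product tree stand in for the real field and product polynomial, `beta` and `gamma` are fixed constants rather than random challenges, and the `good` permutation is constructed.

```rust
// Added illustration; the toy field and tree layout are assumptions, not HyperPlonk code.
const P: u128 = (1 << 61) - 1; // Mersenne prime modulus of the toy field

fn mul(a: u128, b: u128) -> u128 { a * b % P }

// Fermat inversion: a^(P-2) mod P.
fn inv(a: u128) -> u128 {
    let (mut base, mut exp, mut acc) = (a % P, P - 2, 1u128);
    while exp > 0 {
        if exp & 1 == 1 { acc = mul(acc, base); }
        base = mul(base, base);
        exp >>= 1;
    }
    acc
}

// Leaf i is (w_i + beta*i + gamma) / (w_i + beta*perm_i + gamma);
// internal node k is node 2k times node 2k+1, so tree[1] is the grand product.
fn product_tree(w: &[u128], perm: &[u128], beta: u128, gamma: u128) -> Vec<u128> {
    let n = w.len(); // assumed to be a power of two
    let mut tree = vec![1u128; 2 * n];
    for i in 0..n {
        let num = (w[i] + beta * i as u128 + gamma) % P;
        let den = (w[i] + beta * perm[i] + gamma) % P;
        tree[n + i] = mul(num, inv(den));
    }
    for k in (1..n).rev() {
        tree[k] = mul(tree[2 * k], tree[2 * k + 1]);
    }
    tree
}

// Consistency of the tree is always checked; the root check can be switched off
// to reproduce the behaviour of a verifier that omits it.
fn verify(tree: &[u128], check_root: bool) -> bool {
    let n = tree.len() / 2;
    let consistent = (1..n).all(|k| tree[k] == mul(tree[2 * k], tree[2 * k + 1]));
    consistent && (!check_root || tree[1] == 1)
}

fn main() {
    let w = [0u128, 1, 2, 3, 0, 1, 32, 243]; // w1 || w2 from the issue
    let bad = [1u128, 2, 3, 4, 5, 6, 7, 0]; // permutation from the issue
    let good = [4u128, 5, 2, 3, 0, 1, 6, 7]; // constructed: only swaps equal values
    for (name, perm) in [("good", good), ("bad", bad)] {
        let t = product_tree(&w, &perm, 7, 11); // beta = 7, gamma = 11 (fixed, constructed)
        println!("{}: no root check = {}, root check = {}", name, verify(&t, false), verify(&t, true));
    }
}
```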
Sophiamer2002 changed the title from "A question on hyperplonk/src/snark.rs test" to "A question about hyperplonk/src/snark.rs test" on Sep 27, 2024