-
Notifications
You must be signed in to change notification settings - Fork 206
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Nargo producing proofs which cannot be verified. #466
Comments
I just checked this with my old implementation (below) and I get the same behaviour.
|
I am unable to reproduce this bug on the Noir master branch or the specific commit listed in the issue. When using the correct inputs I generate a proof and then I get a verify true upon running
for which I still got @guipublic @jfecher would you be able to try and reproduce this bug? |
I just tried again and could reproduce on 44872e2. Just to make sure there's no miscommunication, the issue only arises if you change the return value from
|
Thank you for clarifying as there was a miscommunication. I was able to produce false proofs. This does look like a bug. |
I guess this issue is the same as #358 |
It looks as though this issue could be related to how we are handling bit decomposition and range constraints when solving a circuit. If we change the code snippets provided to use Field types for the bit masks we get the expected false proof. For the snippet below
While the same snippet in the original post where we use
|
I am facing the same problem. Is this still an outgoing issue? I think the proof is valid, since if I change any parameter in |
This issue has not yet been solved. Are you doing something similar to the code snippet above? Is it possible to post what you are working on here? |
A merkle proof based only in Pedersen hash. use dep::std;
fn main(
public_key: [Field; 2],
index: Field,
merkle_path: [Field; 3],
merkle_root : pub Field,
) -> pub Field {
// Compute leaf
let leaf = std::hash::pedersen(public_key);
let is_member = std::merkle::check_membership(merkle_root, leaf[0] , index, merkle_path);
constrain is_member == 1;
merkle_root
} |
And with which |
With this configuration, let me know if you can replicate the issue. public_key = ["0x0ba51a3fd0f698edf85d1a55056c9455184ffcf5bcad55ff12f5c7add823ed82", "0x2a68c3e25eaf46478c6820fc885a65b12241c8c10a9d9153cd4058cdf0d1aaed"]
index = "1"
merkle_path = ["0x125814ef721abadfee11d76feed2b096edacb999d3fc71fea94e5a1ef1f2bf78",
"0x14ff5b0c5e2d284a2d15d9c0b7cec6ebc1a8a5f95642e8604e4e3b74ec499cb2",
"0x187769436d5bab97500f1b0f301fb1b94913154e979a66b28d70b739199fa31a"]
merkle_root = "0x0e1801493bdf93b75e8f3e1b9c0b679d1da475ef1c5529b21938ed4ae9b7bb41"
return = "0x0e1801493bdf93b75e8f3e1b9c0b679d1da475ef1c5529b21938ed4ae9b7bb41" |
Confirming that this is still an issue for me as well when building on 673249f when using Fields or integers. |
@TomAFrench This is giving false proofs for you? |
I get no difference between both implementations. I've been using
I've changed the circuit to have a public input and an explicit constrain and can create false proofs so it's not a return value specific issue. |
Probably worth checking after #731 |
I'm going to close this issue as I can only create valid proofs now so this is fixed as far as I'm aware. @Fantoni0 I've run your example and can verify a proof with the return value you specified. Please feel free to reopen if you still run into the issue on a current version of Nargo/Noir. |
@TomAFrench |
Tracking issue : #1252 |
@TomAFrench what is the status of this issue? |
This is almost certainly fixed at this point as the backend related code has completely changed since I opened this. I'll check and close this tonight though. |
I have tried the new nargo version (0.7.1) on #358 as it's easy and fast to verify. |
Yes this is the expected functionality. We decided to follow the unix methodology that no output == no problems. If you see output it means there has been an error |
Thanks @Fantoni0! I'm going to close this issue as resolved in this case. |
Description
Aim
I'm attempting to create a function which when given a value in the range 0..64, will return a bit mask with the bit at that position and all subsequent bits turned on, i.e.
f(0) -> 0xfffffffffffffff
,f(1) -> 0x3fffffffffffffff
,f(63) -> 0x0000000000000001
Expected behavior
To start with, lets create a bitmap which only contains the bit at the given position for which we use the below function:
This circuit works as expected. Given a value for
bit_position
, I can prove the return value is the corresponding entry in the array. To get the function we want we then just need to swap the return value out for2 * bit_mask - 1
. This is slightly wrong as we'll get an overflow ifbit_position = 0
but we can ignore that for now (we can always adjust the for-loop range to avoid pulling out this value and not passbit_position = 0
).Bug
If I swap out the return value for
2 * bit_mask - 1
and attempt to prove the circuit with the simplest case of just turning on the last bit in theu64
with theProver.toml
file above, thenargo prove
step works as expected but if I try to verify the produced proof then I get the output below.Unless I'm making a really silly mistake somewhere I don't see how this could happen. In the first circuit we can prove that for
bit_position = 63
results inbit_mask == 1
.2*1 - 1 = 1
so we should be able to create a valid proof for the provided inputs but we can't.To reproduce
2 * bit_mask - 1
nargo prove
andnargo verify
using the sampleProver.toml
below.Environment
For
nargo
usersAdditional context
You might be wondering why I don't just update the bitmaps in the array rather than doing
2 * bit_mask - 1
, I actually need both bitmasks.The text was updated successfully, but these errors were encountered: