iden3/circom

Possible bug in cpp witness generation

Stentonian opened this issue · 5 comments

Stentonian commented

Hi I'm getting this error when trying to generate the witness using C++:

fr.cpp:166: void Fr_fail(): Assertion `false' failed.

But witness generation works for wasm. It's happening in a library that I'm using and I'm hesitant to spend time debugging because it seems to be an issue with the finite field code in circom.

I'm using circom CLI version 2.1.7

You can reproduce this error by running the script here: https://github.com/puma314/batch-ecdsa/blob/ff080ca1bcae3dedab9de46a0a4fa8ad6248a039/scripts/batch_ecdsa/fast_build.sh

I see this has happened before #121

Any advice?

Stentonian commented

I've tried changing all the pragmas in the circuits to 2.1.7 but the failure still happens

Stentonian commented

I also tried using version 2.0.4 of circom CLI, but I got the same error

clararod9 commented

Hi! Thanks for reporting this issue.

We have located the lines of code in the circuit that generate the unexpected behavior (lines 275-277 in file batch_ecdsa.circom) and we are working to fix it, we hope to be able to do it soon.

Meanwhile, a possible way to prevent the unexpected behavior is to replace the lines 275- 277:

adders[coord_idx][batch_idx-1].a[x_or_y][reg_idx] <==
     are_points_equal[coord_idx][batch_idx-1].out * (dummy2[x_or_y][reg_idx] - partial[coord_idx][batch_idx-1][x_or_y][reg_idx])
      + partial[coord_idx][batch_idx-1][x_or_y][reg_idx];

by

var aux1 = dummy2[x_or_y][reg_idx] - partial[coord_idx][batch_idx-1][x_or_y][reg_idx];
var aux2 = are_points_equal[coord_idx][batch_idx-1].out * aux1
          + partial[coord_idx][batch_idx-1][x_or_y][reg_idx];
adders[coord_idx][batch_idx-1].a[x_or_y][reg_idx] <== aux2;

We have tried this solution for the circuit test_batch_ecdsa_verify_2.circom and it does not crash and produces the same witness as the original circuit when executed via WASM.

Stentonian commented

@clararod9 thanks so much for digging into this! Really appreciate it. Can confirm that the fix works.

I will test that the fix works for larger circuits (greater number of ecdsa sigs) and then post a PR on the repo (unless you'd like to that?).