Closed moCello closed 1 year ago
On further inspection, this behavior is, though highly confusing, actually correct.
We use the default trait to create the circuit descriptions for both the prover and the verifier. Continuing with the protocol, both the prover and the verifier only care about the witness and public input, if they match the circuit that was used for the circuit description, the proof will pass.
In the above example the #[derive(Default)]
caused the selector polynomials zero in the circuit description. Hence any witness satisfies the circuit.
Even though it is correct behavior, it is still highly confusing as well and we should think about re-structuring the Circuit
trait in a way that makes this use impossible.
The issue #715 already thinks along those lines but it needs more thinking still.
Describe the bug When we test a circuit, we first create a circuit description for both the prover and the verifier. This circuit description essentially is the compressed blueprint of the circuit and when we verify certain circuits, they should only pass when they have that same circuit description.
But what seems to happen in the implementation is that only the witness, public input values and the constants are crosschecked with the circuit description, but not the wire selector values.
To Reproduce
Expected behaviour It shouldn't be possible to create a proof for a circuit that is different than the circuit used for the circuit description. (Just like it is not possible to create a proof for a circuit that differs from the circuit used for the circuit description only in the constants or only in the length of the public input vector).
Logs/Screenshot N/A
Platform N/A
Additional context Discovered when adding tests for
append_gate
in #741