personaelabs / spartan-ecdsa

The fastest in-browser verification of ECDSA signatures in ZK, using Spartan on the secq256k1 curve

False Proof Verifies #40

Open mottla opened 1 year ago

mottla commented 1 year ago

In wasm.rs, the check_nizk() test also accepts when changing the public inputs. This should not be the case, right?

In general: I really want to use your project, but as a non rust programmer I am having a hard time. Would you be so kind and add a little more documentation on how to go from a circom file down to proof generation and verification?

So far I managed to:

1) Install your project (which was a long process since your .cargo file seems to be for mac). After hours I figured when I replace the config file with

```toml
[build]
rustflags = [ "-C", "target-cpu=native", ]
```

then it worked.

2) Then, in the file compile_circuit.sh I found the necessary commands how to compile to .circuit.

3) I used the standard circom commands to generate a .wtns file. Is this correct, or should this be done differently?

4) In the file wasm.rs I found tests that take the before generated .circuit and .wtns file, to generate proof and verify it. Is there a command line for that? I was hoping to find something like snarkjs spartan prove/verify ...

If you could help me a bit to understand how to use your project I would be deeply thankful.

Thanks for your fantastic work!

DanTehrani commented 1 year ago

@mottla

The circuit used in this test doesn't constrain anything, so it'll work for any public inputs. The test is only meant to check if prove/verify works at a high level, and not meant to test correctness or soundness.

> In wasm.rs, the check_nizk() test also accepts when changing the public inputs. This should not be the case, right?

Could you describe how you would like to use this project?

If you want to use it in a web app, you can install the npm package that is published here.

mottla commented 1 year ago

Thanks for your quick response!

Maybe my understanding of the <= operator was wrong. I thought that the circuit computes the product of the public inputs a*b_1*b_2, and then you assign it to c, so my understanding was that at least in the witness, the c is contained and hence by changing the input, for the same witness, must lead to rejection. EDIT: apparently the R1CS has only two constraints for the multiplication. Still, I think that it should not be possible that for changed public inputs, the proof accepts for the same witness..

EDIT2: I tried different circuits and again, public inputs have no impact and proofs verify. What could be the reason?

My goal is to implement Schnorr signatures over secp256k1 and then benchmark proof size, times, etc. So all I have so far is some circom circuits, and I managed to parse them into a spartan circuit (as described above), but now I am a bit stuck.

If you could guide me a bit from here, I would be very thankful! Cheers
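
To make DanTehrani's point concrete (a circuit that never references its public inputs is satisfied by any public inputs, so a prove/verify smoke test over it says nothing about soundness) and to show the kind of check mottla expects (same private witness, changed public input, proof must be rejected), here is a toy R1CS satisfiability checker written in Python. This is an added example, not code from spartan-ecdsa or from either commenter; it models the a*b_1*b_2 = c circuit as the two multiplication constraints mottla mentions, uses a small hypothetical prime field instead of the secq256k1 scalar field, and does not reproduce Spartan's actual proof system or the real check_nizk test.

```python
"""Toy R1CS satisfiability check (added example, not spartan-ecdsa code).

An R1CS instance is a list of constraints (A_i, B_i, C_i) over a vector
z = [1, public inputs..., private witness...]; the instance is satisfied
when <A_i, z> * <B_i, z> == <C_i, z> (mod P) for every constraint i.
A verifier that only checks constraints can only reject a changed public
input if some constraint actually references that input.
"""

# Small hypothetical prime field for the toy; a real system uses the
# scalar field of the proving curve.
P = 101

# Variable layout of z: index 0 is the constant wire 1, then the public
# inputs a, b1, b2, c, then the private intermediate t = a*b1.
ONE, A, B1, B2, C, T = range(6)


def dot(row, z):
    """Sparse linear combination <row, z> mod P; row maps index -> coefficient."""
    return sum(coef * z[idx] for idx, coef in row.items()) % P


def r1cs_satisfied(constraints, z):
    """True if every (A, B, C) constraint holds for the assignment z."""
    return all((dot(a, z) * dot(b, z)) % P == dot(c, z) for a, b, c in constraints)


# Circuit 1: c <== a * b1 * b2, lowered to the two multiplication
# constraints mottla describes: t = a*b1 and c = t*b2.
CONSTRAINED = [
    ({A: 1}, {B1: 1}, {T: 1}),  # a * b1 == t
    ({T: 1}, {B2: 1}, {C: 1}),  # t * b2 == c
]

# Circuit 2: a circuit with one dummy constraint on the constant wire and
# no constraint touching a, b1, b2 or c. Every assignment satisfies it.
UNCONSTRAINED = [
    ({ONE: 1}, {ONE: 1}, {ONE: 1}),  # 1 * 1 == 1, always true
]


def assignment(a, b1, b2, c, t):
    """Build the full z vector from public inputs and private witness."""
    return [1, a % P, b1 % P, b2 % P, c % P, t % P]


def honest():
    """An honest prover's assignment for a=3, b1=4, b2=5 (constructed sample)."""
    a, b1, b2 = 3, 4, 5
    t = a * b1 % P
    c = t * b2 % P
    return assignment(a, b1, b2, c, t)


def tampered_public(z, new_a):
    """Keep the private witness t but change the public input a."""
    z2 = list(z)
    z2[A] = new_a % P
    return z2


def rejects_tampered_public_input(constraints):
    """The check a soundness-oriented test needs: the honest assignment must
    satisfy the R1CS, and the same witness with a changed public input must
    not. A smoke test that only checks the first half proves nothing."""
    z = honest()
    return r1cs_satisfied(constraints, z) and not r1cs_satisfied(
        constraints, tampered_public(z, 7)
    )


if __name__ == "__main__":
    for name, circuit in (("constrained", CONSTRAINED), ("unconstrained", UNCONSTRAINED)):
        print(name, "rejects tampered public input:", rejects_tampered_public_input(circuit))
```

Running it shows the constrained circuit rejecting the changed input (7*4 = 28 is not the recorded t = 12) while the unconstrained circuit accepts every assignment, which is exactly why a test over such a circuit passes regardless of the public inputs supplied.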

DanTehrani commented 1 year ago

@mottla Sorry about the lag! Somehow I missed your res.

Can you share the code you used to test check_nizk?

I see!

> My goal is to implement Schnorr signatures over secp256k1 and then benchmark proof size, times, etc. So all I have so far is some circom circuits, and I managed to parse them into a spartan circuit (as described above), but now I am a bit stuck.

Do you have a repo where you're working on the Schnorr sig circuit? I think I can give feedback if I can check out the code.