pairing check fail in solidity

[chokobole]

In solidity template, there are get_target_circuit_g2_s and get_target_circuit_g2_n. I think they should be populated with params from target circuit.

function get_target_circuit_g2_s() internal pure returns (G2Point memory s) {
    s.x[0] = uint256({{target_circuit_s_g2_x0}});
    s.x[1] = uint256({{target_circuit_s_g2_x1}});
    s.y[0] = uint256({{target_circuit_s_g2_y0}});
    s.y[1] = uint256({{target_circuit_s_g2_y1}});
}

function get_target_circuit_g2_n() internal pure returns (G2Point memory n) {
    n.x[0] = uint256({{target_circuit_n_g2_x0}});
    n.x[1] = uint256({{target_circuit_n_g2_x1}});
    n.y[0] = uint256({{target_circuit_n_g2_y0}});
    n.y[1] = uint256({{target_circuit_n_g2_y1}});
}

But in the code, they are written with params form verify circuit and I think this is the reason why the example failed when running waffle test.

impl<'a, E: MultiMillerLoop + Debug> MultiCircuitSolidityGenerate<'a, E> {
    pub fn call(&self, template_folder: std::path::PathBuf) -> String {
        let target_circuit_s_g2 = get_xy_from_g2point::<E>(self.verify_params.s_g2());
        let target_circuit_n_g2 = get_xy_from_g2point::<E>(-self.verify_params.g2());
}

The failed case is this.

    function verify(
        uint256[] calldata proof,
        uint256[] calldata target_circuit_final_pair
    ) public view {
       // ...

        g1_points[0].x = target_circuit_final_pair[0];
        g1_points[0].y = target_circuit_final_pair[1];
        g1_points[1].x = target_circuit_final_pair[2];
        g1_points[1].y = target_circuit_final_pair[3];
        g2_points[0] = get_target_circuit_g2_s();
        g2_points[1] = get_target_circuit_g2_n();

        checked = pairing(g1_points, g2_points);
        require(checked);
    }
}

[dajuguan]

I've met the same issue.

[lispc]

i will check this issue

[xgaozoyoe]

May I know the process of how you generated the solidity?

[dajuguan]

May I know the process of how you generated the solidity?

I just run all the 5 steps following the instructions decribed in halo2-snark-aggregator-sdk's README.md. The --nproofs 2 option is removed in all commands, otherwise it will fail. Then, I copy the two files output/verify_circuit_proof.data and output/verify_circuit_final_pair.data generated in the above steps to /halo2-snark-aggregator-solidity/output/ folder. Finally, I run the step2 and step3 commands following halo2-snark-aggregator-solidity's README.md

[chokobole]

I think this is because of the assumption that the params of target circuit and verifier circuit share s in common. i.e, they both share G2 and s*G2. It would be helpful to generate params of the circuits based on the same random seed or something.

[lispc]

oh yes.. we assumed they are same in our deployment.

[dajuguan]

I think this is because of the assumption that the params of target circuit and verifier circuit share s in common. i.e, they both share G2 and s*G2. It would be helpful to generate params of the circuits based on the same random seed or something.

I'm new to Halo 2. Could you please share your code to help me resolve this problem? I would greatly appreciate it. Thanks.

[chokobole]

I think the perfect solution is the comment above, but for temporary solition, you can try this one.

[lispc]

btw use downsize in params will generate params with same s_g2 https://github.com/scroll-tech/halo2/blob/9bf3562083dd9bed8a19f651b52bc810f5e2235f/halo2_proofs/src/poly/kzg/commitment.rs#L279