For efficiency reasons APK computation is arithmetized using incomplete affined addition formula for SW curves. To make exceptional cases (adding the same/opposite point) impossible, we start the computation from a 'seed' point in G1 complement, E\G1:
It follows that the last bit bitmask[domain_size-1] remains unconstrained by the (conditional) affine addition gate. This doesn't affect 'basic' and 'packed' schemes where verifier has access to the bitmask as a public input. However, in the 'counting' scheme prover can set bitmask[domain_size-1] = true, and falsely prove the statement for count = actual_count + 1.
The issue can be fixed in different ways:
Constraint bitmask[domain_size-1] = false, by showing that bitmask(X) * L_{domain_size-1}(X) = 0 over the domain.
Assume that bitmask[domain_size-1] = true. Then the verifier decrements the count claimed by the prover. In this case the prover still can cheat by claiming count = actual_count - 1, that is better, though not perfect.
For efficiency reasons APK computation is arithmetized using incomplete affined addition formula for SW curves. To make exceptional cases (adding the same/opposite point) impossible, we start the computation from a 'seed' point in G1 complement, E\G1:
It follows that the last bit
bitmask[domain_size-1]remains unconstrained by the (conditional) affine addition gate. This doesn't affect 'basic' and 'packed' schemes where verifier has access to the bitmask as a public input. However, in the 'counting' scheme prover can setbitmask[domain_size-1] = true, and falsely prove the statement forcount = actual_count + 1.The issue can be fixed in different ways:
bitmask[domain_size-1] = false, by showing thatbitmask(X) * L_{domain_size-1}(X) = 0over the domain.bitmask[domain_size-1] = true. Then the verifier decrements the count claimed by the prover. In this case the prover still can cheat by claimingcount = actual_count - 1, that is better, though not perfect.