You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Apologies if this is not the correct repo for this.
I'm proving circom circuits on the bls12-381 curve using ark-groth16. I've run into a bug where ark-groth16 generates invalid proofs for zkeys that are built against powers of tau ceremonies that are not at least twice as big.
e.g. i have a circuit with 2500 constraints. I build the zkey using a ptau with 2^12 powers. snarkjs generates valid proofs, ark-groth16 generates invalid proofs. I build the same circuit against a ptau with 2^13 powers and both snarkjs and ark-groth16 generate valid proofs.
I've confirmed that the proofs generated by ark-groth16 are invalid in snarkjs as well. This bug does not exist for the alt_bn128 curve.
I'm using the R1CS QAP reduction in ark-circom.
I know there's lots of places where the inconsistency could come from. I wanted to post here to see if anyone has ideas off the top of their head.
Build a circuit over the bls12-381 curve with N constraints and < 2*N ptau powers. Use the R1CS QAP mapping in ark-circom to generate a proof. Try to validate the proof.
This is implemented here, the relevant zkeys/witness logic is committed in the same repo. I'll break this into a minimal repro example if there's any interest.
The text was updated successfully, but these errors were encountered:
Summary of Bug
Apologies if this is not the correct repo for this.
I'm proving circom circuits on the bls12-381 curve using ark-groth16. I've run into a bug where ark-groth16 generates invalid proofs for zkeys that are built against powers of tau ceremonies that are not at least twice as big.
e.g. i have a circuit with 2500 constraints. I build the zkey using a ptau with 2^12 powers.
snarkjsgenerates valid proofs,ark-groth16generates invalid proofs. I build the same circuit against a ptau with 2^13 powers and bothsnarkjsandark-groth16generate valid proofs.I've confirmed that the proofs generated by
ark-groth16are invalid insnarkjsas well. This bug does not exist for thealt_bn128curve.I'm using the R1CS QAP reduction in
ark-circom.I know there's lots of places where the inconsistency could come from. I wanted to post here to see if anyone has ideas off the top of their head.
Version
[email protected]Steps to Reproduce
Build a circuit over the bls12-381 curve with
Nconstraints and< 2*Nptau powers. Use the R1CS QAP mapping in ark-circom to generate a proof. Try to validate the proof.This is implemented here, the relevant zkeys/witness logic is committed in the same repo. I'll break this into a minimal repro example if there's any interest.
The text was updated successfully, but these errors were encountered: