diff --git a/Cargo.lock b/Cargo.lock index 2f19ed704b2..7980a9ea4a3 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -68,6 +68,7 @@ dependencies = [ "keccak", "libaes", "num-bigint", + "num-prime", "p256", "proptest", "sha2", @@ -158,6 +159,12 @@ dependencies = [ "memchr", ] +[[package]] +name = "allocator-api2" +version = "0.2.21" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "683d7910e743518b0e34f1186f92494becacb047c7b6bf616c96772180fef923" + [[package]] name = "android-tzdata" version = "0.1.1" @@ -1584,6 +1591,12 @@ version = "1.0.7" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1" +[[package]] +name = "foldhash" +version = "0.1.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f81ec6369c545a7d40e4589b5597581fa1c441fe1cce96dd1de43159910a36a2" + [[package]] name = "form_urlencoded" version = "1.2.1" @@ -1879,6 +1892,11 @@ name = "hashbrown" version = "0.15.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3a9bfc1af68b1726ea47d3d5109de126281def866b33970e10fbab11b5dafab3" +dependencies = [ + "allocator-api2", + "equivalent", + "foldhash", +] [[package]] name = "heck" @@ -2617,6 +2635,15 @@ dependencies = [ "fid-rs", ] +[[package]] +name = "lru" +version = "0.12.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "234cf4f4a04dc1f57e24b96cc0cd600cf2af460d4161ac5ecdd0af8e1f3b2a38" +dependencies = [ + "hashbrown 0.15.1", +] + [[package]] name = "lsp-types" version = "0.88.0" @@ -3259,6 +3286,7 @@ checksum = "a5e44f723f1133c9deac646763579fdb3ac745e418f2a7af9cd0c431da1f20b9" dependencies = [ "num-integer", "num-traits", + "rand 0.8.5", ] [[package]] @@ -3286,6 +3314,33 @@ dependencies = [ "num-traits", ] +[[package]] +name = "num-modular" +version = "0.5.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "64a5fe11d4135c3bcdf3a95b18b194afa9608a5f6ff034f5d857bc9a27fb0119" +dependencies = [ + "num-bigint", + "num-integer", + "num-traits", +] + +[[package]] +name = "num-prime" +version = "0.4.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e238432a7881ec7164503ccc516c014bf009be7984cde1ba56837862543bdec3" +dependencies = [ + "bitvec", + "either", + "lru", + "num-bigint", + "num-integer", + "num-modular", + "num-traits", + "rand 0.8.5", +] + [[package]] name = "num-traits" version = "0.2.19" diff --git a/acvm-repo/acvm/src/pwg/blackbox/bigint.rs b/acvm-repo/acvm/src/pwg/blackbox/bigint.rs index edd2bfcac41..64356d9e5a0 100644 --- a/acvm-repo/acvm/src/pwg/blackbox/bigint.rs +++ b/acvm-repo/acvm/src/pwg/blackbox/bigint.rs @@ -24,12 +24,13 @@ impl AcvmBigIntSolver { modulus: &[u8], output: u32, initial_witness: &mut WitnessMap, + pedantic_solving: bool, ) -> Result<(), OpcodeResolutionError> { let bytes = inputs .iter() .map(|input| input_to_value(initial_witness, *input, false).unwrap().to_u128() as u8) .collect::>(); - self.bigint_solver.bigint_from_bytes(&bytes, modulus, output)?; + self.bigint_solver.bigint_from_bytes(&bytes, modulus, output, pedantic_solving)?; Ok(()) } @@ -38,7 +39,11 @@ impl AcvmBigIntSolver { input: u32, outputs: &[Witness], initial_witness: &mut WitnessMap, + pedantic_solving: bool, ) -> Result<(), OpcodeResolutionError> { + if pedantic_solving && outputs.len() != 32 { + panic!("--pedantic-solving: bigint_to_bytes: outputs.len() != 32: {}", outputs.len()); + } let mut bytes = self.bigint_solver.bigint_to_bytes(input)?; while bytes.len() < outputs.len() { bytes.push(0); @@ -55,12 +60,9 @@ impl AcvmBigIntSolver { rhs: u32, output: u32, func: BlackBoxFunc, + pedantic_solving: bool, ) -> Result<(), OpcodeResolutionError> { - self.bigint_solver.bigint_op(lhs, rhs, output, func)?; + self.bigint_solver.bigint_op(lhs, rhs, output, func, pedantic_solving)?; Ok(()) } - - pub(crate) fn is_valid_modulus(&self, modulus: &[u8]) -> bool { - self.bigint_solver.is_valid_modulus(modulus) - } } diff --git a/acvm-repo/acvm/src/pwg/blackbox/embedded_curve_ops.rs b/acvm-repo/acvm/src/pwg/blackbox/embedded_curve_ops.rs index 9e511571275..cb195d32acc 100644 --- a/acvm-repo/acvm/src/pwg/blackbox/embedded_curve_ops.rs +++ b/acvm-repo/acvm/src/pwg/blackbox/embedded_curve_ops.rs @@ -13,6 +13,7 @@ pub(super) fn multi_scalar_mul( points: &[FunctionInput], scalars: &[FunctionInput], outputs: (Witness, Witness, Witness), + pedantic_solving: bool, ) -> Result<(), OpcodeResolutionError> { let points: Result, _> = points.iter().map(|input| input_to_value(initial_witness, *input, false)).collect(); @@ -31,7 +32,7 @@ pub(super) fn multi_scalar_mul( } // Call the backend's multi-scalar multiplication function let (res_x, res_y, is_infinite) = - backend.multi_scalar_mul(&points, &scalars_lo, &scalars_hi)?; + backend.multi_scalar_mul(&points, &scalars_lo, &scalars_hi, pedantic_solving)?; // Insert the resulting point into the witness map insert_value(&outputs.0, res_x, initial_witness)?; diff --git a/acvm-repo/acvm/src/pwg/blackbox/logic.rs b/acvm-repo/acvm/src/pwg/blackbox/logic.rs index 8468b0ca27a..3fa72d9b215 100644 --- a/acvm-repo/acvm/src/pwg/blackbox/logic.rs +++ b/acvm-repo/acvm/src/pwg/blackbox/logic.rs @@ -14,13 +14,14 @@ pub(super) fn and( lhs: &FunctionInput, rhs: &FunctionInput, output: &Witness, + pedantic_solving: bool, ) -> Result<(), OpcodeResolutionError> { assert_eq!( lhs.num_bits(), rhs.num_bits(), "number of bits specified for each input must be the same" ); - solve_logic_opcode(initial_witness, lhs, rhs, *output, |left, right| { + solve_logic_opcode(initial_witness, lhs, rhs, *output, pedantic_solving, |left, right| { bit_and(left, right, lhs.num_bits()) }) } @@ -32,13 +33,14 @@ pub(super) fn xor( lhs: &FunctionInput, rhs: &FunctionInput, output: &Witness, + pedantic_solving: bool, ) -> Result<(), OpcodeResolutionError> { assert_eq!( lhs.num_bits(), rhs.num_bits(), "number of bits specified for each input must be the same" ); - solve_logic_opcode(initial_witness, lhs, rhs, *output, |left, right| { + solve_logic_opcode(initial_witness, lhs, rhs, *output, pedantic_solving, |left, right| { bit_xor(left, right, lhs.num_bits()) }) } @@ -49,11 +51,13 @@ fn solve_logic_opcode( a: &FunctionInput, b: &FunctionInput, result: Witness, + pedantic_solving: bool, logic_op: impl Fn(F, F) -> F, ) -> Result<(), OpcodeResolutionError> { - // TODO(https://github.com/noir-lang/noir/issues/5985): re-enable these once we figure out how to combine these with existing + // TODO(https://github.com/noir-lang/noir/issues/5985): re-enable these by + // default once we figure out how to combine these with existing // noirc_frontend/noirc_evaluator overflow error messages - let skip_bitsize_checks = true; + let skip_bitsize_checks = !pedantic_solving; let w_l_value = input_to_value(initial_witness, *a, skip_bitsize_checks)?; let w_r_value = input_to_value(initial_witness, *b, skip_bitsize_checks)?; let assignment = logic_op(w_l_value, w_r_value); diff --git a/acvm-repo/acvm/src/pwg/blackbox/mod.rs b/acvm-repo/acvm/src/pwg/blackbox/mod.rs index 6ca6e6beeb9..2b91a75e627 100644 --- a/acvm-repo/acvm/src/pwg/blackbox/mod.rs +++ b/acvm-repo/acvm/src/pwg/blackbox/mod.rs @@ -76,14 +76,19 @@ pub(crate) fn solve( )); } - // TODO: check input value sizes when pedantic_solving match bb_func { BlackBoxFuncCall::AES128Encrypt { inputs, iv, key, outputs } => { solve_aes128_encryption_opcode(initial_witness, inputs, iv, key, outputs) } - BlackBoxFuncCall::AND { lhs, rhs, output } => and(initial_witness, lhs, rhs, output), - BlackBoxFuncCall::XOR { lhs, rhs, output } => xor(initial_witness, lhs, rhs, output), - BlackBoxFuncCall::RANGE { input } => solve_range_opcode(initial_witness, input, pedantic_solving), + BlackBoxFuncCall::AND { lhs, rhs, output } => { + and(initial_witness, lhs, rhs, output, pedantic_solving) + } + BlackBoxFuncCall::XOR { lhs, rhs, output } => { + xor(initial_witness, lhs, rhs, output, pedantic_solving) + } + BlackBoxFuncCall::RANGE { input } => { + solve_range_opcode(initial_witness, input, pedantic_solving) + } BlackBoxFuncCall::Blake2s { inputs, outputs } => { solve_generic_256_hash_opcode(initial_witness, inputs, None, outputs, blake2s) } @@ -149,11 +154,7 @@ pub(crate) fn solve( *output, ), BlackBoxFuncCall::MultiScalarMul { points, scalars, outputs } => { - if pedantic_solving && points.len() != scalars.len() { - // TODO: better error or ICE - panic!("MultiScalarMul") - } - multi_scalar_mul(backend, initial_witness, points, scalars, *outputs) + multi_scalar_mul(backend, initial_witness, points, scalars, *outputs, pedantic_solving) } BlackBoxFuncCall::EmbeddedCurveAdd { input1, input2, outputs } => { embedded_curve_add(backend, initial_witness, **input1, **input2, *outputs) @@ -163,31 +164,22 @@ pub(crate) fn solve( BlackBoxFuncCall::BigIntAdd { lhs, rhs, output } | BlackBoxFuncCall::BigIntSub { lhs, rhs, output } | BlackBoxFuncCall::BigIntMul { lhs, rhs, output } - | BlackBoxFuncCall::BigIntDiv { lhs, rhs, output } => { - bigint_solver.bigint_op(*lhs, *rhs, *output, bb_func.get_black_box_func()) - } - BlackBoxFuncCall::BigIntFromLeBytes { inputs, modulus, output } => { - if pedantic_solving && (!bigint_solver.is_valid_modulus(modulus) || inputs.len() > 32) { - // TODO: better error or ICE - panic!("BigIntFromLeBytes") - } - bigint_solver.bigint_from_bytes(inputs, modulus, *output, initial_witness) - } + | BlackBoxFuncCall::BigIntDiv { lhs, rhs, output } => bigint_solver.bigint_op( + *lhs, + *rhs, + *output, + bb_func.get_black_box_func(), + pedantic_solving, + ), + BlackBoxFuncCall::BigIntFromLeBytes { inputs, modulus, output } => bigint_solver + .bigint_from_bytes(inputs, modulus, *output, initial_witness, pedantic_solving), BlackBoxFuncCall::BigIntToLeBytes { input, outputs } => { - if pedantic_solving && outputs.len() != 32 { - // TODO: better error or ICE - panic!("BigIntToLeBytes") - } - bigint_solver.bigint_to_bytes(*input, outputs, initial_witness) + bigint_solver.bigint_to_bytes(*input, outputs, initial_witness, pedantic_solving) } BlackBoxFuncCall::Sha256Compression { inputs, hash_values, outputs } => { solve_sha_256_permutation_opcode(initial_witness, inputs, hash_values, outputs) } BlackBoxFuncCall::Poseidon2Permutation { inputs, outputs, len } => { - if pedantic_solving && inputs.len() != outputs.len() { - // TODO: better error or ICE - panic!("Poseidon2Permutation") - } solve_poseidon2_permutation_opcode(backend, initial_witness, inputs, outputs, *len) } } diff --git a/acvm-repo/acvm/src/pwg/brillig.rs b/acvm-repo/acvm/src/pwg/brillig.rs index a5f5783478e..e3502cfc04f 100644 --- a/acvm-repo/acvm/src/pwg/brillig.rs +++ b/acvm-repo/acvm/src/pwg/brillig.rs @@ -67,6 +67,7 @@ impl<'b, B: BlackBoxFunctionSolver, F: AcirField> BrilligSolver<'b, F, B> { acir_index: usize, brillig_function_id: BrilligFunctionId, profiling_active: bool, + pedantic_solving: bool, ) -> Result> { let vm = Self::setup_brillig_vm( initial_witness, @@ -75,6 +76,7 @@ impl<'b, B: BlackBoxFunctionSolver, F: AcirField> BrilligSolver<'b, F, B> { brillig_bytecode, bb_solver, profiling_active, + pedantic_solving, )?; Ok(Self { vm, acir_index, function_id: brillig_function_id }) } @@ -86,6 +88,7 @@ impl<'b, B: BlackBoxFunctionSolver, F: AcirField> BrilligSolver<'b, F, B> { brillig_bytecode: &'b [BrilligOpcode], bb_solver: &'b B, profiling_active: bool, + pedantic_solving: bool, ) -> Result, OpcodeResolutionError> { // Set input values let mut calldata: Vec = Vec::new(); @@ -133,7 +136,14 @@ impl<'b, B: BlackBoxFunctionSolver, F: AcirField> BrilligSolver<'b, F, B> { // Instantiate a Brillig VM given the solved calldata // along with the Brillig bytecode. - let vm = VM::new(calldata, brillig_bytecode, vec![], bb_solver, profiling_active); + let vm = VM::new( + calldata, + brillig_bytecode, + vec![], + bb_solver, + profiling_active, + pedantic_solving, + ); Ok(vm) } diff --git a/acvm-repo/acvm/src/pwg/memory_op.rs b/acvm-repo/acvm/src/pwg/memory_op.rs index fcf94360d99..9409ee36249 100644 --- a/acvm-repo/acvm/src/pwg/memory_op.rs +++ b/acvm-repo/acvm/src/pwg/memory_op.rs @@ -85,7 +85,8 @@ impl MemoryOpSolver { // Fetch whether or not the predicate is false (e.g. equal to zero) let opcode_location = ErrorLocation::Unresolved; - let skip_operation = is_predicate_false(initial_witness, predicate, pedantic_solving, &opcode_location)?; + let skip_operation = + is_predicate_false(initial_witness, predicate, pedantic_solving, &opcode_location)?; if is_read_operation { // `value_read = arr[memory_index]` @@ -152,7 +153,10 @@ mod tests { block_solver.init(&init, &initial_witness).unwrap(); for op in trace { - block_solver.solve_memory_op(&op, &mut initial_witness, &None).unwrap(); + let pedantic_solving = true; + block_solver + .solve_memory_op(&op, &mut initial_witness, &None, pedantic_solving) + .unwrap(); } assert_eq!(initial_witness[&Witness(4)], FieldElement::from(2u128)); @@ -177,7 +181,10 @@ mod tests { let mut err = None; for op in invalid_trace { if err.is_none() { - err = block_solver.solve_memory_op(&op, &mut initial_witness, &None).err(); + let pedantic_solving = true; + err = block_solver + .solve_memory_op(&op, &mut initial_witness, &None, pedantic_solving) + .err(); } } @@ -210,8 +217,14 @@ mod tests { let mut err = None; for op in invalid_trace { if err.is_none() { + let pedantic_solving = true; err = block_solver - .solve_memory_op(&op, &mut initial_witness, &Some(Expression::zero())) + .solve_memory_op( + &op, + &mut initial_witness, + &Some(Expression::zero()), + pedantic_solving, + ) .err(); } } @@ -242,8 +255,14 @@ mod tests { let mut err = None; for op in invalid_trace { if err.is_none() { + let pedantic_solving = true; err = block_solver - .solve_memory_op(&op, &mut initial_witness, &Some(Expression::zero())) + .solve_memory_op( + &op, + &mut initial_witness, + &Some(Expression::zero()), + pedantic_solving, + ) .err(); } } diff --git a/acvm-repo/acvm/src/pwg/mod.rs b/acvm-repo/acvm/src/pwg/mod.rs index c5ad72302b4..0237afd7e5e 100644 --- a/acvm-repo/acvm/src/pwg/mod.rs +++ b/acvm-repo/acvm/src/pwg/mod.rs @@ -145,10 +145,7 @@ pub enum OpcodeResolutionError { #[error("{results_size:?} result values were provided for {outputs_size:?} call output witnesses, most likely due to bad ACIR codegen")] AcirCallOutputsMismatch { opcode_location: ErrorLocation, results_size: u32, outputs_size: u32 }, #[error("(--pedantic): Predicates are expected to be 0 or 1, but found: {predicate_value}")] - PredicateLargerThanOne { - opcode_location: ErrorLocation, - predicate_value: F, - }, + PredicateLargerThanOne { opcode_location: ErrorLocation, predicate_value: F }, } impl From for OpcodeResolutionError { @@ -242,7 +239,7 @@ impl<'a, F: AcirField, B: BlackBoxFunctionSolver> ACVM<'a, F, B> { assertion_payloads, profiling_active: false, profiling_samples: Vec::new(), - pedantic_solving: pedantic_solving, + pedantic_solving, } } @@ -489,10 +486,14 @@ impl<'a, F: AcirField, B: BlackBoxFunctionSolver> ACVM<'a, F, B> { unreachable!("Not executing a BrilligCall opcode"); }; - let opcode_location = ErrorLocation::Resolved(OpcodeLocation::Acir( - self.instruction_pointer(), - )); - if is_predicate_false(&self.witness_map, predicate, self.pedantic_solving, &opcode_location)? { + let opcode_location = + ErrorLocation::Resolved(OpcodeLocation::Acir(self.instruction_pointer())); + if is_predicate_false( + &self.witness_map, + predicate, + self.pedantic_solving, + &opcode_location, + )? { return BrilligSolver::::zero_out_brillig_outputs(&mut self.witness_map, outputs) .map(|_| None); } @@ -510,6 +511,7 @@ impl<'a, F: AcirField, B: BlackBoxFunctionSolver> ACVM<'a, F, B> { self.instruction_pointer, *id, self.profiling_active, + self.pedantic_solving, )?, }; @@ -560,14 +562,14 @@ impl<'a, F: AcirField, B: BlackBoxFunctionSolver> ACVM<'a, F, B> { return StepResult::Status(self.solve_opcode()); }; - let opcode_location = ErrorLocation::Resolved(OpcodeLocation::Acir( - self.instruction_pointer(), - )); + let opcode_location = + ErrorLocation::Resolved(OpcodeLocation::Acir(self.instruction_pointer())); let witness = &mut self.witness_map; - let should_skip = match is_predicate_false(witness, predicate, self.pedantic_solving, &opcode_location) { - Ok(result) => result, - Err(err) => return StepResult::Status(self.handle_opcode_resolution(Err(err))), - }; + let should_skip = + match is_predicate_false(witness, predicate, self.pedantic_solving, &opcode_location) { + Ok(result) => result, + Err(err) => return StepResult::Status(self.handle_opcode_resolution(Err(err))), + }; if should_skip { let resolution = BrilligSolver::::zero_out_brillig_outputs(witness, outputs); return StepResult::Status(self.handle_opcode_resolution(resolution)); @@ -582,6 +584,7 @@ impl<'a, F: AcirField, B: BlackBoxFunctionSolver> ACVM<'a, F, B> { self.instruction_pointer, *id, self.profiling_active, + self.pedantic_solving, ); match solver { Ok(solver) => StepResult::IntoBrillig(solver), @@ -606,16 +609,18 @@ impl<'a, F: AcirField, B: BlackBoxFunctionSolver> ACVM<'a, F, B> { unreachable!("Not executing a Call opcode"); }; - let opcode_location = ErrorLocation::Resolved(OpcodeLocation::Acir( - self.instruction_pointer(), - )); + let opcode_location = + ErrorLocation::Resolved(OpcodeLocation::Acir(self.instruction_pointer())); if *id == AcirFunctionId(0) { - return Err(OpcodeResolutionError::AcirMainCallAttempted { - opcode_location, - }); + return Err(OpcodeResolutionError::AcirMainCallAttempted { opcode_location }); } - if is_predicate_false(&self.witness_map, predicate, self.pedantic_solving, &opcode_location)? { + if is_predicate_false( + &self.witness_map, + predicate, + self.pedantic_solving, + &opcode_location, + )? { // Zero out the outputs if we have a false predicate for output in outputs { insert_value(output, F::zero(), &mut self.witness_map)?; @@ -767,7 +772,7 @@ pub(crate) fn is_predicate_false( } else if predicate_value.is_one() { Ok(false) } else { - let opcode_location = opcode_location.clone(); + let opcode_location = *opcode_location; Err(OpcodeResolutionError::PredicateLargerThanOne { opcode_location, predicate_value, @@ -777,7 +782,7 @@ pub(crate) fn is_predicate_false( } else { pred_value.map(|pred_value| pred_value.is_zero()) } - }, + } // If the predicate is `None`, then we treat it as an unconditional `true` None => Ok(false), } diff --git a/acvm-repo/acvm/tests/solver.rs b/acvm-repo/acvm/tests/solver.rs index 8b164b7c0f2..b6e9c151be1 100644 --- a/acvm-repo/acvm/tests/solver.rs +++ b/acvm-repo/acvm/tests/solver.rs @@ -15,7 +15,7 @@ use acir::{ }; use acvm::pwg::{ACVMStatus, ErrorLocation, ForeignCallWaitInfo, OpcodeResolutionError, ACVM}; -use acvm_blackbox_solver::StubbedBlackBoxSolver; +use acvm_blackbox_solver::{BigIntSolver, StubbedBlackBoxSolver}; use bn254_blackbox_solver::{field_from_hex, Bn254BlackBoxSolver, POSEIDON2_CONFIG}; use brillig_vm::brillig::HeapValueType; @@ -47,7 +47,15 @@ fn bls12_381_circuit() { ]) .into(); - let mut acvm = ACVM::new(&StubbedBlackBoxSolver, &opcodes, witness_assignments, &[], &[]); + let pedantic_solving = true; + let mut acvm = ACVM::new( + &StubbedBlackBoxSolver, + &opcodes, + witness_assignments, + &[], + &[], + pedantic_solving, + ); // use the partial witness generation solver with our acir program let solver_status = acvm.solve(); assert_eq!(solver_status, ACVMStatus::Solved, "should be fully solved"); @@ -169,12 +177,14 @@ fn inversion_brillig_oracle_equivalence() { ]) .into(); let unconstrained_functions = vec![brillig_bytecode]; + let pedantic_solving = true; let mut acvm = ACVM::new( &StubbedBlackBoxSolver, &opcodes, witness_assignments, &unconstrained_functions, &[], + pedantic_solving, ); // use the partial witness generation solver with our acir program let solver_status = acvm.solve(); @@ -335,12 +345,14 @@ fn double_inversion_brillig_oracle() { ]) .into(); let unconstrained_functions = vec![brillig_bytecode]; + let pedantic_solving = true; let mut acvm = ACVM::new( &StubbedBlackBoxSolver, &opcodes, witness_assignments, &unconstrained_functions, &[], + pedantic_solving, ); // use the partial witness generation solver with our acir program @@ -492,12 +504,14 @@ fn oracle_dependent_execution() { let witness_assignments = BTreeMap::from([(w_x, FieldElement::from(2u128)), (w_y, FieldElement::from(2u128))]).into(); let unconstrained_functions = vec![brillig_bytecode]; + let pedantic_solving = true; let mut acvm = ACVM::new( &StubbedBlackBoxSolver, &opcodes, witness_assignments, &unconstrained_functions, &[], + pedantic_solving, ); // use the partial witness generation solver with our acir program @@ -614,12 +628,14 @@ fn brillig_oracle_predicate() { ]) .into(); let unconstrained_functions = vec![brillig_bytecode]; + let pedantic_solving = true; let mut acvm = ACVM::new( &StubbedBlackBoxSolver, &opcodes, witness_assignments, &unconstrained_functions, &[], + pedantic_solving, ); let solver_status = acvm.solve(); assert_eq!(solver_status, ACVMStatus::Solved, "should be fully solved"); @@ -655,8 +671,15 @@ fn unsatisfied_opcode_resolved() { let opcodes = vec![Opcode::AssertZero(opcode_a)]; let unconstrained_functions = vec![]; - let mut acvm = - ACVM::new(&StubbedBlackBoxSolver, &opcodes, values, &unconstrained_functions, &[]); + let pedantic_solving = true; + let mut acvm = ACVM::new( + &StubbedBlackBoxSolver, + &opcodes, + values, + &unconstrained_functions, + &[], + pedantic_solving, + ); let solver_status = acvm.solve(); assert_eq!( solver_status, @@ -779,8 +802,15 @@ fn unsatisfied_opcode_resolved_brillig() { Opcode::AssertZero(opcode_a), ]; let unconstrained_functions = vec![brillig_bytecode]; - let mut acvm = - ACVM::new(&StubbedBlackBoxSolver, &opcodes, values, &unconstrained_functions, &[]); + let pedantic_solving = true; + let mut acvm = ACVM::new( + &StubbedBlackBoxSolver, + &opcodes, + values, + &unconstrained_functions, + &[], + pedantic_solving, + ); let solver_status = acvm.solve(); assert_eq!( solver_status, @@ -829,8 +859,15 @@ fn memory_operations() { let opcodes = vec![init, read_op, expression]; let unconstrained_functions = vec![]; - let mut acvm = - ACVM::new(&StubbedBlackBoxSolver, &opcodes, initial_witness, &unconstrained_functions, &[]); + let pedantic_solving = true; + let mut acvm = ACVM::new( + &StubbedBlackBoxSolver, + &opcodes, + initial_witness, + &unconstrained_functions, + &[], + pedantic_solving, + ); let solver_status = acvm.solve(); assert_eq!(solver_status, ACVMStatus::Solved); let witness_map = acvm.finalize(); @@ -838,39 +875,6 @@ fn memory_operations() { assert_eq!(witness_map[&Witness(8)], FieldElement::from(6u128)); } -fn allowed_bigint_moduli() -> Vec> { - let bn254_fq: Vec = vec![ - 0x47, 0xFD, 0x7C, 0xD8, 0x16, 0x8C, 0x20, 0x3C, 0x8d, 0xca, 0x71, 0x68, 0x91, 0x6a, 0x81, - 0x97, 0x5d, 0x58, 0x81, 0x81, 0xb6, 0x45, 0x50, 0xb8, 0x29, 0xa0, 0x31, 0xe1, 0x72, 0x4e, - 0x64, 0x30, - ]; - let bn254_fr: Vec = vec![ - 1, 0, 0, 240, 147, 245, 225, 67, 145, 112, 185, 121, 72, 232, 51, 40, 93, 88, 129, 129, - 182, 69, 80, 184, 41, 160, 49, 225, 114, 78, 100, 48, - ]; - let secpk1_fr: Vec = vec![ - 0x41, 0x41, 0x36, 0xD0, 0x8C, 0x5E, 0xD2, 0xBF, 0x3B, 0xA0, 0x48, 0xAF, 0xE6, 0xDC, 0xAE, - 0xBA, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, - ]; - let secpk1_fq: Vec = vec![ - 0x2F, 0xFC, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, - ]; - let secpr1_fq: Vec = vec![ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0xFF, 0xFF, - 0xFF, 0xFF, - ]; - let secpr1_fr: Vec = vec![ - 81, 37, 99, 252, 194, 202, 185, 243, 132, 158, 23, 167, 173, 250, 230, 188, 255, 255, 255, - 255, 255, 255, 255, 255, 0, 0, 0, 0, 255, 255, 255, 255, - ]; - - vec![bn254_fq, bn254_fr, secpk1_fr, secpk1_fq, secpr1_fq, secpr1_fr] -} - /// Whether to use a FunctionInput::constant or FunctionInput::witness: /// /// (value, use_constant) @@ -917,6 +921,7 @@ fn solve_array_input_blackbox_call( inputs: Vec, num_outputs: usize, num_bits: Option, + pedantic_solving: bool, f: F, ) -> Result, OpcodeResolutionError> where @@ -935,8 +940,14 @@ where let op = Opcode::BlackBoxFuncCall(f((inputs.clone(), outputs.clone()))?); let opcodes = vec![op]; let unconstrained_functions = vec![]; - let mut acvm = - ACVM::new(&Bn254BlackBoxSolver, &opcodes, initial_witness, &unconstrained_functions, &[]); + let mut acvm = ACVM::new( + &Bn254BlackBoxSolver, + &opcodes, + initial_witness, + &unconstrained_functions, + &[], + pedantic_solving, + ); let solver_status = acvm.solve(); assert_eq!(solver_status, ACVMStatus::Solved); let witness_map = acvm.finalize(); @@ -948,7 +959,7 @@ where } prop_compose! { - fn bigint_with_modulus()(modulus in select(allowed_bigint_moduli())) + fn bigint_with_modulus()(modulus in select(BigIntSolver::allowed_bigint_moduli())) (inputs in proptest::collection::vec(any::<(u8, bool)>(), modulus.len()), modulus in Just(modulus)) -> (Vec, Vec) { let inputs = inputs.into_iter().zip(modulus.iter()).map(|((input, use_constant), modulus_byte)| { @@ -1029,6 +1040,7 @@ fn bigint_solve_binary_op_opt( modulus: Vec, lhs: Vec, rhs: Vec, + pedantic_solving: bool, ) -> Result, OpcodeResolutionError> { let initial_witness_vec: Vec<_> = lhs .iter() @@ -1071,8 +1083,14 @@ fn bigint_solve_binary_op_opt( opcodes.push(bigint_to_op); let unconstrained_functions = vec![]; - let mut acvm = - ACVM::new(&StubbedBlackBoxSolver, &opcodes, initial_witness, &unconstrained_functions, &[]); + let mut acvm = ACVM::new( + &StubbedBlackBoxSolver, + &opcodes, + initial_witness, + &unconstrained_functions, + &[], + pedantic_solving, + ); let solver_status = acvm.solve(); assert_eq!(solver_status, ACVMStatus::Solved); let witness_map = acvm.finalize(); @@ -1114,8 +1132,15 @@ fn solve_blackbox_func_call( let op = Opcode::BlackBoxFuncCall(blackbox_func_call(lhs_opt, rhs_opt)?); let opcodes = vec![op]; let unconstrained_functions = vec![]; - let mut acvm = - ACVM::new(&StubbedBlackBoxSolver, &opcodes, initial_witness, &unconstrained_functions, &[]); + let pedantic_solving = true; + let mut acvm = ACVM::new( + &StubbedBlackBoxSolver, + &opcodes, + initial_witness, + &unconstrained_functions, + &[], + pedantic_solving, + ); let solver_status = acvm.solve(); assert_eq!(solver_status, ACVMStatus::Solved); let witness_map = acvm.finalize(); @@ -1213,10 +1238,12 @@ where fn run_both_poseidon2_permutations( inputs: Vec, ) -> Result<(Vec, Vec), OpcodeResolutionError> { + let pedantic_solving = true; let result = solve_array_input_blackbox_call( inputs.clone(), inputs.len(), None, + pedantic_solving, poseidon2_permutation_op, )?; @@ -1256,8 +1283,9 @@ fn bigint_solve_binary_op( modulus: Vec, lhs: Vec, rhs: Vec, + pedantic_solving: bool, ) -> Vec { - bigint_solve_binary_op_opt(Some(middle_op), modulus, lhs, rhs).unwrap() + bigint_solve_binary_op_opt(Some(middle_op), modulus, lhs, rhs, pedantic_solving).unwrap() } // Using the given BigInt modulus, solve the following circuit: @@ -1267,8 +1295,38 @@ fn bigint_solve_binary_op( fn bigint_solve_from_to_le_bytes( modulus: Vec, inputs: Vec, + pedantic_solving: bool, ) -> Vec { - bigint_solve_binary_op_opt(None, modulus, inputs, vec![]).unwrap() + bigint_solve_binary_op_opt(None, modulus, inputs, vec![], pedantic_solving).unwrap() +} + +// Test bigint_solve_from_to_le_bytes with a guaranteed-invalid modulus +// and optional pedantic_solving +fn bigint_from_to_le_bytes_disallowed_modulus_helper( + modulus: &mut Vec, + patch_location: usize, + patch_amount: u8, + zero_or_ones_constant: bool, + use_constant: bool, + pedantic_solving: bool, +) -> (Vec, Vec) { + let allowed_moduli: HashSet> = + BigIntSolver::allowed_bigint_moduli().into_iter().collect(); + let mut patch_location = patch_location % modulus.len(); + let patch_amount = patch_amount.clamp(1, u8::MAX); + while allowed_moduli.contains(modulus) { + modulus[patch_location] = patch_amount.wrapping_add(modulus[patch_location]); + patch_location += 1; + patch_location %= modulus.len(); + } + + let zero_function_input = + if zero_or_ones_constant { FieldElement::zero() } else { FieldElement::one() }; + let zero: Vec<_> = modulus.iter().map(|_| (zero_function_input, use_constant)).collect(); + let expected_results: Vec<_> = drop_use_constant(&zero); + let results = bigint_solve_from_to_le_bytes(modulus.clone(), zero, pedantic_solving); + + (results, expected_results) } fn function_input_from_option( @@ -1361,6 +1419,7 @@ fn prop_assert_injective( distinct_inputs: Vec, num_outputs: usize, num_bits: Option, + pedantic_solving: bool, op: F, ) -> (bool, String) where @@ -1372,11 +1431,22 @@ where { let equal_inputs = drop_use_constant_eq(&inputs, &distinct_inputs); let message = format!("not injective:\n{:?}\n{:?}", &inputs, &distinct_inputs); - let outputs_not_equal = - solve_array_input_blackbox_call(inputs, num_outputs, num_bits, op.clone()) - .expect("injectivity test operations to have valid input") - != solve_array_input_blackbox_call(distinct_inputs, num_outputs, num_bits, op) - .expect("injectivity test operations to have valid input"); + let outputs_not_equal = solve_array_input_blackbox_call( + inputs, + num_outputs, + num_bits, + pedantic_solving, + op.clone(), + ) + .expect("injectivity test operations to have valid input") + != solve_array_input_blackbox_call( + distinct_inputs, + num_outputs, + num_bits, + pedantic_solving, + op, + ) + .expect("injectivity test operations to have valid input"); (equal_inputs || outputs_not_equal, message) } @@ -1456,10 +1526,12 @@ fn poseidon2_permutation_zeroes() { #[test] fn sha256_compression_zeros() { + let pedantic_solving = true; let results = solve_array_input_blackbox_call( [(FieldElement::zero(), false); 24].try_into().unwrap(), 8, None, + pedantic_solving, sha256_compression_op, ); let expected_results: Vec<_> = vec![ @@ -1474,7 +1546,8 @@ fn sha256_compression_zeros() { #[test] fn blake2s_zeros() { - let results = solve_array_input_blackbox_call(vec![], 32, None, blake2s_op); + let pedantic_solving = true; + let results = solve_array_input_blackbox_call(vec![], 32, None, pedantic_solving, blake2s_op); let expected_results: Vec<_> = vec![ 105, 33, 122, 48, 121, 144, 128, 148, 225, 17, 33, 208, 66, 53, 74, 124, 31, 85, 182, 72, 44, 161, 165, 30, 27, 37, 13, 253, 30, 208, 238, 249, @@ -1487,7 +1560,8 @@ fn blake2s_zeros() { #[test] fn blake3_zeros() { - let results = solve_array_input_blackbox_call(vec![], 32, None, blake3_op); + let pedantic_solving = true; + let results = solve_array_input_blackbox_call(vec![], 32, None, pedantic_solving, blake3_op); let expected_results: Vec<_> = vec![ 175, 19, 73, 185, 245, 249, 161, 166, 160, 64, 77, 234, 54, 220, 201, 73, 155, 203, 37, 201, 173, 193, 18, 183, 204, 154, 147, 202, 228, 31, 50, 98, @@ -1500,10 +1574,12 @@ fn blake3_zeros() { #[test] fn keccakf1600_zeros() { + let pedantic_solving = true; let results = solve_array_input_blackbox_call( [(FieldElement::zero(), false); 25].into(), 25, Some(64), + pedantic_solving, keccakf1600_op, ); let expected_results: Vec<_> = vec![ @@ -1619,7 +1695,8 @@ proptest! { fn sha256_compression_injective(inputs_distinct_inputs in any_distinct_inputs(None, 24, 24)) { let (inputs, distinct_inputs) = inputs_distinct_inputs; if inputs.len() == 24 && distinct_inputs.len() == 24 { - let (result, message) = prop_assert_injective(inputs, distinct_inputs, 8, None, sha256_compression_op); + let pedantic_solving = true; + let (result, message) = prop_assert_injective(inputs, distinct_inputs, 8, None, pedantic_solving, sha256_compression_op); prop_assert!(result, "{}", message); } } @@ -1627,14 +1704,16 @@ proptest! { #[test] fn blake2s_injective(inputs_distinct_inputs in any_distinct_inputs(None, 0, 32)) { let (inputs, distinct_inputs) = inputs_distinct_inputs; - let (result, message) = prop_assert_injective(inputs, distinct_inputs, 32, None, blake2s_op); + let pedantic_solving = true; + let (result, message) = prop_assert_injective(inputs, distinct_inputs, 32, None, pedantic_solving, blake2s_op); prop_assert!(result, "{}", message); } #[test] fn blake3_injective(inputs_distinct_inputs in any_distinct_inputs(None, 0, 32)) { let (inputs, distinct_inputs) = inputs_distinct_inputs; - let (result, message) = prop_assert_injective(inputs, distinct_inputs, 32, None, blake3_op); + let pedantic_solving = true; + let (result, message) = prop_assert_injective(inputs, distinct_inputs, 32, None, pedantic_solving, blake3_op); prop_assert!(result, "{}", message); } @@ -1643,7 +1722,8 @@ proptest! { let (inputs, distinct_inputs) = inputs_distinct_inputs; assert_eq!(inputs.len(), 25); assert_eq!(distinct_inputs.len(), 25); - let (result, message) = prop_assert_injective(inputs, distinct_inputs, 25, Some(64), keccakf1600_op); + let pedantic_solving = true; + let (result, message) = prop_assert_injective(inputs, distinct_inputs, 25, Some(64), pedantic_solving, keccakf1600_op); prop_assert!(result, "{}", message); } @@ -1652,12 +1732,13 @@ proptest! { #[should_panic(expected = "Failure(BlackBoxFunctionFailed(Poseidon2Permutation, \"the number of inputs does not match specified length. 6 != 7\"))")] fn poseidon2_permutation_invalid_size_fails(inputs_distinct_inputs in any_distinct_inputs(None, 6, 6)) { let (inputs, distinct_inputs) = inputs_distinct_inputs; - let (result, message) = prop_assert_injective(inputs, distinct_inputs, 1, None, poseidon2_permutation_invalid_len_op); + let pedantic_solving = true; + let (result, message) = prop_assert_injective(inputs, distinct_inputs, 1, None, pedantic_solving, poseidon2_permutation_invalid_len_op); prop_assert!(result, "{}", message); } #[test] - fn bigint_from_to_le_bytes_zero_one(modulus in select(allowed_bigint_moduli()), zero_or_ones_constant: bool, use_constant: bool) { + fn bigint_from_to_le_bytes_zero_one(modulus in select(BigIntSolver::allowed_bigint_moduli()), zero_or_ones_constant: bool, use_constant: bool) { let zero_function_input = if zero_or_ones_constant { FieldElement::one() } else { @@ -1665,25 +1746,46 @@ proptest! { }; let zero_or_ones: Vec<_> = modulus.iter().map(|_| (zero_function_input, use_constant)).collect(); let expected_results = drop_use_constant(&zero_or_ones); - let results = bigint_solve_from_to_le_bytes(modulus.clone(), zero_or_ones); + let pedantic_solving = true; + let results = bigint_solve_from_to_le_bytes(modulus.clone(), zero_or_ones, pedantic_solving); prop_assert_eq!(results, expected_results) } #[test] fn bigint_from_to_le_bytes((input, modulus) in bigint_with_modulus()) { let expected_results: Vec<_> = drop_use_constant(&input); - let results = bigint_solve_from_to_le_bytes(modulus.clone(), input); + let pedantic_solving = true; + let results = bigint_solve_from_to_le_bytes(modulus.clone(), input, pedantic_solving); prop_assert_eq!(results, expected_results) } #[test] // TODO(https://github.com/noir-lang/noir/issues/5580): desired behavior? - fn bigint_from_to_le_bytes_extra_input_bytes((input, modulus) in bigint_with_modulus(), extra_bytes_len: u8, extra_bytes in proptest::collection::vec(any::<(u8, bool)>(), u8::MAX as usize)) { - let mut input = input; - let mut extra_bytes: Vec<_> = extra_bytes.into_iter().take(extra_bytes_len as usize).map(|(x, use_constant)| (FieldElement::from(x as u128), use_constant)).collect(); + fn bigint_from_to_le_bytes_extra_input_bytes((mut input, modulus) in bigint_with_modulus(), extra_bytes_len: u8, extra_bytes in proptest::collection::vec(any::<(u8, bool)>(), u8::MAX as usize)) { + let mut extra_bytes: Vec<_> = extra_bytes + .into_iter() + .take(extra_bytes_len as usize) + .map(|(x, use_constant)| (FieldElement::from(x as u128), use_constant)) + .collect(); input.append(&mut extra_bytes); let expected_results: Vec<_> = drop_use_constant(&input); - let results = bigint_solve_from_to_le_bytes(modulus.clone(), input); + let pedantic_solving = false; + let results = bigint_solve_from_to_le_bytes(modulus.clone(), input, pedantic_solving); + prop_assert_eq!(results, expected_results) + } + + #[test] + #[should_panic(expected = "--pedantic-solving: bigint_from_bytes: inputs.len() > modulus.len()")] + fn bigint_from_to_le_bytes_extra_input_bytes_with_pedantic((mut input, modulus) in bigint_with_modulus(), extra_bytes_len: u8, extra_bytes in proptest::collection::vec(any::<(u8, bool)>(), u8::MAX as usize)) { + let mut extra_bytes: Vec<_> = extra_bytes + .into_iter() + .take(extra_bytes_len as usize) + .map(|(x, use_constant)| (FieldElement::from(x as u128), use_constant)) + .collect(); + input.append(&mut extra_bytes); + let expected_results: Vec<_> = drop_use_constant(&input); + let pedantic_solving = true; + let results = bigint_solve_from_to_le_bytes(modulus.clone(), input, pedantic_solving); prop_assert_eq!(results, expected_results) } @@ -1696,94 +1798,109 @@ proptest! { let larger_value = FieldElement::from(std::cmp::max((u8::MAX as u16) + 1, larger_value) as u128); input[patch_location] = (larger_value, use_constant); let expected_results: Vec<_> = drop_use_constant(&input); - let results = bigint_solve_from_to_le_bytes(modulus.clone(), input); + let pedantic_solving = true; + let results = bigint_solve_from_to_le_bytes(modulus.clone(), input, pedantic_solving); prop_assert_eq!(results, expected_results) } #[test] // TODO(https://github.com/noir-lang/noir/issues/5578): this test attempts to use a guaranteed-invalid BigInt modulus // #[should_panic(expected = "attempt to add with overflow")] - fn bigint_from_to_le_bytes_disallowed_modulus(mut modulus in select(allowed_bigint_moduli()), patch_location: usize, patch_amount: u8, zero_or_ones_constant: bool, use_constant: bool) { - let allowed_moduli: HashSet> = allowed_bigint_moduli().into_iter().collect(); - let mut patch_location = patch_location % modulus.len(); - let patch_amount = patch_amount.clamp(1, u8::MAX); - while allowed_moduli.contains(&modulus) { - modulus[patch_location] = patch_amount.wrapping_add(modulus[patch_location]); - patch_location += 1; - patch_location %= modulus.len(); - } - - let zero_function_input = if zero_or_ones_constant { - FieldElement::zero() - } else { - FieldElement::one() - }; - let zero: Vec<_> = modulus.iter().map(|_| (zero_function_input, use_constant)).collect(); - let expected_results: Vec<_> = drop_use_constant(&zero); - let results = bigint_solve_from_to_le_bytes(modulus.clone(), zero); + fn bigint_from_to_le_bytes_disallowed_modulus(mut modulus in select(BigIntSolver::allowed_bigint_moduli()), patch_location: usize, patch_amount: u8, zero_or_ones_constant: bool, use_constant: bool) { + let pedantic_solving = false; + let (results, expected_results) = bigint_from_to_le_bytes_disallowed_modulus_helper( + &mut modulus, + patch_location, + patch_amount, + zero_or_ones_constant, + use_constant, + pedantic_solving, + ); + prop_assert_eq!(results, expected_results) + } + #[test] + #[should_panic(expected = "--pedantic-solving: bigint_from_bytes: disallowed modulus [")] + fn bigint_from_to_le_bytes_disallowed_modulus_panics_with_pedantic(mut modulus in select(BigIntSolver::allowed_bigint_moduli()), patch_location: usize, patch_amount: u8, zero_or_ones_constant: bool, use_constant: bool) { + let pedantic_solving = true; + let (results, expected_results) = bigint_from_to_le_bytes_disallowed_modulus_helper( + &mut modulus, + patch_location, + patch_amount, + zero_or_ones_constant, + use_constant, + pedantic_solving, + ); prop_assert_eq!(results, expected_results) } #[test] fn bigint_add_commutative((xs, ys, modulus) in bigint_pair_with_modulus()) { - let lhs_results = bigint_solve_binary_op(bigint_add_op(), modulus.clone(), xs.clone(), ys.clone()); - let rhs_results = bigint_solve_binary_op(bigint_add_op(), modulus, ys, xs); + let pedantic_solving = true; + let lhs_results = bigint_solve_binary_op(bigint_add_op(), modulus.clone(), xs.clone(), ys.clone(), pedantic_solving); + let rhs_results = bigint_solve_binary_op(bigint_add_op(), modulus, ys, xs, pedantic_solving); prop_assert_eq!(lhs_results, rhs_results) } #[test] fn bigint_mul_commutative((xs, ys, modulus) in bigint_pair_with_modulus()) { - let lhs_results = bigint_solve_binary_op(bigint_mul_op(), modulus.clone(), xs.clone(), ys.clone()); - let rhs_results = bigint_solve_binary_op(bigint_mul_op(), modulus, ys, xs); + let pedantic_solving = true; + let lhs_results = bigint_solve_binary_op(bigint_mul_op(), modulus.clone(), xs.clone(), ys.clone(), pedantic_solving); + let rhs_results = bigint_solve_binary_op(bigint_mul_op(), modulus, ys, xs, pedantic_solving); prop_assert_eq!(lhs_results, rhs_results) } #[test] fn bigint_add_associative((xs, ys, zs, modulus) in bigint_triple_with_modulus()) { + let pedantic_solving = true; + // f(f(xs, ys), zs) == - let op_xs_ys = bigint_solve_binary_op(bigint_add_op(), modulus.clone(), xs.clone(), ys.clone()); + let op_xs_ys = bigint_solve_binary_op(bigint_add_op(), modulus.clone(), xs.clone(), ys.clone(), pedantic_solving); let xs_ys = use_witnesses(op_xs_ys); - let op_xs_ys_op_zs = bigint_solve_binary_op(bigint_add_op(), modulus.clone(), xs_ys, zs.clone()); + let op_xs_ys_op_zs = bigint_solve_binary_op(bigint_add_op(), modulus.clone(), xs_ys, zs.clone(), pedantic_solving); // f(xs, f(ys, zs)) - let op_ys_zs = bigint_solve_binary_op(bigint_add_op(), modulus.clone(), ys.clone(), zs.clone()); + let op_ys_zs = bigint_solve_binary_op(bigint_add_op(), modulus.clone(), ys.clone(), zs.clone(), pedantic_solving); let ys_zs = use_witnesses(op_ys_zs); - let op_xs_op_ys_zs = bigint_solve_binary_op(bigint_add_op(), modulus, xs, ys_zs); + let op_xs_op_ys_zs = bigint_solve_binary_op(bigint_add_op(), modulus, xs, ys_zs, pedantic_solving); prop_assert_eq!(op_xs_ys_op_zs, op_xs_op_ys_zs) } #[test] fn bigint_mul_associative((xs, ys, zs, modulus) in bigint_triple_with_modulus()) { + let pedantic_solving = true; + // f(f(xs, ys), zs) == - let op_xs_ys = bigint_solve_binary_op(bigint_mul_op(), modulus.clone(), xs.clone(), ys.clone()); + let op_xs_ys = bigint_solve_binary_op(bigint_mul_op(), modulus.clone(), xs.clone(), ys.clone(), pedantic_solving); let xs_ys = use_witnesses(op_xs_ys); - let op_xs_ys_op_zs = bigint_solve_binary_op(bigint_mul_op(), modulus.clone(), xs_ys, zs.clone()); + let op_xs_ys_op_zs = bigint_solve_binary_op(bigint_mul_op(), modulus.clone(), xs_ys, zs.clone(), pedantic_solving); // f(xs, f(ys, zs)) - let op_ys_zs = bigint_solve_binary_op(bigint_mul_op(), modulus.clone(), ys.clone(), zs.clone()); + let op_ys_zs = bigint_solve_binary_op(bigint_mul_op(), modulus.clone(), ys.clone(), zs.clone(), pedantic_solving); let ys_zs = use_witnesses(op_ys_zs); - let op_xs_op_ys_zs = bigint_solve_binary_op(bigint_mul_op(), modulus, xs, ys_zs); + let op_xs_op_ys_zs = bigint_solve_binary_op(bigint_mul_op(), modulus, xs, ys_zs, pedantic_solving); prop_assert_eq!(op_xs_ys_op_zs, op_xs_op_ys_zs) } #[test] fn bigint_mul_add_distributive((xs, ys, zs, modulus) in bigint_triple_with_modulus()) { + let pedantic_solving = true; + // xs * (ys + zs) == - let add_ys_zs = bigint_solve_binary_op(bigint_add_op(), modulus.clone(), ys.clone(), zs.clone()); + let add_ys_zs = bigint_solve_binary_op(bigint_add_op(), modulus.clone(), ys.clone(), zs.clone(), pedantic_solving); let add_ys_zs = use_witnesses(add_ys_zs); - let mul_xs_add_ys_zs = bigint_solve_binary_op(bigint_mul_op(), modulus.clone(), xs.clone(), add_ys_zs); + let mul_xs_add_ys_zs = bigint_solve_binary_op(bigint_mul_op(), modulus.clone(), xs.clone(), add_ys_zs, pedantic_solving); // xs * ys + xs * zs - let mul_xs_ys = bigint_solve_binary_op(bigint_mul_op(), modulus.clone(), xs.clone(), ys); + let mul_xs_ys = bigint_solve_binary_op(bigint_mul_op(), modulus.clone(), xs.clone(), ys, pedantic_solving); let mul_xs_ys = use_witnesses(mul_xs_ys); - let mul_xs_zs = bigint_solve_binary_op(bigint_mul_op(), modulus.clone(), xs, zs); + let mul_xs_zs = bigint_solve_binary_op(bigint_mul_op(), modulus.clone(), xs, zs, pedantic_solving); let mul_xs_zs = use_witnesses(mul_xs_zs); - let add_mul_xs_ys_mul_xs_zs = bigint_solve_binary_op(bigint_add_op(), modulus, mul_xs_ys, mul_xs_zs); + let add_mul_xs_ys_mul_xs_zs = bigint_solve_binary_op(bigint_add_op(), modulus, mul_xs_ys, mul_xs_zs, pedantic_solving); prop_assert_eq!(mul_xs_add_ys_zs, add_mul_xs_ys_mul_xs_zs) } @@ -1793,7 +1910,8 @@ proptest! { fn bigint_add_zero_l((xs, modulus) in bigint_with_modulus()) { let zero = bigint_zeroed(&xs); let expected_results = drop_use_constant(&xs); - let results = bigint_solve_binary_op(bigint_add_op(), modulus, zero, xs); + let pedantic_solving = true; + let results = bigint_solve_binary_op(bigint_add_op(), modulus, zero, xs, pedantic_solving); prop_assert_eq!(results, expected_results) } @@ -1802,7 +1920,8 @@ proptest! { fn bigint_mul_zero_l((xs, modulus) in bigint_with_modulus()) { let zero = bigint_zeroed(&xs); let expected_results = drop_use_constant(&zero); - let results = bigint_solve_binary_op(bigint_mul_op(), modulus, zero, xs); + let pedantic_solving = true; + let results = bigint_solve_binary_op(bigint_mul_op(), modulus, zero, xs, pedantic_solving); prop_assert_eq!(results, expected_results) } @@ -1810,14 +1929,16 @@ proptest! { fn bigint_mul_one_l((xs, modulus) in bigint_with_modulus()) { let one = bigint_to_one(&xs); let expected_results: Vec<_> = drop_use_constant(&xs); - let results = bigint_solve_binary_op(bigint_mul_op(), modulus, one, xs); + let pedantic_solving = true; + let results = bigint_solve_binary_op(bigint_mul_op(), modulus, one, xs, pedantic_solving); prop_assert_eq!(results, expected_results) } #[test] fn bigint_sub_self((xs, modulus) in bigint_with_modulus()) { let expected_results = drop_use_constant(&bigint_zeroed(&xs)); - let results = bigint_solve_binary_op(bigint_sub_op(), modulus, xs.clone(), xs); + let pedantic_solving = true; + let results = bigint_solve_binary_op(bigint_sub_op(), modulus, xs.clone(), xs, pedantic_solving); prop_assert_eq!(results, expected_results) } @@ -1825,7 +1946,8 @@ proptest! { fn bigint_sub_zero((xs, modulus) in bigint_with_modulus()) { let zero = bigint_zeroed(&xs); let expected_results: Vec<_> = drop_use_constant(&xs); - let results = bigint_solve_binary_op(bigint_sub_op(), modulus, xs, zero); + let pedantic_solving = true; + let results = bigint_solve_binary_op(bigint_sub_op(), modulus, xs, zero, pedantic_solving); prop_assert_eq!(results, expected_results) } @@ -1833,14 +1955,16 @@ proptest! { fn bigint_sub_one((xs, modulus) in bigint_with_modulus()) { let one = bigint_to_one(&xs); let expected_results: Vec<_> = drop_use_constant(&xs); - let results = bigint_solve_binary_op(bigint_sub_op(), modulus, xs, one); + let pedantic_solving = true; + let results = bigint_solve_binary_op(bigint_sub_op(), modulus, xs, one, pedantic_solving); prop_assert!(results != expected_results, "{:?} == {:?}", results, expected_results) } #[test] fn bigint_div_self((xs, modulus) in bigint_with_modulus()) { let one = drop_use_constant(&bigint_to_one(&xs)); - let results = bigint_solve_binary_op(bigint_div_op(), modulus, xs.clone(), xs); + let pedantic_solving = true; + let results = bigint_solve_binary_op(bigint_div_op(), modulus, xs.clone(), xs, pedantic_solving); prop_assert_eq!(results, one) } @@ -1849,7 +1973,18 @@ proptest! { fn bigint_div_by_zero((xs, modulus) in bigint_with_modulus()) { let zero = bigint_zeroed(&xs); let expected_results = drop_use_constant(&zero); - let results = bigint_solve_binary_op(bigint_div_op(), modulus, xs, zero); + let pedantic_solving = false; + let results = bigint_solve_binary_op(bigint_div_op(), modulus, xs, zero, pedantic_solving); + prop_assert_eq!(results, expected_results) + } + + #[test] + #[should_panic(expected = "--pedantic-solving: BigIntDiv by zero")] + fn bigint_div_by_zero_with_pedantic((xs, modulus) in bigint_with_modulus()) { + let zero = bigint_zeroed(&xs); + let expected_results = drop_use_constant(&zero); + let pedantic_solving = true; + let results = bigint_solve_binary_op(bigint_div_op(), modulus, xs, zero, pedantic_solving); prop_assert_eq!(results, expected_results) } @@ -1857,7 +1992,8 @@ proptest! { fn bigint_div_one((xs, modulus) in bigint_with_modulus()) { let one = bigint_to_one(&xs); let expected_results = drop_use_constant(&xs); - let results = bigint_solve_binary_op(bigint_div_op(), modulus, xs, one); + let pedantic_solving = true; + let results = bigint_solve_binary_op(bigint_div_op(), modulus, xs, one, pedantic_solving); prop_assert_eq!(results, expected_results) } @@ -1865,16 +2001,18 @@ proptest! { fn bigint_div_zero((xs, modulus) in bigint_with_modulus()) { let zero = bigint_zeroed(&xs); let expected_results = drop_use_constant(&zero); - let results = bigint_solve_binary_op(bigint_div_op(), modulus, zero, xs); + let pedantic_solving = true; + let results = bigint_solve_binary_op(bigint_div_op(), modulus, zero, xs, pedantic_solving); prop_assert_eq!(results, expected_results) } #[test] fn bigint_add_sub((xs, ys, modulus) in bigint_pair_with_modulus()) { let expected_results = drop_use_constant(&xs); - let add_results = bigint_solve_binary_op(bigint_add_op(), modulus.clone(), xs, ys.clone()); + let pedantic_solving = true; + let add_results = bigint_solve_binary_op(bigint_add_op(), modulus.clone(), xs, ys.clone(), pedantic_solving); let add_bigint = use_witnesses(add_results); - let results = bigint_solve_binary_op(bigint_sub_op(), modulus, add_bigint, ys); + let results = bigint_solve_binary_op(bigint_sub_op(), modulus, add_bigint, ys, pedantic_solving); prop_assert_eq!(results, expected_results) } @@ -1882,9 +2020,10 @@ proptest! { #[test] fn bigint_sub_add((xs, ys, modulus) in bigint_pair_with_modulus()) { let expected_results = drop_use_constant(&xs); - let sub_results = bigint_solve_binary_op(bigint_sub_op(), modulus.clone(), xs, ys.clone()); + let pedantic_solving = true; + let sub_results = bigint_solve_binary_op(bigint_sub_op(), modulus.clone(), xs, ys.clone(), pedantic_solving); let add_bigint = use_witnesses(sub_results); - let results = bigint_solve_binary_op(bigint_add_op(), modulus, add_bigint, ys); + let results = bigint_solve_binary_op(bigint_add_op(), modulus, add_bigint, ys, pedantic_solving); prop_assert_eq!(results, expected_results) } @@ -1892,9 +2031,10 @@ proptest! { #[test] fn bigint_div_mul((xs, ys, modulus) in bigint_pair_with_modulus()) { let expected_results = drop_use_constant(&xs); - let div_results = bigint_solve_binary_op(bigint_div_op(), modulus.clone(), xs, ys.clone()); + let pedantic_solving = true; + let div_results = bigint_solve_binary_op(bigint_div_op(), modulus.clone(), xs, ys.clone(), pedantic_solving); let div_bigint = use_witnesses(div_results); - let results = bigint_solve_binary_op(bigint_mul_op(), modulus, div_bigint, ys); + let results = bigint_solve_binary_op(bigint_mul_op(), modulus, div_bigint, ys, pedantic_solving); prop_assert_eq!(results, expected_results) } @@ -1902,9 +2042,10 @@ proptest! { #[test] fn bigint_mul_div((xs, ys, modulus) in bigint_pair_with_modulus()) { let expected_results = drop_use_constant(&xs); - let mul_results = bigint_solve_binary_op(bigint_mul_op(), modulus.clone(), xs, ys.clone()); + let pedantic_solving = true; + let mul_results = bigint_solve_binary_op(bigint_mul_op(), modulus.clone(), xs, ys.clone(), pedantic_solving); let mul_bigint = use_witnesses(mul_results); - let results = bigint_solve_binary_op(bigint_div_op(), modulus, mul_bigint, ys); + let results = bigint_solve_binary_op(bigint_div_op(), modulus, mul_bigint, ys, pedantic_solving); prop_assert_eq!(results, expected_results) } diff --git a/acvm-repo/blackbox_solver/Cargo.toml b/acvm-repo/blackbox_solver/Cargo.toml index fe3a938c503..0ec7267506a 100644 --- a/acvm-repo/blackbox_solver/Cargo.toml +++ b/acvm-repo/blackbox_solver/Cargo.toml @@ -43,6 +43,7 @@ libaes = "0.7.0" [dev-dependencies] proptest.workspace = true +num-prime = { version = "0.4.4", default-features = false, features = ["big-int"] } [features] bn254 = ["acir/bn254"] diff --git a/acvm-repo/blackbox_solver/src/bigint.rs b/acvm-repo/blackbox_solver/src/bigint.rs index 30c92af15f5..c50b88e4043 100644 --- a/acvm-repo/blackbox_solver/src/bigint.rs +++ b/acvm-repo/blackbox_solver/src/bigint.rs @@ -50,7 +50,18 @@ impl BigIntSolver { inputs: &[u8], modulus: &[u8], output: u32, + pedantic_solving: bool, ) -> Result<(), BlackBoxResolutionError> { + if pedantic_solving && (!self.is_valid_modulus(modulus) || inputs.len() > modulus.len()) { + if !self.is_valid_modulus(modulus) { + panic!("--pedantic-solving: bigint_from_bytes: disallowed modulus {:?}", modulus); + } else { + panic!( + "--pedantic-solving: bigint_from_bytes: inputs.len() > modulus.len() {:?}", + (inputs.len(), modulus.len()) + ); + } + } let bigint = BigUint::from_bytes_le(inputs); self.bigint_id_to_value.insert(output, bigint); let modulus = BigUint::from_bytes_le(modulus); @@ -69,6 +80,7 @@ impl BigIntSolver { rhs: u32, output: u32, func: BlackBoxFunc, + pedantic_solving: bool, ) -> Result<(), BlackBoxResolutionError> { let modulus = self.get_modulus(lhs, func)?; let lhs = self.get_bigint(lhs, func)?; @@ -84,8 +96,11 @@ impl BigIntSolver { } BlackBoxFunc::BigIntMul => lhs * rhs, BlackBoxFunc::BigIntDiv => { + if pedantic_solving && rhs == BigUint::ZERO { + panic!("--pedantic-solving: BigIntDiv by zero"); + } lhs * rhs.modpow(&(&modulus - BigUint::from(2_u32)), &modulus) - } //TODO ensure that modulus is prime + } _ => unreachable!("ICE - bigint_op must be called for an operation"), }; if result > modulus { @@ -97,9 +112,40 @@ impl BigIntSolver { Ok(()) } + pub fn allowed_bigint_moduli() -> Vec> { + let bn254_fq: Vec = vec![ + 0x47, 0xFD, 0x7C, 0xD8, 0x16, 0x8C, 0x20, 0x3C, 0x8d, 0xca, 0x71, 0x68, 0x91, 0x6a, + 0x81, 0x97, 0x5d, 0x58, 0x81, 0x81, 0xb6, 0x45, 0x50, 0xb8, 0x29, 0xa0, 0x31, 0xe1, + 0x72, 0x4e, 0x64, 0x30, + ]; + let bn254_fr: Vec = vec![ + 1, 0, 0, 240, 147, 245, 225, 67, 145, 112, 185, 121, 72, 232, 51, 40, 93, 88, 129, 129, + 182, 69, 80, 184, 41, 160, 49, 225, 114, 78, 100, 48, + ]; + let secpk1_fr: Vec = vec![ + 0x41, 0x41, 0x36, 0xD0, 0x8C, 0x5E, 0xD2, 0xBF, 0x3B, 0xA0, 0x48, 0xAF, 0xE6, 0xDC, + 0xAE, 0xBA, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, + ]; + let secpk1_fq: Vec = vec![ + 0x2F, 0xFC, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, + ]; + let secpr1_fq: Vec = vec![ + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0xFF, 0xFF, 0xFF, 0xFF, + ]; + let secpr1_fr: Vec = vec![ + 81, 37, 99, 252, 194, 202, 185, 243, 132, 158, 23, 167, 173, 250, 230, 188, 255, 255, + 255, 255, 255, 255, 255, 255, 0, 0, 0, 0, 255, 255, 255, 255, + ]; + vec![bn254_fq, bn254_fr, secpk1_fr, secpk1_fq, secpr1_fq, secpr1_fr] + } + pub fn is_valid_modulus(&self, modulus: &[u8]) -> bool { - let modulus = BigUint::from_bytes_le(modulus); - self.bigint_id_to_modulus.values().any(|value| modulus == *value) + Self::allowed_bigint_moduli().into_iter().any(|allowed_modulus| allowed_modulus == modulus) } } @@ -121,9 +167,10 @@ impl BigIntSolverWithId { &mut self, inputs: &[u8], modulus: &[u8], + pedantic_solving: bool, ) -> Result { let id = self.create_bigint_id(); - self.solver.bigint_from_bytes(inputs, modulus, id)?; + self.solver.bigint_from_bytes(inputs, modulus, id, pedantic_solving)?; Ok(id) } @@ -136,6 +183,7 @@ impl BigIntSolverWithId { lhs: u32, rhs: u32, func: BlackBoxFunc, + pedantic_solving: bool, ) -> Result { let modulus_lhs = self.solver.get_modulus(lhs, func)?; let modulus_rhs = self.solver.get_modulus(rhs, func)?; @@ -146,7 +194,27 @@ impl BigIntSolverWithId { )); } let id = self.create_bigint_id(); - self.solver.bigint_op(lhs, rhs, id, func)?; + self.solver.bigint_op(lhs, rhs, id, func, pedantic_solving)?; Ok(id) } } + +#[test] +fn all_allowed_bigint_moduli_are_prime() { + use num_prime::nt_funcs::is_prime; + use num_prime::Primality; + + for modulus in BigIntSolver::allowed_bigint_moduli() { + let modulus = BigUint::from_bytes_le(&modulus); + let prime_test_config = None; + match is_prime(&modulus, prime_test_config) { + Primality::Yes => (), + Primality::No => panic!("not all allowed_bigint_moduli are prime"), + Primality::Probable(probability) => { + if probability < 0.90 { + panic!("not all allowed_bigint_moduli are prime within the allowed probability: {} < 0.90", probability); + } + } + } + } +} diff --git a/acvm-repo/blackbox_solver/src/curve_specific_solver.rs b/acvm-repo/blackbox_solver/src/curve_specific_solver.rs index 869017f52ee..77fc54ac133 100644 --- a/acvm-repo/blackbox_solver/src/curve_specific_solver.rs +++ b/acvm-repo/blackbox_solver/src/curve_specific_solver.rs @@ -19,6 +19,7 @@ pub trait BlackBoxFunctionSolver { points: &[F], scalars_lo: &[F], scalars_hi: &[F], + pedantic_solving: bool, ) -> Result<(F, F, F), BlackBoxResolutionError>; fn ec_add( &self, @@ -62,6 +63,7 @@ impl BlackBoxFunctionSolver for StubbedBlackBoxSolver { _points: &[F], _scalars_lo: &[F], _scalars_hi: &[F], + _pedantic_solving: bool, ) -> Result<(F, F, F), BlackBoxResolutionError> { Err(Self::fail(BlackBoxFunc::MultiScalarMul)) } diff --git a/acvm-repo/bn254_blackbox_solver/src/lib.rs b/acvm-repo/bn254_blackbox_solver/src/lib.rs index d74c17a52b5..d76ac85c12b 100644 --- a/acvm-repo/bn254_blackbox_solver/src/lib.rs +++ b/acvm-repo/bn254_blackbox_solver/src/lib.rs @@ -48,6 +48,8 @@ impl BlackBoxFunctionSolver for Bn254BlackBoxSolver { points: &[FieldElement], scalars_lo: &[FieldElement], scalars_hi: &[FieldElement], + // check in local multi_scalar_mul + _pedantic_solving: bool, ) -> Result<(FieldElement, FieldElement, FieldElement), BlackBoxResolutionError> { multi_scalar_mul(points, scalars_lo, scalars_hi) } diff --git a/acvm-repo/brillig_vm/src/black_box.rs b/acvm-repo/brillig_vm/src/black_box.rs index 19e2dd7553d..8107cc00ad2 100644 --- a/acvm-repo/brillig_vm/src/black_box.rs +++ b/acvm-repo/brillig_vm/src/black_box.rs @@ -45,6 +45,7 @@ pub(crate) fn evaluate_black_box solver: &Solver, memory: &mut Memory, bigint_solver: &mut BrilligBigIntSolver, + pedantic_solving: bool, ) -> Result<(), BlackBoxResolutionError> { match op { BlackBoxOp::AES128Encrypt { inputs, iv, key, outputs } => { @@ -178,7 +179,8 @@ pub(crate) fn evaluate_black_box scalars_hi.push(*scalar); } } - let (x, y, is_infinite) = solver.multi_scalar_mul(&points, &scalars_lo, &scalars_hi)?; + let (x, y, is_infinite) = + solver.multi_scalar_mul(&points, &scalars_lo, &scalars_hi, pedantic_solving)?; memory.write_slice( memory.read_ref(result.pointer), &[ @@ -226,7 +228,8 @@ pub(crate) fn evaluate_black_box let lhs = memory.read(*lhs).try_into().unwrap(); let rhs = memory.read(*rhs).try_into().unwrap(); - let new_id = bigint_solver.bigint_op(lhs, rhs, BlackBoxFunc::BigIntAdd)?; + let new_id = + bigint_solver.bigint_op(lhs, rhs, BlackBoxFunc::BigIntAdd, pedantic_solving)?; memory.write(*output, new_id.into()); Ok(()) } @@ -234,7 +237,8 @@ pub(crate) fn evaluate_black_box let lhs = memory.read(*lhs).try_into().unwrap(); let rhs = memory.read(*rhs).try_into().unwrap(); - let new_id = bigint_solver.bigint_op(lhs, rhs, BlackBoxFunc::BigIntSub)?; + let new_id = + bigint_solver.bigint_op(lhs, rhs, BlackBoxFunc::BigIntSub, pedantic_solving)?; memory.write(*output, new_id.into()); Ok(()) } @@ -242,7 +246,8 @@ pub(crate) fn evaluate_black_box let lhs = memory.read(*lhs).try_into().unwrap(); let rhs = memory.read(*rhs).try_into().unwrap(); - let new_id = bigint_solver.bigint_op(lhs, rhs, BlackBoxFunc::BigIntMul)?; + let new_id = + bigint_solver.bigint_op(lhs, rhs, BlackBoxFunc::BigIntMul, pedantic_solving)?; memory.write(*output, new_id.into()); Ok(()) } @@ -250,7 +255,8 @@ pub(crate) fn evaluate_black_box let lhs = memory.read(*lhs).try_into().unwrap(); let rhs = memory.read(*rhs).try_into().unwrap(); - let new_id = bigint_solver.bigint_op(lhs, rhs, BlackBoxFunc::BigIntDiv)?; + let new_id = + bigint_solver.bigint_op(lhs, rhs, BlackBoxFunc::BigIntDiv, pedantic_solving)?; memory.write(*output, new_id.into()); Ok(()) } @@ -260,7 +266,7 @@ pub(crate) fn evaluate_black_box let modulus = read_heap_vector(memory, modulus); let modulus: Vec = modulus.iter().map(|&x| x.try_into().unwrap()).collect(); - let new_id = bigint_solver.bigint_from_bytes(&input, &modulus)?; + let new_id = bigint_solver.bigint_from_bytes(&input, &modulus, pedantic_solving)?; memory.write(*output, new_id.into()); Ok(()) diff --git a/acvm-repo/brillig_vm/src/lib.rs b/acvm-repo/brillig_vm/src/lib.rs index 5b3688339b5..dda381e6226 100644 --- a/acvm-repo/brillig_vm/src/lib.rs +++ b/acvm-repo/brillig_vm/src/lib.rs @@ -100,6 +100,8 @@ pub struct VM<'a, F, B: BlackBoxFunctionSolver> { profiling_active: bool, // Samples for profiling the VM execution. profiling_samples: BrilligProfilingSamples, + // Use pedantic ACVM solving + pedantic_solving: bool, } impl<'a, F: AcirField, B: BlackBoxFunctionSolver> VM<'a, F, B> { @@ -110,6 +112,7 @@ impl<'a, F: AcirField, B: BlackBoxFunctionSolver> VM<'a, F, B> { foreign_call_results: Vec>, black_box_solver: &'a B, profiling_active: bool, + pedantic_solving: bool, ) -> Self { Self { calldata, @@ -124,6 +127,7 @@ impl<'a, F: AcirField, B: BlackBoxFunctionSolver> VM<'a, F, B> { bigint_solver: Default::default(), profiling_active, profiling_samples: Vec::with_capacity(bytecode.len()), + pedantic_solving, } } @@ -405,6 +409,7 @@ impl<'a, F: AcirField, B: BlackBoxFunctionSolver> VM<'a, F, B> { self.black_box_solver, &mut self.memory, &mut self.bigint_solver, + self.pedantic_solving, ) { Ok(()) => self.increment_program_counter(), Err(e) => self.fail(e.to_string()), diff --git a/compiler/noirc_driver/src/lib.rs b/compiler/noirc_driver/src/lib.rs index 29a46fdca2d..4cf97fccf08 100644 --- a/compiler/noirc_driver/src/lib.rs +++ b/compiler/noirc_driver/src/lib.rs @@ -314,6 +314,7 @@ pub fn check_crate( context, options.debug_comptime_in_file.as_deref(), error_on_unused_imports, + options.pedantic_solving, ); errors.extend(diagnostics.into_iter().map(|(error, file_id)| { let diagnostic = CustomDiagnostic::from(&error); diff --git a/compiler/noirc_evaluator/src/acir/acir_variable.rs b/compiler/noirc_evaluator/src/acir/acir_variable.rs index 9f2c649ee3e..089e5a7a81f 100644 --- a/compiler/noirc_evaluator/src/acir/acir_variable.rs +++ b/compiler/noirc_evaluator/src/acir/acir_variable.rs @@ -134,6 +134,9 @@ pub(crate) struct AcirContext> { expression_width: ExpressionWidth, pub(crate) warnings: Vec, + + // Use pedantic ACVM solving + pedantic_solving: bool, } impl> AcirContext { @@ -1893,7 +1896,9 @@ impl> AcirContext { inputs: &[BrilligInputs], outputs_types: &[AcirType], ) -> Option> { - let mut memory = (execute_brillig(code, &self.blackbox_solver, inputs)?).into_iter(); + let mut memory = + (execute_brillig(code, &self.blackbox_solver, inputs, self.pedantic_solving)?) + .into_iter(); let outputs_var = vecmap(outputs_types.iter(), |output| match output { AcirType::NumericType(_) => { @@ -2190,6 +2195,7 @@ fn execute_brillig>( code: &[BrilligOpcode], blackbox_solver: &B, inputs: &[BrilligInputs], + pedantic_solving: bool, ) -> Option>> { // Set input values let mut calldata: Vec = Vec::new(); @@ -2215,7 +2221,8 @@ fn execute_brillig>( // Instantiate a Brillig VM given the solved input registers and memory, along with the Brillig bytecode. let profiling_active = false; - let mut vm = VM::new(calldata, code, Vec::new(), blackbox_solver, profiling_active); + let mut vm = + VM::new(calldata, code, Vec::new(), blackbox_solver, profiling_active, pedantic_solving); // Run the Brillig VM on these inputs, bytecode, etc! let vm_status = vm.process_opcodes(); diff --git a/compiler/noirc_evaluator/src/ssa/ir/instruction/call/blackbox.rs b/compiler/noirc_evaluator/src/ssa/ir/instruction/call/blackbox.rs index 301b75e0bd4..60444b91cce 100644 --- a/compiler/noirc_evaluator/src/ssa/ir/instruction/call/blackbox.rs +++ b/compiler/noirc_evaluator/src/ssa/ir/instruction/call/blackbox.rs @@ -99,8 +99,9 @@ pub(super) fn simplify_msm( } } + let pedantic_solving = true; let Ok((result_x, result_y, result_is_infinity)) = - solver.multi_scalar_mul(&points, &scalars_lo, &scalars_hi) + solver.multi_scalar_mul(&points, &scalars_lo, &scalars_hi, pedantic_solving) else { return SimplifyResult::None; }; diff --git a/compiler/noirc_evaluator/src/ssa/opt/constant_folding.rs b/compiler/noirc_evaluator/src/ssa/opt/constant_folding.rs index d1d84c305d2..3e216893e6b 100644 --- a/compiler/noirc_evaluator/src/ssa/opt/constant_folding.rs +++ b/compiler/noirc_evaluator/src/ssa/opt/constant_folding.rs @@ -620,8 +620,15 @@ impl<'brillig> Context<'brillig> { let foreign_call_results = Vec::new(); let black_box_solver = Bn254BlackBoxSolver; let profiling_active = false; - let mut vm = - VM::new(calldata, bytecode, foreign_call_results, &black_box_solver, profiling_active); + let pedantic_solving = true; + let mut vm = VM::new( + calldata, + bytecode, + foreign_call_results, + &black_box_solver, + profiling_active, + pedantic_solving, + ); let vm_status: VMStatus<_> = vm.process_opcodes(); let VMStatus::Finished { return_data_offset, return_data_size } = vm_status else { return EvaluationResult::CannotEvaluate(*func_id); diff --git a/compiler/noirc_frontend/src/elaborator/comptime.rs b/compiler/noirc_frontend/src/elaborator/comptime.rs index 962356d6dd9..bbbb1063529 100644 --- a/compiler/noirc_frontend/src/elaborator/comptime.rs +++ b/compiler/noirc_frontend/src/elaborator/comptime.rs @@ -94,6 +94,7 @@ impl<'context> Elaborator<'context> { self.crate_id, self.debug_comptime_in_file, self.interpreter_call_stack.clone(), + self.pedantic_solving, ); elaborator.function_context.push(FunctionContext::default()); @@ -479,7 +480,7 @@ impl<'context> Elaborator<'context> { Some(DependencyId::Function(function)) => Some(function), _ => None, }; - Interpreter::new(self, self.crate_id, current_function) + Interpreter::new(self, self.crate_id, current_function, self.pedantic_solving) } pub(super) fn debug_comptime T>( diff --git a/compiler/noirc_frontend/src/elaborator/mod.rs b/compiler/noirc_frontend/src/elaborator/mod.rs index 478504a79be..fa5903e4718 100644 --- a/compiler/noirc_frontend/src/elaborator/mod.rs +++ b/compiler/noirc_frontend/src/elaborator/mod.rs @@ -170,6 +170,9 @@ pub struct Elaborator<'context> { /// like `Foo { inner: 5 }`: in that case we already elaborated the code that led to /// that comptime value and any visibility errors were already reported. silence_field_visibility_errors: usize, + + /// Use pedantic ACVM solving + pedantic_solving: bool, } #[derive(Default)] @@ -194,6 +197,7 @@ impl<'context> Elaborator<'context> { crate_id: CrateId, debug_comptime_in_file: Option, interpreter_call_stack: im::Vector, + pedantic_solving: bool, ) -> Self { Self { scopes: ScopeForest::default(), @@ -220,6 +224,7 @@ impl<'context> Elaborator<'context> { interpreter_call_stack, in_comptime_context: false, silence_field_visibility_errors: 0, + pedantic_solving, } } @@ -227,6 +232,7 @@ impl<'context> Elaborator<'context> { context: &'context mut Context, crate_id: CrateId, debug_comptime_in_file: Option, + pedantic_solving: bool, ) -> Self { Self::new( &mut context.def_interner, @@ -235,6 +241,7 @@ impl<'context> Elaborator<'context> { crate_id, debug_comptime_in_file, im::Vector::new(), + pedantic_solving, ) } @@ -243,8 +250,16 @@ impl<'context> Elaborator<'context> { crate_id: CrateId, items: CollectedItems, debug_comptime_in_file: Option, + pedantic_solving: bool, ) -> Vec<(CompilationError, FileId)> { - Self::elaborate_and_return_self(context, crate_id, items, debug_comptime_in_file).errors + Self::elaborate_and_return_self( + context, + crate_id, + items, + debug_comptime_in_file, + pedantic_solving, + ) + .errors } pub fn elaborate_and_return_self( @@ -252,8 +267,10 @@ impl<'context> Elaborator<'context> { crate_id: CrateId, items: CollectedItems, debug_comptime_in_file: Option, + pedantic_solving: bool, ) -> Self { - let mut this = Self::from_context(context, crate_id, debug_comptime_in_file); + let mut this = + Self::from_context(context, crate_id, debug_comptime_in_file, pedantic_solving); this.elaborate_items(items); this.check_and_pop_function_context(); this diff --git a/compiler/noirc_frontend/src/hir/comptime/interpreter.rs b/compiler/noirc_frontend/src/hir/comptime/interpreter.rs index 49fd86b73bb..e7b40528137 100644 --- a/compiler/noirc_frontend/src/hir/comptime/interpreter.rs +++ b/compiler/noirc_frontend/src/hir/comptime/interpreter.rs @@ -66,6 +66,9 @@ pub struct Interpreter<'local, 'interner> { /// Stateful bigint calculator. bigint_solver: BigIntSolverWithId, + + /// Use pedantic ACVM solving + pedantic_solving: bool, } #[allow(unused)] @@ -74,6 +77,7 @@ impl<'local, 'interner> Interpreter<'local, 'interner> { elaborator: &'local mut Elaborator<'interner>, crate_id: CrateId, current_function: Option, + pedantic_solving: bool, ) -> Self { Self { elaborator, @@ -82,6 +86,7 @@ impl<'local, 'interner> Interpreter<'local, 'interner> { bound_generics: Vec::new(), in_loop: false, bigint_solver: BigIntSolverWithId::default(), + pedantic_solving, } } diff --git a/compiler/noirc_frontend/src/hir/comptime/interpreter/foreign.rs b/compiler/noirc_frontend/src/hir/comptime/interpreter/foreign.rs index d2611f72535..5c9520981af 100644 --- a/compiler/noirc_frontend/src/hir/comptime/interpreter/foreign.rs +++ b/compiler/noirc_frontend/src/hir/comptime/interpreter/foreign.rs @@ -40,6 +40,7 @@ impl<'local, 'context> Interpreter<'local, 'context> { arguments, return_type, location, + self.pedantic_solving, ) } } @@ -52,19 +53,33 @@ fn call_foreign( args: Vec<(Value, Location)>, return_type: Type, location: Location, + pedantic_solving: bool, ) -> IResult { use BlackBoxFunc::*; match name { "aes128_encrypt" => aes128_encrypt(interner, args, location), - "bigint_from_le_bytes" => { - bigint_from_le_bytes(interner, bigint_solver, args, return_type, location) - } + "bigint_from_le_bytes" => bigint_from_le_bytes( + interner, + bigint_solver, + args, + return_type, + location, + pedantic_solving, + ), "bigint_to_le_bytes" => bigint_to_le_bytes(bigint_solver, args, location), - "bigint_add" => bigint_op(bigint_solver, BigIntAdd, args, return_type, location), - "bigint_sub" => bigint_op(bigint_solver, BigIntSub, args, return_type, location), - "bigint_mul" => bigint_op(bigint_solver, BigIntMul, args, return_type, location), - "bigint_div" => bigint_op(bigint_solver, BigIntDiv, args, return_type, location), + "bigint_add" => { + bigint_op(bigint_solver, BigIntAdd, args, return_type, location, pedantic_solving) + } + "bigint_sub" => { + bigint_op(bigint_solver, BigIntSub, args, return_type, location, pedantic_solving) + } + "bigint_mul" => { + bigint_op(bigint_solver, BigIntMul, args, return_type, location, pedantic_solving) + } + "bigint_div" => { + bigint_op(bigint_solver, BigIntDiv, args, return_type, location, pedantic_solving) + } "blake2s" => blake_hash(interner, args, location, acvm::blackbox_solver::blake2s), "blake3" => blake_hash(interner, args, location, acvm::blackbox_solver::blake3), "ecdsa_secp256k1" => ecdsa_secp256_verify( @@ -80,7 +95,7 @@ fn call_foreign( acvm::blackbox_solver::ecdsa_secp256r1_verify, ), "embedded_curve_add" => embedded_curve_add(args, location), - "multi_scalar_mul" => multi_scalar_mul(interner, args, location), + "multi_scalar_mul" => multi_scalar_mul(interner, args, location, pedantic_solving), "poseidon2_permutation" => poseidon2_permutation(interner, args, location), "keccakf1600" => keccakf1600(interner, args, location), "range" => apply_range_constraint(args, location), @@ -148,6 +163,7 @@ fn bigint_from_le_bytes( arguments: Vec<(Value, Location)>, return_type: Type, location: Location, + pedantic_solving: bool, ) -> IResult { let (bytes, modulus) = check_two_arguments(arguments, location)?; @@ -155,7 +171,7 @@ fn bigint_from_le_bytes( let (modulus, _) = get_slice_map(interner, modulus, get_u8)?; let id = solver - .bigint_from_bytes(&bytes, &modulus) + .bigint_from_bytes(&bytes, &modulus, pedantic_solving) .map_err(|e| InterpreterError::BlackBoxError(e, location))?; Ok(to_bigint(id, return_type)) @@ -191,6 +207,7 @@ fn bigint_op( arguments: Vec<(Value, Location)>, return_type: Type, location: Location, + pedantic_solving: bool, ) -> IResult { let (lhs, rhs) = check_two_arguments(arguments, location)?; @@ -198,7 +215,7 @@ fn bigint_op( let rhs = get_bigint_id(rhs)?; let id = solver - .bigint_op(lhs, rhs, func) + .bigint_op(lhs, rhs, func, pedantic_solving) .map_err(|e| InterpreterError::BlackBoxError(e, location))?; Ok(to_bigint(id, return_type)) @@ -293,6 +310,7 @@ fn multi_scalar_mul( interner: &mut NodeInterner, arguments: Vec<(Value, Location)>, location: Location, + pedantic_solving: bool, ) -> IResult { let (points, scalars) = check_two_arguments(arguments, location)?; @@ -308,7 +326,7 @@ fn multi_scalar_mul( } let (x, y, inf) = Bn254BlackBoxSolver - .multi_scalar_mul(&points, &scalars_lo, &scalars_hi) + .multi_scalar_mul(&points, &scalars_lo, &scalars_hi, pedantic_solving) .map_err(|e| InterpreterError::BlackBoxError(e, location))?; Ok(to_field_array(&[x, y, inf])) @@ -436,6 +454,7 @@ mod tests { for blackbox in BlackBoxFunc::iter() { let name = blackbox.name(); + let pedantic_solving = true; match call_foreign( interpreter.elaborator.interner, &mut interpreter.bigint_solver, @@ -443,6 +462,7 @@ mod tests { Vec::new(), Type::Unit, no_location, + pedantic_solving, ) { Ok(_) => { // Exists and works with no args (unlikely) diff --git a/compiler/noirc_frontend/src/hir/comptime/tests.rs b/compiler/noirc_frontend/src/hir/comptime/tests.rs index 2d3bf928917..ce8d43e56d5 100644 --- a/compiler/noirc_frontend/src/hir/comptime/tests.rs +++ b/compiler/noirc_frontend/src/hir/comptime/tests.rs @@ -58,8 +58,14 @@ pub(crate) fn with_interpreter( let main = context.get_main_function(&krate).expect("Expected 'main' function"); - let mut elaborator = - Elaborator::elaborate_and_return_self(&mut context, krate, collector.items, None); + let pedantic_solving = true; + let mut elaborator = Elaborator::elaborate_and_return_self( + &mut context, + krate, + collector.items, + None, + pedantic_solving, + ); let errors = elaborator.errors.clone(); diff --git a/compiler/noirc_frontend/src/hir/def_collector/dc_crate.rs b/compiler/noirc_frontend/src/hir/def_collector/dc_crate.rs index 51e62599b05..8d53af3b7f1 100644 --- a/compiler/noirc_frontend/src/hir/def_collector/dc_crate.rs +++ b/compiler/noirc_frontend/src/hir/def_collector/dc_crate.rs @@ -273,6 +273,7 @@ impl DefCollector { ast: SortedModule, root_file_id: FileId, debug_comptime_in_file: Option<&str>, + pedantic_solving: bool, error_on_unused_items: bool, ) -> Vec<(CompilationError, FileId)> { let mut errors: Vec<(CompilationError, FileId)> = vec![]; @@ -291,6 +292,7 @@ impl DefCollector { dep.crate_id, context, debug_comptime_in_file, + pedantic_solving, error_on_usage_tracker, )); @@ -457,8 +459,13 @@ impl DefCollector { }) }); - let mut more_errors = - Elaborator::elaborate(context, crate_id, def_collector.items, debug_comptime_in_file); + let mut more_errors = Elaborator::elaborate( + context, + crate_id, + def_collector.items, + debug_comptime_in_file, + pedantic_solving, + ); errors.append(&mut more_errors); diff --git a/compiler/noirc_frontend/src/hir/def_map/mod.rs b/compiler/noirc_frontend/src/hir/def_map/mod.rs index 3bb16a92fdb..e87779a0efa 100644 --- a/compiler/noirc_frontend/src/hir/def_map/mod.rs +++ b/compiler/noirc_frontend/src/hir/def_map/mod.rs @@ -78,6 +78,7 @@ impl CrateDefMap { crate_id: CrateId, context: &mut Context, debug_comptime_in_file: Option<&str>, + pedantic_solving: bool, error_on_unused_imports: bool, ) -> Vec<(CompilationError, FileId)> { // Check if this Crate has already been compiled @@ -121,6 +122,7 @@ impl CrateDefMap { ast, root_file_id, debug_comptime_in_file, + pedantic_solving, error_on_unused_imports, )); diff --git a/compiler/noirc_frontend/src/tests.rs b/compiler/noirc_frontend/src/tests.rs index cba29d58ea3..abbfcdff260 100644 --- a/compiler/noirc_frontend/src/tests.rs +++ b/compiler/noirc_frontend/src/tests.rs @@ -114,6 +114,7 @@ pub(crate) fn get_program_with_maybe_parser_errors( }; let debug_comptime_in_file = None; + let pedantic_solving = true; let error_on_unused_imports = true; // Now we want to populate the CrateDefMap using the DefCollector @@ -123,6 +124,7 @@ pub(crate) fn get_program_with_maybe_parser_errors( program.clone().into_sorted(), root_file_id, debug_comptime_in_file, + pedantic_solving, error_on_unused_imports, )); } diff --git a/tooling/acvm_cli/src/cli/execute_cmd.rs b/tooling/acvm_cli/src/cli/execute_cmd.rs index c5795714545..7d2abd9fc37 100644 --- a/tooling/acvm_cli/src/cli/execute_cmd.rs +++ b/tooling/acvm_cli/src/cli/execute_cmd.rs @@ -45,7 +45,8 @@ pub(crate) struct ExecuteCommand { fn run_command(args: ExecuteCommand) -> Result { let bytecode = read_bytecode_from_file(&args.working_directory, &args.bytecode)?; let circuit_inputs = read_inputs_from_file(&args.working_directory, &args.input_witness)?; - let output_witness = execute_program_from_witness(circuit_inputs, &bytecode, args.pedantic_solving)?; + let output_witness = + execute_program_from_witness(circuit_inputs, &bytecode, args.pedantic_solving)?; assert_eq!(output_witness.length(), 1, "ACVM CLI only supports a witness stack of size 1"); let output_witness_string = create_output_witness_string( &output_witness.peek().expect("Should have a witness stack item").witness, diff --git a/tooling/lsp/src/solver.rs b/tooling/lsp/src/solver.rs index 3c2d7499880..8cdcb6cb658 100644 --- a/tooling/lsp/src/solver.rs +++ b/tooling/lsp/src/solver.rs @@ -21,11 +21,12 @@ impl BlackBoxFunctionSolver for WrapperSolver { points: &[acvm::FieldElement], scalars_lo: &[acvm::FieldElement], scalars_hi: &[acvm::FieldElement], + pedantic_solving: bool, ) -> Result< (acvm::FieldElement, acvm::FieldElement, acvm::FieldElement), acvm::BlackBoxResolutionError, > { - self.0.multi_scalar_mul(points, scalars_lo, scalars_hi) + self.0.multi_scalar_mul(points, scalars_lo, scalars_hi, pedantic_solving) } fn ec_add( diff --git a/tooling/nargo_cli/src/cli/dap_cmd.rs b/tooling/nargo_cli/src/cli/dap_cmd.rs index 7c2977fd50d..2f20625da25 100644 --- a/tooling/nargo_cli/src/cli/dap_cmd.rs +++ b/tooling/nargo_cli/src/cli/dap_cmd.rs @@ -277,5 +277,6 @@ pub(crate) fn run(args: DapCommand, _config: NargoConfig) -> Result<(), CliError let input = BufReader::new(std::io::stdin()); let server = Server::new(input, output); - loop_uninitialized_dap(server, args.expression_width, args.pedantic_solving).map_err(CliError::DapError) + loop_uninitialized_dap(server, args.expression_width, args.pedantic_solving) + .map_err(CliError::DapError) } diff --git a/tooling/nargo_cli/src/cli/debug_cmd.rs b/tooling/nargo_cli/src/cli/debug_cmd.rs index 00fa6739c19..0ec689b591a 100644 --- a/tooling/nargo_cli/src/cli/debug_cmd.rs +++ b/tooling/nargo_cli/src/cli/debug_cmd.rs @@ -85,7 +85,14 @@ pub(crate) fn run(args: DebugCommand, config: NargoConfig) -> Result<(), CliErro let compiled_program = nargo::ops::transform_program(compiled_program, target_width); - run_async(package, compiled_program, &args.prover_name, &args.witness_name, target_dir, args.compile_options.pedantic_solving) + run_async( + package, + compiled_program, + &args.prover_name, + &args.witness_name, + target_dir, + args.compile_options.pedantic_solving, + ) } pub(crate) fn compile_bin_package_for_debugging( @@ -235,6 +242,11 @@ pub(crate) fn debug_program( ) -> Result>, CliError> { let initial_witness = compiled_program.abi.encode(inputs_map, None)?; - noir_debugger::run_repl_session(&Bn254BlackBoxSolver, compiled_program, initial_witness, pedantic_solving) - .map_err(CliError::from) + noir_debugger::run_repl_session( + &Bn254BlackBoxSolver, + compiled_program, + initial_witness, + pedantic_solving, + ) + .map_err(CliError::from) } diff --git a/tooling/nargo_cli/src/cli/execute_cmd.rs b/tooling/nargo_cli/src/cli/execute_cmd.rs index 556392e9b4d..c4971f6a97b 100644 --- a/tooling/nargo_cli/src/cli/execute_cmd.rs +++ b/tooling/nargo_cli/src/cli/execute_cmd.rs @@ -106,8 +106,14 @@ fn execute_program_and_decode( // Parse the initial witness values from Prover.toml let (inputs_map, _) = read_inputs_from_file(&package.root_dir, prover_name, Format::Toml, &program.abi)?; - let witness_stack = - execute_program(&program, &inputs_map, foreign_call_resolver_url, root_path, package_name, pedantic_solving)?; + let witness_stack = execute_program( + &program, + &inputs_map, + foreign_call_resolver_url, + root_path, + package_name, + pedantic_solving, + )?; // Get the entry point witness for the ABI let main_witness = &witness_stack.peek().expect("Should have at least one witness on the stack").witness;