I have been playing with ZoKrates for a few days but I can't achieve a verification process with a true statement. It is alway FALSE I tried to follow the tutorial of the readme but I encountered some difficulties: the verification always returns "false". I mean, of course, I should use the toolbox with a wrong way

This is the basic code I want to test:

def main(x,private s1,private s2):
    s1 + s2 + x == 15
    return 1

Then when I generate proof I have this output:

Generating proof...
Using Witness: {"~one": 1, "x": 5, "~out_0": 1, "s2": 5, "s1": 5}
Public inputs: [1, 5, 1]
Private inputs: [5, 5]
* Elements of w skipped: 0 (-nan%)
* Elements of w processed with special addition: 0 (-nan%)
* Elements of w remaining: 0 (-nan%)
* Elements of w skipped: 0 (-nan%)
* Elements of w processed with special addition: 0 (-nan%)
* Elements of w remaining: 0 (-nan%)
* Elements of w skipped: 0 (0.00%)
* Elements of w processed with special addition: 1 (25.00%)
* Elements of w remaining: 3 (75.00%)
* Elements of w skipped: 0 (0.00%)
* Elements of w processed with special addition: 1 (25.00%)
* Elements of w remaining: 3 (75.00%)
* G1 elements in proof: 7
* G2 elements in proof: 1
* Proof size in bits: 2294
Proof:
A = 0x17ae0464d4c0d1937fee027b520ca9ec7ee4f2abf70b52a75c636d6735005392, 0x281134f906ab1cb3011cb6207a1f9ef5398045af52c3eff8e9db9f50c8cf3828
A_p = 0x1ac693cdd14a1206f930729a929b3b39721f838446061af6311c4ed30c428426, 0x2712e90c78ec9e0e5ccf3356e23855484c4073bb274194635b612b63f4ac8be3
B = [0x883a4f310a3966a5cb139b59288c78aa8a8a9a8b4bf48792420d5184f8fb8b5, 0x201d60787fd856c24e7b45dab7cb41a79ff348153683dbf82b5d77d14e168ae5], [0x1d9ccf0e5d091b85a795d74abc13625e531cb65115589b999c9c0e05b7310920, 0x21a3beba1014556c091197668c9380cc37e420b4232fa5c35a175ee00bfe92f4]
B_p = 0x1d0c580e2431894c97e6bee5de2e396477beabebeb4606c21d241328d0ca139d, 0x2add4d48ef20738cf6540cc530bf80948bd6cb8b180cf4a3ec412e0dc58fe3de
C = 0x20ba1cacf4ebbc3c1c29d11946b1c38151cb44d0803d628fa69e1ae8e930e7c7, 0x1dc6686abe23aa65b1653fab516386b86d7deae2ac817cf7fb3d89ad4d1da8ca
C_p = 0xb292b7ab8b91c84eb61338fa9837465d94e3e82c1e029c55b4d754161242b13, 0x15f60d3a7192a31f6da6804e960cbd13198a710f14c4860fd5ea1453eb2cf131
H = 0x2621bd887a4e502ae5d9660a56702be8a7567bee0507d8af711be5fca888ff88, 0x2e905b72b811929ea2475d8c0df0a5815e329aebe787a37cf62a60ba4dad0c5c
K = 0xf1bd7f2d6fe7efcb5480bd8743c359153dc73153039f0c76c90b62431ca1ac2, 0x151b78bf375d6d20a2f242e70db41d25183a594632e553f97d27570d15551ff
generate-proof successful: true

(I used as value for x = 5, s1 = 5, s2 = 5 )

Here I am confused, the length of public inputs is 3 but in my verifier.sol generated the array expected in verifyTx is of length 2 ...

Then, I deploy verifier.sol & SumsToFifteen.sol (please find them attached), and I try to test the result of my proof with the web3js script verifier.js (but it is always false):

proof: 0
success: false

Please, could you help me to find a way to make all this stuff working?

Thank's in advance

Note:

• in verifier.js I try all kind of mix for I (I=[1, 5 ,1], I=[1, 5], I=[5,1], ...)

  eth.contract(abi).at("0xfc1684a8af3e6bf532482c356e5b2cef9cad144f")

  referenced obviously to the contract address of the SumsToFifteen.sol

• I've also tried to change the length of the input both files SumToFifteen.sol and verify.sol to 2 without any success

verifier.js verifier.sol SumsToFifteen.sol

MiMCSponge:

This implements the MiMCSponge hashing into the stdlib. The reference implementation this is based on, can be found here. For testing I've created a quick repo that runs the reference implementation with circom, can be found here.

Configuration:

I'm a bit unsure what the input and output configurations should be set to. Currently, like in the reference, two inputs and three outputs, with 220 feistel rounds are configured, but I'm not sure what the proper settings should be, so it's up for discussion.

Performance:

Using this, with the configuration stated above, 2647 constraints are created

MiMC7:

Adds mimc7 hashing algo to the stdlib. The reference implementation this is based on can be found here

Things to note:

• The reference implementation is slightly more efficient (regarding constraints). Because ZoKrates doesn't support lazy evaluation, the t7 array has to be one element longer and a separate index counter has to be defined in the loop to prevent an out of bounds error. It's not the prettiest solution, but it was the most efficient solution I could come up with.
• Implementation was tested with comparing hashes to the reference implementation, which were always the same, also with overflows, passing p and other edge cases.
• The number of rounds can be set up to 91. I wasn't sure how many rounds are optimal, so I created a number of them.

Constraints for hashing:

• mimc7R10: 42
• mimc7R20: 82
• mimc7R50: 202
• mimc7R90: 362

This is best demonstrated by a test case:

def x() -> (field):
  return 3

def main() -> (field):
  // These all work
  7 == 10 - x()
  8 == 10 + 1 - x()
  8 == 10 - 3 + 1
  8 == (10 - 3) + 1
  8 == (10 - x()) + 1
  8 == 10 - (x() - 1)

  // These are wrong
  8 == 10 - x() + 1
  6 == 10 - x() - 1

  return 1

All of these assertions should pass; however the final two fail:

setup successful: true
Computing witness for:
def main():
        7 == 7
        8 == 8
        8 == 8
        8 == 8
        8 == 8
        8 == 8
        8 == 6
        6 == 8
        return 1
thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: Error { message: "Condition not satisfied: 8 should equal 6" }', libcore/result.rs:945:5
note: Run with `RUST_BACKTRACE=1` for a backtrace.

It seems that 10 - x() + 1 is interpreted as 10 - (x() + 1) rather than (10 - x()) + 1. I guess it's a problem with the way associativity is handled in combination with subtraction. Taking a wild guess, maybe it's an issue with flatten_field_expression()? But I never looked at Zokrates before this weekend, and only looked at the implementation for 30 minutes or so, so take that guess with a large pinch of salt ;-)

This bug was found in partnership with @GuthL, so thanks to him for being a great partner in crime :-)

I am using truffle to export the generated smart contract for factorization.code. Versions

Truffle v4.1.5 (core: 4.1.5)
Solidity v0.4.21 (solc-js)

I am able to compile (with warning though but are addressed here https://github.com/JacobEberhardt/ZoKrates/pull/49) and deploy the contract but when i try to test it, i get error

...../contracts/Verifier.sol:1
(function (exports, require, module, __filename, __dirname) { pragma solidity ^0.4.14;

The test is here and the contract is here

Also i don't understand which contracts are being called at https://github.com/lovesh/ZoKrates/blob/develop/src/verification.rs#L49, https://github.com/lovesh/ZoKrates/blob/develop/src/verification.rs#L64 and https://github.com/lovesh/ZoKrates/blob/develop/src/verification.rs#L91

As i understand, the second argument to call is supposed to be contract address, but they don't seem like contract address, are they? If yes, then can you please point me to those contracts or relevant sections of solidity documentation. Thanks

Just checking whether this is wanted in the project, I'm using it locally anyway.

In case it is, this PR is still missing

• [x] Conjunction on the function level
• [x] Header including variable declaration
• [x] Tests

I think *.ztf files should be always generated, but the light flag should be a way to disable logging bigger programs to the console (so the output is less verbose).

Current implementation skips the generation of the *.ztf file when light flag is used. Other solution would be to introduce a new flag verbose for the logging but keep the light flag as is.

The .code file extension is generic and users asked for a change. I propose to change the file ending to .zok

Before that, we should remove file extensions from import statements.

Updates the ABIEncoder to v2, which enables us to pass structs as parameters to functions. Simplifies the Verifier.sol a bit and is also needed for application tests (takes a lot of complexity out of the testing script because I can simply pass the proof object from the proof.json instead of parsing every value separately when calling verifyTx)

Assume the following sample code I want to create a witness for (I stripped off meaningful things for simplicity):

def sub():
  foo = if 1 < 2 then 1 else 2 fi
  return 1

def main():
   return sub()

It compiles fine. However computing a witness leads to the following error:

thread 'main' panicked at 'no entry found for key', libcore/option.rs:917:5
note: Run with `RUST_BACKTRACE=1` for a backtrace.

In particular I believe that this line causes the crash. Printing var_name and inputs, I can see that:

Inputs: {"sub_i0o1_1_sym_0": 1, "sub_i0o1_1_sym_1": 2, "sub_i0o1_1_sym_2": 21888242871839275222246405745257275088548364400416034343698204186575808495615, "~one": 1}
Variable name: "sym_2"

sym_2 does not exist and we therefore crash. I assume that either sub_i0o1_1_sym_2 in inputs should be sym_2 (without the subroutine prefix) or sym_2 should be prefixed accordingly.

This PR adds sha256 witness generation, constraint generation directly from libsnark. Thanks to @kobigurk for help with this.

It also includes wraplibsnark.cpp upgrade to support the latest version of libsnark.

This brakes ZoKrates as exportInput , _setup and _generate_proof functions were replaced with place holders as i could not see easily how to port this code.

The build process is changed slightly so remember to run git submodule update --init --recursive before cargo +nightly build

This change breaks the docker setup.

The thinking is that @JacobEberhardt will take over from here and use the _sha256Constraints and _sha256Witness functions i provide to integrate sha256 in ZoKrates at a cost of ~27k constraints. Which is much better than our native implementation ~500k constraints. Which will hopefully make merkle trees practical in ZoKrates.

Problem

The way private inputs are treated is different from public ones:

• Private inputs are implicit, public inputs are explicit:

def main(c):
  c == a * b
  return 1

• Public inputs are passed as arguments in compute-witness, while private inputs are passed interactively
• It makes it hard to use compute-witness programatically
• It gives no way to list private inputs without solving the R1CS

Solution

We think they should be explicit:

def main(c | a,b):
  c == a * b
  return 1

Roadmap

1. Make it possible to pass private inputs as arguments in compute-witness rather than interactively (the interactive mode should be activated by a flag)
2. Make it possible to specify explicit private inputs in .code files
3. Ban implicit private inputs from .code files

Thoughts welcome :)

Depends on #1249

To make the Groth16 MPC trusted setup work, we need to depend on two versions of bellman_ce. I implemented this by splitting the zokrates_bellman crate.

Also, I went through the failing tests and fixed as many as possible.

This is an overview of the changes:

• zokrates_bellman: Now depends on the matter-labs version of bellman again, commented in code in the Groth16 scheme, removed PlonK
• zokrates_bellman_plonk: A new crate that depends on our fork of bellman
  • lib.rs: Is essentially a copy of zokrates_bellman/src/lib.rs, except that it depends on a different bellman crate and uses the BellmanPlonkFieldExtensions instead of BellmanFieldExtensions
  • plonk.rs: Implementation of the PlonK scheme
• zokrates_cli: Now depends also on the zokrates_bellman_plonk crate, commented in the MPC implementation of the Groth16 trusted setup, added PlonK to integration tests
• zokrates_field:
  • Now depends on both bellman crates and defines the BellmanPlonkFieldExtensions trait in addition to BellmanFieldExtensions
  • Adjusted the bellman_extensions! macro and implemented BellmanPlonkFieldExtensions for all curves that previously implemented the BellmanFieldExtensions
• zokrates_proof_systems: Fixed a bug where solidity verifiers were rendered incorrectly, triggered by a previous refactoring of the Fq2 and GAffine data types.
• Fixed a few clippy errors

The diff between zokrates_bellman/src/lib.rs and zokrates_bellman_plonk/src/lib.rs is quite small. It could be implemented using a macro (although I'm not sure in which crate it should be defined), let me know if I should do that :)

Bumps secp256k1 from 0.22.1 to 0.22.2.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Abstract

Zokrates supports proof generation based on the bl12_381 curve. However, in order verify a signature on the bl12_381 a user have to implement the jubjub embedded curve from scratch. There is also

Motivation

Similarly to the baby jujub, the adding an instance of the jubjub curve in the stdlib would simplify the signature verification for the curve bl12_381.

Specification

Add jubjubParams.zok in the ecc package of zokrates_stdlib

Backwards Compatibility

This feature should not introduce any backward compatibility. Users who would like to use this feature would have to update Zokrates to a newer version, or copy and edit the source code according to their local version.

The main changes are:

• zokrates_bellman:
  • plonk.rs: serialize_vk() now pre-computes omega. This is redundant, but needed to render the solidity verifier.
• zokrates_cli:
  • tests/integration.rs: Adjusted the test_compile_and_witness_dir test to run only for plonk. It should pass now, testing the full pipeline, including proof verification in solidity.
• zokrates_proof_systems:
  • Added solidity_renderer.rs, which is an adjusted version from this code from matter-labs.
    • See this link for a comparison between 037ec0acc82b23e782ee0243e0b0405e48ca7062 (when I copied the original file from the matter-labs repo) and the current head of georgwiese:plonk-add-verifier.
  • PlonkVerifier.sol: The Plonk solidity template, copied and adjusted from this code from matter-labs.
  • scheme/plonk.rs: This file moved to the zokrates_bellman create, as mentioned above.
  • to_token.rs: Some refactorings
• Removed some unused imports.

To test, run:

$ cargo test --package zokrates_cli -- --nocapture test_compile_and_witness_dir --ignored