Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
tamper_proof.hpp
Go to the documentation of this file.
1#pragma once
2
3#include "barretenberg/commitment_schemes/ipa/ipa.hpp"
4#include "barretenberg/commitment_schemes/pairing_points.hpp"
5#include "barretenberg/flavor/flavor_concepts.hpp"
6#include "barretenberg/flavor/test_utils/proof_structures.hpp"
7#include "barretenberg/honk/proof_length.hpp"
8
9namespace bb {
10
11enum class TamperType {
12 MODIFY_SUMCHECK_UNIVARIATE, // Tamper with coefficients of a Sumcheck Round Univariate
13 MODIFY_SUMCHECK_EVAL, // Tamper with a multilinear evaluation of an entity
14 MODIFY_Z_PERM_COMMITMENT, // Tamper with the commitment to z_perm
15 MODIFY_GEMINI_WITNESS, // Tamper with a fold polynomial
16 END
17};
18
25template <typename Flavor> size_t compute_proof_length_for_export(size_t num_public_inputs, size_t log_n)
26{
27 return ProofLength::Honk<Flavor>::LENGTH_WITHOUT_PUB_INPUTS(log_n) + num_public_inputs;
28}
29
35template <typename InnerProver, typename InnerFlavor, typename ProofType>
36void tamper_with_proof(InnerProver& inner_prover, ProofType& inner_proof, TamperType type)
37{
38 using FF = typename InnerFlavor::FF;
39 static constexpr size_t FIRST_WITNESS_INDEX = InnerFlavor::NUM_PRECOMPUTED_ENTITIES;
40
41 // Deserialize proof into structured form
42 StructuredProof<InnerFlavor> structured_proof;
43 const auto num_public_inputs = inner_prover.prover_instance->num_public_inputs();
44 const size_t log_n =
45 InnerFlavor::USE_PADDING ? CONST_PROOF_SIZE_LOG_N : inner_prover.prover_instance->log_dyadic_size();
46 structured_proof.deserialize(inner_prover.transcript->test_get_proof_data(), num_public_inputs, log_n);
47
48 // Apply tampering based on type
49 switch (type) {
50 case TamperType::MODIFY_SUMCHECK_UNIVARIATE: {
51 FF delta = FF::random_element();
52 // Preserve S_0(0) + S_0(1) = target_total_sum, but S_0(u_0) = S_1(0) + S_1(1) will fail
53 structured_proof.sumcheck_univariates[0].value_at(0) += delta;
54 structured_proof.sumcheck_univariates[0].value_at(1) -= delta;
55 break;
56 }
57 case TamperType::MODIFY_SUMCHECK_EVAL:
58 structured_proof.sumcheck_evaluations[FIRST_WITNESS_INDEX] = FF::random_element();
59 break;
60 case TamperType::MODIFY_Z_PERM_COMMITMENT:
61 structured_proof.z_perm_comm = structured_proof.z_perm_comm * FF::random_element();
62 break;
63 case TamperType::MODIFY_GEMINI_WITNESS:
64 structured_proof.gemini_fold_comms[0] = structured_proof.gemini_fold_comms[0] * FF::random_element();
65 structured_proof.gemini_fold_evals[0] = FF::zero();
66 break;
67 case TamperType::END:
68 break;
69 }
70
71 // Serialize back and re-export the tampered proof
72 structured_proof.serialize(inner_prover.transcript->test_get_proof_data(), log_n);
73 inner_prover.transcript->test_set_proof_parsing_state(
74 0, compute_proof_length_for_export<InnerFlavor>(num_public_inputs, log_n));
75 inner_proof = inner_prover.export_proof();
76}
77
83template <typename InnerFlavor, typename ProofType = typename InnerFlavor::Transcript::Proof>
84void tamper_with_proof(ProofType& inner_proof, bool end_of_proof)
85{
86 using Commitment = typename InnerFlavor::Curve::AffineElement;
87 using FF = typename InnerFlavor::FF;
88 using Codec = typename InnerFlavor::Transcript::Codec;
89
90 static constexpr size_t NUM_FRS_PER_COMMITMENT = Codec::template calc_num_fields<Commitment>();
91
92 if (end_of_proof) {
93 // Tamper with the last commitment in the proof
94 size_t offset = inner_proof.size() - NUM_FRS_PER_COMMITMENT;
95 auto element_span = std::span{ inner_proof }.subspan(offset, NUM_FRS_PER_COMMITMENT);
96 auto commitment = Codec::template deserialize_from_fields<Commitment>(element_span);
97 commitment = commitment * FF(2);
98 auto serialized = Codec::serialize_to_fields(commitment);
99 std::copy(serialized.begin(), serialized.end(), inner_proof.begin() + static_cast<std::ptrdiff_t>(offset));
100 } else {
101 // Tamper with the first pairing point (P0) by adding the generator
102 using PP = bb::PairingPoints<typename InnerFlavor::Curve>;
103 static constexpr size_t NUM_FRS = Codec::template calc_num_fields<PP>();
104
105 if (inner_proof.size() >= NUM_FRS) {
106 auto pp_span = std::span{ inner_proof }.subspan(0, NUM_FRS);
107 PP pairing_points = Codec::template deserialize_from_fields<PP>(pp_span);
108 pairing_points.P0() = pairing_points.P0() + Commitment::one();
109 auto serialized = Codec::serialize_to_fields(pairing_points);
110 std::copy(serialized.begin(), serialized.end(), inner_proof.begin());
111 }
112 }
113}
114
115} // namespace bb
FF
bb::field< bb::Bn254FrParams > FF
Definition field.cpp:24
bb::PairingPoints
An object storing two EC points that represent the inputs to a pairing check.
Definition pairing_points.hpp:22
pairing_points.hpp
offset
ssize_t offset
Definition engine.cpp:50
flavor_concepts.hpp
bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5
bb::TamperType::MODIFY_SUMCHECK_UNIVARIATE
@ MODIFY_SUMCHECK_UNIVARIATE
bb::tamper_with_proof
void tamper_with_proof(InnerProver &inner_prover, ProofType &inner_proof, TamperType type)
Test method that provides several ways to tamper with a proof. TODO(https://github....
Definition tamper_proof.hpp:36
bb::compute_proof_length_for_export
size_t compute_proof_length_for_export(size_t num_public_inputs, size_t log_n)
Compute the proof length for re-exporting after tampering.
Definition tamper_proof.hpp:25
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
proof_length.hpp
proof_structures.hpp
bb::ProofLength::Honk::LENGTH_WITHOUT_PUB_INPUTS
static constexpr size_t LENGTH_WITHOUT_PUB_INPUTS(size_t log_n)
Definition proof_length.hpp:101
bb::StructuredProof
Test utility for deserializing/serializing proof data into typed structures.
Definition proof_structures.hpp:26
bb::field< bb::Bn254FrParams >::random_element
static field random_element(numeric::RNG *engine=nullptr) noexcept
Definition field_impl.hpp:677