test for proofVerifyInit failing

src/bbs_verify.sol

@@ -763,7 +763,7 @@ contract BBS_Verifier {
         uint256 l = u + r;
 
         uint8[] memory undisclosedIndices = complement(uint8(u), uint8(r), disclosedIndices);
-        uint256 domain = calculate_domain(pk, uint64(l + 1));
+        uint256 domain = calculate_domain(pk, uint64(l));
         Pairing.G1Point memory t1 = Pairing.scalar_mul(proof.bBar, proof.challenge);
         Pairing.G1Point memory t11 = Pairing.scalar_mul(proof.aBar, proof.eCap);
         Pairing.G1Point memory t12 = Pairing.scalar_mul(proof.d, proof.r1Cap);
@@ -773,9 +773,9 @@ contract BBS_Verifier {
         Pairing.G1Point memory bv1 = Pairing.scalar_mul(BBS.generators()[0], domain);
         Pairing.G1Point memory bv = Pairing.plus(BBS.BP1(), bv1);
 
-        for (uint256 i = 1; i < disclosedIndices.length; i++) {
+        for (uint256 i = 0; i < disclosedIndices.length; i++) {
             uint8 disclosedIndex = disclosedIndices[i] + 1;
-            uint256 disclosedm = disclosedMsg[i - 1];
+            uint256 disclosedm = disclosedMsg[i];
             Pairing.G1Point memory t = Pairing.scalar_mul(BBS.generators()[disclosedIndex], disclosedm);
             bv = Pairing.plus(bv, t);
         }

test/bbs_verify.t.sol

@@ -64,6 +64,53 @@ contract BBS_VerifierTest is Test {
                 uint256(15886074934859455688300902859116025241719978288647494891665273100122551253775)
             ]
         );
+
+        proof.aBar = Pairing.G1Point(
+            uint256(2389859733424702129156888454204363947129790103145727264232242043740634819795),
+            uint256(1097959188506991370624082972495363785392704497493505982994469705407803350963)
+        );
+        proof.bBar = Pairing.G1Point(
+            uint256(5583742200394344059117141975579204392825248477802207110572797814797870159151),
+            uint256(9483599358002031430276889173892716777483137155844013203204704308340368005455)
+        );
+        proof.d = Pairing.G1Point(
+            uint256(3582064199758817395084567888979131399489180310854527659722233373316200088935),
+            uint256(5013664001823222493328983250535695894780415104032411286476938301746177789413)
+        );
+        proof.eCap = uint256(18845685828282296109338653832715366439340731857280092412100502542093238017121);
+        proof.r1Cap = uint256(9407374954518962485998988864037019598594980826080218297998777788535340323505);
+        proof.r3Cap = uint256(5837326718558961775248227894568850849739195076278847619090820141173179156286);
+        proof.challenge = uint256(1591638219516725013719722625634121132371156700165462279008346780516639045559);
+
+        proof.commitments = new uint256[](28);
+        proof.commitments[0] = uint256(19294976838385181770793500356536976137761603712764994792098766193374191876912);
+        proof.commitments[1] = uint256(15665415302100139273532636634079826924901045981054052367536616453496735458217);
+        proof.commitments[2] = uint256(683930125651279685941922347584330726360286383661921413071836909971322658487);
+        proof.commitments[3] = uint256(19139389920714243985207332025043197035989631040457777976356301787011323729276);
+        proof.commitments[4] = uint256(18618858673441963890372012149463249331474633025425724406359200230791204287230);
+        proof.commitments[5] = uint256(2976275943360506885513902927829991119821049217269141554546744125648883808942);
+        proof.commitments[6] = uint256(7741497297544722970404455630072351311578064143715935462570603923441613133744);
+        proof.commitments[7] = uint256(12967032185914576602520344445528015313070963424802156236169192801463223968661);
+        proof.commitments[8] = uint256(6043705854067455577201571917734598072195060225500347736839100243640844147002);
+        proof.commitments[9] = uint256(7975958630214731015881597638148368736223203423519335663374795593972224628115);
+        proof.commitments[10] = uint256(5063917606748444318907002556386444282092995588424392944567946512018789907140);
+        proof.commitments[11] = uint256(128040869348113497802925734488026672154884121598398892285429338520827919187);
+        proof.commitments[12] = uint256(14166237414040449407807471567974813122898634008531680576980068190629841500992);
+        proof.commitments[13] = uint256(10471689082020479049925288784800851938975928999514484173830417499950256354756);
+        proof.commitments[14] = uint256(15442764830050595368343336168542039867667707392169536613884312984553476659334);
+        proof.commitments[15] = uint256(4190278990131177527923939339437262621281884418841174445527841942545704670174);
+        proof.commitments[16] = uint256(16721190604424697547606415666395009966841952016976459857585742817670838860790);
+        proof.commitments[17] = uint256(14019571406538264268957540789616106976608464484428950403832393757541615116503);
+        proof.commitments[18] = uint256(13161687818138085884961868953000174105307154828324712897804198838117049296373);
+        proof.commitments[19] = uint256(6019614396043304926995639315223000477434362157996549649396479567418199051814);
+        proof.commitments[20] = uint256(21398477016991141441638825844804401235924603218228216791095578579507004064104);
+        proof.commitments[21] = uint256(1284175716692509966139981641582834335237711428658302342410234707146408446478);
+        proof.commitments[22] = uint256(6624718910876334988261064022540419708897921318648870734901499422236758644237);
+        proof.commitments[23] = uint256(5020676234843826149023183290373090464129613657687115661309141620371659838114);
+        proof.commitments[24] = uint256(2784673656377231901294632131937418325662199844847647577081445797306124167264);
+        proof.commitments[25] = uint256(2606587054699910611464857084585278905009451516207206420773353623680103150777);
+        proof.commitments[26] = uint256(2908463991346345116779230591032285009421675994539341126361104083742823396510);
+        proof.commitments[27] = uint256(19581358284736034190184981706514887539334457204635337638025215728461147420373);
     }
 
     function test_verify() public {
@@ -73,6 +120,49 @@ contract BBS_VerifierTest is Test {
         bool res = verifier.verifySignature(pk, sig, msgScalar);
         assert(res);
     }
+
+    function test_proof_verify_init() public {
+        BBS_Verifier verifier;
+        verifier = new BBS_Verifier();
+        uint256[] memory disclosed_msg = new uint256[](3);
+        disclosed_msg[0] = 2266124219189018131;
+        disclosed_msg[1] = 15553430782966677989;
+        disclosed_msg[2] = 4743228516788447402;
+
+        uint8[] memory disclosed_indices = new uint8[](3);
+        disclosed_indices[0] = 0;
+        disclosed_indices[1] = 1;
+        disclosed_indices[2] = 5;
+
+        BBS_Verifier.InitProof memory initProof;
+        initProof.points[0] = Pairing.G1Point(
+            uint256(2389859733424702129156888454204363947129790103145727264232242043740634819795),
+            uint256(1097959188506991370624082972495363785392704497493505982994469705407803350963)
+        );
+        initProof.points[1] = Pairing.G1Point(
+            uint256(5583742200394344059117141975579204392825248477802207110572797814797870159151),
+            uint256(9483599358002031430276889173892716777483137155844013203204704308340368005455)
+        );
+        initProof.points[2] = Pairing.G1Point(
+            uint256(3582064199758817395084567888979131399489180310854527659722233373316200088935),
+            uint256(5013664001823222493328983250535695894780415104032411286476938301746177789413)
+        );
+        initProof.points[3] = Pairing.G1Point(
+            uint256(2608558917589104469794946005308295328376354729516260293998541446338037245316),
+            uint256(7380216098169806522493651841483387702118496867918844646938817052216546927834)
+        );
+        initProof.points[4] = Pairing.G1Point(
+            uint256(10970264894326745811902665330882027157454649744995755774915880032341514664640),
+            uint256(2673275558703332757019628075603459814671885523946659461460975817206171298679)
+        );
+        initProof.scalar = uint256(4661402122534330745222086575742781481159552639583525480514127238648290568236);
+
+        BBS_Verifier.InitProof memory init_output =
+            verifier.proofVerifyInit(pk, proof, disclosed_msg, disclosed_indices);
+        assert(initProof.scalar == init_output.scalar);
+        // assert(initProof.points[4].X == init_output.points[4].X);
+        // assert(initProof.points[3].Y == init_output.points[3].Y);
+    }
 }
 
 contract hashToCurve is Test {

test_vector.txt

@@ -67,4 +67,45 @@ generator : "(189810459381132836124433882517927671070942403512021061448844752803
 generator : "(5849608471641896932689050259307265823896272072351795065590531311030596429007, 21229044712538721502348483276244406588878344472909917768994382101200976203326)"
 generator : "(393432175667211108483070939793661330735615114668362658763611056763370352241, 19985271941600432926866508116673625261827724078554764982827712024353220929168)"
 signature.A : "(16605941458272293469898459593559962462499885703597334825353004900710945536242, 15276896411257112930580737499920866088375905247814230771366087132031781450435)"
-signature.E : "20145301027381071188604537375435971326340204640470956156185142406370688319043"
+signature.E : "20145301027381071188604537375435971326340204640470956156185142406370688319043"
+proof.a : "(2389859733424702129156888454204363947129790103145727264232242043740634819795, 1097959188506991370624082972495363785392704497493505982994469705407803350963)"
+proof.b : "(5583742200394344059117141975579204392825248477802207110572797814797870159151, 9483599358002031430276889173892716777483137155844013203204704308340368005455)"
+proof.d : "(3582064199758817395084567888979131399489180310854527659722233373316200088935, 5013664001823222493328983250535695894780415104032411286476938301746177789413)"
+proof.eCap : "18845685828282296109338653832715366439340731857280092412100502542093238017121"
+proof.r1Cap : "9407374954518962485998988864037019598594980826080218297998777788535340323505"
+proof.r3Cap : "5837326718558961775248227894568850849739195076278847619090820141173179156286"
+proof.challenge : "1591638219516725013719722625634121132371156700165462279008346780516639045559"
+proof.commitments[0] : "19294976838385181770793500356536976137761603712764994792098766193374191876912"
+proof.commitments[1] : "15665415302100139273532636634079826924901045981054052367536616453496735458217"
+proof.commitments[2] : "683930125651279685941922347584330726360286383661921413071836909971322658487"
+proof.commitments[3] : "19139389920714243985207332025043197035989631040457777976356301787011323729276"
+proof.commitments[4] : "18618858673441963890372012149463249331474633025425724406359200230791204287230"
+proof.commitments[5] : "2976275943360506885513902927829991119821049217269141554546744125648883808942"
+proof.commitments[6] : "7741497297544722970404455630072351311578064143715935462570603923441613133744"
+proof.commitments[7] : "12967032185914576602520344445528015313070963424802156236169192801463223968661"
+proof.commitments[8] : "6043705854067455577201571917734598072195060225500347736839100243640844147002"
+proof.commitments[9] : "7975958630214731015881597638148368736223203423519335663374795593972224628115"
+proof.commitments[10] : "5063917606748444318907002556386444282092995588424392944567946512018789907140"
+proof.commitments[11] : "128040869348113497802925734488026672154884121598398892285429338520827919187"
+proof.commitments[12] : "14166237414040449407807471567974813122898634008531680576980068190629841500992"
+proof.commitments[13] : "10471689082020479049925288784800851938975928999514484173830417499950256354756"
+proof.commitments[14] : "15442764830050595368343336168542039867667707392169536613884312984553476659334"
+proof.commitments[15] : "4190278990131177527923939339437262621281884418841174445527841942545704670174"
+proof.commitments[16] : "16721190604424697547606415666395009966841952016976459857585742817670838860790"
+proof.commitments[17] : "14019571406538264268957540789616106976608464484428950403832393757541615116503"
+proof.commitments[18] : "13161687818138085884961868953000174105307154828324712897804198838117049296373"
+proof.commitments[19] : "6019614396043304926995639315223000477434362157996549649396479567418199051814"
+proof.commitments[20] : "21398477016991141441638825844804401235924603218228216791095578579507004064104"
+proof.commitments[21] : "1284175716692509966139981641582834335237711428658302342410234707146408446478"
+proof.commitments[22] : "6624718910876334988261064022540419708897921318648870734901499422236758644237"
+proof.commitments[23] : "5020676234843826149023183290373090464129613657687115661309141620371659838114"
+proof.commitments[24] : "2784673656377231901294632131937418325662199844847647577081445797306124167264"
+proof.commitments[25] : "2606587054699910611464857084585278905009451516207206420773353623680103150777"
+proof.commitments[26] : "2908463991346345116779230591032285009421675994539341126361104083742823396510"
+proof.commitments[27] : "19581358284736034190184981706514887539334457204635337638025215728461147420373"
+points[0] : "(2389859733424702129156888454204363947129790103145727264232242043740634819795, 1097959188506991370624082972495363785392704497493505982994469705407803350963)"
+points[1] : "(5583742200394344059117141975579204392825248477802207110572797814797870159151, 9483599358002031430276889173892716777483137155844013203204704308340368005455)"
+points[2] : "(3582064199758817395084567888979131399489180310854527659722233373316200088935, 5013664001823222493328983250535695894780415104032411286476938301746177789413)"
+points[3] : "(2608558917589104469794946005308295328376354729516260293998541446338037245316, 7380216098169806522493651841483387702118496867918844646938817052216546927834)"
+points[4] : "(10970264894326745811902665330882027157454649744995755774915880032341514664640, 2673275558703332757019628075603459814671885523946659461460975817206171298679)"
+scalar : "4661402122534330745222086575742781481159552639583525480514127238648290568236"