Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

No need for range check #8

Open
enricobottazzi opened this issue Jan 5, 2023 · 5 comments
Open

No need for range check #8

enricobottazzi opened this issue Jan 5, 2023 · 5 comments

Comments

@enricobottazzi
Copy link

enricobottazzi commented Jan 5, 2023

The range check performed here on sourceValue and claimedValue is not necessary in my opinion.

This range check would only fail if:

  • 2 ** 252 <= sourceValue < p
  • 2 ** 252 <= claimedValue < p

And these are not actually cases of overflow.

I performed the test included in the library after having removed these 4 lines and they all pass successfully.

You can check these 2 gists here (circuit and test) to test out my hypotheses.

It would be interesting to understand if the LessOrEqual operation is sufficient to prevent any overflow

@leosayous21
Copy link
Member

Hey @enricobottazzi Thanks for this!
Did you check the discussion on this PR #1 when we added it?
@BlakeMScurr did you have some update on the iden3 issue you created on this subject?

@leosayous21
Copy link
Member

@enricobottazzi, @BlakeMScurr created a repo to test this case normally, you can find it here https://github.com/BlakeMScurr/comparator-overflow

@enricobottazzi
Copy link
Author

Thanks for the material provided. The context is clearer now, and the implementation you applied seems correct. Wondering if you and @BlakeMScurr have any suggestions on how to fix this at the circomlib level

@BlakeMScurr
Copy link
Contributor

@enricobottazzi well the algorithm is still sound for numbers in the right range, and it's probably pretty optimal, so I wouldn't change it. Maybe I'd just rename it to LessThanUnsafe, and a new LessThan that does a range check on the inputs.

That way:

  • users will choose the safe way by default
  • we might catch some bugs when users pull the new version
  • it's still easy to use the old optimised version

What do you think?

@BlakeMScurr
Copy link
Contributor

@enricobottazzi by the way, while we're discussing LessThan, I just realised you might be able to remove a constraint by doing

n2b.in <== in[1]+ (1<<n) - in[0];
out <== n2b.out[n];

instead of

n2b.in <== in[0]+ (1<<n) - in[1];
out <== 1-n2b.out[n];

I think that's right. Might try a PR some time. Although, the constraint count might end up being the same due to compile time optimisations.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants