From 8e2214de27a548cdf5903614b64c774bf5c4dafa Mon Sep 17 00:00:00 2001 From: Ming Date: Fri, 11 Oct 2024 11:16:27 +0800 Subject: [PATCH] fix soundness: include public input to transcript (#355) public input should be included to transcript. we may also need to include verifier key digest, which involve widely change to derive Serialize/Deserializa on ConstrainSystem/Expression/etc. ~~Will raise a ticket for that~~ https://github.com/scroll-tech/ceno/issues/356 --- ceno_zkvm/examples/riscv_opcodes.rs | 35 +++++++++++++++++++++++++---- ceno_zkvm/src/scheme/prover.rs | 3 +++ ceno_zkvm/src/scheme/verifier.rs | 3 +++ 3 files changed, 37 insertions(+), 4 deletions(-) diff --git a/ceno_zkvm/examples/riscv_opcodes.rs b/ceno_zkvm/examples/riscv_opcodes.rs index 771357044..9e6997a90 100644 --- a/ceno_zkvm/examples/riscv_opcodes.rs +++ b/ceno_zkvm/examples/riscv_opcodes.rs @@ -1,4 +1,4 @@ -use std::{iter, time::Instant}; +use std::{iter, panic, time::Instant}; use ceno_zkvm::{ instructions::riscv::{arith::AddInstruction, branch::BltuInstruction}, @@ -256,8 +256,35 @@ fn main() { // change public input maliciously should cause verifier to reject proof zkvm_proof.pv[0] = ::BaseField::ONE; zkvm_proof.pv[1] = ::BaseField::ONE; - verifier - .verify_proof(zkvm_proof, transcript) - .expect_err("verify proof should return with error"); + + // capture panic message, if have + let default_hook = panic::take_hook(); + panic::set_hook(Box::new(|_info| { + // by default it will print msg to stdout/stderr + // we override it to avoid print msg since we will capture the msg by our own + })); + let result = panic::catch_unwind(|| verifier.verify_proof(zkvm_proof, transcript)); + panic::set_hook(default_hook); + match result { + Ok(res) => { + res.expect_err("verify proof should return with error"); + } + Err(err) => { + let msg: String = if let Some(message) = err.downcast_ref::<&str>() { + message.to_string() + } else if let Some(message) = err.downcast_ref::() { + message.to_string() + } else if let Some(message) = err.downcast_ref::<&String>() { + message.to_string() + } else { + unreachable!() + }; + + if !msg.starts_with("0th round's prover message is not consistent with the claim") { + println!("unknown panic {msg:?}"); + panic::resume_unwind(err); + }; + } + }; } } diff --git a/ceno_zkvm/src/scheme/prover.rs b/ceno_zkvm/src/scheme/prover.rs index da896499c..dc07bda6a 100644 --- a/ceno_zkvm/src/scheme/prover.rs +++ b/ceno_zkvm/src/scheme/prover.rs @@ -57,6 +57,9 @@ impl> ZKVMProver { let mut vm_proof = ZKVMProof::empty(pi); let pi = &vm_proof.pv; + // including public input to transcript + pi.iter().for_each(|v| transcript.append_field_element(v)); + // commit to fixed commitment for (_, pk) in self.pk.circuit_pks.iter() { if let Some(fixed_commit) = &pk.vk.fixed_commit { diff --git a/ceno_zkvm/src/scheme/verifier.rs b/ceno_zkvm/src/scheme/verifier.rs index f78ccaf5b..379c76de5 100644 --- a/ceno_zkvm/src/scheme/verifier.rs +++ b/ceno_zkvm/src/scheme/verifier.rs @@ -63,6 +63,9 @@ impl> ZKVMVerifier } } + // including public input to transcript + pi.iter().for_each(|v| transcript.append_field_element(v)); + // write fixed commitment to transcript for (_, vk) in self.vk.circuit_vks.iter() { if let Some(fixed_commit) = vk.fixed_commit.as_ref() {