-
Notifications
You must be signed in to change notification settings - Fork 213
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add SafeLessThan
template to comparators with range checks over inputs
#86
base: master
Are you sure you want to change the base?
Conversation
SafeLessThan
template to comparators with range proofs over inputsSafeLessThan
template to comparators with range checks over inputs
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good! Couple of minor comments.
circuits/comparators.circom
Outdated
signal input in[2]; | ||
signal output out; | ||
|
||
component aInRange = Num2Bits(252); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We can save some constraints by restricting to n
bits instead. It will always be safe since n <= 252
anyway. Also, that way we can interpret SafeLessThan(n)
as meaning "safely compare two n-bit numbers." This makes it easier to understand why in[0]+ (1<<n) - in[1]
should be an n+1 bit number.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the comment. Good point. Added to the PR.
circuits/comparators.circom
Outdated
|
||
n2b.in <== in[0]+ (1<<n) - in[1]; | ||
|
||
out <== 1-n2b.out[n]; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Perhaps we could use a normal LessThan
component here to avoid code reuse. It makes it clearer what the difference between LessThan
and SafeLessThan
is, and if LessThan
changes in the future we don't risk two difference implementations.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agree, applied change in this commit
@enricobottazzi , @BlakeMScurr if I don't miss something, you can have only 2 additional constraints instead of 252*2 by having this:
instead of this:
Although I haven't checked it yet. |
Hi all! Everything looks good! @AndriianChestnykh I am not sure, but I think that your proposal would not be safe: it is using the operator <-- for the first assignment which does not introduce any constraint. This way, the R1CS system will only contain the check |
@clararod9 , thanks. I totally missed that my proposal won't work.
The Num2Bits template solves this task but it adds excessive amount of constraints (+252) than what is needed for the goal as it needs to "split" the bits in addition.
|
@AndriianChestnykh yes the I haven't tried it, but I think |
@BlakeMScurr, yes I'm wrong here as well. |
@BlakeMScurr recently spotted an anomalous behavior in the
LessThan(n)
template when the first input doesn't fit in n bits. This issue was discussed in Sismo, Iden3 and fully analysed and tested by Blake.After discussing with Blake and @clararod9 we propose a
SafeLessThan(n)
template that usesNum2Bits(252)
toperform a range check over the two inputs. As long as both the inputs don't overflow 252 bits, the operation is safe.
Performing
SafeLessThan(n)
adds 252*2 constraints compared to LessThan(n) therefore, it should be used either if the range check over the inputs has already been performed outside the template or the inputs are not expected to overflow 252 bits.