AssertIsDifferent recovers from panic when using result of Cmp in PLONKFRI+BLS24_317 #523

Closed
akirillo opened this issue Mar 5, 2023 · 4 comments

akirillo commented Mar 5, 2023

I've managed to reproduce a bug where, only for PLONKFRI + BLS24_317, AssertIsDifferent doesn't fail when you'd expect it to. This seems to only happen when comparing the result of api.Cmp, in my case to a constant.
I debugged and followed the stack trace down to test/engine.go:384, where we successfully call panic, but when stepping through the esoteric Go panic code, it seems the panic does successfully recover, where we'd expect it not to.

Here's a reproduction test:

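```go
package repro // package name is arbitrary

import (
	"testing"

	"github.com/consensys/gnark/frontend"
	"github.com/consensys/gnark/test"
)

// TestCircuit holds the two values passed to api.Cmp.
type TestCircuit struct {
	In1 frontend.Variable
	In2 frontend.Variable
}

// Define asserts that the result of Cmp(In1, In2) is different from 1.
func (circuit *TestCircuit) Define(api frontend.API) error {
	cmp := api.Cmp(circuit.In1, circuit.In2)
	api.AssertIsDifferent(
		cmp,
		1,
	)
	return nil
}

// TestAssertIsDifferent expects the prover to fail on every backend/curve pair.
func TestAssertIsDifferent(t *testing.T) {
	assert := test.NewAssert(t)

	var circuit TestCircuit

	assert.ProverFailed(
		&circuit,
		&TestCircuit{
			In1: -1,
			In2: 1,
		},
		test.NoFuzzing(),
		test.NoSerialization(),
	)
}
```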

Where you'll find that it fails only for PLONKFRI+BLS24_317

Collaborator

ivokub commented Apr 5, 2024

PLONK+FRI backend wasn't very well supported. We have omitted the backend for now: #1075

ivokub closed this as completed Apr 5, 2024

@TheYangCode

Hello, I would like to know the significance of the BLS24-317 curve. I already understand the significance of the other curves provided by Gnark. Why is there a need to provide the BLS24-317 as well?

I have compared BLS12-381 and BLS24-317. I feel that BLS12-381 is sufficient, and I do not understand why Gnark provides BLS24-317. Is it because the BLS24 curve is more suitable for PLONK with KZG? But isn’t BLS24-315 already provided? As a newcomer to this field, I hope to understand it better.

Collaborator

ivokub commented Feb 21, 2025

See https://ethresear.ch/t/yet-another-curve-but-the-curve-for-your-kzg/12861

I guess it is mostly experimental and to compare against other curves. I guess for practical applications one would choose either:

  • BN254 (for verifying on Ethereum with current precompiles)
  • BLS12-381 (for verifying SNARKs on Ethereum with new precompiles)
  • BLS12-377/BW6-761 for 2-chains and efficient proof recursion.

I wouldn't recommend BLS24-317 for new applications right now, maybe @yelhousni has some use cases?

@yelhousni
Contributor

Indeed BLS24 were experimental curves introduced in https://eprint.iacr.org/2021/1359. The rationale was for applications that need faster KZG commitment and opening at the cost of slower verification (only once). The difference between BLS24-315 and BLS24-317 is the same difference between BLS12-377 and BLS12-381. The former curves form 2-chains with BW6-633 and BW6-761 respectively and the latter curves are standalone curves. When you construct 2-chains you need to sacrifice some performance (-1 as a quadratic non-residue is not possible, higher Hamming-weight...). BLS24-317 would be the equivalent of BLS12-381 in terms of features in the BLS24 family for 128 bits of security.
