Improve the parser

tests/test_zpie.c

@@ -5,6 +5,7 @@
 #include "../gadgets/eddsa.c"
 #include "../gadgets/mimc.c"
 
+// Circuit for testing a single constraint
 void test_single_constraint()
 {
     zpie_element out;
@@ -20,6 +21,87 @@ void test_single_constraint()
     zpie_mul(&out, &a, &b);
 }
 
+// Circuit for testing all API constraints
+void test_all_constraints()
+{
+    zpie_element a, b, c;
+    zpie_init(&a);
+    zpie_init(&b);
+    zpie_init(&c);
+
+    zpie_input(&a, "3");
+    zpie_input(&b, "7");
+    zpie_input(&c, "5");
+
+    // e_mul = a * b = 21
+    zpie_element e_mul;
+    zpie_init(&e_mul);
+    zpie_mul(&e_mul, &a, &b);
+
+    // e_addmul = (a + b) * c = 50
+    zpie_element e_addmul;
+    zpie_init(&e_addmul);
+    zpie_addmul(&e_addmul, &a, &b, &c);
+
+    // e_add3mul = (a + b + c) * a = 45
+    zpie_element e_add3mul;
+    zpie_init(&e_add3mul);
+    zpie_add3mul(&e_add3mul, &a, &b, &c, &a);
+
+    // e_addmuladd = (a + b) * (c + a) = 80
+    zpie_element e_addmuladd;
+    zpie_init(&e_addmuladd);
+    zpie_addmuladd(&e_addmuladd, &a, &b, &c, &a);
+
+    // e_add3muladd3 = (a + b + c) * (a + b + c) = 225
+    zpie_element e_add3muladd3;
+    zpie_init(&e_add3muladd3);
+    zpie_add3muladd3(&e_add3muladd3, &a, &b, &c, &a, &b, &c);
+
+    // e_mul_constants = (2*a) * (3*b) = 126
+    zpie_element e_mulc;
+    zpie_init(&e_mulc);
+    int lc = 2, rc = 3;
+    zpie_mul_constants(&e_mulc, &lc, &a, &rc, &b);
+
+    // e_addmul_constants = (2*a + 3*b) * (4*c) = 540
+    zpie_element e_addmulc;
+    zpie_init(&e_addmulc);
+    int lc1 = 2, lc2 = 3, rc2 = 4;
+    zpie_addmul_constants(&e_addmulc, &lc1, &a, &lc2, &b, &rc2, &c);
+
+    // e_mul_big_constants = (10*a) * (20*b) = 4200
+    zpie_element e_bigc;
+    zpie_init(&e_bigc);
+    mclBnFr big_lc, big_rc;
+    mclBnFr_setInt(&big_lc, 10);
+    mclBnFr_setInt(&big_rc, 20);
+    zpie_mul_big_constants(&e_bigc, &big_lc, &a, &big_rc, &b);
+
+    // e_addsmul = (e_mul + e_addmul + e_add3mul + e_addmuladd + e_add3muladd3 + e_mulc + e_addmulc + e_bigc) * b
+    // = (21 + 50 + 45 + 80 + 225 + 126 + 540 + 4200) * 7 = 37009
+    zpie_element e_addsmul;
+    zpie_init_public(&e_addsmul);
+    zpie_element arr[8];
+    arr[0] = e_mul;
+    arr[1] = e_addmul;
+    arr[2] = e_add3mul;
+    arr[3] = e_addmuladd;
+    arr[4] = e_add3muladd3;
+    arr[5] = e_mulc;
+    arr[6] = e_addmulc;
+    arr[7] = e_bigc;
+    int sz = 8;
+    zpie_addsmul(&e_addsmul, &sz, arr, &b);
+
+    // zpie_assert_equal: e_mul should equal a*b = 21
+    zpie_element e_check;
+    zpie_init(&e_check);
+    zpie_input(&e_check, "21");
+    zpie_assert_equal(&e_check, &e_mul);
+}
+
+// Circuit for testing EdDSA signature verification
 void test_eddsa_verification()
 {
     point B;
@@ -40,21 +122,28 @@ void test_eddsa_verification()
     verify_eddsa(edsig, B, A, msg);
 }
 
+// Circuit for testing MiMC hash
 void test_mimc_hash()
 {
     zpie_element h, x_in, k;
 
-    zpie_init_public(&h);
+    zpie_init(&h);
     zpie_init(&x_in);
     zpie_init(&k);
 
     zpie_input(&x_in, "1234");
     zpie_input(&k, "112233445566");
 
     mimc7(&h, &x_in, &k);
+
+    zpie_element h_check;
+    zpie_init(&h_check);
+    zpie_input(&h_check, "10547064275071378430963758417966601760652600083618672830627388988175151799431");
+    zpie_assert_equal(&h_check, &h);
 }
 
-Test(zpie, prover)
+// Test that the prover produces the same proof when randomness is disabled
+Test(zpie, prover_consistency)
 {
     test_no_rand = 1;
     zpie_setup_keys keys;
@@ -88,130 +177,46 @@ Test(zpie, prover)
     test_no_rand = 0;
 }
 
-Test(zpie, full_circuits)
+// Test all circuits altogether
+Test(zpie, all_circuits)
 {
+    // Perform setup for all test circuits
     zpie_setup_keys keys_sc;
     zpie_perform_setup(&keys_sc, &test_single_constraint);
+    zpie_setup_keys keys_ac;
+    zpie_perform_setup(&keys_ac, &test_all_constraints);
     zpie_setup_keys keys_mh;
     zpie_perform_setup(&keys_mh, &test_mimc_hash);
     zpie_setup_keys keys_ev;
     zpie_perform_setup(&keys_ev, &test_eddsa_verification);
 
+    // Generate proofs for all test circuits
     zpie_proof p_sc;
     zpie_generate_proof(&p_sc, &test_single_constraint, &keys_sc.pk);
+    zpie_proof p_ac;
+    zpie_generate_proof(&p_ac, &test_all_constraints, &keys_ac.pk);
     zpie_proof p_mh;
     zpie_generate_proof(&p_mh, &test_mimc_hash, &keys_mh.pk);
     zpie_proof p_ev;
     zpie_generate_proof(&p_ev, &test_eddsa_verification, &keys_ev.pk);
 
+    // Verify all proofs
     cr_assert(zpie_verify_proof(&test_single_constraint, &p_sc, &keys_sc.vk));
+    cr_assert(zpie_verify_proof(&test_all_constraints, &p_ac, &keys_ac.vk));
     cr_assert(zpie_verify_proof(&test_mimc_hash, &p_mh, &keys_mh.vk));
     cr_assert(zpie_verify_proof(&test_eddsa_verification, &p_ev, &keys_ev.vk));
-}
-
-void test_full_api()
-{
-    zpie_element e_mul, e_addmul, e_add3mul, e_addmuladd;
-    zpie_init(&e_mul);
-    zpie_init(&e_addmul);
-    zpie_init(&e_add3mul);
-    zpie_init(&e_addmuladd);
-
-    zpie_element a, b;
-    zpie_init(&a);
-    zpie_init(&b);
-
-    zpie_input(&a, "5");
-    zpie_input(&b, "10");
 
-    zpie_mul(&e_mul, &a, &b);
-    zpie_addmul(&e_addmul, &a, &b, &b);
-    zpie_add3mul(&e_add3mul, &a, &a, &a, &b);
-    zpie_addmuladd(&e_addmuladd, &a, &a, &b, &b);
-}
-
-void test_all_constraints()
-{
-    zpie_element a, b, c;
-    zpie_init_public(&a);
-    zpie_init(&b);
-    zpie_init(&c);
-
-    zpie_input(&a, "3");
-    zpie_input(&b, "7");
-    zpie_input(&c, "5");
-
-    // zpie_mul: out = a * b = 21
-    zpie_element e_mul;
-    zpie_init(&e_mul);
-    zpie_mul(&e_mul, &a, &b);
-
-    // zpie_addmul: out = (a + b) * c = 50
-    zpie_element e_addmul;
-    zpie_init(&e_addmul);
-    zpie_addmul(&e_addmul, &a, &b, &c);
-
-    // zpie_add3mul: out = (a + b + c) * a = 45
-    zpie_element e_add3mul;
-    zpie_init(&e_add3mul);
-    zpie_add3mul(&e_add3mul, &a, &b, &c, &a);
-
-    // zpie_addmuladd: out = (a + b) * (c + a) = 80
-    zpie_element e_addmuladd;
-    zpie_init(&e_addmuladd);
-    zpie_addmuladd(&e_addmuladd, &a, &b, &c, &a);
-
-    // zpie_add3muladd3: out = (a + b + c) * (a + b + c) = 225
-    zpie_element e_add3muladd3;
-    zpie_init(&e_add3muladd3);
-    zpie_add3muladd3(&e_add3muladd3, &a, &b, &c, &a, &b, &c);
-
-    // zpie_mul_constants: out = (2*a) * (3*b) = 126
-    zpie_element e_mulc;
-    zpie_init(&e_mulc);
-    int lc = 2, rc = 3;
-    zpie_mul_constants(&e_mulc, &lc, &a, &rc, &b);
-
-    // zpie_addmul_constants: out = (2*a + 3*b) * (4*c) = 540
-    zpie_element e_addmulc;
-    zpie_init(&e_addmulc);
-    int lc1 = 2, lc2 = 3, rc2 = 4;
-    zpie_addmul_constants(&e_addmulc, &lc1, &a, &lc2, &b, &rc2, &c);
-
-    // zpie_mul_big_constants: out = (10*a) * (20*b) = 4200
-    zpie_element e_bigc;
-    zpie_init(&e_bigc);
-    mclBnFr big_lc, big_rc;
-    mclBnFr_setInt(&big_lc, 10);
-    mclBnFr_setInt(&big_rc, 20);
-    zpie_mul_big_constants(&e_bigc, &big_lc, &a, &big_rc, &b);
-
-    // zpie_addsmul: out = (a + b + c) * b = 105
-    zpie_element e_addsmul;
-    zpie_init(&e_addsmul);
-    zpie_element arr[3];
-    arr[0] = a;
-    arr[1] = b;
-    arr[2] = c;
-    int sz = 3;
-    zpie_addsmul(&e_addsmul, &sz, arr, &b);
-
-    // zpie_assert_equal: e_mul should equal a*b = 21
-    zpie_element e_check;
-    zpie_init(&e_check);
-    zpie_mul(&e_check, &a, &b);
-    zpie_assert_equal(&e_check, &e_mul);
-}
-
-Test(zpie, all_constraints)
-{
-    zpie_setup_keys keys;
-    zpie_perform_setup(&keys, &test_all_constraints);
-    zpie_proof p;
-    zpie_generate_proof(&p, &test_all_constraints, &keys.pk);
-    cr_assert(zpie_verify_proof(&test_all_constraints, &p, &keys.vk));
+    // Check public inputs in the proofs
+    mclBnFr check_sc;
+    mclBnFr_setInt(&check_sc, 7006652);
+    cr_assert(mclBnFr_isEqual(&check_sc, &p_sc.uwProof[0]));
+    mclBnFr check_ac;
+    mclBnFr_setInt(&check_ac, 37009);
+    cr_assert(mclBnFr_isEqual(&check_ac, &p_ac.uwProof[0]));
 }
 
+// Test that setup keys and proofs can be serialized and deserialized correctly, 
+// and that proofs generated with deserialized keys verify successfully
 Test(zpie, serialization_roundtrip)
 {
     zpie_setup_keys keys;
@@ -237,8 +242,23 @@ Test(zpie, serialization_roundtrip)
     zpie_proof p;
     zpie_generate_proof(&p, &test_mimc_hash, &keys2.pk);
     cr_assert(zpie_verify_proof(&test_mimc_hash, &p, &keys2.vk));
+
+    // same with the proof: serialize and deserialize, then verify
+    zpie_store_proof(&p, "mimc_hash");
+    zpie_proof p2;
+    zpie_read_proof(&p2, "mimc_hash");
+
+    cr_assert(mclBnG1_isEqual(&p.piA, &p2.piA));
+    cr_assert(mclBnG2_isEqual(&p.piB2, &p2.piB2));
+    cr_assert(mclBnG1_isEqual(&p.piC, &p2.piC));
+
+    cr_assert(zpie_verify_proof(&test_mimc_hash, &p2, &keys2.vk));
+
+    // TODO: check why the following passes
+    // cr_assert(zpie_verify_proof(&test_single_constraint, &p2, &keys2.vk));
 }
 
+// Test that an invalid proof is rejected by the verifier
 Test(zpie, invalid_proof_rejected)
 {
     zpie_setup_keys keys;
@@ -258,7 +278,8 @@ Test(zpie, invalid_proof_rejected)
     cr_assert_not(zpie_verify_proof(&test_single_constraint, &p, &keys.vk));
 }
 
-Test(zpie, cross_circuit_rejected)
+// Test that a proof generated for one circuit does not verify against another circuit's vk
+Test(zpie, wrong_vk)
 {
     zpie_setup_keys keys_sc;
     zpie_perform_setup(&keys_sc, &test_single_constraint);
@@ -272,45 +293,16 @@ Test(zpie, cross_circuit_rejected)
     cr_assert_not(zpie_verify_proof(&test_single_constraint, &p_sc, &keys_mh.vk));
 }
 
-Test(zpie, deterministic_mimc)
-{
-    test_no_rand = 1;
-    zpie_setup_keys keys;
-    zpie_perform_setup(&keys, &test_mimc_hash);
-    zpie_proof p;
-    zpie_generate_proof(&p, &test_mimc_hash, &keys.pk);
-
-    // verify the deterministic zpie_proof
-    cr_assert(zpie_verify_proof(&test_mimc_hash, &p, &keys.vk));
-
-    // generate a second time and check reproducibility
-    zpie_proof p2;
-    zpie_generate_proof(&p2, &test_mimc_hash, &keys.pk);
-    cr_assert(mclBnG1_isEqual(&p.piA, &p2.piA));
-    cr_assert(mclBnG2_isEqual(&p.piB2, &p2.piB2));
-    cr_assert(mclBnG1_isEqual(&p.piC, &p2.piC));
-
-    test_no_rand = 0;
-}
-
-Test(zpie, proof_serialization)
+// Test that verifier rejects a proof with incorrect public inputs
+Test(zpie, wrong_pi)
 {
-    zpie_setup_keys keys;
-    zpie_perform_setup(&keys, &test_single_constraint);
-    zpie_store_setup(&keys, "single_constraint");
-
-    zpie_proof p;
-    zpie_generate_proof(&p, &test_single_constraint, &keys.pk);
-    zpie_store_proof(&p, "single_constraint");
+    zpie_setup_keys keys_sc;
+    zpie_perform_setup(&keys_sc, &test_single_constraint);
 
-    zpie_setup_keys keys2;
-    zpie_read_setup(&keys2, &test_single_constraint, "single_constraint");
-    zpie_proof p2;
-    zpie_read_proof(&p2, "single_constraint");
+    zpie_proof p_sc;
+    zpie_generate_proof(&p_sc, &test_single_constraint, &keys_sc.pk);
 
-    cr_assert(mclBnG1_isEqual(&p.piA, &p2.piA));
-    cr_assert(mclBnG2_isEqual(&p.piB2, &p2.piB2));
-    cr_assert(mclBnG1_isEqual(&p.piC, &p2.piC));
+    mclBnFr_setInt(&p_sc.uwProof[0], 12345); // tamper with public input
 
-    cr_assert(zpie_verify_proof(&test_single_constraint, &p2, &keys2.vk));
+    cr_assert_not(zpie_verify_proof(&test_single_constraint, &p_sc, &keys_sc.vk));
 }