20:16:12 ERR error="constraint #106781 is not satisfied: qL⋅xa + qR⋅xb + qO⋅xc + qM⋅(xaxb) + qC != 0 → 143 + 0 + 0 + 0 + -227 != 0" nbConstraints=980154

[mperafan]

Hello! How are you? Im getting the 20:16:12 ERR error="constraint #106781 is not satisfied: qL⋅xa + qR⋅xb + qO⋅xc + qM⋅(xaxb) + qC != 0 → 143 + 0 + 0 + 0 + -227 != 0" nbConstraints=980154 error, but i cant find why. I know the part is giving me the error is this:

type Packet struct {
AggregatedPacketHash [32]uints.U8 gnark:",public" //Public hash
AggregatedPacket []byte gnark:",private" //Packet
}
func bytetouint(PacketBytes []byte) [32]uints.U8 { //function to convert bytes to uint
aux := uints.NewU8Array(PacketBytes)
var Packetaux [32]uints.U8
for j := 0; j < min(32, len(aux)); j++ {
Packetaux[j] = aux[j]
}
return Packetaux
}
func (circuit *Packet) Define(api frontend.API) error {
uapi, err := uints.Newuints.U32
if err != nil {
return err
}
hpacket := sha256.New()
hpacket.Write(circuit.AggregatedPacket)
res := bytetouint(hpacket.Sum(make([]byte, 0)))
for k := range circuit.AggregatedPacketHash {
uapi.ByteAssertEq(circuit.AggregatedPacketHash[k], res[k])
}
return nil
}
func Proof() Packet { //function where i calculate the variable for the proof
var Pack Packet
Pack.AggregatedPacket = getBytes(big.NewInt(rand.Int63n(int64(1e18))))
shaa2 := sha256.New()
shaa2.Write(Pack.AggregatedPacket)
Pack.AggregatedPacketHash = bytetouint(shaa2.Sum(make([]byte, 0)))
return Pack
}
func main(){
packetaux := Proof()
assignment := &packetaux
var myCircuit2 Packet
cs, _ := frontend.Compile(ecc.BN254.ScalarField(), scs.NewBuilder, &myCircuit2)
scs := cs.(*bn254cs.SparseR1CS)
srs, srsLagrange, _ := unsafekzg.NewSRS(scs)
pk, vk, _ := plonk.Setup(cs, srs, srsLagrange)
witness, errNW := frontend.NewWitness(assignment, ecc.BN254.ScalarField())
if errNW != nil {
panic(errNW)
}
proof, errProve := plonk.Prove(cs, pk, witness)
if errProve != nil {
panic(errProve)
}
pubWitness, _ := witness.Public()
err := plonk.Verify(proof, vk, pubWitness)
if err != nil {
panic(err)
}
}

Thank you very much

[mperafan]

the line of uapi, err := uints.Newuints.U32 actually is uapi, err := uints.New [uints.U32] (api) i dont know why github changes it

[ivokub]

The posted example doesn't compile, the function getBytes is not defined.

Please - can you post a minimal repo with your example as main.go? Otherwise there is too much flexibility in dependencies, imports etc. and not worth debugging.

[mperafan]

Sure, https://github.com/mperafan/issue

[ivokub]

Thanks - I'll try to have a look soon.

[ivokub]

And - it seems to be like a question about ZK circuit design. We usually try to keep the discussion and issues separated as we use them for planning.

[mperafan]

Sorry, i didn't know, thank u!

[ivokub]

I had a look. When constructing a SNARK proof, then we have several steps you have to keep in mind. First, we have the compilation step without witness assignment and for proving we then solve the circuit using the witness. Now, when you initialize myCircuit2

packetaux := Proof()
assignment := &packetaux
var myCircuit2 Packet

then the field myCircuit2.AggregatedPacket is empty i.e. []byte{}. During compile time we call:

hpacket := sha256.New()
hpacket.Write(circuit.AggregatedPacket)
res := bytetouint(hpacket.Sum(make([]byte, 0)))

and the res here is a constant (because the input to SHA2 is constant). But for witness assignment you generate a random assignment:

Pack.AggregatedPacket = getBytes(big.NewInt(rand.Int63n(int64(1e18))))
shaa2 := sha256.New()
shaa2.Write(Pack.AggregatedPacket)

And thus during solving time the input is different.

You have to keep in mind that for computing sha2 inside circuit you have to use the circuit version of sha2 i.e. package https://pkg.go.dev/github.com/consensys/[email protected]/std/hash/sha2#New. Please have a look at the test file https://github.com/Consensys/gnark/blob/master/std/hash/sha2/sha2_test.go and try to adapt it.

[readygo67]

I am not sure about this circuit's purpose.
I think you are trying to prove the AggregatedPacketHash is the AggregatedPacket's hash result. If so, the original circuit has the following problemes:

1. AggregatedPacket is a NON-CONSTRAINED
2. Use CONSTRAINED sha256() in Define function.
3. Not init the empty AggregatedPacket in compiling(metioned by ivokub).

The following code is a implementation for your reference.

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math/big"
	"math/rand"
	"testing"

	"github.com/consensys/gnark-crypto/ecc"
	"github.com/consensys/gnark-crypto/ecc/bn254/fr"
	"github.com/consensys/gnark/backend/plonk"
	bn254cs "github.com/consensys/gnark/constraint/bn254"
	"github.com/consensys/gnark/frontend"
	"github.com/consensys/gnark/frontend/cs/scs"
	"github.com/consensys/gnark/std/hash/sha2"
	"github.com/consensys/gnark/std/math/uints"
	"github.com/consensys/gnark/test/unsafekzg"
)

type Packet struct { //circuit that represent merkle tree. the output is the proof of that all leafs belongs to the tree
	AggregatedPacketHash [32]uints.U8 `gnark:",public"`  //Public hash
	AggregatedPacket     []uints.U8   `gnark:",private"` // CHANGE NON-CONSTRAINED byte to CONSTRAINED uints.U8
}

func (circuit *Packet) Define(api frontend.API) error { //function where i calculate the root and if the packethash and packet are the same
	uapi, err := uints.New[uints.U32](api)
	if err != nil {
		return err
	}
	h, err := sha2.New(api) // SHOULD USE CONSTRAINED sha256
	if err != nil {
		return err
	}

	h.Write(circuit.AggregatedPacket)
	res := h.Sum()

	for k := range circuit.AggregatedPacketHash {
		uapi.ByteAssertEq(circuit.AggregatedPacketHash[k], res[k])
	}
	return nil
}

func getBytes(b *big.Int) []byte { //function to get bytes
	const SIZE = 32
	bElement := fr.NewElement(b.Uint64())
	res := make([]byte, SIZE)
	bytes := bElement.Bytes()
	for i := 0; i < SIZE; i++ {
		res[i] = bytes[i] //
	}
	return res
}

func bytetouint(PacketBytes []byte) [32]uints.U8 { //function to convert bytes to uint
	aux := uints.NewU8Array(PacketBytes)
	var Packetaux [32]uints.U8
	for j := 0; j < min(32, len(aux)); j++ {
		Packetaux[j] = aux[j]
	}
	return Packetaux
}

func min(a, b int) int { //function of min, necesary for the func bytetouint
	if a > b {
		return b
	}
	return a
}

func Proof() Packet { //function where i calculate the variable for the proof
	var Pack Packet
	bs := getBytes(big.NewInt(rand.Int63n(int64(1e18))))
	fmt.Printf("bs:%v\n", hex.EncodeToString(bs))
	shaa2 := sha256.New()
	shaa2.Write(bs)

	Pack.AggregatedPacketHash = bytetouint(shaa2.Sum(make([]byte, 0)))
	for i := 0; i < len(bs); i++ {
		Pack.AggregatedPacket = append(Pack.AggregatedPacket, uints.NewU8(bs[i]))
	}
	return Pack
}

func TestPacket_Plonk(t *testing.T) {
	for i := 0; i < 10; i++ {
		packetaux := Proof()
		assignment := &packetaux
		myCircuit2 := Packet{
			AggregatedPacket: make([]uints.U8, len(packetaux.AggregatedPacket)), //MUST INIT SLICE
		}

		cs, _ := frontend.Compile(ecc.BN254.ScalarField(), scs.NewBuilder, &myCircuit2)
		fmt.Printf("cs nbConstraints:%v, nbSecretWitness:%v, nbPublicInstance:%v\n", cs.GetNbConstraints(), cs.GetNbSecretVariables(), cs.GetNbPublicVariables())

		scs := cs.(*bn254cs.SparseR1CS)
		srs, srsLagrange, _ := unsafekzg.NewSRS(scs)
		pk, vk, _ := plonk.Setup(cs, srs, srsLagrange)
		witness, errNW := frontend.NewWitness(assignment, ecc.BN254.ScalarField())
		if errNW != nil {
			panic(errNW)
		}
		proof, errProve := plonk.Prove(cs, pk, witness)
		if errProve != nil {
			panic(errProve)
		}
		pubWitness, _ := witness.Public()
		err := plonk.Verify(proof, vk, pubWitness)
		if err != nil {
			panic(err)
		}
	}

}