Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
eccvm.fuzzer.cpp
Go to the documentation of this file.
1// === AUDIT STATUS ===
2// internal: { status: not started, auditors: [], commit: }
3// external_1: { status: not started, auditors: [], commit: }
4// external_2: { status: not started, auditors: [], commit: }
5// =====================
6
7#include "barretenberg/crypto/generators/generator_data.hpp"
8#include "barretenberg/ecc/curves/bn254/bn254.hpp"
9#include "barretenberg/ecc/fields/field.fuzzer.hpp"
10#include "barretenberg/eccvm/eccvm_circuit_builder.hpp"
11#include "barretenberg/eccvm/eccvm_trace_checker.hpp"
12#include "barretenberg/op_queue/ecc_op_queue.hpp"
13#include <cassert>
14#include <cstdint>
15#include <iostream>
16#include <vector>
17
18using namespace bb;
19using G1 = bb::g1;
20using Fr = typename G1::Fr;
21using Element = bb::curve::BN254::Element;
22
23// Security note: This fuzzer generates random ECC operations to test the ECCVM circuit builder
24// and trace checker. It focuses on the check_circuit mechanism without full proving to avoid
25// potential security issues with proving key generation or proof verification.
26
27// Operation types for the fuzzer
28enum class OpType : uint8_t { ADD = 0, MUL = 1, EQ_AND_RESET = 2, MERGE = 3, EMPTY_ROW = 4, MAX_OP = 5 };
29struct FieldVMDataChunk {
30 std::array<uint8_t, 64> data;
31};
32
38
43
44struct OperationDetail {
45 size_t op_index;
46 OpType op_type;
47 size_t generator_index;
48 Fr scalar;
49 bool is_infinity;
50 bool should_negate;
51
52 OperationDetail(size_t idx, OpType type, size_t gen_idx, const Fr& sc, bool infinity, bool negate = false)
53 : op_index(idx)
54 , op_type(type)
55 , generator_index(gen_idx)
56 , scalar(sc)
57 , is_infinity(infinity)
58 , should_negate(negate)
59 {}
60};
61static constexpr size_t NUM_GENERATORS = 4;
62// Helper function to print operation details
63void print_operation_details(size_t op_index,
64 OpType op_type,
65 size_t generator_index,
66 const Fr& scalar,
67 bool is_infinity,
68 bool should_negate = false)
69{
70 std::cout << "Operation " << op_index << ": ";
71 switch (op_type) {
72 case OpType::ADD:
73 std::cout << "ADD(generator=" << generator_index << (should_negate ? ", negated" : "")
74 << (is_infinity ? ", infinity" : "") << ")";
75 break;
76 case OpType::MUL:
77 std::cout << "MUL(generator=" << generator_index << ", scalar=" << scalar << (should_negate ? ", negated" : "")
78 << (is_infinity ? ", infinity" : "") << ")";
79 break;
80 case OpType::EQ_AND_RESET:
81 std::cout << "EQ_AND_RESET";
82 break;
83 case OpType::MERGE:
84 std::cout << "MERGE";
85 break;
86 case OpType::EMPTY_ROW:
87 std::cout << "EMPTY_ROW";
88 break;
89 default:
90 std::cout << "UNKNOWN(" << static_cast<int>(op_type) << ")";
91 break;
92 }
93 std::cout << std::endl;
94}
95
96extern "C" int LLVMFuzzerTestOneInput(const uint8_t* Data, size_t Size)
97{
98
99 if (Size < sizeof(FuzzerTuple)) {
100 return 0; // Invalid input size
101 }
102
103 const FuzzerTuple* input = reinterpret_cast<const FuzzerTuple*>(Data);
104
105 // Validate input parameters
106 size_t num_operations = (Size) / sizeof(FuzzerTuple);
107 if (num_operations == 0) {
108 return 0;
109 }
110
111 auto total_fieldvm_data_size = num_operations * sizeof(FieldVMDataChunk);
112 std::vector<uint8_t> all_fieldvm_data(total_fieldvm_data_size);
113 for (size_t i = 0; i < num_operations; ++i) {
114 std::memcpy(
115 all_fieldvm_data.data() + i * sizeof(FieldVMDataChunk), &input[i].fieldvm_data, sizeof(FieldVMDataChunk));
116 }
117
118 // Pre-compute scalars using FieldVM
119 std::vector<Fr> precomputed_scalars;
120 // Create FieldVM instance for scalar computation
121 FieldVM<Fr> field_vm(false, 65536); // Disable debug, max 65536 steps
122
123 // Disable heavy operations for better performance
124 field_vm.settings.enable_inv = false; // Disable inversion
125 field_vm.settings.enable_sqrt = false; // Disable square root
126 field_vm.settings.enable_batch_invert = false; // Disable batch inversion
127 field_vm.settings.enable_pow = false; // Disable power operation
128 field_vm.settings.enable_div = false; // Disable division
129 field_vm.settings.enable_div_assign = false; // Disable division assignment
130
131 // Run FieldVM with the controlled amount of data
132 field_vm.run(all_fieldvm_data.data(), total_fieldvm_data_size);
133
134 // Extract all field elements from FieldVM state as potential scalars
135 for (size_t i = 0; i < 32; ++i) { // Use all 32 internal state elements
136 Fr scalar = field_vm.field_internal_state[i];
137 precomputed_scalars.push_back(scalar);
138 }
139
140 // Create base generators (always create 4 base generators)
141 auto base_generators = G1::derive_generators("eccvm_fuzzer_generators", NUM_GENERATORS);
142 std::vector<typename G1::element> points;
143
144 // Use the first 16 FieldVM elements to create 4 linear combinations of base generators
145 for (size_t i = 0; i < 4; ++i) {
146 // Create linear combination: sum of base_generators[j] * precomputed_scalars[i*4 + j]
147 typename G1::element combined_point = G1::point_at_infinity;
148 for (size_t j = 0; j < 4; ++j) {
149 Fr scalar = precomputed_scalars[i * 4 + j];
150 combined_point = combined_point + (base_generators[j] * scalar);
151 }
152 points.push_back(combined_point);
153 }
154
155 // Create op queue
156 std::shared_ptr<ECCOpQueue> op_queue = std::make_shared<ECCOpQueue>();
157
158 // Add the required hiding op for ZK (row 1 of the transcript)
159 // Use some of the precomputed scalars for the hiding op Px, Py values
160 // These don't need to be on the curve - they're just random field elements for ZK hiding
161 using Fq = curve::BN254::BaseField;
162 Fq hiding_Px = Fq(precomputed_scalars[0]);
163 Fq hiding_Py = Fq(precomputed_scalars[1]);
164 op_queue->append_hiding_op(hiding_Px, hiding_Py);
165
166 // Store operation details for potential failure reporting
167 std::vector<OperationDetail> operation_details;
168
169 // Process operations
170 for (size_t i = 0; i < num_operations; ++i) {
171 const auto& op = input[i].operation;
172 OpType op_type = op.op_type;
173
174 switch (op_type) {
175 case OpType::ADD: {
176 // Use modulo to ensure valid generator index (lower 7 bits)
177 size_t generator_index = (op.generator_index & 0x7F) % points.size();
178 bool should_negate = (op.generator_index & 0x80) != 0; // Top bit controls negation
179
180 typename G1::element point_to_add = points[generator_index];
181 if (should_negate) {
182 point_to_add = -point_to_add; // Negate the point
183 }
184
185 bool is_infinity = point_to_add.is_point_at_infinity();
186 operation_details.emplace_back(i, op_type, generator_index, Fr(0), is_infinity, should_negate);
187 op_queue->add_accumulate(point_to_add);
188 break;
189 }
190 case OpType::MUL: {
191 // Use modulo to ensure valid generator index (lower 7 bits)
192 size_t generator_index = (op.generator_index & 0x7F) % points.size();
193 bool should_negate = (op.generator_index & 0x80) != 0; // Top bit controls negation
194
195 // Use pre-computed scalar selected by scalar_indices
196 Fr scalar = precomputed_scalars[op.scalar_index % precomputed_scalars.size()];
197
198 typename G1::element point_to_multiply = points[generator_index];
199 if (should_negate) {
200 point_to_multiply = -point_to_multiply; // Negate the point
201 }
202
203 bool is_infinity = point_to_multiply.is_point_at_infinity();
204 operation_details.emplace_back(i, op_type, generator_index, scalar, is_infinity, should_negate);
205 op_queue->mul_accumulate(point_to_multiply, scalar);
206 break;
207 }
208 case OpType::EQ_AND_RESET: {
209 operation_details.emplace_back(i, op_type, 0, Fr(0), false, false);
210 op_queue->eq_and_reset();
211 break;
212 }
213 case OpType::MERGE: {
214 operation_details.emplace_back(i, op_type, 0, Fr(0), false, false);
215
216 op_queue->eq_and_reset();
217 op_queue->merge();
218 break;
219 }
220 case OpType::EMPTY_ROW: {
221 operation_details.emplace_back(i, op_type, 0, Fr(0), false, false);
222 op_queue->empty_row_for_testing();
223 break;
224 }
225 default:
226 operation_details.emplace_back(i, op_type, 0, Fr(0), false, false);
227 break;
228 }
229 }
230
231 // Always merge at the end to finalize the circuit
232 operation_details.emplace_back(num_operations, OpType::EQ_AND_RESET, 0, Fr(0), false, false);
233 op_queue->eq_and_reset();
234
235 operation_details.emplace_back(num_operations + 1, OpType::MERGE, 0, Fr(0), false, false);
236 op_queue->merge();
237
238 // Create circuit builder
239 ECCVMCircuitBuilder circuit{ op_queue };
240
241 // Test the check_circuit mechanism
242 bool result = ECCVMTraceChecker::check(circuit, nullptr, /* disable_fixed_dyadic_trace_size= */ true);
243 // The circuit should always be valid if our operations are well-formed
244 // If check fails, it might indicate a bug in the circuit builder or trace checker
245 if (!result) {
246 std::cout << "ERROR: ECCVMTraceChecker::check returned false!" << std::endl;
247 std::cout << "Input parameters:" << std::endl;
248 std::cout << " num_operations: " << num_operations << std::endl;
249 std::cout << " operations: ";
250 for (size_t i = 0; i < num_operations; ++i) {
251 std::cout << static_cast<int>(input[i].operation.op_type) << " ";
252 }
253 std::cout << std::endl;
254 std::cout << " generator_indices: ";
255 for (size_t i = 0; i < num_operations; ++i) {
256 std::cout << static_cast<int>(input[i].operation.generator_index) << " ";
257 }
258 std::cout << std::endl;
259
260 // Print operation details that led to the failure
261 std::cout << "Operation sequence that caused failure:" << std::endl;
262 for (const auto& op : operation_details) {
263 print_operation_details(
264 op.op_index, op.op_type, op.generator_index, op.scalar, op.is_infinity, op.should_negate);
265 }
266 }
267
268 assert(result == true);
269
270 return 0;
271}
bb::ECCVMTraceChecker::check
static bool check(ECCVMCircuitBuilder &, numeric::RNG *engine_ptr=nullptr)
Definition eccvm_trace_checker.cpp:12
bb::curve::BN254::Element
typename Group::element Element
Definition bn254.hpp:21
bb::curve::BN254::BaseField
bb::fq BaseField
Definition bn254.hpp:19
bb::group::point_at_infinity
static constexpr element point_at_infinity
Definition group.hpp:47
bb::group::element
group_elements::element< Fq, Fr, Params > element
Definition group.hpp:41
bb::group::Fr
Fr_ Fr
Definition group.hpp:40
bb::group::derive_generators
static std::vector< affine_element > derive_generators(const std::vector< uint8_t > &domain_separator_bytes, const size_t num_generators, const size_t starting_index=0)
Derives generator points via hash-to-curve.
Definition group.hpp:87
field.fuzzer.hpp
Field arithmetic fuzzer for testing cryptographic field operations.
ecc_op_queue.hpp
LLVMFuzzerTestOneInput
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
Definition eccvm.fuzzer.cpp:96
print_operation_details
void print_operation_details(size_t op_index, OpType op_type, size_t generator_index, const Fr &scalar, bool is_infinity, bool should_negate=false)
Definition eccvm.fuzzer.cpp:63
Fr
typename G1::Fr Fr
Definition eccvm.fuzzer.cpp:20
OpType
OpType
Definition eccvm.fuzzer.cpp:28
OpType::EQ_AND_RESET
@ EQ_AND_RESET
eccvm_circuit_builder.hpp
eccvm_trace_checker.hpp
generator_data.hpp
bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5
bb::g1
group< fq, fr, Bn254G1Params > g1
Definition g1.hpp:33
bb::Instruction::MUL
@ MUL
Multiply two field elements.
bb::Instruction::ADD
@ ADD
Add two field elements.
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13
Element
Curve::Element Element
Definition pippenger.bench.cpp:30
G1
Curve::AffineElement G1
Definition pippenger.bench.cpp:29
FieldVMDataChunk::data
std::array< uint8_t, 64 > data
Definition eccvm.fuzzer.cpp:30
FuzzerTuple::fieldvm_data
FieldVMDataChunk fieldvm_data
Definition eccvm.fuzzer.cpp:40
FuzzerTuple::operation
SingleOp operation
Definition eccvm.fuzzer.cpp:41
OperationDetail::OperationDetail
OperationDetail(size_t idx, OpType type, size_t gen_idx, const Fr &sc, bool infinity, bool negate=false)
Definition eccvm.fuzzer.cpp:52
SingleOp::op_type
OpType op_type
Definition eccvm.fuzzer.cpp:34
SingleOp::scalar_index
uint8_t scalar_index
Definition eccvm.fuzzer.cpp:36
SingleOp::generator_index
uint8_t generator_index
Definition eccvm.fuzzer.cpp:35
bb::FieldVM
Virtual machine for field arithmetic operations.
Definition field.fuzzer.hpp:146
bb::FieldVM::run
size_t run(const unsigned char *Data, size_t Size, bool reset_steps=true)
Run the VM on input data.
Definition field.fuzzer.hpp:1197
bb::FieldVM::field_internal_state
std::array< Field, INTERNAL_STATE_SIZE > field_internal_state
Internal state array of field elements.
Definition field.fuzzer.hpp:174
bb::FieldVM::settings
VMSettings settings
VM settings controlling which operations are enabled.
Definition field.fuzzer.hpp:191
bb::VMSettings::enable_inv
bool enable_inv
Enable INV operations.
Definition field.fuzzer.hpp:49
bb::VMSettings::enable_batch_invert
bool enable_batch_invert
Enable BATCH_INVERT operations.
Definition field.fuzzer.hpp:62
bb::VMSettings::enable_div
bool enable_div
Enable DIV operations.
Definition field.fuzzer.hpp:47
bb::VMSettings::enable_div_assign
bool enable_div_assign
Enable DIV_ASSIGN operations.
Definition field.fuzzer.hpp:48
bb::VMSettings::enable_sqrt
bool enable_sqrt
Enable SQRT operations.
Definition field.fuzzer.hpp:54
bb::VMSettings::enable_pow
bool enable_pow
Enable POW operations.
Definition field.fuzzer.hpp:53
Fq
curve::BN254::BaseField Fq
Definition translator.fuzzer.hpp:21