fix bigint sign calc

ChainSafe · Feb 23, 2024 · 30bb484 · 30bb484
1 parent d3fefe7
commit 30bb484
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 9 deletions.
diff --git a/lightclient-circuits/src/committee_update_circuit.rs b/lightclient-circuits/src/committee_update_circuit.rs
@@ -141,13 +141,13 @@ impl<S: Spec, F: Field> CommitteeUpdateCircuit<S, F> {
                 // assertion check for assigned_uncompressed vector to be equal to S::PubKeyCurve::BYTES_COMPRESSED from specification
                 assert_eq!(assigned_bytes.len(), 48);
                 // masked byte from compressed representation
-                let masked_byte = &assigned_bytes[48 - 1];
+                let masked_byte = &assigned_bytes[47];
                 // clear the flag bits from a last byte of compressed pubkey.
                 // we are using [`clear_3_bits`] function which appears to be just as useful here as for public input commitment.
                 let (cleared_byte, y_sign) = {
                     let bits = gate.num_to_bits(ctx, *masked_byte, 8);
                     let cleared = gate.bits_to_num(ctx, &bits[..5]);
-                    (cleared, bits[5]) // 3 MSB bits are cleared, 3th bit is a sign bit
+                    (cleared, bits[5]) // 3 MSB bits are cleared, 3-rd of those is a sign bit
                 };
                 // Use the cleared byte to construct the x coordinate
                 let assigned_x_bytes_cleared =

diff --git a/lightclient-circuits/src/poseidon.rs b/lightclient-circuits/src/poseidon.rs
@@ -5,16 +5,15 @@
 use eth_types::{Field, NUM_LIMBS};
 use halo2_base::{
     gates::GateInstructions,
-    halo2_proofs::{
-        halo2curves::bn256::{self},
-        plonk::Error,
-    },
+    halo2_proofs::{halo2curves::bn256, plonk::Error},
     poseidon::hasher::PoseidonSponge,
+    utils::modulus,
     AssignedValue, Context, QuantumCell,
 };
 use halo2_ecc::{bigint::ProperCrtUint, bls12_381::FpChip, fields::FieldChip};
 use halo2curves::bls12_381::{self, Fq, G1Affine};
 use itertools::Itertools;
+use num_bigint::BigUint;
 use pse_poseidon::Poseidon as PoseidonNative;
 
 // Using recommended parameters from whitepaper https://eprint.iacr.org/2019/458.pdf (table 2, table 8)
@@ -149,7 +148,11 @@ pub fn poseidon_committee_commitment_from_uncompressed(
         .iter()
         .cloned()
         .map(|bytes| G1Affine::from_uncompressed_be(&bytes.as_slice().try_into().unwrap()).unwrap())
-        .map(|p| (p.x, (p.y.to_bytes()[0] & 1) == 1))
+        .map(|p| {
+            let y = BigUint::from_bytes_le(p.y.to_repr().as_ref()) * BigUint::from(2u64);
+            let sign = y > modulus::<halo2curves::bls12_381::Fq>();
+            (p.x, sign)
+        })
         .unzip();
 
     poseidon_hash_g1_array::<bn256::Fr>(x_coords, y_signs, limb_bits)

diff --git a/lightclient-circuits/src/sync_step_circuit.rs b/lightclient-circuits/src/sync_step_circuit.rs
@@ -27,18 +27,21 @@ use halo2_base::{
         plonk::Error,
         poly::{commitment::Params, kzg::commitment::ParamsKZG},
     },
+    utils::modulus,
     AssignedValue, Context, QuantumCell,
 };
 use halo2_ecc::{
+    bigint::big_less_than,
     bls12_381::{bls_signature::BlsSignatureChip, pairing::PairingChip, Fp2Chip, Fp2Point, FpChip},
     ecc::{
         hash_to_curve::{ExpandMsgXmd, HashToCurveChip},
         EcPoint, EccChip,
     },
-    fields::{FieldChip, FieldChipExt},
+    fields::FieldChip,
 };
 use halo2curves::bls12_381::{G1Affine, G2Affine};
 use itertools::Itertools;
+use num_bigint::BigUint;
 use ssz_rs::Merkleized;
 use std::{env::var, marker::PhantomData, vec};
 
@@ -336,7 +339,20 @@ impl<S: Spec, F: Field> StepCircuit<S, F> {
 
             let assigned_affine = g1_chip.assign_point(ctx, pk);
 
-            let y_sign = fp_chip.sgn0(ctx, assigned_affine.y());
+            let half_p = fp_chip.load_constant_uint(
+                ctx,
+                modulus::<halo2curves::bls12_381::Fq>() / BigUint::from(2u64),
+            );
+            // y_sign = pk.y * 2 > p
+            // due to the limiation of halo2lib api we perform an equivalent operation: y_sign = pk.y < p/2
+            let y_sign = big_less_than::assign(
+                fp_chip.range(),
+                ctx,
+                half_p,
+                assigned_affine.y().clone(),
+                fp_chip.limb_bits,
+                fp_chip.limb_bases[1],
+            );
 
             assigned_pubkeys.push(assigned_affine);
             participation_bits.push(participation_bit);

diff --git a/lightclient-circuits/tests/step.rs b/lightclient-circuits/tests/step.rs
@@ -108,6 +108,9 @@ fn run_test_eth2_spec_mock<const K_ROTATION: u32, const K_SYNC: u32>(path: PathB
     let prover = MockProver::<bn256::Fr>::run(K_SYNC, &sync_circuit, instance).unwrap();
     prover.assert_satisfied();
     end_timer!(timer);
+
+    // check that sync committee poseidon commits match in both circuits
+    assert_eq!(sync_circuit.instances()[0][1], rotation_circuit.instances()[0][0]);
 }
 
 #[rstest]