From 619ea8369e4ba16d1a4318bfbf9c1a8d61dd0564 Mon Sep 17 00:00:00 2001 From: xevisalle Date: Tue, 17 Mar 2026 18:15:41 +0100 Subject: [PATCH 1/2] Improve tests --- tests/test_zpie.c | 271 ++++++++++++++++++++++------------------------ 1 file changed, 129 insertions(+), 142 deletions(-) diff --git a/tests/test_zpie.c b/tests/test_zpie.c index 058ff14..cce1646 100644 --- a/tests/test_zpie.c +++ b/tests/test_zpie.c @@ -5,6 +5,7 @@ #include "../gadgets/eddsa.c" #include "../gadgets/mimc.c" +// Circuit for testing a single constraint void test_single_constraint() { zpie_element out; @@ -20,6 +21,87 @@ void test_single_constraint() zpie_mul(&out, &a, &b); } +// Circuit for testing all API constraints +void test_all_constraints() +{ + zpie_element a, b, c; + zpie_init(&a); + zpie_init(&b); + zpie_init(&c); + + zpie_input(&a, "3"); + zpie_input(&b, "7"); + zpie_input(&c, "5"); + + // e_mul = a * b = 21 + zpie_element e_mul; + zpie_init(&e_mul); + zpie_mul(&e_mul, &a, &b); + + // e_addmul = (a + b) * c = 50 + zpie_element e_addmul; + zpie_init(&e_addmul); + zpie_addmul(&e_addmul, &a, &b, &c); + + // e_add3mul = (a + b + c) * a = 45 + zpie_element e_add3mul; + zpie_init(&e_add3mul); + zpie_add3mul(&e_add3mul, &a, &b, &c, &a); + + // e_addmuladd = (a + b) * (c + a) = 80 + zpie_element e_addmuladd; + zpie_init(&e_addmuladd); + zpie_addmuladd(&e_addmuladd, &a, &b, &c, &a); + + // e_add3muladd3 = (a + b + c) * (a + b + c) = 225 + zpie_element e_add3muladd3; + zpie_init(&e_add3muladd3); + zpie_add3muladd3(&e_add3muladd3, &a, &b, &c, &a, &b, &c); + + // e_mul_constants = (2*a) * (3*b) = 126 + zpie_element e_mulc; + zpie_init(&e_mulc); + int lc = 2, rc = 3; + zpie_mul_constants(&e_mulc, &lc, &a, &rc, &b); + + // e_addmul_constants = (2*a + 3*b) * (4*c) = 540 + zpie_element e_addmulc; + zpie_init(&e_addmulc); + int lc1 = 2, lc2 = 3, rc2 = 4; + zpie_addmul_constants(&e_addmulc, &lc1, &a, &lc2, &b, &rc2, &c); + + // e_mul_big_constants = (10*a) * (20*b) = 4200 + zpie_element e_bigc; + zpie_init(&e_bigc); + mclBnFr big_lc, big_rc; + mclBnFr_setInt(&big_lc, 10); + mclBnFr_setInt(&big_rc, 20); + zpie_mul_big_constants(&e_bigc, &big_lc, &a, &big_rc, &b); + + // e_addsmul = (e_mul + e_addmul + e_add3mul + e_addmuladd + e_add3muladd3 + e_mulc + e_addmulc + e_bigc) * b + // = (21 + 50 + 45 + 80 + 225 + 126 + 540 + 4200) * 7 = 37009 + zpie_element e_addsmul; + zpie_init_public(&e_addsmul); + zpie_element arr[8]; + arr[0] = e_mul; + arr[1] = e_addmul; + arr[2] = e_add3mul; + arr[3] = e_addmuladd; + arr[4] = e_add3muladd3; + arr[5] = e_mulc; + arr[6] = e_addmulc; + arr[7] = e_bigc; + int sz = 8; + zpie_addsmul(&e_addsmul, &sz, arr, &b); + + // zpie_assert_equal: e_mul should equal a*b = 21 + zpie_element e_check; + zpie_init(&e_check); + zpie_input(&e_check, "21"); + zpie_assert_equal(&e_check, &e_mul); +} + +// Circuit for testing EdDSA signature verification void test_eddsa_verification() { point B; @@ -40,6 +122,7 @@ void test_eddsa_verification() verify_eddsa(edsig, B, A, msg); } +// Circuit for testing MiMC hash void test_mimc_hash() { zpie_element h, x_in, k; @@ -54,7 +137,8 @@ void test_mimc_hash() mimc7(&h, &x_in, &k); } -Test(zpie, prover) +// Test that the prover produces the same proof when randomness is disabled +Test(zpie, prover_consistency) { test_no_rand = 1; zpie_setup_keys keys; @@ -88,130 +172,46 @@ Test(zpie, prover) test_no_rand = 0; } -Test(zpie, full_circuits) +// Test all circuits altogether +Test(zpie, all_circuits) { + // Perform setup for all test circuits zpie_setup_keys keys_sc; zpie_perform_setup(&keys_sc, &test_single_constraint); + zpie_setup_keys keys_ac; + zpie_perform_setup(&keys_ac, &test_all_constraints); zpie_setup_keys keys_mh; zpie_perform_setup(&keys_mh, &test_mimc_hash); zpie_setup_keys keys_ev; zpie_perform_setup(&keys_ev, &test_eddsa_verification); + // Generate proofs for all test circuits zpie_proof p_sc; zpie_generate_proof(&p_sc, &test_single_constraint, &keys_sc.pk); + zpie_proof p_ac; + zpie_generate_proof(&p_ac, &test_all_constraints, &keys_ac.pk); zpie_proof p_mh; zpie_generate_proof(&p_mh, &test_mimc_hash, &keys_mh.pk); zpie_proof p_ev; zpie_generate_proof(&p_ev, &test_eddsa_verification, &keys_ev.pk); + // Verify all proofs cr_assert(zpie_verify_proof(&test_single_constraint, &p_sc, &keys_sc.vk)); + cr_assert(zpie_verify_proof(&test_all_constraints, &p_ac, &keys_ac.vk)); cr_assert(zpie_verify_proof(&test_mimc_hash, &p_mh, &keys_mh.vk)); cr_assert(zpie_verify_proof(&test_eddsa_verification, &p_ev, &keys_ev.vk)); -} - -void test_full_api() -{ - zpie_element e_mul, e_addmul, e_add3mul, e_addmuladd; - zpie_init(&e_mul); - zpie_init(&e_addmul); - zpie_init(&e_add3mul); - zpie_init(&e_addmuladd); - - zpie_element a, b; - zpie_init(&a); - zpie_init(&b); - - zpie_input(&a, "5"); - zpie_input(&b, "10"); - - zpie_mul(&e_mul, &a, &b); - zpie_addmul(&e_addmul, &a, &b, &b); - zpie_add3mul(&e_add3mul, &a, &a, &a, &b); - zpie_addmuladd(&e_addmuladd, &a, &a, &b, &b); -} - -void test_all_constraints() -{ - zpie_element a, b, c; - zpie_init_public(&a); - zpie_init(&b); - zpie_init(&c); - - zpie_input(&a, "3"); - zpie_input(&b, "7"); - zpie_input(&c, "5"); - - // zpie_mul: out = a * b = 21 - zpie_element e_mul; - zpie_init(&e_mul); - zpie_mul(&e_mul, &a, &b); - - // zpie_addmul: out = (a + b) * c = 50 - zpie_element e_addmul; - zpie_init(&e_addmul); - zpie_addmul(&e_addmul, &a, &b, &c); - - // zpie_add3mul: out = (a + b + c) * a = 45 - zpie_element e_add3mul; - zpie_init(&e_add3mul); - zpie_add3mul(&e_add3mul, &a, &b, &c, &a); - - // zpie_addmuladd: out = (a + b) * (c + a) = 80 - zpie_element e_addmuladd; - zpie_init(&e_addmuladd); - zpie_addmuladd(&e_addmuladd, &a, &b, &c, &a); - - // zpie_add3muladd3: out = (a + b + c) * (a + b + c) = 225 - zpie_element e_add3muladd3; - zpie_init(&e_add3muladd3); - zpie_add3muladd3(&e_add3muladd3, &a, &b, &c, &a, &b, &c); - - // zpie_mul_constants: out = (2*a) * (3*b) = 126 - zpie_element e_mulc; - zpie_init(&e_mulc); - int lc = 2, rc = 3; - zpie_mul_constants(&e_mulc, &lc, &a, &rc, &b); - - // zpie_addmul_constants: out = (2*a + 3*b) * (4*c) = 540 - zpie_element e_addmulc; - zpie_init(&e_addmulc); - int lc1 = 2, lc2 = 3, rc2 = 4; - zpie_addmul_constants(&e_addmulc, &lc1, &a, &lc2, &b, &rc2, &c); - - // zpie_mul_big_constants: out = (10*a) * (20*b) = 4200 - zpie_element e_bigc; - zpie_init(&e_bigc); - mclBnFr big_lc, big_rc; - mclBnFr_setInt(&big_lc, 10); - mclBnFr_setInt(&big_rc, 20); - zpie_mul_big_constants(&e_bigc, &big_lc, &a, &big_rc, &b); - - // zpie_addsmul: out = (a + b + c) * b = 105 - zpie_element e_addsmul; - zpie_init(&e_addsmul); - zpie_element arr[3]; - arr[0] = a; - arr[1] = b; - arr[2] = c; - int sz = 3; - zpie_addsmul(&e_addsmul, &sz, arr, &b); - - // zpie_assert_equal: e_mul should equal a*b = 21 - zpie_element e_check; - zpie_init(&e_check); - zpie_mul(&e_check, &a, &b); - zpie_assert_equal(&e_check, &e_mul); -} -Test(zpie, all_constraints) -{ - zpie_setup_keys keys; - zpie_perform_setup(&keys, &test_all_constraints); - zpie_proof p; - zpie_generate_proof(&p, &test_all_constraints, &keys.pk); - cr_assert(zpie_verify_proof(&test_all_constraints, &p, &keys.vk)); + // Check public inputs in the proofs + mclBnFr check_sc; + mclBnFr_setInt(&check_sc, 7006652); + cr_assert(mclBnFr_isEqual(&check_sc, &p_sc.uwProof[0])); + mclBnFr check_ac; + mclBnFr_setInt(&check_ac, 37009); + cr_assert(mclBnFr_isEqual(&check_ac, &p_ac.uwProof[0])); } +// Test that setup keys and proofs can be serialized and deserialized correctly, +// and that proofs generated with deserialized keys verify successfully Test(zpie, serialization_roundtrip) { zpie_setup_keys keys; @@ -237,8 +237,23 @@ Test(zpie, serialization_roundtrip) zpie_proof p; zpie_generate_proof(&p, &test_mimc_hash, &keys2.pk); cr_assert(zpie_verify_proof(&test_mimc_hash, &p, &keys2.vk)); + + // same with the proof: serialize and deserialize, then verify + zpie_store_proof(&p, "mimc_hash"); + zpie_proof p2; + zpie_read_proof(&p2, "mimc_hash"); + + cr_assert(mclBnG1_isEqual(&p.piA, &p2.piA)); + cr_assert(mclBnG2_isEqual(&p.piB2, &p2.piB2)); + cr_assert(mclBnG1_isEqual(&p.piC, &p2.piC)); + + cr_assert(zpie_verify_proof(&test_mimc_hash, &p2, &keys2.vk)); + + // TODO: check why the following passes + // cr_assert(zpie_verify_proof(&test_single_constraint, &p2, &keys2.vk)); } +// Test that an invalid proof is rejected by the verifier Test(zpie, invalid_proof_rejected) { zpie_setup_keys keys; @@ -258,7 +273,8 @@ Test(zpie, invalid_proof_rejected) cr_assert_not(zpie_verify_proof(&test_single_constraint, &p, &keys.vk)); } -Test(zpie, cross_circuit_rejected) +// Test that a proof generated for one circuit does not verify against another circuit's vk +Test(zpie, wrong_vk) { zpie_setup_keys keys_sc; zpie_perform_setup(&keys_sc, &test_single_constraint); @@ -272,45 +288,16 @@ Test(zpie, cross_circuit_rejected) cr_assert_not(zpie_verify_proof(&test_single_constraint, &p_sc, &keys_mh.vk)); } -Test(zpie, deterministic_mimc) -{ - test_no_rand = 1; - zpie_setup_keys keys; - zpie_perform_setup(&keys, &test_mimc_hash); - zpie_proof p; - zpie_generate_proof(&p, &test_mimc_hash, &keys.pk); - - // verify the deterministic zpie_proof - cr_assert(zpie_verify_proof(&test_mimc_hash, &p, &keys.vk)); - - // generate a second time and check reproducibility - zpie_proof p2; - zpie_generate_proof(&p2, &test_mimc_hash, &keys.pk); - cr_assert(mclBnG1_isEqual(&p.piA, &p2.piA)); - cr_assert(mclBnG2_isEqual(&p.piB2, &p2.piB2)); - cr_assert(mclBnG1_isEqual(&p.piC, &p2.piC)); - - test_no_rand = 0; -} - -Test(zpie, proof_serialization) +// Test that verifier rejects a proof with incorrect public inputs +Test(zpie, wrong_pi) { - zpie_setup_keys keys; - zpie_perform_setup(&keys, &test_single_constraint); - zpie_store_setup(&keys, "single_constraint"); - - zpie_proof p; - zpie_generate_proof(&p, &test_single_constraint, &keys.pk); - zpie_store_proof(&p, "single_constraint"); + zpie_setup_keys keys_sc; + zpie_perform_setup(&keys_sc, &test_single_constraint); - zpie_setup_keys keys2; - zpie_read_setup(&keys2, &test_single_constraint, "single_constraint"); - zpie_proof p2; - zpie_read_proof(&p2, "single_constraint"); + zpie_proof p_sc; + zpie_generate_proof(&p_sc, &test_single_constraint, &keys_sc.pk); - cr_assert(mclBnG1_isEqual(&p.piA, &p2.piA)); - cr_assert(mclBnG2_isEqual(&p.piB2, &p2.piB2)); - cr_assert(mclBnG1_isEqual(&p.piC, &p2.piC)); + mclBnFr_setInt(&p_sc.uwProof[0], 12345); // tamper with public input - cr_assert(zpie_verify_proof(&test_single_constraint, &p2, &keys2.vk)); + cr_assert_not(zpie_verify_proof(&test_single_constraint, &p_sc, &keys_sc.vk)); } From 681862830f21ceea7ca3a792b1221c6deb7640b7 Mon Sep 17 00:00:00 2001 From: xevisalle Date: Tue, 17 Mar 2026 18:27:11 +0100 Subject: [PATCH 2/2] Verify MiMC digest --- tests/test_zpie.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/tests/test_zpie.c b/tests/test_zpie.c index cce1646..4291708 100644 --- a/tests/test_zpie.c +++ b/tests/test_zpie.c @@ -127,7 +127,7 @@ void test_mimc_hash() { zpie_element h, x_in, k; - zpie_init_public(&h); + zpie_init(&h); zpie_init(&x_in); zpie_init(&k); @@ -135,6 +135,11 @@ void test_mimc_hash() zpie_input(&k, "112233445566"); mimc7(&h, &x_in, &k); + + zpie_element h_check; + zpie_init(&h_check); + zpie_input(&h_check, "10547064275071378430963758417966601760652600083618672830627388988175151799431"); + zpie_assert_equal(&h_check, &h); } // Test that the prover produces the same proof when randomness is disabled