Skip to content

Disprove execution #142

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
lucidLuckylee merged 7 commits into from
Dec 10, 2024
Merged

Disprove execution #142

lucidLuckylee merged 7 commits into from
Dec 10, 2024

Conversation

@wz14
Copy link
Contributor

@wz14 wz14 commented Dec 3, 2024

This PR offers a function to find which chunk is available when the operator did some malicious thing. This function re-runs chunker using the wrong proof to get a wrong-proof assigner, then checks the inconsistency between the wrong-proof assigner and the assigner recovered by assert transaction.

There are two cases a malicious operator can do.

  • Operator put a wrong proof to generate all intermediate values, say $$S$$. In this case, the final accumulator will be wrong, and the challenger can take collateral by executing the "accumulator verifier" chunk. This case is covered by unit test test_wrong_proof.
  • Operator put a wrong proof and modify some intermediate values to make some chunks pass, say $$S'$$. In this case, there must be a chunk whose parameter is the same as in $$S$$, but the result is different in $$S$$. The challenger can execute this chunk. This case is covered by unit test test_wrong_proof_and_modify_intermediates.

lucidLuckylee
lucidLuckylee reviewed Dec 3, 2024
View reviewed changes
lucidLuckylee
lucidLuckylee reviewed Dec 3, 2024
View reviewed changes
lucidLuckylee
lucidLuckylee reviewed Dec 3, 2024
View reviewed changes
src/chunker/disprove_execution.rs
*result = Rc::new(Box::new(dummy_element(
&result.id(),
hash_map.get(result.id()).unwrap().clone(),
)));
Copy link
Contributor

@lucidLuckylee lucidLuckylee Dec 3, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can't you return when you find the first incorrect param or result? Why go on with the correct hash?

Copy link
Contributor Author

@wz14 wz14 Dec 4, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This function is used when the operator has released all intermediate state hashes, and a segment will first check bit commitment and then run the chunk. So for the inconsistent result, it needs to replace all inconsistent results to make sure that the bit commitment check can pass.

The incorrect param is useless, because we don't know the behavior of segment with incorrect params. But, we can always find the segment containing correct param and incorrect result, because of the continuity of verify algorithms (a input of a segment must be an output of another segment).

Copy link
Contributor

@lucidLuckylee lucidLuckylee Dec 10, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see. So the verifier is supposed to create its own assigner by executing the segments without the Winternitz part and retrieve the hashes that way. Then they can check for errors in the bit commited hashes from the operator. Do I understand that correctly?

Copy link
Contributor Author

@wz14 wz14 Dec 10, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, you're right. A different type of assigner is needed as a challenger. Running the chunk one by one is another obvious solution, but I think this way is more efficient.

@lucidLuckylee
Copy link
Contributor

lucidLuckylee commented Dec 3, 2024

I think if we use OP_VERIFY in the script then we have to execute the actual script to check if the operator lied. Otherwise, they can provide a proof that has all correct bit commitments in the execution trace while failing an OP_VERIFY check for them.

@wz14 wz14 force-pushed the disprove_execution branch from e38644b to c0d39be Compare December 4, 2024 14:47
@wz14
Copy link
Contributor Author

wz14 commented Dec 7, 2024

Fix repeated variable name {}_loop_{}_piece_1 induced from #139

BitVM/src/chunker/chunk_scalar_mul.rs

Lines 73 to 79 in c00a487

let mut update = G1PointType::new(assigner, &format!("{}_{}_piece_1", prefix, i));
update.fill_with_data(crate::chunker::elements::DataType::G1PointData(c));
let segment = Segment::new_with_name(
format!("{}_loop_{}_piece_1", prefix, i),
segment_script,
)

@lucidLuckylee lucidLuckylee merged commit cbfdd60 into BitVM:main Dec 10, 2024
wz14 added a commit to bitlayer-org/BitVM that referenced this pull request Dec 16, 2024
@wz14
Disprove execution (BitVM#142)
e084236 
* finish

* add test

* fix test

* remove unuse unit test

* fix typo

* clean todo and panic

* fix bug
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lucidLuckylee lucidLuckylee lucidLuckylee left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@wz14 @lucidLuckylee