fix: KZG proof verification for edge cases (#1567)

ivokub · web-flow · commit 6e2fc627ded8 · 2025-08-28T14:04:05.000+02:00
diff --git a/std/commitments/kzg/verifier.go b/std/commitments/kzg/verifier.go
@@ -426,14 +426,15 @@ func (v *Verifier[FR, G1El, G2El, GTEl]) CheckOpeningProof(commitment Commitment
 
 	// [f(a)]G1 + [-a]([H(α)]G₁) = [f(a) - a*H(α)]G₁
 	pointNeg := v.scalarApi.Neg(&point)
-	totalG1, err := v.curve.MultiScalarMul([]*G1El{&vk.G1, &proof.Quotient}, []*emulated.Element[FR]{&proof.ClaimedValue, pointNeg})
+	// we use complete arithmetic to allow verifying commitment to 0 polynomial.
+	totalG1, err := v.curve.MultiScalarMul([]*G1El{&vk.G1, &proof.Quotient}, []*emulated.Element[FR]{&proof.ClaimedValue, pointNeg}, algopts.WithCompleteArithmetic())
 	if err != nil {
 		return fmt.Errorf("check opening proof: %w", err)
 	}
 
 	// [f(a) - a*H(α)]G₁ + [-f(α)]G₁  = [f(a) - f(α) - a*H(α)]G₁
 	commitmentNeg := v.curve.Neg(&commitment.G1El)
-	totalG1 = v.curve.Add(totalG1, commitmentNeg)
+	totalG1 = v.curve.AddUnified(totalG1, commitmentNeg)
 
 	// e([f(a)-f(α)-a*H(α)]G₁], G₂).e([H(α)]G₁, [α]G₂) == 1
 	if err := v.pairing.PairingCheck(
diff --git a/std/commitments/kzg/verifier_test.go b/std/commitments/kzg/verifier_test.go
@@ -110,39 +110,60 @@ func TestKZGVerificationEmulated2(t *testing.T) {
 	srs, err := kzg_bls12381.NewSRS(kzgSize, alpha)
 	assert.NoError(err)
 
-	f := make([]fr_bls12381.Element, polynomialSize)
-	for i := range f {
-		f[i].SetRandom()
-	}
-
-	com, err := kzg_bls12381.Commit(f, srs.Pk)
-	assert.NoError(err)
-
-	var point fr_bls12381.Element
-	point.SetRandom()
-	proof, err := kzg_bls12381.Open(f, point, srs.Pk)
-	assert.NoError(err)
+	check := func(assert *test.Assert, f fr_bls12381.Vector, point fr_bls12381.Element) {
+		com, err := kzg_bls12381.Commit(f, srs.Pk)
+		assert.NoError(err)
+		proof, err := kzg_bls12381.Open(f, point, srs.Pk)
+		assert.NoError(err)
+		if err = kzg_bls12381.Verify(&com, &proof, point, srs.Vk); err != nil {
+			t.Fatal("verify proof", err)
+		}
+		wCmt, err := ValueOfCommitment[sw_bls12381.G1Affine](com)
+		assert.NoError(err)
+		wVk, err := ValueOfVerifyingKey[sw_bls12381.G1Affine, sw_bls12381.G2Affine](srs.Vk)
+		assert.NoError(err)
+		wProof, err := ValueOfOpeningProof[sw_bls12381.ScalarField, sw_bls12381.G1Affine](proof)
+		assert.NoError(err)
+		wPt, err := ValueOfScalar[sw_bls12381.ScalarField](point)
+		assert.NoError(err)
 
-	if err = kzg_bls12381.Verify(&com, &proof, point, srs.Vk); err != nil {
-		t.Fatal("verify proof", err)
+		assignment := KZGVerificationCircuit[sw_bls12381.ScalarField, sw_bls12381.G1Affine, sw_bls12381.G2Affine, sw_bls12381.GTEl]{
+			VerifyingKey: wVk,
+			Commitment:   wCmt,
+			OpeningProof: wProof,
+			Point:        wPt,
+		}
+		assert.CheckCircuit(&KZGVerificationCircuit[sw_bls12381.ScalarField, sw_bls12381.G1Affine, sw_bls12381.G2Affine, sw_bls12381.GTEl]{}, test.WithValidAssignment(&assignment))
 	}
 
-	wCmt, err := ValueOfCommitment[sw_bls12381.G1Affine](com)
-	assert.NoError(err)
-	wProof, err := ValueOfOpeningProof[sw_bls12381.ScalarField, sw_bls12381.G1Affine](proof)
-	assert.NoError(err)
-	wVk, err := ValueOfVerifyingKey[sw_bls12381.G1Affine, sw_bls12381.G2Affine](srs.Vk)
-	assert.NoError(err)
-	wPt, err := ValueOfScalar[sw_bls12381.ScalarField](point)
-	assert.NoError(err)
-
-	assignment := KZGVerificationCircuit[sw_bls12381.ScalarField, sw_bls12381.G1Affine, sw_bls12381.G2Affine, sw_bls12381.GTEl]{
-		VerifyingKey: wVk,
-		Commitment:   wCmt,
-		OpeningProof: wProof,
-		Point:        wPt,
-	}
-	assert.CheckCircuit(&KZGVerificationCircuit[sw_bls12381.ScalarField, sw_bls12381.G1Affine, sw_bls12381.G2Affine, sw_bls12381.GTEl]{}, test.WithValidAssignment(&assignment))
+	assert.Run(func(assert *test.Assert) {
+		f := make(fr_bls12381.Vector, polynomialSize)
+		f.MustSetRandom()
+		var point fr_bls12381.Element
+		point.MustSetRandom()
+		check(assert, f, point)
+	})
+	assert.Run(func(assert *test.Assert) {
+		f := make(fr_bls12381.Vector, polynomialSize)
+		var point fr_bls12381.Element
+		point.MustSetRandom()
+		check(assert, f, point)
+	}, "case=zero_polynomial")
+	assert.Run(func(assert *test.Assert) {
+		f := make(fr_bls12381.Vector, polynomialSize)
+		f.MustSetRandom()
+		var point fr_bls12381.Element
+		point.SetZero()
+		check(assert, f, point)
+	}, "case=zero_point")
+	assert.Run(func(assert *test.Assert) {
+		f := make(fr_bls12381.Vector, polynomialSize)
+		f.MustSetRandom()
+		f[0].SetZero()
+		var point fr_bls12381.Element
+		point.SetZero()
+		check(assert, f, point)
+	}, "case=zero_first_coeff_zero_point")
 }
 
 func TestKZGVerificationEmulated3(t *testing.T) {
