fix four issues: replace assert with Err; prevent overflow; prevent apnics; verifier validates proof mask counts

nicole-graus · nicole-graus · commit d47a27554121 · 2026-03-06T16:34:57.000-03:00
diff --git a/crates/provers/gkr-logup/examples/range_check.rs b/crates/provers/gkr-logup/examples/range_check.rs
@@ -56,11 +56,16 @@ fn range_check(values: &[u64], n_bits: u32, label: &str) -> bool {
 
     // --- Batch prove ---
     let mut prover_ch = DefaultTranscript::<F>::new(&[]);
-    let (proof, _) = prove_batch(&mut prover_ch, vec![access_layer, table_layer]).unwrap();
+    let (proof, artifact) = prove_batch(&mut prover_ch, vec![access_layer, table_layer]).unwrap();
 
     // --- Batch verify ---
     let mut verifier_ch = DefaultTranscript::<F>::new(&[]);
-    let gkr_result = verify_batch(&[Gate::LogUp, Gate::LogUp], &proof, &mut verifier_ch);
+    let gkr_result = verify_batch(
+        &[Gate::LogUp, Gate::LogUp],
+        &artifact.n_variables_by_instance,
+        &proof,
+        &mut verifier_ch,
+    );
 
     if let Err(e) = &gkr_result {
         println!("  GKR verification: FAILED ({})", e);
diff --git a/crates/provers/gkr-logup/examples/read_only_memory.rs b/crates/provers/gkr-logup/examples/read_only_memory.rs
@@ -77,7 +77,7 @@ fn main() {
     // -------------------------------------------------------
     println!("--- Proving ---");
     let mut prover_transcript = DefaultTranscript::<F>::new(&[]);
-    let (proof, _artifact) =
+    let (proof, artifact) =
         prove_batch(&mut prover_transcript, vec![access_layer, table_layer]).unwrap();
 
     println!(
@@ -94,17 +94,18 @@ fn main() {
     let mut verifier_transcript = DefaultTranscript::<F>::new(&[]);
     let result = verify_batch(
         &[Gate::LogUp, Gate::LogUp],
+        &artifact.n_variables_by_instance,
         &proof,
         &mut verifier_transcript,
     );
 
     match &result {
-        Ok(artifact) => {
+        Ok(gkr_result) => {
             println!("GKR verification: PASSED");
-            println!("  OOD point length: {}", artifact.ood_point.len());
+            println!("  OOD point length: {}", gkr_result.ood_point.len());
             println!(
                 "  Variables by instance: {:?}",
-                artifact.n_variables_by_instance
+                gkr_result.n_variables_by_instance
             );
         }
         Err(e) => {
@@ -156,12 +157,13 @@ fn main() {
     };
 
     let mut prover_transcript = DefaultTranscript::<F>::new(&[]);
-    let (bad_proof, _) =
+    let (bad_proof, bad_artifact) =
         prove_batch(&mut prover_transcript, vec![bad_access_layer, table_layer2]).unwrap();
 
     let mut verifier_transcript = DefaultTranscript::<F>::new(&[]);
     let bad_result = verify_batch(
         &[Gate::LogUp, Gate::LogUp],
+        &bad_artifact.n_variables_by_instance,
         &bad_proof,
         &mut verifier_transcript,
     );
diff --git a/crates/provers/gkr-logup/src/prover.rs b/crates/provers/gkr-logup/src/prover.rs
@@ -271,9 +271,17 @@ fn correct_sum_as_poly_in_first_variable<F: IsField>(
     y: &[FieldElement<F>],
     k: usize,
 ) -> Result<Polynomial<FieldElement<F>>, ProverError> {
-    assert!(k > 0);
+    if k == 0 {
+        return Err(ProverError::InvalidState(
+            "correct_sum_as_poly_in_first_variable: k must be > 0".to_string(),
+        ));
+    }
     let n = y.len();
-    assert!(k <= n);
+    if k > n {
+        return Err(ProverError::InvalidState(format!(
+            "correct_sum_as_poly_in_first_variable: k ({k}) > y.len() ({n})"
+        )));
+    }
 
     // a_const = 1 / eq_eval((0^(n-k+1)), y[..n-k+1])
     // eq_eval(0, y_i) = 1 - y_i, so eq_eval(0^m, y) = prod(1 - y_i).
@@ -498,7 +506,9 @@ where
     for (claim, oracle) in claims.iter_mut().zip(oracles.iter()) {
         let n_unused = n_variables - oracle.n_variables();
         if n_unused > 0 {
-            *claim = &*claim * &FieldElement::<F>::from(1u64 << n_unused);
+            let doubling_factor =
+                (0..n_unused).fold(FieldElement::<F>::one(), |acc, _| &acc + &acc);
+            *claim = &*claim * &doubling_factor;
         }
     }
 
@@ -1116,11 +1126,16 @@ mod tests {
         input_layers: Vec<Layer<F>>,
     ) -> verifier::BatchVerificationResult<F> {
         let mut prover_transcript = DefaultTranscript::<F>::new(&[]);
-        let (proof, _artifact) = prove_batch(&mut prover_transcript, input_layers).unwrap();
+        let (proof, artifact) = prove_batch(&mut prover_transcript, input_layers).unwrap();
 
         let mut verifier_transcript = DefaultTranscript::<F>::new(&[]);
-        verifier::verify_batch(&gates, &proof, &mut verifier_transcript)
-            .expect("batch verification should succeed")
+        verifier::verify_batch(
+            &gates,
+            &artifact.n_variables_by_instance,
+            &proof,
+            &mut verifier_transcript,
+        )
+        .expect("batch verification should succeed")
     }
 
     #[test]
@@ -1245,7 +1260,7 @@ mod tests {
         let values1: Vec<FE> = (11u64..=18).map(FE::from).collect();
 
         let mut prover_transcript = DefaultTranscript::<F>::new(&[]);
-        let (mut proof, _) = prove_batch(
+        let (mut proof, artifact) = prove_batch(
             &mut prover_transcript,
             vec![
                 Layer::GrandProduct(DenseMultilinearPolynomial::new(values0)),
@@ -1259,6 +1274,7 @@ mod tests {
         let mut verifier_transcript = DefaultTranscript::<F>::new(&[]);
         let result = verifier::verify_batch(
             &[Gate::GrandProduct, Gate::GrandProduct],
+            &artifact.n_variables_by_instance,
             &proof,
             &mut verifier_transcript,
         );
@@ -1271,7 +1287,7 @@ mod tests {
         let values1: Vec<FE> = (11u64..=18).map(FE::from).collect();
 
         let mut prover_transcript = DefaultTranscript::<F>::new(&[]);
-        let (mut proof, _) = prove_batch(
+        let (mut proof, artifact) = prove_batch(
             &mut prover_transcript,
             vec![
                 Layer::GrandProduct(DenseMultilinearPolynomial::new(values0)),
@@ -1290,6 +1306,7 @@ mod tests {
         let mut verifier_transcript = DefaultTranscript::<F>::new(&[]);
         let result = verifier::verify_batch(
             &[Gate::GrandProduct, Gate::GrandProduct],
+            &artifact.n_variables_by_instance,
             &proof,
             &mut verifier_transcript,
         );
@@ -1302,7 +1319,7 @@ mod tests {
         let values1: Vec<FE> = (11u64..=14).map(FE::from).collect();
 
         let mut prover_transcript = DefaultTranscript::<F>::new(&[]);
-        let (mut proof, _) = prove_batch(
+        let (mut proof, artifact) = prove_batch(
             &mut prover_transcript,
             vec![
                 Layer::GrandProduct(DenseMultilinearPolynomial::new(values0)),
@@ -1316,6 +1333,7 @@ mod tests {
         let mut verifier_transcript = DefaultTranscript::<F>::new(&[]);
         let result = verifier::verify_batch(
             &[Gate::GrandProduct, Gate::GrandProduct],
+            &artifact.n_variables_by_instance,
             &proof,
             &mut verifier_transcript,
         );
@@ -1365,13 +1383,14 @@ mod tests {
 
         // Batch prove both instances
         let mut prover_transcript = DefaultTranscript::<F>::new(&[]);
-        let (proof, _artifact) =
+        let (proof, artifact) =
             prove_batch(&mut prover_transcript, vec![access_layer, table_layer]).unwrap();
 
         // Batch verify
         let mut verifier_transcript = DefaultTranscript::<F>::new(&[]);
         let result = verifier::verify_batch(
             &[Gate::LogUp, Gate::LogUp],
+            &artifact.n_variables_by_instance,
             &proof,
             &mut verifier_transcript,
         );
@@ -1413,13 +1432,14 @@ mod tests {
         };
 
         let mut prover_transcript = DefaultTranscript::<F>::new(&[]);
-        let (proof, _artifact) =
+        let (proof, artifact) =
             prove_batch(&mut prover_transcript, vec![access_layer, table_layer]).unwrap();
 
         // GKR itself verifies fine (each instance is internally consistent)
         let mut verifier_transcript = DefaultTranscript::<F>::new(&[]);
         let result = verifier::verify_batch(
             &[Gate::LogUp, Gate::LogUp],
+            &artifact.n_variables_by_instance,
             &proof,
             &mut verifier_transcript,
         );
@@ -1467,8 +1487,12 @@ mod tests {
         assert_eq!(artifact.claims_to_verify_by_instance[0], vec![FE::from(42)]);
 
         let mut verifier_transcript = DefaultTranscript::<F>::new(&[]);
-        let result =
-            verifier::verify_batch(&[Gate::GrandProduct], &proof, &mut verifier_transcript);
+        let result = verifier::verify_batch(
+            &[Gate::GrandProduct],
+            &artifact.n_variables_by_instance,
+            &proof,
+            &mut verifier_transcript,
+        );
         assert!(
             result.is_ok(),
             "batch verification of size-1 instance should succeed"
@@ -1527,10 +1551,15 @@ mod tests {
         let single = Layer::GrandProduct(DenseMultilinearPolynomial::new(vec![FE::from(42)]));
 
         let mut prover_transcript = DefaultTranscript::<F>::new(&[]);
-        let (proof, _) = prove_batch(&mut prover_transcript, vec![single]).unwrap();
+        let (proof, artifact) = prove_batch(&mut prover_transcript, vec![single]).unwrap();
 
         let mut verifier_transcript = DefaultTranscript::<F>::new(&[]);
-        let result = verifier::verify_batch(&[Gate::LogUp], &proof, &mut verifier_transcript);
+        let result = verifier::verify_batch(
+            &[Gate::LogUp],
+            &artifact.n_variables_by_instance,
+            &proof,
+            &mut verifier_transcript,
+        );
         assert!(
             result.is_err(),
             "wrong gate on 0-layer batch instance should be rejected"
@@ -1552,7 +1581,12 @@ mod tests {
         assert!(artifact.claims_to_verify_by_instance.is_empty());
 
         let mut verifier_transcript = DefaultTranscript::<F>::new(&[]);
-        let result = verifier::verify_batch(&[], &proof, &mut verifier_transcript);
+        let result = verifier::verify_batch(
+            &[],
+            &artifact.n_variables_by_instance,
+            &proof,
+            &mut verifier_transcript,
+        );
         assert!(result.is_ok(), "empty batch should verify successfully");
 
         let vr = result.unwrap();
diff --git a/crates/provers/gkr-logup/src/verifier.rs b/crates/provers/gkr-logup/src/verifier.rs
@@ -274,6 +274,7 @@ pub struct BatchVerificationResult<F: IsField> {
 /// layer MLE evaluations.
 pub fn verify_batch<F, T>(
     gates: &[Gate],
+    n_variables_by_instance: &[usize],
     proof: &BatchProof<F>,
     transcript: &mut T,
 ) -> Result<BatchVerificationResult<F>, VerifierError<F>>
@@ -297,11 +298,21 @@ where
         return Err(VerifierError::MalformedProof);
     }
 
+    // HIGH-003: validate trusted statement matches proof structure
+    if n_variables_by_instance.len() != n_instances {
+        return Err(VerifierError::MalformedProof);
+    }
+    for instance in 0..n_instances {
+        if layer_masks_by_instance[instance].len() != n_variables_by_instance[instance] {
+            return Err(VerifierError::MalformedProof);
+        }
+    }
+
     // Domain separation: must match prover (see prove_batch).
     transcript.append_bytes(b"gkr_batch");
     transcript.append_bytes(&(n_instances as u64).to_le_bytes());
 
-    let instance_n_layers = |instance: usize| layer_masks_by_instance[instance].len();
+    let instance_n_layers = |instance: usize| n_variables_by_instance[instance];
     let n_layers = (0..n_instances).map(instance_n_layers).max().unwrap_or(0);
 
     if n_layers != sumcheck_proofs.len() {
@@ -362,7 +373,8 @@ where
                     continue;
                 }
                 let n_unused = n_layers - instance_n_layers(instance);
-                let doubling_factor = FieldElement::<F>::from(1u64 << n_unused);
+                let doubling_factor =
+                    (0..n_unused).fold(FieldElement::<F>::one(), |acc, _| &acc + &acc);
                 let claim = &random_linear_combination(claims, &lambda) * &doubling_factor;
                 sumcheck_claims.push(claim);
                 sumcheck_instances.push(instance);
@@ -383,7 +395,12 @@ where
         let mut layer_evals = Vec::new();
         for &instance in &sumcheck_instances {
             let n_unused = n_layers - instance_n_layers(instance);
-            let mask = &layer_masks_by_instance[instance][layer - n_unused];
+            if layer < n_unused {
+                return Err(VerifierError::MalformedProof);
+            }
+            let mask = layer_masks_by_instance[instance]
+                .get(layer - n_unused)
+                .ok_or(VerifierError::MalformedProof)?;
             let gate_output = gates[instance].eval(mask)?;
 
             // eq evaluation uses the relevant suffix of the OOD point.
@@ -416,7 +433,12 @@ where
         // Seed transcript with masks (same order as prover).
         for &instance in &sumcheck_instances {
             let n_unused = n_layers - instance_n_layers(instance);
-            let mask = &layer_masks_by_instance[instance][layer - n_unused];
+            if layer < n_unused {
+                return Err(VerifierError::MalformedProof);
+            }
+            let mask = layer_masks_by_instance[instance]
+                .get(layer - n_unused)
+                .ok_or(VerifierError::MalformedProof)?;
             for col in mask.columns() {
                 transcript.append_field_element(&col[0]);
                 transcript.append_field_element(&col[1]);
@@ -427,7 +449,12 @@ where
         let challenge: FieldElement<F> = transcript.sample_field_element();
         for instance in sumcheck_instances {
             let n_unused = n_layers - instance_n_layers(instance);
-            let mask = &layer_masks_by_instance[instance][layer - n_unused];
+            if layer < n_unused {
+                return Err(VerifierError::MalformedProof);
+            }
+            let mask = layer_masks_by_instance[instance]
+                .get(layer - n_unused)
+                .ok_or(VerifierError::MalformedProof)?;
             claims_to_verify_by_instance[instance] = Some(mask.reduce_at_point(&challenge));
         }
 
@@ -444,6 +471,6 @@ where
     Ok(BatchVerificationResult {
         ood_point,
         claims_to_verify_by_instance,
-        n_variables_by_instance: (0..n_instances).map(instance_n_layers).collect(),
+        n_variables_by_instance: n_variables_by_instance.to_vec(),
     })
 }
