fix: R1CS binding in transcript [LA - I]#363
Merged
Merged
Conversation
ocdbytes
approved these changes
Mar 23, 2026
dcbuild3r
pushed a commit
that referenced
this pull request
May 16, 2026
fix: R1CS binding in transcript [LA - I]
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
The Fiat-Shamir domain separator was initialized with an empty instance (
Empty), so the transcript never absorbed a digest of the concrete R1CS or the public inputs being proven. In a setting where a verifier could be presented with different circuits or verification keys, challenges would be identical across them, allowing cross-circuit or cross-key confusion.Fix
Added
R1CS::hash()(SHA3-256 over the serialized R1CS) and stored the hash inWhirR1CSSchemeat prepare time.Changed the domain separator instance from
Emptytopublic_inputs.hash_bytes()in both prover and verifier, binding the public statement to the transcript.Added
PublicInputs::hash_bytes()for the byte-level hash used as instance data.Moved public input extraction earlier in the prover (derived from the ACIR witness map before witness solve) so it's available for transcript setup.