a16z
Prover can provide larger `proof.trace_length` value that is still valid
The verifier only uses the padded_trace_length to verify the proof:
let padded_trace_length = proof.trace_length.next_power_of_two();
The prover can provide a larger proof.trace_length value (e.g. proof.trace_length + 1) that is still valid. In this way the proof.trace_length won't reflect the real trace length.
A simple proof of concept is that in the Jolt prove function we change the trace length and the test still works.
- let trace_length = trace.len();
+ let trace_length = trace.len() + 1;
We may need to either verify the trace length in the verifier or specify proof.trace_length to be proof.padded_trace_length.
hmm I think in theory the verifier shouldn't need the trace length at all; it's currently being passed around to generate the Spartan key but I think that's an artifact of how that code is being reused between prover and verifier... so with some refactoring we should hopefully be able to avoid sending the trace length entirely
