Description
Summary of Bug
Apologies if this is not the correct repo for this.
I'm proving circom circuits on the bls12-381 curve using ark-groth16. I've run into a bug where ark-groth16 generates invalid proofs for zkeys that are built against powers of tau ceremonies that are not at least twice as big.
E.g., I have a circuit with 2500 constraints. I build the zkey using a ptau with 2^12 powers. snarkjs generates valid proofs, ark-groth16 generates invalid proofs. I build the same circuit against a ptau with 2^13 powers and both snarkjs and ark-groth16 generate valid proofs.
I've confirmed that the proofs generated by ark-groth16 are invalid in snarkjs as well. This bug does not exist for the alt_bn128 curve.
I'm using the R1CS QAP reduction in ark-circom.
I know there are lots of places where the inconsistency could come from. I wanted to post here to see if anyone has ideas off the top of their head.
Version
Steps to Reproduce
Build a circuit over the bls12-381 curve with N constraints and < 2*N ptau powers. Use the R1CS QAP mapping in ark-circom to generate a proof. Try to validate the proof.
This is implemented here; the relevant zkeys/witness logic is committed in the same repo. I'll break this into a minimal repro example if there's any interest.