fix for V-SCT-VUL-007 and V-SCT-VUL-011

goldilocks/base.go

@@ -237,18 +237,21 @@ func ReduceHint(_ *big.Int, inputs []*big.Int, results []*big.Int) error {
 }
 
 // Computes the inverse of a field element x such that x * x^-1 = 1.
-func (p *Chip) Inverse(x Variable) Variable {
-	result, err := p.api.Compiler().NewHint(InverseHint, 1, x.Limb)
+func (p *Chip) Inverse(x Variable) (Variable, frontend.Variable) {
+	result, err := p.api.Compiler().NewHint(InverseHint, 2, x.Limb)
 	if err != nil {
 		panic(err)
 	}
 
 	inverse := NewVariable(result[0])
+	hasInv := frontend.Variable(result[1])
 	p.RangeCheck(inverse)
 
 	product := p.Mul(inverse, x)
-	p.api.AssertIsEqual(product.Limb, frontend.Variable(1))
-	return inverse
+	productToCheck := p.api.Select(hasInv, product.Limb, frontend.Variable(1))
+	p.api.AssertIsEqual(productToCheck, frontend.Variable(1))
+
+	return inverse, hasInv
 }
 
 // The hint used to compute Inverse.
@@ -264,11 +267,19 @@ func InverseHint(_ *big.Int, inputs []*big.Int, results []*big.Int) error {
 
 	inputGl := goldilocks.NewElement(input.Uint64())
 	resultGl := goldilocks.NewElement(0)
+
+	// Will set resultGL if inputGL == 0
 	resultGl.Inverse(&inputGl)
 
 	result := big.NewInt(0)
 	results[0] = resultGl.BigInt(result)
 
+	hasInvInt64 := int64(0)
+	if !inputGl.IsZero() {
+		hasInvInt64 = 1
+	}
+	results[1] = big.NewInt(hasInvInt64)
+
 	return nil
 }
 

goldilocks/quadratic_extension.go

@@ -126,7 +126,7 @@ func (p *Chip) InnerProductExtension(
 }
 
 // Computes the inverse of a quadratic extension variable in the Goldilocks field.
-func (p *Chip) InverseExtension(a QuadraticExtensionVariable) QuadraticExtensionVariable {
+func (p *Chip) InverseExtension(a QuadraticExtensionVariable) (QuadraticExtensionVariable, frontend.Variable) {
 	a0IsZero := p.api.IsZero(a[0].Limb)
 	a1IsZero := p.api.IsZero(a[1].Limb)
 	p.api.AssertIsEqual(p.api.Mul(a0IsZero, a1IsZero), frontend.Variable(0))
@@ -135,12 +135,15 @@ func (p *Chip) InverseExtension(a QuadraticExtensionVariable) QuadraticExtension
 		p.Mul(a[1], NewVariable(DTH_ROOT)),
 	}
 	aPowR := p.MulExtension(aPowRMinus1, a)
-	return p.ScalarMulExtension(aPowRMinus1, p.Inverse(aPowR[0]))
+
+	aPowRInv, hasInv := p.Inverse(aPowR[0])
+	return p.ScalarMulExtension(aPowRMinus1, aPowRInv), hasInv
 }
 
 // Divides two quadratic extension variables in the Goldilocks field.
-func (p *Chip) DivExtension(a, b QuadraticExtensionVariable) QuadraticExtensionVariable {
-	return p.MulExtension(a, p.InverseExtension(b))
+func (p *Chip) DivExtension(a, b QuadraticExtensionVariable) (QuadraticExtensionVariable, frontend.Variable) {
+	bInv, hasInv := p.InverseExtension(b)
+	return p.MulExtension(a, bInv), hasInv
 }
 
 // Exponentiates a quadratic extension variable to some exponent in the Golidlocks field.

goldilocks/quadratic_extension_test.go

@@ -59,7 +59,7 @@ type TestQuadraticExtensionDivCircuit struct {
 
 func (c *TestQuadraticExtensionDivCircuit) Define(api frontend.API) error {
 	glAPI := New(api)
-	actualRes := glAPI.DivExtension(c.Operand1, c.Operand2)
+	actualRes, _ := glAPI.DivExtension(c.Operand1, c.Operand2)
 	glAPI.AssertIsEqual(actualRes[0], c.ExpectedResult[0])
 	glAPI.AssertIsEqual(actualRes[1], c.ExpectedResult[1])
 	return nil