r1cs-compiler: AND/XOR black-box panics on witnesses wider than 32 bits (u64) #377
Description
Description
ProveKit's R1CS compiler hardcodes AND/XOR decomposition to 32 bits. Any Noir program that passes u64 (or wider) witnesses to a bitwise AND/XOR/OR operation causes provekit to panic at runtime with "Higher order bits are not zero". The same program runs fine under nargo execute, making this an incompatibility between provekit and the Noir toolchain.
Reproducer
// src/main.nr
fn main(a: u64, b: u64) -> pub u64 {
a ^ b
}# Prover.toml
a = "109953116273223783" # > u32::MAX
b = "18446744073709551614"Description
nargo execute # succeeds — nargo's ACVM handles u64 natively
provekit prepare
provekit prove # panics: thread '...' panicked at 'Higher order bits are not zero'Root Cause
BINOP_BITS = 32 is hardcoded in provekit/common/src/witness/binops.rs:
pub const BINOP_BITS: usize = 32;
pub const NUM_DIGITS: usize = BINOP_BITS / BINOP_ATOMIC_BITS; // = 4 bytesIn process_binop_opcode, the witness-witness path allocates exactly 4 bytes (32 bits) for decomposition:
let log_bases = vec![BINOP_ATOMIC_BITS; NUM_DIGITS]; // [8, 8, 8, 8]
let dd = add_digital_decomposition(self, log_bases, vec![lhs_witness, rhs_witness, out_idx]);At runtime, decompose_into_digits asserts that no bits remain after the 32-bit decomposition:
assert!(remaining_bits.all(|bit| !bit), "Higher order bits are not zero");A u64 witness value > u32::MAX has bits set above position 31, triggering this panic.
Affected Files
| File | Notes |
|---|---|
provekit/common/src/witness/binops.rs |
BINOP_BITS = 32 constant |
provekit/r1cs-compiler/src/noir_to_r1cs.rs#L428-L438 |
witness-witness decomposition path |
provekit/common/src/witness/digits.rs#L46 |
panic site |