Incompleteness of ECDSA verification when the predicate is witness false #1570

@federicobarbacovi

Description

ECDSA verification (used as an ACIR opcode) is conditional on a predicate. If the predicate is a witness with value false then ECDSA verification should not invalidate the circuit. We protect against certain constraints failing by overriding the input values to ECDSA verification. However, there is one edge case that we do not handle: the possibility that the result of the scalar multiplication happening during ECDSA verification returns the point at infinity.

More precisely, ECDSA verification checks that $u_1 * G + u_2 * P$ is not the point at infinity. When the predicate is witness false, we set $P = 2G$, so the result of the scalar multiplication is the point at infinity when $u_1 + 2 u_2 = H(m) * s^{-1} + 2 * r * s^{-1} = 0 \bmod n$, which means $H(m) + 2 * r = 0 \bmod n$. Given that $r$ and $H(m)$ are both random 256-bit numbers, the probability of this happening is negligible.

We keep this issue to remind ourselves of this edge case.
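
The edge case described in this issue can be reproduced outside the circuit. The following is an added example, not code from the issue or from the project: it assumes the curve is secp256k1, and the function names and the sample values of `r` and `s` are constructed for illustration.

```python
# Added illustration (not project code). Assumption: the curve is secp256k1.
P_FIELD = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    """Affine point addition; None represents the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return None  # a == -b
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1 % P_FIELD, -1, P_FIELD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_FIELD, -1, P_FIELD)
    x3 = (lam * lam - x1 - x2) % P_FIELD
    return (x3, (lam * (x1 - x3) - y1) % P_FIELD)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc, k = None, k % N
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def verification_point(z, r, s, pub):
    """u1*G + u2*pub with u1 = z/s and u2 = r/s mod n, where z stands for H(m)."""
    s_inv = pow(s, -1, N)
    return add(mul(z * s_inv % N, G), mul(r * s_inv % N, pub))

def edge_case_hash(r):
    """The value z = H(m) that satisfies z + 2r = 0 mod n."""
    return (-2 * r) % N

DUMMY_PUB = mul(2, G)          # P = 2G, as set when the predicate is false
R_SAMPLE, S_SAMPLE = 0x1234567890ABCDEF, 0xFEDCBA0987654321  # constructed values

if __name__ == "__main__":
    z = edge_case_hash(R_SAMPLE)
    print("edge case :", verification_point(z, R_SAMPLE, S_SAMPLE, DUMMY_PUB))
    print("z + 1     :", verification_point(z + 1, R_SAMPLE, S_SAMPLE, DUMMY_PUB))
```

The first call returns `None` (the point at infinity) for any nonzero `s`, since the relation does not depend on `s`; any other `z` gives a finite point.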

Labels: audit (Things to do during the next audit)
