Qortal/pirate-librustzcash
3
0
Fork 0
mirror of https://github.com/Qortal/pirate-librustzcash.git synced 2025-02-07 14:54:10 +00:00
Code Issues Projects Releases Wiki Activity

Perform ak group order check in Spend circuit.

Browse Source
This commit is contained in:
Sean Bowe 2018-03-05 17:46:12 -07:00
parent 7bb630a4b1
commit 2e846844e7
No known key found for this signature in database
GPG Key ID: 95684257D8F8B031
2 changed files with 40 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
src/circuit/ecc.rs
View File

@ -84,6 +84,35 @@ pub fn fixed_base_multiplication<E, CS>(
} }
impl<E: JubjubEngine> EdwardsPoint<E> { impl<E: JubjubEngine> EdwardsPoint<E> {
pub fn assert_not_small_order<CS>(
&self,
mut cs: CS,
params: &E::Params
) -> Result<(), SynthesisError>
where CS: ConstraintSystem<E>
{
let tmp = self.double(
cs.namespace(|| "first doubling"),
params
)?;
let tmp = tmp.double(
cs.namespace(|| "second doubling"),
params
)?;
let tmp = tmp.double(
cs.namespace(|| "third doubling"),
params
)?;
// (0, -1) is a small order point, but won't ever appear here
// because cofactor is 2^3, and we performed three doublings.
// (0, 1) is the neutral element, so checking if x is nonzero
// is sufficient to prevent small order points here.
tmp.x.assert_nonzero(cs.namespace(|| "check x != 0"))?;
Ok(())
}
pub fn inputize<CS>( pub fn inputize<CS>(
&self, &self,
mut cs: CS mut cs: CS

30
src/circuit/mod.rs
View File

@ -131,6 +131,11 @@ impl<'a, E: JubjubEngine> Circuit<E> for Spend<'a, E> {
self.params self.params
)?; )?;
ak.assert_not_small_order(
cs.namespace(|| "ak not small order"),
self.params
)?;
// Unpack ak and rk for input to BLAKE2s // Unpack ak and rk for input to BLAKE2s
let mut vk = vec![]; let mut vk = vec![];
let mut rho_preimage = vec![]; let mut rho_preimage = vec![];
@ -382,27 +387,10 @@ impl<'a, E: JubjubEngine> Circuit<E> for Output<'a, E> {
self.params self.params
)?; )?;
// Check that g_d is not of small order g_d.assert_not_small_order(
{ cs.namespace(|| "g_d not small order"),
let g_d = g_d.double(
cs.namespace(|| "first doubling of g_d"),
self.params self.params
)?; )?;
let g_d = g_d.double(
cs.namespace(|| "second doubling of g_d"),
self.params
)?;
let g_d = g_d.double(
cs.namespace(|| "third doubling of g_d"),
self.params
)?;
// (0, -1) is a small order point, but won't ever appear here
// because cofactor is 2^3, and we performed three doublings.
// (0, 1) is the neutral element, so checking if x is nonzero
// is sufficient to prevent small order points here.
g_d.x.assert_nonzero(cs.namespace(|| "check not inf"))?;
}
note_contents.extend( note_contents.extend(
g_d.repr(cs.namespace(|| "representation of g_d"))? g_d.repr(cs.namespace(|| "representation of g_d"))?
@ -526,8 +514,8 @@ fn test_input_circuit_with_bls12_381() {
instance.synthesize(&mut cs).unwrap(); instance.synthesize(&mut cs).unwrap();
assert!(cs.is_satisfied()); assert!(cs.is_satisfied());
assert_eq!(cs.num_constraints(), 97379); assert_eq!(cs.num_constraints(), 97395);
assert_eq!(cs.hash(), "3920570cfb4c9cec807d09f996d6d0745176d50e8adea0e66709628b1dd31267"); assert_eq!(cs.hash(), "29aee738a11546a94c3dde68cede66eebcf2b447104a199aab22bf571735092a");
} }
} }