zec
/
halo2
mirror of https://github.com/zcash/halo2.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Return errors from verifier instead of assuming points aren't at infinity in the proof.

This commit is contained in:
Sean Bowe 2020-09-19 13:47:37 -06:00
parent 73d494a72d
commit 6620817d81
No known key found for this signature in database
GPG Key ID: 95684257D8F8B031
1 changed files with 5 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
src/plonk/verifier.rs
View File

@ -33,14 +33,12 @@ impl<'a, C: CurveAffine> Proof<C> {
// Hash the aux (external) commitments into the transcript
for commitment in aux_commitments {
hash_point(&mut transcript, commitment)
.expect("proof cannot contain points at infinity"); // TODO
hash_point(&mut transcript, commitment)?;
}
// Hash the prover's advice commitments into the transcript
for commitment in &self.advice_commitments {
hash_point(&mut transcript, commitment)
.expect("proof cannot contain points at infinity");
hash_point(&mut transcript, commitment)?;
}
// Sample x_0 challenge
@ -51,7 +49,7 @@ impl<'a, C: CurveAffine> Proof<C> {
// Hash each permutation product commitment
for c in &self.permutation_product_commitments {
hash_point(&mut transcript, c).expect("proof cannot contain points at infinity");
hash_point(&mut transcript, c)?;
}
// Sample x_2 challenge, which keeps the gates linearly independent.
@ -59,7 +57,7 @@ impl<'a, C: CurveAffine> Proof<C> {
// Obtain a commitment to h(X) in the form of multiple pieces of degree n - 1
for c in &self.h_commitments {
hash_point(&mut transcript, c).expect("proof cannot contain points at infinity");
hash_point(&mut transcript, c)?;
}
// Sample x_3 challenge, which is used to ensure the circuit is
@ -248,8 +246,7 @@ impl<'a, C: CurveAffine> Proof<C> {
let x_5: C::Scalar = get_challenge_scalar(Challenge(transcript.squeeze().get_lower_128()));
// Obtain the commitment to the multi-point quotient polynomial f(X).
hash_point(&mut transcript, &self.f_commitment)
.expect("proof cannot contain points at infinity");
hash_point(&mut transcript, &self.f_commitment)?;
// Sample a challenge x_6 for checking that f(X) was committed to
// correctly.