Use complete addition in SinsemillaCommit

This is necessary because the blinding factor r can be zero with greater than negligible probability in an adversarial case, which with incomplete addition would cause the circuit to compute a commitment that is not on the curve.
2021-09-28 16:35:35 +01:00 · 2021-09-28 16:35:35 +01:00 · 97c27e3d5a
parent 8c8a12a8df
commit 97c27e3d5a
4 changed files with 7 additions and 14 deletions
--- a/src/circuit/gadget/sinsemilla.rs
+++ b/src/circuit/gadget/sinsemilla.rs
@ -379,7 +379,7 @@ where
        r: Option<C::Scalar>,
    ) -> Result<
        (
-            ecc::NonIdentityPoint<C, EccChip>,
+            ecc::Point<C, EccChip>,
            Vec<SinsemillaChip::RunningSum>,
        ),
        Error,
@ -387,8 +387,7 @@ where
        assert_eq!(self.M.sinsemilla_chip, message.chip);
        let (blind, _) = self.R.mul(layouter.namespace(|| "[r] R"), r)?;
        let (p, zs) = self.M.hash_to_point(layouter.namespace(|| "M"), message)?;
-        let blind = blind.try_into()?;
-        let commitment = p.add_incomplete(layouter.namespace(|| "M ⸭ [r] R"), &blind)?;
+        let commitment = p.add(layouter.namespace(|| "M + [r] R"), &blind)?;
        Ok((commitment, zs))
    }

--- a/src/circuit/gadget/sinsemilla/note_commit.rs
+++ b/src/circuit/gadget/sinsemilla/note_commit.rs
@ -9,7 +9,7 @@ use crate::{
    circuit::gadget::{
        ecc::{
            chip::{EccChip, NonIdentityEccPoint},
-            NonIdentityPoint,
+            Point,
        },
        utilities::{bitrange_subset, bool_check, copy, CellValue, Var},
    },
@ -529,7 +529,7 @@ impl NoteCommitConfig {
        rho: CellValue<pallas::Base>,
        psi: CellValue<pallas::Base>,
        rcm: Option<pallas::Scalar>,
-    ) -> Result<NonIdentityPoint<pallas::Affine, EccChip>, Error> {
+    ) -> Result<Point<pallas::Affine, EccChip>, Error> {
        let (gd_x, gd_y) = (g_d.x().value(), g_d.y().value());
        let (pkd_x, pkd_y) = (pk_d.x().value(), pk_d.y().value());
        let value_val = value.value();
--- a/src/primitives/sinsemilla.rs
+++ b/src/primitives/sinsemilla.rs
@ -174,7 +174,9 @@ impl CommitDomain {
        msg: impl Iterator<Item = bool>,
        r: &pallas::Scalar,
    ) -> CtOption<pallas::Point> {
-        (self.M.hash_to_point_inner(msg) + Wnaf::new().scalar(r).base(self.R)).into()
+        // We use complete addition for the blinding factor.
+        CtOption::<pallas::Point>::from(self.M.hash_to_point_inner(msg))
+            .map(|p| p + Wnaf::new().scalar(r).base(self.R))
    }

    /// $\mathsf{SinsemillaShortCommit}$ from [§ 5.4.8.4][concretesinsemillacommit].
--- a/src/primitives/sinsemilla/addition.rs
+++ b/src/primitives/sinsemilla/addition.rs
@ -46,14 +46,6 @@ impl Add for IncompletePoint {
    }
 }

-impl Add<pallas::Point> for IncompletePoint {
-    type Output = IncompletePoint;
-
-    fn add(self, rhs: pallas::Point) -> Self::Output {
-        self + IncompletePoint(CtOption::new(rhs, 1.into()))
-    }
-}
-
 impl Add<pallas::Affine> for IncompletePoint {
    type Output = IncompletePoint;