From 97c27e3d5a27599a3e2fa90810698116df80bf6c Mon Sep 17 00:00:00 2001
From: Jack Grigg <jack@electriccoin.co>
Date: Tue, 28 Sep 2021 16:35:35 +0100
Subject: [PATCH] Use complete addition in SinsemillaCommit

This is necessary because the blinding factor r can be zero with greater
than negligible probability in an adversarial case, which with incomplete
addition would cause the circuit to compute a commitment that is not on
the curve.
---
 src/circuit/gadget/sinsemilla.rs             | 5 ++---
 src/circuit/gadget/sinsemilla/note_commit.rs | 4 ++--
 src/primitives/sinsemilla.rs                 | 4 +++-
 src/primitives/sinsemilla/addition.rs        | 8 --------
 4 files changed, 7 insertions(+), 14 deletions(-)

diff --git a/src/circuit/gadget/sinsemilla.rs b/src/circuit/gadget/sinsemilla.rs
index be1f7ba9..de562d8d 100644
--- a/src/circuit/gadget/sinsemilla.rs
+++ b/src/circuit/gadget/sinsemilla.rs
@@ -379,7 +379,7 @@ where
         r: Option<C::Scalar>,
     ) -> Result<
         (
-            ecc::NonIdentityPoint<C, EccChip>,
+            ecc::Point<C, EccChip>,
             Vec<SinsemillaChip::RunningSum>,
         ),
         Error,
@@ -387,8 +387,7 @@ where
         assert_eq!(self.M.sinsemilla_chip, message.chip);
         let (blind, _) = self.R.mul(layouter.namespace(|| "[r] R"), r)?;
         let (p, zs) = self.M.hash_to_point(layouter.namespace(|| "M"), message)?;
-        let blind = blind.try_into()?;
-        let commitment = p.add_incomplete(layouter.namespace(|| "M ⸭ [r] R"), &blind)?;
+        let commitment = p.add(layouter.namespace(|| "M + [r] R"), &blind)?;
         Ok((commitment, zs))
     }
 
diff --git a/src/circuit/gadget/sinsemilla/note_commit.rs b/src/circuit/gadget/sinsemilla/note_commit.rs
index c56e8b03..47e7fca9 100644
--- a/src/circuit/gadget/sinsemilla/note_commit.rs
+++ b/src/circuit/gadget/sinsemilla/note_commit.rs
@@ -9,7 +9,7 @@ use crate::{
     circuit::gadget::{
         ecc::{
             chip::{EccChip, NonIdentityEccPoint},
-            NonIdentityPoint,
+            Point,
         },
         utilities::{bitrange_subset, bool_check, copy, CellValue, Var},
     },
@@ -529,7 +529,7 @@ impl NoteCommitConfig {
         rho: CellValue<pallas::Base>,
         psi: CellValue<pallas::Base>,
         rcm: Option<pallas::Scalar>,
-    ) -> Result<NonIdentityPoint<pallas::Affine, EccChip>, Error> {
+    ) -> Result<Point<pallas::Affine, EccChip>, Error> {
         let (gd_x, gd_y) = (g_d.x().value(), g_d.y().value());
         let (pkd_x, pkd_y) = (pk_d.x().value(), pk_d.y().value());
         let value_val = value.value();
diff --git a/src/primitives/sinsemilla.rs b/src/primitives/sinsemilla.rs
index f4409ab5..aedc49b3 100644
--- a/src/primitives/sinsemilla.rs
+++ b/src/primitives/sinsemilla.rs
@@ -174,7 +174,9 @@ impl CommitDomain {
         msg: impl Iterator<Item = bool>,
         r: &pallas::Scalar,
     ) -> CtOption<pallas::Point> {
-        (self.M.hash_to_point_inner(msg) + Wnaf::new().scalar(r).base(self.R)).into()
+        // We use complete addition for the blinding factor.
+        CtOption::<pallas::Point>::from(self.M.hash_to_point_inner(msg))
+            .map(|p| p + Wnaf::new().scalar(r).base(self.R))
     }
 
     /// $\mathsf{SinsemillaShortCommit}$ from [§ 5.4.8.4][concretesinsemillacommit].
diff --git a/src/primitives/sinsemilla/addition.rs b/src/primitives/sinsemilla/addition.rs
index 3342f3f8..3949adda 100644
--- a/src/primitives/sinsemilla/addition.rs
+++ b/src/primitives/sinsemilla/addition.rs
@@ -46,14 +46,6 @@ impl Add for IncompletePoint {
     }
 }
 
-impl Add<pallas::Point> for IncompletePoint {
-    type Output = IncompletePoint;
-
-    fn add(self, rhs: pallas::Point) -> Self::Output {
-        self + IncompletePoint(CtOption::new(rhs, 1.into()))
-    }
-}
-
 impl Add<pallas::Affine> for IncompletePoint {
     type Output = IncompletePoint;