Use complete addition in SinsemillaCommit
This is necessary because the blinding factor r can be zero with greater than negligible probability in an adversarial case, which with incomplete addition would cause the circuit to compute a commitment that is not on the curve.
This commit is contained in:
parent
8c8a12a8df
commit
97c27e3d5a
@ -379,7 +379,7 @@ where
r: Option<C::Scalar>,
r: Option<C::Scalar>,
) -> Result<
) -> Result<
(
(
ecc::NonIdentityPoint<C, EccChip>,
ecc::Point<C, EccChip>,
Vec<SinsemillaChip::RunningSum>,
Vec<SinsemillaChip::RunningSum>,
),
),
Error,
Error,
@ -387,8 +387,7 @@ where
assert_eq!(self.M.sinsemilla_chip, message.chip);
assert_eq!(self.M.sinsemilla_chip, message.chip);
let (blind, _) = self.R.mul(layouter.namespace(|| "[r] R"), r)?;
let (blind, _) = self.R.mul(layouter.namespace(|| "[r] R"), r)?;
let (p, zs) = self.M.hash_to_point(layouter.namespace(|| "M"), message)?;
let (p, zs) = self.M.hash_to_point(layouter.namespace(|| "M"), message)?;
let blind = blind.try_into()?;
let commitment = p.add(layouter.namespace(|| "M + [r] R"), &blind)?;
let commitment = p.add_incomplete(layouter.namespace(|| "M ⸭ [r] R"), &blind)?;
Ok((commitment, zs))
Ok((commitment, zs))
}
}
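Review bot: The reason complete addition is required is not recorded at the call site; a reader of `let commitment = p.add(layouter.namespace(|| "M + [r] R"), &blind)?;` cannot tell that `blind` may be the identity. I would add `// [r] R is the identity when r = 0, so the blinding term must be added with complete addition.` above that line. The function's doc comment starts outside the hunk and should state that the returned `Point` may itself be the identity (when M = -[r] R), a case the old `NonIdentityPoint` return type excluded; the same applies to the `assign_region` return type in the `NoteCommitConfig` hunk. Callers that previously relied on the non-identity guarantee should be checked for how they handle that case.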
@ -9,7 +9,7 @@ use crate::{
circuit::gadget::{
circuit::gadget::{
ecc::{
ecc::{
chip::{EccChip, NonIdentityEccPoint},
chip::{EccChip, NonIdentityEccPoint},
NonIdentityPoint,
Point,
},
},
utilities::{bitrange_subset, bool_check, copy, CellValue, Var},
utilities::{bitrange_subset, bool_check, copy, CellValue, Var},
},
},
@ -529,7 +529,7 @@ impl NoteCommitConfig {
rho: CellValue<pallas::Base>,
rho: CellValue<pallas::Base>,
psi: CellValue<pallas::Base>,
psi: CellValue<pallas::Base>,
rcm: Option<pallas::Scalar>,
rcm: Option<pallas::Scalar>,
) -> Result<NonIdentityPoint<pallas::Affine, EccChip>, Error> {
) -> Result<Point<pallas::Affine, EccChip>, Error> {
let (gd_x, gd_y) = (g_d.x().value(), g_d.y().value());
let (gd_x, gd_y) = (g_d.x().value(), g_d.y().value());
let (pkd_x, pkd_y) = (pk_d.x().value(), pk_d.y().value());
let (pkd_x, pkd_y) = (pk_d.x().value(), pk_d.y().value());
let value_val = value.value();
let value_val = value.value();
@ -174,7 +174,9 @@ impl CommitDomain {
msg: impl Iterator<Item = bool>,
msg: impl Iterator<Item = bool>,
r: &pallas::Scalar,
r: &pallas::Scalar,
) -> CtOption<pallas::Point> {
) -> CtOption<pallas::Point> {
(self.M.hash_to_point_inner(msg) + Wnaf::new().scalar(r).base(self.R)).into()
// We use complete addition for the blinding factor.
CtOption::<pallas::Point>::from(self.M.hash_to_point_inner(msg))
.map(|p| p + Wnaf::new().scalar(r).base(self.R))
}
}
/// $\mathsf{SinsemillaShortCommit}$ from [§ 5.4.8.4][concretesinsemillacommit].
/// $\mathsf{SinsemillaShortCommit}$ from [§ 5.4.8.4][concretesinsemillacommit].
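Review bot: The new comment `// We use complete addition for the blinding factor.` says what is done but not why, and the why is the substance of this change. I would write it as `// [r] R is the identity when r = 0, so the blinding term is added with the group's complete addition rather than IncompletePoint's addition.` It is also worth a few words that converting to `CtOption` before `.map` leaves the ⊥ case of `hash_to_point_inner` unchanged, so that is now the only way this function yields ⊥; the `.map` closure itself never produces None.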
@ -46,14 +46,6 @@ impl Add for IncompletePoint {
}
}
}
}
impl Add<pallas::Point> for IncompletePoint {
type Output = IncompletePoint;
fn add(self, rhs: pallas::Point) -> Self::Output {
self + IncompletePoint(CtOption::new(rhs, 1.into()))
}
}
impl Add<pallas::Affine> for IncompletePoint {
impl Add<pallas::Affine> for IncompletePoint {
type Output = IncompletePoint;
type Output = IncompletePoint;