Use complete addition in SinsemillaCommit
This is necessary because the blinding factor r can be zero with greater than negligible probability in an adversarial case, which with incomplete addition would cause the circuit to compute a commitment that is not on the curve.
This commit is contained in:
parent
8c8a12a8df
commit
97c27e3d5a
|
@ -379,7 +379,7 @@ where
|
|||
r: Option<C::Scalar>,
|
||||
) -> Result<
|
||||
(
|
||||
ecc::NonIdentityPoint<C, EccChip>,
|
||||
ecc::Point<C, EccChip>,
|
||||
Vec<SinsemillaChip::RunningSum>,
|
||||
),
|
||||
Error,
|
||||
|
@ -387,8 +387,7 @@ where
|
|||
assert_eq!(self.M.sinsemilla_chip, message.chip);
|
||||
let (blind, _) = self.R.mul(layouter.namespace(|| "[r] R"), r)?;
|
||||
let (p, zs) = self.M.hash_to_point(layouter.namespace(|| "M"), message)?;
|
||||
let blind = blind.try_into()?;
|
||||
let commitment = p.add_incomplete(layouter.namespace(|| "M ⸭ [r] R"), &blind)?;
|
||||
let commitment = p.add(layouter.namespace(|| "M + [r] R"), &blind)?;
|
||||
Ok((commitment, zs))
|
||||
}
|
||||
|
||||
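Review bot: The `let blind = blind.try_into()?;` line kept just above the new `p.add(...)` call still looks like a conversion of `[r] R` into a non-identity point, which would reject exactly the r = 0 case this commit is meant to handle, because `[0] R` is the identity. If `Point::add` accepts a `Point` operand directly, that conversion should be dropped so the blinding term is allowed to be the identity: keep `let commitment = p.add(layouter.namespace(|| "M + [r] R"), &blind)?;` and remove the `try_into` line. I cannot see the target type of that `try_into` from the hunk, so please confirm against the `TryFrom` impl before removing it. A circuit test that passes `r = Some(zero scalar)` and checks the result equals the unblinded hash would pin the behaviour; the same observation applies to the signature hunk at `@ -379`, which now returns `ecc::Point`. The function's opening lines are outside the hunk.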
|
|
|
@ -9,7 +9,7 @@ use crate::{
|
|||
circuit::gadget::{
|
||||
ecc::{
|
||||
chip::{EccChip, NonIdentityEccPoint},
|
||||
NonIdentityPoint,
|
||||
Point,
|
||||
},
|
||||
utilities::{bitrange_subset, bool_check, copy, CellValue, Var},
|
||||
},
|
||||
|
@ -529,7 +529,7 @@ impl NoteCommitConfig {
|
|||
rho: CellValue<pallas::Base>,
|
||||
psi: CellValue<pallas::Base>,
|
||||
rcm: Option<pallas::Scalar>,
|
||||
) -> Result<NonIdentityPoint<pallas::Affine, EccChip>, Error> {
|
||||
) -> Result<Point<pallas::Affine, EccChip>, Error> {
|
||||
let (gd_x, gd_y) = (g_d.x().value(), g_d.y().value());
|
||||
let (pkd_x, pkd_y) = (pk_d.x().value(), pk_d.y().value());
|
||||
let value_val = value.value();
|
||||
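Review bot: The return type now drops the non-identity guarantee, so any caller that extracts the x-coordinate of this note commitment must be able to handle a `Point` that may be the identity, since complete addition no longer excludes it. A short doc line would make this explicit, e.g. `/// Returns the note commitment as a `Point`; it is not constrained to be non-identity.` The function's signature begins above the hunk and its callers are not visible here, so this is inferred from the type change alone.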
|
|
|
@ -174,7 +174,9 @@ impl CommitDomain {
|
|||
msg: impl Iterator<Item = bool>,
|
||||
r: &pallas::Scalar,
|
||||
) -> CtOption<pallas::Point> {
|
||||
(self.M.hash_to_point_inner(msg) + Wnaf::new().scalar(r).base(self.R)).into()
|
||||
// We use complete addition for the blinding factor.
|
||||
CtOption::<pallas::Point>::from(self.M.hash_to_point_inner(msg))
|
||||
.map(|p| p + Wnaf::new().scalar(r).base(self.R))
|
||||
}
|
||||
|
||||
/// $\mathsf{SinsemillaShortCommit}$ from [§ 5.4.8.4][concretesinsemillacommit].
|
||||
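Review bot: The new comment `// We use complete addition for the blinding factor.` states what is done but not why, which is the information a future maintainer needs before "optimising" it back to incomplete addition. Suggested wording: `// [r] R may be the identity (e.g. r = 0), so the blinding step must use complete addition; only the message hash uses incomplete addition and yields ⊥ (None) on its exceptional cases.` A test calling `commit` with `r` equal to the zero scalar and checking that the result equals the unblinded hash would pin this path. `commit`'s signature starts above the hunk.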
|
|
|
@ -46,14 +46,6 @@ impl Add for IncompletePoint {
|
|||
}
|
||||
}
|
||||
|
||||
impl Add<pallas::Point> for IncompletePoint {
|
||||
type Output = IncompletePoint;
|
||||
|
||||
fn add(self, rhs: pallas::Point) -> Self::Output {
|
||||
self + IncompletePoint(CtOption::new(rhs, 1.into()))
|
||||
}
|
||||
}
|
||||
|
||||
impl Add<pallas::Affine> for IncompletePoint {
|
||||
type Output = IncompletePoint;
|
||||
|
||||
|
|