Require that ak in FullViewingKey is prime order
This commit is contained in:
parent
75bede4bc8
commit
6846ac5f9e
|
@ -62,6 +62,7 @@ impl<E: JubjubEngine> ProofGenerationKey<E> {
|
|||
}
|
||||
}
|
||||
|
||||
#[derive(Debug)]
|
||||
pub struct ViewingKey<E: JubjubEngine> {
|
||||
pub ak: edwards::Point<E, PrimeOrder>,
|
||||
pub nk: edwards::Point<E, PrimeOrder>
|
||||
|
|
|
@ -27,7 +27,7 @@ pub fn prf_expand_vec(sk: &[u8], ts: &[&[u8]]) -> Blake2bResult {
|
|||
}
|
||||
|
||||
/// An outgoing viewing key
|
||||
#[derive(Clone, Copy, PartialEq)]
|
||||
#[derive(Clone, Copy, Debug, PartialEq)]
|
||||
pub struct OutgoingViewingKey(pub [u8; 32]);
|
||||
|
||||
/// A Sapling expanded spending key
|
||||
|
@ -39,6 +39,7 @@ pub struct ExpandedSpendingKey<E: JubjubEngine> {
|
|||
}
|
||||
|
||||
/// A Sapling full viewing key
|
||||
#[derive(Debug)]
|
||||
pub struct FullViewingKey<E: JubjubEngine> {
|
||||
pub vk: ViewingKey<E>,
|
||||
pub ovk: OutgoingViewingKey,
|
||||
|
@ -134,10 +135,16 @@ impl<E: JubjubEngine> FullViewingKey<E> {
|
|||
None => {
|
||||
return Err(io::Error::new(
|
||||
io::ErrorKind::InvalidData,
|
||||
"ak not of prime order",
|
||||
"ak not in prime-order subgroup",
|
||||
));
|
||||
}
|
||||
};
|
||||
if ak == edwards::Point::zero() {
|
||||
return Err(io::Error::new(
|
||||
io::ErrorKind::InvalidData,
|
||||
"ak not of prime order",
|
||||
));
|
||||
}
|
||||
|
||||
let nk = edwards::Point::<E, Unknown>::read(&mut reader, params)?;
|
||||
let nk = match nk.as_prime_order(params) {
|
||||
|
@ -145,7 +152,7 @@ impl<E: JubjubEngine> FullViewingKey<E> {
|
|||
None => {
|
||||
return Err(io::Error::new(
|
||||
io::ErrorKind::InvalidData,
|
||||
"nk not of prime order",
|
||||
"nk not in prime-order subgroup",
|
||||
));
|
||||
}
|
||||
};
|
||||
|
@ -174,3 +181,38 @@ impl<E: JubjubEngine> FullViewingKey<E> {
|
|||
result
|
||||
}
|
||||
}
|
||||
|
||||
#[cfg(test)]
|
||||
mod tests {
|
||||
use pairing::bls12_381::Bls12;
|
||||
use sapling_crypto::jubjub::{edwards, FixedGenerators, JubjubParams, PrimeOrder};
|
||||
use std::error::Error;
|
||||
|
||||
use super::FullViewingKey;
|
||||
use crate::JUBJUB;
|
||||
|
||||
#[test]
|
||||
fn ak_must_be_prime_order() {
|
||||
let mut buf = [0; 96];
|
||||
let identity = edwards::Point::<Bls12, PrimeOrder>::zero();
|
||||
|
||||
// Set both ak and nk to the identity.
|
||||
identity.write(&mut buf[0..32]).unwrap();
|
||||
identity.write(&mut buf[32..64]).unwrap();
|
||||
|
||||
// ak is not allowed to be the identity.
|
||||
assert_eq!(
|
||||
FullViewingKey::<Bls12>::read(&buf[..], &JUBJUB)
|
||||
.unwrap_err()
|
||||
.description(),
|
||||
"ak not of prime order"
|
||||
);
|
||||
|
||||
// Set ak to a basepoint.
|
||||
let basepoint = JUBJUB.generator(FixedGenerators::SpendingKeyGenerator);
|
||||
basepoint.write(&mut buf[0..32]).unwrap();
|
||||
|
||||
// nk is allowed to be the identity.
|
||||
assert!(FullViewingKey::<Bls12>::read(&buf[..], &JUBJUB).is_ok());
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue