diff --git a/src/gtest/test_joinsplit.cpp b/src/gtest/test_joinsplit.cpp index 18f293f1d..17ac7ecb2 100644 --- a/src/gtest/test_joinsplit.cpp +++ b/src/gtest/test_joinsplit.cpp @@ -15,6 +15,9 @@ using namespace libzcash; void test_full_api(ZCJoinSplit* js) { + // Create verification context. + auto verifier = libzcash::ProofVerifier::Strict(); + // The recipient's information. SpendingKey recipient_key = SpendingKey::random(); PaymentAddress recipient_addr = recipient_key.address(); @@ -69,6 +72,7 @@ void test_full_api(ZCJoinSplit* js) // Verify the transaction: ASSERT_TRUE(js->verify( proof, + verifier, pubKeyHash, randomSeed, macs, @@ -143,6 +147,7 @@ void test_full_api(ZCJoinSplit* js) // Verify the transaction: ASSERT_TRUE(js->verify( proof, + verifier, pubKeyHash, randomSeed, macs, diff --git a/src/gtest/test_proofs.cpp b/src/gtest/test_proofs.cpp index dd7755677..c6ffbf144 100644 --- a/src/gtest/test_proofs.cpp +++ b/src/gtest/test_proofs.cpp @@ -336,6 +336,29 @@ TEST(proofs, zksnark_serializes_properly) auto example = libsnark::generate_r1cs_example_with_field_input(250, 4); example.constraint_system.swap_AB_if_beneficial(); auto kp = libsnark::r1cs_ppzksnark_generator(example.constraint_system); + auto vkprecomp = libsnark::r1cs_ppzksnark_verifier_process_vk(kp.vk); + + for (size_t i = 0; i < 20; i++) { + auto badproof = ZCProof::random_invalid(); + auto proof = badproof.to_libsnark_proof>(); + + auto verifierEnabled = ProofVerifier::Strict(); + auto verifierDisabled = ProofVerifier::Disabled(); + // This verifier should catch the bad proof + ASSERT_FALSE(verifierEnabled.check( + kp.vk, + vkprecomp, + example.primary_input, + proof + )); + // This verifier won't! + ASSERT_TRUE(verifierDisabled.check( + kp.vk, + vkprecomp, + example.primary_input, + proof + )); + } for (size_t i = 0; i < 20; i++) { auto proof = libsnark::r1cs_ppzksnark_prover( @@ -345,6 +368,23 @@ TEST(proofs, zksnark_serializes_properly) example.constraint_system ); + { + auto verifierEnabled = ProofVerifier::Strict(); + auto verifierDisabled = ProofVerifier::Disabled(); + ASSERT_TRUE(verifierEnabled.check( + kp.vk, + vkprecomp, + example.primary_input, + proof + )); + ASSERT_TRUE(verifierDisabled.check( + kp.vk, + vkprecomp, + example.primary_input, + proof + )); + } + ASSERT_TRUE(libsnark::r1cs_ppzksnark_verifier_strong_IC( kp.vk, example.primary_input, diff --git a/src/main.cpp b/src/main.cpp index 36b265758..491714f95 100644 --- a/src/main.cpp +++ b/src/main.cpp @@ -844,8 +844,9 @@ bool CheckTransaction(const CTransaction& tx, CValidationState &state) return false; } else { // Ensure that zk-SNARKs verify + auto verifier = libzcash::ProofVerifier::Strict(); BOOST_FOREACH(const JSDescription &joinsplit, tx.vjoinsplit) { - if (!joinsplit.Verify(*pzcashParams, tx.joinSplitPubKey)) { + if (!joinsplit.Verify(*pzcashParams, verifier, tx.joinSplitPubKey)) { return state.DoS(100, error("CheckTransaction(): joinsplit does not verify"), REJECT_INVALID, "bad-txns-joinsplit-verification-failed"); } diff --git a/src/primitives/transaction.cpp b/src/primitives/transaction.cpp index d1e969360..f6236a2f8 100644 --- a/src/primitives/transaction.cpp +++ b/src/primitives/transaction.cpp @@ -70,10 +70,12 @@ JSDescription JSDescription::Randomized( bool JSDescription::Verify( ZCJoinSplit& params, + libzcash::ProofVerifier& verifier, const uint256& pubKeyHash ) const { return params.verify( proof, + verifier, pubKeyHash, randomSeed, macs, diff --git a/src/primitives/transaction.h b/src/primitives/transaction.h index 1b144dc45..829588371 100644 --- a/src/primitives/transaction.h +++ b/src/primitives/transaction.h @@ -95,7 +95,11 @@ public: ); // Verifies that the JoinSplit proof is correct. - bool Verify(ZCJoinSplit& params, const uint256& pubKeyHash) const; + bool Verify( + ZCJoinSplit& params, + libzcash::ProofVerifier& verifier, + const uint256& pubKeyHash + ) const; // Returns the calculated h_sig uint256 h_sig(ZCJoinSplit& params, const uint256& pubKeyHash) const; diff --git a/src/test/transaction_tests.cpp b/src/test/transaction_tests.cpp index 672a20d8a..86d59e809 100644 --- a/src/test/transaction_tests.cpp +++ b/src/test/transaction_tests.cpp @@ -341,9 +341,11 @@ BOOST_AUTO_TEST_CASE(test_basic_joinsplit_verification) libzcash::JSOutput(addr, 50) }; + auto verifier = libzcash::ProofVerifier::Strict(); + { JSDescription jsdesc(*p, pubKeyHash, rt, inputs, outputs, 0, 0); - BOOST_CHECK(jsdesc.Verify(*p, pubKeyHash)); + BOOST_CHECK(jsdesc.Verify(*p, verifier, pubKeyHash)); CDataStream ss(SER_DISK, CLIENT_VERSION); ss << jsdesc; @@ -352,7 +354,7 @@ BOOST_AUTO_TEST_CASE(test_basic_joinsplit_verification) ss >> jsdesc_deserialized; BOOST_CHECK(jsdesc_deserialized == jsdesc); - BOOST_CHECK(jsdesc_deserialized.Verify(*p, pubKeyHash)); + BOOST_CHECK(jsdesc_deserialized.Verify(*p, verifier, pubKeyHash)); } { @@ -365,7 +367,7 @@ BOOST_AUTO_TEST_CASE(test_basic_joinsplit_verification) // Ensure that it won't verify if the root is changed. auto test = JSDescription(*p, pubKeyHash, rt, inputs, outputs, 0, 0); test.anchor = GetRandHash(); - BOOST_CHECK(!test.Verify(*p, pubKeyHash)); + BOOST_CHECK(!test.Verify(*p, verifier, pubKeyHash)); } } diff --git a/src/wallet/asyncrpcoperation_sendmany.cpp b/src/wallet/asyncrpcoperation_sendmany.cpp index 67d30d0cc..c65664eae 100644 --- a/src/wallet/asyncrpcoperation_sendmany.cpp +++ b/src/wallet/asyncrpcoperation_sendmany.cpp @@ -948,8 +948,11 @@ Object AsyncRPCOperation_sendmany::perform_joinsplit( info.vpub_new, !this->testmode); - if (!(jsdesc.Verify(*pzcashParams, joinSplitPubKey_))) { - throw std::runtime_error("error verifying joinsplit"); + { + auto verifier = libzcash::ProofVerifier::Strict(); + if (!(jsdesc.Verify(*pzcashParams, verifier, joinSplitPubKey_))) { + throw std::runtime_error("error verifying joinsplit"); + } } mtx.vjoinsplit.push_back(jsdesc); diff --git a/src/wallet/rpcwallet.cpp b/src/wallet/rpcwallet.cpp index 3cc75daa5..139ccb3f0 100644 --- a/src/wallet/rpcwallet.cpp +++ b/src/wallet/rpcwallet.cpp @@ -2707,7 +2707,10 @@ Value zc_raw_joinsplit(const json_spirit::Array& params, bool fHelp) vpub_old, vpub_new); - assert(jsdesc.Verify(*pzcashParams, joinSplitPubKey)); + { + auto verifier = libzcash::ProofVerifier::Strict(); + assert(jsdesc.Verify(*pzcashParams, verifier, joinSplitPubKey)); + } mtx.vjoinsplit.push_back(jsdesc); diff --git a/src/zcash/JoinSplit.cpp b/src/zcash/JoinSplit.cpp index dad15316e..590700cd9 100644 --- a/src/zcash/JoinSplit.cpp +++ b/src/zcash/JoinSplit.cpp @@ -5,7 +5,6 @@ #include "zcash/util.h" #include -#include #include #include @@ -25,8 +24,6 @@ namespace libzcash { #include "zcash/circuit/gadget.tcc" -std::once_flag init_public_params_once_flag; - CCriticalSection cs_ParamsIO; CCriticalSection cs_LoadKeys; @@ -80,10 +77,6 @@ public: JoinSplitCircuit() {} ~JoinSplitCircuit() {} - static void initialize() { - std::call_once (init_public_params_once_flag, ppzksnark_ppT::init_public_params); - } - void setProvingKeyPath(std::string path) { pkPath = path; } @@ -151,6 +144,7 @@ public: bool verify( const ZCProof& proof, + ProofVerifier& verifier, const uint256& pubKeyHash, const uint256& randomSeed, const boost::array& macs, @@ -179,7 +173,12 @@ public: vpub_new ); - return r1cs_ppzksnark_online_verifier_strong_IC(*vk_precomp, witness, r1cs_proof); + return verifier.check( + *vk, + *vk_precomp, + witness, + r1cs_proof + ); } catch (...) { return false; } @@ -358,7 +357,7 @@ public: template JoinSplit* JoinSplit::Generate() { - JoinSplitCircuit::initialize(); + initialize_curve_params(); auto js = new JoinSplitCircuit(); js->generate(); @@ -368,7 +367,7 @@ JoinSplit* JoinSplit::Generate() template JoinSplit* JoinSplit::Unopened() { - JoinSplitCircuit::initialize(); + initialize_curve_params(); return new JoinSplitCircuit(); } diff --git a/src/zcash/JoinSplit.hpp b/src/zcash/JoinSplit.hpp index 8f17a4c46..a8c08d21b 100644 --- a/src/zcash/JoinSplit.hpp +++ b/src/zcash/JoinSplit.hpp @@ -83,6 +83,7 @@ public: virtual bool verify( const ZCProof& proof, + ProofVerifier& verifier, const uint256& pubKeyHash, const uint256& randomSeed, const boost::array& hmacs, diff --git a/src/zcash/Proof.cpp b/src/zcash/Proof.cpp index ab7c64483..8a0ff2167 100644 --- a/src/zcash/Proof.cpp +++ b/src/zcash/Proof.cpp @@ -1,6 +1,7 @@ #include "Proof.hpp" #include +#include #include "crypto/common.h" #include "libsnark/common/default_types/r1cs_ppzksnark_pp.hpp" @@ -211,4 +212,36 @@ ZCProof ZCProof::random_invalid() return p; } +std::once_flag init_public_params_once_flag; + +void initialize_curve_params() +{ + std::call_once (init_public_params_once_flag, curve_pp::init_public_params); +} + +ProofVerifier ProofVerifier::Strict() { + initialize_curve_params(); + return ProofVerifier(true); +} + +ProofVerifier ProofVerifier::Disabled() { + initialize_curve_params(); + return ProofVerifier(false); +} + +template<> +bool ProofVerifier::check( + const r1cs_ppzksnark_verification_key& vk, + const r1cs_ppzksnark_processed_verification_key& pvk, + const r1cs_primary_input& primary_input, + const r1cs_ppzksnark_proof& proof +) +{ + if (perform_verification) { + return r1cs_ppzksnark_online_verifier_strong_IC(pvk, primary_input, proof); + } else { + return true; + } +} + } diff --git a/src/zcash/Proof.hpp b/src/zcash/Proof.hpp index b4fdf93b6..3b6b5e568 100644 --- a/src/zcash/Proof.hpp +++ b/src/zcash/Proof.hpp @@ -235,6 +235,42 @@ public: } }; +void initialize_curve_params(); + +class ProofVerifier { +private: + bool perform_verification; + + ProofVerifier(bool perform_verification) : perform_verification(perform_verification) { } + +public: + // ProofVerifier should never be copied + ProofVerifier(const ProofVerifier&) = delete; + ProofVerifier& operator=(const ProofVerifier&) = delete; + ProofVerifier(ProofVerifier&&); + ProofVerifier& operator=(ProofVerifier&&); + + // Creates a verification context that strictly verifies + // all proofs using libsnark's API. + static ProofVerifier Strict(); + + // Creates a verification context that performs no + // verification, used when avoiding duplicate effort + // such as during reindexing. + static ProofVerifier Disabled(); + + template + bool check( + const VerificationKey& vk, + const ProcessedVerificationKey& pvk, + const PrimaryInput& pi, + const Proof& p + ); +}; } diff --git a/src/zcbenchmarks.cpp b/src/zcbenchmarks.cpp index 1d60fdde7..dac7bf764 100644 --- a/src/zcbenchmarks.cpp +++ b/src/zcbenchmarks.cpp @@ -89,7 +89,8 @@ double benchmark_create_joinsplit() 0); double ret = timer_stop(tv_start); - assert(jsdesc.Verify(*pzcashParams, pubKeyHash)); + auto verifier = libzcash::ProofVerifier::Strict(); + assert(jsdesc.Verify(*pzcashParams, verifier, pubKeyHash)); return ret; } @@ -98,7 +99,8 @@ double benchmark_verify_joinsplit(const JSDescription &joinsplit) struct timeval tv_start; timer_start(tv_start); uint256 pubKeyHash; - joinsplit.Verify(*pzcashParams, pubKeyHash); + auto verifier = libzcash::ProofVerifier::Strict(); + joinsplit.Verify(*pzcashParams, verifier, pubKeyHash); return timer_stop(tv_start); }