Index at 1, not 0, the main loop of PedersenHashToPoint, to match spec math
This commit is contained in:
parent
e5c07721b4
commit
9d9491c4e8
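--- a/<path-not-shown-on-page>
+++ b/<path-not-shown-on-page>
@@ -47,9 +47,9 @@ where
 /// https://zips.z.cash/protocol/protocol.pdf#concretepedersenhash
 #[allow(non_snake_case)]
 pub fn pedersen_hash_to_point(domain: [u8; 8], M: &BitVec<Lsb0, u8>) -> jubjub::ExtendedPoint {
-// Expects i to be 0-indexed
+// Expects i to be 1-indexed from the loop it's called in.
 fn I_i(domain: [u8; 8], i: u32) -> jubjub::ExtendedPoint {
-find_group_hash(domain, &i.to_le_bytes())
+find_group_hash(domain, &(i - 1).to_le_bytes())
 }
 
 /// ⟨Mᵢ⟩
@@ -101,8 +101,14 @@ pub fn pedersen_hash_to_point(domain: [u8; 8], M: &BitVec<Lsb0, u8>) -> jubjub::
 // Split M into n segments of 3 * c bits, where c = 63, padding the last
 // segment with zeros.
 //
+// This loop is 1-indexed per the math definitions in the spec.
+//
 // https://zips.z.cash/protocol/protocol.pdf#concretepedersenhash
-for (i, segment) in M.chunks(189).enumerate() {
+for (i, segment) in M
+.chunks(189)
+.enumerate()
+.map(|(i, segment)| (i + 1, segment))
+{
 result += I_i(domain, i as u32) * M_i(&segment);
 }
 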
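Review bot: `I_i` now computes `i - 1` on a `u32`, but the 1-indexed precondition lives only in the comment above it, so a call with `i == 0` would underflow (panic in debug builds, wrap to `u32::MAX` in release and quietly select a different generator). The loop in the second hunk is the only caller visible here and it always passes `i + 1`, so the defect is not reachable from this commit, but the contract should be checked rather than assumed: add `debug_assert!(i >= 1, "I_i is 1-indexed per the spec");` as the first line of `I_i`, or write the subtraction as `i.checked_sub(1).expect("I_i is 1-indexed")`. The `i as u32` cast on the accumulation line is pre-existing and cannot truncate for any realistic message length, but a one-line comment stating that would spare the next reader the question. `pedersen_hash_to_point` starts before the first hunk and continues between and after both hunks, so other callers of `I_i` cannot be ruled out from this view.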