zecfoundation
/
bellman
mirror of https://github.com/ZcashFoundation/bellman.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Random z MUST be {1..2^128-1}, so we loop in case we (rarely) randomly generate a zero

This commit is contained in:
Deirdre Connolly 2021-02-05 15:12:10 -05:00
parent 9becaf5079
commit b9737fc0e8
1 changed files with 11 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
src/groth16/verifier/batch.rs
View File

@ -112,7 +112,17 @@ where
let mut acc_Y = E::Fr::zero();
for Item { proof, inputs } in self.items.into_iter() {
let z = E::Fr::random(&mut rng);
// The spec is explicit that z != 0. Field::random is defined to
// return a uniformly-random field element (which may be 0), so we
// loop until it's not, avoiding needing an assert or throwing an
// error through no fault of the batch items. This will likely never
// actually loop, but handles the edge case.
let z = loop {
let z = E::Fr::random(&mut rng);
if !z.is_zero() {
break z;
}
};
ml_terms.push(((proof.a * &z).into(), (-proof.b).into()));