[Protocol3] Verifier fixes + snark field overflow checks (#310)

* [Protocol3] Verifier fixes + snark field overflow checks

* [Protocol3] Improvements to snark field checks + tests

* [Protocol3] Fixed some comments

* [Protocol3] Added comment for the snark scalar field prime

* [Protocol3] Fixed typo

* Update ExchangeData.sol

* Update ExchangeData.sol

* Update BatchVerifier.sol

Author: Brechtpd

packages/loopring_v3/contracts/impl/libexchange/ExchangeBlocks.sol

@@ -122,8 +122,9 @@ library ExchangeBlocks
                 "PROOF_TOO_LATE"
             );
 
-            // Maybe we should strip the highest bits of the public input so we don't have any overflow (uint/prime field)
-            publicInputs[i] = uint(specifiedBlock.publicDataHash);
+            // Strip the 3 least significant bits of the public data hash
+            // so we don't have any overflow in the snark field
+            publicInputs[i] = uint(specifiedBlock.publicDataHash) >> 3;
             if (i == 0) {
                 blockSize = specifiedBlock.blockSize;
                 blockType = specifiedBlock.blockType;

packages/loopring_v3/contracts/impl/libexchange/ExchangeData.sol

@@ -164,6 +164,11 @@ library ExchangeData
     function GENESIS_MERKLE_ROOT() internal pure returns (bytes32) {
         return 0x2b4827daf74c0ab30deb68b1c337dec40579bb3ff45ce9478288e1a2b83a3a01;
     }
+
+    function SNARK_SCALAR_FIELD() internal pure returns (uint) {
+        // This is the prime number that is used for the alt_bn128 elliptic curve, see EIP-196.
+        return 21888242871839275222246405745257275088548364400416034343698204186575808495617;
+    }
     function MAX_PROOF_GENERATION_TIME_IN_SECONDS() internal pure returns (uint32) { return 1 hours; }
     function MAX_GAP_BETWEEN_FINALIZED_AND_VERIFIED_BLOCKS() internal pure returns (uint32) { return 2500; }
     function MAX_OPEN_DEPOSIT_REQUESTS() internal pure returns (uint16) { return 1024; }

packages/loopring_v3/contracts/impl/libexchange/ExchangeDeposits.sol

@@ -118,6 +118,10 @@ library ExchangeDeposits
             feeETH
         );
 
+        // Make sure the public key can be stored in the SNARK field
+        require(account.pubKeyX < ExchangeData.SNARK_SCALAR_FIELD(), "INVALID_PUBKEY");
+        require(account.pubKeyY < ExchangeData.SNARK_SCALAR_FIELD(), "INVALID_PUBKEY");
+
         // Add the request to the deposit chain
         ExchangeData.Request storage prevRequest = S.depositChain[S.depositChain.length - 1];
         ExchangeData.Request memory request = ExchangeData.Request(

packages/loopring_v3/contracts/lib/Poseidon.sol

@@ -34,6 +34,14 @@ library Poseidon
         pure
         returns (uint)
     {
+        uint q = 21888242871839275222246405745257275088548364400416034343698204186575808495617;
+        // Make sure the inputs can be stored in the SNARK field
+        require(t0 < q, "INVALID_INPUT");
+        require(t1 < q, "INVALID_INPUT");
+        require(t2 < q, "INVALID_INPUT");
+        require(t3 < q, "INVALID_INPUT");
+        require(t4 < q, "INVALID_INPUT");
+
         assembly {
             function mix(t0, t1, t2, t3, t4, q) -> nt0, nt1, nt2, nt3, nt4 {
                 nt0 := mulmod(t0, 4977258759536702998522229302103997878600602264560359702680165243908162277980, q)
@@ -95,8 +103,6 @@ library Poseidon
                 nt := mulmod(t, nt, q)
             }
 
-            let q := 21888242871839275222246405745257275088548364400416034343698204186575808495617
-
             // round 0
             t0, t1, t2, t3, t4 := ark(t0, t1, t2, t3, t4, q, 14397397413755236225575615486459253198602422701513067526754101844196324375522)
             t0, t1, t2, t3, t4 := sbox_full(t0, t1, t2, t3, t4, q)

packages/loopring_v3/contracts/thirdparty/BatchVerifier.sol

@@ -27,6 +27,7 @@ library BatchVerifier {
     )
         internal pure returns (uint256)
     {
+        // Truncate the least significant 3 bits from the 256bit entropy so it fits the scalar field
         return uint256(
             keccak256(
                 abi.encodePacked(
@@ -35,7 +36,7 @@ library BatchVerifier {
                     proof_inputs[proofNumber]
                 )
             )
-        );
+        ) >> 3;
     }
 
     function accumulate(
@@ -64,6 +65,7 @@ library BatchVerifier {
             // here multiplication by 1 is implied
             inputAccumulators[0] = addmod(inputAccumulators[0], entropy[proofNumber], q);
             for (uint256 i = 0; i < numPublicInputs; i++) {
+                require(proof_inputs[proofNumber * numPublicInputs + i] < q, "INVALID_INPUT");
                 // accumulate the exponent with extra entropy mod q
                 inputAccumulators[i+1] = addmod(inputAccumulators[i+1], mulmod(entropy[proofNumber], proof_inputs[proofNumber * numPublicInputs + i], q), q);
             }
@@ -81,6 +83,7 @@ library BatchVerifier {
         proofsAandC[1] = in_proof[1];
 
         for (uint256 proofNumber = 1; proofNumber < num_proofs; proofNumber++) {
+            require(entropy[proofNumber] < q, "INVALID_INPUT");
             mul_input[0] = in_proof[proofNumber*8];
             mul_input[1] = in_proof[proofNumber*8 + 1];
             mul_input[2] = entropy[proofNumber];
@@ -269,4 +272,4 @@ library BatchVerifier {
         }
         return success && out[0] == 1;
     }
-}
+}

packages/loopring_v3/contracts/thirdparty/Pairing.sol

@@ -1,45 +1,18 @@
+// This code is taken from https://github.com/HarryR/ethsnarks/blob/master/contracts/Verifier.sol
 // this code is taken from https://github.com/JacobEberhardt/ZoKrates
 
 pragma solidity 0.5.7;
 
-import "./Pairing.sol";
-
 library Verifier
 {
-    using Pairing for Pairing.G1Point;
-    using Pairing for Pairing.G2Point;
-
     function ScalarField ()
-        public
+        internal
         pure
         returns (uint256)
     {
         return 21888242871839275222246405745257275088548364400416034343698204186575808495617;
     }
 
-    struct VerifyingKey
-    {
-        Pairing.G1Point alpha;
-        Pairing.G2Point beta;
-        Pairing.G2Point gamma;
-        Pairing.G2Point delta;
-        Pairing.G1Point[] gammaABC;
-    }
-
-    struct Proof
-    {
-        Pairing.G1Point A;
-        Pairing.G2Point B;
-        Pairing.G1Point C;
-    }
-
-    struct ProofWithInput
-    {
-        Proof proof;
-        uint256[] input;
-    }
-
-
     function NegateY( uint256 Y )
         internal pure returns (uint256)
     {
@@ -102,6 +75,7 @@ library Verifier
         view
         returns (bool)
     {
+        uint256 snark_scalar_field = 21888242871839275222246405745257275088548364400416034343698204186575808495617;
         require(((vk_gammaABC.length / 2) - 1) == proof_inputs.length, "INVALID_VALUE");
 
         // Compute the linear combination vk_x
@@ -116,6 +90,7 @@ library Verifier
 
         // Performs a sum of gammaABC[0] + sum[ gammaABC[i+1]^proof_inputs[i] ]
         for (uint i = 0; i < proof_inputs.length; i++) {
+            require(proof_inputs[i] < snark_scalar_field, "INVALID_INPUT");
             mul_input[0] = vk_gammaABC[m++];
             mul_input[1] = vk_gammaABC[m++];
             mul_input[2] = proof_inputs[i];
@@ -161,41 +136,4 @@ library Verifier
         }
         return success && out[0] != 0;
     }
-
-
-    function Verify(
-        VerifyingKey memory vk,
-        ProofWithInput memory pwi
-        )
-        internal
-        view
-        returns (bool)
-    {
-        return Verify(vk, pwi.proof, pwi.input);
-    }
-
-
-    function Verify(
-        VerifyingKey memory vk,
-        Proof memory proof,
-        uint256[] memory input
-        )
-        internal
-        view
-        returns (bool)
-    {
-        require(input.length + 1 == vk.gammaABC.length, "INVALID_VALUE");
-
-        // Compute the linear combination vk_x
-        Pairing.G1Point memory vk_x = vk.gammaABC[0];
-        for (uint i = 0; i < input.length; i++)
-            vk_x = Pairing.pointAdd(vk_x, Pairing.pointMul(vk.gammaABC[i + 1], input[i]));
-
-        // Verify proof
-        return Pairing.pairingProd4(
-            proof.A, proof.B,
-            vk_x.negate(), vk.gamma,
-            proof.C.negate(), vk.delta,
-            vk.alpha.negate(), vk.beta);
-    }
 }