Add a transcript protocol function that checks for identity points.

Author: hdevalence

Cargo.toml

@@ -12,7 +12,7 @@ keywords = ["cryptography", "ristretto", "zero-knowledge", "bulletproofs"]
 description = "A pure-Rust implementation of Bulletproofs using Ristretto"
 
 [dependencies]
-curve25519-dalek = { version = "1", features = ["serde"] }
+curve25519-dalek = { version = "1.0.3", features = ["serde"] }
 subtle = "2"
 sha3 = "0.8"
 digest = "0.8"

src/inner_product_proof.rs

@@ -205,8 +205,8 @@ impl InnerProductProof {
 
         let mut challenges = Vec::with_capacity(lg_n);
         for (L, R) in self.L_vec.iter().zip(self.R_vec.iter()) {
-            transcript.commit_point(b"L", L);
-            transcript.commit_point(b"R", R);
+            transcript.validate_and_commit_point(b"L", L)?;
+            transcript.validate_and_commit_point(b"R", R)?;
             challenges.push(transcript.challenge_scalar(b"u"));
         }
 

src/range_proof/mod.rs

@@ -287,18 +287,19 @@ impl RangeProof {
         transcript.rangeproof_domain_sep(n as u64, m as u64);
 
         for V in value_commitments.iter() {
-            transcript.commit_point(b"V", V);
+            transcript.validate_and_commit_point(b"V", V)?;
         }
-        transcript.commit_point(b"A", &self.A);
-        transcript.commit_point(b"S", &self.S);
+
+        transcript.validate_and_commit_point(b"A", &self.A)?;
+        transcript.validate_and_commit_point(b"S", &self.S)?;
 
         let y = transcript.challenge_scalar(b"y");
         let z = transcript.challenge_scalar(b"z");
         let zz = z * z;
         let minus_z = -z;
 
-        transcript.commit_point(b"T_1", &self.T_1);
-        transcript.commit_point(b"T_2", &self.T_2);
+        transcript.validate_and_commit_point(b"T_1", &self.T_1)?;
+        transcript.validate_and_commit_point(b"T_2", &self.T_2)?;
 
         let x = transcript.challenge_scalar(b"x");
 

src/transcript.rs

@@ -5,19 +5,35 @@ use curve25519_dalek::ristretto::CompressedRistretto;
 use curve25519_dalek::scalar::Scalar;
 use merlin::Transcript;
 
+use errors::ProofError;
+
 pub trait TranscriptProtocol {
     /// Commit a domain separator for an `n`-bit, `m`-party range proof.
     fn rangeproof_domain_sep(&mut self, n: u64, m: u64);
+
     /// Commit a domain separator for a length-`n` inner product proof.
     fn innerproduct_domain_sep(&mut self, n: u64);
+
     /// Commit a domain separator for a constraint system.
     fn r1cs_domain_sep(&mut self);
+
     /// Commit a 64-bit integer.
     fn commit_u64(&mut self, label: &'static [u8], n: u64);
+
     /// Commit a `scalar` with the given `label`.
     fn commit_scalar(&mut self, label: &'static [u8], scalar: &Scalar);
+
     /// Commit a `point` with the given `label`.
     fn commit_point(&mut self, label: &'static [u8], point: &CompressedRistretto);
+
+    /// Check that a point is not the identity, then commit it to the
+    /// transcript.  Otherwise, return an error.
+    fn validate_and_commit_point(
+        &mut self,
+        label: &'static [u8],
+        point: &CompressedRistretto,
+    ) -> Result<(), ProofError>;
+
     /// Compute a `label`ed challenge variable.
     fn challenge_scalar(&mut self, label: &'static [u8]) -> Scalar;
 }
@@ -56,6 +72,20 @@ impl TranscriptProtocol for Transcript {
         self.commit_bytes(label, point.as_bytes());
     }
 
+    fn validate_and_commit_point(
+        &mut self,
+        label: &'static [u8],
+        point: &CompressedRistretto,
+    ) -> Result<(), ProofError> {
+        use curve25519_dalek::traits::IsIdentity;
+
+        if point.is_identity() {
+            Err(ProofError::VerificationError)
+        } else {
+            Ok(self.commit_bytes(label, point.as_bytes()))
+        }
+    }
+
     fn challenge_scalar(&mut self, label: &'static [u8]) -> Scalar {
         let mut buf = [0u8; 64];
         self.challenge_bytes(label, &mut buf);