
Commit 66c4a72

Add additional validation to R1CS proof points.
This follows the same logic as in the rangeproof case: we don't have an a priori reason to think that there's a security problem with allowing these points to be the identity, but this is an area where people make mistakes in under-specification of assumptions, etc., and there is no valid reason for these points to be the identity, so this works as a defense-in-depth mechanism. The extra validation is not applied to the value commitments, in order to allow commitments to the zero value with zero blinding factor.
1 parent 459e928 commit 66c4a72

File tree

1 file changed

+9
-8
lines changed


src/r1cs/verifier.rs

Lines changed: 9 additions & 8 deletions
@@ -331,9 +331,9 @@ impl<'t> Verifier<'t> {
331331
self.transcript.append_u64(b"m", self.V.len() as u64);
332332

333333
let n1 = self.num_vars;
334-
self.transcript.append_point(b"A_I1", &proof.A_I1);
335-
self.transcript.append_point(b"A_O1", &proof.A_O1);
336-
self.transcript.append_point(b"S1", &proof.S1);
334+
self.transcript.validate_and_append_point(b"A_I1", &proof.A_I1)?;
335+
self.transcript.validate_and_append_point(b"A_O1", &proof.A_O1)?;
336+
self.transcript.validate_and_append_point(b"S1", &proof.S1)?;
337337

338338
// Process the remaining constraints.
339339
self = self.create_randomized_constraints()?;
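Review bot: the three new `?` propagations on `A_I1`, `A_O1` and `S1` depend on the error returned by `validate_and_append_point` converting into this function's return type; the unchanged `self = self.create_randomized_constraints()?;` two lines below shows the function already returns a `Result`, so the early return composes, but it is worth confirming that the error variant surfaced for an identity point here is the same one the rangeproof verifier emits, so callers see one consistent "malformed proof" failure across both proof systems rather than two differently-named variants. A regression test that takes a valid proof, overwrites one of `A_I1`, `A_O1` or `S1` with the identity point and asserts that verification fails would pin this defense-in-depth behaviour so it is not silently lost in a later refactor.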
@@ -354,18 +354,19 @@ impl<'t> Verifier<'t> {
354354
// We are performing a single-party circuit proof, so party index is 0.
355355
let gens = bp_gens.share(0);
356356

357+
// These points are the identity in the 1-phase unrandomized case.
357358
self.transcript.append_point(b"A_I2", &proof.A_I2);
358359
self.transcript.append_point(b"A_O2", &proof.A_O2);
359360
self.transcript.append_point(b"S2", &proof.S2);
360361

361362
let y = self.transcript.challenge_scalar(b"y");
362363
let z = self.transcript.challenge_scalar(b"z");
363364

364-
self.transcript.append_point(b"T_1", &proof.T_1);
365-
self.transcript.append_point(b"T_3", &proof.T_3);
366-
self.transcript.append_point(b"T_4", &proof.T_4);
367-
self.transcript.append_point(b"T_5", &proof.T_5);
368-
self.transcript.append_point(b"T_6", &proof.T_6);
365+
self.transcript.validate_and_append_point(b"T_1", &proof.T_1)?;
366+
self.transcript.validate_and_append_point(b"T_3", &proof.T_3)?;
367+
self.transcript.validate_and_append_point(b"T_4", &proof.T_4)?;
368+
self.transcript.validate_and_append_point(b"T_5", &proof.T_5)?;
369+
self.transcript.validate_and_append_point(b"T_6", &proof.T_6)?;
369370

370371
let u = self.transcript.challenge_scalar(b"u");
371372
let x = self.transcript.challenge_scalar(b"x");
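Review bot: the comment added at line 357 says only that `A_I2`, `A_O2` and `S2` are the identity in the 1-phase unrandomized case; it does not say that this is why they deliberately keep the non-validating `append_point` while every other proof point in this function now goes through `validate_and_append_point`. Suggest spelling that out, e.g. `// These points are the identity in the 1-phase unrandomized case, so they are appended without the identity check applied to the other proof points.`, otherwise a future reader is likely to "fix" the apparent inconsistency and break verification of single-phase proofs. The `T_1`, `T_3`, `T_4`, `T_5`, `T_6` lines follow the same pattern as the first hunk and carry the same requirement that the validation error be convertible into the function's `Result` type.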
