Merge branch 'main' of github.com:dalek-cryptography/bulletproofs into main

Author: oleganza

src/inner_product_proof.rs

@@ -177,12 +177,21 @@ impl InnerProductProof {
 
     /// Computes three vectors of verification scalars \\([u\_{i}^{2}]\\), \\([u\_{i}^{-2}]\\) and \\([s\_{i}]\\) for combined multiscalar multiplication
     /// in a parent protocol. See [inner product protocol notes](index.html#verification-equation) for details.
+    /// The verifier must provide the input length \\(n\\) explicitly to avoid unbounded allocation within the inner product proof.
     pub(crate) fn verification_scalars(
         &self,
+        n: usize,
         transcript: &mut Transcript,
-    ) -> (Vec<Scalar>, Vec<Scalar>, Vec<Scalar>) {
+    ) -> Result<(Vec<Scalar>, Vec<Scalar>, Vec<Scalar>), ProofError> {
         let lg_n = self.L_vec.len();
-        let n = 1 << lg_n;
+        if lg_n >= 32 {
+            // 4 billion multiplications should be enough for anyone
+            // and this check prevents overflow in 1<<lg_n below.
+            return Err(ProofError::VerificationError);
+        }
+        if n != (1 << lg_n) {
+            return Err(ProofError::VerificationError);
+        }
 
         transcript.innerproduct_domain_sep(n as u64);
 
@@ -223,7 +232,7 @@ impl InnerProductProof {
             s.push(s[i - k] * u_lg_i_sq);
         }
 
-        (challenges_sq, challenges_inv_sq, s)
+        Ok((challenges_sq, challenges_inv_sq, s))
     }
 
     /// This method is for testing that proof generation work,
@@ -233,6 +242,7 @@ impl InnerProductProof {
     #[allow(dead_code)]
     pub fn verify<I>(
         &self,
+        n: usize,
         transcript: &mut Transcript,
         Hprime_factors: I,
         P: &RistrettoPoint,
@@ -244,7 +254,7 @@ impl InnerProductProof {
         I: IntoIterator,
         I::Item: Borrow<Scalar>,
     {
-        let (u_sq, u_inv_sq, s) = self.verification_scalars(transcript);
+        let (u_sq, u_inv_sq, s) = self.verification_scalars(n, transcript)?;
 
         let a_times_s = s.iter().map(|s_i| self.a * s_i);
 
@@ -430,15 +440,15 @@ mod tests {
         let mut verifier = Transcript::new(b"innerproducttest");
         assert!(
             proof
-                .verify(&mut verifier, util::exp_iter(y_inv), &P, &Q, &G, &H)
+                .verify(n, &mut verifier, util::exp_iter(y_inv), &P, &Q, &G, &H)
                 .is_ok()
         );
 
         let proof = InnerProductProof::from_bytes(proof.to_bytes().as_slice()).unwrap();
         let mut verifier = Transcript::new(b"innerproducttest");
         assert!(
             proof
-                .verify(&mut verifier, util::exp_iter(y_inv), &P, &Q, &G, &H)
+                .verify(n, &mut verifier, util::exp_iter(y_inv), &P, &Q, &G, &H)
                 .is_ok()
         );
     }

src/range_proof/mod.rs

@@ -312,7 +312,7 @@ impl RangeProof {
         // Challenge value for batching statements to be verified
         let c = Scalar::random(&mut rng);
 
-        let (x_sq, x_inv_sq, s) = self.ipp_proof.verification_scalars(transcript);
+        let (x_sq, x_inv_sq, s) = self.ipp_proof.verification_scalars(n * m, transcript)?;
         let s_inv = s.iter().rev();
 
         let a = self.ipp_proof.a;
@@ -556,13 +556,6 @@ mod tests {
             (bincode::serialize(&proof).unwrap(), value_commitments)
         };
 
-        println!(
-            "Aggregated rangeproof of m={} proofs of n={} bits has size {} bytes",
-            m,
-            n,
-            proof_bytes.len(),
-        );
-
         // Verifier's scope
         {
             // 3. Deserialize