From 25dc1fc6e311f47ba5fa5378bfcc383f15ec74f4 Mon Sep 17 00:00:00 2001
From: Kobi Gurkan
Date: Fri, 26 Jul 2019 15:07:46 +0300
Subject: [PATCH] Ensures public inputs are less than the scalar field size

---
templates/verifier_groth.sol | 2 ++
templates/verifier_kimleeoh.sol | 2 ++
templates/verifier_original.sol | 2 ++
3 files changed, 6 insertions(+)

diff --git a/templates/verifier_groth.sol b/templates/verifier_groth.sol
index ed890d9..a2019eb 100644
--- a/templates/verifier_groth.sol
+++ b/templates/verifier_groth.sol
@@ -182,11 +182,13 @@ contract Verifier {
 <%vk_ic_pts%>
 }
 function verify(uint[] memory input, Proof memory proof) internal view returns (uint) {
+ uint256 snark_scalar_field = 21888242871839275222246405745257275088548364400416034343698204186575808495617;
 VerifyingKey memory vk = verifyingKey();
 require(input.length + 1 == vk.IC.length,"verifier-bad-input");
 // Compute the linear combination vk_x
 Pairing.G1Point memory vk_x = Pairing.G1Point(0, 0);
 for (uint i = 0; i < input.length; i++)
+ require(input[i] < snark_scalar_field);
 vk_x = Pairing.addition(vk_x, Pairing.scalar_mul(vk.IC[i + 1], input[i]));
 vk_x = Pairing.addition(vk_x, vk.IC[0]);
 if (!Pairing.pairingProd4(
diff --git a/templates/verifier_kimleeoh.sol b/templates/verifier_kimleeoh.sol
index d1dd1c2..af528e2 100644
--- a/templates/verifier_kimleeoh.sol
+++ b/templates/verifier_kimleeoh.sol
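Review bot: The added `require(input[i] < snark_scalar_field);` becomes the sole body of the brace-less `for` loop in verify(), so the line that follows it, `vk_x = Pairing.addition(vk_x, Pairing.scalar_mul(vk.IC[i + 1], input[i]));`, is no longer executed per input; the kimleeoh and original hunks have the same shape and the same problem. The linear combination is then evaluated once after the loop with `i` equal to `input.length`, which, depending on the compiler version these templates target, is either an undeclared identifier or an out-of-bounds read that reverts — the bound check lands but the verifier stops verifying. Wrapping the loop body in braces restores the per-input accumulation, and in the groth and original templates the new require could carry a reason string like the neighbouring `"verifier-bad-input"` check does. verify()'s body continues past the end of each hunk.
```solidity
for (uint i = 0; i < input.length; i++) {
    require(input[i] < snark_scalar_field, "verifier-gte-snark-scalar-field");
    vk_x = Pairing.addition(vk_x, Pairing.scalar_mul(vk.IC[i + 1], input[i]));
}
// … unchanged: vk.IC[0] addition and pairing checks …
```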
@@ -173,11 +173,13 @@ contract Verifier {
 <%vk_ic_pts%>
 }
 function verify(uint[] input, Proof proof) view internal returns (uint) {
+ uint256 snark_scalar_field = 21888242871839275222246405745257275088548364400416034343698204186575808495617;
 VerifyingKey memory vk = verifyingKey();
 require(input.length + 1 == vk.IC.length);
 // Compute the linear combination vk_x
 Pairing.G1Point memory vk_x = Pairing.G1Point(0, 0);
 for (uint i = 0; i < input.length; i++)
+ require(input[i] < snark_scalar_field);
 vk_x = Pairing.addition(vk_x, Pairing.scalar_mul(vk.IC[i + 1], input[i]));
 vk_x = Pairing.addition(vk_x, vk.IC[0]);
 if (!Pairing.pairingProd4(
diff --git a/templates/verifier_original.sol b/templates/verifier_original.sol
index addc9b0..a1c1672 100644
--- a/templates/verifier_original.sol
+++ b/templates/verifier_original.sol
@@ -183,11 +183,13 @@ contract Verifier {
 <%vk_ic_pts%>
 }
 function verify(uint[] memory input, Proof memory proof) internal view returns (uint) {
+ uint256 snark_scalar_field = 21888242871839275222246405745257275088548364400416034343698204186575808495617;
 VerifyingKey memory vk = verifyingKey();
 require(input.length + 1 == vk.IC.length,"verifier-bad-input");
 // Compute the linear combination vk_x
 Pairing.G1Point memory vk_x = Pairing.G1Point(0, 0);
 for (uint i = 0; i < input.length; i++)
+ require(input[i] < snark_scalar_field);
 vk_x = Pairing.addition(vk_x, Pairing.scalar_mul(vk.IC[i + 1], input[i]));
 vk_x = Pairing.addition(vk_x, vk.IC[0]);
 if (!Pairing.pairingProd2(proof.A, vk.A, Pairing.negate(proof.A_p), Pairing.P2())) return 1;