Merge pull request #26 from kobigurk/fix/public_inputs_size

Ensures public inputs are less than the scalar field size
Jordi Baylina 2019-07-26 14:14:09 +02:00 committed by GitHub
commit 0349d90824
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 6 additions and 0 deletions


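--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -182,11 +182,13 @@ contract Verifier {
 <%vk_ic_pts%>
 }
 function verify(uint[] memory input, Proof memory proof) internal view returns (uint) {
+uint256 snark_scalar_field = 21888242871839275222246405745257275088548364400416034343698204186575808495617;
 VerifyingKey memory vk = verifyingKey();
 require(input.length + 1 == vk.IC.length,"verifier-bad-input");
 // Compute the linear combination vk_x
 Pairing.G1Point memory vk_x = Pairing.G1Point(0, 0);
 for (uint i = 0; i < input.length; i++)
+require(input[i] < snark_scalar_field);
 vk_x = Pairing.addition(vk_x, Pairing.scalar_mul(vk.IC[i + 1], input[i]));
 vk_x = Pairing.addition(vk_x, vk.IC[0]);
 if (!Pairing.pairingProd4(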
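Review bot: The `for` immediately above the new `require` has no braces, so in the new code the loop body is only `require(input[i] < snark_scalar_field);` and the following `vk_x = Pairing.addition(vk_x, Pairing.scalar_mul(vk.IC[i + 1], input[i]));` now executes once after the loop with `i == input.length`, where both `input[i]` and `vk.IC[i + 1]` are one past the end (the check above guarantees `vk.IC.length == input.length + 1`), so the out-of-bounds memory access reverts and no proof can verify. Wrap the body in braces — `for (uint i = 0; i < input.length; i++) {`, then the `require` and the `vk_x` assignment, then `}` — and for consistency with the `"verifier-bad-input"` reason string in this template give the new check one too, e.g. `require(input[i] < snark_scalar_field, "verifier-gte-snark-scalar-field");`. The same unbraced loop receives the same insertion in the other two file sections (the hunks at `@ -173,11 +173,13` and `@ -183,11 +183,13`), so the fix is needed in all three templates. The bound itself is the right defence: without it a public input `x` and `x + snark_scalar_field` produce the same linear combination and the verifier would accept both, which is what this PR sets out to close. `verify` continues past the end of the hunk.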


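--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -173,11 +173,13 @@ contract Verifier {
 <%vk_ic_pts%>
 }
 function verify(uint[] input, Proof proof) view internal returns (uint) {
+uint256 snark_scalar_field = 21888242871839275222246405745257275088548364400416034343698204186575808495617;
 VerifyingKey memory vk = verifyingKey();
 require(input.length + 1 == vk.IC.length);
 // Compute the linear combination vk_x
 Pairing.G1Point memory vk_x = Pairing.G1Point(0, 0);
 for (uint i = 0; i < input.length; i++)
+require(input[i] < snark_scalar_field);
 vk_x = Pairing.addition(vk_x, Pairing.scalar_mul(vk.IC[i + 1], input[i]));
 vk_x = Pairing.addition(vk_x, vk.IC[0]);
 if (!Pairing.pairingProd4(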


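--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -183,11 +183,13 @@ contract Verifier {
 <%vk_ic_pts%>
 }
 function verify(uint[] memory input, Proof memory proof) internal view returns (uint) {
+uint256 snark_scalar_field = 21888242871839275222246405745257275088548364400416034343698204186575808495617;
 VerifyingKey memory vk = verifyingKey();
 require(input.length + 1 == vk.IC.length,"verifier-bad-input");
 // Compute the linear combination vk_x
 Pairing.G1Point memory vk_x = Pairing.G1Point(0, 0);
 for (uint i = 0; i < input.length; i++)
+require(input[i] < snark_scalar_field);
 vk_x = Pairing.addition(vk_x, Pairing.scalar_mul(vk.IC[i + 1], input[i]));
 vk_x = Pairing.addition(vk_x, vk.IC[0]);
 if (!Pairing.pairingProd2(proof.A, vk.A, Pairing.negate(proof.A_p), Pairing.P2())) return 1;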