
Grootle verification hardening (#1387)
AaronFeickert authored Jan 15, 2024
1 parent 33c8759 commit 34bd5ff
Showing 1 changed file with 22 additions and 0 deletions.
22 changes: 22 additions & 0 deletions src/libspark/grootle.cpp
Expand Up @@ -281,6 +281,11 @@ void Grootle::prove(
for (std::size_t k = 0; k < S_offset.size(); k++) {
S_offset[k] += S1_inverse;
V_offset[k] += V1_inverse;

// Neither should be zero
if (S_offset[k].isInfinity() || V_offset[k].isInfinity()) {
throw std::invalid_argument("Commitment offset should not be zero");
}
}

// Generate masks
Expand Down Expand Up @@ -337,6 +342,9 @@ void Grootle::prove(

Scalar x_powers(uint64_t(1));
for (std::size_t j = 0; j < m; ++j) {
if (x_powers.isZero()) {
throw std::runtime_error("Challenge power is zero");
}
sumS += (rho_S[j] * x_powers);
sumV += (rho_V[j] * x_powers);
x_powers *= x;
Expand Down Expand Up @@ -405,6 +413,16 @@ bool Grootle::verify(
return false;
}

// Check for zero inputs
for (std::size_t t = 0; t < S1.size(); t++) {
for (std::size_t i = 0; i < S.size(); i++) {
if (S[i] == S1[t] || V[i] == V1[t]) {
LogPrintf("Invalid offset commitment");
return false;
}
}
}

// Check proof semantics
for (std::size_t t = 0; t < M; t++) {
GrootleProof proof = proofs[t];
Expand Down Expand Up @@ -542,6 +560,10 @@ bool Grootle::verify(
// (X), (X1)
x_powers = Scalar(uint64_t(1));
for (std::size_t j = 0; j < m; j++) {
if (x_powers.isZero()) {
LogPrintf("Challenge power is zero");
return false;
}
points.emplace_back(proof.X[j] + proof.X1[j] * bind_weight);
scalars.emplace_back(x_powers.negate() * w2);
x_powers *= x;
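Review bot: The new zero-input check in `Grootle::verify` (third hunk) indexes `V1[t]` with `t` bounded by `S1.size()`, so unless an earlier check already guarantees `S1.size() == V1.size()` it reads past the end of `V1` when the two offset vectors differ in length; the preceding `return false` at the top of that hunk is cut off, so I cannot tell whether that size check exists. If it does not, guard before the loop with `if (S1.size() != V1.size()) { LogPrintf("Mismatched offset commitment sets"); return false; }`, which keeps the rejection path consistent with the other verifier checks. The comparison `S[i] == S1[t]` is equivalent to the prover's `S_offset[k].isInfinity()` test, so the two sides agree on what a zero offset means. The `x_powers.isZero()` test in the last hunk can only trigger when the challenge `x` itself is zero (it starts at 1 and is multiplied by `x`), so a single `if (x.isZero())` check after the challenge is derived would express the intent more directly than a per-iteration test; `verify`'s body starts and ends outside these hunks.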
