From 601e8e38f861a98102b4a81c4fb333dc190eddbf Mon Sep 17 00:00:00 2001
From: Sean Bowe
Date: Mon, 19 Mar 2018 18:06:44 -0600
Subject: [PATCH] Little-endian byte order interpretation of the output of CRH^ivk.
---
 src/circuit/sapling/mod.rs | 8 +++++---
 src/primitives/mod.rs | 3 +++
 2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/circuit/sapling/mod.rs b/src/circuit/sapling/mod.rs
index 159381f..4e2ea40 100644
--- a/src/circuit/sapling/mod.rs
+++ b/src/circuit/sapling/mod.rs
@@ -221,8 +221,10 @@ impl<'a, E: JubjubEngine> Circuit for Spend<'a, E> {
 constants::CRH_IVK_PERSONALIZATION
 )?;
- // Little endian bit order
- ivk.reverse();
+ // Swap bit-endianness in each byte
+ for ivk_byte in ivk.chunks_mut(8) {
+ ivk_byte.reverse();
+ }
 // drop_5 to ensure it's in the field
 ivk.truncate(E::Fs::CAPACITY as usize);
@@ -621,7 +623,7 @@ fn test_input_circuit_with_bls12_381() {
 assert!(cs.is_satisfied());
 assert_eq!(cs.num_constraints(), 98776);
- assert_eq!(cs.hash(), "ba8b2232a910b00399e90030c87c16a770e6e692fe3b4316675bdd7795df6e50");
+ assert_eq!(cs.hash(), "8211d52b5ad2618b2f8106c7c3f9ab213f6206e3ddbbb39e786167de5ea85dc3");
 assert_eq!(cs.num_inputs(), 8);
 assert_eq!(cs.get_input(0, "ONE"), Fr::one());
diff --git a/src/primitives/mod.rs b/src/primitives/mod.rs
index d631eea..825aed5 100644
--- a/src/primitives/mod.rs
+++ b/src/primitives/mod.rs
@@ -96,6 +96,9 @@ impl ViewingKey {
 h.update(&preimage);
 let mut h = h.finalize().as_ref().to_vec();
+ // Reverse the bytes to interpret it in little-endian byte order
+ h.reverse();
+
 // Drop the first five bits, so it can be interpreted as a scalar.
 h[0] &= 0b0000_0111;
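Review bot: The new `for ivk_byte in ivk.chunks_mut(8)` loop silently assumes `ivk.len()` is a multiple of 8; if it were not, `chunks_mut` would hand the loop a shorter final chunk that gets reversed as though it were a whole byte, yielding a wrong ivk with no error. Because this bit vector must encode the same integer as the byte-level derivation changed in `src/primitives/mod.rs` in this same patch, a guard such as `debug_assert_eq!(ivk.len() % 8, 0, "hash output must be whole bytes");` before the loop makes that assumption explicit and cheap to check. The comment could also name the order the loop actually establishes, e.g. `// Reverse bit order within each 8-bit chunk; chunk (byte) order is unchanged`, since "swap bit-endianness" alone does not say that bytes stay in output order. How the truncated vector is packed into a field element happens after this hunk, so I cannot confirm it matches the primitives' byte order; the enclosing method begins before and continues past this hunk.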
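Review bot: The updated `cs.hash()` expectation in `test_input_circuit_with_bls12_381` pins the constraint-system layout, which catches unintended circuit changes, but it does not by itself establish that the in-circuit ivk now agrees with `ViewingKey` in `src/primitives/mod.rs`, which is the property this commit is about. If the assertions following this hunk do not already compare a value derived from ivk against the primitives implementation, a direct equality check between the packed in-circuit ivk and the primitives-computed ivk would make an endianness regression fail with a readable message instead of an opaque digest change. The test function starts before this hunk and continues past it.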
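Review bot: After the new `h.reverse()`, the existing comment `// Drop the first five bits, so it can be interpreted as a scalar.` on the next line no longer says which end of the integer is being masked: `h[0]` is now the last byte of the BLAKE2s output, which is the most significant byte under the little-endian interpretation the new comment describes, and `0b0000_0111` clears its five high bits. Clarify it as `// Drop the five most significant bits (the high bits of h[0] after the reversal) so the value fits in the scalar field.` so a later reader does not take "first" to mean the low-order end. The same result with one fewer pass over the buffer would come from masking `h[31]` and reading the bytes little-endian directly, but how `h` is consumed happens after this hunk, so I cannot confirm that is equivalent here; the method continues past this hunk.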