From c1784f0fdf2870ad0475d4fd59f93639fe391e3f Mon Sep 17 00:00:00 2001
From: Sean Bowe
Date: Fri, 9 Mar 2018 14:08:01 -0700
Subject: [PATCH] Check g_d is not small order in Spend circuit.

---
 src/circuit/mod.rs | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/src/circuit/mod.rs b/src/circuit/mod.rs
index 828fa31..f12ad9e 100644
--- a/src/circuit/mod.rs
+++ b/src/circuit/mod.rs
@@ -233,8 +233,6 @@ impl<'a, E: JubjubEngine> Circuit for Spend<'a, E> {
 // manages to witness a commitment in the
 // tree, then the Output circuit would have
 // already guaranteed this.
-// TODO: We might as well just perform the
-// check again here, since it's not expensive.
 let g_d = {
 // This binding is to avoid a weird edge case in Rust's
 // ownership/borrowing rules. self is partially moved
@@ -250,6 +248,12 @@ impl<'a, E: JubjubEngine> Circuit for Spend<'a, E> {
 )?
 };
 
+// Check that g_d is not small order. Technically, this check
+// is already done in the Output circuit, and this proof ensures
+// g_d is bound to a product of that check, but for defense in
+// depth let's check it anyway. It's cheap.
+g_d.assert_not_small_order(cs.namespace(|| "g_d not small order"), self.params)?;
+
 // Compute pk_d = g_d^ivk
 let pk_d = g_d.mul(
 cs.namespace(|| "compute pk_d"),
@@ -623,8 +627,8 @@ fn test_input_circuit_with_bls12_381() {
 instance.synthesize(&mut cs).unwrap();
 
 assert!(cs.is_satisfied());
-assert_eq!(cs.num_constraints(), 101550);
-assert_eq!(cs.hash(), "3cc6d9383ca882ae3666267618e826e9d51a3177fc89ef6d42d9f63b84179f77");
+assert_eq!(cs.num_constraints(), 101566);
+assert_eq!(cs.hash(), "e3d226975c99e17ef30f5a4b7e87d355ef3dbd80eed0c8de43780f3028946d82");
 
 let expected_value_cm = value_commitment.cm(params).into_xy();
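Review bot: The new comment above `g_d.assert_not_small_order` in the -250 hunk is hard to follow ("this proof ensures g_d is bound to a product of that check"), and the surviving comment a few lines earlier in the -233 hunk still says the Output circuit "would have already guaranteed this", so the rationale is now stated twice in two different ways. I would merge them into one statement at the check site, along the lines of `// Check that g_d is not small order. The Output circuit already enforces this for any` / `// note committed into the tree, so this is defense in depth; it costs 16 constraints.` — the 16 is the delta the test hunk pins (101550 → 101566). Placing the check before `g_d.mul(...)` is the right order, since a small-order g_d is rejected before it can reach the pk_d computation. The enclosing `synthesize` body starts and ends outside these hunks.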