From d21ff081767e08593044d7613a47636f1013e7d0 Mon Sep 17 00:00:00 2001
From: Sean Bowe
Date: Mon, 5 Mar 2018 18:08:49 -0700
Subject: [PATCH] Group hash should use a first block containing random data as per spec.

---
 src/circuit/mod.rs | 4 ++--
 src/group_hash.rs | 5 +++++
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/circuit/mod.rs b/src/circuit/mod.rs
index 34fadfd..f057a83 100644
--- a/src/circuit/mod.rs
+++ b/src/circuit/mod.rs
@@ -515,7 +515,7 @@ fn test_input_circuit_with_bls12_381() {
         assert!(cs.is_satisfied());
         assert_eq!(cs.num_constraints(), 97395);
-        assert_eq!(cs.hash(), "29aee738a11546a94c3dde68cede66eebcf2b447104a199aab22bf571735092a");
+        assert_eq!(cs.hash(), "cdd3cde0a4e076b46a59ef85fb70369eb14e3ee921a06d88bad6be4f78b5f261");
     }
 }
@@ -553,6 +553,6 @@ fn test_output_circuit_with_bls12_381() {
         assert!(cs.is_satisfied());
         assert_eq!(cs.num_constraints(), 7827);
-        assert_eq!(cs.hash(), "155b1aaf4ed4abb1af67481c7e099adafd6a7edd097926b1f9f6b68b1cbe2742");
+        assert_eq!(cs.hash(), "67518baade37a3cf76453fa474cb8c9b2ee4223ed5502151e3b83dd1ec98a261");
     }
 }
diff --git a/src/group_hash.rs b/src/group_hash.rs
index 04faecb..7d04e36 100644
--- a/src/group_hash.rs
+++ b/src/group_hash.rs
@@ -2,6 +2,10 @@ use jubjub::*;
 use pairing::*;
 use blake2_rfc::blake2s::Blake2s;
+/// This is chosen to be some random string that we couldn't have anticipated when we designed
+/// the algorithm, for rigidity purposes.
+pub const FIRST_BLOCK: &'static [u8; 64] = b"0000000000000000002ffe76b973aabaff1d1557d79acf2c3795809c83caf580";
+
 /// Produces an (x, y) pair (Montgomery) for a
 /// random point in the Jubjub curve. The point
 /// is guaranteed to be prime order and not the
@@ -15,6 +19,7 @@ pub fn group_hash(
     assert!(E::Fr::NUM_BITS == 255);
     let mut h = Blake2s::new(32);
+    h.update(FIRST_BLOCK);
     h.update(tag);
     let mut h = h.finalize().as_ref().to_vec();
     assert!(h.len() == 32);
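Review bot: The doc comment on `FIRST_BLOCK` asserts the value is random data that could not have been anticipated, but it records nothing that lets a reader verify that claim, which is the whole point of a nothing-up-my-sleeve constant; the commit subject says "as per spec", yet neither the spec section nor the origin of the 64 ASCII hex characters is named. I would extend the comment to state the provenance and the encoding, because the byte-string literal is hashed as raw ASCII text rather than hex-decoded to 32 bytes and any other implementation must do exactly the same: `/// 64 ASCII bytes (one full BLAKE2s block) taken from <SOURCE — fill in>; see <SPEC SECTION — fill in>.` followed by `/// Hashed as the literal ASCII string, not hex-decoded; reimplementations must match this.` Minor style point: in a `const` the reference lifetime is implicitly `'static`, so `pub const FIRST_BLOCK: &[u8; 64] = ...` is sufficient and avoids clippy's `redundant_static_lifetimes` warning.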
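Review bot: `h.update(FIRST_BLOCK)` changes the BLAKE2s input of every point `group_hash` derives (the updated circuit digests in src/circuit/mod.rs show the knock-on effect), but the function's doc comment, which begins before this hunk, still describes only the tag-derived point and does not mention the fixed prefix. Anyone regenerating fixed generators or re-implementing the hash elsewhere needs the exact input layout, so I would add to the doc comment: `/// The hash input is FIRST_BLOCK followed by tag; changing either changes every derived generator,` and `/// so cached or externally computed generators must be regenerated.` The signature of `group_hash` and the rest of its body lie outside the hunk.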