Additional well-formedness check for G2 elements #1938
Conversation
ut(ACK+cov). I have not checked the libsnark parameters satisfy the intended definitions.
Looks good!
ut(ACK+cov) (for benefit of the new review system)
@zkbot r+
📌 Commit c4fce3f has been approved by
libsnark currently checks that G1 and G2 elements are well-formed by ensuring that they satisfy their respective curve equations, and although this is enough for G1 (which is instantiated as an order r curve E/F_p: y^2 = x^3 + b), G2 is the order r *subgroup* of the composite order r(2q-r) curve E'/F_p²: y^2 = x^3 + b/e constructed via a sextic twisting isomorphism. This means we need to ensure these points are order r as well.

None of the proofs on the Zcash blockchain violate this check, and it may not even be possible for them to violate this check (bilinearity is not preserved). Let's be cautious and do it anyway.
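A toy illustration of the point made in the description, added here and not part of the PR or of libsnark: on a constructed small curve y^2 = x^3 + 3 over F_101 (group order 102 = 2·3·17, with r = 17 standing in for the prime subgroup order), every one of the 102 points passes the curve-equation check, but only the 17 points with [r]P = O pass the added subgroup check. All parameters and function names are constructed for this example; the real alt_bn128 G2 check in the PR is the same `[r]P == O` test over F_{p^2}.

```python
# Constructed toy curve (NOT alt_bn128): y^2 = x^3 + B over F_101. Since 101 is 2 mod 3,
# cubing is a bijection on the field and the curve has exactly 102 = 2 * 3 * 17 points.
P_MOD, B = 101, 3
R = 17          # prime order of the subgroup we require membership in
INF = None      # point at infinity

def on_curve(pt):
    """Curve-equation check only (what libsnark did for G2 before this PR)."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + B)) % P_MOD == 0

def add(p1, p2):
    """Affine point addition on the toy curve (a = 0, so doubling uses 3x^2 / 2y)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                      # P + (-P); also covers doubling a 2-torsion point
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def scalar_mul(k, pt):                  # double-and-add [k]pt
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def in_prime_subgroup(pt):
    """The added check: on the curve AND [R]pt == O (cf. alt_bn128_modulus_r * r != zero())."""
    return on_curve(pt) and scalar_mul(R, pt) is INF

def all_curve_points():
    """Brute-force enumeration of every point satisfying the curve equation."""
    return [INF] + [(x, y) for x in range(P_MOD) for y in range(P_MOD) if on_curve((x, y))]

def audit():
    pts = all_curve_points()   # accepted by curve equation only vs. with the subgroup check
    return len(pts), sum(1 for q in pts if in_prime_subgroup(q))
```

`audit()` returns `(102, 17)`: 85 points satisfy the curve equation yet lie outside the order-17 subgroup, which is exactly the class of input the new check rejects.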
☀️ Test successful - zcash
```cpp
// reject G2 points that satisfy the twist curve equation but are not in the order-r subgroup
if (alt_bn128_modulus_r * r != curve_G2::zero()) {
    throw std::runtime_error("point is not in G2");
}
```
Should `is_well_formed` include this check, rather than making it separately?
I think so, though when/if libsnark changes those semantics we'll need to make sure we go through our codebase and understand the implications and assumptions broken by it.
This check is now included in the protocol spec (2016.0-beta-1.11): zcash/zips@c791075
Except that I described it incorrectly in the spec. The check itself is correct. Will fix the spec.
ut(ACK+cov)