Additional well-formedness check for G2 elements #1938
Conversation
|
ut(ACK+cov). I have not checked the libsnark parameters satisfy the intended definitions. |
|
Looks good! |
|
|
@zkbot r+ |
|
📌 Commit c4fce3f has been approved by |
Additional well-formedness check for G2 elements libsnark currently checks that G<sub>1</sub> and G<sub>2</sub> elements are well-formed by ensuring that they satisfy their respective curve equations, and although this is enough for G<sub>1</sub> (which is instantiated as an order r curve E/F<sub>p</sub>: y^2 = x^3 + b), G<sub>2</sub> is the order r *subgroup* of the composite order r(2q-r) curve E'/Fp<sup>2</sup>: y^2 = x^3 + b/e constructed via a sextic twisting isomorphism. This means we need to ensure these points are order r as well. None of the proofs on the Zcash blockchain violate this check, and it may not even be possible for them to violate this check (bilinearity is not preserved). Let's be cautious and do it anyway.
|
☀️ Test successful - zcash |
| if (alt_bn128_modulus_r * r != curve_G2::zero()) { | ||
| throw std::runtime_error("point is not in G2"); | ||
| } | ||
|
|
There was a problem hiding this comment.
Should is_well_formed include this check, rather than making it separately?
There was a problem hiding this comment.
I think so, though when/if libsnark changes those semantics we'll need to make sure we go through our codebase and understand the implications and assumptions broken by it.
There was a problem hiding this comment.
This check is now included in the protocol spec (2016.0-beta-1.11): zcash/zips@c791075
There was a problem hiding this comment.
Except that I described it incorrectly in the spec. The check itself is correct. Will fix the spec.
|
ut(ACK+cov) |
libsnark currently checks that G1 and G2 elements are well-formed by ensuring that they satisfy their respective curve equations, and although this is enough for G1 (which is instantiated as an order r curve E/Fp: y^2 = x^3 + b), G2 is the order r subgroup of the composite order r(2q-r) curve E'/Fp2: y^2 = x^3 + b/e constructed via a sextic twisting isomorphism. This means we need to ensure these points are order r as well.
None of the proofs on the Zcash blockchain violate this check, and it may not even be possible for them to violate this check (bilinearity is not preserved). Let's be cautious and do it anyway.