aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authormoneromooo-monero <moneromooo-monero@users.noreply.github.com>2018-07-24 19:56:48 +0100
committermoneromooo-monero <moneromooo-monero@users.noreply.github.com>2018-09-11 13:38:08 +0000
commitfe0fa3b9c5098ae61f9c60ddc9f1f3dd5b008ec6 (patch)
tree8328ae0ee04d78d75e743dae24c0e70752aa477f
parentv8: per byte fee, pad bulletproofs, fixed 11 ring size (diff)
downloadmonero-fe0fa3b9c5098ae61f9c60ddc9f1f3dd5b008ec6.tar.xz
bulletproofs: reject x, y, z, or w[i] being zero
Also try again when we're generate a proof with those characteristics Reported by QuarksLab.
Diffstat (limited to '')
-rw-r--r--src/ringct/bulletproofs.cc65
1 files changed, 63 insertions, 2 deletions
diff --git a/src/ringct/bulletproofs.cc b/src/ringct/bulletproofs.cc
index d3822c454..3f4a6fd10 100644
--- a/src/ringct/bulletproofs.cc
+++ b/src/ringct/bulletproofs.cc
@@ -473,6 +473,7 @@ Bulletproof bulletproof_PROVE(const rct::key &sv, const rct::key &gamma)
CHECK_AND_ASSERT_THROW_MES(test_aR == v_test, "test_aR failed");
#endif
+try_again:
PERF_TIMER_START_BP(PROVE_step1);
// PAPER LINES 38-39
rct::key alpha = rct::skGen();
@@ -489,7 +490,19 @@ Bulletproof bulletproof_PROVE(const rct::key &sv, const rct::key &gamma)
// PAPER LINES 43-45
rct::key y = hash_cache_mash(hash_cache, A, S);
+ if (y == rct::zero())
+ {
+ PERF_TIMER_STOP(PROVE_step1);
+ MINFO("y is 0, trying again");
+ goto try_again;
+ }
rct::key z = hash_cache = rct::hash_to_scalar(y);
+ if (z == rct::zero())
+ {
+ PERF_TIMER_STOP(PROVE_step1);
+ MINFO("z is 0, trying again");
+ goto try_again;
+ }
// Polynomial construction before PAPER LINE 46
rct::key t0 = rct::zero();
@@ -552,6 +565,12 @@ Bulletproof bulletproof_PROVE(const rct::key &sv, const rct::key &gamma)
// PAPER LINES 49-51
rct::key x = hash_cache_mash(hash_cache, z, T1, T2);
+ if (x == rct::zero())
+ {
+ PERF_TIMER_STOP(PROVE_step2);
+ MINFO("x is 0, trying again");
+ goto try_again;
+ }
// PAPER LINES 52-53
rct::key taux = rct::zero();
@@ -625,6 +644,12 @@ Bulletproof bulletproof_PROVE(const rct::key &sv, const rct::key &gamma)
// PAPER LINES 21-22
w[round] = hash_cache_mash(hash_cache, L[round], R[round]);
+ if (w[round] == rct::zero())
+ {
+ PERF_TIMER_STOP(PROVE_step4);
+ MINFO("w[round] is 0, trying again");
+ goto try_again;
+ }
// PAPER LINES 24-25
const rct::key winv = invert(w[round]);
@@ -713,8 +738,6 @@ Bulletproof bulletproof_PROVE(const rct::keyV &sv, const rct::keyV &gamma)
}
PERF_TIMER_STOP(PROVE_aLaR);
- rct::key hash_cache = rct::hash_to_scalar(V);
-
// DEBUG: Test to ensure this recovers the value
#ifdef DEBUG_BP
for (size_t j = 0; j < M; ++j)
@@ -735,6 +758,9 @@ Bulletproof bulletproof_PROVE(const rct::keyV &sv, const rct::keyV &gamma)
}
#endif
+try_again:
+ rct::key hash_cache = rct::hash_to_scalar(V);
+
PERF_TIMER_START_BP(PROVE_step1);
// PAPER LINES 38-39
rct::key alpha = rct::skGen();
@@ -751,7 +777,19 @@ Bulletproof bulletproof_PROVE(const rct::keyV &sv, const rct::keyV &gamma)
// PAPER LINES 43-45
rct::key y = hash_cache_mash(hash_cache, A, S);
+ if (y == rct::zero())
+ {
+ PERF_TIMER_STOP(PROVE_step1);
+ MINFO("y is 0, trying again");
+ goto try_again;
+ }
rct::key z = hash_cache = rct::hash_to_scalar(y);
+ if (z == rct::zero())
+ {
+ PERF_TIMER_STOP(PROVE_step1);
+ MINFO("z is 0, trying again");
+ goto try_again;
+ }
// Polynomial construction by coefficients
const auto zMN = vector_dup(z, MN);
@@ -799,6 +837,12 @@ Bulletproof bulletproof_PROVE(const rct::keyV &sv, const rct::keyV &gamma)
// PAPER LINES 49-51
rct::key x = hash_cache_mash(hash_cache, z, T1, T2);
+ if (x == rct::zero())
+ {
+ PERF_TIMER_STOP(PROVE_step2);
+ MINFO("x is 0, trying again");
+ goto try_again;
+ }
// PAPER LINES 52-53
rct::key taux;
@@ -835,6 +879,12 @@ Bulletproof bulletproof_PROVE(const rct::keyV &sv, const rct::keyV &gamma)
// PAPER LINES 32-33
rct::key x_ip = hash_cache_mash(hash_cache, x, taux, mu, t);
+ if (x_ip == rct::zero())
+ {
+ PERF_TIMER_STOP(PROVE_step3);
+ MINFO("x_ip is 0, trying again");
+ goto try_again;
+ }
// These are used in the inner product rounds
size_t nprime = MN;
@@ -879,6 +929,12 @@ Bulletproof bulletproof_PROVE(const rct::keyV &sv, const rct::keyV &gamma)
// PAPER LINES 21-22
w[round] = hash_cache_mash(hash_cache, L[round], R[round]);
+ if (w[round] == rct::zero())
+ {
+ PERF_TIMER_STOP(PROVE_step4);
+ MINFO("w[round] is 0, trying again");
+ goto try_again;
+ }
// PAPER LINES 24-25
const rct::key winv = invert(w[round]);
@@ -985,9 +1041,13 @@ bool bulletproof_VERIFY(const std::vector<const Bulletproof*> &proofs)
PERF_TIMER_START_BP(VERIFY_start);
rct::key hash_cache = rct::hash_to_scalar(proof.V);
rct::key y = hash_cache_mash(hash_cache, proof.A, proof.S);
+ CHECK_AND_ASSERT_MES(!(y == rct::zero()), false, "y == 0");
rct::key z = hash_cache = rct::hash_to_scalar(y);
+ CHECK_AND_ASSERT_MES(!(z == rct::zero()), false, "z == 0");
rct::key x = hash_cache_mash(hash_cache, z, proof.T1, proof.T2);
+ CHECK_AND_ASSERT_MES(!(x == rct::zero()), false, "x == 0");
rct::key x_ip = hash_cache_mash(hash_cache, x, proof.taux, proof.mu, proof.t);
+ CHECK_AND_ASSERT_MES(!(x_ip == rct::zero()), false, "x_ip == 0");
PERF_TIMER_STOP(VERIFY_start);
PERF_TIMER_START_BP(VERIFY_line_61);
@@ -1082,6 +1142,7 @@ bool bulletproof_VERIFY(const std::vector<const Bulletproof*> &proofs)
for (size_t i = 0; i < rounds; ++i)
{
w[i] = hash_cache_mash(hash_cache, proof.L[i], proof.R[i]);
+ CHECK_AND_ASSERT_MES(!(w[i] == rct::zero()), false, "w[i] == 0");
}
PERF_TIMER_STOP(VERIFY_line_21_22);