From 2cf8782e91cd194a2b62b791fca7a5c3cf05c7e8 Mon Sep 17 00:00:00 2001
From: Ben Edgington
Date: Wed, 23 Jun 2021 11:51:50 +0100
Subject: [PATCH] Add length check for polynomial commitment
---
 src/fk20_proofs_test.c | 6 +++---
 src/kzg_proofs.c | 10 +++++++---
 src/kzg_proofs.h | 2 +-
 src/kzg_proofs_bench.c | 2 +-
 src/kzg_proofs_test.c | 28 +++++++++++++++++++++++++---
 5 files changed, 37 insertions(+), 11 deletions(-)
diff --git a/src/fk20_proofs_test.c b/src/fk20_proofs_test.c
index 79cb868..b98c788 100644
--- a/src/fk20_proofs_test.c
+++ b/src/fk20_proofs_test.c
@@ -52,7 +52,7 @@ void fk_single(void) {
 TEST_CHECK(C_KZG_OK == new_fk20_single_settings(&fk, 2 * poly_len, &ks));
 // Commit to the polynomial
- commit_to_poly(&commitment, &p, &ks);
+ TEST_CHECK(C_KZG_OK == commit_to_poly(&commitment, &p, &ks));
 // 1. First with `da_using_fk20_single`
@@ -125,7 +125,7 @@ void fk_single_strided(void) {
 TEST_CHECK(C_KZG_OK == new_fk20_single_settings(&fk, 2 * poly_len, &ks));
 // Commit to the polynomial
- commit_to_poly(&commitment, &p, &ks);
+ TEST_CHECK(C_KZG_OK == commit_to_poly(&commitment, &p, &ks));
 // Generate the proofs
 TEST_CHECK(da_using_fk20_single(all_proofs, &p, &fk) == C_KZG_OK);
@@ -211,7 +211,7 @@ void fk_multi_0(void) {
 fr_negate(&p.coeffs[i * chunk_len + 14], &p.coeffs[i * chunk_len + 14]);
 }
- commit_to_poly(&commitment, &p, &ks);
+ TEST_CHECK(C_KZG_OK == commit_to_poly(&commitment, &p, &ks));
 // Compute the multi proofs, assuming that the polynomial will be extended with zeros
 TEST_CHECK(C_KZG_OK == new_g1_array(&all_proofs, 2 * chunk_count));
diff --git a/src/kzg_proofs.c b/src/kzg_proofs.c
index 6e2e695..a600be8 100644
--- a/src/kzg_proofs.c
+++ b/src/kzg_proofs.c
@@ -35,9 +35,13 @@
 * @param[out] out The commitment to the polynomial, in the form of a G1 group point
 * @param[in] p The polynomial to be committed to
 * @param[in] ks The settings containing the secrets, previously initialised with #new_kzg_settings
+ * @retval C_CZK_OK All is well
+ * @retval C_CZK_BADARGS Invalid parameters were supplied
 */
-void commit_to_poly(g1_t *out, const poly *p, const KZGSettings *ks) {
+C_KZG_RET commit_to_poly(g1_t *out, const poly *p, const KZGSettings *ks) {
+ CHECK(p->length <= ks->length);
 g1_linear_combination(out, ks->secret_g1, p->coeffs, p->length);
+ return C_KZG_OK;
 }
 /**
@@ -122,7 +126,7 @@ C_KZG_RET compute_proof_multi(g1_t *out, const poly *p, const fr_t *x0, uint64_t
 // Calculate q = p / (x^n - x0^n)
 TRY(new_poly_long_div(&q, p, &divisor));
- commit_to_poly(out, &q, ks);
+ TRY(commit_to_poly(out, &q, ks));
 free_poly(&q);
 free_poly(&divisor);
@@ -177,7 +181,7 @@ C_KZG_RET check_proof_multi(bool *out, const g1_t *commitment, const g1_t *proof
 g2_sub(&xn_minus_yn, &ks->secret_g2[n], &xn2);
 // [interpolation_polynomial(s)]_1
- commit_to_poly(&is1, &interp, ks);
+ TRY(commit_to_poly(&is1, &interp, ks));
 // [commitment - interpolation_polynomial(s)]_1 = [commit]_1 - [interpolation_polynomial(s)]_1
 g1_sub(&commit_minus_interp, commitment, &is1);
diff --git a/src/kzg_proofs.h b/src/kzg_proofs.h
index 1bf8308..c13a58e 100644
--- a/src/kzg_proofs.h
+++ b/src/kzg_proofs.h
@@ -31,7 +31,7 @@ typedef struct {
 uint64_t length; /**< The number of elements in secret_g1 and secret_g2 */
 } KZGSettings;
-void commit_to_poly(g1_t *out, const poly *p, const KZGSettings *ks);
+C_KZG_RET commit_to_poly(g1_t *out, const poly *p, const KZGSettings *ks);
 C_KZG_RET compute_proof_single(g1_t *out, const poly *p, const fr_t *x0, const KZGSettings *ks);
 C_KZG_RET check_proof_single(bool *out, const g1_t *commitment, const g1_t *proof, const fr_t *x, fr_t *y, const KZGSettings *ks);
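Review bot: The two added `@retval` lines in the `commit_to_poly` doc comment name `C_CZK_OK` and `C_CZK_BADARGS`, while the code and tests in this patch use `C_KZG_OK` and `C_KZG_BADARGS`; the second line could read `@retval C_KZG_BADARGS The polynomial has more coefficients than @p ks has secret G1 points`. The new `CHECK(p->length <= ks->length);` is what stops `g1_linear_combination` from reading past `ks->secret_g1`, and a short comment on that line saying so would keep the guard from being removed later, e.g. `// secret_g1 holds ks->length points; reject longer polynomials instead of reading past it`. It is also worth documenting that `out` is presumably left unwritten when the check fails, since callers could previously assume it was always set. The doc comment opens above the hunk.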
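Review bot: In `compute_proof_multi`, `TRY(commit_to_poly(out, &q, ks));` now sits ahead of `free_poly(&q); free_poly(&divisor);`, so if `TRY` returns on a non-OK result (as its use on `new_poly_long_div` suggests) both polynomials leak on the new error path. Capture the result first with `C_KZG_RET ret = commit_to_poly(out, &q, ks);`, run the two `free_poly` calls, and only then `if (ret != C_KZG_OK) return ret;`. The `TRY` added in `check_proof_multi` has the same shape; whether `interp` needs releasing there cannot be seen because that function's cleanup lies outside its hunk. `compute_proof_multi` itself starts and ends outside this hunk.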
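Review bot: In `check_proof_multi`, `&ks->secret_g2[n]` on the context line above the changed call indexes the G2 setup array with no visible comparison of `n` against `ks->length`, which is the same kind of over-read this commit closes for `secret_g1`. The header documents `length` as the element count of both `secret_g1` and `secret_g2`, so index `n` needs `n < ks->length`. If the part of the function outside the hunk has no such guard, add `CHECK(n < ks->length);` before the `g2_sub` call, with a comment noting it bounds the `secret_g2` lookup.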
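Review bot: The `commit_to_poly` prototype in `kzg_proofs.h` changes from `void` to `C_KZG_RET`, so any call site that still ignores the result keeps compiling, and such a caller would go on to use a `g1_t` that may never have been written when the length check fails. Consider marking the prototype so the compiler reports ignored results, e.g. `__attribute__((warn_unused_result))` on GCC/Clang, and add a one-line comment above it stating that `out` is only valid when `C_KZG_OK` is returned. Call sites outside this patch, if there are any, are not visible here.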
diff --git a/src/kzg_proofs_bench.c b/src/kzg_proofs_bench.c
index 8fac96d..56f272a 100644
--- a/src/kzg_proofs_bench.c
+++ b/src/kzg_proofs_bench.c
@@ -48,7 +48,7 @@ long run_bench(int scale, int max_seconds) {
 g1_t commitment;
 clock_gettime(CLOCK_REALTIME, &t0);
- commit_to_poly(&commitment, &p, &ks);
+ assert(C_KZG_OK == commit_to_poly(&commitment, &p, &ks));
 clock_gettime(CLOCK_REALTIME, &t1);
 nits++;
diff --git a/src/kzg_proofs_test.c b/src/kzg_proofs_test.c
index aafed35..83c0267 100644
--- a/src/kzg_proofs_test.c
+++ b/src/kzg_proofs_test.c
@@ -46,7 +46,7 @@ void proof_single(void) {
 // Compute the proof for x = 25
 fr_from_uint64(&x, 25);
- commit_to_poly(&commitment, &p, &ks);
+ TEST_CHECK(C_KZG_OK == commit_to_poly(&commitment, &p, &ks));
 TEST_CHECK(C_KZG_OK == compute_proof_single(&proof, &p, &x, &ks));
 eval_poly(&value, &p, &x);
@@ -97,7 +97,7 @@ void proof_multi(void) {
 TEST_CHECK(C_KZG_OK == new_kzg_settings(&ks1, s1, s2, secrets_len, &fs1));
 // Commit to the polynomial
- commit_to_poly(&commitment, &p, &ks1);
+ TEST_CHECK(C_KZG_OK == commit_to_poly(&commitment, &p, &ks1));
 TEST_CHECK(C_KZG_OK == new_fft_settings(&fs2, coset_scale));
 TEST_CHECK(C_KZG_OK == new_kzg_settings(&ks2, s1, s2, secrets_len, &fs2));
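Review bot: In `run_bench`, `assert(C_KZG_OK == commit_to_poly(&commitment, &p, &ks));` places the measured call inside `assert`, so a build with `NDEBUG` defined removes the call altogether and the loop times nothing. Keep the call unconditional with `C_KZG_RET ret = commit_to_poly(&commitment, &p, &ks);` between the two `clock_gettime` calls, then `assert(ret == C_KZG_OK);` after `t1` is taken so the check also stays out of the timed region. Whether `<assert.h>` is already included in this file is not visible in the hunk, and `run_bench` continues outside it.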
@@ -143,17 +143,39 @@ void commit_to_nil_poly(void) {
 TEST_CHECK(C_KZG_OK == new_kzg_settings(&ks, s1, s2, secrets_len, &fs));
 new_poly(&a, 0);
- commit_to_poly(&result, &a, &ks);
+ TEST_CHECK(C_KZG_OK == commit_to_poly(&result, &a, &ks));
 TEST_CHECK(g1_equal(&g1_identity, &result));
 free_fft_settings(&fs);
 free_kzg_settings(&ks);
 }
+void commit_to_too_long_poly(void) {
+ poly a;
+ FFTSettings fs;
+ KZGSettings ks;
+ uint64_t poly_len = 32, secrets_len = 16; // poly is longer than secrets!
+ g1_t s1[secrets_len];
+ g2_t s2[secrets_len];
+ g1_t result;
+
+ // Initialise the (arbitrary) secrets and data structures
+ generate_trusted_setup(s1, s2, &secret, secrets_len);
+ TEST_CHECK(C_KZG_OK == new_fft_settings(&fs, 4));
+ TEST_CHECK(C_KZG_OK == new_kzg_settings(&ks, s1, s2, secrets_len, &fs));
+
+ new_poly(&a, poly_len);
+ TEST_CHECK(C_KZG_BADARGS == commit_to_poly(&result, &a, &ks));
+
+ free_fft_settings(&fs);
+ free_kzg_settings(&ks);
+}
+
 TEST_LIST = {
 {"KZG_PROOFS_TEST", title},
 {"proof_single", proof_single},
 {"proof_multi", proof_multi},
 {"commit_to_nil_poly", commit_to_nil_poly},
+ {"commit_to_too_long_poly", commit_to_too_long_poly},
 {NULL, NULL} /* zero record marks the end of the list */
 };
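Review bot: The new `commit_to_too_long_poly` test never releases `a`: `new_poly(&a, poly_len);` has no matching `free_poly(&a);` before the two `free_*_settings` calls, and its result is not checked the way the neighbouring setup calls are. If `new_poly` returns a status, prefer `TEST_CHECK(C_KZG_OK == new_poly(&a, poly_len));`, and add `free_poly(&a);` at the end of the test. The test also only exercises 32 coefficients against 16 secrets; because the guard is `p->length <= ks->length`, cases at exactly `secrets_len` (accepted, with coefficients initialised) and `secrets_len + 1` (rejected) would pin the boundary and catch an off-by-one in the check.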