feat: revert early in verifier contract for malformed proof inputs #4453

Merged
merged 7 commits into from
Feb 6, 2024
81 changes: 64 additions & 17 deletions barretenberg/cpp/src/barretenberg/dsl/acir_proofs/contract.hpp
Expand Up @@ -264,6 +264,7 @@ abstract contract BaseUltraVerifier {
uint256 internal constant NU_CHALLENGE_INPUT_LOC_C = 0x37e0;

bytes4 internal constant INVALID_VERIFICATION_KEY_SELECTOR = 0x7e5769bf;
bytes4 internal constant POINT_NOT_ON_CURVE_SELECTOR = 0xa3dad654;
bytes4 internal constant PUBLIC_INPUT_INVALID_BN128_G1_POINT_SELECTOR = 0xeba9f4a6;
bytes4 internal constant PUBLIC_INPUT_GE_P_SELECTOR = 0x374a972f;
bytes4 internal constant MOD_EXP_FAILURE_SELECTOR = 0xf894a7bc;
Expand Down Expand Up @@ -294,6 +295,7 @@ abstract contract BaseUltraVerifier {
uint256 internal constant GRUMPKIN_CURVE_B_PARAMETER_NEGATED = 17;

error INVALID_VERIFICATION_KEY();
error POINT_NOT_ON_CURVE();
error PUBLIC_INPUT_COUNT_INVALID(uint256 expected, uint256 actual);
error PUBLIC_INPUT_INVALID_BN128_G1_POINT();
error PUBLIC_INPUT_GE_P();
Expand Down Expand Up @@ -1929,7 +1931,10 @@ abstract contract BaseUltraVerifier {
let y := mload(T1_Y_LOC)
let xx := mulmod(x, x, q)
// validate on curve
success := eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))
if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) {
mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR)
revert(0x00, 0x04)
}
mstore(ACCUMULATOR_X_LOC, x)
mstore(add(ACCUMULATOR_X_LOC, 0x20), y)
}
Expand All @@ -1939,13 +1944,16 @@ abstract contract BaseUltraVerifier {
let y := mload(T2_Y_LOC) // 0x1420
let xx := mulmod(x, x, q)
// validate on curve
success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q)))
if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) {
mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR)
revert(0x00, 0x04)
}
mstore(0x00, x)
mstore(0x20, y)
}
mstore(0x40, mload(ZETA_POW_N_LOC))
// accumulator_2 = [T2].zeta^n
success := and(success, staticcall(gas(), 7, 0x00, 0x60, ACCUMULATOR2_X_LOC, 0x40))
success := staticcall(gas(), 7, 0x00, 0x60, ACCUMULATOR2_X_LOC, 0x40)
// accumulator = [T1] + accumulator_2
success := and(success, staticcall(gas(), 6, ACCUMULATOR_X_LOC, 0x80, ACCUMULATOR_X_LOC, 0x40))

Expand All @@ -1955,7 +1963,10 @@ abstract contract BaseUltraVerifier {
let y := mload(T3_Y_LOC)
let xx := mulmod(x, x, q)
// validate on curve
success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q)))
if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) {
mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR)
revert(0x00, 0x04)
}
mstore(0x00, x)
mstore(0x20, y)
}
Expand All @@ -1971,7 +1982,10 @@ abstract contract BaseUltraVerifier {
let y := mload(T4_Y_LOC)
let xx := mulmod(x, x, q)
// validate on curve
success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q)))
if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) {
mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR)
revert(0x00, 0x04)
}
mstore(0x00, x)
mstore(0x20, y)
}
Expand All @@ -1987,7 +2001,10 @@ abstract contract BaseUltraVerifier {
let y := mload(W1_Y_LOC)
let xx := mulmod(x, x, q)
// validate on curve
success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q)))
if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) {
mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR)
revert(0x00, 0x04)
}
mstore(0x00, x)
mstore(0x20, y)
}
Expand All @@ -2003,7 +2020,10 @@ abstract contract BaseUltraVerifier {
let y := mload(W2_Y_LOC)
let xx := mulmod(x, x, q)
// validate on curve
success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q)))
if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) {
mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR)
revert(0x00, 0x04)
}
mstore(0x00, x)
mstore(0x20, y)
}
Expand All @@ -2019,7 +2039,10 @@ abstract contract BaseUltraVerifier {
let y := mload(W3_Y_LOC)
let xx := mulmod(x, x, q)
// validate on curve
success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q)))
if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) {
mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR)
revert(0x00, 0x04)
}
mstore(0x00, x)
mstore(0x20, y)
}
Expand All @@ -2035,7 +2058,10 @@ abstract contract BaseUltraVerifier {
let y := mload(W4_Y_LOC)
let xx := mulmod(x, x, q)
// validate on curve
success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q)))
if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) {
mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR)
revert(0x00, 0x04)
}
mstore(0x00, x)
mstore(0x20, y)
}
Expand All @@ -2051,7 +2077,10 @@ abstract contract BaseUltraVerifier {
let y := mload(S_Y_LOC)
let xx := mulmod(x, x, q)
// validate on curve
success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q)))
if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) {
mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR)
revert(0x00, 0x04)
}
mstore(0x00, x)
mstore(0x20, y)
}
Expand All @@ -2067,7 +2096,10 @@ abstract contract BaseUltraVerifier {
let y := mload(Z_Y_LOC)
let xx := mulmod(x, x, q)
// validate on curve
success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q)))
if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) {
mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR)
revert(0x00, 0x04)
}
mstore(0x00, x)
mstore(0x20, y)
}
Expand All @@ -2083,7 +2115,10 @@ abstract contract BaseUltraVerifier {
let y := mload(Z_LOOKUP_Y_LOC)
let xx := mulmod(x, x, q)
// validate on curve
success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q)))
if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) {
mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR)
revert(0x00, 0x04)
}
mstore(0x00, x)
mstore(0x20, y)
}
Expand Down Expand Up @@ -2631,13 +2666,16 @@ abstract contract BaseUltraVerifier {
let y := mload(PI_Z_Y_LOC)
let xx := mulmod(x, x, q)
// validate on curve
success := eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))
if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) {
mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR)
revert(0x00, 0x04)
}
mstore(0x00, x)
mstore(0x20, y)
}
// compute zeta.[PI_Z] and add into accumulator
mstore(0x40, zeta)
success := and(success, staticcall(gas(), 7, 0x00, 0x60, ACCUMULATOR2_X_LOC, 0x40))
success := staticcall(gas(), 7, 0x00, 0x60, ACCUMULATOR2_X_LOC, 0x40)
// accumulator = accumulator + accumulator_2
success := and(success, staticcall(gas(), 6, ACCUMULATOR_X_LOC, 0x80, ACCUMULATOR_X_LOC, 0x40))

Expand All @@ -2647,7 +2685,10 @@ abstract contract BaseUltraVerifier {
let y := mload(PI_Z_OMEGA_Y_LOC)
let xx := mulmod(x, x, q)
// validate on curve
success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q)))
if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) {
mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR)
revert(0x00, 0x04)
}
mstore(0x00, x)
mstore(0x20, y)
}
Expand Down Expand Up @@ -2675,7 +2716,10 @@ abstract contract BaseUltraVerifier {
let y := mload(RECURSIVE_P1_Y_LOC)
let xx := mulmod(x, x, q)
// validate on curve
success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q)))
if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) {
mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR)
revert(0x00, 0x04)
}
mstore(0x00, x)
mstore(0x20, y)
}
Expand All @@ -2689,7 +2733,10 @@ abstract contract BaseUltraVerifier {
let y := mload(RECURSIVE_P2_Y_LOC)
let xx := mulmod(x, x, q)
// validate on curve
success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q)))
if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) {
mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR)
revert(0x00, 0x04)
}
mstore(0x00, x)
mstore(0x20, y)
}
Expand Down
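Review bot: The new early-revert blocks still let a coordinate ≥ q through, because `mulmod(x, x, q)` and `mulmod(y, y, q)` reduce the inputs first — x + q passes the curve equation exactly as x does — so a non-canonical encoding reaches the ecMul/ecAdd staticcalls, and if I read EIP-196 correctly a precompile failure consumes all of the forwarded `gas()` rather than giving the clean `POINT_NOT_ON_CURVE` revert this PR is aiming for (assuming `q` here is the base-field modulus). I would add a canonical-range check ahead of each curve check, e.g. `if iszero(and(lt(x, q), lt(y, q))) {` / `mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR)` / `revert(0x00, 0x04) }`, or fold both conditions into the existing `if`. Since the same four-line revert block is now repeated fourteen times, a Yul helper such as `function validate_point(x, y)` would keep the range and curve checks in one place. It is also worth pinning `POINT_NOT_ON_CURVE_SELECTOR` to `bytes4(keccak256("POINT_NOT_ON_CURVE()"))` in a test, since nothing in the diff ties the constant to the error declaration. The enclosing verify function starts and ends outside these hunks.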