feat: revert early in verifier contract for malformed proof inputs (A…
TomAFrench authored Feb 6, 2024
1 parent f0a0863 commit b22619e
Showing 2 changed files with 128 additions and 34 deletions.
81 changes: 64 additions & 17 deletions barretenberg/cpp/src/barretenberg/dsl/acir_proofs/contract.hpp
Expand Up @@ -264,6 +264,7 @@ abstract contract BaseUltraVerifier {
uint256 internal constant NU_CHALLENGE_INPUT_LOC_C = 0x37e0;
bytes4 internal constant INVALID_VERIFICATION_KEY_SELECTOR = 0x7e5769bf;
bytes4 internal constant POINT_NOT_ON_CURVE_SELECTOR = 0xa3dad654;
bytes4 internal constant PUBLIC_INPUT_INVALID_BN128_G1_POINT_SELECTOR = 0xeba9f4a6;
bytes4 internal constant PUBLIC_INPUT_GE_P_SELECTOR = 0x374a972f;
bytes4 internal constant MOD_EXP_FAILURE_SELECTOR = 0xf894a7bc;
Expand Down Expand Up @@ -294,6 +295,7 @@ abstract contract BaseUltraVerifier {
uint256 internal constant GRUMPKIN_CURVE_B_PARAMETER_NEGATED = 17;
error INVALID_VERIFICATION_KEY();
error POINT_NOT_ON_CURVE();
error PUBLIC_INPUT_COUNT_INVALID(uint256 expected, uint256 actual);
error PUBLIC_INPUT_INVALID_BN128_G1_POINT();
error PUBLIC_INPUT_GE_P();
Expand Down Expand Up @@ -1929,7 +1931,10 @@ abstract contract BaseUltraVerifier {
let y := mload(T1_Y_LOC)
let xx := mulmod(x, x, q)
// validate on curve
success := eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))
if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) {
mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR)
revert(0x00, 0x04)
}
mstore(ACCUMULATOR_X_LOC, x)
mstore(add(ACCUMULATOR_X_LOC, 0x20), y)
}
Expand All @@ -1939,13 +1944,16 @@ abstract contract BaseUltraVerifier {
let y := mload(T2_Y_LOC) // 0x1420
let xx := mulmod(x, x, q)
// validate on curve
success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q)))
if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) {
mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR)
revert(0x00, 0x04)
}
mstore(0x00, x)
mstore(0x20, y)
}
mstore(0x40, mload(ZETA_POW_N_LOC))
// accumulator_2 = [T2].zeta^n
success := and(success, staticcall(gas(), 7, 0x00, 0x60, ACCUMULATOR2_X_LOC, 0x40))
success := staticcall(gas(), 7, 0x00, 0x60, ACCUMULATOR2_X_LOC, 0x40)
// accumulator = [T1] + accumulator_2
success := and(success, staticcall(gas(), 6, ACCUMULATOR_X_LOC, 0x80, ACCUMULATOR_X_LOC, 0x40))
Expand All @@ -1955,7 +1963,10 @@ abstract contract BaseUltraVerifier {
let y := mload(T3_Y_LOC)
let xx := mulmod(x, x, q)
// validate on curve
success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q)))
if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) {
mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR)
revert(0x00, 0x04)
}
mstore(0x00, x)
mstore(0x20, y)
}
Expand All @@ -1971,7 +1982,10 @@ abstract contract BaseUltraVerifier {
let y := mload(T4_Y_LOC)
let xx := mulmod(x, x, q)
// validate on curve
success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q)))
if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) {
mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR)
revert(0x00, 0x04)
}
mstore(0x00, x)
mstore(0x20, y)
}
Expand All @@ -1987,7 +2001,10 @@ abstract contract BaseUltraVerifier {
let y := mload(W1_Y_LOC)
let xx := mulmod(x, x, q)
// validate on curve
success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q)))
if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) {
mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR)
revert(0x00, 0x04)
}
mstore(0x00, x)
mstore(0x20, y)
}
Expand All @@ -2003,7 +2020,10 @@ abstract contract BaseUltraVerifier {
let y := mload(W2_Y_LOC)
let xx := mulmod(x, x, q)
// validate on curve
success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q)))
if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) {
mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR)
revert(0x00, 0x04)
}
mstore(0x00, x)
mstore(0x20, y)
}
Expand All @@ -2019,7 +2039,10 @@ abstract contract BaseUltraVerifier {
let y := mload(W3_Y_LOC)
let xx := mulmod(x, x, q)
// validate on curve
success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q)))
if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) {
mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR)
revert(0x00, 0x04)
}
mstore(0x00, x)
mstore(0x20, y)
}
Expand All @@ -2035,7 +2058,10 @@ abstract contract BaseUltraVerifier {
let y := mload(W4_Y_LOC)
let xx := mulmod(x, x, q)
// validate on curve
success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q)))
if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) {
mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR)
revert(0x00, 0x04)
}
mstore(0x00, x)
mstore(0x20, y)
}
Expand All @@ -2051,7 +2077,10 @@ abstract contract BaseUltraVerifier {
let y := mload(S_Y_LOC)
let xx := mulmod(x, x, q)
// validate on curve
success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q)))
if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) {
mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR)
revert(0x00, 0x04)
}
mstore(0x00, x)
mstore(0x20, y)
}
Expand All @@ -2067,7 +2096,10 @@ abstract contract BaseUltraVerifier {
let y := mload(Z_Y_LOC)
let xx := mulmod(x, x, q)
// validate on curve
success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q)))
if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) {
mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR)
revert(0x00, 0x04)
}
mstore(0x00, x)
mstore(0x20, y)
}
Expand All @@ -2083,7 +2115,10 @@ abstract contract BaseUltraVerifier {
let y := mload(Z_LOOKUP_Y_LOC)
let xx := mulmod(x, x, q)
// validate on curve
success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q)))
if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) {
mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR)
revert(0x00, 0x04)
}
mstore(0x00, x)
mstore(0x20, y)
}
Expand Down Expand Up @@ -2631,13 +2666,16 @@ abstract contract BaseUltraVerifier {
let y := mload(PI_Z_Y_LOC)
let xx := mulmod(x, x, q)
// validate on curve
success := eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))
if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) {
mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR)
revert(0x00, 0x04)
}
mstore(0x00, x)
mstore(0x20, y)
}
// compute zeta.[PI_Z] and add into accumulator
mstore(0x40, zeta)
success := and(success, staticcall(gas(), 7, 0x00, 0x60, ACCUMULATOR2_X_LOC, 0x40))
success := staticcall(gas(), 7, 0x00, 0x60, ACCUMULATOR2_X_LOC, 0x40)
// accumulator = accumulator + accumulator_2
success := and(success, staticcall(gas(), 6, ACCUMULATOR_X_LOC, 0x80, ACCUMULATOR_X_LOC, 0x40))
Expand All @@ -2647,7 +2685,10 @@ abstract contract BaseUltraVerifier {
let y := mload(PI_Z_OMEGA_Y_LOC)
let xx := mulmod(x, x, q)
// validate on curve
success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q)))
if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) {
mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR)
revert(0x00, 0x04)
}
mstore(0x00, x)
mstore(0x20, y)
}
Expand Down Expand Up @@ -2675,7 +2716,10 @@ abstract contract BaseUltraVerifier {
let y := mload(RECURSIVE_P1_Y_LOC)
let xx := mulmod(x, x, q)
// validate on curve
success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q)))
if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) {
mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR)
revert(0x00, 0x04)
}
mstore(0x00, x)
mstore(0x20, y)
}
Expand All @@ -2689,7 +2733,10 @@ abstract contract BaseUltraVerifier {
let y := mload(RECURSIVE_P2_Y_LOC)
let xx := mulmod(x, x, q)
// validate on curve
success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q)))
if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) {
mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR)
revert(0x00, 0x04)
}
mstore(0x00, x)
mstore(0x20, y)
}
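Review bot: The early-revert condition added in each of the fifteen `// validate on curve` blocks (T1 in the hunk at 1931 through RECURSIVE_P2 in the hunk at 2733, plus PI_Z and PI_Z_OMEGA) still accepts coordinates that are not reduced modulo q, because `mulmod`/`addmod` reduce their operands before the comparison, so an x or y of the form `x + q` passes the check and is only rejected later inside the precompile 6/7 `staticcall`, where it shows up as a generic `success` failure instead of the new `POINT_NOT_ON_CURVE` revert the commit introduces. If the goal is to revert early on malformed proof inputs, fold a range check into the same condition, `if iszero(and(and(lt(x, q), lt(y, q)), eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q)))) {`, reusing `POINT_NOT_ON_CURVE_SELECTOR` (or a dedicated selector if a distinct error is preferred); this presumes `q` here is the curve's base-field modulus, which is not visible in these hunks. The four-line check is repeated verbatim fifteen times; if these blocks live in one `assembly` block, a Yul function such as `function validate_on_curve(x, y, q)` that performs the check and the revert would leave a single copy to audit. The `mstore(0x0, ...)` on the new revert lines differs from the `0x00` spelling used on the neighbouring `mstore(0x00, x)` lines; picking one form keeps the blocks uniform. The enclosing assembly block and function start and end outside every hunk shown here.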
