diff --git a/barretenberg/cpp/src/barretenberg/dsl/acir_proofs/contract.hpp b/barretenberg/cpp/src/barretenberg/dsl/acir_proofs/contract.hpp index 2fe2ebe3c98..4d60226ce46 100644 --- a/barretenberg/cpp/src/barretenberg/dsl/acir_proofs/contract.hpp +++ b/barretenberg/cpp/src/barretenberg/dsl/acir_proofs/contract.hpp @@ -264,6 +264,7 @@ abstract contract BaseUltraVerifier { uint256 internal constant NU_CHALLENGE_INPUT_LOC_C = 0x37e0; bytes4 internal constant INVALID_VERIFICATION_KEY_SELECTOR = 0x7e5769bf; + bytes4 internal constant POINT_NOT_ON_CURVE_SELECTOR = 0xa3dad654; bytes4 internal constant PUBLIC_INPUT_INVALID_BN128_G1_POINT_SELECTOR = 0xeba9f4a6; bytes4 internal constant PUBLIC_INPUT_GE_P_SELECTOR = 0x374a972f; bytes4 internal constant MOD_EXP_FAILURE_SELECTOR = 0xf894a7bc; @@ -294,6 +295,7 @@ abstract contract BaseUltraVerifier { uint256 internal constant GRUMPKIN_CURVE_B_PARAMETER_NEGATED = 17; error INVALID_VERIFICATION_KEY(); + error POINT_NOT_ON_CURVE(); error PUBLIC_INPUT_COUNT_INVALID(uint256 expected, uint256 actual); error PUBLIC_INPUT_INVALID_BN128_G1_POINT(); error PUBLIC_INPUT_GE_P(); @@ -1929,7 +1931,10 @@ abstract contract BaseUltraVerifier { let y := mload(T1_Y_LOC) let xx := mulmod(x, x, q) // validate on curve - success := eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q)) + if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) { + mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR) + revert(0x00, 0x04) + } mstore(ACCUMULATOR_X_LOC, x) mstore(add(ACCUMULATOR_X_LOC, 0x20), y) } @@ -1939,13 +1944,16 @@ abstract contract BaseUltraVerifier { let y := mload(T2_Y_LOC) // 0x1420 let xx := mulmod(x, x, q) // validate on curve - success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) + if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) { + mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR) + revert(0x00, 0x04) + } mstore(0x00, x) mstore(0x20, y) } mstore(0x40, mload(ZETA_POW_N_LOC)) // accumulator_2 = [T2].zeta^n - success := and(success, staticcall(gas(), 7, 0x00, 0x60, ACCUMULATOR2_X_LOC, 0x40)) + success := staticcall(gas(), 7, 0x00, 0x60, ACCUMULATOR2_X_LOC, 0x40) // accumulator = [T1] + accumulator_2 success := and(success, staticcall(gas(), 6, ACCUMULATOR_X_LOC, 0x80, ACCUMULATOR_X_LOC, 0x40)) @@ -1955,7 +1963,10 @@ abstract contract BaseUltraVerifier { let y := mload(T3_Y_LOC) let xx := mulmod(x, x, q) // validate on curve - success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) + if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) { + mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR) + revert(0x00, 0x04) + } mstore(0x00, x) mstore(0x20, y) } @@ -1971,7 +1982,10 @@ abstract contract BaseUltraVerifier { let y := mload(T4_Y_LOC) let xx := mulmod(x, x, q) // validate on curve - success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) + if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) { + mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR) + revert(0x00, 0x04) + } mstore(0x00, x) mstore(0x20, y) } @@ -1987,7 +2001,10 @@ abstract contract BaseUltraVerifier { let y := mload(W1_Y_LOC) let xx := mulmod(x, x, q) // validate on curve - success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) + if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) { + mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR) + revert(0x00, 0x04) + } mstore(0x00, x) mstore(0x20, y) } @@ -2003,7 +2020,10 @@ abstract contract BaseUltraVerifier { let y := mload(W2_Y_LOC) let xx := mulmod(x, x, q) // validate on curve - success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) + if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) { + mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR) + revert(0x00, 0x04) + } mstore(0x00, x) mstore(0x20, y) } @@ -2019,7 +2039,10 @@ abstract contract BaseUltraVerifier { let y := mload(W3_Y_LOC) let xx := mulmod(x, x, q) // validate on curve - success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) + if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) { + mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR) + revert(0x00, 0x04) + } mstore(0x00, x) mstore(0x20, y) } @@ -2035,7 +2058,10 @@ abstract contract BaseUltraVerifier { let y := mload(W4_Y_LOC) let xx := mulmod(x, x, q) // validate on curve - success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) + if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) { + mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR) + revert(0x00, 0x04) + } mstore(0x00, x) mstore(0x20, y) } @@ -2051,7 +2077,10 @@ abstract contract BaseUltraVerifier { let y := mload(S_Y_LOC) let xx := mulmod(x, x, q) // validate on curve - success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) + if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) { + mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR) + revert(0x00, 0x04) + } mstore(0x00, x) mstore(0x20, y) } @@ -2067,7 +2096,10 @@ abstract contract BaseUltraVerifier { let y := mload(Z_Y_LOC) let xx := mulmod(x, x, q) // validate on curve - success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) + if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) { + mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR) + revert(0x00, 0x04) + } mstore(0x00, x) mstore(0x20, y) } @@ -2083,7 +2115,10 @@ abstract contract BaseUltraVerifier { let y := mload(Z_LOOKUP_Y_LOC) let xx := mulmod(x, x, q) // validate on curve - success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) + if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) { + mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR) + revert(0x00, 0x04) + } mstore(0x00, x) mstore(0x20, y) } @@ -2631,13 +2666,16 @@ abstract contract BaseUltraVerifier { let y := mload(PI_Z_Y_LOC) let xx := mulmod(x, x, q) // validate on curve - success := eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q)) + if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) { + mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR) + revert(0x00, 0x04) + } mstore(0x00, x) mstore(0x20, y) } // compute zeta.[PI_Z] and add into accumulator mstore(0x40, zeta) - success := and(success, staticcall(gas(), 7, 0x00, 0x60, ACCUMULATOR2_X_LOC, 0x40)) + success := staticcall(gas(), 7, 0x00, 0x60, ACCUMULATOR2_X_LOC, 0x40) // accumulator = accumulator + accumulator_2 success := and(success, staticcall(gas(), 6, ACCUMULATOR_X_LOC, 0x80, ACCUMULATOR_X_LOC, 0x40)) @@ -2647,7 +2685,10 @@ abstract contract BaseUltraVerifier { let y := mload(PI_Z_OMEGA_Y_LOC) let xx := mulmod(x, x, q) // validate on curve - success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) + if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) { + mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR) + revert(0x00, 0x04) + } mstore(0x00, x) mstore(0x20, y) } @@ -2675,7 +2716,10 @@ abstract contract BaseUltraVerifier { let y := mload(RECURSIVE_P1_Y_LOC) let xx := mulmod(x, x, q) // validate on curve - success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) + if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) { + mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR) + revert(0x00, 0x04) + } mstore(0x00, x) mstore(0x20, y) } @@ -2689,7 +2733,10 @@ abstract contract BaseUltraVerifier { let y := mload(RECURSIVE_P2_Y_LOC) let xx := mulmod(x, x, q) // validate on curve - success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) + if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) { + mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR) + revert(0x00, 0x04) + } mstore(0x00, x) mstore(0x20, y) } diff --git a/barretenberg/sol/src/ultra/BaseUltraVerifier.sol b/barretenberg/sol/src/ultra/BaseUltraVerifier.sol index 6e9a6e2836b..10f739f3894 100644 --- a/barretenberg/sol/src/ultra/BaseUltraVerifier.sol +++ b/barretenberg/sol/src/ultra/BaseUltraVerifier.sol @@ -261,6 +261,7 @@ abstract contract BaseUltraVerifier { uint256 internal constant NU_CHALLENGE_INPUT_LOC_C = 0x37e0; bytes4 internal constant INVALID_VERIFICATION_KEY_SELECTOR = 0x7e5769bf; + bytes4 internal constant POINT_NOT_ON_CURVE_SELECTOR = 0xa3dad654; bytes4 internal constant PUBLIC_INPUT_INVALID_BN128_G1_POINT_SELECTOR = 0xeba9f4a6; bytes4 internal constant PUBLIC_INPUT_GE_P_SELECTOR = 0x374a972f; bytes4 internal constant MOD_EXP_FAILURE_SELECTOR = 0xf894a7bc; @@ -291,6 +292,7 @@ abstract contract BaseUltraVerifier { uint256 internal constant GRUMPKIN_CURVE_B_PARAMETER_NEGATED = 17; error INVALID_VERIFICATION_KEY(); + error POINT_NOT_ON_CURVE(); error PUBLIC_INPUT_COUNT_INVALID(uint256 expected, uint256 actual); error PUBLIC_INPUT_INVALID_BN128_G1_POINT(); error PUBLIC_INPUT_GE_P(); @@ -1903,7 +1905,10 @@ abstract contract BaseUltraVerifier { let y := mload(T1_Y_LOC) let xx := mulmod(x, x, q) // validate on curve - success := eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q)) + if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) { + mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR) + revert(0x00, 0x04) + } mstore(ACCUMULATOR_X_LOC, x) mstore(add(ACCUMULATOR_X_LOC, 0x20), y) } @@ -1913,13 +1918,16 @@ abstract contract BaseUltraVerifier { let y := mload(T2_Y_LOC) // 0x1420 let xx := mulmod(x, x, q) // validate on curve - success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) + if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) { + mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR) + revert(0x00, 0x04) + } mstore(0x00, x) mstore(0x20, y) } mstore(0x40, mload(ZETA_POW_N_LOC)) // accumulator_2 = [T2].zeta^n - success := and(success, staticcall(gas(), 7, 0x00, 0x60, ACCUMULATOR2_X_LOC, 0x40)) + success := staticcall(gas(), 7, 0x00, 0x60, ACCUMULATOR2_X_LOC, 0x40) // accumulator = [T1] + accumulator_2 success := and(success, staticcall(gas(), 6, ACCUMULATOR_X_LOC, 0x80, ACCUMULATOR_X_LOC, 0x40)) @@ -1929,7 +1937,10 @@ abstract contract BaseUltraVerifier { let y := mload(T3_Y_LOC) let xx := mulmod(x, x, q) // validate on curve - success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) + if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) { + mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR) + revert(0x00, 0x04) + } mstore(0x00, x) mstore(0x20, y) } @@ -1945,7 +1956,10 @@ abstract contract BaseUltraVerifier { let y := mload(T4_Y_LOC) let xx := mulmod(x, x, q) // validate on curve - success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) + if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) { + mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR) + revert(0x00, 0x04) + } mstore(0x00, x) mstore(0x20, y) } @@ -1961,7 +1975,10 @@ abstract contract BaseUltraVerifier { let y := mload(W1_Y_LOC) let xx := mulmod(x, x, q) // validate on curve - success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) + if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) { + mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR) + revert(0x00, 0x04) + } mstore(0x00, x) mstore(0x20, y) } @@ -1977,7 +1994,10 @@ abstract contract BaseUltraVerifier { let y := mload(W2_Y_LOC) let xx := mulmod(x, x, q) // validate on curve - success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) + if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) { + mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR) + revert(0x00, 0x04) + } mstore(0x00, x) mstore(0x20, y) } @@ -1993,7 +2013,10 @@ abstract contract BaseUltraVerifier { let y := mload(W3_Y_LOC) let xx := mulmod(x, x, q) // validate on curve - success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) + if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) { + mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR) + revert(0x00, 0x04) + } mstore(0x00, x) mstore(0x20, y) } @@ -2009,7 +2032,10 @@ abstract contract BaseUltraVerifier { let y := mload(W4_Y_LOC) let xx := mulmod(x, x, q) // validate on curve - success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) + if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) { + mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR) + revert(0x00, 0x04) + } mstore(0x00, x) mstore(0x20, y) } @@ -2025,7 +2051,10 @@ abstract contract BaseUltraVerifier { let y := mload(S_Y_LOC) let xx := mulmod(x, x, q) // validate on curve - success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) + if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) { + mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR) + revert(0x00, 0x04) + } mstore(0x00, x) mstore(0x20, y) } @@ -2041,7 +2070,10 @@ abstract contract BaseUltraVerifier { let y := mload(Z_Y_LOC) let xx := mulmod(x, x, q) // validate on curve - success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) + if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) { + mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR) + revert(0x00, 0x04) + } mstore(0x00, x) mstore(0x20, y) } @@ -2057,7 +2089,10 @@ abstract contract BaseUltraVerifier { let y := mload(Z_LOOKUP_Y_LOC) let xx := mulmod(x, x, q) // validate on curve - success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) + if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) { + mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR) + revert(0x00, 0x04) + } mstore(0x00, x) mstore(0x20, y) } @@ -2605,13 +2640,16 @@ abstract contract BaseUltraVerifier { let y := mload(PI_Z_Y_LOC) let xx := mulmod(x, x, q) // validate on curve - success := eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q)) + if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) { + mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR) + revert(0x00, 0x04) + } mstore(0x00, x) mstore(0x20, y) } // compute zeta.[PI_Z] and add into accumulator mstore(0x40, zeta) - success := and(success, staticcall(gas(), 7, 0x00, 0x60, ACCUMULATOR2_X_LOC, 0x40)) + success := staticcall(gas(), 7, 0x00, 0x60, ACCUMULATOR2_X_LOC, 0x40) // accumulator = accumulator + accumulator_2 success := and(success, staticcall(gas(), 6, ACCUMULATOR_X_LOC, 0x80, ACCUMULATOR_X_LOC, 0x40)) @@ -2621,7 +2659,10 @@ abstract contract BaseUltraVerifier { let y := mload(PI_Z_OMEGA_Y_LOC) let xx := mulmod(x, x, q) // validate on curve - success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) + if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) { + mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR) + revert(0x00, 0x04) + } mstore(0x00, x) mstore(0x20, y) } @@ -2649,7 +2690,10 @@ abstract contract BaseUltraVerifier { let y := mload(RECURSIVE_P1_Y_LOC) let xx := mulmod(x, x, q) // validate on curve - success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) + if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) { + mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR) + revert(0x00, 0x04) + } mstore(0x00, x) mstore(0x20, y) } @@ -2663,7 +2707,10 @@ abstract contract BaseUltraVerifier { let y := mload(RECURSIVE_P2_Y_LOC) let xx := mulmod(x, x, q) // validate on curve - success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) + if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) { + mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR) + revert(0x00, 0x04) + } mstore(0x00, x) mstore(0x20, y) }