From 24ea78180d2ff22b1b0d048cb42b907791c18c79 Mon Sep 17 00:00:00 2001
From: Aaron Feickert <66188213+AaronFeickert@users.noreply.github.com>
Date: Tue, 2 Jan 2024 15:25:13 -0600
Subject: [PATCH] Grootle verification hardening

---
 src/libspark/grootle.cpp | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/src/libspark/grootle.cpp b/src/libspark/grootle.cpp
index 67ca20eced..7fd11135e2 100644
--- a/src/libspark/grootle.cpp
+++ b/src/libspark/grootle.cpp
@@ -281,6 +281,11 @@ void Grootle::prove(
 for (std::size_t k = 0; k < S_offset.size(); k++) {
 S_offset[k] += S1_inverse;
 V_offset[k] += V1_inverse;
+
+ // Neither should be zero
+ if (S_offset[k].isInfinity() || V_offset[k].isInfinity()) {
+ throw std::invalid_argument("Commitment offset should not be zero");
+ }
 }

 // Generate masks
@@ -337,6 +342,9 @@ void Grootle::prove(

 Scalar x_powers(uint64_t(1));
 for (std::size_t j = 0; j < m; ++j) {
+ if (x_powers.isZero()) {
+ throw std::runtime_error("Challenge power is zero");
+ }
 sumS += (rho_S[j] * x_powers);
 sumV += (rho_V[j] * x_powers);
 x_powers *= x;
@@ -405,6 +413,16 @@ bool Grootle::verify(
 return false;
 }

+ // Check for zero inputs
+ for (std::size_t t = 0; t < S1.size(); t++) {
+ for (std::size_t i = 0; i < S.size(); i++) {
+ if (S[i] == S1[t] || V[i] == V1[t]) {
+ LogPrintf("Invalid offset commitment");
+ return false;
+ }
+ }
+ }
+
 // Check proof semantics
 for (std::size_t t = 0; t < M; t++) {
 GrootleProof proof = proofs[t];
@@ -542,6 +560,10 @@ bool Grootle::verify(
 // (X), (X1)
 x_powers = Scalar(uint64_t(1));
 for (std::size_t j = 0; j < m; j++) {
+ if (x_powers.isZero()) {
+ LogPrintf("Challenge power is zero");
+ return false;
+ }
 points.emplace_back(proof.X[j] + proof.X1[j] * bind_weight);
 scalars.emplace_back(x_powers.negate() * w2);
 x_powers *= x;
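Review bot: The comment `// Neither should be zero` in the first prove() hunk does not say why an identity offset is refused, and it uses "zero" for what the code tests with `isInfinity()`. A wording such as `// An identity offset means a set element equals S1 or V1; refuse to prove, since verify() rejects the same condition` would tie it to the matching check this commit adds in verify(). The thrown message carries neither the index `k` nor which of the two offsets failed, which would help when diagnosing a bad cover set. The loop and the rest of prove() start and end outside the hunk.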
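Review bot: The `x_powers.isZero()` test inside the loop of the second prove() hunk can never fire on the first iteration, because `x_powers` starts at 1, and afterwards it fires only when `x` itself is zero (assuming `Scalar` is a prime-field element, so a product is zero only if a factor is). A single check before the loop, `if (x.isZero()) { throw std::runtime_error("Challenge is zero"); }`, states the condition directly and also covers the case where `m` is 1, which the loop form would miss if that value is allowed. The same pattern appears in the last verify() hunk, where the equivalent is `if (x.isZero()) { LogPrintf("Challenge is zero\n"); return false; }`. There, `x` is presumably already used earlier in the function, outside the hunk, so testing it where the challenge is derived would reject before any of that work.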
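Review bot: The nested loop added to verify() performs |S1|·|S| group-element comparisons on every call and sits before the `// Check proof semantics` loop. If those semantic checks are the cheap structural ones they appear to be, a batch with a malformed proof pays the full quadratic cost before being rejected, so moving this block below them would keep the inexpensive rejections first. The loop also indexes `V[i]` and `V1[t]` by the sizes of `S` and `S1`, which is only safe if the length checks above the hunk (not visible here) already enforce matching sizes. The comment `// Check for zero inputs` would be clearer as `// Reject offsets equal to a set element: the difference would be the identity`. If `LogPrintf` here follows the Bitcoin Core convention of not appending a newline, `"Invalid offset commitment"` and the message in the last hunk should end in `\n` so the entries do not run into the next log line.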