Bring in QED-it Tests #93
Conversation
|
This needs some cleanup and improvements before it can be merged. In particular the group_hash tests are incomplete. Edit: Done! |
sapling-crypto/src/circuit/ecc.rs
Outdated
|
|
||
| // take all the points from the script | ||
| // assert should be different than multiplying by cofactor, which is the solution | ||
| // is user input verified? https://github.com/zcash/librustzcash/blob/f5d2afb4eabac29b1b1cc860d66e45a5b48b4f88/src/rustzcash.rs#L299 |
There was a problem hiding this comment.
I think this is talking about how we're missing an explicit check that ask != 0 in our code? Should I just delete these comments?
|
Uh oh I accidentally pushed the branch to this repo, deleted it, then rebased and now Travis is broken: https://travis-ci.org/zcash/librustzcash/builds/566534948?utm_source=github_status&utm_medium=notification Why does it think there should be a |
|
I've started rebasing this, and I've decided that I'm not going to preserve all history because there is a lot of cruft within the commits, and in particular there are some commits that are clearly mislabeled (the code they refer to appears in an adjacent commit, or spread across several commits). I will refactor retaining the intention of the changes, and as much authorship as I can. |
|
Rebased on master, cleaned up some of the commits (so they match what they say on the tin), and formatted most of the commits. The PR will probably need to be rebased again once #113 lands. |
|
Added a commit to make use of all the test vectors. That required increasing the number of Pedersen hash generators to 6. Someone should check that I did so correctly. Alternatively I can delete the test vectors that are too long. I ran the entire suite of tests and they pass. :-) Edit: Errrr what? I guess not?? Edit2: Oh, Travis is testing the merge with master not the PR by itself, it just needs to be rebased again (there are a few places |
zcash_primitives/src/group_hash.rs
Outdated
| let domain = domains[i]; | ||
| let msg = msgs[i]; | ||
|
|
||
| let gh: edwards::Point<Bls12, _> = find_group_hash(&msg, &domain, ¶ms); |
There was a problem hiding this comment.
This is unused. The test appears to actually be testing that edwards::Point::get_for_y returns one of the expected x-coordinates, and not the output of find_group_hash at all.
(Edit: I see the test is deleted later.)
zcash_primitives/src/group_hash.rs
Outdated
| .write_u32::<LittleEndian>(m) | ||
| .unwrap(); | ||
| let p: edwards::Point<Bls12, _> = | ||
| find_group_hash(&segment_number, b"Zcash_PH", ¶ms); |
There was a problem hiding this comment.
p is unused.
(Edit: I see the test is deleted later.)
| @@ -0,0 +1,716 @@ | |||
| //! Test vectors from https://github.com/zcash-hackworks/zcash-test-vectors/blob/master/sapling_pedersen.py | |||
There was a problem hiding this comment.
Usually this means that the linked file can be used to generate the test vectors. We don't have the generation process for these test vectors yet; it would be good to find it. Non-blocking, because we can always update the test vectors later if there is a mismatch (although note that one of the commits from the audit explicitly tweaked some test vectors to test edge cases, so there may not be a simple generation process).
There was a problem hiding this comment.
I think they're made by https://github.com/QED-it/go-jubjub
| check_small_order_from_strs( | ||
| "948411088638444611740115537621561973758360269817276634325562542866802143934", | ||
| "19260245455242183936012133194672327304390353749328020389743628630787497879844", | ||
| ); |
There was a problem hiding this comment.
We could extend this to test all points in all small-order subgroups, since there are so few of them (i.e. raise this to the power of 0..8 and check each one).
| } | ||
|
|
||
| // check for a generator being the sum of any other two | ||
| for (j, p2) in pedersen_hash_generators.iter().enumerate() { |
There was a problem hiding this comment.
I experimented with trying to combine this loop with the one above, but wasn't able to get it to work properly. If this function were performance critical, we could first add all of the items to a HashSet, and then check if combinations of p1+p2 were in that set.
Bring in QED-it Tests
2279da4 Merge pull request zcash#38 from debris/docs 2e57190 Remove documentation entry from Cargo.toml 346d540 bellman 0.2.0 8d79665 Merge pull request zcash#93 from defuse/qed-it-lrz f50079f Crate docs 701cb2b Update READMEs ccf1ee9 CI: Check intra-doc links ddd390a Add READMEs to Cargo.toml files 54d3122 Add missing cs.is_satisfied() to bellman test 52bf23c Fix build warnings 581ad35 boolean: adds tests for alloc_conditionally 0403396 blake2s: adds test vectors from go-jubjub 9f24e47 Fix blake2s test data length assertion. 42d5b3b Add blake2s test vectors for varying sizes from go-jubjub b2597de pedersen_hash: removes debug prints c903fad pedersen hashes: example of size limit bug bc697c1 bellman: Fix compile errors without multicore feature a4e5df9 Upgrade to hex-literal 0.2 c063509 Migrate bellman to crossbeam 0.7 1775843 Take self directly in into_* functions 614d784 Rename into_ -> to_ where &self is used. 08664b1 Address various clippy warnings/errors in bellman bb11ef2 cargo fmt cff2e2f cargo fix --edition-idioms for bellman dc2a280 Add edition = 2018 1a2bc19 cargo fmt ad37878 cargo fix --edition for bellman e73d1a2 cargo fmt bellman dfb86fc Move generic circuit gadgets into bellman 9b3d766 Migrate to rand 0.7 055280f Migrate ff, group, pairing, and bellman to rand 0.6 533d586 Migrate bellman to rand 0.5 bfa9aaf Merge pull request zcash#61 from rex4539/fix-typos 3dd8490 Place bellman multicore operations behind a (default) feature flag 955e679 Merge pull request zcash#46 from str4d/ff-traits d4ddaa9 Fix typos 12f93f2 Add ff and group crates to Cargo workspace 2e35a32 Update sapling-crypto crate to use ff crate 2019e63 Update workspace after pulling in external crates git-subtree-dir: bellman git-subtree-split: 2279da4
This PR was originally submitted here: zcash/sapling-crypto#101
This pulls in a bunch of tests QED-it wrote during their audit that were spread across many branches in their sapling-crypto-internal repository. I've left their history intact so the best way to review it is to just look at the final diff, except for...
find_group_hashtest since it didn't look like it was doing anything useful, and I don't want merging to block on me figuring out how to implement that test well. Raise a separate issue and assign me if you would like somefind_group_hashunit tests!I did not bring in this change to the circuit code, because I don't understand it. I also did not bring in a bunch of changes to comments and variable renamings in the aurel_comments branch and the sum_bug branch, but I did bring in the new tests from those branches.