Prevent trivial subversion attack against prover.

Sean Bowe 2018-04-02 22:21:42 -06:00
parent d14f2af8fa
commit 96b2d3e41a

@ -290,6 +290,12 @@ pub fn create_proof<E, C, P: ParameterSource<E>>(
let b_g2_inputs = multiexp(&worker, b_g2_inputs_source, b_input_density, input_assignment); let b_g2_inputs = multiexp(&worker, b_g2_inputs_source, b_input_density, input_assignment);
let b_g2_aux = multiexp(&worker, b_g2_aux_source, b_aux_density, aux_assignment); let b_g2_aux = multiexp(&worker, b_g2_aux_source, b_aux_density, aux_assignment);
if vk.delta_g1.is_zero() || vk.delta_g2.is_zero() {
// If this element is zero, someone is trying to perform a
// subversion-CRS attack.
return Err(SynthesisError::UnexpectedIdentity);
}
let mut g_a = vk.delta_g1.mul(r); let mut g_a = vk.delta_g1.mul(r);
g_a.add_assign_mixed(&vk.alpha_g1); g_a.add_assign_mixed(&vk.alpha_g1);
let mut g_b = vk.delta_g2.mul(s); let mut g_b = vk.delta_g2.mul(s);
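Review bot: The new identity guard runs only after the `multiexp` calls for the `b_g2` terms (and, by position in the hunk, presumably after the earlier `a`/`b_g1` ones outside it), yet it depends solely on `vk.delta_g1` and `vk.delta_g2`; moving it to immediately after `vk` is obtained would reject a malformed or subverted CRS before the expensive multi-exponentiations are spent on it, with no change in what is accepted. The comment on the check says "this element" while two elements are tested, so it reads as if only one of them matters; `// delta_g1 and delta_g2 must not be the identity: a trivial delta in the CRS is the signature of a subversion-CRS attack, so refuse to prove with it.` states the invariant and the reason. It would also help to document `SynthesisError::UnexpectedIdentity` at its definition as the error callers get for a CRS element at the identity, since that is now a security-relevant outcome rather than an internal arithmetic condition. `create_proof` begins and ends outside this hunk.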