From 0350cd803d9bbd96a70a3523ada346482cdf05ba Mon Sep 17 00:00:00 2001
From: Luke Parker
Date: Thu, 1 Dec 2022 11:50:03 -0500
Subject: [PATCH] Add debug assertions to CLSAG/Bulletproofs proving

---
 coins/monero/src/ringct/bulletproofs/original.rs | 11 +++++++----
 coins/monero/src/ringct/bulletproofs/plus.rs | 11 +++++++----
 coins/monero/src/ringct/clsag/mod.rs | 4 ++++
 3 files changed, 18 insertions(+), 8 deletions(-)

diff --git a/coins/monero/src/ringct/bulletproofs/original.rs b/coins/monero/src/ringct/bulletproofs/original.rs
index f7e40cc1..21abb44f 100644
--- a/coins/monero/src/ringct/bulletproofs/original.rs
+++ b/coins/monero/src/ringct/bulletproofs/original.rs
@@ -42,7 +42,8 @@ impl OriginalStruct {
 let (logMN, M, MN) = MN(commitments.len());
 let (aL, aR) = bit_decompose(commitments);
- let (mut cache, _) = hash_commitments(commitments.iter().map(Commitment::calculate));
+ let commitments_points = commitments.iter().map(Commitment::calculate).collect::>();
+ let (mut cache, _) = hash_commitments(commitments_points.clone());
 let (sL, sR) = ScalarVector((0 .. (MN * 2)).map(|_| Scalar::random(&mut *rng)).collect::>()).split();
@@ -74,7 +75,7 @@ impl OriginalStruct {
 let t2 = inner_product(&l1, &r1);
 let mut tau1 = Scalar::random(&mut *rng);
- let mut tau2 = Scalar::random(rng);
+ let mut tau2 = Scalar::random(&mut *rng);
 let T1 = prove_multiexp(&[(t1, *H), (tau1, EdwardsPoint::generator())]);
 let T2 = prove_multiexp(&[(t2, *H), (tau2, EdwardsPoint::generator())]);
@@ -146,7 +147,7 @@ impl OriginalStruct {
 }
 }
- OriginalStruct {
+ let res = OriginalStruct {
 A: *A,
 S: *S,
 T1: *T1,
@@ -158,7 +159,9 @@ impl OriginalStruct {
 a: *a[0],
 b: *b[0],
 t: *t,
- }
+ };
+ debug_assert!(res.verify(rng, &commitments_points));
+ res
 }
 #[must_use]
diff --git a/coins/monero/src/ringct/bulletproofs/plus.rs b/coins/monero/src/ringct/bulletproofs/plus.rs
index bba66a3f..4a23420c 100644
--- a/coins/monero/src/ringct/bulletproofs/plus.rs
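Review bot: `hash_commitments(commitments_points.clone())` in the `@@ -42,7 +42,8 @@` hunk of original.rs copies the freshly collected `Vec` only so that `commitments_points` is still alive for the `debug_assert!` at the end of the function, and the copy is also made in release builds where that assertion is compiled out. The removed line shows `hash_commitments` already accepted a `map` iterator, so `let (mut cache, _) = hash_commitments(commitments_points.iter().copied());` (or `.cloned()` if the point type is not `Copy`, which cannot be confirmed from the hunk) would avoid the second allocation. The same pattern appears in the plus.rs hunk `@@ -60,7 +60,8 @@` with `hash_plus`. The enclosing proving function starts above the hunk, so the exact signature of `hash_commitments` is not visible here.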
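Review bot: The new `debug_assert!(res.verify(rng, &commitments_points))` in the `@@ -158,7 +159,9 @@` hunk of original.rs panics with only the stringified expression, which does not say that the prover, rather than a caller, produced a proof that fails its own verifier; `debug_assert!(res.verify(rng, &commitments_points), "freshly proven Bulletproof does not verify");` would make a failing test point at the right place. A short comment above it, `// Prover self-check; compiled out in release builds, so callers get no verification there.`, would also record that the check is intentionally debug-only. The same applies to the plus.rs hunk `@@ -161,7 +162,9 @@`. The body of the proving function begins outside the hunk.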
+++ b/coins/monero/src/ringct/bulletproofs/plus.rs
@@ -60,7 +60,8 @@ impl PlusStruct {
 let (logMN, M, MN) = MN(commitments.len());
 let (aL, aR) = bit_decompose(commitments);
- let (mut cache, _) = hash_plus(commitments.iter().map(Commitment::calculate));
+ let commitments_points = commitments.iter().map(Commitment::calculate).collect::>();
+ let (mut cache, _) = hash_plus(commitments_points.clone());
 let (mut alpha1, A) = alpha_rho(&mut *rng, &GENERATORS, &aL, &aR);
 let y = hash_cache(&mut cache, &[A.compress().to_bytes()]);
@@ -132,7 +133,7 @@ impl PlusStruct {
 let mut r = Scalar::random(&mut *rng);
 let mut s = Scalar::random(&mut *rng);
 let mut d = Scalar::random(&mut *rng);
- let mut eta = Scalar::random(rng);
+ let mut eta = Scalar::random(&mut *rng);
 let A1 = prove_multiexp(&[ (r, G_proof[0]),
@@ -152,7 +153,7 @@ impl PlusStruct {
 eta.zeroize();
 alpha1.zeroize();
- PlusStruct {
+ let res = PlusStruct {
 A: *A,
 A1: *A1,
 B: *B,
@@ -161,7 +162,9 @@ impl PlusStruct {
 d1: *d1,
 L: L.drain(..).map(|L| *L).collect(),
 R: R.drain(..).map(|R| *R).collect(),
- }
+ };
+ debug_assert!(res.verify(rng, &commitments_points));
+ res
 }
 #[must_use]
diff --git a/coins/monero/src/ringct/clsag/mod.rs b/coins/monero/src/ringct/clsag/mod.rs
index 8582f6b4..1ba57d02 100644
--- a/coins/monero/src/ringct/clsag/mod.rs
+++ b/coins/monero/src/ringct/clsag/mod.rs
@@ -265,6 +265,10 @@ impl Clsag {
 inputs[i].0.zeroize();
 nonce.zeroize();
+ debug_assert!(clsag
+ .verify(&inputs[i].2.decoys.ring, &inputs[i].1, &pseudo_out, &msg)
+ .is_ok());
+
 res.push((clsag, pseudo_out));
 }