Add blinding scalars #651
Add blinding scalars #651
Conversation
Codecov Report
@@ Coverage Diff @@
## master #651 +/- ##
==========================================
+ Coverage 80.62% 80.76% +0.14%
==========================================
Files 54 54
Lines 4479 4482 +3
==========================================
+ Hits 3611 3620 +9
+ Misses 868 862 -6
Continue to review full report at Codecov.
|
src/permutation.rs
Outdated
| &self, | ||
| domain: &EvaluationDomain, | ||
| wires: [&[BlsScalar]; 4], | ||
| beta: &BlsScalar, | ||
| gamma: &BlsScalar, | ||
| sigma_polys: [&Polynomial; 4], | ||
| ) -> Polynomial { | ||
| ) -> Vec<dusk_bls12_381::BlsScalar> { |
There was a problem hiding this comment.
You can use Vec<BlsScalar> and don't have to mention the dusk_bls12_381 module path since it is imported on the top of the file already.
More generally though, why do you not use Polynomial here? We have to convert the evals to to their polynomial form at some point, so why do not do it here?
There was a problem hiding this comment.
the function domain.ifft(w_vec) requires a vector, we could compute it into the function but then in the prover, we need to treat each vector to be blinded in a different way. I think is more clear and clean to put the IFFT into the blind_poly(), and treat all inputs in the same way.
src/permutation.rs
Outdated
| @@ -308,7 +308,7 @@ impl Permutation { | |||
| h_2: &[BlsScalar], | |||
| delta: &BlsScalar, | |||
| epsilon: &BlsScalar, | |||
| ) -> Polynomial { | |||
| ) -> Vec<dusk_bls12_381::BlsScalar> { | |||
src/proof_system/prover.rs
Outdated
| /// if hiding degree = 2: (b3*X^(n+2) + b2*X(n+1) + b1*X^n - b3*X^2 - b2*X | ||
| /// - b1) + w_vec | ||
| pub(crate) fn blind_poly<R: RngCore + CryptoRng>( | ||
| w_vec: &Vec<dusk_bls12_381::BlsScalar>, |
There was a problem hiding this comment.
Above dusk_bls12_381::BlsScalar is already imported, so you can simply use &Vec<BlsScalar> here.
src/proof_system/prover.rs
Outdated
| domain: &EvaluationDomain, | ||
| mut rng: &mut R, | ||
| ) -> Polynomial { | ||
| let mut w_vec_i = domain.ifft(w_vec); |
There was a problem hiding this comment.
I find the names w_vec and w_vec_i not so descriptive. Isn't w_vec_i just w_poly and w_vec the poly in evaluation form? What about calling them w_poly and w_poly_evals?
There was a problem hiding this comment.
I just followed the same naming used in the whole code, we should rename the whole code if we want to change it here... And I used w_vec_i where i comes from inverse. I used this name to distinguish the value we get before calling Polynomial::from_coefficients_vec()
There was a problem hiding this comment.
Oh i see, then please call it w_vec_inverse. At first sight I thought that you used the i because you want to loop through the coefficients later on
src/circuit.rs
Outdated
| ) -> Result<Proof, Error> { | ||
| let (ck, _) = pub_params.trim(self.padded_gates())?; | ||
| let (ck, _) = pub_params.trim(self.padded_gates() + 6)?; |
There was a problem hiding this comment.
As @moCello mentioned, we should avoid magic numbers. Since its used in different parts, consider creating a documented constant
src/circuit.rs
Outdated
| @@ -306,7 +308,7 @@ where | |||
|
|
|||
| // Add ProverKey to Prover | |||
| prover.prover_key = Some(prover_key.clone()); | |||
| prover.prove(&ck) | |||
| prover.prove(&ck, &mut rng) | |||
There was a problem hiding this comment.
We take rng as mut rng: &mut R. Mutable references are copy, even if the referred value isn't copy (they are just pointers).
| prover.prove(&ck, &mut rng) | |
| prover.prove(&ck, rng) |
The current code works because &mut R is virtually congruent to &mut &mut R, but I believe this is a nit. We shouldn't take the reference as mutable, since we don't change the reference itself, but the data it points to (RNG).
src/permutation.rs
Outdated
| &self, | ||
| domain: &EvaluationDomain, | ||
| wires: [&[BlsScalar]; 4], | ||
| beta: &BlsScalar, | ||
| gamma: &BlsScalar, | ||
| sigma_polys: [&Polynomial; 4], | ||
| ) -> Polynomial { | ||
| ) -> Vec<dusk_bls12_381::BlsScalar> { |
There was a problem hiding this comment.
Find the last approach better than this one. I think the decision we need to make is, if we want to perform the ifft before calling blind and have blind in part of the Polynomial or if we perform the ifft in blind and have blind part of the Prover as you had before. Your call :)
src/fft/polynomial.rs
Outdated
| /// Adds the blinding scalars to a given vector. Always the same elements | ||
| /// of 'w_vec' are modified at the beginning of it, and appended at the end: | ||
| /// if hiding degree = 1: (b2*X(n+1) + b1*X^n - b2*X - b1) + w_vec | ||
| /// if hiding degree = 2: (b3*X^(n+2) + b2*X(n+1) + b1*X^n - b3*X^2 - b2*X |
There was a problem hiding this comment.
missing the ^ before the (n+1) in both lines
There was a problem hiding this comment.
LGTM
This is an important security fix and we might consider including this in testnet. cc @autholykos
Add blinding scalars in round 1, 2 and 3 of the proof