Fix bugs in Zero Balance Verification #6
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
dssei
approved these changes
Dec 6, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In the fix for the audit, we added validations to ensure that none of the fields of proofs should be Zero or the Identity Point. This makes sense for most fields since they are computed via randomly generated scalars and it is near impossible for them to be zero (Those fields being zero would suggest tampering with the proof)
However, in this one case, it is possible and even common for the Yd field of a zero proof to be the identity point.
Since Yd is computed as D.Mul(y) where D is the D component of a ciphertext and y is a randomly generated scalar, Yd is zero when y is generated as zero (no longer possible) or if D is zero.
D of a ciphertext is zero (identity point) when we perform a subtraction of a ciphertext on itself. This is what we do to zero out fields in apply pending balances and is not an uncommon scenario. This means that we it is possible for Yd to be identity point and we should remove that validation.
Also checked other fields and added tests for other fields where this could be possible and confirmed that this doesn't apply apply to other fields, so we can leave the rest of the validations in place.