Mode-explicit verification, y_com accessor, hardened arkworks deserialization #21
Draft
0xAndoroid wants to merge 1 commit into
Signed-off-by: Andrew Tretyakov <42178850+0xAndoroid@users.noreply.github.com>
Summary
Implements SPEC.md — closing the Dory/Jolt boundary issues surfaced in the Jolt review.
- `verify_with_mode<…, Mo>` is the new primitive; `verify_transparent` and `verify_zk` are convenience wrappers; `verify` remains as a documented autodetect/compat entry point. Cross-mode proofs (and partial ZK proofs) are rejected before any transcript challenge that depends on optional fields is drawn.
- `y_com` ownership: `DoryProof::y_com()` accessor (and `is_zk`/`is_transparent`/`zk_fields_present`/`zk_fields_absent`) make the proof the single source of truth for the evaluation hiding commitment. Outer protocols MUST bind to this value.
- `ArkGT` deserialization: rejects `Fq12::ZERO` and any element outside the BN254 r-torsion subgroup (`inner.pow(Fr::MODULUS) == Fq12::ONE`). The check covers both `DoryDeserialize` and arkworks `CanonicalDeserialize` paths — the derive on `ArkGT` was removed and replaced with a manual impl so proofs deserialized through `<ArkDoryProof as CanonicalDeserialize>` validate inner GT fields too.
- `MAX_SERIALIZED_PROOF_ROUNDS = 64` rejects oversized `num_rounds` before any per-round `Vec::with_capacity` allocation. `validate_serialized_proof_shape` also enforces `nu ≤ sigma`, `sigma == num_rounds`, and overflow-safe `nu + sigma`/`sigma < usize::BITS`.
- `get_prepared_cache_for_g1`/`_for_g2` now require the requested vec to be a prefix of the cached vec before reuse, preventing cross-setup misuse of prepared points after `init_cache` is called for a different setup.
Test plan
- `cargo nextest run --all-features` passes (cross-mode acceptance, partial-ZK rejection, `ArkGT` zero/non-r-torsion rejection on both deser paths, oversized/`u32::MAX`/sigma-mismatch proof rejection, ZK roundtrip & verify, transparent roundtrip & verify)
- `cargo clippy --all-targets --all-features -- -D warnings` clean
- `cargo fmt --check` clean
Notes for Jolt
- `DoryScheme::verify` should call `verify_transparent`; `DoryScheme::verify_zk` should call `verify_zk`.
- `y_com`; read it from the proof via `DoryProof::y_com()`.
- `repr(transparent)` wrapper change (chore: mark arkworks wrappers repr(transparent) #20) is in this checkout — Jolt remains exposed until it depends on a release containing it.
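The "reject the shape before any per-round allocation" rule from the Summary, as an added stand-alone illustration rather than the PR's own code: the header struct, the error enum and the exact error set are assumptions; only the invariants (the 64-round cap, `nu ≤ sigma`, `sigma == num_rounds`, `sigma` and `nu + sigma` below `usize::BITS`) come from the description above.

```rust
// Added illustration of validating an untrusted proof header before sizing
// buffers. Type and error names are assumptions, not the repository's API.
const MAX_SERIALIZED_PROOF_ROUNDS: u64 = 64;

#[derive(Debug, PartialEq, Eq)]
pub enum ShapeError {
    TooManyRounds { num_rounds: u64 },
    SigmaMismatch { sigma: u64, num_rounds: u64 },
    NuExceedsSigma { nu: u64, sigma: u64 },
    SizeOverflow,
}

/// Header fields exactly as they arrive from the byte stream (constructed type);
/// nothing here has been trusted yet.
#[derive(Debug, Clone, Copy)]
pub struct ProofHeader {
    pub num_rounds: u64,
    pub nu: u64,
    pub sigma: u64,
}

/// Check every invariant with arithmetic that cannot wrap, so a hostile header
/// is rejected before any Vec::with_capacity sees its values.
pub fn validate_serialized_proof_shape(h: &ProofHeader) -> Result<(), ShapeError> {
    // Bound num_rounds first: it drives every later allocation.
    if h.num_rounds > MAX_SERIALIZED_PROOF_ROUNDS {
        return Err(ShapeError::TooManyRounds { num_rounds: h.num_rounds });
    }
    if h.sigma != h.num_rounds {
        return Err(ShapeError::SigmaMismatch { sigma: h.sigma, num_rounds: h.num_rounds });
    }
    if h.nu > h.sigma {
        return Err(ShapeError::NuExceedsSigma { nu: h.nu, sigma: h.sigma });
    }
    // 1 << sigma and 1 << (nu + sigma) must fit in a usize; checked_add keeps a
    // large nu from wrapping the sum back into range.
    let bits = u64::from(usize::BITS);
    let total = h.nu.checked_add(h.sigma).ok_or(ShapeError::SizeOverflow)?;
    if h.sigma >= bits || total >= bits {
        return Err(ShapeError::SizeOverflow);
    }
    Ok(())
}

/// Per-round buffers are only allocated once the shape check has passed.
pub fn round_buffers(h: &ProofHeader) -> Result<Vec<Vec<u8>>, ShapeError> {
    validate_serialized_proof_shape(h)?;
    Ok((0..h.num_rounds).map(|_| Vec::with_capacity(32)).collect())
}
```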