Add RingVRF padding points (#109)

Zero'd out bandersnatch public keys need to be replaced with padding points that actually exist on the curve.
eigerco · Nov 14, 2024 · f7ecbd8 · f7ecbd8
1 parent f6965e5
commit f7ecbd8
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 2 deletions.
diff --git a/bandersnatch/src/lib.rs b/bandersnatch/src/lib.rs
@@ -472,9 +472,18 @@ pub unsafe extern "C" fn new_ring_vrf_verifier(
     let public_keys_slice = std::slice::from_raw_parts(public_keys, public_keys_len);
     let num_keys = public_keys_len / PUBLIC_KEY_LENGTH;
 
+    let padding_point = ring_context().padding_point();
+    let zero_chunk = [0u8; PUBLIC_KEY_LENGTH];
     let ring: Vec<Public> = public_keys_slice
         .chunks(PUBLIC_KEY_LENGTH)
-        .filter_map(|chunk| Public::deserialize_compressed(chunk).ok())
+        .map(|chunk| {
+            // Replace any zero'd out public keys with a padding point.
+            if chunk == zero_chunk {
+                Public::from(padding_point)
+            } else {
+                Public::deserialize_compressed(chunk).unwrap()
+            }
+        })
         .collect();
 
     if ring.len() != num_keys {
@@ -655,9 +664,18 @@ pub unsafe extern "C" fn new_ring_vrf_prover(
 
     let num_keys = public_keys_len / PUBLIC_KEY_LENGTH;
 
+    let padding_point = ring_context().padding_point();
+    let zero_chunk = [0u8; PUBLIC_KEY_LENGTH];
     let ring: Vec<Public> = public_keys_slice
         .chunks(PUBLIC_KEY_LENGTH)
-        .filter_map(|chunk| Public::deserialize_compressed(chunk).ok())
+        .map(|chunk| {
+            // Replace any zero'd out public keys with a padding point.
+            if chunk == zero_chunk {
+                Public::from(padding_point)
+            } else {
+                Public::deserialize_compressed(chunk).unwrap()
+            }
+        })
         .collect();
 
     if ring.len() != num_keys {

diff --git a/internal/crypto/bandersnatch/bandersnatch_test.go b/internal/crypto/bandersnatch/bandersnatch_test.go
@@ -54,6 +54,11 @@ func TestRingSignAndVerify(t *testing.T) {
 		ring = append(ring, pk)
 	}
 
+	// Including some zero'd out public keys that should be replaced with
+	// padding points.
+	ring[4] = crypto.BandersnatchPublicKey{}
+	ring[5] = crypto.BandersnatchPublicKey{}
+
 	var proverIdx uint = 3
 	proverSk, err := NewPrivateKeyFromSeed(uintToSeed(proverIdx))
 	require.NoError(t, err)