prevent nullifier griefing

2025-05-02 06:16:03 -04:00 · 2019-07-19 19:37:38 +03:00 · 2019-07-19 19:37:38 +03:00 · 14e15ba6c0
commit 14e15ba6c0
parent e6d103b875
2 changed files with 17 additions and 9 deletions
--- a/circuits/withdraw.circom
+++ b/circuits/withdraw.circom
@ -4,31 +4,36 @@ include "merkleTree.circom";

 // computes Pedersen(nullifier + secret)
 template CommitmentHasher() {
-    signal input nullifier;
+    signal private input nullifier;
    signal private input secret;

-    signal output hash;
+    signal output commitment;
+    signal output nullifierHash;

-    component commitment = Pedersen(512);
+    component commitmentHasher = Pedersen(512);
+    component nullifierHasher = Pedersen(256);
    component nullifierBits = Num2Bits(256);
    component secretBits = Num2Bits(256);
    nullifierBits.in <== nullifier;
    secretBits.in <== secret;
    for (var i = 0; i < 256; i++) {
-        commitment.in[i] <== nullifierBits.out[i];
-        commitment.in[i + 256] <== secretBits.out[i];
+        nullifierHasher.in[i] <== nullifierBits.out[i];
+        commitmentHasher.in[i] <== nullifierBits.out[i];
+        commitmentHasher.in[i + 256] <== secretBits.out[i];
    }

-    hash <== commitment.out[0];
+    commitment <== commitmentHasher.out[0];
+    nullifierHash <== nullifierHasher.out[0];
 }

 // Verifies that commitment that corresponds to given secret and nullifier is included in the merkle tree of deposits
 template Withdraw(levels, rounds) {
    signal input root;
-    signal input nullifier;
+    signal input nullifierHash;
    // TODO: Check if we need some kind of explicit constraints or something for those 2 inputs
    signal input receiver; // not taking part in any computations
    signal input fee; // not taking part in any computations
+    signal private input nullifier;
    signal private input secret;
    signal private input pathElements[levels];
    signal private input pathIndex[levels];
@ -37,8 +42,10 @@ template Withdraw(levels, rounds) {
    hasher.nullifier <== nullifier;
    hasher.secret <== secret;

+    nullifierHash === hasher.nullifierHash;
+
    component tree = MerkleTree(levels, rounds);
-    tree.leaf <== hasher.hash;
+    tree.leaf <== hasher.commitment;
    tree.root <== root;
    for (var i = 0; i < levels; i++) {
        tree.pathElements[i] <== pathElements[i];