prevent nullifier griefing

poma 2019-07-19 19:37:38 +03:00
parent e6d103b875
commit 14e15ba6c0
No known key found for this signature in database
GPG Key ID: 530BBEE4AE8C3604
2 changed files with 17 additions and 9 deletions


@ -4,31 +4,36 @@ include "merkleTree.circom";
// computes Pedersen(nullifier + secret) // computes Pedersen(nullifier + secret)
template CommitmentHasher() { template CommitmentHasher() {
signal input nullifier; signal private input nullifier;
signal private input secret; signal private input secret;
signal output hash; signal output commitment;
signal output nullifierHash;
component commitment = Pedersen(512); component commitmentHasher = Pedersen(512);
component nullifierHasher = Pedersen(256);
component nullifierBits = Num2Bits(256); component nullifierBits = Num2Bits(256);
component secretBits = Num2Bits(256); component secretBits = Num2Bits(256);
nullifierBits.in <== nullifier; nullifierBits.in <== nullifier;
secretBits.in <== secret; secretBits.in <== secret;
for (var i = 0; i < 256; i++) { for (var i = 0; i < 256; i++) {
commitment.in[i] <== nullifierBits.out[i]; nullifierHasher.in[i] <== nullifierBits.out[i];
commitment.in[i + 256] <== secretBits.out[i]; commitmentHasher.in[i] <== nullifierBits.out[i];
commitmentHasher.in[i + 256] <== secretBits.out[i];
} }
hash <== commitment.out[0]; commitment <== commitmentHasher.out[0];
nullifierHash <== nullifierHasher.out[0];
} }
// Verifies that commitment that corresponds to given secret and nullifier is included in the merkle tree of deposits // Verifies that commitment that corresponds to given secret and nullifier is included in the merkle tree of deposits
template Withdraw(levels, rounds) { template Withdraw(levels, rounds) {
signal input root; signal input root;
signal input nullifier; signal input nullifierHash;
// TODO: Check if we need some kind of explicit constraints or something for those 2 inputs // TODO: Check if we need some kind of explicit constraints or something for those 2 inputs
signal input receiver; // not taking part in any computations signal input receiver; // not taking part in any computations
signal input fee; // not taking part in any computations signal input fee; // not taking part in any computations
signal private input nullifier;
signal private input secret; signal private input secret;
signal private input pathElements[levels]; signal private input pathElements[levels];
signal private input pathIndex[levels]; signal private input pathIndex[levels];
@ -37,8 +42,10 @@ template Withdraw(levels, rounds) {
hasher.nullifier <== nullifier; hasher.nullifier <== nullifier;
hasher.secret <== secret; hasher.secret <== secret;
nullifierHash === hasher.nullifierHash;
component tree = MerkleTree(levels, rounds); component tree = MerkleTree(levels, rounds);
tree.leaf <== hasher.hash; tree.leaf <== hasher.commitment;
tree.root <== root; tree.root <== root;
for (var i = 0; i < levels; i++) { for (var i = 0; i < levels; i++) {
tree.pathElements[i] <== pathElements[i]; tree.pathElements[i] <== pathElements[i];
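Review bot: `receiver` and `fee` (the context lines still carrying the TODO in the first hunk) take part in no constraint even after this change, so the proof does not bind them; the new `nullifierHash === hasher.nullifierHash` check covers only the nullifier. A public input that appears in no constraint may be dropped by the circom optimizer, in which case a verifier would accept the same proof for any receiver/fee value, which is exactly the binding a withdrawal proof needs. A cheap way to bind them is a dummy constraint, e.g. `signal receiverSquare; receiverSquare <== receiver * receiver;` and `signal feeSquare; feeSquare <== fee * fee;`, which would also resolve the TODO. Separately, the CommitmentHasher header comment still reads "computes Pedersen(nullifier + secret)" although the template now also outputs `nullifierHash`; suggest `// computes commitment = Pedersen(nullifier || secret) and nullifierHash = Pedersen(nullifier)`. The Withdraw template continues past the end of this hunk.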

cli.js

@ -64,11 +64,12 @@ async function withdraw(note, receiver) {
const input = { const input = {
// public // public
root: root, root: root,
nullifier: deposit.nullifier, nullifierHash: pedersenHash(deposit.nullifier.leInt2Buff(32)),
receiver: bigInt(receiver), receiver: bigInt(receiver),
fee: bigInt(0), fee: bigInt(0),
// private // private
nullifier: deposit.nullifier,
secret: deposit.secret, secret: deposit.secret,
pathElements: path_elements, pathElements: path_elements,
pathIndex: path_index, pathIndex: path_index,