Merge pull request #3 from peppersec/prevent-griefing

prevent nullifier griefing
This commit is contained in:
Pertsev Alexey 2019-07-24 17:58:43 +03:00 committed by GitHub
commit 46165bafc1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 29 additions and 13 deletions

1
.nvmrc Normal file
View File

@ -0,0 +1 @@
11

View File

@ -32,8 +32,8 @@ spent since it has the same nullifier and it will prevent you from withdrawing y
1. `npm run build:circuit` - may take 10 minutes or more
1. `npm run build:contract`
1. `npm run browserify`
1. `npm run test` - optionally run tests. It may fail for the first time, just run one more time.
1. `npx ganache-cli`
1. `npm run test` - optionally run tests. It may fail for the first time, just run one more time.
1. `npm run migrate:dev`
1. `./cli.js deposit`
1. `./cli.js withdraw <note from previous step> <destination eth address>`

View File

@ -4,31 +4,36 @@ include "merkleTree.circom";
// computes Pedersen(nullifier + secret)
template CommitmentHasher() {
signal input nullifier;
signal private input nullifier;
signal private input secret;
signal output hash;
signal output commitment;
signal output nullifierHash;
component commitment = Pedersen(512);
component commitmentHasher = Pedersen(512);
component nullifierHasher = Pedersen(256);
component nullifierBits = Num2Bits(256);
component secretBits = Num2Bits(256);
nullifierBits.in <== nullifier;
secretBits.in <== secret;
for (var i = 0; i < 256; i++) {
commitment.in[i] <== nullifierBits.out[i];
commitment.in[i + 256] <== secretBits.out[i];
nullifierHasher.in[i] <== nullifierBits.out[i];
commitmentHasher.in[i] <== nullifierBits.out[i];
commitmentHasher.in[i + 256] <== secretBits.out[i];
}
hash <== commitment.out[0];
commitment <== commitmentHasher.out[0];
nullifierHash <== nullifierHasher.out[0];
}
// Verifies that commitment that corresponds to given secret and nullifier is included in the merkle tree of deposits
template Withdraw(levels, rounds) {
signal input root;
signal input nullifier;
signal input nullifierHash;
// TODO: Check if we need some kind of explicit constraints or something for those 2 inputs
signal input receiver; // not taking part in any computations
signal input fee; // not taking part in any computations
signal private input nullifier;
signal private input secret;
signal private input pathElements[levels];
signal private input pathIndex[levels];
@ -37,8 +42,10 @@ template Withdraw(levels, rounds) {
hasher.nullifier <== nullifier;
hasher.secret <== secret;
nullifierHash === hasher.nullifierHash;
component tree = MerkleTree(levels, rounds);
tree.leaf <== hasher.hash;
tree.leaf <== hasher.commitment;
tree.root <== root;
for (var i = 0; i < levels; i++) {
tree.pathElements[i] <== pathElements[i];

3
cli.js
View File

@ -64,11 +64,12 @@ async function withdraw(note, receiver) {
const input = {
// public
root: root,
nullifier: deposit.nullifier,
nullifierHash: pedersenHash(deposit.nullifier.leInt2Buff(32)),
receiver: bigInt(receiver),
fee: bigInt(0),
// private
nullifier: deposit.nullifier,
secret: deposit.secret,
pathElements: path_elements,
pathIndex: path_index,

View File

@ -127,6 +127,7 @@ contract('Mixer', accounts => {
const input = stringifyBigInts({
root,
nullifierHash: pedersenHash(deposit.nullifier.leInt2Buff(32)),
nullifier: deposit.nullifier,
receiver,
fee,
@ -179,16 +180,18 @@ contract('Mixer', accounts => {
const input = stringifyBigInts({
// public
root,
nullifier: deposit.nullifier,
nullifierHash: pedersenHash(deposit.nullifier.leInt2Buff(32)),
receiver,
fee,
// private
nullifier: deposit.nullifier,
secret: deposit.secret,
pathElements: path_elements,
pathIndex: path_index,
})
const proof = await websnarkUtils.genWitnessAndProve(groth16, input, circuit, proving_key)
const { pi_a, pi_b, pi_c, publicSignals } = websnarkUtils.toSolidityInput(proof)
@ -207,7 +210,7 @@ contract('Mixer', accounts => {
balanceRecieverAfter.should.be.eq.BN(toBN(balanceRecieverBefore).add(toBN(value)).sub(feeBN))
logs[0].event.should.be.equal('Withdraw')
logs[0].args.nullifier.should.be.eq.BN(toBN(deposit.nullifier.toString()))
logs[0].args.nullifier.should.be.eq.BN(toBN(input.nullifierHash.toString()))
logs[0].args.fee.should.be.eq.BN(feeBN)
})
@ -220,6 +223,7 @@ contract('Mixer', accounts => {
const input = stringifyBigInts({
root,
nullifierHash: pedersenHash(deposit.nullifier.leInt2Buff(32)),
nullifier: deposit.nullifier,
receiver,
fee,
@ -244,6 +248,7 @@ contract('Mixer', accounts => {
const oneEtherFee = bigInt(1e18) // 1 ether
const input = stringifyBigInts({
root,
nullifierHash: pedersenHash(deposit.nullifier.leInt2Buff(32)),
nullifier: deposit.nullifier,
receiver,
fee: oneEtherFee,
@ -266,6 +271,7 @@ contract('Mixer', accounts => {
const { root, path_elements, path_index } = await tree.path(0)
const input = stringifyBigInts({
nullifierHash: pedersenHash(deposit.nullifier.leInt2Buff(32)),
root,
nullifier: deposit.nullifier,
receiver,
@ -293,6 +299,7 @@ contract('Mixer', accounts => {
const input = stringifyBigInts({
root,
nullifierHash: pedersenHash(deposit.nullifier.leInt2Buff(32)),
nullifier: deposit.nullifier,
receiver,
fee,