From ceec513f6209c97ee63729f581402afba849150d Mon Sep 17 00:00:00 2001
From: Pratyush Mishra
Date: Tue, 10 Nov 2020 10:46:44 -0800
Subject: [PATCH] Fix SW `to_affine` (#9)

Adds constraints to check that the conversion to affine coordinates happened correctly.
---
 src/groups/curves/short_weierstrass/mod.rs | 41 +++++++---------------
 1 file changed, 13 insertions(+), 28 deletions(-)

diff --git a/src/groups/curves/short_weierstrass/mod.rs b/src/groups/curves/short_weierstrass/mod.rs
index 6465323..b0f49d9 100644
--- a/src/groups/curves/short_weierstrass/mod.rs
+++ b/src/groups/curves/short_weierstrass/mod.rs
@@ -149,40 +149,25 @@ where
     /// Convert this point into affine form.
     #[tracing::instrument(target = "r1cs")]
     pub fn to_affine(&self) -> Result, SynthesisError> {
-        let cs = self.cs();
-        let mode = if self.is_constant() {
+        if self.is_constant() {
             let point = self.value()?.into_affine();
             let x = F::new_constant(ConstraintSystemRef::None, point.x)?;
             let y = F::new_constant(ConstraintSystemRef::None, point.y)?;
             let infinity = Boolean::constant(point.infinity);
-            return Ok(AffineVar::new(x, y, infinity));
+            Ok(AffineVar::new(x, y, infinity))
         } else {
-            AllocationMode::Witness
-        };
+            let infinity = self.is_zero()?;
+            let zero_x = F::zero();
+            let zero_y = F::one();
+
+            let non_zero_x = &self.x * &self.z;
+            let non_zero_y = &self.y * &self.z;
 
-        let infinity = self.is_zero()?;
-        let zero_x = F::zero();
-        let zero_y = F::one();
-
-        let non_zero_x = F::new_variable(
-            ark_relations::ns!(cs, "non-zero x"),
-            || {
-                let z_inv = self.z.value()?.inverse().unwrap_or(P::BaseField::zero());
-                Ok(self.x.value()? * &z_inv)
-            },
-            mode,
-        )?;
-        let non_zero_y = F::new_variable(
-            ark_relations::ns!(cs, "non-zero y"),
-            || {
-                let z_inv = self.z.value()?.inverse().unwrap_or(P::BaseField::zero());
-                Ok(self.y.value()? * &z_inv)
-            },
-            mode,
-        )?;
-        let x = infinity.select(&zero_x, &non_zero_x)?;
-        let y = infinity.select(&zero_y, &non_zero_y)?;
-        Ok(AffineVar::new(x, y, infinity))
+            let x = infinity.select(&zero_x, &non_zero_x)?;
+            let y = infinity.select(&zero_y, &non_zero_y)?;
+
+            Ok(AffineVar::new(x, y, infinity))
+        }
     }
 
     /// Allocates a new variable without performing an on-curve check, which is
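Review bot: The added `let non_zero_x = &self.x * &self.z;` and `let non_zero_y = &self.y * &self.z;` multiply by `z`, whereas the witness closures they replace computed `self.x.value()? * &z_inv` with `z_inv = self.z.value()?.inverse()`, so unless the coordinate convention changed elsewhere (not visible in this hunk) the non-constant branch now yields x·z and y·z instead of x/z and y/z, and `to_affine` returns the wrong point whenever z ≠ 1. The removed code had the mirror problem — `F::new_variable` allocated the quotient as a free witness with nothing constraining it against `self.x` and `self.z`, which is the soundness gap the commit message targets — and a fix needs both the constraint and the division. Witness `z_inv` (zero when `z` has no inverse), bind it with `z_inv.mul_equals(&self.z, &F::from(!&infinity))` so the product is 1 exactly for finite points and 0 at infinity, then multiply `self.x` and `self.y` by `z_inv`; this needs the `let cs = self.cs();` the hunk deleted, restored inside the `else` branch. A test comparing `p.to_affine()?.value()?` with `p.value()?.into_affine()` for a witnessed non-identity point would catch this regression.
```rust
        } else {
            let cs = self.cs();
            let infinity = self.is_zero()?;
            // … unchanged: zero_x / zero_y …

            // Witness z⁻¹ (zero when z is not invertible, i.e. at infinity) and
            // bind it: z_inv * z == 1 for finite points, == 0 at infinity, so the
            // prover cannot choose the affine coordinates freely.
            let z_inv = F::new_witness(ark_relations::ns!(cs, "z_inverse"), || {
                Ok(self.z.value()?.inverse().unwrap_or(P::BaseField::zero()))
            })?;
            z_inv.mul_equals(&self.z, &F::from(!&infinity))?;

            let non_zero_x = &self.x * &z_inv;
            let non_zero_y = &self.y * &z_inv;
            // … unchanged: select on `infinity` and construct AffineVar …
```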