Change default to_bits and to_bytes functions to the safe versions

2026-01-12 00:41:32 +01:00 · 2020-03-18 22:29:16 -07:00
parent b24e705527
commit b1913a9ca7
17 changed files with 118 additions and 176 deletions
--- a/r1cs-std/src/fields/fp.rs
+++ b/r1cs-std/src/fields/fp.rs
@@ -326,9 +326,18 @@ impl<F: PrimeField> NEqGadget<F> for FpGadget<F> {
 }

 impl<F: PrimeField> ToBitsGadget<F> for FpGadget<F> {
-    /// Outputs the binary representation of the value in `self` in *big-endian*
+    /// Outputs the unique bit-wise decomposition of `self` in *big-endian*
    /// form.
    fn to_bits<CS: ConstraintSystem<F>>(&self, mut cs: CS) -> Result<Vec<Boolean>, SynthesisError> {
+        let bits = self.to_non_unique_bits(&mut cs)?;
+        Boolean::enforce_in_field::<_, _, F>(&mut cs, &bits)?;
+        Ok(bits)
+    }
+
+    fn to_non_unique_bits<CS: ConstraintSystem<F>>(
+        &self,
+        mut cs: CS,
+    ) -> Result<Vec<Boolean>, SynthesisError> {
        let num_bits = F::Params::MODULUS_BITS;
        use algebra::BitIterator;
        let bit_values = match self.value {
@@ -375,20 +384,29 @@ impl<F: PrimeField> ToBitsGadget<F> for FpGadget<F> {

        Ok(bits.into_iter().map(Boolean::from).collect())
    }
-
-    fn to_bits_strict<CS: ConstraintSystem<F>>(
-        &self,
-        mut cs: CS,
-    ) -> Result<Vec<Boolean>, SynthesisError> {
-        let bits = self.to_bits(&mut cs)?;
-        Boolean::enforce_in_field::<_, _, F>(&mut cs, &bits)?;
-
-        Ok(bits)
-    }
 }

 impl<F: PrimeField> ToBytesGadget<F> for FpGadget<F> {
+    /// Outputs the unique byte decomposition of `self` in *little-endian*
+    /// form.
    fn to_bytes<CS: ConstraintSystem<F>>(&self, mut cs: CS) -> Result<Vec<UInt8>, SynthesisError> {
+        let bytes = self.to_non_unique_bytes(&mut cs)?;
+        Boolean::enforce_in_field::<_, _, F>(
+            &mut cs,
+            &bytes.iter()
+                .flat_map(|byte_gadget| byte_gadget.into_bits_le())
+                // This reverse maps the bits into big-endian form, as required by `enforce_in_field`.
+                .rev()
+                .collect::<Vec<_>>(),
+        )?;
+
+        Ok(bytes)
+    }
+
+    fn to_non_unique_bytes<CS: ConstraintSystem<F>>(
+        &self,
+        mut cs: CS,
+    ) -> Result<Vec<UInt8>, SynthesisError> {
        let byte_values = match self.value {
            Some(value) => to_bytes![&value.into_repr()]?
                .into_iter()
@@ -425,23 +443,6 @@ impl<F: PrimeField> ToBytesGadget<F> for FpGadget<F> {

        Ok(bytes)
    }
-
-    fn to_bytes_strict<CS: ConstraintSystem<F>>(
-        &self,
-        mut cs: CS,
-    ) -> Result<Vec<UInt8>, SynthesisError> {
-        let bytes = self.to_bytes(&mut cs)?;
-        Boolean::enforce_in_field::<_, _, F>(
-            &mut cs,
-            &bytes.iter()
-                .flat_map(|byte_gadget| byte_gadget.into_bits_le())
-                // This reverse maps the bits into big-endian form, as required by `enforce_in_field`.
-                .rev()
-                .collect::<Vec<_>>(),
-        )?;
-
-        Ok(bytes)
-    }
 }

 impl<F: PrimeField> CondSelectGadget<F> for FpGadget<F> {
--- a/r1cs-std/src/fields/fp12.rs
+++ b/r1cs-std/src/fields/fp12.rs
@@ -731,12 +731,12 @@ where
        Ok(c0)
    }

-    fn to_bits_strict<CS: ConstraintSystem<ConstraintF>>(
+    fn to_non_unique_bits<CS: ConstraintSystem<ConstraintF>>(
        &self,
        mut cs: CS,
    ) -> Result<Vec<Boolean>, SynthesisError> {
-        let mut c0 = self.c0.to_bits_strict(cs.ns(|| "c0"))?;
-        let mut c1 = self.c1.to_bits_strict(cs.ns(|| "c1"))?;
+        let mut c0 = self.c0.to_non_unique_bits(cs.ns(|| "c0"))?;
+        let mut c1 = self.c1.to_non_unique_bits(cs.ns(|| "c1"))?;
        c0.append(&mut c1);
        Ok(c0)
    }
@@ -757,12 +757,12 @@ where
        Ok(c0)
    }

-    fn to_bytes_strict<CS: ConstraintSystem<ConstraintF>>(
+    fn to_non_unique_bytes<CS: ConstraintSystem<ConstraintF>>(
        &self,
        mut cs: CS,
    ) -> Result<Vec<UInt8>, SynthesisError> {
-        let mut c0 = self.c0.to_bytes_strict(cs.ns(|| "c0"))?;
-        let mut c1 = self.c1.to_bytes_strict(cs.ns(|| "c1"))?;
+        let mut c0 = self.c0.to_non_unique_bytes(cs.ns(|| "c0"))?;
+        let mut c1 = self.c1.to_non_unique_bytes(cs.ns(|| "c1"))?;
        c0.append(&mut c1);
        Ok(c0)
    }
--- a/r1cs-std/src/fields/fp2.rs
+++ b/r1cs-std/src/fields/fp2.rs
@@ -527,12 +527,12 @@ impl<P: Fp2Parameters<Fp = ConstraintF>, ConstraintF: PrimeField> ToBitsGadget<C
        Ok(c0)
    }

-    fn to_bits_strict<CS: ConstraintSystem<ConstraintF>>(
+    fn to_non_unique_bits<CS: ConstraintSystem<ConstraintF>>(
        &self,
        mut cs: CS,
    ) -> Result<Vec<Boolean>, SynthesisError> {
-        let mut c0 = self.c0.to_bits_strict(cs.ns(|| "c0"))?;
-        let mut c1 = self.c1.to_bits_strict(cs.ns(|| "c1"))?;
+        let mut c0 = self.c0.to_non_unique_bits(cs.ns(|| "c0"))?;
+        let mut c1 = self.c1.to_non_unique_bits(cs.ns(|| "c1"))?;
        c0.append(&mut c1);
        Ok(c0)
    }
@@ -551,12 +551,12 @@ impl<P: Fp2Parameters<Fp = ConstraintF>, ConstraintF: PrimeField> ToBytesGadget<
        Ok(c0)
    }

-    fn to_bytes_strict<CS: ConstraintSystem<ConstraintF>>(
+    fn to_non_unique_bytes<CS: ConstraintSystem<ConstraintF>>(
        &self,
        mut cs: CS,
    ) -> Result<Vec<UInt8>, SynthesisError> {
-        let mut c0 = self.c0.to_bytes_strict(cs.ns(|| "c0"))?;
-        let mut c1 = self.c1.to_bytes_strict(cs.ns(|| "c1"))?;
+        let mut c0 = self.c0.to_non_unique_bytes(cs.ns(|| "c0"))?;
+        let mut c1 = self.c1.to_non_unique_bytes(cs.ns(|| "c1"))?;
        c0.append(&mut c1);
        Ok(c0)
    }
--- a/r1cs-std/src/fields/fp6_3over2.rs
+++ b/r1cs-std/src/fields/fp6_3over2.rs
@@ -800,13 +800,13 @@ where
        Ok(c0)
    }

-    fn to_bits_strict<CS: ConstraintSystem<ConstraintF>>(
+    fn to_non_unique_bits<CS: ConstraintSystem<ConstraintF>>(
        &self,
        mut cs: CS,
    ) -> Result<Vec<Boolean>, SynthesisError> {
-        let mut c0 = self.c0.to_bits_strict(cs.ns(|| "c0"))?;
-        let mut c1 = self.c1.to_bits_strict(cs.ns(|| "c1"))?;
-        let mut c2 = self.c2.to_bits_strict(cs.ns(|| "c2"))?;
+        let mut c0 = self.c0.to_non_unique_bits(cs.ns(|| "c0"))?;
+        let mut c1 = self.c1.to_non_unique_bits(cs.ns(|| "c1"))?;
+        let mut c2 = self.c2.to_non_unique_bits(cs.ns(|| "c2"))?;

        c0.append(&mut c1);
        c0.append(&mut c2);
@@ -834,11 +834,18 @@ where
        Ok(c0)
    }

-    fn to_bytes_strict<CS: ConstraintSystem<ConstraintF>>(
+    fn to_non_unique_bytes<CS: ConstraintSystem<ConstraintF>>(
        &self,
-        cs: CS,
+        mut cs: CS,
    ) -> Result<Vec<UInt8>, SynthesisError> {
-        self.to_bytes(cs)
+        let mut c0 = self.c0.to_non_unique_bytes(cs.ns(|| "c0"))?;
+        let mut c1 = self.c1.to_non_unique_bytes(cs.ns(|| "c1"))?;
+        let mut c2 = self.c2.to_non_unique_bytes(cs.ns(|| "c2"))?;
+
+        c0.append(&mut c1);
+        c0.append(&mut c2);
+
+        Ok(c0)
    }
 }

--- a/r1cs-std/src/fields/mod.rs
+++ b/r1cs-std/src/fields/mod.rs
@@ -452,7 +452,9 @@ pub(crate) mod tests {

        let n = F::alloc(&mut cs.ns(|| "alloc new var"), || Ok(negone)).unwrap();
        let _ = n.to_bytes(&mut cs.ns(|| "ToBytes")).unwrap();
-        let _ = n.to_bytes_strict(&mut cs.ns(|| "ToBytes Strict")).unwrap();
+        let _ = n
+            .to_non_unique_bytes(&mut cs.ns(|| "ToBytes Strict"))
+            .unwrap();

        let ab_false = a
            .conditionally_add_constant(