The non degeneracy criteria is there’s no bilinear pairing resulting in the finite field element 1 equivalent.
In the case of the optimal ate pairing, this can happen if one of the point of the pairing is the point at infinity : then whatever is the other point in the key, the result will always be 1.
For that reason, Zcash prevent the prover from fully controlling proof inputs and thus provide no encodings for the point at infinity.
On Ethereum, the prover often can set without filters A ; B ; C. And the only check in ᴇɪᴘ‑197 is points must be on curves and implementations just skip the compultation of bilinear parings containing a point at infinity : as long as the end result is 1 in $F_q¹²$, the contract call can succeed even with 1 or 3 points at infinity $(0,0)$
But what would happen if it would be the cases as it’s happening on some implementation that use the Ethereum’s ᴇɪᴘ‐197 precompile ? There are clear examples on how to forge proofs when there’s no public inputs or they are allowed to be all 0 but are there security risk when public inputs are used and if yes how this can be done ?
[link] [comments]
You can get bonuses upto $100 FREE BONUS when you:
💰 Install these recommended apps:
💲 SocialGood - 100% Crypto Back on Everyday Shopping
💲 xPortal - The DeFi For The Next Billion
💲 CryptoTab Browser - Lightweight, fast, and ready to mine!
💰 Register on these recommended exchanges:
🟡 Binance🟡 Bitfinex🟡 Bitmart🟡 Bittrex🟡 Bitget
🟡 CoinEx🟡 Crypto.com🟡 Gate.io🟡 Huobi🟡 Kucoin.
Comments