[zk-token-sdk] Allow all zero auditor pubkey in proofs (#33106)

samkim-crypto · web-flow · commit a4ceea32d72c · 2023-09-01T10:26:15.000-07:00
* allow auditor ElGamal public key to be all zero

* remove test components on all zero auditor ElGamal pubkey
diff --git a/zk-token-sdk/src/instruction/transfer/with_fee.rs b/zk-token-sdk/src/instruction/transfer/with_fee.rs
@@ -840,7 +840,7 @@ mod test {
 
         assert!(fee_data.verify_proof().is_ok());
 
-        // Case 4: invalid destination, auditor, or withdraw authority pubkeys
+        // Case 4: destination pubkey invalid
         let spendable_balance: u64 = 120;
         let spendable_ciphertext = source_keypair.pubkey().encrypt(spendable_balance);
 
@@ -871,47 +871,5 @@ mod test {
         .unwrap();
 
         assert!(fee_data.verify_proof().is_err());
-
-        // auditor pubkey invalid
-        let destination_keypair = ElGamalKeypair::new_rand();
-        let destination_pubkey = destination_keypair.pubkey();
-
-        let auditor_pubkey = pod::ElGamalPubkey::zeroed().try_into().unwrap();
-
-        let withdraw_withheld_authority_keypair = ElGamalKeypair::new_rand();
-        let withdraw_withheld_authority_pubkey = withdraw_withheld_authority_keypair.pubkey();
-
-        let fee_data = TransferWithFeeData::new(
-            transfer_amount,
-            (spendable_balance, &spendable_ciphertext),
-            &source_keypair,
-            (destination_pubkey, &auditor_pubkey),
-            fee_parameters,
-            withdraw_withheld_authority_pubkey,
-        )
-        .unwrap();
-
-        assert!(fee_data.verify_proof().is_err());
-
-        // withdraw authority invalid
-        let destination_keypair = ElGamalKeypair::new_rand();
-        let destination_pubkey = destination_keypair.pubkey();
-
-        let auditor_keypair = ElGamalKeypair::new_rand();
-        let auditor_pubkey = auditor_keypair.pubkey();
-
-        let withdraw_withheld_authority_pubkey = pod::ElGamalPubkey::zeroed().try_into().unwrap();
-
-        let fee_data = TransferWithFeeData::new(
-            transfer_amount,
-            (spendable_balance, &spendable_ciphertext),
-            &source_keypair,
-            (destination_pubkey, auditor_pubkey),
-            fee_parameters,
-            &withdraw_withheld_authority_pubkey,
-        )
-        .unwrap();
-
-        assert!(fee_data.verify_proof().is_err());
     }
 }
diff --git a/zk-token-sdk/src/instruction/transfer/without_fee.rs b/zk-token-sdk/src/instruction/transfer/without_fee.rs
@@ -524,13 +524,11 @@ mod test {
 
         assert!(transfer_data.verify_proof().is_ok());
 
-        // Case 4: invalid destination or auditor pubkey
+        // Case 4: destination pubkey is invalid
         let spendable_balance: u64 = 0;
         let spendable_ciphertext = source_keypair.pubkey().encrypt(spendable_balance);
-
         let transfer_amount: u64 = 0;
 
-        // destination pubkey invalid
         let dest_pk = pod::ElGamalPubkey::zeroed().try_into().unwrap();
         let auditor_keypair = ElGamalKeypair::new_rand();
         let auditor_pk = auditor_keypair.pubkey();
@@ -544,21 +542,6 @@ mod test {
         .unwrap();
 
         assert!(transfer_data.verify_proof().is_err());
-
-        // auditor pubkey invalid
-        let dest_keypair = ElGamalKeypair::new_rand();
-        let dest_pk = dest_keypair.pubkey();
-        let auditor_pk = pod::ElGamalPubkey::zeroed().try_into().unwrap();
-
-        let transfer_data = TransferData::new(
-            transfer_amount,
-            (spendable_balance, &spendable_ciphertext),
-            &source_keypair,
-            (dest_pk, &auditor_pk),
-        )
-        .unwrap();
-
-        assert!(transfer_data.verify_proof().is_err());
     }
 
     #[test]
diff --git a/zk-token-sdk/src/sigma_proofs/grouped_ciphertext_validity_proof.rs b/zk-token-sdk/src/sigma_proofs/grouped_ciphertext_validity_proof.rs
@@ -134,7 +134,8 @@ impl GroupedCiphertext2HandlesValidityProof {
         // include Y_0, Y_1, Y_2 to transcript and extract challenges
         transcript.validate_and_append_point(b"Y_0", &self.Y_0)?;
         transcript.validate_and_append_point(b"Y_1", &self.Y_1)?;
-        transcript.validate_and_append_point(b"Y_2", &self.Y_2)?;
+        // Y_2 can be an all zero point if the auditor public key is all zero
+        transcript.append_point(b"Y_2", &self.Y_2);
 
         let c = transcript.challenge_scalar(b"c");
         let w = transcript.challenge_scalar(b"w");
@@ -301,37 +302,6 @@ mod test {
             )
             .is_err());
 
-        // if auditor public key zeroed, then the proof should always reject
-        let destination_keypair = ElGamalKeypair::new_rand();
-        let destination_pubkey = destination_keypair.pubkey();
-
-        let auditor_pubkey = ElGamalPubkey::from_bytes(&[0u8; 32]).unwrap();
-
-        let amount: u64 = 55;
-        let (commitment, opening) = Pedersen::new(amount);
-
-        let destination_handle = destination_pubkey.decrypt_handle(&opening);
-        let auditor_handle = auditor_pubkey.decrypt_handle(&opening);
-
-        let mut prover_transcript = Transcript::new(b"Test");
-        let mut verifier_transcript = Transcript::new(b"Test");
-
-        let proof = GroupedCiphertext2HandlesValidityProof::new(
-            (destination_pubkey, &auditor_pubkey),
-            amount,
-            &opening,
-            &mut prover_transcript,
-        );
-
-        assert!(proof
-            .verify(
-                &commitment,
-                (destination_pubkey, &auditor_pubkey),
-                (&destination_handle, &auditor_handle),
-                &mut verifier_transcript,
-            )
-            .is_err());
-
         // all zeroed ciphertext should still be valid
         let destination_keypair = ElGamalKeypair::new_rand();
         let destination_pubkey = destination_keypair.pubkey();
