signer: add poseidon hash tests

Author: querolita

src/mina-signer/src/call-forest-hash-padding.unit-test.ts

@@ -0,0 +1,56 @@
+import { expect } from 'expect';
+import { Poseidon, hashWithPrefix } from './poseidon-bigint.js';
+import { callForestHashGeneric, CallForest } from './sign-zkapp-command.js';
+import { prefixes } from '../../bindings/crypto/constants.js';
+import { NetworkId } from './types.js';
+
+type Leaf = bigint;
+
+async function testCallForestPaddingCollision() {
+  const net: NetworkId = 'testnet';
+  const hashLeaf = (leaf: Leaf) => Poseidon.hash([leaf]);
+  const hash = (leaf: Leaf, _networkId: NetworkId) => hashLeaf(leaf);
+
+  const forestBase: CallForest<Leaf> = [{ accountUpdate: 1n, children: [] }];
+  const forestPadded: CallForest<Leaf> = [
+    { accountUpdate: 1n, children: [] },
+    { accountUpdate: 0n, children: [] }, // extra trailing zero leaf
+  ];
+
+  const baseDigest = callForestHashGeneric(
+    forestBase,
+    hash,
+    hashWithPrefix,
+    0n,
+    net
+  );
+  const paddedDigest = callForestHashGeneric(
+    forestPadded,
+    hash,
+    hashWithPrefix,
+    0n,
+    net
+  );
+
+  expect(baseDigest).not.toEqual(paddedDigest);
+
+  // Show the intermediate node hash differs when padding is added, by revealing
+  // the cons hash structure explicitly.
+  const nodeHashBase = hashWithPrefix(prefixes.accountUpdateNode, [
+    hashLeaf(1n),
+    0n,
+  ]);
+  const nodeHashPaddedFirst = nodeHashBase;
+  const nodeHashPaddedSecond = hashWithPrefix(prefixes.accountUpdateNode, [
+    hashLeaf(0n),
+    0n,
+  ]);
+  const recomposedPadded = hashWithPrefix(prefixes.accountUpdateCons, [
+    nodeHashPaddedSecond,
+    hashWithPrefix(prefixes.accountUpdateCons, [nodeHashPaddedFirst, 0n]),
+  ]);
+
+  expect(paddedDigest).not.toEqual(recomposedPadded);
+}
+
+await testCallForestPaddingCollision();

src/mina-signer/src/nullifier-padding.unit-test.ts

@@ -0,0 +1,18 @@
+import { expect } from 'expect';
+import { createNullifier } from './nullifier.js';
+
+async function testNullifierPaddingDifference() {
+  const sk = 5n;
+
+  const messageShort = [1n];
+  const messagePadded = [1n, 0n];
+
+  const nullifierShort = createNullifier(messageShort, sk);
+  const nullifierPadded = createNullifier(messagePadded, sk);
+
+  // The nullifier should change when padding changes the message
+  expect(nullifierShort.public.nullifier).not.toEqual(nullifierPadded.public.nullifier);
+  expect(nullifierShort.public.s).not.toEqual(nullifierPadded.public.s);
+}
+
+await testNullifierPaddingDifference();

src/mina-signer/src/poseidon-padding.unit-test.ts

@@ -0,0 +1,42 @@
+import { expect } from 'expect';
+import { HashInput, packToFields, hashWithPrefix } from './poseidon-bigint.js';
+import { Field } from './field-bigint.js';
+import { Group } from './curve-bigint.js';
+import { signaturePrefix } from './signature.js';
+import { NetworkId } from './types.js';
+
+/**
+ * Demonstrates that adding zero padding inside a packed field chunk produces
+ * a different packed field array and Poseidon digest.
+ */
+async function testPoseidonPaddingCollision() {
+  const shortMessage: HashInput = { packed: [[Field(1n), 1]] };
+  const paddedMessage: HashInput = { packed: [[Field(1n), 1], [Field(0n), 1]] };
+
+  const packedShort = packToFields(shortMessage);
+  const packedPadded = packToFields(paddedMessage);
+
+  const dummyPubKey: Group = { x: Field(3n), y: Field(5n) };
+  const r = Field(7n);
+  const net: NetworkId = 'testnet';
+
+  const hashMessageCompat = (msg: HashInput) => {
+    const input = HashInput.append(msg, { fields: [dummyPubKey.x, dummyPubKey.y, r] });
+    return hashWithPrefix(signaturePrefix(net), packToFields(input));
+  };
+
+  const hShort = hashMessageCompat(shortMessage);
+  const hPadded = hashMessageCompat(paddedMessage);
+
+  // With a non-zero payload bit, padding changes the packed field and the hash.
+  expect(packedShort).not.toEqual(packedPadded);
+  expect(hShort).not.toEqual(hPadded);
+
+  // packing zero bits does produce the same result however
+  const zeroPacked: HashInput = { packed: [[Field(0n), 1]] };
+  const zeroPaddedPacked: HashInput = { packed: [[Field(0n), 1], [Field(0n), 1]] };
+
+  expect(packToFields(zeroPacked)).toEqual(packToFields(zeroPaddedPacked));
+}
+
+await testPoseidonPaddingCollision();