fix: require expected policy in proof verification

Author: TheCryptoDonkey

README.md

@@ -27,8 +27,8 @@ import { createRangeProof, verifyRangeProof } from '@forgesworn/range-proof';
 // Prove that `value` is in [min, max] without revealing `value`
 const proof = createRangeProof(value, min, max);
 
-// Anyone can verify the proof
-const valid = verifyRangeProof(proof); // true
+// Verifiers must supply the public range they expect
+const valid = verifyRangeProof(proof, min, max); // true
 ```
 
 ### Age range proofs
@@ -38,10 +38,11 @@ import { createAgeRangeProof, verifyAgeRangeProof } from '@forgesworn/range-proo
 
 // Prove age is between 8 and 12 (e.g. child category)
 const proof = createAgeRangeProof(10, '8-12');
-const valid = verifyAgeRangeProof(proof); // true
+const valid = verifyAgeRangeProof(proof, '8-12'); // true
 
 // Prove age is 18 or over
 const adultProof = createAgeRangeProof(25, '18+');
+const adultValid = verifyAgeRangeProof(adultProof, '18+'); // true
 ```
 
 ### Binding context
@@ -50,6 +51,7 @@ Pass an optional context string to bind the proof to a specific credential or id
 
 ```typescript
 const proof = createRangeProof(value, min, max, 'subject-pubkey-hex');
+const valid = verifyRangeProof(proof, min, max, 'subject-pubkey-hex');
 ```
 
 ### Pedersen commitments

llms.txt

@@ -18,7 +18,7 @@ Prove a value is in range:
 import { createRangeProof, verifyRangeProof } from '@forgesworn/range-proof';
 
 const proof = createRangeProof(25, 18, 150);
-const valid = verifyRangeProof(proof); // true
+const valid = verifyRangeProof(proof, 18, 150); // true
 ```
 
 Bind a proof to a subject identity (prevents transplant attacks):
@@ -46,9 +46,9 @@ An optional context string is included in all Fiat-Shamir challenges, binding th
 ### Core Functions
 
 - `createRangeProof(value, min, max, bindingContext?)` — prove `value` is in `[min, max]`
-- `verifyRangeProof(proof)` — verify a range proof (returns boolean)
+- `verifyRangeProof(proof, expectedMin, expectedMax, expectedBindingContext?)` — verify a range proof against expected public inputs
 - `createAgeRangeProof(age, ageRange, subjectPubkey?)` — convenience wrapper accepting `'18+'` or `'8-12'` format
-- `verifyAgeRangeProof(proof)` — verify an age range proof
+- `verifyAgeRangeProof(proof, expectedAgeRange, expectedSubjectPubkey?)` — verify an age range proof against an expected policy
 
 ### Pedersen Commitments
 

src/range-proof.ts

@@ -43,6 +43,51 @@ function isValidScalarHex(hex: string): boolean {
   return HEX_SCALAR_64.test(hex);
 }
 
+function normalizeBindingContext(bindingContext?: string): string | undefined {
+  return bindingContext === '' ? undefined : bindingContext;
+}
+
+function bindingContextToBytes(bindingContext?: string): Uint8Array {
+  const normalized = normalizeBindingContext(bindingContext);
+  if (normalized === undefined) return EMPTY_CONTEXT;
+  if (normalized.length > MAX_CONTEXT_BYTES) {
+    throw new ValidationError('Binding context exceeds maximum length (1024 bytes)');
+  }
+  const context = utf8ToBytes(normalized);
+  if (context.length > MAX_CONTEXT_BYTES) {
+    throw new ValidationError('Binding context exceeds maximum length (1024 bytes)');
+  }
+  return context;
+}
+
+function sameBindingContext(left?: string, right?: string): boolean {
+  return normalizeBindingContext(left) === normalizeBindingContext(right);
+}
+
+function parseAgeRange(ageRange: string): { min: number; max: number } {
+  const DIGITS_ONLY = /^\d+$/;
+
+  if (ageRange.endsWith('+')) {
+    const minStr = ageRange.slice(0, -1);
+    if (!DIGITS_ONLY.test(minStr)) {
+      throw new ValidationError('Invalid age range format (expected "min-max" or "min+")');
+    }
+    return { min: parseInt(minStr, 10), max: 150 };
+  }
+
+  const parts = ageRange.split('-');
+  if (parts.length !== 2) {
+    throw new ValidationError('Invalid age range format (expected "min-max" or "min+")');
+  }
+  if (!DIGITS_ONLY.test(parts[0]) || !DIGITS_ONLY.test(parts[1])) {
+    throw new ValidationError('Invalid age range format (expected "min-max" or "min+")');
+  }
+  return {
+    min: parseInt(parts[0], 10),
+    max: parseInt(parts[1], 10),
+  };
+}
+
 // --- Pedersen Commitment ---
 
 export interface PedersenCommitment {
@@ -387,11 +432,8 @@ export function createRangeProof(value: number, min: number, max: number, bindin
   if (max < min) throw new ValidationError('Maximum must be >= minimum');
   if (value < min || value > max) throw new ValidationError('Value is not within the specified range');
 
-  if (bindingContext !== undefined && bindingContext.length > MAX_CONTEXT_BYTES) {
-    throw new ValidationError('Binding context exceeds maximum length (1024 bytes)');
-  }
-  const context = bindingContext ? utf8ToBytes(bindingContext) : EMPTY_CONTEXT;
-  if (context.length > MAX_CONTEXT_BYTES) throw new ValidationError('Binding context exceeds maximum length (1024 bytes)');
+  const normalizedBindingContext = normalizeBindingContext(bindingContext);
+  const context = bindingContextToBytes(normalizedBindingContext);
 
   const range = max - min;
   const bits = bitsNeeded(range);
@@ -462,26 +504,38 @@ export function createRangeProof(value: number, min: number, max: number, bindin
     sumBindingS: sumBinding.s,
     commitBindingE: commitBinding.e,
     commitBindingS: commitBinding.s,
-    context: bindingContext,
+    ...(normalizedBindingContext !== undefined ? { context: normalizedBindingContext } : {}),
   };
 }
 
 /**
  * Verify a range proof.
  *
  * @param proof - The range proof to verify
+ * @param expectedMin - The minimum bound the verifier expects
+ * @param expectedMax - The maximum bound the verifier expects
+ * @param expectedBindingContext - Optional binding context the verifier expects
  * @returns true if the proof is valid
  */
-export function verifyRangeProof(proof: RangeProof): boolean {
+export function verifyRangeProof(
+  proof: RangeProof,
+  expectedMin: number,
+  expectedMax: number,
+  expectedBindingContext?: string
+): boolean {
   try {
     const { min, max, bits, lowerProof, upperProof } = proof;
-    if (proof.context && proof.context.length > MAX_CONTEXT_BYTES) return false;
-    const context = proof.context ? utf8ToBytes(proof.context) : EMPTY_CONTEXT;
-    if (context.length > MAX_CONTEXT_BYTES) return false;
+    if (!Number.isSafeInteger(expectedMin) || !Number.isSafeInteger(expectedMax)) return false;
+    if (expectedMin < 0 || expectedMax < 0 || expectedMax < expectedMin) return false;
+
+    const context = bindingContextToBytes(proof.context);
+    bindingContextToBytes(expectedBindingContext);
 
     // Validate range bounds
     if (!Number.isSafeInteger(min) || !Number.isSafeInteger(max)) return false;
     if (min < 0 || max < 0 || max < min) return false;
+    if (min !== expectedMin || max !== expectedMax) return false;
+    if (!sameBindingContext(proof.context, expectedBindingContext)) return false;
 
     // Recompute expected bits from range — do not trust proof.bits blindly
     const expectedBits = bitsNeeded(max - min);
@@ -557,31 +611,21 @@ export function verifyRangeProof(proof: RangeProof): boolean {
  * @returns The range proof
  */
 export function createAgeRangeProof(age: number, ageRange: string, subjectPubkey?: string): RangeProof {
-  const DIGITS_ONLY = /^\d+$/;
-
-  // Handle "18+" format (no upper bound — use 150 as practical max)
-  if (ageRange.endsWith('+')) {
-    const minStr = ageRange.slice(0, -1);
-    if (!DIGITS_ONLY.test(minStr)) throw new ValidationError('Invalid age range format (expected "min-max" or "min+")');
-    return createRangeProof(age, parseInt(minStr, 10), 150, subjectPubkey);
-  }
-
-  const parts = ageRange.split('-');
-  if (parts.length !== 2) throw new ValidationError('Invalid age range format (expected "min-max" or "min+")');
-  if (!DIGITS_ONLY.test(parts[0]) || !DIGITS_ONLY.test(parts[1])) {
-    throw new ValidationError('Invalid age range format (expected "min-max" or "min+")');
-  }
-  const min = parseInt(parts[0], 10);
-  const max = parseInt(parts[1], 10);
+  const { min, max } = parseAgeRange(ageRange);
 
   return createRangeProof(age, min, max, subjectPubkey);
 }
 
 /**
  * Verify an age range proof.
  */
-export function verifyAgeRangeProof(proof: RangeProof): boolean {
-  return verifyRangeProof(proof);
+export function verifyAgeRangeProof(proof: RangeProof, expectedAgeRange: string, expectedSubjectPubkey?: string): boolean {
+  try {
+    const { min, max } = parseAgeRange(expectedAgeRange);
+    return verifyRangeProof(proof, min, max, expectedSubjectPubkey);
+  } catch {
+    return false;
+  }
 }
 
 /**