import "ecc/edwardsAdd" as add;
import "ecc/edwardsScalarMult" as multiply;
import "utils/pack/bool/nonStrictUnpack256" as unpack256;
from "ecc/babyjubjubParams" import BabyJubJubParams;

// Verifies that the point is not one of the low-order points.
// If any of the points is multiplied by the cofactor, the resulting point
// will be infinity.
// Returns true if the point is not one of the low-order points, false otherwise.
// Curve parameters are defined with the last argument
// https://github.com/zcash-hackworks/sapling-crypto/blob/master/src/jubjub/edwards.rs#L166
def main(field[2] pt, BabyJubJubParams context) -> bool {
    field cofactor = context.JUBJUB_C;
    assert(cofactor == 8);

    // Co-factor currently hard-coded to 8 for efficiency reasons
    // See discussion here: https://github.com/Zokrates/ZoKrates/pull/301#discussion_r267203391
    // Generic code:
    // bool[256] cofactorExponent = unpack256(cofactor);
    // field[2] ptExp = multiply(cofactorExponent, pt, context);
    field[2] mut ptExp = add(pt, pt, context); // 2*pt
    ptExp = add(ptExp, ptExp, context);    // 4*pt
    ptExp = add(ptExp, ptExp, context);    // 8*pt

    return !(ptExp[0] == 0 && ptExp[1] == 1);
}