-
Notifications
You must be signed in to change notification settings - Fork 101
Add test and fix for non-canonical point at infinity #157
Conversation
if !flags.is_compressed { | ||
return Err(SerializationError::UnexpectedFlags); | ||
} | ||
|
||
// Attempt to obtain the x-coordinate | ||
let x = read_fq_with_offset(&bytes, 0, true)?; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we make this a byte-based check? i.e. directly on the bytes that we've read?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good catch, I've PRed to @kevaundray's fork, if not merged there soon I'll open a PR directly here.
/// Fetches the flags from the byte-string | ||
pub fn get_flags(bytes: &[u8]) -> Self { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think some extra validation here is needed to catch another, more subtle class of non-canonical infinity point encodings: some flag combinations are nonsensical. Here's a failing test to show you what I mean:
#[test]
fn bad_flag_combination() {
// See https://github.com/zkcrypto/pairing/tree/fa8103764a07bd273927447d434de18aace252d3/src/bls12_381#serialization
// - Bit 1 is compressed/uncompressed
// - Bit 2 is infinity
// - Bit 3 is lexicographical order for compressed point deserialization
// Hence `0b1110` ("e" in hex) or `0b0110` ("6" in hex") are both nonsensical.
let non_canonical_hex = "e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000";
let non_canonical_bytes = hex::decode(non_canonical_hex).unwrap();
assert_eq!(non_canonical_bytes.len(), 48);
let maybe_affine_point: Result<G1Affine, ark_serialize::SerializationError> =
CanonicalDeserialize::deserialize_compressed(&non_canonical_bytes[..]);
assert!(maybe_affine_point.is_err())
}
Description
closes: #XXXX
Before we can merge this PR, please make sure that all the following items have been
checked off. If any of the checklist items are not applicable, please leave them but
write a little note why.
Pending
section inCHANGELOG.md
Files changed
in the Github PR explorer