subgroup check

Author: swasilyev

w3f-plonk-common/src/kzg_acc.rs

@@ -134,10 +134,16 @@ impl<E: Pairing> KzgAccumulator<E> {
     }
 
     pub fn verify(&self) -> bool {
-        let acc = (-E::G1::msm(&self.acc_points, &self.acc_scalars).unwrap()).into_affine();
         let proof = E::G1::msm(&self.kzg_proofs, &self.randomizers)
             .unwrap()
             .into_affine();
+        if !crate::is_in_correct_subgroup_assuming_on_curve::<E>(&proof) {
+            return false;
+        }
+        let acc = (-E::G1::msm(&self.acc_points, &self.acc_scalars).unwrap()).into_affine();
+        if !crate::is_in_correct_subgroup_assuming_on_curve::<E>(&acc) {
+            return false;
+        }
         KZG::<E>::verify_accumulated(AccumulatedOpening { acc, proof }, &self.kzg_vk)
     }
 }

w3f-plonk-common/src/lib.rs

@@ -1,6 +1,8 @@
 #![cfg_attr(not(feature = "std"), no_std)]
 
-use ark_ff::{FftField, PrimeField};
+use ark_ec::pairing::Pairing;
+use ark_ec::AffineRepr;
+use ark_ff::{FftField, Field, PrimeField, Zero};
 use ark_poly::univariate::DensePolynomial;
 use ark_poly::{EvaluationDomain, Evaluations, GeneralEvaluationDomain, Polynomial};
 use ark_serialize::{CanonicalDeserialize, CanonicalSerialize};
@@ -78,6 +80,12 @@ pub trait ColumnsCommited<F: PrimeField, C: Commitment<F>>:
     fn to_vec(self) -> Vec<C>;
 }
 
+// suboptimal for BLS12-381
+fn is_in_correct_subgroup_assuming_on_curve<E: Pairing>(p: &E::G1Affine) -> bool {
+    let r = E::ScalarField::characteristic();
+    p.mul_bigint(r).is_zero()
+}
+
 #[derive(Clone, CanonicalSerialize, CanonicalDeserialize)]
 pub struct Proof<F, CS, Commitments, Evaluations>
 where