[Zellic] 1 missing input validation on user inputs #50
Description
The Groth16 circuit accepts user inputs in the form of wires. It is structured so that each field element is represented by n wires where n is the bit length of the underlying bigint. Similarly, curve points in G1 and G2 are represented by their projective coordinates packed into field elements, which are again encoded as n wires. Most field and curve operations work only under the assumption that the input is well-formed. However, the circuit never constrains the validity of any user inputs. This means a user can pass
- field elements bigger than the field modulus,
- curve points with coordinates that do not lie on the curve, and
- curve points that do not lie in the pairing subgroups.