Merge branch 'master' into master

Author: kevaundray

banderwagon/element.go

@@ -1,6 +1,7 @@
 package banderwagon
 
 import (
+	"bytes"
 	"errors"
 	"fmt"
 	"math/big"
@@ -58,8 +59,10 @@ func (p Element) Bytes() [CompressedSize]byte {
 	return affineX.Bytes()
 }
 
-// BytesUncompressed returns the uncompressed serialized version of the element.
-func (p Element) BytesUncompressed() [UncompressedSize]byte {
+// BytesUncompressedTrusted returns the uncompressed serialized version of the element.
+// The returned bytes can only be used with SetBytesUncompressed with the trusted flag on.
+// This is because this method doesn't do any (x, y) transformation regarding the sign of y.
+func (p Element) BytesUncompressedTrusted() [UncompressedSize]byte {
 	// Convert underlying point to affine representation
 	var affine bandersnatch.PointAffine
 	affine.FromProj(&p.inner)
@@ -243,17 +246,27 @@ func (p *Element) SetBytesUncompressed(buf []byte, trusted bool) error {
 	var x fp.Element
 	x.SetBytes(buf[:coordinateSize])
 
-	// subgroup check
+	var y fp.Element
+	// point in curve & subgroup check
 	if !trusted {
+		point := bandersnatch.GetPointFromX(&x, true)
+		if point == nil {
+			return fmt.Errorf("point not in the curve")
+		}
+		calculatedYBytes := point.Y.Bytes()
+		if !bytes.Equal(calculatedYBytes[:], buf[coordinateSize:]) {
+			return fmt.Errorf("provided Y coordinate doesn't correspond to X")
+		}
+		y = point.Y
+
 		err := subgroupCheck(x)
 		if err != nil {
 			return err
 		}
+	} else {
+		y.SetBytes(buf[coordinateSize:])
 	}
 
-	var y fp.Element
-	y.SetBytes(buf[coordinateSize:])
-
 	*p = Element{inner: bandersnatch.PointProj{
 		X: x,
 		Y: y,

banderwagon/element_test.go

@@ -327,6 +327,75 @@ func TestBatchNormalize(t *testing.T) {
 	})
 }
 
+func TestBytesUncompressSerializeDeserialize(t *testing.T) {
+	t.Parallel()
+
+	var point Element
+	point.Add(&Generator, &Generator)
+	point.Double(&Generator)
+
+	bytesUncompressed := point.BytesUncompressedTrusted()
+
+	var point2 Element
+
+	// Trying to deserialize the from an untrusted source would mean that the Y coordinate would be checked from
+	// the EC formula. This would reject the point since BytesUncompressedTrusted() doesn't consider the Y coordinate sign.
+	if err := point2.SetBytesUncompressed(bytesUncompressed[:], false); err == nil {
+		t.Fatalf("the point must be rejected since the serialized bytes didn't consider the Y coordinate sign")
+	}
+
+	// Deserializing with the trusted flag, must succeed since it's simply deserializing the x and y coordinate directly
+	// without subgroup or lexicographic checks.
+	if err := point2.SetBytesUncompressed(bytesUncompressed[:], true); err != nil {
+		t.Fatalf("could not deserialize point: %s", err)
+	}
+	if !point.Equal(&point2) {
+		t.Fatalf("deserialized point does not match original point")
+	}
+}
+
+func TestSetUncompressedFail(t *testing.T) {
+	t.Parallel()
+	one := fp.One()
+
+	t.Run("X not in curve", func(t *testing.T) {
+		startX := one
+		// Find in startX a point that isn't in the curve
+		for {
+			point := bandersnatch.GetPointFromX(&startX, true)
+			if point == nil {
+				break
+			}
+			startX.Add(&startX, &one)
+			continue
+		}
+		var serializedPoint [UncompressedSize]byte
+		xBytes := startX.Bytes()
+		yBytes := Generator.inner.Y.Bytes() // Use some valid-ish Y, but this shouldn't matter much.
+		copy(serializedPoint[:], xBytes[:])
+		copy(serializedPoint[CompressedSize:], yBytes[:])
+
+		var point2 Element
+		if err := point2.SetBytesUncompressed(serializedPoint[:], false); err == nil {
+			t.Fatalf("the point must be rejected")
+		}
+	})
+
+	t.Run("wrong Y", func(t *testing.T) {
+		gen := Generator
+		// Despite X would lead to a point in the curve,
+		// we modify Y+1 to check the provided (serialized) Y
+		// coordinate isn't trusted blindly.
+		gen.inner.Y.Add(&gen.inner.Y, &one)
+
+		pointBytes := gen.BytesUncompressedTrusted()
+		var point2 Element
+		if err := point2.SetBytesUncompressed(pointBytes[:], false); err == nil {
+			t.Fatalf("the point must be rejected")
+		}
+	})
+}
+
 func FuzzDeserializationCompressed(f *testing.F) {
 	f.Fuzz(func(t *testing.T, serializedpoint []byte) {
 		var point Element

go.mod

@@ -3,10 +3,10 @@ module github.com/crate-crypto/go-ipa
 go 1.18
 
 require (
-	github.com/consensys/gnark-crypto v0.12.1
+	github.com/consensys/gnark-crypto v0.13.0
 	github.com/leanovate/gopter v0.2.9
 	golang.org/x/sync v0.1.0
-	golang.org/x/sys v0.9.0
+	golang.org/x/sys v0.15.0
 )
 
 require (

go.sum

@@ -2,8 +2,8 @@ github.com/bits-and-blooms/bitset v1.7.0 h1:YjAGVd3XmtK9ktAbX8Zg2g2PwLIMjGREZJHl
 github.com/bits-and-blooms/bitset v1.7.0/go.mod h1:gIdJ4wp64HaoK2YrL1Q5/N7Y16edYb8uY+O0FJTyyDA=
 github.com/consensys/bavard v0.1.13 h1:oLhMLOFGTLdlda/kma4VOJazblc7IM5y5QPd2A/YjhQ=
 github.com/consensys/bavard v0.1.13/go.mod h1:9ItSMtA/dXMAiL7BG6bqW2m3NdSEObYWoH223nGHukI=
-github.com/consensys/gnark-crypto v0.12.1 h1:lHH39WuuFgVHONRl3J0LRBtuYdQTumFSDtJF7HpyG8M=
-github.com/consensys/gnark-crypto v0.12.1/go.mod h1:v2Gy7L/4ZRosZ7Ivs+9SfUDr0f5UlG+EM5t7MPHiLuY=
+github.com/consensys/gnark-crypto v0.13.0 h1:VPULb/v6bbYELAPTDFINEVaMTTybV5GLxDdcjnS+4oc=
+github.com/consensys/gnark-crypto v0.13.0/go.mod h1:wKqwsieaKPThcFkHe0d0zMsbHEUWFmZcG7KBCse210o=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/google/subcommands v1.2.0/go.mod h1:ZjhPrFU+Olkh9WazFPsl27BQ4UPiG37m3yTrtFlrHVk=
 github.com/leanovate/gopter v0.2.9 h1:fQjYxZaynp97ozCzfOyOuAGOU4aU/z37zf/tOujFk7c=
@@ -15,8 +15,8 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb
 github.com/stretchr/testify v1.8.2 h1:+h33VjcLVPDHtOdpUCuF+7gSuG3yGIftsP1YvFihtJ8=
 golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sys v0.9.0 h1:KS/R3tvhPqvJvwcKfnBHJwwthS11LRhmM5D59eEXa0s=
-golang.org/x/sys v0.9.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
+golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 rsc.io/tmplfunc v0.0.3 h1:53XFQh69AfOa8Tw0Jm7t+GV7KZhOi6jzsCzTtKbMvzU=
 rsc.io/tmplfunc v0.0.3/go.mod h1:AG3sTPzElb1Io3Yg4voV9AGZJuleGAwaVRxL9M49PhA=