cryptimeleon / math

Library providing mathematical basics for (pairing-based) cryptography.
Apache License 2.0
10 stars, 2 forks

Curve and subgroup checks #129

Open JanBobolz opened 2 years ago

JanBobolz commented 2 years ago

As noted here, our implementations of the BN, secp256k1, and supersingular curves do not check the curve equation, nor do they check whether the given element is in the right subgroup.

This needs to be fixed.

The curve check can go into the WeierstrassCurve interface and be called in the AbstractEllipticCurvePoint class during deserialization.

The subgroup check should happen in PairingSourceGroupImpl. The current PairingSourceGroupImpl::isMember in there may be a bit wonky because it uses the pow() function, which may optimize the exponentiation by taking the exponent mod size(). So something like the dedicated PairingSourceGroupImpl::cofactorMultiplication() seems to be much better for this use case. It should be called in the PairingSourceGroupImpl::restoreElement() method (together with the check that the point is on the curve).
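To make the two checks concrete, here is an added example written for this page (not cryptimeleon code; the function names, the toy curve and the sample points are my own choices). It uses the textbook curve y^2 = x^3 + x + 1 over F_23, which has 28 points, so the prime-order subgroup has order r = 7 and cofactor h = 4. It shows a deserialization routine that runs the curve-equation check first and the subgroup check second, and it models the pitfall the issue describes: if the exponent r is reduced modulo the group size before the scalar multiplication, [r]P becomes [0]P = O for every point, so the membership test passes for points outside the subgroup.

```python
# Added example, not cryptimeleon code: on-curve and subgroup checks on a
# toy short-Weierstrass curve, and why "pow reduces the exponent mod size()"
# silently disables the subgroup check.
from typing import Optional, Tuple

# Toy curve y^2 = x^3 + A*x + B over F_23 (textbook example): 28 points = 4 * 7.
P_MOD = 23
A, B = 1, 1
ORDER_R = 7       # order of the prime-order subgroup (group "size()")
COFACTOR_H = 4    # 28 / 7

Point = Optional[Tuple[int, int]]   # None represents the point at infinity O


def is_on_curve(pt: Point) -> bool:
    """Curve-equation check; O is on the curve by convention."""
    if pt is None:
        return True
    x, y = pt
    if not (0 <= x < P_MOD and 0 <= y < P_MOD):
        return False
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def add(p: Point, q: Point) -> Point:
    """Affine point addition (chord-and-tangent) over F_p."""
    if p is None:
        return q
    if q is None:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                                   # P + (-P) = O
    if p == q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def mul(k: int, p: Point) -> Point:
    """Double-and-add using the integer k exactly as given (no reduction mod r)."""
    result: Point = None
    addend = p
    while k > 0:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def is_in_subgroup(pt: Point) -> bool:
    """Membership test for the prime-order subgroup: P on curve and [r]P == O."""
    return is_on_curve(pt) and mul(ORDER_R, pt) is None


def is_member_wonky(pt: Point) -> bool:
    """Models a group pow() that first reduces the exponent mod size():
    r mod r == 0, so it computes [0]P == O and accepts every on-curve point."""
    reduced_exponent = ORDER_R % ORDER_R              # always 0
    return is_on_curve(pt) and mul(reduced_exponent, pt) is None


def clear_cofactor(pt: Point) -> Point:
    """Cofactor multiplication [h]P: maps any curve point into the subgroup."""
    return mul(COFACTOR_H, pt)


def restore_element(x: int, y: int) -> Point:
    """What a safe deserialization should do: curve check, then subgroup check."""
    pt = (x, y)
    if not is_on_curve(pt):
        raise ValueError("point is not on the curve")
    if mul(ORDER_R, pt) is not None:
        raise ValueError("point is on the curve but not in the prime-order subgroup")
    return pt


if __name__ == "__main__":
    # (4, 0) is on the curve but has order 2, so it is outside the order-7 subgroup.
    print("wonky check accepts (4,0):", is_member_wonky((4, 0)))     # True  (bug)
    print("proper check accepts (4,0):", is_in_subgroup((4, 0)))     # False
    print("[h](0,1) =", clear_cofactor((0, 1)))                      # lands in subgroup
```

Here `is_member_wonky` is the "exponent reduced mod size()" behaviour the issue warns about: it is not a weaker check but no check at all, which is why a dedicated cofactor or scalar multiplication with the literal exponent is needed in `restoreElement`.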