Open asanso opened 1 year ago
Powers arrays of length one is a verifiably illegal state of this sequencer, so this is not a security concern for this particular service. That being said, in the interest of this code being potentially reusable for other purposes, a PR with a fix is welcome :).
I am aware the length of the array used in the Ethereum PoT is way bigger.
The pairing equality called as part of `test_verify_g1` should fail but this is not the case. The reason behind it is a bit "subtle", see below:

The test samples two random elements in G1 and G2 having two different $\tau$: $\tau_1 G_1$ and $\tau_2 G_2$, so, as said, the pairing check is supposed to fail. Both the implementations of `verify_g1` (BLST and Arkworks) used Vitalik's batch optimization for fast verification of multiple BLS signatures, with a further optimization (due to the fact that the second input of the pairing is always the same). Looking at the BLST implementation of `verify_g1`, we note that `powers.len()` = 1, so:

`let (factors, sum) = random_factors(powers.len() - 1);`

is called, `sum` is equal to 0, and from `p1s_mult_pippenger` the G1 generator is returned. The pairing equality then becomes:

$e(g_1, 0) \stackrel{?}{=} (g_1, 0)$
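As an added example (not the sequencer's code), a toy model of the batched consecutive-power check behind `verify_g1`, with every group replaced by Z_p and the pairing by e(a, b) = a*b mod p: it shows why a length-one `powers` array passes for any tau, and a guarded variant that rejects that input. `random_factors`, `msm`, `verify_g1_unguarded` and `verify_g1_guarded` are assumed names for the model, not the project's API.

```rust
// Toy model of the batched check in verify_g1 (added example, not the sequencer's code).
// G1, G2 and GT are all modelled as Z_p with the bilinear map e(a, b) = a*b mod p, which
// keeps the algebra of the batch check while dropping all real curve arithmetic.
const P: u64 = 1_000_003; // small prime, toy only (constructed)
type G1 = u64;
type G2 = u64;

fn e(a: G1, b: G2) -> u64 { (a * b) % P }

// Stand-in for random_factors: n nonzero scalars and their sum (deterministic here).
fn random_factors(n: usize) -> (Vec<u64>, u64) {
    let factors: Vec<u64> = (0..n as u64).map(|i| (7 * i + 3) % P).collect();
    let sum = factors.iter().fold(0, |acc, f| (acc + f) % P);
    (factors, sum)
}

// Multi-scalar multiplication sum_i factors[i] * points[i]; an empty MSM is the identity 0.
fn msm(points: &[G1], factors: &[u64]) -> G1 {
    points.iter().zip(factors).fold(0, |acc, (p, f)| (acc + p * f) % P)
}

// Batched check that powers[i+1] == tau * powers[i] for every consecutive pair:
//   e(sum_i r_i * powers[i+1], g2) == e(sum_i r_i * powers[i], tau*g2)
// With powers.len() == 1 there are zero factors, sum == 0 and both MSMs are the
// identity, so the equality holds for ANY tau_g2: the check is vacuous.
fn verify_g1_unguarded(powers: &[G1], tau_g2: G2, g2: G2) -> bool {
    let (factors, _sum) = random_factors(powers.len() - 1);
    let lhs = msm(&powers[1..], &factors);
    let rhs = msm(&powers[..powers.len() - 1], &factors);
    e(lhs, g2) == e(rhs, tau_g2)
}

// Hardened form: refuse arrays too short to contain a consecutive pair, and pin
// powers[0] to the G1 generator so the chain is anchored, not just internally consistent.
fn verify_g1_guarded(powers: &[G1], tau_g2: G2, g1: G1, g2: G2) -> Result<bool, &'static str> {
    if powers.len() < 2 { return Err("powers must hold at least [g1, tau*g1]"); }
    if powers[0] != g1 { return Ok(false); }
    Ok(verify_g1_unguarded(powers, tau_g2, g2))
}

fn main() {
    let (g1, g2) = (2u64, 3u64);
    // Constructed inputs: G1 powers built with tau1 = 5, G2 element built with tau2 = 11.
    let single = [g1];
    println!("len 1, mismatched tau, unguarded: {}", verify_g1_unguarded(&single, 11 * g2, g2));
    println!("len 1, mismatched tau, guarded:   {:?}", verify_g1_guarded(&single, 11 * g2, g1, g2));
    println!("len 3, matching tau, guarded:     {:?}", verify_g1_guarded(&[g1, 5 * g1, 25 * g1], 5 * g2, g1, g2));
}
```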