Thanks to Nguyen Thoi Minh Quan for the bug report. Somehow the serialization is not unique (see #108), the infinity point checks should have been done after decompression.
How was it fixed?
Extract pubkey_subgroup_check from pubkey_to_G1.
Test if is_inf(pubkey_point)afterpubkey_to_G1.
Apply full KeyValidate(pk) in the precondition of FastAggregateVerify.
What was wrong?
Thanks to Nguyen Thoi Minh Quan for the bug report. Somehow the serialization is not unique (see #108), the infinity point checks should have been done after decompression.
How was it fixed?
pubkey_subgroup_checkfrompubkey_to_G1.is_inf(pubkey_point)afterpubkey_to_G1.KeyValidate(pk)in the precondition ofFastAggregateVerify.Cute Animal Picture
🦝