What was wrong?
Thanks to Nguyen Thoi Minh Quan for the bug report. Somehow the serialization is not unique (see #108); the infinity point checks should have been done after decompression.
How was it fixed?
Extract pubkey_subgroup_check from pubkey_to_G1.
Test if is_inf(pubkey_point) after pubkey_to_G1.
Apply full KeyValidate(pk) in the precondition of FastAggregateVerify.
Cute Animal Picture
🦝
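Why the order of the checks matters, as an added example that is not part of this PR or the project's code: when several byte strings decode to the point at infinity, comparing the serialized key against one canonical encoding misses the others, while testing the decoded point does not. The decoder below is a hypothetical model that assumes any encoding with the infinity flag set decodes to infinity; it parses only the flag bits of the 48-byte compressed G1 format and omits all curve and subgroup arithmetic, and every name and input in it is constructed.

```python
# Added illustration, not the project's code. Models only the three flag bits
# of a 48-byte compressed G1 public key (ZCash-style BLS12-381 serialization).
C_FLAG, B_FLAG, A_FLAG = 0x80, 0x40, 0x20  # compressed, infinity, sign
INF = "INF"                                # stand-in for the point at infinity
CANONICAL_INF = bytes([C_FLAG | B_FLAG]) + bytes(47)


def lenient_decompress(pk: bytes):
    """Hypothetical decoder (assumption): infinity bit set -> INF, rest ignored."""
    if len(pk) != 48 or not pk[0] & C_FLAG:
        raise ValueError("not a compressed G1 encoding")
    if pk[0] & B_FLAG:
        return INF  # the sign bit and the remaining 381 bits are not inspected
    # Curve decompression omitted; return the raw x value as a placeholder point.
    return ("x", int.from_bytes(pk, "big") & ((1 << 381) - 1))


def validate_bytes_first(pk: bytes) -> bool:
    """Infinity check on the serialized form, before decompression."""
    if pk == CANONICAL_INF:
        return False
    lenient_decompress(pk)
    return True


def validate_after_decompress(pk: bytes) -> bool:
    """Infinity check on the decoded point, the order this fix moves to."""
    return lenient_decompress(pk) != INF


# Constructed inputs: two non-canonical encodings that still decode to INF,
# and one ordinary-looking encoding (not a real key).
ALIASES = [
    bytes([C_FLAG | B_FLAG | A_FLAG]) + bytes(47),    # sign bit also set
    bytes([C_FLAG | B_FLAG]) + bytes(46) + b"\x01",   # nonzero trailing bits
]
ORDINARY = bytes([C_FLAG]) + bytes(46) + b"\x05"

if __name__ == "__main__":
    for pk in [CANONICAL_INF, *ALIASES, ORDINARY]:
        print(pk[:1].hex(), pk[-1:].hex(),
              "bytes-first:", validate_bytes_first(pk),
              "after-decompress:", validate_after_decompress(pk))
```
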