BLS point (de)compression issue

[hwwhww]

What is wrong?

Follow up with #107, to see what's wrong with the (de)compression.

History

• https://github.com/ethereum/py_ecc/blob/master/py_ecc/bls/point_compression.py logic hasn't been updated for 1.5 years.
• The point compression format should have been following the old https://github.com/ethereum/eth2.0-specs/blob/v0.9.0/specs/bls_signature.md#point-representations doc, which was an explainer of Zcash docs: https://github.com/zcash/librustzcash/blob/6e0364cd42a2b3d2b958a54771ef51a8db79dd29/pairing/src/bls12_381/README.md#bls12-381-instantiation
  • Respecting bit ordering, z is decomposed as (c_flag, b_flag, a_flag, x).
  • The most significant bit (c_flag), when set, indicates that the point is in compressed form. Otherwise, the point is in uncompressed form.
  • The second-most significant bit (b_flag)indicates that the point is at infinity. If this bit is set, the remaining bits of the group element's encoding should be set to zero.
  • The third-most significant bit (a_flag) is set if (and only if) this point is in compressed form and it is not the point at infinity and its y-coordinate is the lexicographically largest of the two associated with the encoded x-coordinate.

The implementation and the given test case

• The flags of "normal" point at infinity PK: 110
• The flags of the #107 case PK: 010

The decompress_G1 function: https://github.com/ethereum/py_ecc/blob/d17ee3cec483642e5a6bcd67c06d86eb6b3e7994/py_ecc/bls/point_compression.py#L55-L77

I think decompress_G1 should have checked c_flag (c_flag == 1 in decompress_G1). So do other (de)compress functions.

/cc @ChihChengLiang @CarlBeek could you 👀 sanity check it?