Pairing: check if G1/G2 not in expected subgroup

[jochem-brouwer]

Hey @herumi! We need to check if G1/G2 points are in the correct subgroup (the actual implementation does not matter at this point).

It seems that this functionality is there, by setting verifyOrderG1 and verifyOrderG2 to 1. In that case, if you import one of the EIPs negative test cases, trying to create such G1/G2 number throws. However, we'd like to explicitly check if they are in the correct subgroup.

Sorry for my ignorance, but is it right that we can use isValidOrder for this? Thanks a lot! 😄

EDIT: actually seems that if we disable verifyOrderG1 and verifyOrderG2 (i.e. don't call them, use the default value) and use isValidOrder() this returns true even if they should not be in the right subgroup (maybe I'm mixing terms here and order/subgroup is not the same?).

Seems like isValidOrder only returns false if above setting is set to 1.

[herumi]

Yes, you are right.

If verifyOrder(true), then

• P.isValidOrder() returns true if the point P has the correct order (i.e. rP=0).
• P.isValid() return true if the point P is on the elliptic curve and P.isValidOrder().
• deserialize and setStr call isValid().

If verifyOrder(false), then

• P.isValidOrder() returns true if the point P has the correct order (i.e. rP=0).
• P.isValid() return true if the point P is on the elliptic curve.
• deserialize and setStr don't call isValid().

Seems like isValidOrder only returns false if above setting is set to 1.

I'll verify it.

[herumi]

If verifyOrder(false), then

• deserialize and setStr don't call isValid().

It's wrong. deserialize and setStr always call isValid().

[herumi]

I've added the sample of isValidOrder at https://github.com/herumi/mcl-wasm/blob/master/eth-test.js#L54-L195 .

[jochem-brouwer]

Thanks a lot again! 😄