bn128: not checking group order when deserializing into G2

[ebfull]

The bn128 G2 deserialization code does not ensure that the point is in the correct subgroup. This is resolved in Zcash (see https://github.com/zcash/zcash/pull/1938) but is_well_formed and the deserialization code itself should be checking the order of the points it deserializes.

It's unclear to me how points outside the group affect the pairing.

[tromer]

Duplicate of #42.

[ebfull]

@tromer #42 is about something slightly different, the deserialization code doesn't check if it's on the curve, and checking if it's on the curve when you're verifying is a bit sketchy. This issue is about the check itself: it doesn't actually properly check if G2 elements are in the right subgroup.

[daira]

This should be reopened IMHO. It is not a duplicate of #42.