Disallow invalid points in aggregate() methods. Reported by @guidovra…

…nken
paulmillr · Jun 26, 2021 · 7356dd7 · 7356dd7
1 parent 4e0390a
commit 7356dd7
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 9 deletions.
diff --git a/README.md b/README.md
@@ -249,20 +249,20 @@ getPublicKey x 1,608 ops/sec @ 621μs/op
 sign x 31 ops/sec @ 32ms/op
 verify x 25 ops/sec @ 38ms/op
 pairing x 63 ops/sec @ 15ms/op
-aggregatePublicKeys/8 x 154 ops/sec @ 6ms/op
+aggregatePublicKeys/8 x 143 ops/sec @ 6ms/op
 aggregateSignatures/8 x 34 ops/sec @ 29ms/op
 
 with compression / decompression disabled:
 sign/nc x 48 ops/sec @ 20ms/op
 verify/nc x 43 ops/sec @ 23ms/op
-aggregatePublicKeys/32 x 5,389 ops/sec @ 185μs/op
-aggregatePublicKeys/128 x 1,325 ops/sec @ 754μs/op
-aggregatePublicKeys/512 x 321 ops/sec @ 3ms/op
-aggregatePublicKeys/2048 x 80 ops/sec @ 12ms/op
-aggregateSignatures/32 x 1,427 ops/sec @ 700μs/op
-aggregateSignatures/128 x 338 ops/sec @ 2ms/op
-aggregateSignatures/512 x 82 ops/sec @ 12ms/op
-aggregateSignatures/2048 x 21 ops/sec @ 47ms/op
+aggregatePublicKeys/32 x 1,557 ops/sec @ 642μs/op
+aggregatePublicKeys/128 x 803 ops/sec @ 1ms/op
+aggregatePublicKeys/512 x 280 ops/sec @ 3ms/op
+aggregatePublicKeys/2048 x 77 ops/sec @ 12ms/op
+aggregateSignatures/32 x 405 ops/sec @ 2ms/op
+aggregateSignatures/128 x 213 ops/sec @ 4ms/op
+aggregateSignatures/512 x 73 ops/sec @ 13ms/op
+aggregateSignatures/2048 x 20 ops/sec @ 49ms/op
 ```
 
 ## Security

diff --git a/index.js b/index.js
@@ -494,6 +494,7 @@ function aggregatePublicKeys(publicKeys) {
     if (!publicKeys.length)
         throw new Error('Expected non-empty array');
     const agg = publicKeys.map(normP1).reduce((sum, p) => sum.add(p), PointG1.ZERO);
+    agg.assertValidity();
     if (publicKeys[0] instanceof PointG1)
         return agg;
     const bytes = agg.toRawBytes(true);
@@ -506,6 +507,7 @@ function aggregateSignatures(signatures) {
     if (!signatures.length)
         throw new Error('Expected non-empty array');
     const agg = signatures.map(normP2).reduce((sum, s) => sum.add(s), PointG2.ZERO);
+    agg.assertValidity();
     if (signatures[0] instanceof PointG2)
         return agg;
     const bytes = agg.toSignature();

diff --git a/index.ts b/index.ts
@@ -604,6 +604,7 @@ export function aggregatePublicKeys(publicKeys: PointG1[]): PointG1;
 export function aggregatePublicKeys(publicKeys: G1Hex[]): Uint8Array | string | PointG1 {
   if (!publicKeys.length) throw new Error('Expected non-empty array');
   const agg = publicKeys.map(normP1).reduce((sum, p) => sum.add(p), PointG1.ZERO);
+  agg.assertValidity();
   if (publicKeys[0] instanceof PointG1) return agg;
   const bytes = agg.toRawBytes(true);
   if (publicKeys[0] instanceof Uint8Array) return bytes;
@@ -617,6 +618,7 @@ export function aggregateSignatures(signatures: PointG2[]): PointG2;
 export function aggregateSignatures(signatures: G2Hex[]): Uint8Array | string | PointG2 {
   if (!signatures.length) throw new Error('Expected non-empty array');
   const agg = signatures.map(normP2).reduce((sum, s) => sum.add(s), PointG2.ZERO);
+  agg.assertValidity();
   if (signatures[0] instanceof PointG2) return agg;
   const bytes = agg.toSignature();
   if (signatures[0] instanceof Uint8Array) return bytes;

diff --git a/test/index.test.ts b/test/index.test.ts
@@ -241,6 +241,23 @@ describe('bls12-381', () => {
   it('should not compress and decompress zero G1 point', async () => {
     expect(() => bls.PointG1.fromPrivateKey(0n)).toThrowError();
   });
+  const VALID_G1 = new bls.PointG1(
+    new bls.Fp(3609742242174788176010452839163620388872641749536604986743596621604118973777515189035770461528205168143692110933639n),
+    new bls.Fp(1619277690257184054444116778047375363103842303863153349133480657158810226683757397206929105479676799650932070320089n)
+  );
+  const VALID_G1_2 = new bls.PointG1(
+    new bls.Fp(1206972466279728255044019580914616126536509750250979180256809997983196363639429409634110400978470384566664128085207n),
+    new bls.Fp(2991142246317096160788653339959532007292638191110818490939476869616372888657136539642598243964263069435065725313423n)
+  );
+  const INVALID_G1 = new bls.PointG1(new bls.Fp(0n), new bls.Fp(0n));
+  it('should aggregate pubkeys', async () => {
+    bls.aggregatePublicKeys([VALID_G1, VALID_G1_2]);
+  });
+  it('should not aggregate invalid pubkeys', async () => {
+    expect(() => bls.aggregatePublicKeys([VALID_G1, INVALID_G1])).toThrowError();
+  })
+  // should aggregate signatures
+
   it(`should produce correct signatures (${G2_VECTORS.length} vectors)`, async () => {
     for (let vector of G2_VECTORS) {
       const [priv, msg, expected] = vector;