Adds validity checks to BLS public keys.

matter-labs · Mar 25, 2024 · 0ff5031 · 0ff5031
1 parent 16a87e7
commit 0ff5031
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 8 deletions.
diff --git a/node/Cargo.lock b/node/Cargo.lock
diff --git a/node/Cargo.toml b/node/Cargo.toml
@@ -40,7 +40,7 @@ zksync_protobuf = { path = "libs/protobuf" }
 zksync_protobuf_build = { path = "libs/protobuf_build" }
 
 # Crates from Matter Labs.
-pairing = { package = "pairing_ce", git = "https://github.com/matter-labs/pairing.git", rev = "f55393fd366596eac792d78525d26e9c4d6ed1ca" }
+pairing = { package = "pairing_ce", git = "https://github.com/matter-labs/pairing.git", rev = "e47fd140a1fbfe99b740cabf3d1336127b59199c" }
 vise = { version = "0.1.0", git = "https://github.com/matter-labs/vise.git", rev = "1c9cc500e92cf9ea052b230e114a6f9cce4fb2c1" }
 vise-exporter = { version = "0.1.0", git = "https://github.com/matter-labs/vise.git", rev = "1c9cc500e92cf9ea052b230e114a6f9cce4fb2c1" }
 
@@ -117,11 +117,9 @@ opt-level = 3
 
 [workspace.lints.rust]
 unsafe_code = "deny"
-noop_method_call = "warn"
 missing_docs = "warn"
 unreachable_pub = "warn"
 unused_qualifications = "warn"
-unused_tuple_struct_fields = "warn"
 
 [workspace.lints.clippy]
 # restriction group

diff --git a/node/libs/crypto/src/bn254/error.rs b/node/libs/crypto/src/bn254/error.rs
@@ -6,4 +6,8 @@ pub enum Error {
     SignatureVerificationFailure,
     #[error("Aggregate signature verification failure")]
     AggregateSignatureVerificationFailure,
+    #[error("Public key can't be zero")]
+    InvalidPublicKeyZero,
+    #[error("Public key must be in the subgroup")]
+    InvalidPublicKeySubgroup,
 }
diff --git a/node/libs/crypto/src/bn254/mod.rs b/node/libs/crypto/src/bn254/mod.rs
@@ -96,10 +96,17 @@ impl Hash for PublicKey {
 impl ByteFmt for PublicKey {
     fn decode(bytes: &[u8]) -> anyhow::Result<Self> {
         let arr: [u8; 64] = bytes.try_into()?;
-        let p = G2Compressed::from_fixed_bytes(arr)
-            .into_affine()?
-            .into_projective();
-        Ok(PublicKey(p))
+        let p = G2Compressed::from_fixed_bytes(arr).into_affine()?;
+
+        if p.is_zero() {
+            return Err(Error::InvalidPublicKeyZero.into());
+        }
+
+        if p.scale_by_cofactor().is_zero() {
+            return Err(Error::InvalidPublicKeySubgroup.into());
+        }
+
+        Ok(PublicKey(p.into_projective()))
     }
 
     fn encode(&self) -> Vec<u8> {
@@ -132,6 +139,15 @@ impl Signature {
     pub fn verify(&self, msg: &[u8], pk: &PublicKey) -> Result<(), Error> {
         let hash_point = hash::hash_to_g1(msg);
 
+        // Verify public key
+        if pk.0.is_zero() {
+            return Err(Error::InvalidPublicKeyZero);
+        }
+
+        if pk.0.into_affine().scale_by_cofactor().is_zero() {
+            return Err(Error::InvalidPublicKeySubgroup);
+        }
+
         // First pair: e(H(m): G1, pk: G2)
         let a = Bn256::pairing(hash_point, pk.0);
         // Second pair: e(sig: G1, generator: G2)