Verifier needs to perform a subgroup check on proof points #2

ggutoski · 2020-02-26T22:13:31Z

@kobigurk has observed that the gnark verifier currently does not check a purported Groth16 proof to ensure that its points are actually in the correct elliptic curve subgroup (G1 or G2). It is known that these checks are necessary to thwart certain attacks on the protocol. See 2019/814 - Faster Subgroup Checks for BLS12-381 and references therein for state-of-the-art solutions to this issue.

The text was updated successfully, but these errors were encountered:

…e verifying it (closes #2)

style: cleaner computation nb BSB commitments

ggutoski added the bug Something isn't working label Feb 26, 2020

ggutoski assigned ggutoski and ThomasPiellard Feb 26, 2020

ThomasPiellard added a commit that referenced this issue Sep 23, 2020

internal/../<curve>/groth16/: added subgroup check on the proof befor…

b2d442d

…e verifying it (closes #2)

gbotrel closed this as completed Sep 23, 2020

ruslangm referenced this issue in ruslangm/gnark Dec 29, 2022

poseidon circuit (#2)

a94d59b

ThomasPiellard added a commit to ThomasPiellard/gnark that referenced this issue Jul 9, 2024

Merge pull request Consensys#2 from ThomasPiellard/audit/N-01

d1e7512

style: cleaner computation nb BSB commitments

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Verifier needs to perform a subgroup check on proof points #2

Verifier needs to perform a subgroup check on proof points #2

ggutoski commented Feb 26, 2020

Verifier needs to perform a subgroup check on proof points #2

Verifier needs to perform a subgroup check on proof points #2

Comments

ggutoski commented Feb 26, 2020