diff --git a/packages/evm/src/precompiles/0b-bls12-g1add.ts b/packages/evm/src/precompiles/0b-bls12-g1add.ts
index d3e63d1619..060f40418a 100644
--- a/packages/evm/src/precompiles/0b-bls12-g1add.ts
+++ b/packages/evm/src/precompiles/0b-bls12-g1add.ts
@@ -60,8 +60,8 @@ export async function precompile0b(opts: PrecompileInput): Promise {
   let mclPoint1
   let mclPoint2
   try {
-    mclPoint1 = BLS12_381_ToG1Point(opts.data.subarray(0, 128), mcl)
-    mclPoint2 = BLS12_381_ToG1Point(opts.data.subarray(128, 256), mcl)
+    mclPoint1 = BLS12_381_ToG1Point(opts.data.subarray(0, 128), mcl, false)
+    mclPoint2 = BLS12_381_ToG1Point(opts.data.subarray(128, 256), mcl, false)
   } catch (e: any) {
     if (opts._debug !== undefined) {
       opts._debug(`BLS12G1ADD (0x0b) failed: ${e.message}`)
diff --git a/packages/evm/src/precompiles/0e-bls12-g2add.ts b/packages/evm/src/precompiles/0e-bls12-g2add.ts
index 1694a47399..a86a401f41 100644
--- a/packages/evm/src/precompiles/0e-bls12-g2add.ts
+++ b/packages/evm/src/precompiles/0e-bls12-g2add.ts
@@ -67,8 +67,8 @@ export async function precompile0e(opts: PrecompileInput): Promise {
   let mclPoint2
   try {
-    mclPoint1 = BLS12_381_ToG2Point(opts.data.subarray(0, 256), mcl)
-    mclPoint2 = BLS12_381_ToG2Point(opts.data.subarray(256, 512), mcl)
+    mclPoint1 = BLS12_381_ToG2Point(opts.data.subarray(0, 256), mcl, false)
+    mclPoint2 = BLS12_381_ToG2Point(opts.data.subarray(256, 512), mcl, false)
   } catch (e: any) {
     return EvmErrorResult(e, opts.gasLimit)
   }
diff --git a/packages/evm/src/precompiles/util/bls12_381.ts b/packages/evm/src/precompiles/util/bls12_381.ts
index 7f7e24e941..a882c8c4b6 100644
--- a/packages/evm/src/precompiles/util/bls12_381.ts
+++ b/packages/evm/src/precompiles/util/bls12_381.ts
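Review bot: Passing `false` as the new third argument in both assignments gives a reader no indication of why the subgroup check is being switched off for this precompile, and the same applies to the two assignments in the 0e-bls12-g2add.ts hunk. As far as I know EIP-2537 requires only the on-curve check for the G1ADD/G2ADD precompiles (the subgroup check belongs to the multiplication, MSM and pairing operations), so the change looks spec-consistent, but it also means anyone reading this site has to trust that BLS12_381_ToG1Point re-arms the check on every other call. A one-line comment above the try block would make the intent reviewable: `// G1ADD/G2ADD only require the on-curve check; the subgroup check is skipped by design (EIP-2537).` precompile0b starts and ends outside the hunk.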
@@ -145,10 +145,15 @@ export const gasDiscountPairs = [
   [127, 175],
   [128, 174],
 ]
-// convert an input Uint8Array to a mcl G1 point
-// this does /NOT/ do any input checks. the input Uint8Array needs to be of length 128
-// it does raise an error if the point is not on the curve.
-function BLS12_381_ToG1Point(input: Uint8Array, mcl: any): any {
+/**
+ * Converts an Uint8Array to a MCL G1 point. Raises errors if the point is not on the curve
+ * and (if activated) if the point is in the subgroup / order check.
+ * @param input Input Uint8Array. Should be 128 bytes
+ * @param mcl MCL instance
+ * @param verifyOrder Perform the subgroup check (defaults to true)
+ * @returns MCL G1 point
+ */
+function BLS12_381_ToG1Point(input: Uint8Array, mcl: any, verifyOrder = true): any {
   const p_x = bytesToUnprefixedHex(input.subarray(16, 64))
   const p_y = bytesToUnprefixedHex(input.subarray(80, 128))
@@ -171,7 +176,8 @@ function BLS12_381_ToG1Point(input: Uint8Array, mcl: any): any {
   G1.setY(Fp_Y)
   G1.setZ(One)
-  if (G1.isValidOrder() === false) {
+  mcl.verifyOrderG1(verifyOrder)
+  if (verifyOrder && G1.isValidOrder() === false) {
     throw new EvmError(ERROR.BLS_12_381_POINT_NOT_ON_CURVE)
   }
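Review bot: The new docstring for BLS12_381_ToG1Point states the order check backwards: it says an error is raised "if the point is in the subgroup / order check", whereas the guarded `isValidOrder()` check in the body throws when the point is not in the expected subgroup. The same sentence appears in the BLS12_381_ToG2Point docstring in the @@ -206 hunk. The rewrite also drops the old comment's explicit statement that the function performs no length validation on `input`, which "Should be 128 bytes" does not convey. Suggested wording for the first two lines: `Raises an error if the point is not on the curve and, when verifyOrder is true, if the point is not in the expected subgroup. Does NOT validate the length of input; callers must pass exactly 128 bytes.`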
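Review bot: `mcl.verifyOrderG1(verifyOrder)` is placed after the point has already been assembled with setX/setY/setZ, so it cannot affect this point; what it does is mutate a setting on the shared mcl instance that outlives the call, and the same pattern is used with `mcl.verifyOrderG2` in the @@ -245 hunk. If that setting is instance-wide, as its name suggests, a call with `verifyOrder = false` (which the G1ADD precompile now makes) leaves it disabled for any later mcl operation in the same process that depends on it, until some other call happens to pass true. The explicit `if (verifyOrder && G1.isValidOrder() === false)` guard already implements the optional check on its own, so unless the mcl flag is needed for a code path not visible here, dropping the `mcl.verifyOrderG1(verifyOrder)` line avoids the cross-call state leak; otherwise the previous value should be restored before the function returns. BLS12_381_ToG1Point starts and ends outside this hunk.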
@@ -206,9 +212,15 @@ function BLS12_381_FromG1Point(input: any): Uint8Array {
   return concatBytes(xBuffer, yBuffer)
 }
-// convert an input Uint8Array to a mcl G2 point
-// this does /NOT/ do any input checks. the input Uint8Array needs to be of length 256
-function BLS12_381_ToG2Point(input: Uint8Array, mcl: any): any {
+/**
+ * Converts an Uint8Array to a MCL G2 point. Raises errors if the point is not on the curve
+ * and (if activated) if the point is in the subgroup / order check.
+ * @param input Input Uint8Array. Should be 256 bytes
+ * @param mcl MCL instance
+ * @param verifyOrder Perform the subgroup check (defaults to true)
+ * @returns MCL G2 point
+ */
+function BLS12_381_ToG2Point(input: Uint8Array, mcl: any, verifyOrder = true): any {
   const p_x_1 = input.subarray(0, 64)
   const p_x_2 = input.subarray(64, 128)
   const p_y_1 = input.subarray(128, 192)
@@ -245,7 +257,8 @@ function BLS12_381_ToG2Point(input: Uint8Array, mcl: any): any {
   mclPoint.setY(Fp2Y)
   mclPoint.setZ(Fp2One)
-  if (mclPoint.isValidOrder() === false) {
+  mcl.verifyOrderG2(verifyOrder)
+  if (verifyOrder && mclPoint.isValidOrder() === false) {
     throw new EvmError(ERROR.BLS_12_381_POINT_NOT_ON_CURVE)
   }