correct the negative-g tests

Author: jayz22

soroban-env-host/observations/25/test__bn254__test_bn254_g1_deserialize_rejects_y_sign_bit.json

@@ -1,8 +1,44 @@
 {
   "   0 begin": "cpu:0, mem:0, prngs:-/-, objs:-/-, vm:-/-, evt:-, store:-/-, foot:-, stk:-, auth:-/-",
   "   1 call bytes_new_from_slice(64)": "cpu:688",
-  "   2 ret bytes_new_from_slice -> Ok(Bytes(obj#1))": "cpu:1667, mem:160, objs:-/1@1eb8c8fe",
+  "   2 ret bytes_new_from_slice -> Ok(Bytes(obj#1))": "cpu:1667, mem:160, objs:-/1@33e03491",
   "   3 call bytes_copy_to_slice(Bytes(obj#1), U32(0), 64)": "",
   "   4 ret bytes_copy_to_slice -> Ok(())": "cpu:1778",
-  "   5 end": "cpu:2818, mem:320, prngs:-/-, objs:-/2@631f248e, vm:-/-, evt:-, store:-/-, foot:-, stk:-, auth:-/-"
+  "   5 call bytes_new_from_slice(64)": "cpu:3506, mem:320, objs:-/2@fd8cc406",
+  "   6 ret bytes_new_from_slice -> Ok(Bytes(obj#5))": "cpu:4485, mem:480, objs:-/3@557acb46",
+  "   7 call bytes_copy_to_slice(Bytes(obj#5), U32(0), 64)": "",
+  "   8 ret bytes_copy_to_slice -> Ok(())": "cpu:4596",
+  "   9 call bytes_new_from_slice(64)": "cpu:6324, mem:640, objs:-/4@f61c921",
+  "  10 ret bytes_new_from_slice -> Ok(Bytes(obj#9))": "cpu:7303, mem:800, objs:-/5@8336a1ce",
+  "  11 call bytes_copy_to_slice(Bytes(obj#9), U32(0), 64)": "",
+  "  12 ret bytes_copy_to_slice -> Ok(())": "cpu:7414",
+  "  13 call bytes_new_from_slice(64)": "cpu:9142, mem:960, objs:-/6@168a749a",
+  "  14 ret bytes_new_from_slice -> Ok(Bytes(obj#13))": "cpu:10121, mem:1120, objs:-/7@e0797ac1",
+  "  15 call bytes_copy_to_slice(Bytes(obj#13), U32(0), 64)": "",
+  "  16 ret bytes_copy_to_slice -> Ok(())": "cpu:10232",
+  "  17 call bytes_new_from_slice(64)": "cpu:11960, mem:1280, objs:-/8@9b6cc918",
+  "  18 ret bytes_new_from_slice -> Ok(Bytes(obj#17))": "cpu:12939, mem:1440, objs:-/9@2268b300",
+  "  19 call bytes_copy_to_slice(Bytes(obj#17), U32(0), 64)": "",
+  "  20 ret bytes_copy_to_slice -> Ok(())": "cpu:13050",
+  "  21 call bytes_new_from_slice(64)": "cpu:14778, mem:1600, objs:-/10@170b9258",
+  "  22 ret bytes_new_from_slice -> Ok(Bytes(obj#21))": "cpu:15757, mem:1760, objs:-/11@dea52bdc",
+  "  23 call bytes_copy_to_slice(Bytes(obj#21), U32(0), 64)": "",
+  "  24 ret bytes_copy_to_slice -> Ok(())": "cpu:15868",
+  "  25 call bytes_new_from_slice(64)": "cpu:17596, mem:1920, objs:-/12@b5e452bd",
+  "  26 ret bytes_new_from_slice -> Ok(Bytes(obj#25))": "cpu:18575, mem:2080, objs:-/13@3f368ae0",
+  "  27 call bytes_copy_to_slice(Bytes(obj#25), U32(0), 64)": "",
+  "  28 ret bytes_copy_to_slice -> Ok(())": "cpu:18686",
+  "  29 call bytes_new_from_slice(64)": "cpu:20414, mem:2240, objs:-/14@69cceb0c",
+  "  30 ret bytes_new_from_slice -> Ok(Bytes(obj#29))": "cpu:21393, mem:2400, objs:-/15@d92c241",
+  "  31 call bytes_copy_to_slice(Bytes(obj#29), U32(0), 64)": "",
+  "  32 ret bytes_copy_to_slice -> Ok(())": "cpu:21504",
+  "  33 call bytes_new_from_slice(64)": "cpu:23232, mem:2560, objs:-/16@f9a4c09c",
+  "  34 ret bytes_new_from_slice -> Ok(Bytes(obj#33))": "cpu:24211, mem:2720, objs:-/17@1c9000f2",
+  "  35 call bytes_copy_to_slice(Bytes(obj#33), U32(0), 64)": "",
+  "  36 ret bytes_copy_to_slice -> Ok(())": "cpu:24322",
+  "  37 call bytes_new_from_slice(64)": "cpu:26050, mem:2880, objs:-/18@3d7d48a9",
+  "  38 ret bytes_new_from_slice -> Ok(Bytes(obj#37))": "cpu:27029, mem:3040, objs:-/19@e3a7db9a",
+  "  39 call bytes_copy_to_slice(Bytes(obj#37), U32(0), 64)": "",
+  "  40 ret bytes_copy_to_slice -> Ok(())": "cpu:27140",
+  "  41 end": "cpu:28180, mem:3200, prngs:-/-, objs:-/20@dbec9ab, vm:-/-, evt:-, store:-/-, foot:-, stk:-, auth:-/-"
 }

soroban-env-host/observations/25/test__bn254__test_bn254_g2_deserialize_rejects_y_sign_bit.json

@@ -1,8 +1,26 @@
 {
   "   0 begin": "cpu:0, mem:0, prngs:-/-, objs:-/-, vm:-/-, evt:-, store:-/-, foot:-, stk:-, auth:-/-",
   "   1 call bytes_new_from_slice(128)": "cpu:1376",
-  "   2 ret bytes_new_from_slice -> Ok(Bytes(obj#1))": "cpu:2371, mem:224, objs:-/1@4a50f3a2",
+  "   2 ret bytes_new_from_slice -> Ok(Bytes(obj#1))": "cpu:2371, mem:224, objs:-/1@62ecc3ea",
   "   3 call bytes_copy_to_slice(Bytes(obj#1), U32(0), 128)": "",
   "   4 ret bytes_copy_to_slice -> Ok(())": "cpu:2490",
-  "   5 end": "cpu:3546, mem:448, prngs:-/-, objs:-/2@72bbc3f0, vm:-/-, evt:-, store:-/-, foot:-, stk:-, auth:-/-"
+  "   5 call bytes_copy_to_slice(Bytes(obj#1), U32(0), 128)": "cpu:3546, mem:448, objs:-/2@72f8d01b",
+  "   6 ret bytes_copy_to_slice -> Ok(())": "cpu:3665",
+  "   7 call bytes_copy_to_slice(Bytes(obj#1), U32(0), 128)": "cpu:4721, mem:672, objs:-/3@e68bd088",
+  "   8 ret bytes_copy_to_slice -> Ok(())": "cpu:4840",
+  "   9 call bytes_copy_to_slice(Bytes(obj#1), U32(0), 128)": "cpu:5896, mem:896, objs:-/4@8a54f28",
+  "  10 ret bytes_copy_to_slice -> Ok(())": "cpu:6015",
+  "  11 call bytes_copy_to_slice(Bytes(obj#1), U32(0), 128)": "cpu:7071, mem:1120, objs:-/5@3a682175",
+  "  12 ret bytes_copy_to_slice -> Ok(())": "cpu:7190",
+  "  13 call bytes_copy_to_slice(Bytes(obj#1), U32(0), 128)": "cpu:8246, mem:1344, objs:-/6@8dda692d",
+  "  14 ret bytes_copy_to_slice -> Ok(())": "cpu:8365",
+  "  15 call bytes_copy_to_slice(Bytes(obj#1), U32(0), 128)": "cpu:9421, mem:1568, objs:-/7@e3cc5f61",
+  "  16 ret bytes_copy_to_slice -> Ok(())": "cpu:9540",
+  "  17 call bytes_copy_to_slice(Bytes(obj#1), U32(0), 128)": "cpu:10596, mem:1792, objs:-/8@fd6b01b1",
+  "  18 ret bytes_copy_to_slice -> Ok(())": "cpu:10715",
+  "  19 call bytes_copy_to_slice(Bytes(obj#1), U32(0), 128)": "cpu:11771, mem:2016, objs:-/9@b5ec8a9e",
+  "  20 ret bytes_copy_to_slice -> Ok(())": "cpu:11890",
+  "  21 call bytes_copy_to_slice(Bytes(obj#1), U32(0), 128)": "cpu:12946, mem:2240, objs:-/10@b0a16390",
+  "  22 ret bytes_copy_to_slice -> Ok(())": "cpu:13065",
+  "  23 end": "cpu:14121, mem:2464, prngs:-/-, objs:-/11@5ca70dcd, vm:-/-, evt:-, store:-/-, foot:-, stk:-, auth:-/-"
 }

soroban-env-host/src/crypto/bls12_381.rs

@@ -45,8 +45,6 @@ impl Host {
     // (the base field element), and will be charged accordingly.
     // Validation of the deserialized entity must be performed outside of this
     // function, to keep budget charging isolated.
-
-    // TODO: this function has to be moved into curve_utils because it is used by both
     pub(crate) fn deserialize_uncompressed_no_validate<
         const EXPECTED_SIZE: usize,
         T: CanonicalDeserialize,

soroban-env-host/src/test/bn254.rs

@@ -80,7 +80,13 @@ fn negative_g1(host: &Host, rng: &mut StdRng) -> Result<BytesObject, HostError>
             // infinity
             continue;
         }
-        if g1.y <= -g1.y {
+        if g1.y > -g1.y {
+            // check that the Y-sign bit is indeed set in arkworks by retrieving
+            // the MSB (the last byte in little-endian serialized buffer) and
+            // asserting on the flag bit
+            let mut buf = [0u8; BN254_G1_SERIALIZED_SIZE];
+            g1.serialize_uncompressed(&mut buf[..]).unwrap(); // this is little-endian
+            assert!(buf[BN254_G1_SERIALIZED_SIZE - 1] & 0b1000_0000 != 0u8);
             // we get our point
             return host.bn254_g1_affine_serialize_uncompressed(&g1);
         }
@@ -176,7 +182,13 @@ fn negative_g2(host: &Host, rng: &mut StdRng) -> Result<BytesObject, HostError>
             // infinity
             continue;
         }
-        if g2.y <= -g2.y {
+        if g2.y > -g2.y {
+            // check that the Y-sign bit is indeed set in arkworks by retrieving
+            // the MSB (the last byte in little-endian serialized buffer) and
+            // asserting on the flag bit
+            let mut buf = [0u8; BN254_G2_SERIALIZED_SIZE];
+            g2.serialize_uncompressed(&mut buf[..]).unwrap(); // this is little-endian
+            assert!(buf[BN254_G2_SERIALIZED_SIZE - 1] & 0b1000_0000 != 0u8);
             // we get our point
             return host.bn254_g2_affine_serialize_uncompressed(&g2);
         }
@@ -811,30 +823,31 @@ fn test_bn254_g1_deserialize_rejects_y_sign_bit() -> Result<(), HostError> {
     host.enable_debug()?;
     let mut rng = StdRng::from_seed([0u8; 32]);
 
-    // This is a negative g1 point serialized by us, it should not set the y-sign bit
-    let g1_bytes_obj = negative_g1(&host, &mut rng)?;
+    for _ in 0..10 {
+        // This is a negative g1 point serialized by us, it should not set the y-sign bit
+        let g1_bytes_obj = negative_g1(&host, &mut rng)?;
 
-    // Get the bytes and verify the y-sign bit is NOT set
-    let mut g1_bytes = vec![0u8; BN254_G1_SERIALIZED_SIZE];
-    host.bytes_copy_to_slice(g1_bytes_obj, U32Val::from(0), &mut g1_bytes)?;
-    assert_eq!(
-        g1_bytes[0] & 0b1000_0000,
-        0,
-        "Y-sign bit should not be set even for negative y"
-    );
+        // Get the bytes and verify the y-sign bit is NOT set
+        let mut g1_bytes = vec![0u8; BN254_G1_SERIALIZED_SIZE];
+        host.bytes_copy_to_slice(g1_bytes_obj, U32Val::from(0), &mut g1_bytes)?;
+        assert_eq!(
+            g1_bytes[0] & 0b1000_0000,
+            0,
+            "Y-sign bit should not be set even for negative y"
+        );
 
-    // Now manually set the y-sign bit (bit 0, which is 0x80 in the MSB)
-    g1_bytes[0] |= 0b1000_0000;
+        // Now manually set the y-sign bit (bit 0, which is 0x80 in the MSB)
+        g1_bytes[0] |= 0b1000_0000;
 
-    // Try to deserialize - should fail
-    let g1_bytes_obj_modified = host.test_bin_obj(&g1_bytes)?;
-    let result = host.bn254_g1_affine_deserialize(g1_bytes_obj_modified);
-
-    assert!(HostError::result_matches_err(
-        result,
-        (ScErrorType::Crypto, ScErrorCode::InvalidInput)
-    ));
+        // Try to deserialize - should fail
+        let g1_bytes_obj_modified = host.test_bin_obj(&g1_bytes)?;
+        let result = host.bn254_g1_affine_deserialize(g1_bytes_obj_modified);
 
+        assert!(HostError::result_matches_err(
+            result,
+            (ScErrorType::Crypto, ScErrorCode::InvalidInput)
+        ));
+    }
     Ok(())
 }
 
@@ -876,30 +889,31 @@ fn test_bn254_g2_deserialize_rejects_y_sign_bit() -> Result<(), HostError> {
     host.enable_debug()?;
     let mut rng = StdRng::from_seed([0u8; 32]);
 
-    // This is a negative g1 point serialized by us, it should not set the y-sign bit
+    // This is a negative G1 point serialized by us, it should not set the y-sign bit
     let g2_bytes_obj = negative_g2(&host, &mut rng)?;
 
-    // Get the bytes and verify the y-sign bit is NOT set
-    let mut g2_bytes = vec![0u8; BN254_G2_SERIALIZED_SIZE];
-    host.bytes_copy_to_slice(g2_bytes_obj, U32Val::from(0), &mut g2_bytes)?;
-    assert_eq!(
-        g2_bytes[0] & 0b1000_0000,
-        0,
-        "Y-sign bit should not be set even for negative y"
-    );
+    for _ in 0..10 {
+        // Get the bytes and verify the y-sign bit is NOT set
+        let mut g2_bytes = vec![0u8; BN254_G2_SERIALIZED_SIZE];
+        host.bytes_copy_to_slice(g2_bytes_obj, U32Val::from(0), &mut g2_bytes)?;
+        assert_eq!(
+            g2_bytes[0] & 0b1000_0000,
+            0,
+            "Y-sign bit should not be set even for negative y"
+        );
 
-    // Now manually set the y-sign bit (bit 0, which is 0x80 in the MSB)
-    g2_bytes[0] |= 0b1000_0000;
+        // Now manually set the y-sign bit (bit 0, which is 0x80 in the MSB)
+        g2_bytes[0] |= 0b1000_0000;
 
-    // Try to deserialize - should fail
-    let g2_bytes_obj_modified = host.test_bin_obj(&g2_bytes)?;
-    let result = host.bn254_g2_affine_deserialize(g2_bytes_obj_modified);
-
-    assert!(HostError::result_matches_err(
-        result,
-        (ScErrorType::Crypto, ScErrorCode::InvalidInput)
-    ));
+        // Try to deserialize - should fail
+        let g2_bytes_obj_modified = host.test_bin_obj(&g2_bytes)?;
+        let result = host.bn254_g2_affine_deserialize(g2_bytes_obj_modified);
 
+        assert!(HostError::result_matches_err(
+            result,
+            (ScErrorType::Crypto, ScErrorCode::InvalidInput)
+        ));
+    }
     Ok(())
 }