Merge pull request #121 from ethereum/fix-z1-check

Fix the x1 point check

py_ecc/bls/point_compression.py

@@ -196,6 +196,9 @@ def decompress_G2(p: G2Compressed) -> G2Uncompressed:
     # Else, not point at infinity
     # 3 MSBs should be 100 or 101
     x1 = z1 % POW_2_381
+    # Ensure that x1 is less than the field modulus.
+    if x1 >= q:
+        raise ValueError("x1 value should be less than field modulus. Got %d", x1)
 
     # Ensure that z2 is less than the field modulus.
     if z2 >= q:

tests/bls/test_point_compression.py

@@ -143,6 +143,7 @@ def test_G2_compress_and_decompress_flags(pt, on_curve, is_infinity):
         ((compressed_g2[0] & ~(1<<383), compressed_g2[1]), "c_flag should be 1"),  # set c_flag1 to 0
         ((compressed_g2[0] | (1<<382), compressed_g2[1]), "b_flag should be 0"),  # set b_flag1 to 1
         ((compressed_z2[0] & ~(1<<382), compressed_z2[1]), "b_flag should be 1"),  # set b_flag1 to 0
+        ((q | (1<<383), compressed_z2[1]), "x1 value should be less than field modulus."),  # x1 == q
         ((compressed_z2[0] | (1<<381), compressed_z2[1]), "a point at infinity should have a_flag == 0"),  # set a_flag1 to 1
         ((compressed_g2[0], compressed_z2[1] | (1<<383)), "z2 point value should be less than field modulus."),  # set c_flag2 to 1
         ((compressed_g2[0], compressed_z2[1] | (1<<382)), "z2 point value should be less than field modulus."),  # set b_flag2 to 1