finding 7: reject g2 = point at infinity

Author: suyash67

barretenberg/cpp/src/barretenberg/bbapi/bbapi_srs.cpp

@@ -83,15 +83,27 @@ SrsInitSrs::Response SrsInitSrs::execute(BB_UNUSED BBApiRequest& request) &&
         throw_or_abort("SrsInitSrs: g1_points[1] does not match the canonical trusted-setup tau·G");
     }
 
-    // Defense in depth: hash-pin AND subgroup-check the G2 input. Hash equality alone is sufficient
-    // for the canonical case (it implies prime-order membership); the subgroup check is kept so
-    // that any future relaxation of the hash gate (e.g. a flag to allow a different trusted setup)
-    // does not silently reopen audit finding #7's small-subgroup attack.
+    // Defense in depth: deserialize G2, then run three independent gates (infinity / hash / subgroup).
+    //
+    // Why all three:
+    //   - is_point_at_infinity(): `[x]_2 = O` is in G_r (so subgroup check passes) and matches no
+    //     canonical hash, but it would degenerate the KZG verifier — `e(−W, O) = 1` for every W,
+    //     so the second pairing in the opening check is identically 1 and a malicious prover can
+    //     forge openings for arbitrary statements. This must be rejected even if the hash gate is
+    //     ever loosened (e.g. a future "allow custom SRS" flag).
+    //   - SHA-256 vs BN254_G2_ELEMENT_SHA256: pins the exact canonical Aztec trusted-setup [x]_2,
+    //     blocking byte-level tampering and wrong-trusted-setup swaps.
+    //   - is_in_prime_subgroup(): rejects cofactor-subgroup points (audit finding #7's original
+    //     small-subgroup attack); strictly redundant given the hash pin but kept so that loosening
+    //     the hash gate does not silently reopen the cofactor attack either.
+    auto g2_point_elem = from_buffer<g2::affine_element>(g2_point.data());
+    if (g2_point_elem.is_point_at_infinity()) {
+        throw_or_abort("SrsInitSrs: g2_point cannot be the point at infinity");
+    }
     auto g2_hash = bb::crypto::sha256(std::span<const uint8_t>(g2_point.data(), g2_point.size()));
     if (g2_hash != bb::srs::BN254_G2_ELEMENT_SHA256) {
         throw_or_abort("SrsInitSrs: g2_point bytes do not match the canonical Aztec [x]_2 SHA-256");
     }
-    auto g2_point_elem = from_buffer<g2::affine_element>(g2_point.data());
     if (!g2_point_elem.is_in_prime_subgroup()) {
         throw_or_abort("SrsInitSrs: g2_point is not in the BN254 G2 prime-order subgroup");
     }

barretenberg/cpp/src/barretenberg/srs/factories/crs_factory.test.cpp

@@ -167,6 +167,26 @@ TEST(CrsFactory, Bn254G2CorruptionDetected)
     fs::remove_all(temp_path);
 }
 
+// Regression test: a `bn254_g2.dat` whose 128 bytes are the all-1s infinity sentinel
+// deserializes to `affine_element::infinity()`. That point is a member of every subgroup
+// (so the subgroup check alone would let it through), but `[x]_2 = O` collapses the KZG
+// pairing check (`e(−W, O) = 1` for every W) and lets a malicious prover forge openings.
+// The loader must reject it with the explicit infinity error before the SHA-256 / subgroup
+// checks fire.
+TEST(CrsFactory, Bn254G2InfinityRejected)
+{
+    const std::filesystem::path temp_path = "barretenberg_srs_test_crs_g2_infinity";
+    fs::remove_all(temp_path);
+    fs::create_directories(temp_path);
+
+    std::vector<uint8_t> infinity_bytes(128, 0xFF);
+    bb::write_file(temp_path / "bn254_g2.dat", infinity_bytes);
+
+    EXPECT_THROW_OR_ABORT(bb::get_bn254_g2_data(temp_path, /*allow_download=*/false), "point at infinity");
+
+    fs::remove_all(temp_path);
+}
+
 TEST(CrsFactory, Bn254CompressedChunkHashFirstChunk)
 {
     // Download the first chunk of compressed CRS from CDN and verify its hash.

barretenberg/cpp/src/barretenberg/srs/factories/get_bn254_crs.cpp

@@ -293,11 +293,17 @@ g2::affine_element get_bn254_g2_data(const std::filesystem::path& path, bool all
         if (data.size() != G2_BYTES) {
             throw_or_abort("bn254 g2 data has wrong size: expected 128 bytes, got " + std::to_string(data.size()));
         }
+        auto point = from_buffer<g2::affine_element>(data.data());
+        // Reject the point at infinity: it is a member of every subgroup (so subgroup check passes)
+        // but `e(−W, O) = 1` for every W, which collapses the KZG verifier's pairing check and lets
+        // a malicious prover forge arbitrary openings.
+        if (point.is_point_at_infinity()) {
+            throw_or_abort("bn254 g2 cannot be the point at infinity");
+        }
         auto hash = bb::crypto::sha256(std::span<const uint8_t>(data.data(), data.size()));
         if (hash != bb::srs::BN254_G2_ELEMENT_SHA256) {
             throw_or_abort("bn254 g2 SHA-256 mismatch: payload does not match the canonical [x]_2");
         }
-        auto point = from_buffer<g2::affine_element>(data.data());
         if (!point.is_in_prime_subgroup()) {
             throw_or_abort("bn254 g2 deserialized to a point outside the prime-order subgroup");
         }