BQFC: reject non-reduced decompressed forms in strict mode

[richardkiss]

Fixes #334.

Problem

bqfc_verify_canon performs a self-consistency check — encode(decode(X)) == X — rather than a uniqueness check — encode(reduce(decode(X))) == X.

For forms with g > 1, the b0 field can be inflated by any multiple of a' = a/g and still round-trip through bqfc_compr, because the xgcd_partial Euclidean path is unaffected and b0 = floor(|b|/a') picks up the inflated quotient.

Concretely (1024-bit discriminant, g=2, g_size=0): byte 99 (b0) accepts 64 distinct values — b0, b0+4, b0+8, … — instead of 1. DeserializeForm silently reduces the form via from_abd, so Wesolowski verification passes with the correct (reduced) y. The proof is malleable: the same mathematical VDF output has 64 valid serializations.

Fix

Add a strict flag to BQFC form deserialization.

When strict=true, after bqfc_decompr computes (out_a, out_b), assert |out_b| <= out_a. A reduced binary quadratic form requires |b| <= a; if this is violated the encoding cannot be canonical.

When strict=false, preserve the historical behavior and accept these forms for compatibility with existing consensus behavior.

The check is a single mpz_cmpabs call — no need to compute c or run the full Pulmark reduction.

if (strict && mpz_cmpabs(out_b, out_a) > 0) {
    ret = -1;
    goto out;
}

Why this is the right place

The root cause is that bqfc_decompr can produce a non-reduced (out_a, out_b), and bqfc_verify_canon compares against the encoding of that non-reduced form rather than the reduced representative. Adding the optional strict bounds check here:

1. Costs one GMP comparison per strict deserialization.
2. Lets callers explicitly choose strict canonical decoding versus historical lenient compatibility.
3. Fixes the issue at the correct semantic layer when strict mode is selected: decompression guarantees a reduced form or fails.

This PR does not change default consensus behavior unless consensus callers opt into strict=true.

Regression test

Added strict/lenient regression coverage to proof_deserialization_regression_test.cpp using a real Chia mainnet vector (block 309155, CC infusion-point VDF). The canonical b0=0x01 is accepted; inflated b0=0x05 and b0=0x09 are rejected with strict=true and accepted with strict=false.

The Python module also exposes bqfc_deserialize(..., strict=True) for testing and differential fuzzing. Its default is strict, and strict=False preserves the historical behavior.

Testing

Discovered via differential fuzzing of chia-vdf-verify (pure-Rust reimplementation) against chiavdf, where Rust's stricter is_reduced() check exposed the discrepancy. See the characterization in issue #334.

Made with Cursor

---

Note

Medium Risk
Touches BQFC form decompression/deserialization used in proof verification; the new strict path can change acceptance of previously-valid encodings and introduces a new API parameter that callers must handle correctly.

Overview
Adds an optional strict mode to BQFC decompression/deserialization (bqfc_decompr/bqfc_deserialize) that rejects decoded forms where |b| > a, closing a b0-inflation malleability gap while preserving legacy behavior when strict=false.

Updates call sites to thread the new flag (e.g., hardware init uses lenient mode) and extends regression coverage to assert strict rejection vs lenient acceptance of inflated b0 encodings; also exposes a new Python binding chiavdf.bqfc_deserialize(..., strict=True) plus pytest coverage, and ignores src/build/ in .gitignore.

^{Reviewed by Cursor Bugbot for commit bd82b74. Bugbot is set up for automated code reviews on this repo. Configure here.}

[Copilot]

Pull request overview

This PR tightens compressed quadratic-form deserialization to eliminate a known malleability vector in the b0 field, and adds a regression test using a real mainnet-derived vector.

Changes:

• Add an additional validity check during bqfc_decompr to reject certain non-canonical decodings.
• Add a regression test that mutates b0 (inflation by +4/+8) and asserts deserialization rejection.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File	Description
src/proof_deserialization_regression_test.cpp	Adds a regression test covering b0 inflation malleability using a fixed mainnet vector.
src/bqfc.c	Adds a post-decompression bound check intended to reject inflated b0 encodings that previously passed canonical verification.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[hoffmang9]

We're going to get around to a chiavdf release one of these days. Should this get in?

Happy to pick it up and finish it if so.

[richardkiss]

We're going to get around to a chiavdf release one of these days. Should this get in?

Happy to pick it up and finish it if so.

This is entirely AI generated, with guidance from me. Seems like non-canonical proofs are accepted, as was discovered by differential fuzzing with the newly created rust vdf crate. This lets us tighten this gap when HF2 kicks in. A similar knob exists in the rust vdf api.

[hoffmang9]

Close and re-open to reset baseline CI status

[hoffmang9]

lgtm