Merge pull request #11 from ThomasPiellard/audit/M-04

fix: fixed M-04

internal/generator/backend/template/zkpschemes/plonk/plonk.verify.go.tmpl

@@ -24,6 +24,7 @@ import (
 var (
 	errAlgebraicRelation = errors.New("algebraic relation does not hold")
 	errInvalidWitness    = errors.New("witness length is invalid")
+	errInvalidPoint      = errors.New("point is not on the curve")
 )
 
 func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector, opts ...backend.VerifierOption) error {
@@ -43,6 +44,32 @@ func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector, opts ...bac
 		return errInvalidWitness
 	}
 
+	// check that the points in the proof are on the curve
+	for i := 0; i < len(proof.LRO); i++ {
+		if !proof.LRO[i].IsInSubGroup() {
+			return errInvalidPoint
+		}
+	}
+	if !proof.Z.IsInSubGroup() {
+		return errInvalidPoint
+	}
+	for i := 0; i < len(proof.H); i++ {
+		if !proof.H[i].IsInSubGroup() {
+			return errInvalidPoint
+		}
+	}
+	for i := 0; i < len(proof.Bsb22Commitments); i++ {
+		if !proof.Bsb22Commitments[i].IsInSubGroup() {
+			return errInvalidPoint
+		}
+	}
+	if !proof.BatchedProof.H.IsInSubGroup() {
+		return errInvalidPoint
+	}
+	if !proof.ZShiftedOpening.H.IsInSubGroup() {
+		return errInvalidPoint
+	}
+
 	// transcript to derive the challenge
 	fs := fiatshamir.NewTranscript(cfg.ChallengeHash, "gamma", "beta", "alpha", "zeta")