From c6982b5dfcffce458f7b0237d2e982708b402d2d Mon Sep 17 00:00:00 2001 From: Luke Parker Date: Tue, 30 May 2023 22:05:52 -0400 Subject: [PATCH] Ensure canonical points in the cross-group DLEq proof --- crypto/dleq/src/cross_group/mod.rs | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/crypto/dleq/src/cross_group/mod.rs b/crypto/dleq/src/cross_group/mod.rs index f97ee390..c08ff7b2 100644 --- a/crypto/dleq/src/cross_group/mod.rs +++ b/crypto/dleq/src/cross_group/mod.rs @@ -55,10 +55,13 @@ pub(crate) fn read_point(r: &mut R) -> std::io::Result::from(point) else { + Err(std::io::Error::new(std::io::ErrorKind::Other, "invalid point"))? + }; + if point.to_bytes().as_ref() != repr.as_ref() { + Err(std::io::Error::new(std::io::ErrorKind::Other, "non-canonical point"))?; } - Ok(point.unwrap()) + Ok(point) } /// A pair of generators, one committing to values (primary), one blinding (alt), for an elliptic
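Review bot: The new re-encoding check in read_point, `if point.to_bytes().as_ref() != repr.as_ref()`, has no comment explaining why a point that already decoded must still be compared against its own encoding, and the diffstat shows no test file changed alongside it. I would add something like `// A decoder may accept more than one byte encoding of the same point; only the canonical one is allowed here.` above the check so a later cleanup does not remove it as redundant. A regression test that feeds read_point a non-canonical encoding and expects the "non-canonical point" error would pin the behaviour. Both failure paths report `std::io::ErrorKind::Other`; `std::io::ErrorKind::InvalidData` would tell callers that the bytes were malformed rather than that the reader failed. The start of read_point, including its generic bounds and the decoding call, is not legible in this copy of the hunk, so whether the identity point is rejected elsewhere cannot be confirmed from here.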