Sanity check that trusted setup was loaded in Lagrange form (#309)

* Sanity check that trusted setup was loaded in Lagrange form

* fixup! Sanity check that trusted setup was loaded in Lagrange form

* Fix some nits

* Fix another nit

---------

Co-authored-by: Justin Traglia <jtraglia@pm.me>

src/c_kzg_4844.c

@@ -1656,6 +1656,33 @@ void free_trusted_setup(KZGSettings *s) {
     c_kzg_free(s->g2_values);
 }
 
+/**
+ * Basic sanity check that the trusted setup was loaded in Lagrange form.
+ *
+ * @param[in] s  Pointer to the stored trusted setup data
+ * @param[in] n1 Number of `g1` points in trusted_setup
+ * @param[in] n2 Number of `g2` points in trusted_setup
+ */
+static C_KZG_RET is_trusted_setup_in_lagrange_form(
+    const KZGSettings *s, size_t n1, size_t n2
+) {
+    /* Trusted setup is too small; we can't work with this */
+    if (n1 < 2 || n2 < 2) {
+        return C_KZG_BADARGS;
+    }
+
+    /*
+     * If the following pairing equation checks out:
+     *     e(G1_SETUP[1], G2_SETUP[0]) ?= e(G1_SETUP[0], G2_SETUP[1])
+     * then the trusted setup was loaded in monomial form.
+     * If so, error out since we want the trusted setup in Lagrange form.
+     */
+    bool is_monomial_form = pairings_verify(
+        &s->g1_values[1], &s->g2_values[0], &s->g1_values[0], &s->g2_values[1]
+    );
+    return is_monomial_form ? C_KZG_BADARGS : C_KZG_OK;
+}
+
 /**
  * Load trusted setup into a KZGSettings.
  *
@@ -1727,6 +1754,10 @@ C_KZG_RET load_trusted_setup(
         blst_p2_from_affine(&out->g2_values[i], &g2_affine);
     }
 
+    /* Make sure the trusted setup was loaded in Lagrange form */
+    ret = is_trusted_setup_in_lagrange_form(out, n1, n2);
+    if (ret != C_KZG_OK) goto out_error;
+
     /* Compute roots of unity and permute the G1 trusted setup */
     ret = compute_roots_of_unity(out->roots_of_unity, max_scale);
     if (ret != C_KZG_OK) goto out_error;