Handling subgroup checks

[tplooker]

Currently in the draft there are several key places we need to do subgroup checks on points, for example to validate a public key post de-serialization. However in some places we are implicitly relying on the octet_to_point function to perform this role and other places we are doing it as an explicit step in the procedure. We need to make this consistent, the options are

1. Consistently rely on the octet_to_point_g* implementation and add a security consideration that documents this function MUST perform the relevant subgroup check.
2. Explicitly document anywhere in the procedure where a subgroup check is required.

IMO 2 feels like a safer but more verbose option to me.

[BasileiosKal]

Maybe a middle-of-the-road solution would be to define explicitly octets_to_point as an operation in the spec, that calls octets_to_point_g1 and does the checks. For example, something like:

result = octets_to_point_g1(point_octets)

Inputs:
- point_octets, octet string

Parameters:
- SubgroupCheck_g1, a function that on input a point P, returns VALID if P 
                    is in the G1 subgroup and INVALID in any other case.

Procedure:

1. P = octets_to_point_g1(point_octets)

2. if P is INVALID, return INVALID

3. if SubgroupCheck_g1(P) is INVALID, return INVALID

4. if P = Identity_G1, return INVALID

5. return P 

Note: the identity check is not always necessary above, but it can be nice to have.

[tplooker]

Labeling as pending close ahead of WG call on the 4th of july

[tplooker]

Discussed on WG 8th August, there is potentially some inconsistencies that we need to address before we can close this issue

[tplooker]

Discussed on WG call 20th of September, we believe the major inconsistencies around this check are resolved, closing for now and will re-open if some where missed.