Use rejection sampling for random point generation

Co-Authored-By: Tony Arcieri <[email protected]>

Author: daxpedda

ed448-goldilocks/src/decaf/points.rs

@@ -174,9 +174,14 @@ impl Group for DecafPoint {
     where
         R: TryRngCore + ?Sized,
     {
-        let mut uniform_bytes = [0u8; 112];
-        rng.try_fill_bytes(&mut uniform_bytes)?;
-        Ok(Self::from_uniform_bytes(&uniform_bytes))
+        let mut bytes = DecafPointRepr::default();
+
+        loop {
+            rng.try_fill_bytes(bytes.as_mut())?;
+            if let Some(point) = Self::from_bytes(&bytes).into() {
+                return Ok(point);
+            }
+        }
     }
 
     fn identity() -> Self {

ed448-goldilocks/src/edwards/extended.rs

@@ -341,9 +341,14 @@ impl Group for EdwardsPoint {
     where
         R: TryRngCore + ?Sized,
     {
-        let mut bytes = [0u8; 32];
-        rng.try_fill_bytes(&mut bytes)?;
-        Ok(Self::hash_with_defaults(&bytes))
+        let mut bytes = Array::default();
+
+        loop {
+            rng.try_fill_bytes(bytes.as_mut())?;
+            if let Some(point) = Self::from_bytes(&bytes).into() {
+                return Ok(point);
+            }
+        }
     }
 
     fn identity() -> Self {

k256/src/arithmetic/projective.rs

@@ -12,7 +12,6 @@ use elliptic_curve::{
     BatchNormalize, CurveGroup, Error, Result,
     group::{
         Group, GroupEncoding,
-        ff::Field,
         prime::{PrimeCurve, PrimeCurveAffine, PrimeGroup},
     },
     rand_core::TryRngCore,
@@ -411,7 +410,18 @@ impl Group for ProjectivePoint {
     type Scalar = Scalar;
 
     fn try_from_rng<R: TryRngCore + ?Sized>(rng: &mut R) -> core::result::Result<Self, R::Error> {
-        Ok(Self::GENERATOR * Scalar::try_from_rng(rng)?)
+        let mut bytes = CompressedPoint::default();
+
+        loop {
+            rng.try_fill_bytes(&mut bytes)?;
+
+            // Ensure SEC1 tag is 0x02 or 0x03 (compressed w\ even vs odd y-coordinate respectively)
+            bytes[0] = (bytes[0] & 1) | 2;
+
+            if let Some(point) = Self::from_bytes(&bytes).into() {
+                return Ok(point);
+            }
+        }
     }
 
     fn identity() -> Self {

primeorder/src/projective.rs

@@ -258,13 +258,24 @@ where
 
 impl<C> Group for ProjectivePoint<C>
 where
-    Self: Double,
+    Self: GroupEncoding,
     C: PrimeCurveParams,
 {
     type Scalar = Scalar<C>;
 
     fn try_from_rng<R: TryRngCore + ?Sized>(rng: &mut R) -> core::result::Result<Self, R::Error> {
-        Ok(Self::GENERATOR * <Scalar<C> as Field>::try_from_rng(rng)?)
+        let mut bytes = <Self as GroupEncoding>::Repr::default();
+
+        loop {
+            rng.try_fill_bytes(bytes.as_mut())?;
+
+            // Ensure SEC1 tag is 0x02 or 0x03 (compressed w\ even vs odd y-coordinate respectively)
+            bytes.as_mut()[0] = (bytes.as_mut()[0] & 1) | 2;
+
+            if let Some(point) = Self::from_bytes(&bytes).into() {
+                return Ok(point);
+            }
+        }
     }
 
     fn identity() -> Self {
@@ -311,7 +322,7 @@ where
 
 impl<C> CurveGroup for ProjectivePoint<C>
 where
-    Self: Double,
+    Self: GroupEncoding,
     C: PrimeCurveParams,
 {
     type AffineRepr = AffinePoint<C>;
@@ -331,7 +342,7 @@ where
 
 impl<const N: usize, C> BatchNormalize<[ProjectivePoint<C>; N]> for ProjectivePoint<C>
 where
-    Self: Double,
+    Self: GroupEncoding,
     C: PrimeCurveParams,
 {
     type Output = [<Self as CurveGroup>::AffineRepr; N];
@@ -348,7 +359,7 @@ where
 #[cfg(feature = "alloc")]
 impl<C> BatchNormalize<[ProjectivePoint<C>]> for ProjectivePoint<C>
 where
-    Self: Double,
+    Self: GroupEncoding,
     C: PrimeCurveParams,
 {
     type Output = Vec<<Self as CurveGroup>::AffineRepr>;
@@ -400,15 +411,15 @@ where
 
 impl<C> LinearCombination<[(Self, Scalar<C>)]> for ProjectivePoint<C>
 where
-    Self: Double,
+    Self: GroupEncoding,
     C: PrimeCurveParams,
 {
     // TODO(tarcieri): optimized implementation
 }
 
 impl<C, const N: usize> LinearCombination<[(Self, Scalar<C>); N]> for ProjectivePoint<C>
 where
-    Self: Double,
+    Self: GroupEncoding,
     C: PrimeCurveParams,
 {
     // TODO(tarcieri): optimized implementation