Use rejection sampling for random point generation (#1344)

Co-authored-by: Tony Arcieri <[email protected]>

Author: daxpedda

ed448-goldilocks/src/decaf/points.rs

@@ -174,9 +174,14 @@ impl Group for DecafPoint {
     where
         R: TryRngCore + ?Sized,
     {
-        let mut uniform_bytes = [0u8; 112];
-        rng.try_fill_bytes(&mut uniform_bytes)?;
-        Ok(Self::from_uniform_bytes(&uniform_bytes))
+        let mut bytes = DecafPointRepr::default();
+
+        loop {
+            rng.try_fill_bytes(bytes.as_mut())?;
+            if let Some(point) = Self::from_bytes(&bytes).into() {
+                return Ok(point);
+            }
+        }
     }
 
     fn identity() -> Self {

ed448-goldilocks/src/edwards/extended.rs

@@ -341,9 +341,14 @@ impl Group for EdwardsPoint {
     where
         R: TryRngCore + ?Sized,
     {
-        let mut bytes = [0u8; 32];
-        rng.try_fill_bytes(&mut bytes)?;
-        Ok(Self::hash_with_defaults(&bytes))
+        let mut bytes = Array::default();
+
+        loop {
+            rng.try_fill_bytes(bytes.as_mut())?;
+            if let Some(point) = Self::from_bytes(&bytes).into() {
+                return Ok(point);
+            }
+        }
     }
 
     fn identity() -> Self {

k256/src/arithmetic/affine.rs

@@ -9,6 +9,7 @@ use elliptic_curve::{
     Error, Result,
     group::{GroupEncoding, prime::PrimeCurveAffine},
     point::{AffineCoordinates, DecompactPoint, DecompressPoint, NonIdentity},
+    rand_core::TryRngCore,
     sec1::{self, FromEncodedPoint, ToEncodedPoint},
     subtle::{Choice, ConditionallySelectable, ConstantTimeEq, CtOption},
     zeroize::DefaultIsZeroes,
@@ -73,6 +74,22 @@ impl AffinePoint {
         ]),
         infinity: 0,
     };
+
+    /// Generate a random [`AffinePoint`].
+    pub fn try_from_rng<R: TryRngCore + ?Sized>(
+        rng: &mut R,
+    ) -> core::result::Result<Self, R::Error> {
+        let mut bytes = FieldBytes::default();
+        let mut sign = 0;
+
+        loop {
+            rng.try_fill_bytes(&mut bytes)?;
+            rng.try_fill_bytes(core::array::from_mut(&mut sign))?;
+            if let Some(point) = Self::decompress(&bytes, Choice::from(sign & 1)).into_option() {
+                return Ok(point);
+            }
+        }
+    }
 }
 
 impl AffinePoint {

k256/src/arithmetic/projective.rs

@@ -12,7 +12,6 @@ use elliptic_curve::{
     BatchNormalize, CurveGroup, Error, Result,
     group::{
         Group, GroupEncoding,
-        ff::Field,
         prime::{PrimeCurve, PrimeCurveAffine, PrimeGroup},
     },
     rand_core::TryRngCore,
@@ -411,7 +410,7 @@ impl Group for ProjectivePoint {
     type Scalar = Scalar;
 
     fn try_from_rng<R: TryRngCore + ?Sized>(rng: &mut R) -> core::result::Result<Self, R::Error> {
-        Ok(Self::GENERATOR * Scalar::try_from_rng(rng)?)
+        AffinePoint::try_from_rng(rng).map(Self::from)
     }
 
     fn identity() -> Self {

primeorder/src/affine.rs

@@ -13,6 +13,7 @@ use elliptic_curve::{
     ff::{Field, PrimeField},
     group::{GroupEncoding, prime::PrimeCurveAffine},
     point::{AffineCoordinates, DecompactPoint, DecompressPoint, Double, NonIdentity},
+    rand_core::TryRngCore,
     sec1::{
         self, CompressedPoint, EncodedPoint, FromEncodedPoint, ModulusSize, ToCompactEncodedPoint,
         ToEncodedPoint, UncompressedPointSize,
@@ -77,6 +78,28 @@ where
     }
 }
 
+impl<C> AffinePoint<C>
+where
+    C: PrimeCurveParams,
+    FieldBytes<C>: Copy,
+{
+    /// Generate a cryptographically random [`AffinePoint`].
+    pub fn try_from_rng<R: TryRngCore + ?Sized>(
+        rng: &mut R,
+    ) -> core::result::Result<Self, R::Error> {
+        let mut bytes = FieldBytes::<C>::default();
+        let mut sign = 0;
+
+        loop {
+            rng.try_fill_bytes(&mut bytes)?;
+            rng.try_fill_bytes(core::array::from_mut(&mut sign))?;
+            if let Some(point) = Self::decompress(&bytes, Choice::from(sign & 1)).into_option() {
+                return Ok(point);
+            }
+        }
+    }
+}
+
 impl<C> AffineCoordinates for AffinePoint<C>
 where
     C: PrimeCurveParams,

primeorder/src/projective.rs

@@ -258,13 +258,13 @@ where
 
 impl<C> Group for ProjectivePoint<C>
 where
-    Self: Double,
     C: PrimeCurveParams,
+    FieldBytes<C>: Copy,
 {
     type Scalar = Scalar<C>;
 
     fn try_from_rng<R: TryRngCore + ?Sized>(rng: &mut R) -> core::result::Result<Self, R::Error> {
-        Ok(Self::GENERATOR * <Scalar<C> as Field>::try_from_rng(rng)?)
+        AffinePoint::try_from_rng(rng).map(Self::from)
     }
 
     fn identity() -> Self {
@@ -311,8 +311,8 @@ where
 
 impl<C> CurveGroup for ProjectivePoint<C>
 where
-    Self: Double,
     C: PrimeCurveParams,
+    FieldBytes<C>: Copy,
 {
     type AffineRepr = AffinePoint<C>;
 
@@ -331,8 +331,8 @@ where
 
 impl<const N: usize, C> BatchNormalize<[ProjectivePoint<C>; N]> for ProjectivePoint<C>
 where
-    Self: Double,
     C: PrimeCurveParams,
+    FieldBytes<C>: Copy,
 {
     type Output = [<Self as CurveGroup>::AffineRepr; N];
 
@@ -348,8 +348,8 @@ where
 #[cfg(feature = "alloc")]
 impl<C> BatchNormalize<[ProjectivePoint<C>]> for ProjectivePoint<C>
 where
-    Self: Double,
     C: PrimeCurveParams,
+    FieldBytes<C>: Copy,
 {
     type Output = Vec<<Self as CurveGroup>::AffineRepr>;
 
@@ -400,16 +400,16 @@ where
 
 impl<C> LinearCombination<[(Self, Scalar<C>)]> for ProjectivePoint<C>
 where
-    Self: Double,
     C: PrimeCurveParams,
+    FieldBytes<C>: Copy,
 {
     // TODO(tarcieri): optimized implementation
 }
 
 impl<C, const N: usize> LinearCombination<[(Self, Scalar<C>); N]> for ProjectivePoint<C>
 where
-    Self: Double,
     C: PrimeCurveParams,
+    FieldBytes<C>: Copy,
 {
     // TODO(tarcieri): optimized implementation
 }