daxpedda
Contributor

@daxpedda daxpedda commented Jul 30, 2025

The check if an Edwards point is torsion-free involves a scalar multiplication and is therefore quite expensive. This PR implements the algorithm from "Point-Halving and Subgroup Membership in Twisted Edwards Curves" to significantly reduce the computational requirements.

Ed448/decompress        time:   [116.51 µs 116.72 µs 116.90 µs]
                        change: [−76.218% −76.179% −76.147%] (p = 0.00 < 0.05)
                        Performance has improved.

@daxpedda daxpedda force-pushed the ed448-decompress branch 2 times, most recently from 244546b to 0b51143 Compare July 30, 2025 10:07
@daxpedda
Contributor Author

I'm not sure what the is_on_curve() here really does. We reduce the y-coordinate and derive the x-coordinate, so I believe we always end up with a point that is on the curve.

Additionally, why do we require torsion-freeness on points in the first place? I think this should be optional and not enforced by the default decompress() function.

@daxpedda daxpedda changed the title Improve Edwards448 decompression checks Use optimized algorithm to check for Edwards torsion-freeness Aug 2, 2025
@daxpedda daxpedda mentioned this pull request Aug 3, 2025
49 tasks
@tarcieri
Member

tarcieri commented Sep 2, 2025

> I'm not sure what the is_on_curve() here really does. We reduce the y-coordinate and derive the x-coordinate, so I believe we always end up with a point that is on the curve.

Yes, ideally points that aren't on the curve are unrepresentable, because the constructors, be it via decompression or validating that a given set of affine coordinates are valid solutions to the curve equation, always ensure a valid curve point.

Ideally if such a function exists you shouldn't need to make an invalid curve point first in order to check it! Rather the check can be implemented as a constructor which returns a point type only if the coordinates are valid.

@daxpedda
Contributor Author

daxpedda commented Sep 2, 2025

I did go ahead and remove both checks, is_on_curve() and is_torsion_free(), in #1336.

@tarcieri tarcieri merged commit aa7d696 into RustCrypto:master Sep 2, 2025
174 checks passed
@tarcieri
Member

tarcieri commented Sep 3, 2025

Re: constructors that check affine coordinates, here's an issue for that for curve25519-dalek if you'd like to coordinate on APIs: dalek-cryptography/curve25519-dalek#817
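
The validating-constructor pattern discussed in this thread, together with the scalar-multiplication subgroup check the PR description calls expensive, as an added Rust example on a constructed toy curve over F_13 (not Ed448). It is not code from the PR or from RustCrypto; the type, its methods and the curve constants are assumptions chosen for illustration.

```rust
// Toy Edwards curve x^2 + y^2 = 1 + D*x^2*y^2 over F_13 (constructed
// parameters, not Ed448): 12 points, cofactor 4, prime-order subgroup of size 3.
const P: u64 = 13;
const D: u64 = 6; // non-square mod 13, so the addition law below is complete
const ELL: u64 = 3;

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct AffinePoint { x: u64, y: u64 } // fields private: built via `new` or `IDENTITY`

fn inv(a: u64) -> u64 {
    // Fermat inversion a^(P-2) mod P
    (0..P - 2).fold(1, |acc, _| acc * a % P)
}

impl AffinePoint {
    pub const IDENTITY: Self = Self { x: 0, y: 1 };

    /// Validating constructor: returns a point only if (x, y) are reduced
    /// field elements that satisfy the curve equation.
    pub fn new(x: u64, y: u64) -> Option<Self> {
        if x >= P || y >= P { return None; }
        let (xx, yy) = (x * x % P, y * y % P);
        ((xx + yy) % P == (1 + D * xx % P * yy) % P).then_some(Self { x, y })
    }

    fn add(self, o: Self) -> Self {
        // Edwards addition law with a = 1; denominators are nonzero on the curve
        let t = D * self.x % P * o.x % P * self.y % P * o.y % P;
        let x = (self.x * o.y + self.y * o.x) % P * inv((1 + t) % P) % P;
        let y = (self.y * o.y + P * P - self.x * o.x) % P * inv((1 + P - t) % P) % P;
        Self { x, y }
    }

    /// Naive subgroup check: [ELL]P == identity, one full scalar multiplication.
    pub fn is_torsion_free(self) -> bool {
        (0..ELL).fold(Self::IDENTITY, |acc, _| acc.add(self)) == Self::IDENTITY
    }
}

fn main() {
    // Constructed inputs: order 3, order 6, order 4, off-curve, non-canonical x
    for (x, y) in [(2, 5), (2, 8), (1, 0), (2, 6), (15, 5)] {
        match AffinePoint::new(x, y) {
            Some(p) => println!("({x},{y}) on curve, torsion-free: {}", p.is_torsion_free()),
            None => println!("({x},{y}) rejected by constructor"),
        }
    }
}
```

On this toy curve 12 coordinate pairs pass the constructor but only 3 of them lie in the prime-order subgroup, which is why the on-curve check and the torsion-free check are separate questions.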
