Use rejection sampling for random point generation #1344
Conversation
|
Wouldn't there be a modulo bias without reducing a field element from a larger random input? |
|
@andrewwhitehead no, it's the other way around: reduction introduces a bias, and even a wide reduction has a minute bias. Rejection sampling is unbiased. |
No, de-serialization actually declines field elements that don't fit the modulus. |
primeorder/src/projective.rs
Outdated
| let mut bytes = FieldBytes::<C>::default(); | ||
| let mut sign = 0; | ||
|
|
||
| loop { | ||
| rng.try_fill_bytes(&mut bytes)?; | ||
| rng.try_fill_bytes(core::array::from_mut(&mut sign))?; | ||
| if let Some(point) = | ||
| AffinePoint::decompress(&bytes, Choice::from(sign & 1)).into_option() | ||
| { | ||
| return Ok(point.into()); | ||
| } | ||
| } |
There was a problem hiding this comment.
I know I just stamped approve, but now I'm kind of noticing that perhaps this should be an inherent pub fn try_from_rng impl'd on AffinePoint, and then the ProjectivePoint impl could be:
| let mut bytes = FieldBytes::<C>::default(); | |
| let mut sign = 0; | |
| loop { | |
| rng.try_fill_bytes(&mut bytes)?; | |
| rng.try_fill_bytes(core::array::from_mut(&mut sign))?; | |
| if let Some(point) = | |
| AffinePoint::decompress(&bytes, Choice::from(sign & 1)).into_option() | |
| { | |
| return Ok(point.into()); | |
| } | |
| } | |
| AffinePoint::try_from_rng(rng).map(Into::into) |
There was a problem hiding this comment.
I agree, but don't we need a trait for that to implement it in primeorder?
There was a problem hiding this comment.
Apparently not.
Working on it.
There was a problem hiding this comment.
Done.
EdwardsPoint and DecafPoint still need a bit more work.
After this is merged I will do the necessary follow-up for EdwardsPoint in #1333.
Will make a PR for DecafPoint later.
Co-Authored-By: Tony Arcieri <[email protected]>
This PR changes random point generation to use rejection sampling by de-serialization instead of deriving a point from a random scalar.
Fixes #1140.