dalek-cryptography
diff --git a/‎.github/workflows/workspace.yml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/workspace.yml
Lines changed: 1 addition & 1 deletion
diff --git a/‎curve25519-dalek/Cargo.toml
Lines changed: 5 additions & 5 deletions b/‎curve25519-dalek/Cargo.toml
Lines changed: 5 additions & 5 deletions
diff --git a/‎curve25519-dalek/benches/dalek_benchmarks.rs
Lines changed: 9 additions & 9 deletions b/‎curve25519-dalek/benches/dalek_benchmarks.rs
Lines changed: 9 additions & 9 deletions
diff --git a/‎curve25519-dalek/src/edwards.rs
Lines changed: 22 additions & 16 deletions b/‎curve25519-dalek/src/edwards.rs
Lines changed: 22 additions & 16 deletions
diff --git a/‎curve25519-dalek/src/montgomery.rs
Lines changed: 9 additions & 9 deletions b/‎curve25519-dalek/src/montgomery.rs
Lines changed: 9 additions & 9 deletions
@@ -78,7 +78,7 @@ jobs:
       - name: no_std / no feat ${{ matrix.crate }}
         run: cargo build -p ${{ matrix.crate }} --target thumbv7em-none-eabi --release --no-default-features
       - name: no_std / cargo hack ${{ matrix.crate }}
-        run: cargo hack build -p ${{ matrix.crate }} --target thumbv7em-none-eabi --release --each-feature --exclude-features default,std,getrandom
+        run: cargo hack build -p ${{ matrix.crate }} --target thumbv7em-none-eabi --release --each-feature --exclude-features default,std,os_rng
 
   clippy:
     name: Check that clippy is happy
 
@@ -34,8 +34,8 @@ sha2 = { version = "0.11.0-rc.0", default-features = false }
 bincode = "1"
 criterion = { version = "0.5", features = ["html_reports"] }
 hex = "0.4.2"
-rand = "0.8"
-rand_core = { version = "0.6", default-features = false, features = ["getrandom"] }
+rand = "0.9"
+rand_core = { version = "0.9", default-features = false, features = ["os_rng"] }
 
 [build-dependencies]
 rustc_version = "0.4.0"
@@ -47,9 +47,9 @@ required-features = ["alloc", "rand_core"]
 
 [dependencies]
 cfg-if = "1"
-ff = { version = "0.13", default-features = false, optional = true }
-group = { version = "0.13", default-features = false, optional = true }
-rand_core = { version = "0.6.4", default-features = false, optional = true }
+ff = { version = "=0.14.0-pre.0", default-features = false, optional = true }
+group = { version = "=0.14.0-pre.0", default-features = false, optional = true }
+rand_core = { version = "0.9", default-features = false, optional = true }
 digest = { version = "0.11.0-rc.0", default-features = false, optional = true, features = ["block-api"] }
 subtle = { version = "2.6.0", default-features = false, features = ["const-generics"] }
 serde = { version = "1.0", default-features = false, optional = true, features = ["derive"] }
 
@@ -1,6 +1,6 @@
 #![allow(non_snake_case)]
 
-use rand::{RngCore, rngs::OsRng, thread_rng};
+use rand::{RngCore, TryRngCore, rng, rngs::OsRng};
 
 use criterion::{
     BatchSize, BenchmarkGroup, BenchmarkId, Criterion, criterion_main, measurement::Measurement,
@@ -31,7 +31,7 @@ mod edwards_benches {
                 BenchmarkId::new("Batch EdwardsPoint compression", batch_size),
                 &batch_size,
                 |b, &size| {
-                    let mut rng = OsRng;
+                    let mut rng = OsRng.unwrap_err();
                     let points: Vec<EdwardsPoint> =
                         (0..size).map(|_| EdwardsPoint::random(&mut rng)).collect();
                     b.iter(|| EdwardsPoint::compress_batch(&points));
@@ -64,7 +64,7 @@ mod edwards_benches {
 
     fn vartime_double_base_scalar_mul<M: Measurement>(c: &mut BenchmarkGroup<M>) {
         c.bench_function("Variable-time aA+bB, A variable, B fixed", |bench| {
-            let mut rng = thread_rng();
+            let mut rng = rng();
             let A = EdwardsPoint::mul_base(&Scalar::random(&mut rng));
             bench.iter_batched(
                 || (Scalar::random(&mut rng), Scalar::random(&mut rng)),
@@ -76,7 +76,7 @@ mod edwards_benches {
 
     #[cfg(feature = "digest")]
     fn hash_to_curve<M: Measurement>(c: &mut BenchmarkGroup<M>) {
-        let mut rng = thread_rng();
+        let mut rng = rng();
 
         let mut msg = [0u8; 32];
         let mut domain_sep = [0u8; 32];
@@ -114,12 +114,12 @@ mod multiscalar_benches {
     use curve25519_dalek::traits::VartimePrecomputedMultiscalarMul;
 
     fn construct_scalars(n: usize) -> Vec<Scalar> {
-        let mut rng = thread_rng();
+        let mut rng = rng();
         (0..n).map(|_| Scalar::random(&mut rng)).collect()
     }
 
     fn construct_points(n: usize) -> Vec<EdwardsPoint> {
-        let mut rng = thread_rng();
+        let mut rng = rng();
         (0..n)
             .map(|_| EdwardsPoint::mul_base(&Scalar::random(&mut rng)))
             .collect()
@@ -287,7 +287,7 @@ mod ristretto_benches {
                 |b, &&size| {
                     let mut rng = OsRng;
                     let points: Vec<RistrettoPoint> = (0..size)
-                        .map(|_| RistrettoPoint::random(&mut rng))
+                        .map(|_| RistrettoPoint::try_from_rng(&mut rng).unwrap())
                         .collect();
                     b.iter(|| RistrettoPoint::double_and_compress_batch(&points));
                 },
@@ -337,7 +337,7 @@ mod scalar_benches {
     use super::*;
 
     fn scalar_arith<M: Measurement>(c: &mut BenchmarkGroup<M>) {
-        let mut rng = thread_rng();
+        let mut rng = rng();
 
         c.bench_function("Scalar inversion", |b| {
             let s = Scalar::from(897987897u64).invert();
@@ -372,7 +372,7 @@ mod scalar_benches {
                 BenchmarkId::new("Batch scalar inversion", *batch_size),
                 &batch_size,
                 |b, &&size| {
-                    let mut rng = OsRng;
+                    let mut rng = OsRng.unwrap_err();
                     let scalars: Vec<Scalar> =
                         (0..size).map(|_| Scalar::random(&mut rng)).collect();
                     b.iter(|| {
 
@@ -113,6 +113,7 @@ use digest::{
 #[cfg(feature = "group")]
 use {
     group::{GroupEncoding, cofactor::CofactorGroup, prime::PrimeGroup},
+    rand_core::TryRngCore,
     subtle::CtOption,
 };
 
@@ -722,7 +723,7 @@ impl EdwardsPoint {
     /// Uses rejection sampling, generating a random `CompressedEdwardsY` and then attempting point
     /// decompression, rejecting invalid points.
     #[cfg(any(test, feature = "rand_core"))]
-    pub fn random(mut rng: impl RngCore) -> Self {
+    pub fn random<R: RngCore + ?Sized>(rng: &mut R) -> Self {
         let mut repr = CompressedEdwardsY([0u8; 32]);
         loop {
             rng.fill_bytes(&mut repr.0);
@@ -1419,9 +1420,16 @@ impl Debug for EdwardsPoint {
 impl group::Group for EdwardsPoint {
     type Scalar = Scalar;
 
-    fn random(rng: impl RngCore) -> Self {
-        // Call the inherent `pub fn random` defined above
-        Self::random(rng)
+    fn try_from_rng<R: TryRngCore + ?Sized>(rng: &mut R) -> Result<Self, R::Error> {
+        let mut repr = CompressedEdwardsY([0u8; 32]);
+        loop {
+            rng.try_fill_bytes(&mut repr.0)?;
+            if let Some(p) = repr.decompress() {
+                if !IsIdentity::is_identity(&p) {
+                    break Ok(p);
+                }
+            }
+        }
     }
 
     fn identity() -> Self {
@@ -1664,20 +1672,20 @@ impl Zeroize for SubgroupPoint {
 impl group::Group for SubgroupPoint {
     type Scalar = Scalar;
 
-    fn random(mut rng: impl RngCore) -> Self {
+    fn try_from_rng<R: TryRngCore + ?Sized>(rng: &mut R) -> Result<Self, R::Error> {
         use group::ff::Field;
 
         // This will almost never loop, but `Group::random` is documented as returning a
         // non-identity element.
         let s = loop {
-            let s: Scalar = Field::random(&mut rng);
+            let s: Scalar = Field::try_from_rng(rng)?;
             if !s.is_zero_vartime() {
                 break s;
             }
         };
 
         // This gives an element of the prime-order subgroup.
-        Self::generator() * s
+        Ok(Self::generator() * s)
     }
 
     fn identity() -> Self {
@@ -1743,9 +1751,7 @@ impl CofactorGroup for EdwardsPoint {
 mod test {
     use super::*;
 
-    // If `group` is set, then this is already imported in super
-    #[cfg(not(feature = "group"))]
-    use rand_core::RngCore;
+    use rand_core::TryRngCore;
 
     #[cfg(feature = "alloc")]
     use alloc::vec::Vec;
@@ -2040,7 +2046,7 @@ mod test {
         #[cfg(feature = "precomputed-tables")]
         let random_point = {
             let mut b = [0u8; 32];
-            csprng.fill_bytes(&mut b);
+            csprng.try_fill_bytes(&mut b).unwrap();
             EdwardsPoint::mul_base_clamped(b) + constants::EIGHT_TORSION[1]
         };
         // Make a basepoint table from the random point. We'll use this with mul_base_clamped
@@ -2066,7 +2072,7 @@ mod test {
         for _ in 0..100 {
             // This will be reduced mod l with probability l / 2^256 ≈ 6.25%
             let mut a_bytes = [0u8; 32];
-            csprng.fill_bytes(&mut a_bytes);
+            csprng.try_fill_bytes(&mut a_bytes).unwrap();
 
             assert_eq!(
                 EdwardsPoint::mul_base_clamped(a_bytes),
@@ -2151,7 +2157,7 @@ mod test {
     #[cfg(feature = "alloc")]
     #[test]
     fn compress_batch() {
-        let mut rng = rand::thread_rng();
+        let mut rng = rand::rng();
 
         // TODO(tarcieri): proptests?
         // Make some points deterministically then randomly
@@ -2207,7 +2213,7 @@ mod test {
     // A single iteration of a consistency check for MSM.
     #[cfg(feature = "alloc")]
     fn multiscalar_consistency_iter(n: usize) {
-        let mut rng = rand::thread_rng();
+        let mut rng = rand::rng();
 
         // Construct random coefficients x0, ..., x_{n-1},
         // followed by some extra hardcoded ones.
@@ -2270,7 +2276,7 @@ mod test {
     #[test]
     #[cfg(feature = "alloc")]
     fn batch_to_montgomery() {
-        let mut rng = rand::thread_rng();
+        let mut rng = rand::rng();
 
         let scalars = (0..128)
             .map(|_| Scalar::random(&mut rng))
@@ -2295,7 +2301,7 @@ mod test {
     #[test]
     #[cfg(feature = "alloc")]
     fn vartime_precomputed_vs_nonprecomputed_multiscalar() {
-        let mut rng = rand::thread_rng();
+        let mut rng = rand::rng();
 
         let static_scalars = (0..128)
             .map(|_| Scalar::random(&mut rng))
 
@@ -437,7 +437,7 @@ mod test {
     #[cfg(feature = "alloc")]
     use alloc::vec::Vec;
 
-    use rand_core::{CryptoRng, RngCore};
+    use rand_core::{CryptoRng, RngCore, TryRngCore};
 
     #[test]
     fn identity_in_different_coordinates() {
@@ -521,8 +521,8 @@ mod test {
     }
 
     /// Returns a random point on the prime-order subgroup
-    fn rand_prime_order_point(mut rng: impl RngCore + CryptoRng) -> EdwardsPoint {
-        let s: Scalar = Scalar::random(&mut rng);
+    fn rand_prime_order_point<R: CryptoRng + ?Sized>(rng: &mut R) -> EdwardsPoint {
+        let s: Scalar = Scalar::random(rng);
         EdwardsPoint::mul_base(&s)
     }
 
@@ -540,10 +540,10 @@ mod test {
 
     #[test]
     fn montgomery_ladder_matches_edwards_scalarmult() {
-        let mut csprng = rand_core::OsRng;
+        let mut csprng = rand_core::OsRng.unwrap_err();
 
         for _ in 0..100 {
-            let p_edwards = rand_prime_order_point(csprng);
+            let p_edwards = rand_prime_order_point(&mut csprng);
             let p_montgomery: MontgomeryPoint = p_edwards.to_montgomery();
 
             let s: Scalar = Scalar::random(&mut csprng);
@@ -558,11 +558,11 @@ mod test {
     // multiplying by the Scalar representation of the same bits
     #[test]
     fn montgomery_mul_bits_be() {
-        let mut csprng = rand_core::OsRng;
+        let mut csprng = rand_core::OsRng.unwrap_err();
 
         for _ in 0..100 {
             // Make a random prime-order point P
-            let p_edwards = rand_prime_order_point(csprng);
+            let p_edwards = rand_prime_order_point(&mut csprng);
             let p_montgomery: MontgomeryPoint = p_edwards.to_montgomery();
 
             // Make a random integer b
@@ -583,7 +583,7 @@ mod test {
     // integers b₁, b₂ and random (curve or twist) point P.
     #[test]
     fn montgomery_mul_bits_be_twist() {
-        let mut csprng = rand_core::OsRng;
+        let mut csprng = rand_core::OsRng.unwrap_err();
 
         for _ in 0..100 {
             // Make a random point P on the curve or its twist
@@ -629,7 +629,7 @@ mod test {
         for _ in 0..100 {
             // This will be reduced mod l with probability l / 2^256 ≈ 6.25%
             let mut a_bytes = [0u8; 32];
-            csprng.fill_bytes(&mut a_bytes);
+            csprng.try_fill_bytes(&mut a_bytes).unwrap();
 
             assert_eq!(
                 MontgomeryPoint::mul_base_clamped(a_bytes),