Use a Group::random which doesn't have a known DL

While Group::random shouldn't be used instead of a hash to curve, anyone who did would've previously been insecure and now isn't. Could've done a recover_x and a raw Point construction, followed by a cofactor mul, to avoid the serialization, yet the serialization ensures full validity under the standard from_bytes function. THis also doesn't need to be micro-optimized.
2025-12-08 20:29:23 +00:00 · 2022-08-29 13:02:20 -04:00
parent b97713aac7
commit ee6316b26b
2 changed files with 24 additions and 8 deletions
--- a/crypto/dalek-ff-group/src/lib.rs
+++ b/crypto/dalek-ff-group/src/lib.rs
@@ -311,10 +311,15 @@ macro_rules! dalek_group {

    impl Group for $Point {
      type Scalar = Scalar;
-      // Ideally, this would be cryptographically secure, yet that's not a bound on the trait
-      // k256 also does this
-      fn random(rng: impl RngCore) -> Self {
-        &$BASEPOINT_TABLE * Scalar::random(rng)
+      fn random(mut rng: impl RngCore) -> Self {
+        loop {
+          let mut bytes = field::FieldElement::random(&mut rng).to_repr();
+          bytes[31] |= u8::try_from(rng.next_u32() % 2).unwrap() << 7;
+          let opt = Self::from_bytes(&bytes);
+          if opt.is_some().into() {
+            return opt.unwrap();
+          }
+        }
      }
      fn identity() -> Self {
        Self($DPoint::identity())