-
Notifications
You must be signed in to change notification settings - Fork 136
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adapt existing ristretto225 implementation to the CIRCL Group interfaces() #216
Conversation
…t, and Scalar interfaces.
group/ristretto255.go
Outdated
} | ||
} | ||
|
||
// Note(caw): this does NOT implement HashToElement as specified in the hash-to-curve draft |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm happy to make changes to go-ristretto to accommodate the spec.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it's a new API. Derive is basically FromUniformBytes, but this is a wrapper around that interface.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you be a bit more specific what functionality you need?
} | ||
|
||
func (e *ristrettoElement) Dbl(x Element) Element { | ||
return e.Add(x, x) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I could expose a more efficient double in go-ristretto
, if desired.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, please. :-)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
Promoting for full review after adding test vectors. I'll investigate the build failures in a bit. |
Hmm, the "verifying code" stage is failing in CI, due to a new external library:
@armfazh, what does this stage do? |
6bec92b
to
1080545
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
also add ristretto to the batch of tests.
func TestGroup(t *testing.T) {
for _, g := range []group.Group{
group.P256,
group.P384,
group.P521,
group.Ristretto255,
@armfazh done -- good catch! I had to fix the identity serialization test. The change makes me wonder if Marshal() should ever return an encoded element whose byte length is less than the expected size. (For example, 32 zeroes instead of 1 zero.) I can see arguments for either or, but here I went with the former. |
I think it is ok to check for all-zeros, but how many of them? There should be some field in Group that tells you the encoding size. This works well with groups that have fixed-size encodings, but for NIST groups we have variable length encoding, say 1 byte, n+1 bytes, or 2n+1 bytes. |
My take: the number of zeroes should match the size of an encoded element. (That means the existing group implementations should change, since the identity encoding is Can we address this in a future issue? |
1-byte encoding for identity follows the SEC specification.
sure, this is not a blocker for this pr. |
LGTM. |
@armfazh what additional changes would you like to see? |
This change wraps @bwesterb's ristretto225 implementation. I'm opening it up as a draft PR to start, since there are some questions I'd like to work through regarding the
Order()
function (see #214). Once we agree on the general design, I'll add tests along the lines of group_test.go.cc @claucece, @wbl