Impl TryFrom<&[u8]> for all compressed point types. #296
Conversation
isislovecruft
force-pushed
the
feature/compressed-try-from
branch
from
1e88566
to
0840d3a
Compare
|
This seems good, should there also be an implementation for montgomery points? |
|
Thinking about this a bit more on the weekend, I have concerns about the use of I think that this will interact poorly with the type conversions used in the |
|
I can also implement this for Montgomery points. Also, I can make a curve25519 specific error type—I just avoided doing that because I didn't know how much error-handling boiler plate we'd want in this crate. |
isislovecruft
force-pushed
the
feature/compressed-try-from
branch
from
b49bc15
to
5c98d00
Compare
|
@hdevalence Alright, you've now got custom error types, with optional dependency and implemenation on the |
isislovecruft
force-pushed
the
feature/compressed-try-from
branch
from
b004d77
to
2d2fe9a
Compare
|
I don't think we should depend on Previously, we avoided all of this by using only |
|
The approach we've used in various RustCrypto crates is an opaque |
|
@hdevalence Would you be okay with the |
|
Hmm.. I'm afraid I don't understand why I'm getting this error, for like the first time ever in Rust: https://travis-ci.org/dalek-cryptography/curve25519-dalek/jobs/602034204#L355 |
|
@isislovecruft Try |
|
Rather than having a stub error type that may or not be |
isislovecruft
force-pushed
the
feature/compressed-try-from
branch
from
4b51235
to
a7f2c6c
Compare
|
Need to use Created the following PR to extend this one for other types: |
|
@hdevalence I'm not sure I precisely understand what you're suggesting.. do you mean, rather than implementing |
|
No, I'm suggesting that we should provide an |
This reduces copy-pasta in downstream users to check the length of the slice beforehand.
We due this in lieu of implementing `TryFrom` to allow for API consumers to use the `?` operator to convert potential `None`s into their own `Result<T, CustomError>` types for better error handling with less boilerplate. Note that this is a breaking API change.
|
Ah, I see. Sure. |
isislovecruft
force-pushed
the
feature/compressed-try-from
branch
from
a7f2c6c
to
9ae2e3b
Compare
|
Done. Do we also want a similar API for |
|
I would prefer not to have a similar API for |
|
Sounds good. This branch is ready for review then. Also I can squash it down and remove the history if you like. |
|
|
||
| u.ct_eq(&self.0).into() | ||
| } | ||
| } |
There was a problem hiding this comment.
This is not the right definition of validity; all 32-byte strings are valid representations of elements of the curve+twist pair, and this check should not exist in the source code.
There was a problem hiding this comment.
§5.2 of "Montgomery Curves and Their Arithmetic" reads:
both E_{(A,B)}(𝔽_q) and E_{(A,B')}(𝔽_q) have cryptographically strong (i.e. almost prime) group orders. This means that every element of 𝔽_q corresponds to a point on a cryptographically strong Montgomery curve, and implementers need not perform any point validation checks in this protocol.
My reading of that is that we do not need to check that a 32-byte string is a canonical representation of a field element, however we probably should check (which the decoding function explicitly does not do) in order to avoid inputs in [2^255 - 18, 2^255).
There was a problem hiding this comment.
That is the check that the encoding is canonical, which is why we don't need it.
There was a problem hiding this comment.
Yes, I realise that is the the check that the encoding is canonical. I'm arguing that we should do the check to ensure the 32-bytes are a canonical element in 𝔽_q, otherwise the callee must check this if they care about potential "non-contributory" inputs. (My understanding of TryFrom is essentially "here's some random crap, make it absolutely safe if you can".)
There was a problem hiding this comment.
I mean, consumers of our library are doing similar checks on their own (cf. tendermint/tmkms#279). I'm arguing that we should give them proper tools to Just Do The Thing And Not Have To Worry, since the whole point of this PR is to reduce copy-pasta.
|
Uh.. I'm confused, @hdevalence, why you'd unilaterally revert my commits without any given reasoning or explanation? And then furthermore gaslight me by claiming you're not doing this?
Do you have a problem with my code? |
|
The reasoning is given in the commit message of the revert commit, linked above in this thread:
Searching for "2.0.0" on the issue tracker shows #265 (comment), which was crossreferenced from various other issues tracking the Regarding "gaslighting", the date on your original message, which you did not include in the screenshot, was November 22; I made the revert commit yesterday afternoon, December 10, because I was concerned that other minor changes would be made on top of the incompatible code in |
* Add `Scalar` and `MontgomeryPoint` conversions - Adds `SigningKey::to_scalar` to extract the private scalar - Adds `VerifyingKey::to_montgomery` to map the verifying key's `EdwardsPoint` to a `MontgomeryPoint` - Also adds corresponding `From<&T>` impls which call the inherent methods. This is useful for systems which are keyed using Ed25519 keys which would like to use X25519 for D-H. Having inherent methods means it's possible to call these methods without having to import `Scalar` and `MontgomeryPoint` from `curve25519-dalek`. This is of course a bit circuitous: we could just multiply `Scalar` by `EdwardsPoint` and use the resulting `EdwardsPoint` as the D-H shared secret, however it seems many protocols have adopted this approach of mapping to `MontgomeryPoint` and using that for the shared secret, since X25519 is traditionally used for ECDH with Curve25519. * Add reference to eprint 2021/509 * Basic X25519 Diffie-Hellman test
This reduces copy-pasta in downstream users to check the length of the slice beforehand.