Add CompressedEdwardsY::validated_decompress()

daxpedda · daxpedda · commit aa58b9863b7b · 2025-09-25T22:40:46.000+02:00
diff --git a/curve25519-dalek/Cargo.toml b/curve25519-dalek/Cargo.toml
@@ -41,6 +41,7 @@ sha2 = { version = "0.11.0-rc.2", default-features = false }
 bincode = "1"
 criterion = { version = "0.5", features = ["html_reports"] }
 hex = "0.4.2"
+hex-literal = "0.4"
 proptest = "1"
 rand = "0.9"
 rand_core = { version = "0.9", default-features = false, features = ["os_rng"] }
diff --git a/curve25519-dalek/src/edwards.rs b/curve25519-dalek/src/edwards.rs
@@ -209,43 +209,81 @@ impl CompressedEdwardsY {
     /// Returns `None` if the input is not the \\(y\\)-coordinate of a
     /// curve point.
     pub fn decompress(&self) -> Option<EdwardsPoint> {
-        let (is_valid_y_coord, X, Y, Z) = decompress::step_1(self);
+        let Y = FieldElement::from_bytes(self.as_bytes());
+        let (is_valid_y_coord, X, Z) = decompress::step_1(&Y);
 
         if is_valid_y_coord.into() {
-            Some(decompress::step_2(self, X, Y, Z))
+            Some(decompress::step_2(self.as_bytes(), X, Y, Z))
         } else {
             None
         }
     }
+
+    /// Attempt to decompress to an `EdwardsPoint` according to NIST rules.
+    ///
+    /// Returns `None` if the input overflows the field modulus or is not the
+    /// \\(y\\)-coordinate of a curve point. With `PointValidation::Full` it
+    /// will also return `None` if the point is not contained in the
+    /// prime-order subgroup.
+    pub fn validated_decompress(&self, validation: PointValidation) -> Option<EdwardsPoint> {
+        let Y = FieldElement::from_bytes(self.as_bytes());
+
+        if &Y.to_bytes() != self.as_bytes() {
+            return None;
+        }
+
+        let (is_valid_y_coord, X, Z) = decompress::step_1(&Y);
+
+        if !bool::from(is_valid_y_coord) {
+            return None;
+        }
+
+        let point = decompress::step_2(self.as_bytes(), X, Y, Z);
+
+        if let PointValidation::Full = validation {
+            point.is_torsion_free().then_some(point)
+        } else {
+            Some(point)
+        }
+    }
+}
+
+/// NIST validation rules.
+#[derive(Clone, Copy, Debug, Eq, PartialEq)]
+pub enum PointValidation {
+    /// Partial validation. Only checks for overflowing the field modulus.
+    Partial,
+    /// Full validation. Checks for overflowing the field modulus and
+    /// prime-order subgroup.
+    Full,
 }
 
 mod decompress {
     use super::*;
 
     #[rustfmt::skip] // keep alignment of explanatory comments
     pub(super) fn step_1(
-        repr: &CompressedEdwardsY,
-    ) -> (Choice, FieldElement, FieldElement, FieldElement) {
-        let Y = FieldElement::from_bytes(repr.as_bytes());
+        Y: &FieldElement,
+    ) -> (Choice, FieldElement, FieldElement) {
         let Z = FieldElement::ONE;
         let YY = Y.square();
         let u = &YY - &Z;                            // u =  y²-1
         let v = &(&YY * &constants::EDWARDS_D) + &Z; // v = dy²+1
         let (is_valid_y_coord, X) = FieldElement::sqrt_ratio_i(&u, &v);
 
-        (is_valid_y_coord, X, Y, Z)
+        (is_valid_y_coord, X, Z)
     }
 
     #[rustfmt::skip]
     pub(super) fn step_2(
-        repr: &CompressedEdwardsY,
+        repr: &[u8; 32],
         mut X: FieldElement,
         Y: FieldElement,
         Z: FieldElement,
     ) -> EdwardsPoint {
          // FieldElement::sqrt_ratio_i always returns the nonnegative square root,
          // so we negate according to the supplied sign bit.
-        let compressed_sign_bit = Choice::from(repr.as_bytes()[31] >> 7);
+        let compressed_sign_bit: Choice = Choice::from(repr[31] >> 7);
         X.conditional_negate(compressed_sign_bit);
 
         EdwardsPoint {
@@ -1483,9 +1521,13 @@ impl GroupEncoding for EdwardsPoint {
     type Repr = [u8; 32];
 
     fn from_bytes(bytes: &Self::Repr) -> CtOption<Self> {
-        let repr = CompressedEdwardsY(*bytes);
-        let (is_valid_y_coord, X, Y, Z) = decompress::step_1(&repr);
-        CtOption::new(decompress::step_2(&repr, X, Y, Z), is_valid_y_coord)
+        let Y = FieldElement::from_bytes(bytes);
+        let y_encoding_is_canonical = Y.to_bytes().ct_eq(bytes);
+        let (is_valid_y_coord, X, Z) = decompress::step_1(&Y);
+        CtOption::new(
+            decompress::step_2(bytes, X, Y, Z),
+            y_encoding_is_canonical & is_valid_y_coord,
+        )
     }
 
     fn from_bytes_unchecked(bytes: &Self::Repr) -> CtOption<Self> {
@@ -1779,6 +1821,7 @@ impl CofactorGroup for EdwardsPoint {
 mod test {
     use super::*;
 
+    use hex_literal::hex;
     use rand_core::TryRngCore;
 
     #[cfg(feature = "alloc")]
@@ -1872,6 +1915,35 @@ mod test {
         assert_eq!(minus_basepoint.T, -(&constants::ED25519_BASEPOINT_POINT.T));
     }
 
+    /// Test validated decompression
+    #[test]
+    fn validated_decompression() {
+        const OVERFLOWING_POINT: CompressedEdwardsY = CompressedEdwardsY(hex!(
+            "e184c7ba7f37cd33bd357f70dc0dfb537fb397761a3fd0a75eb3314b34cc78b5"
+        ));
+
+        assert!(OVERFLOWING_POINT.decompress().is_some());
+        assert!(
+            OVERFLOWING_POINT
+                .validated_decompress(PointValidation::Partial)
+                .is_none()
+        );
+
+        const TORSION_POINT: CompressedEdwardsY = CompressedEdwardsY(hex!(
+            "5d78934d0311e9791fb9577f568a47605f347b367db825c4e27c52eb0cbe944d"
+        ));
+
+        let point = TORSION_POINT
+            .validated_decompress(PointValidation::Partial)
+            .unwrap();
+        assert!(!point.is_torsion_free());
+        assert!(
+            OVERFLOWING_POINT
+                .validated_decompress(PointValidation::Full)
+                .is_none()
+        );
+    }
+
     /// Test that computing 1*basepoint gives the correct basepoint.
     #[cfg(feature = "precomputed-tables")]
     #[test]
