
Remove unnecessary checks from `CompressedEdwardsY::decompress()`

Open daxpedda opened this issue 6 months ago • 3 comments

Currently `CompressedEdwardsY::decompress()` checks if the point is on the curve. This PR removes this check.

Please correct me if I'm wrong here, but I believe this check can never fail because we don't allow invalid y-coordinates (we reduce the input) and the x-coordinate is derived.

daxpedda, Jul 30 '25 10:07

> we don't allow invalid y-coordinates (we reduce the input)

That doesn't mean a prospective y-coordinate will be a valid solution to the curve equation.

However, as far as I can tell `CompressedEdwardsY::decompress_unchecked` does ensure a valid solution to the curve equation, and will return the `CtOption` equivalent of `None` if it isn't.

tarcieri, Jul 30 '25 13:07

> > we don't allow invalid y-coordinates (we reduce the input)

> That doesn't mean a prospective y-coordinate will be a valid solution to the curve equation.

I see, thanks!

> However, as far as I can tell `CompressedEdwardsY::decompress_unchecked` does ensure a valid solution to the curve equation, and will return the `CtOption` equivalent of `None` if it isn't

I went ahead and adjusted the implementation to follow RFC 8032 and left comments here and there. If we assume that the RFC algorithm only produces points on the curve, our current implementation must be fine then.

daxpedda, Jul 30 '25 14:07

I went ahead and removed the check for torsion-freeness as well, following the RFC.

daxpedda, Sep 02 '25 13:09
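
Added example, not code from this pull request or the crate: the RFC 8032 section 5.2.3 decoding steps discussed in the thread, in Python, showing that a canonical y can have no matching x, that every accepted decoding satisfies the curve equation, and that the small-order point (1, 0) still decodes, so torsion-freeness is a separate property. Assumptions: the Ed448 parameters from RFC 8032 (the thread does not name the curve), and the helper names `encode`, `survey` and `double`, which are introduced here.

```python
# Added example: RFC 8032 section 5.2.3 decoding, Ed448 parameters assumed.
P = 2**448 - 2**224 - 1   # field prime, P % 4 == 3
D = -39081 % P            # d in x^2 + y^2 = 1 + d*x^2*y^2

def on_curve(x, y):
    return (x * x + y * y - 1 - D * x * x * y * y) % P == 0

def decompress(data):
    """Return (x, y) for a 57-byte encoding, or None if decoding fails."""
    if len(data) != 57:
        return None
    n = int.from_bytes(data, "little")
    sign, y = n >> 455, n & ((1 << 455) - 1)   # top bit carries x mod 2
    if y >= P:            # the RFC rejects here; the thread's code reduces
        return None
    u, v = (y * y - 1) % P, (D * y * y - 1) % P   # x^2 = u / v
    # Candidate (u/v)^((P+1)/4), computed without a field inversion.
    x = pow(u, 3, P) * v * pow(pow(u, 5, P) * pow(v, 3, P), (P - 3) // 4, P) % P
    if (v * x * x - u) % P != 0:   # u/v is not a square: no x for this y
        return None
    if x == 0 and sign == 1:
        return None
    return (P - x if x & 1 != sign else x), y

def encode(y, sign=0):
    """Constructed input: little-endian y with the x sign bit on top."""
    return (y | (sign << 455)).to_bytes(57, "little")

def survey(limit):
    """Decode y = 0..limit-1; count (decoded, rejected, off_curve)."""
    decoded = rejected = off_curve = 0
    for y in range(limit):
        point = decompress(encode(y))
        if point is None:
            rejected += 1
        else:
            decoded += 1
            off_curve += not on_curve(*point)
    return decoded, rejected, off_curve

def double(point):
    """Edwards doubling, used to expose the order of a decoded point."""
    x, y = point
    t = D * x * x * y * y % P
    return (2 * x * y * pow(1 + t, -1, P) % P,
            (y * y - x * x) * pow(1 - t, -1, P) % P)

if __name__ == "__main__":
    print("decoded, rejected, off-curve:", survey(200))
    small = decompress(encode(0, 1))            # (1, 0), a point of order 4
    print("order-4 point decodes:", small, double(double(small)) == (0, 1))
```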