Merge changes from zkcrypto/release-0.14.0

Cargo.toml

@@ -33,3 +33,6 @@ wnaf-memuse = ["alloc", "memuse"]
 
 [badges]
 maintenance = { status = "actively-developed" }
+
+[patch.crates-io.rustcrypto-ff]
+git = "https://github.com/RustCrypto/ff"

rust-toolchain.toml

@@ -1,3 +1,3 @@
 [toolchain]
 channel = "1.85.0"
-components = ["clippy", "rustfmt"]
+components = [ "clippy", "rustfmt" ]

src/cofactor.rs

@@ -1,9 +1,6 @@
-use core::fmt;
-use core::ops::{Mul, Neg};
-use ff::PrimeField;
 use subtle::{Choice, CtOption};
 
-use crate::{prime::PrimeGroup, Curve, Group, GroupEncoding, GroupOps, GroupOpsOwned};
+use crate::{prime::PrimeGroup, Curve, CurveAffine, Group, GroupEncoding, GroupOps, GroupOpsOwned};
 
 /// This trait represents an element of a cryptographic group with a large prime-order
 /// subgroup and a comparatively-small cofactor.
@@ -54,47 +51,10 @@ pub trait CofactorGroup:
 
 /// Efficient representation of an elliptic curve point guaranteed to be
 /// in the correct prime order subgroup.
-pub trait CofactorCurve:
-    Curve<AffineRepr = <Self as CofactorCurve>::Affine> + CofactorGroup
-{
-    type Affine: CofactorCurveAffine<Curve = Self, Scalar = Self::Scalar>
-        + Mul<Self::Scalar, Output = Self>
-        + for<'r> Mul<&'r Self::Scalar, Output = Self>;
-}
+pub trait CofactorCurve: Curve + CofactorGroup {}
 
 /// Affine representation of an elliptic curve point guaranteed to be
 /// in the correct prime order subgroup.
-pub trait CofactorCurveAffine:
-    GroupEncoding
-    + Copy
-    + Clone
-    + Sized
-    + Send
-    + Sync
-    + fmt::Debug
-    + PartialEq
-    + Eq
-    + 'static
-    + Neg<Output = Self>
-    + Mul<<Self as CofactorCurveAffine>::Scalar, Output = <Self as CofactorCurveAffine>::Curve>
-    + for<'r> Mul<
-        &'r <Self as CofactorCurveAffine>::Scalar,
-        Output = <Self as CofactorCurveAffine>::Curve,
-    >
-{
-    type Scalar: PrimeField;
-    type Curve: CofactorCurve<Affine = Self, Scalar = Self::Scalar>;
-
-    /// Returns the additive identity.
-    fn identity() -> Self;
+pub trait CofactorCurveAffine: CurveAffine {}
 
-    /// Returns a fixed generator of unknown exponent.
-    fn generator() -> Self;
-
-    /// Determines if this point represents the point at infinity; the
-    /// additive identity.
-    fn is_identity(&self) -> Choice;
-
-    /// Converts this element to its curve representation.
-    fn to_curve(&self) -> Self::Curve;
-}
+impl<C: CurveAffine> CofactorCurveAffine for C where C::Curve: CofactorCurve {}

src/lib.rs

@@ -9,7 +9,6 @@ extern crate alloc;
 // Re-export ff to make version-matching easier.
 pub use ff;
 
-use core::convert::Infallible;
 use core::fmt;
 use core::iter::Sum;
 use core::ops::{Add, AddAssign, Mul, MulAssign, Neg, Sub, SubAssign};
@@ -74,25 +73,23 @@ pub trait Group:
     type Scalar: PrimeField;
 
     /// Returns an element chosen uniformly at random from the non-identity elements of
-    /// this group.
+    /// this group using a user-provided infallible RNG.
     ///
-    /// This function is non-deterministic, and samples from the user-provided RNG.
+    /// This is a convenience wrapper around [`Group::try_random`] for RNGs that cannot
+    /// fail. Use [`Group::try_random`] if your RNG may fail (for example, an OS-backed
+    /// entropy source).
     fn random<R: Rng + ?Sized>(rng: &mut R) -> Self {
-        Self::try_from_rng(rng)
-            .map_err(|e: Infallible| e)
-            .expect("Infallible failed")
-
-        // NOTE: once MSRV gets to 1.82 remove the map_err/expect and use
-        // let Ok(out) = Self::try_from_rng(rng);
-        // out
-        // See: https://blog.rust-lang.org/2024/10/17/Rust-1.82.0.html#omitting-empty-types-in-pattern-matching
+        let Ok(out) = Self::try_random(rng);
+        out
     }
 
     /// Returns an element chosen uniformly at random from the non-identity elements of
-    /// this group.
+    /// this group using a user-provided fallible RNG.
     ///
-    /// This function is non-deterministic, and samples from the user-provided RNG.
-    fn try_from_rng<R: TryRng + ?Sized>(rng: &mut R) -> Result<Self, R::Error>;
+    /// Returns `Err` propagating the RNG's error if the underlying RNG fails to produce
+    /// the randomness required to sample an element. Implementors of `Group` must
+    /// provide this method; [`Group::random`] is derived from it for infallible RNGs.
+    fn try_random<R: TryRng + ?Sized>(rng: &mut R) -> Result<Self, R::Error>;
 
     /// Returns the additive identity, also known as the "neutral element".
     fn identity() -> Self;
@@ -114,16 +111,14 @@ pub trait Group:
     }
 }
 
-/// Efficient representation of an elliptic curve point guaranteed.
-pub trait Curve:
-    Group + GroupOps<<Self as Curve>::AffineRepr> + GroupOpsOwned<<Self as Curve>::AffineRepr>
-{
+/// Efficient representation of an elliptic curve point.
+pub trait Curve: Group + GroupOps<Self::Affine> + GroupOpsOwned<Self::Affine> {
     /// The affine representation for this elliptic curve.
-    type AffineRepr;
+    type Affine: CurveAffine<Curve = Self, Scalar = Self::Scalar>;
 
     /// Converts a batch of projective elements into affine elements. This function will
     /// panic if `p.len() != q.len()`.
-    fn batch_normalize(p: &[Self], q: &mut [Self::AffineRepr]) {
+    fn batch_normalize(p: &[Self], q: &mut [Self::Affine]) {
         assert_eq!(p.len(), q.len());
 
         for (p, q) in p.iter().zip(q.iter_mut()) {
@@ -132,7 +127,42 @@ pub trait Curve:
     }
 
     /// Converts this element into its affine representation.
-    fn to_affine(&self) -> Self::AffineRepr;
+    fn to_affine(&self) -> Self::Affine;
+}
+
+/// Affine representation of an elliptic curve point.
+pub trait CurveAffine:
+    GroupEncoding
+    + Copy
+    + fmt::Debug
+    + Eq
+    + Send
+    + Sync
+    + 'static
+    + Neg<Output = Self>
+    + Mul<<Self::Curve as Group>::Scalar, Output = Self::Curve>
+    + for<'r> Mul<&'r <Self::Curve as Group>::Scalar, Output = Self::Curve>
+{
+    /// The efficient representation for this elliptic curve.
+    type Curve: Curve<Affine = Self, Scalar = Self::Scalar>;
+
+    /// Scalars modulo the order of this group's scalar field.
+    ///
+    /// This associated type is temporary, and will be removed once downstream users have
+    /// migrated to using `Curve` as the primary generic bound.
+    type Scalar: PrimeField;
+
+    /// Returns the additive identity.
+    fn identity() -> Self;
+
+    /// Returns a fixed generator of unknown exponent.
+    fn generator() -> Self;
+
+    /// Determines if this point represents the additive identity.
+    fn is_identity(&self) -> Choice;
+
+    /// Converts this affine point to its efficient representation.
+    fn to_curve(&self) -> Self::Curve;
 }
 
 pub trait GroupEncoding: Sized {

src/prime.rs

@@ -1,50 +1,14 @@
-use core::fmt;
-use core::ops::{Mul, Neg};
-use ff::PrimeField;
-use subtle::Choice;
-
-use crate::{Curve, Group, GroupEncoding};
+use crate::{Curve, CurveAffine, Group, GroupEncoding};
 
 /// This trait represents an element of a prime-order cryptographic group.
 pub trait PrimeGroup: Group + GroupEncoding {}
 
 /// Efficient representation of an elliptic curve point guaranteed to be
 /// in the correct prime order subgroup.
-pub trait PrimeCurve: Curve<AffineRepr = <Self as PrimeCurve>::Affine> + PrimeGroup {
-    type Affine: PrimeCurveAffine<Curve = Self, Scalar = Self::Scalar>
-        + Mul<Self::Scalar, Output = Self>
-        + for<'r> Mul<&'r Self::Scalar, Output = Self>;
-}
+pub trait PrimeCurve: Curve + PrimeGroup {}
 
 /// Affine representation of an elliptic curve point guaranteed to be
 /// in the correct prime order subgroup.
-pub trait PrimeCurveAffine: GroupEncoding
-    + Copy
-    + Clone
-    + Sized
-    + Send
-    + Sync
-    + fmt::Debug
-    + PartialEq
-    + Eq
-    + 'static
-    + Neg<Output = Self>
-    + Mul<<Self as PrimeCurveAffine>::Scalar, Output = <Self as PrimeCurveAffine>::Curve>
-    + for<'r> Mul<&'r <Self as PrimeCurveAffine>::Scalar, Output = <Self as PrimeCurveAffine>::Curve>
-{
-    type Scalar: PrimeField;
-    type Curve: PrimeCurve<Affine = Self, Scalar = Self::Scalar>;
-
-    /// Returns the additive identity.
-    fn identity() -> Self;
-
-    /// Returns a fixed generator of unknown exponent.
-    fn generator() -> Self;
-
-    /// Determines if this point represents the point at infinity; the
-    /// additive identity.
-    fn is_identity(&self) -> Choice;
+pub trait PrimeCurveAffine: CurveAffine {}
 
-    /// Converts this element to its curve representation.
-    fn to_curve(&self) -> Self::Curve;
-}
+impl<C: CurveAffine> PrimeCurveAffine for C where C::Curve: PrimeCurve {}

src/tests/mod.rs

@@ -4,11 +4,7 @@ use ff::{Field, PrimeField};
 use rand::SeedableRng;
 use rand_xorshift::XorShiftRng;
 
-use crate::{
-    prime::{PrimeCurve, PrimeCurveAffine},
-    wnaf::WnafGroup,
-    GroupEncoding, UncompressedEncoding,
-};
+use crate::{prime::PrimeCurve, wnaf::WnafGroup, CurveAffine, GroupEncoding, UncompressedEncoding};
 
 pub fn curve_tests<G: PrimeCurve>() {
     let mut rng = XorShiftRng::from_seed([
@@ -309,7 +305,7 @@ fn random_addition_tests<G: PrimeCurve>() {
             assert_eq!(aplusa, aplusamixed);
         }
 
-        let mut tmp = vec![G::identity(); 6];
+        let mut tmp = [G::identity(); 6];
 
         // (a + b) + c
         tmp[0] = a;
@@ -426,7 +422,7 @@ fn random_compressed_encoding_tests<G: PrimeCurve>() {
 
 pub fn random_uncompressed_encoding_tests<G: PrimeCurve>()
 where
-    <G as PrimeCurve>::Affine: UncompressedEncoding,
+    G::Affine: UncompressedEncoding,
 {
     let mut rng = XorShiftRng::from_seed([
         0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, 0xbc,