Decouple element from Group

Author: daxpedda

src/group/mod.rs

@@ -21,29 +21,47 @@ use digest::{Digest, FixedOutputReset};
 use generic_array::typenum::U1;
 use generic_array::{ArrayLength, GenericArray};
 use rand_core::{CryptoRng, RngCore};
+#[cfg(feature = "ristretto255")]
+pub use ristretto::Ristretto255;
 use subtle::ConstantTimeEq;
 use zeroize::Zeroize;
 
 use crate::{Error, Result};
 
 /// A prime-order subgroup of a base field (EC, prime-order field ...). This
 /// subgroup is noted additively — as in the draft RFC — in this trait.
-pub trait Group:
-    Copy
-    + Sized
-    + ConstantTimeEq
-    + for<'a> Mul<&'a <Self as Group>::Scalar, Output = Self>
-    + for<'a> Add<&'a Self, Output = Self>
-{
+pub trait Group {
     /// The ciphersuite identifier as dictated by
     /// <https://www.ietf.org/archive/id/draft-irtf-cfrg-voprf-05.txt>
     const SUITE_ID: usize;
 
+    /// The type of group elements
+    type Elem: Copy
+        + Sized
+        + ConstantTimeEq
+        + Zeroize
+        + for<'a> Mul<&'a Self::Scalar, Output = Self::Elem>
+        + for<'a> Add<&'a Self::Elem, Output = Self::Elem>;
+
+    /// The byte length necessary to represent group elements
+    type ElemLen: ArrayLength<u8> + 'static;
+
+    /// The type of base field scalars
+    type Scalar: Zeroize
+        + Copy
+        + ConstantTimeEq
+        + for<'a> Add<&'a Self::Scalar, Output = Self::Scalar>
+        + for<'a> Sub<&'a Self::Scalar, Output = Self::Scalar>
+        + for<'a> Mul<&'a Self::Scalar, Output = Self::Scalar>;
+
+    /// The byte length necessary to represent scalars
+    type ScalarLen: ArrayLength<u8> + 'static;
+
     /// transforms a password and domain separation tag (DST) into a curve point
     fn hash_to_curve<H: BlockSizeUser + Digest + FixedOutputReset, D: ArrayLength<u8> + Add<U1>>(
         msg: &[u8],
         dst: GenericArray<u8, D>,
-    ) -> Result<Self>
+    ) -> Result<Self::Elem>
     where
         <D as Add<U1>>::Output: ArrayLength<u8>;
 
@@ -60,16 +78,6 @@ pub trait Group:
     where
         <D as Add<U1>>::Output: ArrayLength<u8>;
 
-    /// The type of base field scalars
-    type Scalar: Zeroize
-        + Copy
-        + ConstantTimeEq
-        + for<'a> Add<&'a Self::Scalar, Output = Self::Scalar>
-        + for<'a> Sub<&'a Self::Scalar, Output = Self::Scalar>
-        + for<'a> Mul<&'a Self::Scalar, Output = Self::Scalar>;
-    /// The byte length necessary to represent scalars
-    type ScalarLen: ArrayLength<u8> + 'static;
-
     /// Return a scalar from its fixed-length bytes representation, without
     /// checking if the scalar is zero.
     fn from_scalar_slice_unchecked(
@@ -90,28 +98,28 @@ pub trait Group:
 
     /// picks a scalar at random
     fn random_nonzero_scalar<R: RngCore + CryptoRng>(rng: &mut R) -> Self::Scalar;
+
     /// Serializes a scalar to bytes
     fn scalar_as_bytes(scalar: Self::Scalar) -> GenericArray<u8, Self::ScalarLen>;
+
     /// The multiplicative inverse of this scalar
     fn scalar_invert(scalar: &Self::Scalar) -> Self::Scalar;
 
-    /// The byte length necessary to represent group elements
-    type ElemLen: ArrayLength<u8> + 'static;
-
     /// Return an element from its fixed-length bytes representation. This is
     /// the unchecked version, which does not check for deserializing the
     /// identity element
-    fn from_element_slice_unchecked(element_bits: &GenericArray<u8, Self::ElemLen>)
-        -> Result<Self>;
+    fn from_element_slice_unchecked(
+        element_bits: &GenericArray<u8, Self::ElemLen>,
+    ) -> Result<Self::Elem>;
 
     /// Return an element from its fixed-length bytes representation. If the
     /// element is the identity element, return an error.
     fn from_element_slice<'a>(
         element_bits: impl Into<&'a GenericArray<u8, Self::ElemLen>>,
-    ) -> Result<Self> {
+    ) -> Result<Self::Elem> {
         let elem = Self::from_element_slice_unchecked(element_bits.into())?;
 
-        if Self::ct_eq(&elem, &<Self as Group>::identity()).into() {
+        if Self::Elem::ct_eq(&elem, &Self::identity()).into() {
             // found the identity element
             return Err(Error::PointError);
         }
@@ -120,26 +128,21 @@ pub trait Group:
     }
 
     /// Serializes the `self` group element
-    fn to_arr(&self) -> GenericArray<u8, Self::ElemLen>;
+    fn to_arr(elem: Self::Elem) -> GenericArray<u8, Self::ElemLen>;
 
     /// Get the base point for the group
-    fn base_point() -> Self;
+    fn base_point() -> Self::Elem;
 
     /// Returns if the group element is equal to the identity (1)
-    fn is_identity(&self) -> bool {
-        self.ct_eq(&<Self as Group>::identity()).into()
+    fn is_identity(elem: Self::Elem) -> bool {
+        elem.ct_eq(&Self::identity()).into()
     }
 
     /// Returns the identity group element
-    fn identity() -> Self;
+    fn identity() -> Self::Elem;
 
     /// Returns the scalar representing zero
     fn scalar_zero() -> Self::Scalar;
-
-    /// Set the contents of self to the identity value
-    fn zeroize(&mut self) {
-        *self = <Self as Group>::identity();
-    }
 }
 
 #[cfg(test)]

src/group/p256.rs

@@ -29,7 +29,7 @@ use p256_::elliptic_curve::group::GroupEncoding;
 use p256_::elliptic_curve::ops::Reduce;
 use p256_::elliptic_curve::sec1::{FromEncodedPoint, ToEncodedPoint};
 use p256_::elliptic_curve::Field;
-use p256_::{AffinePoint, EncodedPoint, ProjectivePoint};
+use p256_::{AffinePoint, EncodedPoint, NistP256, ProjectivePoint, Scalar};
 use rand_core::{CryptoRng, RngCore};
 use subtle::{Choice, ConditionallySelectable};
 
@@ -41,15 +41,23 @@ use crate::{Error, Result};
 pub type L = U48;
 
 #[cfg(feature = "p256")]
-impl Group for ProjectivePoint {
+impl Group for NistP256 {
     const SUITE_ID: usize = 0x0003;
 
+    type Elem = ProjectivePoint;
+
+    type ElemLen = U33;
+
+    type Scalar = Scalar;
+
+    type ScalarLen = U32;
+
     // Implements the `hash_to_curve()` function from
     // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-11#section-3
     fn hash_to_curve<H: BlockSizeUser + Digest + FixedOutputReset, D: ArrayLength<u8> + Add<U1>>(
         msg: &[u8],
         dst: GenericArray<u8, D>,
-    ) -> Result<Self>
+    ) -> Result<Self::Elem>
     where
         <D as Add<U1>>::Output: ArrayLength<u8>,
     {
@@ -133,55 +141,51 @@ impl Group for ProjectivePoint {
         let mut result = GenericArray::default();
         result[..bytes.len()].copy_from_slice(&bytes);
 
-        Ok(p256_::Scalar::from_be_bytes_reduced(result))
+        Ok(Scalar::from_be_bytes_reduced(result))
     }
 
-    type ElemLen = U33;
-    type Scalar = p256_::Scalar;
-    type ScalarLen = U32;
-
     fn from_scalar_slice_unchecked(
         scalar_bits: &GenericArray<u8, Self::ScalarLen>,
     ) -> Result<Self::Scalar> {
-        Ok(Self::Scalar::from_be_bytes_reduced(*scalar_bits))
+        Ok(Scalar::from_be_bytes_reduced(*scalar_bits))
     }
 
     fn random_nonzero_scalar<R: RngCore + CryptoRng>(rng: &mut R) -> Self::Scalar {
-        Self::Scalar::random(rng)
+        Scalar::random(rng)
     }
 
     fn scalar_as_bytes(scalar: Self::Scalar) -> GenericArray<u8, Self::ScalarLen> {
         scalar.into()
     }
 
     fn scalar_invert(scalar: &Self::Scalar) -> Self::Scalar {
-        scalar.invert().unwrap_or(Self::Scalar::zero())
+        scalar.invert().unwrap_or(Scalar::zero())
     }
 
     fn from_element_slice_unchecked(
         element_bits: &GenericArray<u8, Self::ElemLen>,
-    ) -> Result<Self> {
-        Option::from(Self::from_bytes(element_bits)).ok_or(Error::PointError)
+    ) -> Result<Self::Elem> {
+        Option::from(ProjectivePoint::from_bytes(element_bits)).ok_or(Error::PointError)
     }
 
-    fn to_arr(&self) -> GenericArray<u8, Self::ElemLen> {
-        let bytes = self.to_affine().to_encoded_point(true);
+    fn to_arr(elem: Self::Elem) -> GenericArray<u8, Self::ElemLen> {
+        let bytes = elem.to_affine().to_encoded_point(true);
         let bytes = bytes.as_bytes();
         let mut result = GenericArray::default();
         result[..bytes.len()].copy_from_slice(bytes);
         result
     }
 
-    fn base_point() -> Self {
-        Self::generator()
+    fn base_point() -> Self::Elem {
+        ProjectivePoint::generator()
     }
 
-    fn identity() -> Self {
-        Self::identity()
+    fn identity() -> Self::Elem {
+        ProjectivePoint::identity()
     }
 
     fn scalar_zero() -> Self::Scalar {
-        Self::Scalar::zero()
+        Scalar::zero()
     }
 }
 

src/group/ristretto.rs

@@ -21,18 +21,26 @@ use rand_core::{CryptoRng, RngCore};
 use super::Group;
 use crate::{Error, Result};
 
+/// [`Group`] implementation for Ristretto255.
+pub struct Ristretto255;
+
 // `cfg` here is only needed because of a bug in Rust's crate feature documentation. See: https://github.com/rust-lang/rust/issues/83428
 #[cfg(feature = "ristretto255")]
-/// The implementation of such a subgroup for Ristretto
-impl Group for RistrettoPoint {
+impl Group for Ristretto255 {
     const SUITE_ID: usize = 0x0001;
 
+    type Elem = RistrettoPoint;
+
+    type Scalar = Scalar;
+
+    type ScalarLen = U32;
+
     // Implements the `hash_to_ristretto255()` function from
     // https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-10.txt
     fn hash_to_curve<H: BlockSizeUser + Digest + FixedOutputReset, D: ArrayLength<u8> + Add<U1>>(
         msg: &[u8],
         dst: GenericArray<u8, D>,
-    ) -> Result<Self>
+    ) -> Result<Self::Elem>
     where
         <D as Add<U1>>::Output: ArrayLength<u8>,
     {
@@ -70,8 +78,6 @@ impl Group for RistrettoPoint {
         ))
     }
 
-    type Scalar = Scalar;
-    type ScalarLen = U32;
     fn from_scalar_slice_unchecked(
         scalar_bits: &GenericArray<u8, Self::ScalarLen>,
     ) -> Result<Self::Scalar> {
@@ -104,25 +110,26 @@ impl Group for RistrettoPoint {
     type ElemLen = U32;
     fn from_element_slice_unchecked(
         element_bits: &GenericArray<u8, Self::ElemLen>,
-    ) -> Result<Self> {
+    ) -> Result<Self::Elem> {
         CompressedRistretto::from_slice(element_bits)
             .decompress()
             .ok_or(Error::PointError)
     }
+
     // serialization of a group element
-    fn to_arr(&self) -> GenericArray<u8, Self::ElemLen> {
-        self.compress().to_bytes().into()
+    fn to_arr(elem: Self::Elem) -> GenericArray<u8, Self::ElemLen> {
+        elem.compress().to_bytes().into()
     }
 
-    fn base_point() -> Self {
+    fn base_point() -> Self::Elem {
         RISTRETTO_BASEPOINT_POINT
     }
 
-    fn identity() -> Self {
-        <Self as Identity>::identity()
+    fn identity() -> Self::Elem {
+        RistrettoPoint::identity()
     }
 
     fn scalar_zero() -> Self::Scalar {
-        Self::Scalar::zero()
+        Scalar::zero()
     }
 }

src/group/tests.rs

@@ -16,18 +16,18 @@ use crate::{Error, Group, Result};
 fn test_group_properties() -> Result<()> {
     #[cfg(feature = "ristretto255")]
     {
-        use curve25519_dalek::ristretto::RistrettoPoint;
+        use crate::Ristretto255;
 
-        test_identity_element_error::<RistrettoPoint>()?;
-        test_zero_scalar_error::<RistrettoPoint>()?;
+        test_identity_element_error::<Ristretto255>()?;
+        test_zero_scalar_error::<Ristretto255>()?;
     }
 
     #[cfg(feature = "p256")]
     {
-        use p256_::ProjectivePoint;
+        use p256_::NistP256;
 
-        test_identity_element_error::<ProjectivePoint>()?;
-        test_zero_scalar_error::<ProjectivePoint>()?;
+        test_identity_element_error::<NistP256>()?;
+        test_zero_scalar_error::<NistP256>()?;
     }
 
     Ok(())
@@ -36,7 +36,7 @@ fn test_group_properties() -> Result<()> {
 // Checks that the identity element cannot be deserialized
 fn test_identity_element_error<G: Group>() -> Result<()> {
     let identity = G::identity();
-    let result = G::from_element_slice(&identity.to_arr());
+    let result = G::from_element_slice(&G::to_arr(identity));
     assert!(matches!(result, Err(Error::PointError)));
 
     Ok(())