Add CompressedEdwardsY::validated_decompress()

daxpedda · daxpedda · commit 52877f1fe984 · 2025-09-26T00:45:16.000+02:00
diff --git a/curve25519-dalek/Cargo.toml b/curve25519-dalek/Cargo.toml
@@ -40,7 +40,9 @@ features = [
 sha2 = { version = "0.11.0-rc.2", default-features = false }
 bincode = "1"
 criterion = { version = "0.5", features = ["html_reports"] }
+crypto-bigint = { version = "*"}
 hex = "0.4.2"
+hex-literal = "0.4"
 proptest = "1"
 rand = "0.9"
 rand_core = { version = "0.9", default-features = false, features = ["os_rng"] }
diff --git a/curve25519-dalek/src/edwards.rs b/curve25519-dalek/src/edwards.rs
@@ -217,10 +217,57 @@ impl CompressedEdwardsY {
             None
         }
     }
+
+    /// Attempt to decompress to an `EdwardsPoint` according to NIST rules.
+    ///
+    /// Returns `None` if the input overflows the field modulus or is not the
+    /// \\(y\\)-coordinate of a curve point. With `PointValidation::Full` it
+    /// will also return `None` if the point is the identity point or is not
+    /// contained in the prime-order subgroup.
+    pub fn validated_decompress(&self, validation: PointValidation) -> Option<EdwardsPoint> {
+        if !bool::from(decompress::check_modulus(self)) {
+            return None;
+        }
+
+        let (is_valid_y_coord, X, Y, Z) = decompress::step_1(self);
+
+        if !bool::from(is_valid_y_coord) {
+            return None;
+        }
+
+        let point = decompress::step_2(self, X, Y, Z);
+
+        if let PointValidation::Full = validation {
+            (!point.is_identity() && point.is_torsion_free()).then_some(point)
+        } else {
+            Some(point)
+        }
+    }
+}
+
+/// NIST validation rules.
+#[derive(Clone, Copy, Debug, Eq, PartialEq)]
+pub enum PointValidation {
+    /// Checks for overflowing the field modulus.
+    Partial,
+    /// Checks for overflowing the field modulus, prime-order subgroup and
+    /// identity point.
+    Full,
 }
 
 mod decompress {
     use super::*;
+    use subtle::ConstantTimeLess;
+
+    pub(super) fn check_modulus(repr: &CompressedEdwardsY) -> Choice {
+        let high_without_sign = repr.as_bytes()[31] & 0x7f;
+
+        let high = high_without_sign.ct_lt(&0x8f);
+        let mid = repr.as_bytes()[1..31].ct_eq(&[0xff; 30]);
+        let low = repr.as_bytes()[0].ct_lt(&0xed);
+
+        high & (!mid | low)
+    }
 
     #[rustfmt::skip] // keep alignment of explanatory comments
     pub(super) fn step_1(
@@ -1484,8 +1531,12 @@ impl GroupEncoding for EdwardsPoint {
 
     fn from_bytes(bytes: &Self::Repr) -> CtOption<Self> {
         let repr = CompressedEdwardsY(*bytes);
+        let is_in_modulus = decompress::check_modulus(&repr);
         let (is_valid_y_coord, X, Y, Z) = decompress::step_1(&repr);
-        CtOption::new(decompress::step_2(&repr, X, Y, Z), is_valid_y_coord)
+        CtOption::new(
+            decompress::step_2(&repr, X, Y, Z),
+            is_in_modulus & is_valid_y_coord,
+        )
     }
 
     fn from_bytes_unchecked(bytes: &Self::Repr) -> CtOption<Self> {
@@ -1779,6 +1830,7 @@ impl CofactorGroup for EdwardsPoint {
 mod test {
     use super::*;
 
+    use hex_literal::hex;
     use rand_core::TryRngCore;
 
     #[cfg(feature = "alloc")]
@@ -1872,6 +1924,42 @@ mod test {
         assert_eq!(minus_basepoint.T, -(&constants::ED25519_BASEPOINT_POINT.T));
     }
 
+    /// Test validated decompression
+    #[test]
+    fn validated_decompression() {
+        const OVERFLOWING_POINT: CompressedEdwardsY = CompressedEdwardsY(hex!(
+            "edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f"
+        ));
+
+        let point = OVERFLOWING_POINT.decompress().unwrap();
+        assert_eq!(point.compress().0, [0; 32]);
+        assert!(
+            OVERFLOWING_POINT
+                .validated_decompress(PointValidation::Partial)
+                .is_none()
+        );
+
+        const TORSION_POINT: CompressedEdwardsY = CompressedEdwardsY(hex!(
+            "5d78934d0311e9791fb9577f568a47605f347b367db825c4e27c52eb0cbe944d"
+        ));
+
+        let point = TORSION_POINT
+            .validated_decompress(PointValidation::Partial)
+            .unwrap();
+        assert!(!point.is_torsion_free());
+        assert!(
+            OVERFLOWING_POINT
+                .validated_decompress(PointValidation::Full)
+                .is_none()
+        );
+
+        assert!(
+            CompressedEdwardsY::identity()
+                .validated_decompress(PointValidation::Full)
+                .is_none()
+        );
+    }
+
     /// Test that computing 1*basepoint gives the correct basepoint.
     #[cfg(feature = "precomputed-tables")]
     #[test]
