cloudflare / circl

CIRCL: Cloudflare Interoperable Reusable Cryptographic Library
http://blog.cloudflare.com/introducing-circl
Other
1.31k stars 144 forks source link

Odd behaviour Ristretto255 Element Marshalling/Unmarshalling #509

Closed pmcampones closed 2 months ago

pmcampones commented 2 months ago

Hello all,

I think there is some odd behavior in the marshalling and unmarshalling of Elements (points) in the Ristreto curve found in group.ristreto255. The structs in question implement the encoding.BinaryMarshaler and encoding.BinaryUnmarshaler interfaces. If I marshal a point A and then unmarshal it as point B, the parameters of the point will differ and a deep equality test between them will fail. However, if I then marshal B and compare it with the byte representation of A, they will be equals. This happens whether the point created is a random point, the identity, or an HashToElement.

I noticed that the test TestRistrettoElGamal in group.ristretto255_test purposefully compares points by their encoding rather than the points themselves, so I don't know if this discrepancy is accounted for. If it is, all the better, otherwise I think there is some bug in the marshalling/unmarshalling process.

armfazh commented 2 months ago

This is not a failure, one must compare group elements and not curve points. That's why one has to rely on comparing the byte representation (which is unique).

Internally, there are eight curve points (and four for decaf) that can represent the same group element.

pmcampones commented 2 months ago

Thanks for the quick response. Better safe than sorry.