dalek-cryptography / curve25519-dalek

A pure-Rust implementation of group operations on Ristretto and Curve25519

How to check a VerifyingKey point is within the prime order subgroup #623

Closed randombit closed 4 months ago

randombit commented 5 months ago

Given a VerifyingKey that I've created from bytes sent to me by another party, how can I check that the point is within the prime order subgroup?

IIUC, I can check if it is contained entirely within the torsion subgroup using is_weak(), but to check that it is within the subgroup mod ℓ the best I can find is

pk.to_montgomery().to_edwards(0).unwrap().is_torsion_free()

which seems quite contorted, not to mention pointlessly expensive.

Am I missing something that would make this easier/cheaper?

tarcieri commented 5 months ago

I guess one of the immediate concerns here is there is no From<VerifyingKey> for EdwardsPoint impl, or a to_edwards method, to get the EdwardsPoint out of a VerifyingKey, which seems like an oversight.

I believe this would be checked if we implemented NIST's "D.1.3.2. Full Public Key Validation": see https://github.com/dalek-cryptography/curve25519-dalek/issues/380#issuecomment-1487681764. Namely step 3:

  3. Verify that nQ = (0,1). Output REJECT if verification fails.

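
As an added illustration (not code from curve25519-dalek, ed25519-dalek or either commenter), here is the check the thread is after, written out in plain Python with textbook affine arithmetic: decode a compressed Ed25519 public key per RFC 8032, reject small-order points (the is_weak() condition), and apply NIST's step 3, ℓ·Q = (0,1). The sample points are constructed here and the decoder assumes a 32-byte input.

```python
# Ed25519 key validation in affine arithmetic (not constant time; for validity checks only).
P = 2**255 - 19                                       # field prime
L = 2**252 + 27742317777372353535851937790883648493  # prime subgroup order l
D = (-121665 * pow(121666, P - 2, P)) % P             # twisted Edwards d, a = -1
SQRT_M1 = pow(2, (P - 1) // 4, P)                     # sqrt(-1) mod p
IDENTITY = (0, 1)                                     # neutral element (0,1)

def add(p1, p2):
    # Complete affine addition law for a = -1; also handles doubling and the identity.
    (x1, y1), (x2, y2) = p1, p2
    t = D * x1 * x2 * y1 * y2 % P
    x3 = (x1 * y2 + x2 * y1) * pow((1 + t) % P, P - 2, P) % P
    y3 = (y1 * y2 + x1 * x2) * pow((1 - t) % P, P - 2, P) % P
    return (x3, y3)

def mul(n, pt):
    acc = IDENTITY
    for bit in bin(n)[2:]:                            # left-to-right double-and-add
        acc = add(acc, acc)
        if bit == "1":
            acc = add(acc, pt)
    return acc

def decompress(b):
    # RFC 8032 section 5.1.3 decoding of a 32-byte key; None if non-canonical or off-curve.
    y = int.from_bytes(b, "little") & ((1 << 255) - 1)
    sign = b[31] >> 7
    if y >= P:
        return None
    u, v = (y * y - 1) % P, (D * y * y + 1) % P
    x = pow(u * v**7, (P - 5) // 8, P) * u * v**3 % P
    if (v * x * x - u) % P != 0:                      # try the other candidate root
        if (v * x * x + u) % P != 0:
            return None
        x = x * SQRT_M1 % P
    if x == 0 and sign == 1:
        return None
    return ((P - x) if (x & 1) != sign else x, y)

def is_small_order(pt):                               # the is_weak() condition: 8Q = (0,1)
    return mul(8, pt) == IDENTITY
def is_torsion_free(pt):                              # NIST step 3: l*Q = (0,1)
    return mul(L, pt) == IDENTITY
def validate_verifying_key(b):
    pt = decompress(b)
    return pt is not None and not is_small_order(pt) and is_torsion_free(pt)

# Constructed samples: base point B (order l), B + (0,-1) (order 2l), (sqrt(-1), 0) (order 4).
BASE = decompress(bytes.fromhex("58" + "66" * 31))
MIXED = add(BASE, (0, P - 1))
ORDER4 = (SQRT_M1, 0)
```

MIXED passes the is_weak()-style check yet fails the subgroup check, which is exactly why the two tests are not interchangeable.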
randombit commented 4 months ago

Opened a patch proposal in #624

randombit commented 4 months ago

Thank you for the fast review!