Use rejection sampling for random point generation

daxpedda · tarcieri · daxpedda · commit 7ed415c5ab6d · 2025-08-02T20:01:19.000+02:00
Co-Authored-By: Tony Arcieri &lt;bascule@gmail.com&gt;
diff --git a/ed448-goldilocks/src/decaf/points.rs b/ed448-goldilocks/src/decaf/points.rs
@@ -174,9 +174,14 @@ impl Group for DecafPoint {
     where
         R: TryRngCore + ?Sized,
     {
-        let mut uniform_bytes = [0u8; 112];
-        rng.try_fill_bytes(&mut uniform_bytes)?;
-        Ok(Self::from_uniform_bytes(&uniform_bytes))
+        let mut bytes = DecafPointRepr::default();
+
+        loop {
+            rng.try_fill_bytes(bytes.as_mut())?;
+            if let Some(point) = Self::from_bytes(&bytes).into() {
+                return Ok(point);
+            }
+        }
     }
 
     fn identity() -> Self {
diff --git a/ed448-goldilocks/src/edwards/extended.rs b/ed448-goldilocks/src/edwards/extended.rs
@@ -341,9 +341,14 @@ impl Group for EdwardsPoint {
     where
         R: TryRngCore + ?Sized,
     {
-        let mut bytes = [0u8; 32];
-        rng.try_fill_bytes(&mut bytes)?;
-        Ok(Self::hash_with_defaults(&bytes))
+        let mut bytes = Array::default();
+
+        loop {
+            rng.try_fill_bytes(bytes.as_mut())?;
+            if let Some(point) = Self::from_bytes(&bytes).into() {
+                return Ok(point);
+            }
+        }
     }
 
     fn identity() -> Self {
diff --git a/k256/src/arithmetic/projective.rs b/k256/src/arithmetic/projective.rs
@@ -3,7 +3,7 @@
 #![allow(clippy::op_ref)]
 
 use super::{AffinePoint, CURVE_EQUATION_B_SINGLE, FieldElement, Scalar};
-use crate::{CompressedPoint, EncodedPoint, PublicKey, Secp256k1};
+use crate::{CompressedPoint, EncodedPoint, FieldBytes, PublicKey, Secp256k1};
 use core::{
     iter::Sum,
     ops::{Add, AddAssign, Neg, Sub, SubAssign},
@@ -12,9 +12,9 @@ use elliptic_curve::{
     BatchNormalize, CurveGroup, Error, Result,
     group::{
         Group, GroupEncoding,
-        ff::Field,
         prime::{PrimeCurve, PrimeCurveAffine, PrimeGroup},
     },
+    point::DecompressPoint,
     rand_core::TryRngCore,
     sec1::{FromEncodedPoint, ToEncodedPoint},
     subtle::{Choice, ConditionallySelectable, ConstantTimeEq, CtOption},
@@ -411,7 +411,18 @@ impl Group for ProjectivePoint {
     type Scalar = Scalar;
 
     fn try_from_rng<R: TryRngCore + ?Sized>(rng: &mut R) -> core::result::Result<Self, R::Error> {
-        Ok(Self::GENERATOR * Scalar::try_from_rng(rng)?)
+        let mut bytes = FieldBytes::default();
+        let mut sign = 0;
+
+        loop {
+            rng.try_fill_bytes(&mut bytes)?;
+            rng.try_fill_bytes(core::array::from_mut(&mut sign))?;
+            if let Some(point) =
+                AffinePoint::decompress(&bytes, Choice::from(sign & 1)).into_option()
+            {
+                return Ok(point.into());
+            }
+        }
     }
 
     fn identity() -> Self {
diff --git a/primeorder/src/projective.rs b/primeorder/src/projective.rs
@@ -18,7 +18,7 @@ use elliptic_curve::{
         prime::{PrimeCurve, PrimeGroup},
     },
     ops::{BatchInvert, LinearCombination},
-    point::{Double, NonIdentity},
+    point::{DecompressPoint, Double, NonIdentity},
     rand_core::TryRngCore,
     sec1::{
         CompressedPoint, EncodedPoint, FromEncodedPoint, ModulusSize, ToEncodedPoint,
@@ -258,13 +258,24 @@ where
 
 impl<C> Group for ProjectivePoint<C>
 where
-    Self: Double,
     C: PrimeCurveParams,
+    FieldBytes<C>: Copy,
 {
     type Scalar = Scalar<C>;
 
     fn try_from_rng<R: TryRngCore + ?Sized>(rng: &mut R) -> core::result::Result<Self, R::Error> {
-        Ok(Self::GENERATOR * <Scalar<C> as Field>::try_from_rng(rng)?)
+        let mut bytes = FieldBytes::<C>::default();
+        let mut sign = 0;
+
+        loop {
+            rng.try_fill_bytes(&mut bytes)?;
+            rng.try_fill_bytes(core::array::from_mut(&mut sign))?;
+            if let Some(point) =
+                AffinePoint::decompress(&bytes, Choice::from(sign & 1)).into_option()
+            {
+                return Ok(point.into());
+            }
+        }
     }
 
     fn identity() -> Self {
@@ -311,8 +322,8 @@ where
 
 impl<C> CurveGroup for ProjectivePoint<C>
 where
-    Self: Double,
     C: PrimeCurveParams,
+    FieldBytes<C>: Copy,
 {
     type AffineRepr = AffinePoint<C>;
 
@@ -331,8 +342,8 @@ where
 
 impl<const N: usize, C> BatchNormalize<[ProjectivePoint<C>; N]> for ProjectivePoint<C>
 where
-    Self: Double,
     C: PrimeCurveParams,
+    FieldBytes<C>: Copy,
 {
     type Output = [<Self as CurveGroup>::AffineRepr; N];
 
@@ -348,8 +359,8 @@ where
 #[cfg(feature = "alloc")]
 impl<C> BatchNormalize<[ProjectivePoint<C>]> for ProjectivePoint<C>
 where
-    Self: Double,
     C: PrimeCurveParams,
+    FieldBytes<C>: Copy,
 {
     type Output = Vec<<Self as CurveGroup>::AffineRepr>;
 
@@ -400,16 +411,16 @@ where
 
 impl<C> LinearCombination<[(Self, Scalar<C>)]> for ProjectivePoint<C>
 where
-    Self: Double,
     C: PrimeCurveParams,
+    FieldBytes<C>: Copy,
 {
     // TODO(tarcieri): optimized implementation
 }
 
 impl<C, const N: usize> LinearCombination<[(Self, Scalar<C>); N]> for ProjectivePoint<C>
 where
-    Self: Double,
     C: PrimeCurveParams,
+    FieldBytes<C>: Copy,
 {
     // TODO(tarcieri): optimized implementation
 }
