feat: Add is_small_order_point, is_prime_subgroup_point
In a nutshell, this offers an opt-in way of performing some public key checks relating to small order components, without having to pay an additional point decompression.

In detail: Since dalek-cryptography@8dbaf9a, the `PublicKey` type is the performant way to carry public key material, with an eager check that the point is on curve. However, some applications which may like eager point decompression also need to check whether the point is small order, or even torsion-free:

- aligning a discrepancy in verification between batch verification and iterated verification (see dalek-cryptography#115),
- avoiding small subgroup confinement attacks in a DH,
- ...

`verify_strict` was introduced to offer an opt-in approach to some of this sort of scrutiny at the time the key is used, but cannot be performed eagerly, e.g. at the time of deserializing a public key. Rejecting small order (or worse, non-torsion-free) keys on deserialization would have a performance impact. However, it's still desirable to have the option to do so long before the key is ever used for any actual cryptographic purpose (e.g. signature verification).

In order to perform this sort of check, some code bases have taken to [re-implementing the check from the bytes representation of the key, which involves an additional decompression](https://github.com/diem/diem/blob/a290b0859a6152a5ffd6f85773a875f17334adac/crates/diem-crypto/src/ed25519.rs#L358-L386). The added functions of this PR allow the checks to be performed without additional decompression.
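The check the commit message describes, decompress the key once and then test the resulting point for small order and for membership of the prime-order subgroup, as an added worked example in pure Python. This is not ed25519-dalek's code: it uses plain affine arithmetic (a teaching model, not constant-time), the RFC 8032 point encoding, and sample keys constructed here (the base point, the order-2 point, and a "mixed" point that is neither small order nor torsion-free, the case `verify_strict` and a prime-subgroup check care about but a small-order check alone would miss). The function and constant names are this example's own.

```python
# Added example (not ed25519-dalek's code): decompress an Ed25519 public key
# once, then run the small-order and prime-subgroup (torsion-free) checks on
# the decompressed point, so neither check needs a second decompression.
# Pure-Python affine arithmetic: a teaching model, not a constant-time library.

P = 2**255 - 19                                       # field prime
D = (-121665 * pow(121666, -1, P)) % P                # curve constant d
L = 2**252 + 27742317777372353535851937790883648493   # prime subgroup order l
IDENTITY = (0, 1)                                     # neutral element
SQRT_M1 = pow(2, (P - 1) // 4, P)                     # sqrt(-1) mod p


def point_add(p1, p2):
    """Affine twisted-Edwards addition with a = -1 (RFC 8032, section 5.1.4)."""
    x1, y1 = p1
    x2, y2 = p2
    t = (D * x1 * x2 * y1 * y2) % P
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, -1, P)
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, -1, P)
    return (x3 % P, y3 % P)


def scalar_mul(k, pt):
    """Double-and-add scalar multiplication [k]pt."""
    acc = IDENTITY
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc


def decompress(key: bytes):
    """RFC 8032 section 5.1.3 decoding: (x, y) or None if the key is not on the curve."""
    if len(key) != 32:
        return None
    y = int.from_bytes(key, "little") & ((1 << 255) - 1)
    sign = key[31] >> 7
    if y >= P:
        return None
    x2 = (y * y - 1) * pow(D * y * y + 1, -1, P) % P
    x = pow(x2, (P + 3) // 8, P)          # candidate root, p = 5 mod 8
    if (x * x - x2) % P != 0:
        x = (x * SQRT_M1) % P             # second candidate
    if (x * x - x2) % P != 0:
        return None                       # x^2 has no root: not a curve point
    if x == 0 and sign == 1:
        return None
    if (x & 1) != sign:
        x = P - x
    return (x, y)


def compress(pt):
    """Inverse of decompress: y little-endian with the parity of x in the top bit."""
    x, y = pt
    return (y | ((x & 1) << 255)).to_bytes(32, "little")


def is_small_order(pt):
    """True if the point lies in the 8-element torsion subgroup: [8]P == O."""
    return scalar_mul(8, pt) == IDENTITY


def is_torsion_free(pt):
    """True if the point lies in the prime-order subgroup: [l]P == O."""
    return scalar_mul(L, pt) == IDENTITY


def classify(key: bytes):
    """One decompression, then both checks on the resulting point."""
    pt = decompress(key)
    if pt is None:
        return "not on curve"
    if is_small_order(pt):
        return "small order"
    if not is_torsion_free(pt):
        return "mixed (has torsion component)"
    return "prime subgroup"


# Constructed sample keys.
BASE_KEY = bytes([0x58]) + bytes([0x66]) * 31          # standard base point encoding
ORDER2_KEY = compress((0, P - 1))                      # the order-2 point (0, -1)
MIXED_POINT = point_add(decompress(BASE_KEY), (0, P - 1))  # B + T: not small order, not torsion-free
MIXED_KEY = compress(MIXED_POINT)
NOT_ON_CURVE_KEY = bytes([1]) + bytes(30) + bytes([0x80])  # y = 1 with sign bit set: x = 0 but "negative"

if __name__ == "__main__":
    for name, key in [("base", BASE_KEY), ("order2", ORDER2_KEY),
                      ("all-zero", bytes(32)), ("mixed", MIXED_KEY),
                      ("bad", NOT_ON_CURVE_KEY)]:
        print(f"{name:9s} {key.hex()}  ->  {classify(key)}")
```

`classify` mirrors the commit's intent: the expensive step (decompression) happens once, and both `is_small_order` and `is_torsion_free` run on the already-decoded point. The all-zero key decodes to an order-4 point and the `ec ff .. ff 7f` key to the order-2 point, so both are rejected as small order; the "mixed" key passes the small-order check yet fails the prime-subgroup one, which is why a deserializer that only rejects small-order keys is weaker than one that requires torsion-freeness.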