ecdsa: use Reduce::reduce_bytes

Uses the newly (re)introduced method for reducing an input with serialized bytes to perform modular reductions on `FieldBytes`. See: RustCrypto/traits#1229
RustCrypto · Jan 31, 2023 · fb33f6d · fb33f6d
1 parent 8d61fce
commit fb33f6d
Show file tree

Hide file tree

Showing 6 changed files with 54 additions and 65 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -9,3 +9,6 @@ members = [
 
 [profile.dev]
 opt-level = 2
+
+[patch.crates-io.elliptic-curve]
+git = "https://github.com/RustCrypto/traits.git"
diff --git a/ecdsa/src/hazmat.rs b/ecdsa/src/hazmat.rs
@@ -53,7 +53,7 @@ pub trait SignPrimitive<C>:
     + Into<FieldBytes<C>>
     + IsHigh
     + PrimeField<Repr = FieldBytes<C>>
-    + Reduce<C::Uint>
+    + Reduce<C::Uint, Bytes = FieldBytes<C>>
     + Sized
 where
     C: PrimeCurve + CurveArithmetic + CurveArithmetic<Scalar = Self>,
@@ -84,7 +84,7 @@ where
             return Err(Error::new());
         }
 
-        let z = <Self as Reduce<C::Uint>>::reduce(C::decode_field_bytes(z));
+        let z = <Self as Reduce<C::Uint>>::reduce_bytes(z);
 
         // Compute scalar inversion of 𝑘
         let k_inv = Option::<Scalar<C>>::from(k.invert()).ok_or_else(Error::new)?;
@@ -94,7 +94,7 @@ where
 
         // Lift x-coordinate of 𝑹 (element of base field) into a serialized big
         // integer, then reduce it into an element of the scalar field
-        let r = Self::reduce(C::decode_field_bytes(&R.x()));
+        let r = Self::reduce_bytes(&R.x());
 
         // Compute 𝒔 as a signature over 𝒓 and 𝒛.
         let s = k_inv * (z + (r * self));
@@ -132,14 +132,15 @@ where
         Self: From<ScalarPrimitive<C>>,
         D: Digest + BlockSizeUser + FixedOutput<OutputSize = FieldBytesSize<C>> + FixedOutputReset,
     {
-        let k = rfc6979::generate_k::<D, FieldBytesSize<C>>(
+        let k = Scalar::<C>::from_repr(rfc6979::generate_k::<D, _>(
             &self.to_repr(),
             &C::encode_field_bytes(&C::ORDER),
             z,
             ad,
-        );
-        let k = ScalarPrimitive::<C>::new(C::decode_field_bytes(&k)).unwrap();
-        self.try_sign_prehashed::<Self>(k.into(), z)
+        ))
+        .unwrap();
+
+        self.try_sign_prehashed::<Self>(k, z)
     }
 }
 
@@ -152,7 +153,6 @@ where
 pub trait VerifyPrimitive<C>: AffineXCoordinate<FieldRepr = FieldBytes<C>> + Copy + Sized
 where
     C: PrimeCurve + CurveArithmetic<AffinePoint = Self> + CurveArithmetic,
-    Scalar<C>: Reduce<C::Uint>,
     SignatureSize<C>: ArrayLength<u8>,
 {
     /// Verify the prehashed message against the provided signature
@@ -163,7 +163,7 @@ where
     ///        CRYPTOGRAPHICALLY SECURE DIGEST ALGORITHM!!!
     /// - `sig`: signature to be verified against the key and message
     fn verify_prehashed(&self, z: &FieldBytes<C>, sig: &Signature<C>) -> Result<()> {
-        let z = Scalar::<C>::reduce(C::decode_field_bytes(z));
+        let z = Scalar::<C>::reduce_bytes(z);
         let (r, s) = sig.split_scalars();
         let s_inv = *s.invert();
         let u1 = z * s_inv;
@@ -177,7 +177,7 @@ where
         .to_affine()
         .x();
 
-        if *r == Scalar::<C>::reduce(C::decode_field_bytes(&x)) {
+        if *r == Scalar::<C>::reduce_bytes(&x) {
             Ok(())
         } else {
             Err(Error::new())

diff --git a/ecdsa/src/recovery.rs b/ecdsa/src/recovery.rs
@@ -103,7 +103,6 @@ impl RecoveryId {
         AffinePoint<C>:
             DecompressPoint<C> + FromEncodedPoint<C> + ToEncodedPoint<C> + VerifyPrimitive<C>,
         FieldBytesSize<C>: sec1::ModulusSize,
-        Scalar<C>: Reduce<C::Uint>,
         SignatureSize<C>: ArrayLength<u8>,
     {
         Self::trial_recovery_from_digest(verifying_key, C::Digest::new_with_prefix(msg), signature)
@@ -123,7 +122,6 @@ impl RecoveryId {
         AffinePoint<C>:
             DecompressPoint<C> + FromEncodedPoint<C> + ToEncodedPoint<C> + VerifyPrimitive<C>,
         FieldBytesSize<C>: sec1::ModulusSize,
-        Scalar<C>: Reduce<C::Uint>,
         SignatureSize<C>: ArrayLength<u8>,
     {
         Self::trial_recovery_from_prehash(verifying_key, &digest.finalize(), signature)
@@ -142,7 +140,6 @@ impl RecoveryId {
         AffinePoint<C>:
             DecompressPoint<C> + FromEncodedPoint<C> + ToEncodedPoint<C> + VerifyPrimitive<C>,
         FieldBytesSize<C>: sec1::ModulusSize,
-        Scalar<C>: Reduce<C::Uint>,
         SignatureSize<C>: ArrayLength<u8>,
     {
         for id in 0..=Self::MAX {
@@ -177,7 +174,7 @@ impl From<RecoveryId> for u8 {
 impl<C> SigningKey<C>
 where
     C: PrimeCurve + CurveArithmetic + DigestPrimitive,
-    Scalar<C>: Invert<Output = CtOption<Scalar<C>>> + Reduce<C::Uint> + SignPrimitive<C>,
+    Scalar<C>: Invert<Output = CtOption<Scalar<C>>> + SignPrimitive<C>,
     SignatureSize<C>: ArrayLength<u8>,
 {
     /// Sign the given message prehash, returning a signature and recovery ID.
@@ -210,7 +207,7 @@ impl<C, D> DigestSigner<D, (Signature<C>, RecoveryId)> for SigningKey<C>
 where
     C: PrimeCurve + CurveArithmetic + DigestPrimitive,
     D: Digest,
-    Scalar<C>: Invert<Output = CtOption<Scalar<C>>> + Reduce<C::Uint> + SignPrimitive<C>,
+    Scalar<C>: Invert<Output = CtOption<Scalar<C>>> + SignPrimitive<C>,
     SignatureSize<C>: ArrayLength<u8>,
 {
     fn try_sign_digest(&self, msg_digest: D) -> Result<(Signature<C>, RecoveryId)> {
@@ -222,7 +219,7 @@ where
 impl<C> PrehashSigner<(Signature<C>, RecoveryId)> for SigningKey<C>
 where
     C: PrimeCurve + CurveArithmetic + DigestPrimitive,
-    Scalar<C>: Invert<Output = CtOption<Scalar<C>>> + Reduce<C::Uint> + SignPrimitive<C>,
+    Scalar<C>: Invert<Output = CtOption<Scalar<C>>> + SignPrimitive<C>,
     SignatureSize<C>: ArrayLength<u8>,
 {
     fn sign_prehash(&self, prehash: &[u8]) -> Result<(Signature<C>, RecoveryId)> {
@@ -234,7 +231,7 @@ where
 impl<C> Signer<(Signature<C>, RecoveryId)> for SigningKey<C>
 where
     C: PrimeCurve + CurveArithmetic + DigestPrimitive,
-    Scalar<C>: Invert<Output = CtOption<Scalar<C>>> + Reduce<C::Uint> + SignPrimitive<C>,
+    Scalar<C>: Invert<Output = CtOption<Scalar<C>>> + SignPrimitive<C>,
     SignatureSize<C>: ArrayLength<u8>,
 {
     fn try_sign(&self, msg: &[u8]) -> Result<(Signature<C>, RecoveryId)> {
@@ -249,7 +246,6 @@ where
     AffinePoint<C>:
         DecompressPoint<C> + FromEncodedPoint<C> + ToEncodedPoint<C> + VerifyPrimitive<C>,
     FieldBytesSize<C>: sec1::ModulusSize,
-    Scalar<C>: Reduce<C::Uint>,
     SignatureSize<C>: ArrayLength<u8>,
 {
     /// Recover a [`VerifyingKey`] from the given message, signature, and
@@ -290,9 +286,7 @@ where
         recovery_id: RecoveryId,
     ) -> Result<Self> {
         let (r, s) = signature.split_scalars();
-        let z = <Scalar<C> as Reduce<C::Uint>>::reduce(C::decode_field_bytes(&bits2field::<C>(
-            prehash,
-        )?));
+        let z = <Scalar<C> as Reduce<C::Uint>>::reduce_bytes(&bits2field::<C>(prehash)?);
         let R = AffinePoint::<C>::decompress(&r.to_repr(), u8::from(recovery_id.is_y_odd()).into());
 
         if R.is_none().into() {