Merge branch 'release/0.8.1'

plotskogwq · May 19, 2017 · aeebd3b · aeebd3b
2 parents 06c51a5 + 5ad89e3
commit aeebd3b
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 5 deletions.
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "curve25519-dalek"
-version = "0.8.0"
+version = "0.8.1"
 authors = ["Isis Lovecruft <[email protected]>",
            "Henry de Valence <[email protected]>"]
 readme = "README.md"

diff --git a/src/decaf.rs b/src/decaf.rs
@@ -267,18 +267,23 @@ impl DecafPoint {
     fn elligator_decaf_flavour(r_0: &FieldElement) -> DecafPoint {
         // Follows Appendix C of the Decaf paper.
         // Use n = 2 as the quadratic nonresidue so that n*x = x + x.
+        let minus_one = -&FieldElement::one();
 
         // 1. Compute r <--- nr_0^2.
         let r_0_squared = r_0.square();
         let r = &r_0_squared + &r_0_squared;
 
         // 2. Compute D <--- (dr + (a-d)) * (dr - (d + ar)) 
         let dr = &constants::d * &r;
-        // D = (dr + (a-d)) * (dr - (d + ar)) = (dr + (a-d))*(dr - (d-r)) since a=-1
-        let D = &(&dr + &constants::a_minus_d) * &(&dr - &(&constants::d - &r));
+        // D = (dr + (a-d)) * (dr - (d + ar))
+        //   = (dr + (a-d)) * (dr - (d-r)) since a=-1
+        // writing as
+        //   = (dr + (a-d)) * dr - (dr + (a-d)) * (d - r)
+        // avoids two consecutive additions (could cause overflow)
+        let dr_plus_amd = &dr + &constants::a_minus_d;
+        let D = &(&dr_plus_amd * &dr) - &(&dr_plus_amd * &(&constants::d - &r));
 
         // 3. Compute N <--- (r+1) * (a-2d)
-        let minus_one = -&FieldElement::one();
         let N = &(&r + &FieldElement::one()) * &(&minus_one - &constants::d2);
 
         // 4. Compute
@@ -666,7 +671,7 @@ mod test {
     #[test]
     fn decaf_random_is_valid() {
         let mut rng = OsRng::new().unwrap();
-        for _ in 0..100 {
+        for _ in 0..10_000 {
             let P = DecafPoint::random(&mut rng);
             // Check that P is on the curve
             assert!(P.0.is_valid());