Bump elliptic-curve to v0.11.0-pre

Sourced from git.

This includes transitive updates to ff and group v0.11. A major notable
change of these updates is switching several APIs to use
`subtle::Choice` and `subtle::CtOption` instead of `bool`/`Option`.

Fortunately, the crates in this repo are already written with
constant-time implementations internally, so this was an easy change.

Author: tarcieri

Cargo.lock

@@ -7,3 +7,7 @@ members = [
     "p256",
     "p384",
 ]
+
+[patch.crates-io]
+ecdsa = { git = "https://github.com/RustCrypto/signatures.git" }
+elliptic-curve = { git = "https://github.com/RustCrypto/traits.git" }

Cargo.toml

@@ -12,7 +12,7 @@ categories = ["cryptography", "no-std"]
 keywords = ["brainpool", "crypto", "ecc"]
 
 [dependencies]
-elliptic-curve = { version = "0.10", default-features = false, features = ["hazmat"] }
+elliptic-curve = { version = "=0.11.0-pre", default-features = false, features = ["hazmat"] }
 
 # optional dependencies
 ecdsa = { version = "0.12", optional = true, default-features = false, features = ["der"] }

bp256/Cargo.toml

@@ -12,7 +12,7 @@ categories = ["cryptography", "no-std"]
 keywords = ["brainpool", "crypto", "ecc"]
 
 [dependencies]
-elliptic-curve = { version = "0.10", default-features = false, features = ["hazmat"] }
+elliptic-curve = { version = "=0.11.0-pre", default-features = false, features = ["hazmat"] }
 
 # optional dependencies
 ecdsa = { version = "0.12", optional = true, default-features = false, features = ["der"] }

bp384/Cargo.toml

@@ -18,24 +18,18 @@ keywords = ["bitcoin", "crypto", "ecc", "ethereum", "secp256k1"]
 
 [dependencies]
 cfg-if = "1.0"
-elliptic-curve = { version = "0.10.6", default-features = false, features = ["hazmat"] }
+elliptic-curve = { version = "=0.11.0-pre", default-features = false, features = ["hazmat"] }
 
 # optional dependencies
+ecdsa-core = { version = "=0.13.0-pre", package = "ecdsa", optional = true, default-features = false, features = ["der"] }
 hex-literal = { version = "0.3", optional = true }
 sha2 = { version = "0.9", optional = true, default-features = false }
 sha3 = { version = "0.9", optional = true, default-features = false }
 
-[dependencies.ecdsa-core]
-version = "0.12.1"
-package = "ecdsa"
-optional = true
-default-features = false
-features = ["der"]
-
 [dev-dependencies]
 blobby = "0.3"
 criterion = "0.3"
-ecdsa-core = { version = "0.12.1", package = "ecdsa", default-features = false, features = ["dev"] }
+ecdsa-core = { version = "=0.13.0-pre", package = "ecdsa", default-features = false, features = ["dev"] }
 hex-literal = "0.3"
 num-bigint = "0.4"
 num-traits = "0.2"

k256/Cargo.toml

@@ -95,10 +95,6 @@ impl Field for Scalar {
         Scalar::one()
     }
 
-    fn is_zero(&self) -> bool {
-        self.0.is_zero().into()
-    }
-
     #[must_use]
     fn square(&self) -> Self {
         Scalar::square(self)
@@ -493,16 +489,16 @@ impl PrimeField for Scalar {
     ///
     /// Returns None if the byte array does not contain a big-endian integer in the range
     /// [0, p).
-    fn from_repr(bytes: FieldBytes) -> Option<Self> {
-        ScalarImpl::from_bytes(bytes.as_ref()).map(Self).into()
+    fn from_repr(bytes: FieldBytes) -> CtOption<Self> {
+        ScalarImpl::from_bytes(bytes.as_ref()).map(Self)
     }
 
     fn to_repr(&self) -> FieldBytes {
         self.to_bytes()
     }
 
-    fn is_odd(&self) -> bool {
-        self.0.is_odd().into()
+    fn is_odd(&self) -> Choice {
+        self.0.is_odd()
     }
 
     fn multiplicative_generator() -> Self {
@@ -707,7 +703,7 @@ impl Scalar {
         // TODO: pre-generate several scalars to bring the probability of non-constant-timeness down?
         loop {
             rng.fill_bytes(&mut bytes);
-            if let Some(scalar) = Scalar::from_repr(bytes) {
+            if let Some(scalar) = Scalar::from_repr(bytes).into() {
                 return scalar;
             }
         }

k256/src/arithmetic/scalar.rs

@@ -83,11 +83,6 @@ pub use self::{sign::SigningKey, verify::VerifyingKey};
 
 use crate::Secp256k1;
 
-#[cfg(feature = "ecdsa")]
-use crate::NonZeroScalar;
-#[cfg(feature = "ecdsa")]
-use elliptic_curve::generic_array::GenericArray;
-
 /// ECDSA/secp256k1 signature (fixed-size)
 pub type Signature = ecdsa_core::Signature<Secp256k1>;
 
@@ -100,20 +95,6 @@ impl ecdsa_core::hazmat::DigestPrimitive for Secp256k1 {
     type Digest = sha2::Sha256;
 }
 
-/// Validate that the scalars of an ECDSA signature are modulo the order
-#[cfg(feature = "ecdsa")]
-fn check_scalars(signature: &Signature) -> Result<(), Error> {
-    let (r_bytes, s_bytes) = signature.as_ref().split_at(32);
-    let r_valid = NonZeroScalar::from_repr(GenericArray::clone_from_slice(r_bytes)).is_some();
-    let s_valid = NonZeroScalar::from_repr(GenericArray::clone_from_slice(s_bytes)).is_some();
-
-    if r_valid && s_valid {
-        Ok(())
-    } else {
-        Err(Error::new())
-    }
-}
-
 #[cfg(all(test, feature = "ecdsa", feature = "arithmetic"))]
 mod tests {
     mod wycheproof {
@@ -165,7 +146,7 @@ mod tests {
                     Err(_) => return Some("failed to parse signature ASN.1"),
                 };
 
-                sig.normalize_s().unwrap();
+                sig.normalize_s();
 
                 match verifying_key.verify(msg, &sig) {
                     Ok(_) if pass => None,

k256/src/ecdsa.rs

@@ -47,7 +47,7 @@ mod tests {
         ]).unwrap();
 
         let mut sig_normalized = sig_hi;
-        assert!(sig_normalized.normalize_s().unwrap());
+        assert!(sig_normalized.normalize_s());
         assert_eq!(sig_lo, sig_normalized);
     }
 
@@ -62,7 +62,7 @@ mod tests {
         ]).unwrap();
 
         let mut sig_normalized = sig;
-        assert!(!sig_normalized.normalize_s().unwrap());
+        assert!(!sig_normalized.normalize_s());
         assert_eq!(sig, sig_normalized);
     }
 }

k256/src/ecdsa/normalize.rs

@@ -47,10 +47,7 @@ use crate::{
         signature::{digest::Digest, DigestVerifier},
         VerifyingKey,
     },
-    elliptic_curve::{
-        consts::U32, generic_array::GenericArray, ops::Invert, subtle::Choice,
-        weierstrass::DecompressPoint,
-    },
+    elliptic_curve::{consts::U32, ops::Invert, subtle::Choice, weierstrass::DecompressPoint},
     lincomb, AffinePoint, FieldBytes, NonZeroScalar, ProjectivePoint, Scalar,
 };
 
@@ -81,9 +78,6 @@ impl Signature {
     /// This is an "unchecked" conversion and assumes the provided [`Id`]
     /// is valid for this signature.
     pub fn new(signature: &super::Signature, recovery_id: Id) -> Result<Self, Error> {
-        #[cfg(feature = "ecdsa")]
-        super::check_scalars(signature)?;
-
         let mut bytes = [0u8; SIZE];
         bytes[..64].copy_from_slice(signature.as_ref());
         bytes[64] = recovery_id.0;
@@ -127,7 +121,7 @@ impl Signature {
         D: Clone + Digest<OutputSize = U32>,
     {
         let mut signature = *signature;
-        signature.normalize_s()?;
+        signature.normalize_s();
 
         for recovery_id in 0..=1 {
             if let Ok(recoverable_signature) = Signature::new(&signature, Id(recovery_id)) {
@@ -198,16 +192,16 @@ impl Signature {
     #[cfg(feature = "ecdsa")]
     #[cfg_attr(docsrs, doc(cfg(feature = "ecdsa")))]
     pub fn r(&self) -> NonZeroScalar {
-        NonZeroScalar::from_repr(GenericArray::clone_from_slice(&self.bytes[..32]))
-            .unwrap_or_else(|| unreachable!("r-component ensured valid in constructor"))
+        NonZeroScalar::try_from(&self.bytes[..32])
+            .expect("r-component ensured valid in constructor")
     }
 
     /// Parse the `s` component of this signature to a [`NonZeroScalar`]
     #[cfg(feature = "ecdsa")]
     #[cfg_attr(docsrs, doc(cfg(feature = "ecdsa")))]
     pub fn s(&self) -> NonZeroScalar {
-        NonZeroScalar::from_repr(GenericArray::clone_from_slice(&self.bytes[32..64]))
-            .unwrap_or_else(|| unreachable!("s-component ensured valid in constructor"))
+        NonZeroScalar::try_from(&self.bytes[32..64])
+            .expect("s-component ensured valid in constructor")
     }
 }
 

k256/src/ecdsa/recoverable.rs

@@ -192,7 +192,7 @@ impl RecoverableSignPrimitive<Secp256k1> for Scalar {
 
         let mut signature = Signature::from_scalars(r, s)?;
         let is_r_odd = bool::from(R.y.normalize().is_odd());
-        let is_s_high = signature.normalize_s()?;
+        let is_s_high = signature.normalize_s();
         Ok((signature, is_r_odd ^ is_s_high))
     }
 }