Add sampling of non-zero scalars.

go.mod

@@ -4,6 +4,6 @@ go 1.15
 
 require (
 	github.com/bwesterb/go-ristretto v1.2.1
-	golang.org/x/crypto v0.0.0-20210921155107-089bfa567519
-	golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac
+	golang.org/x/crypto v0.0.0-20211117183948-ae814b36b871
+	golang.org/x/sys v0.0.0-20211124211545-fe61309f8881
 )

go.sum

@@ -1,14 +1,13 @@
-github.com/bwesterb/go-ristretto v1.2.0 h1:xxWOVbN5m8NNKiSDZXE1jtZvZnC6JSJ9cYFADiZcWtw=
-github.com/bwesterb/go-ristretto v1.2.0/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
 github.com/bwesterb/go-ristretto v1.2.1 h1:Xd9ZXmjKE2aY8Ub7+4bX7tXsIPsV1pIZaUlJUjI1toE=
 github.com/bwesterb/go-ristretto v1.2.1/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
-golang.org/x/crypto v0.0.0-20210921155107-089bfa567519 h1:7I4JAnoQBe7ZtJcBaYHi5UtiO8tQHbUSXxL+pnGRANg=
-golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/crypto v0.0.0-20211117183948-ae814b36b871 h1:/pEO3GD/ABYAjuakUS6xSEmmlyVS4kxBNkeA9tLJiTI=
+golang.org/x/crypto v0.0.0-20211117183948-ae814b36b871/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac h1:oN6lz7iLW/YC7un8pq+9bOLyXrprv2+DKfkJY+2LJJw=
-golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211124211545-fe61309f8881 h1:TyHqChC80pFkXWraUUf6RuB5IqFdQieMLwwCJokV2pc=
+golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=

group/group.go

@@ -23,6 +23,7 @@ type Group interface {
 	Order() Scalar
 	RandomElement(io.Reader) Element
 	RandomScalar(io.Reader) Scalar
+	RandomNonZeroScalar(io.Reader) Scalar
 	HashToElement(data, dst []byte) Element
 	HashToElementNonUniform(b, dst []byte) Element
 	HashToScalar(data, dst []byte) Scalar

group/ristretto255.go

@@ -3,6 +3,7 @@ package group
 import (
 	"crypto"
 	_ "crypto/sha512" // to link libraries
+	"fmt"
 	"io"
 
 	r255 "github.com/bwesterb/go-ristretto"
@@ -76,13 +77,22 @@ func (g ristrettoGroup) RandomElement(r io.Reader) Element {
 	}
 }
 
-func (g ristrettoGroup) RandomScalar(r io.Reader) Scalar {
+func (g ristrettoGroup) RandomScalar(io.Reader) Scalar {
 	var x r255.Scalar
 	x.Rand()
 	return &ristrettoScalar{
 		s: x,
 	}
 }
+func (g ristrettoGroup) RandomNonZeroScalar(io.Reader) Scalar {
+	var s r255.Scalar
+	for {
+		s.Rand()
+		if s.IsNonZeroI() == 1 {
+			return &ristrettoScalar{s}
+		}
+	}
+}
 func (g ristrettoGroup) HashToElementNonUniform(b, dst []byte) Element {
 	return g.HashToElement(b, dst)
 }
@@ -146,6 +156,7 @@ func (e *ristrettoElement) UnmarshalBinary(data []byte) error {
 	return e.p.UnmarshalBinary(data)
 }
 
+func (s *ristrettoScalar) String() string     { return fmt.Sprintf("0x%x", s.s.Bytes()) }
 func (s *ristrettoScalar) SetUint64(n uint64) { s.s.SetUint64(n) }
 
 func (s *ristrettoScalar) IsEqual(x Scalar) bool {

group/short.go

@@ -29,7 +29,7 @@ func (g wG) String() string      { return g.c.Params().Name }
 func (g wG) NewElement() Element { return g.zeroElement() }
 func (g wG) NewScalar() Scalar   { return g.zeroScalar() }
 func (g wG) Identity() Element   { return g.zeroElement() }
-func (g wG) zeroScalar() *wScl   { return &wScl{g, nil} }
+func (g wG) zeroScalar() *wScl   { return &wScl{g, make([]byte, (g.c.Params().BitSize+7)/8)} }
 func (g wG) zeroElement() *wElt  { return &wElt{g, new(big.Int), new(big.Int)} }
 func (g wG) Generator() Element  { return &wElt{g, g.c.Params().Gx, g.c.Params().Gy} }
 func (g wG) Order() Scalar       { s := &wScl{g, nil}; s.fromBig(g.c.Params().N); return s }
@@ -47,6 +47,15 @@ func (g wG) RandomScalar(rd io.Reader) Scalar {
 	}
 	return g.HashToScalar(b, nil)
 }
+func (g wG) RandomNonZeroScalar(rd io.Reader) Scalar {
+	zero := g.zeroScalar()
+	for {
+		s := g.RandomScalar(rd)
+		if !s.IsEqual(zero) {
+			return s
+		}
+	}
+}
 func (g wG) cvtElt(e Element) *wElt {
 	if e == nil {
 		return g.zeroElement()
@@ -205,35 +214,36 @@ func (s *wScl) IsEqual(a Scalar) bool {
 	return subtle.ConstantTimeCompare(s.k, aa.k) == 1
 }
 func (s *wScl) fromBig(b *big.Int) {
-	if err := s.UnmarshalBinary(b.Bytes()); err != nil {
+	k := new(big.Int).Mod(b, s.c.Params().N)
+	if err := s.UnmarshalBinary(k.Bytes()); err != nil {
 		panic(err)
 	}
 }
 func (s *wScl) Add(a, b Scalar) Scalar {
 	aa, bb := s.cvtScl(a), s.cvtScl(b)
 	r := new(big.Int)
-	r.SetBytes(aa.k).Add(r, new(big.Int).SetBytes(bb.k)).Mod(r, s.c.Params().N)
+	r.SetBytes(aa.k).Add(r, new(big.Int).SetBytes(bb.k))
 	s.fromBig(r)
 	return s
 }
 func (s *wScl) Sub(a, b Scalar) Scalar {
 	aa, bb := s.cvtScl(a), s.cvtScl(b)
 	r := new(big.Int)
-	r.SetBytes(aa.k).Sub(r, new(big.Int).SetBytes(bb.k)).Mod(r, s.c.Params().N)
+	r.SetBytes(aa.k).Sub(r, new(big.Int).SetBytes(bb.k))
 	s.fromBig(r)
 	return s
 }
 func (s *wScl) Mul(a, b Scalar) Scalar {
 	aa, bb := s.cvtScl(a), s.cvtScl(b)
 	r := new(big.Int)
-	r.SetBytes(aa.k).Mul(r, new(big.Int).SetBytes(bb.k)).Mod(r, s.c.Params().N)
+	r.SetBytes(aa.k).Mul(r, new(big.Int).SetBytes(bb.k))
 	s.fromBig(r)
 	return s
 }
 func (s *wScl) Neg(a Scalar) Scalar {
 	aa := s.cvtScl(a)
 	r := new(big.Int)
-	r.SetBytes(aa.k).Neg(r).Mod(r, s.c.Params().N)
+	r.SetBytes(aa.k).Neg(r)
 	s.fromBig(r)
 	return s
 }