ecdsa: refactor VerifyingKey::recover_from_prehash (#804)

Replaces some manual branching and use of `unwrap()` with a more combinator-like style. This could benefit from it being easier to convert `CtOption` into `Option`. See dalek-cryptography/subtle#119
RustCrypto · Feb 2, 2024 · 9961304 · 9961304
1 parent 3e229ed
commit 9961304
Showing 1 changed file with 15 additions and 15 deletions.
diff --git a/ecdsa/src/recovery.rs b/ecdsa/src/recovery.rs
@@ -275,23 +275,23 @@ where
         let (r, s) = signature.split_scalars();
         let z = <Scalar<C> as Reduce<C::Uint>>::reduce_bytes(&bits2field::<C>(prehash)?);
 
-        let mut r_bytes = r.to_repr();
-        if recovery_id.is_x_reduced() {
-            match Option::<C::Uint>::from(
-                C::Uint::decode_field_bytes(&r_bytes).checked_add(&C::ORDER),
-            ) {
-                Some(restored) => r_bytes = restored.encode_field_bytes(),
-                // No reduction should happen here if r was reduced
-                None => return Err(Error::new()),
-            };
-        }
-        let R = AffinePoint::<C>::decompress(&r_bytes, u8::from(recovery_id.is_y_odd()).into());
+        let r_bytes = if recovery_id.is_x_reduced() {
+            Option::<C::Uint>::from(
+                C::Uint::decode_field_bytes(&r.to_repr()).checked_add(&C::ORDER),
+            )
+            .ok_or_else(Error::new)?
+            .encode_field_bytes()
+        } else {
+            r.to_repr()
+        };
 
-        if R.is_none().into() {
-            return Err(Error::new());
-        }
+        let R: ProjectivePoint<C> = Option::<AffinePoint<C>>::from(AffinePoint::<C>::decompress(
+            &r_bytes,
+            u8::from(recovery_id.is_y_odd()).into(),
+        ))
+        .ok_or_else(Error::new)?
+        .into();
 
-        let R = ProjectivePoint::<C>::from(R.unwrap());
         let r_inv = *r.invert();
         let u1 = -(r_inv * z);
         let u2 = r_inv * *s;