
Make Short Weierstrass random sampling result in an element with unknown discrete log #188

Merged
merged 3 commits into from
Jan 27, 2021

Conversation

@kobigurk (Contributor) commented Jan 27, 2021

Description

Short Weierstrass random sampling is currently not safe as a method for sampling random elements with unknown discrete log. The PR duplicates the Twisted Edwards random sampling behavior, which is safe.

I have not added new tests nor documentation.

Before we can merge this PR, please make sure that all the following items have been checked off. If any of the checklist items are not applicable, please leave them but write a little note why.

  • Targeted PR against correct branch (master)
  • Linked to Github issue with discussion and accepted design OR have an explanation in the PR that describes this work.
  • Wrote unit tests
  • Updated relevant documentation in the code
  • Added a relevant changelog entry to the Pending section in CHANGELOG.md
  • Re-reviewed Files changed in the Github PR explorer

@kobigurk kobigurk changed the title fix: make sw random sampling the same as twisted edwards Make Short Weierstrass random sampling result in an element with unknown discrete log Jan 27, 2021
@Pratyush (Member) left a comment

Thanks for the PR!

@weikengchen (Member) commented

My main concern is a probably stupid question: for SW curves, for a random x, is it guaranteed that we can find a point on the curve? I have this concern since the get_point_from_x for SW curves is Optional.

@weikengchen (Member) commented

(this same stupid question also goes to the TE one)

@Pratyush (Member) commented Jan 27, 2021

That's why the loop is there, no? If the x coordinate is invalid, we just keep sampling until we find a valid one. Since validity is decided by a square root, and since half of the elements of a prime field have square roots, in expectation we only need two iterations of the loop.
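An added illustration of the rejection loop discussed in this thread. This is not code from the PR or from arkworks: it uses a toy Short Weierstrass curve y^2 = x^3 + 7 over the Mersenne prime 2^61 - 1 (chosen because p ≡ 3 mod 4 makes the square root a single exponentiation), a stand-in xorshift RNG so nothing outside the standard library is needed, and a get_point_from_x that mirrors the Option-returning shape Weikeng asks about. Every constant and function name here is constructed for the example. The real samplers also scale the decompressed point by the curve cofactor before returning it; this toy omits that step because it never computes the group order, so it only demonstrates the "is there a y for this x" check and the expected number of draws.

```rust
// Toy Short Weierstrass curve over the Mersenne prime p = 2^61 - 1.
// Rejection sampling of a point from a random x: x is accepted only if
// x^3 + A*x + B is a quadratic residue, which holds for about half of all
// x, so the loop needs ~2 draws on average (as argued in the thread).

const P: u64 = (1u64 << 61) - 1; // prime with P % 4 == 3
const A: u64 = 0;
const B: u64 = 7;

fn mulmod(a: u64, b: u64) -> u64 {
    ((a as u128 * b as u128) % P as u128) as u64
}

fn addmod(a: u64, b: u64) -> u64 {
    ((a as u128 + b as u128) % P as u128) as u64
}

fn powmod(mut base: u64, mut exp: u64) -> u64 {
    let mut acc = 1u64;
    base %= P;
    while exp > 0 {
        if exp & 1 == 1 {
            acc = mulmod(acc, base);
        }
        base = mulmod(base, base);
        exp >>= 1;
    }
    acc
}

/// Right-hand side of the curve equation: x^3 + A*x + B (mod P).
fn rhs(x: u64) -> u64 {
    addmod(addmod(mulmod(mulmod(x, x), x), mulmod(A, x)), B)
}

/// Square root in F_P for P ≡ 3 (mod 4): candidate = v^((P+1)/4).
/// Returns None when v is a non-residue (the candidate does not square back to v).
fn sqrt_mod(v: u64) -> Option<u64> {
    let cand = powmod(v, (P + 1) / 4);
    if mulmod(cand, cand) == v % P { Some(cand) } else { None }
}

/// Shape of the library's get_point_from_x (constructed here): Some((x, y)) if
/// the curve has a point at this x, None otherwise. `greatest` picks y vs P - y.
fn get_point_from_x(x: u64, greatest: bool) -> Option<(u64, u64)> {
    let y = sqrt_mod(rhs(x))?;
    let other = (P - y) % P;
    let chosen = if greatest { y.max(other) } else { y.min(other) };
    Some((x, chosen))
}

/// xorshift64, a stand-in for the caller-supplied rng. Not cryptographically
/// secure and the `% P` reduction is slightly biased; fine for a demo only.
struct XorShift(u64); // seed must be non-zero
impl XorShift {
    fn next_u64(&mut self) -> u64 {
        let mut x = self.0;
        x ^= x << 13;
        x ^= x >> 7;
        x ^= x << 17;
        self.0 = x;
        x
    }
    fn field_elem(&mut self) -> u64 {
        self.next_u64() % P
    }
}

/// The loop from the discussion: keep drawing x until a y exists.
/// Returns the point and the number of x values tried.
fn sample_point(rng: &mut XorShift) -> ((u64, u64), u32) {
    let mut tries = 0;
    loop {
        tries += 1;
        let x = rng.field_elem();
        let greatest = rng.next_u64() & 1 == 1;
        if let Some(p) = get_point_from_x(x, greatest) {
            return (p, tries);
        }
    }
}

fn is_on_curve(p: (u64, u64)) -> bool {
    mulmod(p.1, p.1) == rhs(p.0)
}

/// Average number of x draws per accepted point over `n` samples;
/// every sampled point is also checked to satisfy the curve equation.
fn average_tries(seed: u64, n: u32) -> f64 {
    let mut rng = XorShift(seed);
    let mut total = 0u64;
    for _ in 0..n {
        let (p, tries) = sample_point(&mut rng);
        assert!(is_on_curve(p));
        total += tries as u64;
    }
    total as f64 / n as f64
}

fn main() {
    println!("average draws per point: {:.3}", average_tries(0x1234_5678_9abc_def0, 2000));
}
```

Running it prints an average close to 2, matching the argument that roughly half of the field elements are squares; a fixed seed makes the figure reproducible. The sampled point carries no scalar the sampler ever knew, which is the whole point of deriving it from x rather than from a random multiple of the generator.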

@weikengchen (Member) commented

oh got it. I did not notice that loop.

@weikengchen weikengchen merged commit 2c814ab into arkworks-rs:master Jan 27, 2021