// -*- mode: rust; -*- // // This file is part of curve25519-dalek. // Copyright (c) 2016-2019 Isis Lovecruft, Henry de Valence // Portions Copyright 2017 Brian Smith // See LICENSE for licensing information. // // Authors: // - Isis Agora Lovecruft // - Henry de Valence // - Brian Smith //! Arithmetic on scalars (integers mod the group order). //! //! Both the Ristretto group and the Ed25519 basepoint have prime order //! \$ \ell = 2\^{252} + 27742317777372353535851937790883648493 \$. //! //! This code is intended to be useful with both the Ristretto group //! (where everything is done modulo \$ \ell \$), and the X/Ed25519 //! setting, which mandates specific bit-twiddles that are not //! well-defined modulo \$ \ell \$. //! //! All arithmetic on `Scalars` is done modulo \$ \ell \$. //! //! # Constructing a scalar //! //! To create a [`Scalar`](struct.Scalar.html) from a supposedly canonical encoding, use //! [`Scalar::from_canonical_bytes`](struct.Scalar.html#method.from_canonical_bytes). //! //! This function does input validation, ensuring that the input bytes //! are the canonical encoding of a `Scalar`. //! If they are, we'll get //! `Some(Scalar)` in return: //! //! ``` //! use curve25519_dalek::scalar::Scalar; //! //! let one_as_bytes: [u8; 32] = Scalar::one().to_bytes(); //! let a: Option = Scalar::from_canonical_bytes(one_as_bytes); //! //! assert!(a.is_some()); //! ``` //! //! However, if we give it bytes representing a scalar larger than \$ \ell \$ //! (in this case, \$ \ell + 2 \$), we'll get `None` back: //! //! ``` //! use curve25519_dalek::scalar::Scalar; //! //! let l_plus_two_bytes: [u8; 32] = [ //! 0xef, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, //! 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, //! 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, //! 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, //! ]; //! let a: Option = Scalar::from_canonical_bytes(l_plus_two_bytes); //! //! assert!(a.is_none()); //! ``` //! //! Another way to create a `Scalar` is by reducing a \$256\$-bit integer mod //! \$ \ell \$, for which one may use the //! [`Scalar::from_bytes_mod_order`](struct.Scalar.html#method.from_bytes_mod_order) //! method. In the case of the second example above, this would reduce the //! resultant scalar \$ \mod \ell \$, producing \$ 2 \$: //! //! ``` //! use curve25519_dalek::scalar::Scalar; //! //! let l_plus_two_bytes: [u8; 32] = [ //! 0xef, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, //! 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, //! 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, //! 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, //! ]; //! let a: Scalar = Scalar::from_bytes_mod_order(l_plus_two_bytes); //! //! let two: Scalar = Scalar::one() + Scalar::one(); //! //! assert!(a == two); //! ``` //! //! There is also a constructor that reduces a \$512\$-bit integer, //! [`Scalar::from_bytes_mod_order_wide`](struct.Scalar.html#method.from_bytes_mod_order_wide). //! //! To construct a `Scalar` as the hash of some input data, use //! [`Scalar::hash_from_bytes`](struct.Scalar.html#method.hash_from_bytes), //! which takes a buffer, or //! [`Scalar::from_hash`](struct.Scalar.html#method.from_hash), //! which allows an IUF API. //! //! ``` //! # extern crate curve25519_dalek; //! # extern crate sha2; //! # //! # fn main() { //! use sha2::{Digest, Sha512}; //! use curve25519_dalek::scalar::Scalar; //! //! // Hashing a single byte slice //! let a = Scalar::hash_from_bytes::(b"Abolish ICE"); //! //! // Streaming data into a hash object //! let mut hasher = Sha512::default(); //! hasher.input(b"Abolish "); //! hasher.input(b"ICE"); //! let a2 = Scalar::from_hash(hasher); //! //! assert_eq!(a, a2); //! # } //! ``` //! //! Finally, to create a `Scalar` with a specific bit-pattern //! (e.g., for compatibility with X/Ed25519 //! ["clamping"](https://github.com/isislovecruft/ed25519-dalek/blob/f790bd2ce/src/ed25519.rs#L349)), //! use [`Scalar::from_bits`](struct.Scalar.html#method.from_bits). This //! constructs a scalar with exactly the bit pattern given, without any //! assurances as to reduction modulo the group order: //! //! ``` //! use curve25519_dalek::scalar::Scalar; //! //! let l_plus_two_bytes: [u8; 32] = [ //! 0xef, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, //! 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, //! 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, //! 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, //! ]; //! let a: Scalar = Scalar::from_bits(l_plus_two_bytes); //! //! let two: Scalar = Scalar::one() + Scalar::one(); //! //! assert!(a != two); // the scalar is not reduced (mod l)… //! assert!(! a.is_canonical()); // …and therefore is not canonical. //! assert!(a.reduce() == two); // if we were to reduce it manually, it would be. //! ``` //! //! The resulting `Scalar` has exactly the specified bit pattern, //! **except for the highest bit, which will be set to 0**. use core::borrow::Borrow; use core::cmp::{Eq, PartialEq}; use core::fmt::Debug; use core::iter::{Product, Sum}; use core::ops::Index; use core::ops::Neg; use core::ops::{Add, AddAssign}; use core::ops::{Mul, MulAssign}; use core::ops::{Sub, SubAssign}; #[allow(unused_imports)] use prelude::*; use rand_core::{CryptoRng, RngCore}; use digest::generic_array::typenum::U64; use digest::Digest; use subtle::Choice; use subtle::ConditionallySelectable; use subtle::ConstantTimeEq; use zeroize::Zeroize; use backend; use constants; /// An `UnpackedScalar` represents an element of the field GF(l), optimized for speed. /// /// This is a type alias for one of the scalar types in the `backend` /// module. #[cfg(feature = "u64_backend")] type UnpackedScalar = backend::serial::u64::scalar::Scalar52; /// An `UnpackedScalar` represents an element of the field GF(l), optimized for speed. /// /// This is a type alias for one of the scalar types in the `backend` /// module. #[cfg(feature = "u32_backend")] type UnpackedScalar = backend::serial::u32::scalar::Scalar29; /// The `Scalar` struct holds an integer \$s < 2\^{255} \$ which /// represents an element of \$\mathbb Z / \ell\$. #[derive(Copy, Clone)] pub struct Scalar { /// `bytes` is a little-endian byte encoding of an integer representing a scalar modulo the /// group order. /// /// # Invariant /// /// The integer representing this scalar must be bounded above by \$2\^{255}\$, or /// equivalently the high bit of `bytes[31]` must be zero. /// /// This ensures that there is room for a carry bit when computing a NAF representation. // // XXX This is pub(crate) so we can write literal constants. If const fns were stable, we could // make the Scalar constructors const fns and use those instead. pub(crate) bytes: [u8; 32], } impl Scalar { /// Construct a `Scalar` by reducing a 256-bit little-endian integer /// modulo the group order \$ \ell \$. pub fn from_bytes_mod_order(bytes: [u8; 32]) -> Scalar { // Temporarily allow s_unreduced.bytes > 2^255 ... let s_unreduced = Scalar{bytes}; // Then reduce mod the group order and return the reduced representative. let s = s_unreduced.reduce(); debug_assert_eq!(0u8, s[31] >> 7); s } /// Construct a `Scalar` by reducing a 512-bit little-endian integer /// modulo the group order \$ \ell \$. pub fn from_bytes_mod_order_wide(input: &[u8; 64]) -> Scalar { UnpackedScalar::from_bytes_wide(input).pack() } /// Attempt to construct a `Scalar` from a canonical byte representation. /// /// # Return /// /// - `Some(s)`, where `s` is the `Scalar` corresponding to `bytes`, /// if `bytes` is a canonical byte representation; /// - `None` if `bytes` is not a canonical byte representation. pub fn from_canonical_bytes(bytes: [u8; 32]) -> Option { // Check that the high bit is not set if (bytes[31] >> 7) != 0u8 { return None; } let candidate = Scalar::from_bits(bytes); if candidate.is_canonical() { Some(candidate) } else { None } } /// Construct a `Scalar` from the low 255 bits of a 256-bit integer. /// /// This function is intended for applications like X25519 which /// require specific bit-patterns when performing scalar /// multiplication. pub fn from_bits(bytes: [u8; 32]) -> Scalar { let mut s = Scalar{bytes}; // Ensure that s < 2^255 by masking the high bit s.bytes[31] &= 0b0111_1111; s } } impl Debug for Scalar { fn fmt(&self, f: &mut ::core::fmt::Formatter) -> ::core::fmt::Result { write!(f, "Scalar{{\n\tbytes: {:?},\n}}", &self.bytes) } } impl Eq for Scalar {} impl PartialEq for Scalar { fn eq(&self, other: &Self) -> bool { self.ct_eq(other).unwrap_u8() == 1u8 } } impl ConstantTimeEq for Scalar { fn ct_eq(&self, other: &Self) -> Choice { self.bytes.ct_eq(&other.bytes) } } impl Index for Scalar { type Output = u8; /// Index the bytes of the representative for this `Scalar`. Mutation is not permitted. fn index(&self, _index: usize) -> &u8 { &(self.bytes[_index]) } } impl<'b> MulAssign<&'b Scalar> for Scalar { fn mul_assign(&mut self, _rhs: &'b Scalar) { *self = UnpackedScalar::mul(&self.unpack(), &_rhs.unpack()).pack(); } } define_mul_assign_variants!(LHS = Scalar, RHS = Scalar); impl<'a, 'b> Mul<&'b Scalar> for &'a Scalar { type Output = Scalar; fn mul(self, _rhs: &'b Scalar) -> Scalar { UnpackedScalar::mul(&self.unpack(), &_rhs.unpack()).pack() } } define_mul_variants!(LHS = Scalar, RHS = Scalar, Output = Scalar); impl<'b> AddAssign<&'b Scalar> for Scalar { fn add_assign(&mut self, _rhs: &'b Scalar) { *self = *self + _rhs; } } define_add_assign_variants!(LHS = Scalar, RHS = Scalar); impl<'a, 'b> Add<&'b Scalar> for &'a Scalar { type Output = Scalar; #[allow(non_snake_case)] fn add(self, _rhs: &'b Scalar) -> Scalar { // The UnpackedScalar::add function produces reduced outputs // if the inputs are reduced. However, these inputs may not // be reduced -- they might come from Scalar::from_bits. So // after computing the sum, we explicitly reduce it mod l // before repacking. let sum = UnpackedScalar::add(&self.unpack(), &_rhs.unpack()); let sum_R = UnpackedScalar::mul_internal(&sum, &constants::R); let sum_mod_l = UnpackedScalar::montgomery_reduce(&sum_R); sum_mod_l.pack() } } define_add_variants!(LHS = Scalar, RHS = Scalar, Output = Scalar); impl<'b> SubAssign<&'b Scalar> for Scalar { fn sub_assign(&mut self, _rhs: &'b Scalar) { *self = *self - _rhs; } } define_sub_assign_variants!(LHS = Scalar, RHS = Scalar); impl<'a, 'b> Sub<&'b Scalar> for &'a Scalar { type Output = Scalar; #[allow(non_snake_case)] fn sub(self, rhs: &'b Scalar) -> Scalar { // The UnpackedScalar::sub function requires reduced inputs // and produces reduced output. However, these inputs may not // be reduced -- they might come from Scalar::from_bits. So // we explicitly reduce the inputs. let self_R = UnpackedScalar::mul_internal(&self.unpack(), &constants::R); let self_mod_l = UnpackedScalar::montgomery_reduce(&self_R); let rhs_R = UnpackedScalar::mul_internal(&rhs.unpack(), &constants::R); let rhs_mod_l = UnpackedScalar::montgomery_reduce(&rhs_R); UnpackedScalar::sub(&self_mod_l, &rhs_mod_l).pack() } } define_sub_variants!(LHS = Scalar, RHS = Scalar, Output = Scalar); impl<'a> Neg for &'a Scalar { type Output = Scalar; #[allow(non_snake_case)] fn neg(self) -> Scalar { let self_R = UnpackedScalar::mul_internal(&self.unpack(), &constants::R); let self_mod_l = UnpackedScalar::montgomery_reduce(&self_R); UnpackedScalar::sub(&UnpackedScalar::zero(), &self_mod_l).pack() } } impl<'a> Neg for Scalar { type Output = Scalar; fn neg(self) -> Scalar { -&self } } impl ConditionallySelectable for Scalar { fn conditional_select(a: &Self, b: &Self, choice: Choice) -> Self { let mut bytes = [0u8; 32]; for i in 0..32 { bytes[i] = u8::conditional_select(&a.bytes[i], &b.bytes[i], choice); } Scalar { bytes } } } #[cfg(feature = "serde")] use serde::{self, Serialize, Deserialize, Serializer, Deserializer}; #[cfg(feature = "serde")] use serde::de::Visitor; #[cfg(feature = "serde")] impl Serialize for Scalar { fn serialize(&self, serializer: S) -> Result where S: Serializer { use serde::ser::SerializeTuple; let mut tup = serializer.serialize_tuple(32)?; for byte in self.as_bytes().iter() { tup.serialize_element(byte)?; } tup.end() } } #[cfg(feature = "serde")] impl<'de> Deserialize<'de> for Scalar { fn deserialize(deserializer: D) -> Result where D: Deserializer<'de> { struct ScalarVisitor; impl<'de> Visitor<'de> for ScalarVisitor { type Value = Scalar; fn expecting(&self, formatter: &mut ::core::fmt::Formatter) -> ::core::fmt::Result { formatter.write_str("a valid point in Edwards y + sign format") } fn visit_seq(self, mut seq: A) -> Result where A: serde::de::SeqAccess<'de> { let mut bytes = [0u8; 32]; for i in 0..32 { bytes[i] = seq.next_element()? .ok_or(serde::de::Error::invalid_length(i, &"expected 32 bytes"))?; } Scalar::from_canonical_bytes(bytes) .ok_or(serde::de::Error::custom( &"scalar was not canonically encoded" )) } } deserializer.deserialize_tuple(32, ScalarVisitor) } } impl Product for Scalar where T: Borrow { fn product(iter: I) -> Self where I: Iterator { iter.fold(Scalar::one(), |acc, item| acc * item.borrow()) } } impl Sum for Scalar where T: Borrow { fn sum(iter: I) -> Self where I: Iterator { iter.fold(Scalar::zero(), |acc, item| acc + item.borrow()) } } impl Default for Scalar { fn default() -> Scalar { Scalar::zero() } } impl From for Scalar { fn from(x: u8) -> Scalar { let mut s_bytes = [0u8; 32]; s_bytes[0] = x; Scalar{ bytes: s_bytes } } } impl From for Scalar { fn from(x: u16) -> Scalar { use byteorder::{ByteOrder, LittleEndian}; let mut s_bytes = [0u8; 32]; LittleEndian::write_u16(&mut s_bytes, x); Scalar{ bytes: s_bytes } } } impl From for Scalar { fn from(x: u32) -> Scalar { use byteorder::{ByteOrder, LittleEndian}; let mut s_bytes = [0u8; 32]; LittleEndian::write_u32(&mut s_bytes, x); Scalar{ bytes: s_bytes } } } impl From for Scalar { /// Construct a scalar from the given `u64`. /// /// # Inputs /// /// An `u64` to convert to a `Scalar`. /// /// # Returns /// /// A `Scalar` corresponding to the input `u64`. /// /// # Example /// /// ``` /// use curve25519_dalek::scalar::Scalar; /// /// let fourtytwo = Scalar::from(42u64); /// let six = Scalar::from(6u64); /// let seven = Scalar::from(7u64); /// /// assert!(fourtytwo == six * seven); /// ``` fn from(x: u64) -> Scalar { use byteorder::{ByteOrder, LittleEndian}; let mut s_bytes = [0u8; 32]; LittleEndian::write_u64(&mut s_bytes, x); Scalar{ bytes: s_bytes } } } impl From for Scalar { fn from(x: u128) -> Scalar { use byteorder::{ByteOrder, LittleEndian}; let mut s_bytes = [0u8; 32]; LittleEndian::write_u128(&mut s_bytes, x); Scalar{ bytes: s_bytes } } } impl Zeroize for Scalar { fn zeroize(&mut self) { self.bytes.zeroize(); } } impl Scalar { /// Return a `Scalar` chosen uniformly at random using a user-provided RNG. /// /// # Inputs /// /// * `rng`: any RNG which implements the `RngCore + CryptoRng` interface. /// /// # Returns /// /// A random scalar within ℤ/lℤ. /// /// # Example /// /// ``` /// extern crate rand_core; /// # extern crate curve25519_dalek; /// # /// # fn main() { /// use curve25519_dalek::scalar::Scalar; /// /// use rand_core::OsRng; /// /// let mut csprng = OsRng; /// let a: Scalar = Scalar::random(&mut csprng); /// # } pub fn random(rng: &mut R) -> Self { let mut scalar_bytes = [0u8; 64]; rng.fill_bytes(&mut scalar_bytes); Scalar::from_bytes_mod_order_wide(&scalar_bytes) } /// Hash a slice of bytes into a scalar. /// /// Takes a type parameter `D`, which is any `Digest` producing 64 /// bytes (512 bits) of output. /// /// Convenience wrapper around `from_hash`. /// /// # Example /// /// ``` /// # extern crate curve25519_dalek; /// # use curve25519_dalek::scalar::Scalar; /// extern crate sha2; /// /// use sha2::Sha512; /// /// # // Need fn main() here in comment so the doctest compiles /// # // See https://doc.rust-lang.org/book/documentation.html#documentation-as-tests /// # fn main() { /// let msg = "To really appreciate architecture, you may even need to commit a murder"; /// let s = Scalar::hash_from_bytes::(msg.as_bytes()); /// # } /// ``` pub fn hash_from_bytes(input: &[u8]) -> Scalar where D: Digest + Default { let mut hash = D::default(); hash.input(input); Scalar::from_hash(hash) } /// Construct a scalar from an existing `Digest` instance. /// /// Use this instead of `hash_from_bytes` if it is more convenient /// to stream data into the `Digest` than to pass a single byte /// slice. /// /// # Example /// /// ``` /// # extern crate curve25519_dalek; /// # use curve25519_dalek::scalar::Scalar; /// extern crate sha2; /// /// use sha2::Digest; /// use sha2::Sha512; /// /// # fn main() { /// let mut h = Sha512::new() /// .chain("To really appreciate architecture, you may even need to commit a murder.") /// .chain("While the programs used for The Manhattan Transcripts are of the most extreme") /// .chain("nature, they also parallel the most common formula plot: the archetype of") /// .chain("murder. Other phantasms were occasionally used to underline the fact that") /// .chain("perhaps all architecture, rather than being about functional standards, is") /// .chain("about love and death."); /// /// let s = Scalar::from_hash(h); /// /// println!("{:?}", s.to_bytes()); /// assert!(s == Scalar::from_bits([ 21, 88, 208, 252, 63, 122, 210, 152, /// 154, 38, 15, 23, 16, 167, 80, 150, /// 192, 221, 77, 226, 62, 25, 224, 148, /// 239, 48, 176, 10, 185, 69, 168, 11, ])); /// # } /// ``` pub fn from_hash(hash: D) -> Scalar where D: Digest { let mut output = [0u8; 64]; output.copy_from_slice(hash.result().as_slice()); Scalar::from_bytes_mod_order_wide(&output) } /// Convert this `Scalar` to its underlying sequence of bytes. /// /// # Example /// /// ``` /// use curve25519_dalek::scalar::Scalar; /// /// let s: Scalar = Scalar::zero(); /// /// assert!(s.to_bytes() == [0u8; 32]); /// ``` pub fn to_bytes(&self) -> [u8; 32] { self.bytes } /// View the little-endian byte encoding of the integer representing this Scalar. /// /// # Example /// /// ``` /// use curve25519_dalek::scalar::Scalar; /// /// let s: Scalar = Scalar::zero(); /// /// assert!(s.as_bytes() == &[0u8; 32]); /// ``` pub fn as_bytes(&self) -> &[u8; 32] { &self.bytes } /// Construct the scalar \$ 0 \$. pub fn zero() -> Self { Scalar { bytes: [0u8; 32]} } /// Construct the scalar \$ 1 \$. pub fn one() -> Self { Scalar { bytes: [ 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ], } } /// Given a nonzero `Scalar`, compute its multiplicative inverse. /// /// # Warning /// /// `self` **MUST** be nonzero. If you cannot /// *prove* that this is the case, you **SHOULD NOT USE THIS /// FUNCTION**. /// /// # Returns /// /// The multiplicative inverse of the this `Scalar`. /// /// # Example /// /// ``` /// use curve25519_dalek::scalar::Scalar; /// /// // x = 2238329342913194256032495932344128051776374960164957527413114840482143558222 /// let X: Scalar = Scalar::from_bytes_mod_order([ /// 0x4e, 0x5a, 0xb4, 0x34, 0x5d, 0x47, 0x08, 0x84, /// 0x59, 0x13, 0xb4, 0x64, 0x1b, 0xc2, 0x7d, 0x52, /// 0x52, 0xa5, 0x85, 0x10, 0x1b, 0xcc, 0x42, 0x44, /// 0xd4, 0x49, 0xf4, 0xa8, 0x79, 0xd9, 0xf2, 0x04, /// ]); /// // 1/x = 6859937278830797291664592131120606308688036382723378951768035303146619657244 /// let XINV: Scalar = Scalar::from_bytes_mod_order([ /// 0x1c, 0xdc, 0x17, 0xfc, 0xe0, 0xe9, 0xa5, 0xbb, /// 0xd9, 0x24, 0x7e, 0x56, 0xbb, 0x01, 0x63, 0x47, /// 0xbb, 0xba, 0x31, 0xed, 0xd5, 0xa9, 0xbb, 0x96, /// 0xd5, 0x0b, 0xcd, 0x7a, 0x3f, 0x96, 0x2a, 0x0f, /// ]); /// /// let inv_X: Scalar = X.invert(); /// assert!(XINV == inv_X); /// let should_be_one: Scalar = &inv_X * &X; /// assert!(should_be_one == Scalar::one()); /// ``` pub fn invert(&self) -> Scalar { self.unpack().invert().pack() } /// Given a slice of nonzero (possibly secret) `Scalar`s, /// compute their inverses in a batch. /// /// # Return /// /// Each element of `inputs` is replaced by its inverse. /// /// The product of all inverses is returned. /// /// # Warning /// /// All input `Scalars` **MUST** be nonzero. If you cannot /// *prove* that this is the case, you **SHOULD NOT USE THIS /// FUNCTION**. /// /// # Example /// /// ``` /// # extern crate curve25519_dalek; /// # use curve25519_dalek::scalar::Scalar; /// # fn main() { /// let mut scalars = [ /// Scalar::from(3u64), /// Scalar::from(5u64), /// Scalar::from(7u64), /// Scalar::from(11u64), /// ]; /// /// let allinv = Scalar::batch_invert(&mut scalars); /// /// assert_eq!(allinv, Scalar::from(3*5*7*11u64).invert()); /// assert_eq!(scalars[0], Scalar::from(3u64).invert()); /// assert_eq!(scalars[1], Scalar::from(5u64).invert()); /// assert_eq!(scalars[2], Scalar::from(7u64).invert()); /// assert_eq!(scalars[3], Scalar::from(11u64).invert()); /// # } /// ``` #[cfg(feature = "alloc")] pub fn batch_invert(inputs: &mut [Scalar]) -> Scalar { // This code is essentially identical to the FieldElement // implementation, and is documented there. Unfortunately, // it's not easy to write it generically, since here we want // to use `UnpackedScalar`s internally, and `Scalar`s // externally, but there's no corresponding distinction for // field elements. use zeroize::Zeroizing; let n = inputs.len(); let one: UnpackedScalar = Scalar::one().unpack().to_montgomery(); // Place scratch storage in a Zeroizing wrapper to wipe it when // we pass out of scope. let scratch_vec = vec![one; n]; let mut scratch = Zeroizing::new(scratch_vec); // Keep an accumulator of all of the previous products let mut acc = Scalar::one().unpack().to_montgomery(); // Pass through the input vector, recording the previous // products in the scratch space for (input, scratch) in inputs.iter_mut().zip(scratch.iter_mut()) { *scratch = acc; // Avoid unnecessary Montgomery multiplication in second pass by // keeping inputs in Montgomery form let tmp = input.unpack().to_montgomery(); *input = tmp.pack(); acc = UnpackedScalar::montgomery_mul(&acc, &tmp); } // acc is nonzero iff all inputs are nonzero debug_assert!(acc.pack() != Scalar::zero()); // Compute the inverse of all products acc = acc.montgomery_invert().from_montgomery(); // We need to return the product of all inverses later let ret = acc.pack(); // Pass through the vector backwards to compute the inverses // in place for (input, scratch) in inputs.iter_mut().rev().zip(scratch.iter().rev()) { let tmp = UnpackedScalar::montgomery_mul(&acc, &input.unpack()); *input = UnpackedScalar::montgomery_mul(&acc, &scratch).pack(); acc = tmp; } ret } /// Get the bits of the scalar. pub(crate) fn bits(&self) -> [i8; 256] { let mut bits = [0i8; 256]; for i in 0..256 { // As i runs from 0..256, the bottom 3 bits index the bit, // while the upper bits index the byte. bits[i] = ((self.bytes[i>>3] >> (i&7)) & 1u8) as i8; } bits } /// Compute a width-\$w\$ "Non-Adjacent Form" of this scalar. /// /// A width-\$w\$ NAF of a positive integer \$k\$ is an expression /// $$ /// k = \sum_{i=0}\^m n\_i 2\^i, /// $$ /// where each nonzero /// coefficient \$n\_i\$ is odd and bounded by \$|n\_i| < 2\^{w-1}\$, /// \$n\_{m-1}\$ is nonzero, and at most one of any \$w\$ consecutive /// coefficients is nonzero. (Hankerson, Menezes, Vanstone; def 3.32). /// /// The length of the NAF is at most one more than the length of /// the binary representation of \$k\$. This is why the /// `Scalar` type maintains an invariant that the top bit is /// \$0\$, so that the NAF of a scalar has at most 256 digits. /// /// Intuitively, this is like a binary expansion, except that we /// allow some coefficients to grow in magnitude up to /// \$2\^{w-1}\$ so that the nonzero coefficients are as sparse /// as possible. /// /// When doing scalar multiplication, we can then use a lookup /// table of precomputed multiples of a point to add the nonzero /// terms \$ k_i P \$. Using signed digits cuts the table size /// in half, and using odd digits cuts the table size in half /// again. /// /// To compute a \$w\$-NAF, we use a modification of Algorithm 3.35 of HMV: /// /// 1. \$ i \gets 0 \$ /// 2. While \$ k \ge 1 \$: /// 1. If \$k\$ is odd, \$ n_i \gets k \operatorname{mods} 2^w \$, \$ k \gets k - n_i \$. /// 2. If \$k\$ is even, \$ n_i \gets 0 \$. /// 3. \$ k \gets k / 2 \$, \$ i \gets i + 1 \$. /// 3. Return \$ n_0, n_1, ... , \$ /// /// Here \$ \bar x = x \operatorname{mods} 2^w \$ means the /// \$ \bar x \$ with \$ \bar x \equiv x \pmod{2^w} \$ and /// \$ -2^{w-1} \leq \bar x < 2^w \$. /// /// We implement this by scanning across the bits of \$k\$ from /// least-significant bit to most-significant-bit. /// Write the bits of \$k\$ as /// $$ /// k = \sum\_{i=0}\^m k\_i 2^i, /// $$ /// and split the sum as /// $$ /// k = \sum\_{i=0}^{w-1} k\_i 2^i + 2^w \sum\_{i=0} k\_{i+w} 2^i /// $$ /// where the first part is \$ k \mod 2^w \$. /// /// If \$ k \mod 2^w\$ is odd, and \$ k \mod 2^w < 2^{w-1} \$, then we emit /// \$ n_0 = k \mod 2^w \$. Instead of computing /// \$ k - n_0 \$, we just advance \$w\$ bits and reindex. /// /// If \$ k \mod 2^w\$ is odd, and \$ k \mod 2^w \ge 2^{w-1} \$, then /// \$ n_0 = k \operatorname{mods} 2^w = k \mod 2^w - 2^w \$. /// The quantity \$ k - n_0 \$ is /// $$ /// \begin{aligned} /// k - n_0 &= \sum\_{i=0}^{w-1} k\_i 2^i + 2^w \sum\_{i=0} k\_{i+w} 2^i /// - \sum\_{i=0}^{w-1} k\_i 2^i + 2^w \\\\ /// &= 2^w + 2^w \sum\_{i=0} k\_{i+w} 2^i /// \end{aligned} /// $$ /// so instead of computing the subtraction, we can set a carry /// bit, advance \$w\$ bits, and reindex. /// /// If \$ k \mod 2^w\$ is even, we emit \$0\$, advance 1 bit /// and reindex. In fact, by setting all digits to \$0\$ /// initially, we don't need to emit anything. pub(crate) fn non_adjacent_form(&self, w: usize) -> [i8; 256] { // required by the NAF definition debug_assert!( w >= 2 ); // required so that the NAF digits fit in i8 debug_assert!( w <= 8 ); use byteorder::{ByteOrder, LittleEndian}; let mut naf = [0i8; 256]; let mut x_u64 = [0u64; 5]; LittleEndian::read_u64_into(&self.bytes, &mut x_u64[0..4]); let width = 1 << w; let window_mask = width - 1; let mut pos = 0; let mut carry = 0; while pos < 256 { // Construct a buffer of bits of the scalar, starting at bit `pos` let u64_idx = pos / 64; let bit_idx = pos % 64; let bit_buf: u64; if bit_idx < 64 - w { // This window's bits are contained in a single u64 bit_buf = x_u64[u64_idx] >> bit_idx; } else { // Combine the current u64's bits with the bits from the next u64 bit_buf = (x_u64[u64_idx] >> bit_idx) | (x_u64[1+u64_idx] << (64 - bit_idx)); } // Add the carry into the current window let window = carry + (bit_buf & window_mask); if window & 1 == 0 { // If the window value is even, preserve the carry and continue. // Why is the carry preserved? // If carry == 0 and window & 1 == 0, then the next carry should be 0 // If carry == 1 and window & 1 == 0, then bit_buf & 1 == 1 so the next carry should be 1 pos += 1; continue; } if window < width/2 { carry = 0; naf[pos] = window as i8; } else { carry = 1; naf[pos] = (window as i8).wrapping_sub(width as i8); } pos += w; } naf } /// Write this scalar in radix 16, with coefficients in \$[-8,8)\$, /// i.e., compute \$a\_i\$ such that /// $$ /// a = a\_0 + a\_1 16\^1 + \cdots + a_{63} 16\^{63}, /// $$ /// with \$-8 \leq a_i < 8\$ for \$0 \leq i < 63\$ and \$-8 \leq a_{63} \leq 8\$. pub(crate) fn to_radix_16(&self) -> [i8; 64] { debug_assert!(self[31] <= 127); let mut output = [0i8; 64]; // Step 1: change radix. // Convert from radix 256 (bytes) to radix 16 (nibbles) #[inline(always)] fn bot_half(x: u8) -> u8 { (x >> 0) & 15 } #[inline(always)] fn top_half(x: u8) -> u8 { (x >> 4) & 15 } for i in 0..32 { output[2*i ] = bot_half(self[i]) as i8; output[2*i+1] = top_half(self[i]) as i8; } // Precondition note: since self[31] <= 127, output[63] <= 7 // Step 2: recenter coefficients from [0,16) to [-8,8) for i in 0..63 { let carry = (output[i] + 8) >> 4; output[i ] -= carry << 4; output[i+1] += carry; } // Precondition note: output[63] is not recentered. It // increases by carry <= 1. Thus output[63] <= 8. output } /// Returns a size hint indicating how many entries of the return /// value of `to_radix_2w` are nonzero. pub(crate) fn to_radix_2w_size_hint(w: usize) -> usize { debug_assert!(w >= 6); debug_assert!(w <= 8); let digits_count = match w { 6 => (256 + w - 1)/w as usize, 7 => (256 + w - 1)/w as usize, // See comment in to_radix_2w on handling the terminal carry. 8 => (256 + w - 1)/w + 1 as usize, _ => panic!("invalid radix parameter"), }; debug_assert!(digits_count <= 43); digits_count } /// Creates a representation of a Scalar in radix 64, 128 or 256 for use with the Pippenger algorithm. /// For lower radix, use `to_radix_16`, which is used by the Straus multi-scalar multiplication. /// Higher radixes are not supported to save cache space. Radix 256 is near-optimal even for very /// large inputs. /// /// Radix below 64 or above 256 is prohibited. /// This method returns digits in a fixed-sized array, excess digits are zeroes. /// The second returned value is the number of digits. /// /// ## Scalar representation /// /// Radix \$2\^w\$, with \$n = ceil(256/w)\$ coefficients in \$[-(2\^w)/2,(2\^w)/2)\$, /// i.e., scalar is represented using digits \$a\_i\$ such that /// $$ /// a = a\_0 + a\_1 2\^1w + \cdots + a_{n-1} 2\^{w*(n-1)}, /// $$ /// with \$-2\^w/2 \leq a_i < 2\^w/2\$ for \$0 \leq i < (n-1)\$ and \$-2\^w/2 \leq a_{n-1} \leq 2\^w/2\$. /// pub(crate) fn to_radix_2w(&self, w: usize) -> [i8; 43] { debug_assert!(w >= 6); debug_assert!(w <= 8); use byteorder::{ByteOrder, LittleEndian}; // Scalar formatted as four `u64`s with carry bit packed into the highest bit. let mut scalar64x4 = [0u64; 4]; LittleEndian::read_u64_into(&self.bytes, &mut scalar64x4[0..4]); let radix: u64 = 1 << w; let window_mask: u64 = radix - 1; let mut carry = 0u64; let mut digits = [0i8; 43]; let digits_count = (256 + w - 1)/w as usize; for i in 0..digits_count { // Construct a buffer of bits of the scalar, starting at `bit_offset`. let bit_offset = i*w; let u64_idx = bit_offset / 64; let bit_idx = bit_offset % 64; // Read the bits from the scalar let bit_buf: u64; if bit_idx < 64 - w || u64_idx == 3 { // This window's bits are contained in a single u64, // or it's the last u64 anyway. bit_buf = scalar64x4[u64_idx] >> bit_idx; } else { // Combine the current u64's bits with the bits from the next u64 bit_buf = (scalar64x4[u64_idx] >> bit_idx) | (scalar64x4[1+u64_idx] << (64 - bit_idx)); } // Read the actual coefficient value from the window let coef = carry + (bit_buf & window_mask); // coef = [0, 2^r) // Recenter coefficients from [0,2^w) to [-2^w/2, 2^w/2) carry = (coef + (radix/2) as u64) >> w; digits[i] = ((coef as i64) - (carry << w) as i64) as i8; } // When w < 8, we can fold the final carry onto the last digit d, // because d < 2^w/2 so d + carry*2^w = d + 1*2^w < 2^(w+1) < 2^8. // // When w = 8, we can't fit carry*2^w into an i8. This should // not happen anyways, because the final carry will be 0 for // reduced scalars, but the Scalar invariant allows 255-bit scalars. // To handle this, we expand the size_hint by 1 when w=8, // and accumulate the final carry onto another digit. match w { 8 => digits[digits_count] += carry as i8, _ => digits[digits_count-1] += (carry << w) as i8, } digits } /// Unpack this `Scalar` to an `UnpackedScalar` for faster arithmetic. pub(crate) fn unpack(&self) -> UnpackedScalar { UnpackedScalar::from_bytes(&self.bytes) } /// Reduce this `Scalar` modulo \$\ell\$. #[allow(non_snake_case)] pub fn reduce(&self) -> Scalar { let x = self.unpack(); let xR = UnpackedScalar::mul_internal(&x, &constants::R); let x_mod_l = UnpackedScalar::montgomery_reduce(&xR); x_mod_l.pack() } /// Check whether this `Scalar` is the canonical representative mod \$\ell\$. /// /// This is intended for uses like input validation, where variable-time code is acceptable. /// /// ``` /// # extern crate curve25519_dalek; /// # extern crate subtle; /// # use curve25519_dalek::scalar::Scalar; /// # use subtle::ConditionallySelectable; /// # fn main() { /// // 2^255 - 1, since `from_bits` clears the high bit /// let _2_255_minus_1 = Scalar::from_bits([0xff;32]); /// assert!(!_2_255_minus_1.is_canonical()); /// /// let reduced = _2_255_minus_1.reduce(); /// assert!(reduced.is_canonical()); /// # } /// ``` pub fn is_canonical(&self) -> bool { *self == self.reduce() } } impl UnpackedScalar { /// Pack the limbs of this `UnpackedScalar` into a `Scalar`. fn pack(&self) -> Scalar { Scalar{ bytes: self.to_bytes() } } /// Inverts an UnpackedScalar in Montgomery form. pub fn montgomery_invert(&self) -> UnpackedScalar { // Uses the addition chain from // https://briansmith.org/ecc-inversion-addition-chains-01#curve25519_scalar_inversion let _1 = self; let _10 = _1.montgomery_square(); let _100 = _10.montgomery_square(); let _11 = UnpackedScalar::montgomery_mul(&_10, &_1); let _101 = UnpackedScalar::montgomery_mul(&_10, &_11); let _111 = UnpackedScalar::montgomery_mul(&_10, &_101); let _1001 = UnpackedScalar::montgomery_mul(&_10, &_111); let _1011 = UnpackedScalar::montgomery_mul(&_10, &_1001); let _1111 = UnpackedScalar::montgomery_mul(&_100, &_1011); // _10000 let mut y = UnpackedScalar::montgomery_mul(&_1111, &_1); #[inline] fn square_multiply(y: &mut UnpackedScalar, squarings: usize, x: &UnpackedScalar) { for _ in 0..squarings { *y = y.montgomery_square(); } *y = UnpackedScalar::montgomery_mul(y, x); } square_multiply(&mut y, 123 + 3, &_101); square_multiply(&mut y, 2 + 2, &_11); square_multiply(&mut y, 1 + 4, &_1111); square_multiply(&mut y, 1 + 4, &_1111); square_multiply(&mut y, 4, &_1001); square_multiply(&mut y, 2, &_11); square_multiply(&mut y, 1 + 4, &_1111); square_multiply(&mut y, 1 + 3, &_101); square_multiply(&mut y, 3 + 3, &_101); square_multiply(&mut y, 3, &_111); square_multiply(&mut y, 1 + 4, &_1111); square_multiply(&mut y, 2 + 3, &_111); square_multiply(&mut y, 2 + 2, &_11); square_multiply(&mut y, 1 + 4, &_1011); square_multiply(&mut y, 2 + 4, &_1011); square_multiply(&mut y, 6 + 4, &_1001); square_multiply(&mut y, 2 + 2, &_11); square_multiply(&mut y, 3 + 2, &_11); square_multiply(&mut y, 3 + 2, &_11); square_multiply(&mut y, 1 + 4, &_1001); square_multiply(&mut y, 1 + 3, &_111); square_multiply(&mut y, 2 + 4, &_1111); square_multiply(&mut y, 1 + 4, &_1011); square_multiply(&mut y, 3, &_101); square_multiply(&mut y, 2 + 4, &_1111); square_multiply(&mut y, 3, &_101); square_multiply(&mut y, 1 + 2, &_11); y } /// Inverts an UnpackedScalar not in Montgomery form. pub fn invert(&self) -> UnpackedScalar { self.to_montgomery().montgomery_invert().from_montgomery() } } #[cfg(test)] mod test { use super::*; use constants; /// x = 2238329342913194256032495932344128051776374960164957527413114840482143558222 pub static X: Scalar = Scalar{ bytes: [ 0x4e, 0x5a, 0xb4, 0x34, 0x5d, 0x47, 0x08, 0x84, 0x59, 0x13, 0xb4, 0x64, 0x1b, 0xc2, 0x7d, 0x52, 0x52, 0xa5, 0x85, 0x10, 0x1b, 0xcc, 0x42, 0x44, 0xd4, 0x49, 0xf4, 0xa8, 0x79, 0xd9, 0xf2, 0x04, ], }; /// 1/x = 6859937278830797291664592131120606308688036382723378951768035303146619657244 pub static XINV: Scalar = Scalar{ bytes: [ 0x1c, 0xdc, 0x17, 0xfc, 0xe0, 0xe9, 0xa5, 0xbb, 0xd9, 0x24, 0x7e, 0x56, 0xbb, 0x01, 0x63, 0x47, 0xbb, 0xba, 0x31, 0xed, 0xd5, 0xa9, 0xbb, 0x96, 0xd5, 0x0b, 0xcd, 0x7a, 0x3f, 0x96, 0x2a, 0x0f, ], }; /// y = 2592331292931086675770238855846338635550719849568364935475441891787804997264 pub static Y: Scalar = Scalar{ bytes: [ 0x90, 0x76, 0x33, 0xfe, 0x1c, 0x4b, 0x66, 0xa4, 0xa2, 0x8d, 0x2d, 0xd7, 0x67, 0x83, 0x86, 0xc3, 0x53, 0xd0, 0xde, 0x54, 0x55, 0xd4, 0xfc, 0x9d, 0xe8, 0xef, 0x7a, 0xc3, 0x1f, 0x35, 0xbb, 0x05, ], }; /// x*y = 5690045403673944803228348699031245560686958845067437804563560795922180092780 static X_TIMES_Y: Scalar = Scalar{ bytes: [ 0x6c, 0x33, 0x74, 0xa1, 0x89, 0x4f, 0x62, 0x21, 0x0a, 0xaa, 0x2f, 0xe1, 0x86, 0xa6, 0xf9, 0x2c, 0xe0, 0xaa, 0x75, 0xc2, 0x77, 0x95, 0x81, 0xc2, 0x95, 0xfc, 0x08, 0x17, 0x9a, 0x73, 0x94, 0x0c, ], }; /// sage: l = 2^252 + 27742317777372353535851937790883648493 /// sage: big = 2^256 - 1 /// sage: repr((big % l).digits(256)) static CANONICAL_2_256_MINUS_1: Scalar = Scalar{ bytes: [ 28, 149, 152, 141, 116, 49, 236, 214, 112, 207, 125, 115, 244, 91, 239, 198, 254, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 15, ], }; static A_SCALAR: Scalar = Scalar{ bytes: [ 0x1a, 0x0e, 0x97, 0x8a, 0x90, 0xf6, 0x62, 0x2d, 0x37, 0x47, 0x02, 0x3f, 0x8a, 0xd8, 0x26, 0x4d, 0xa7, 0x58, 0xaa, 0x1b, 0x88, 0xe0, 0x40, 0xd1, 0x58, 0x9e, 0x7b, 0x7f, 0x23, 0x76, 0xef, 0x09, ], }; static A_NAF: [i8; 256] = [0,13,0,0,0,0,0,0,0,7,0,0,0,0,0,0,-9,0,0,0,0,-11,0,0,0,0,3,0,0,0,0,1, 0,0,0,0,9,0,0,0,0,-5,0,0,0,0,0,0,3,0,0,0,0,11,0,0,0,0,11,0,0,0,0,0, -9,0,0,0,0,0,-3,0,0,0,0,9,0,0,0,0,0,1,0,0,0,0,0,0,-1,0,0,0,0,0,9,0, 0,0,0,-15,0,0,0,0,-7,0,0,0,0,-9,0,0,0,0,0,5,0,0,0,0,13,0,0,0,0,0,-3,0, 0,0,0,-11,0,0,0,0,-7,0,0,0,0,-13,0,0,0,0,11,0,0,0,0,-9,0,0,0,0,0,1,0,0, 0,0,0,-15,0,0,0,0,1,0,0,0,0,7,0,0,0,0,0,0,0,0,5,0,0,0,0,0,13,0,0,0, 0,0,0,11,0,0,0,0,0,15,0,0,0,0,0,-9,0,0,0,0,0,0,0,-1,0,0,0,0,0,0,0,7, 0,0,0,0,0,-15,0,0,0,0,0,15,0,0,0,0,15,0,0,0,0,15,0,0,0,0,0,1,0,0,0,0]; static LARGEST_ED25519_S: Scalar = Scalar { bytes: [ 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, ], }; static CANONICAL_LARGEST_ED25519_S_PLUS_ONE: Scalar = Scalar { bytes: [ 0x7e, 0x34, 0x47, 0x75, 0x47, 0x4a, 0x7f, 0x97, 0x23, 0xb6, 0x3a, 0x8b, 0xe9, 0x2a, 0xe7, 0x6d, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, ], }; static CANONICAL_LARGEST_ED25519_S_MINUS_ONE: Scalar = Scalar { bytes: [ 0x7c, 0x34, 0x47, 0x75, 0x47, 0x4a, 0x7f, 0x97, 0x23, 0xb6, 0x3a, 0x8b, 0xe9, 0x2a, 0xe7, 0x6d, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, ], }; #[test] fn fuzzer_testcase_reduction() { // LE bytes of 24519928653854221733733552434404946937899825954937634815 let a_bytes = [255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 0, 0, 0, 0, 0, 0, 0, 0, 0]; // LE bytes of 4975441334397345751130612518500927154628011511324180036903450236863266160640 let b_bytes = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 210, 210, 210, 255, 255, 255, 255, 10]; // LE bytes of 6432735165214683820902750800207468552549813371247423777071615116673864412038 let c_bytes = [134, 171, 119, 216, 180, 128, 178, 62, 171, 132, 32, 62, 34, 119, 104, 193, 47, 215, 181, 250, 14, 207, 172, 93, 75, 207, 211, 103, 144, 204, 56, 14]; let a = Scalar::from_bytes_mod_order(a_bytes); let b = Scalar::from_bytes_mod_order(b_bytes); let c = Scalar::from_bytes_mod_order(c_bytes); let mut tmp = [0u8; 64]; // also_a = (a mod l) tmp[0..32].copy_from_slice(&a_bytes[..]); let also_a = Scalar::from_bytes_mod_order_wide(&tmp); // also_b = (b mod l) tmp[0..32].copy_from_slice(&b_bytes[..]); let also_b = Scalar::from_bytes_mod_order_wide(&tmp); let expected_c = &a * &b; let also_expected_c = &also_a * &also_b; assert_eq!(c, expected_c); assert_eq!(c, also_expected_c); } #[test] fn non_adjacent_form_test_vector() { let naf = A_SCALAR.non_adjacent_form(5); for i in 0..256 { assert_eq!(naf[i], A_NAF[i]); } } fn non_adjacent_form_iter(w: usize, x: &Scalar) { let naf = x.non_adjacent_form(w); // Reconstruct the scalar from the computed NAF let mut y = Scalar::zero(); for i in (0..256).rev() { y += y; let digit = if naf[i] < 0 { -Scalar::from((-naf[i]) as u64) } else { Scalar::from(naf[i] as u64) }; y += digit; } assert_eq!(*x, y); } #[test] fn non_adjacent_form_random() { let mut rng = rand::thread_rng(); for _ in 0..1_000 { let x = Scalar::random(&mut rng); for w in &[5, 6, 7, 8] { non_adjacent_form_iter(*w, &x); } } } #[test] fn from_u64() { let val: u64 = 0xdeadbeefdeadbeef; let s = Scalar::from(val); assert_eq!(s[7], 0xde); assert_eq!(s[6], 0xad); assert_eq!(s[5], 0xbe); assert_eq!(s[4], 0xef); assert_eq!(s[3], 0xde); assert_eq!(s[2], 0xad); assert_eq!(s[1], 0xbe); assert_eq!(s[0], 0xef); } #[test] fn scalar_mul_by_one() { let test_scalar = &X * &Scalar::one(); for i in 0..32 { assert!(test_scalar[i] == X[i]); } } #[test] fn add_reduces() { // Check that the addition works assert_eq!( (LARGEST_ED25519_S + Scalar::one()).reduce(), CANONICAL_LARGEST_ED25519_S_PLUS_ONE ); // Check that the addition reduces assert_eq!( LARGEST_ED25519_S + Scalar::one(), CANONICAL_LARGEST_ED25519_S_PLUS_ONE ); } #[test] fn sub_reduces() { // Check that the subtraction works assert_eq!( (LARGEST_ED25519_S - Scalar::one()).reduce(), CANONICAL_LARGEST_ED25519_S_MINUS_ONE ); // Check that the subtraction reduces assert_eq!( LARGEST_ED25519_S - Scalar::one(), CANONICAL_LARGEST_ED25519_S_MINUS_ONE ); } #[test] fn quarkslab_scalar_overflow_does_not_occur() { // Check that manually-constructing large Scalars with // from_bits cannot produce incorrect results. // // The from_bits function is required to implement X/Ed25519, // while all other methods of constructing a Scalar produce // reduced Scalars. However, this "invariant loophole" allows // constructing large scalars which are not reduced mod l. // // This issue was discovered independently by both Jack // "str4d" Grigg (issue #238), who noted that reduction was // not performed on addition, and Laurent Grémy & Nicolas // Surbayrole of Quarkslab, who noted that it was possible to // cause an overflow and compute incorrect results. // // This test is adapted from the one suggested by Quarkslab. let large_bytes = [ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, ]; let a = Scalar::from_bytes_mod_order(large_bytes); let b = Scalar::from_bits(large_bytes); assert_eq!(a, b.reduce()); let a_3 = a + a + a; let b_3 = b + b + b; assert_eq!(a_3, b_3); let neg_a = -a; let neg_b = -b; assert_eq!(neg_a, neg_b); let minus_a_3 = Scalar::zero() - a - a - a; let minus_b_3 = Scalar::zero() - b - b - b; assert_eq!(minus_a_3, minus_b_3); assert_eq!(minus_a_3, -a_3); assert_eq!(minus_b_3, -b_3); } #[test] fn impl_add() { let two = Scalar::from(2u64); let one = Scalar::one(); let should_be_two = &one + &one; assert_eq!(should_be_two, two); } #[allow(non_snake_case)] #[test] fn impl_mul() { let should_be_X_times_Y = &X * &Y; assert_eq!(should_be_X_times_Y, X_TIMES_Y); } #[allow(non_snake_case)] #[test] fn impl_product() { // Test that product works for non-empty iterators let X_Y_vector = vec![X, Y]; let should_be_X_times_Y: Scalar = X_Y_vector.iter().product(); assert_eq!(should_be_X_times_Y, X_TIMES_Y); // Test that product works for the empty iterator let one = Scalar::one(); let empty_vector = vec![]; let should_be_one: Scalar = empty_vector.iter().product(); assert_eq!(should_be_one, one); // Test that product works for iterators where Item = Scalar let xs = [Scalar::from(2u64); 10]; let ys = [Scalar::from(3u64); 10]; // now zs is an iterator with Item = Scalar let zs = xs.iter().zip(ys.iter()).map(|(x,y)| x * y); let x_prod: Scalar = xs.iter().product(); let y_prod: Scalar = ys.iter().product(); let z_prod: Scalar = zs.product(); assert_eq!(x_prod, Scalar::from(1024u64)); assert_eq!(y_prod, Scalar::from(59049u64)); assert_eq!(z_prod, Scalar::from(60466176u64)); assert_eq!(x_prod * y_prod, z_prod); } #[test] fn impl_sum() { // Test that sum works for non-empty iterators let two = Scalar::from(2u64); let one_vector = vec![Scalar::one(), Scalar::one()]; let should_be_two: Scalar = one_vector.iter().sum(); assert_eq!(should_be_two, two); // Test that sum works for the empty iterator let zero = Scalar::zero(); let empty_vector = vec![]; let should_be_zero: Scalar = empty_vector.iter().sum(); assert_eq!(should_be_zero, zero); // Test that sum works for owned types let xs = [Scalar::from(1u64); 10]; let ys = [Scalar::from(2u64); 10]; // now zs is an iterator with Item = Scalar let zs = xs.iter().zip(ys.iter()).map(|(x,y)| x + y); let x_sum: Scalar = xs.iter().sum(); let y_sum: Scalar = ys.iter().sum(); let z_sum: Scalar = zs.sum(); assert_eq!(x_sum, Scalar::from(10u64)); assert_eq!(y_sum, Scalar::from(20u64)); assert_eq!(z_sum, Scalar::from(30u64)); assert_eq!(x_sum + y_sum, z_sum); } #[test] fn square() { let expected = &X * &X; let actual = X.unpack().square().pack(); for i in 0..32 { assert!(expected[i] == actual[i]); } } #[test] fn reduce() { let biggest = Scalar::from_bytes_mod_order([0xff; 32]); assert_eq!(biggest, CANONICAL_2_256_MINUS_1); } #[test] fn from_bytes_mod_order_wide() { let mut bignum = [0u8; 64]; // set bignum = x + 2^256x for i in 0..32 { bignum[ i] = X[i]; bignum[32+i] = X[i]; } // 3958878930004874126169954872055634648693766179881526445624823978500314864344 // = x + 2^256x (mod l) let reduced = Scalar{ bytes: [ 216, 154, 179, 139, 210, 121, 2, 71, 69, 99, 158, 216, 23, 173, 63, 100, 204, 0, 91, 50, 219, 153, 57, 249, 28, 82, 31, 197, 100, 165, 192, 8, ], }; let test_red = Scalar::from_bytes_mod_order_wide(&bignum); for i in 0..32 { assert!(test_red[i] == reduced[i]); } } #[allow(non_snake_case)] #[test] fn invert() { let inv_X = X.invert(); assert_eq!(inv_X, XINV); let should_be_one = &inv_X * &X; assert_eq!(should_be_one, Scalar::one()); } // Negating a scalar twice should result in the original scalar. #[allow(non_snake_case)] #[test] fn neg_twice_is_identity() { let negative_X = -&X; let should_be_X = -&negative_X; assert_eq!(should_be_X, X); } #[test] fn to_bytes_from_bytes_roundtrips() { let unpacked = X.unpack(); let bytes = unpacked.to_bytes(); let should_be_unpacked = UnpackedScalar::from_bytes(&bytes); assert_eq!(should_be_unpacked.0, unpacked.0); } #[test] fn montgomery_reduce_matches_from_bytes_mod_order_wide() { let mut bignum = [0u8; 64]; // set bignum = x + 2^256x for i in 0..32 { bignum[ i] = X[i]; bignum[32+i] = X[i]; } // x + 2^256x (mod l) // = 3958878930004874126169954872055634648693766179881526445624823978500314864344 let expected = Scalar{ bytes: [ 216, 154, 179, 139, 210, 121, 2, 71, 69, 99, 158, 216, 23, 173, 63, 100, 204, 0, 91, 50, 219, 153, 57, 249, 28, 82, 31, 197, 100, 165, 192, 8 ], }; let reduced = Scalar::from_bytes_mod_order_wide(&bignum); // The reduced scalar should match the expected assert_eq!(reduced.bytes, expected.bytes); // (x + 2^256x) * R let interim = UnpackedScalar::mul_internal(&UnpackedScalar::from_bytes_wide(&bignum), &constants::R); // ((x + 2^256x) * R) / R (mod l) let montgomery_reduced = UnpackedScalar::montgomery_reduce(&interim); // The Montgomery reduced scalar should match the reduced one, as well as the expected assert_eq!(montgomery_reduced.0, reduced.unpack().0); assert_eq!(montgomery_reduced.0, expected.unpack().0) } #[test] fn canonical_decoding() { // canonical encoding of 1667457891 let canonical_bytes = [99, 99, 99, 99, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,]; // encoding of // 7265385991361016183439748078976496179028704920197054998554201349516117938192 // = 28380414028753969466561515933501938171588560817147392552250411230663687203 (mod l) // non_canonical because unreduced mod l let non_canonical_bytes_because_unreduced = [16; 32]; // encoding with high bit set, to check that the parser isn't pre-masking the high bit let non_canonical_bytes_because_highbit = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 128]; assert!( Scalar::from_canonical_bytes(canonical_bytes).is_some() ); assert!( Scalar::from_canonical_bytes(non_canonical_bytes_because_unreduced).is_none() ); assert!( Scalar::from_canonical_bytes(non_canonical_bytes_because_highbit).is_none() ); } #[test] #[cfg(feature = "serde")] fn serde_bincode_scalar_roundtrip() { use bincode; let encoded = bincode::serialize(&X).unwrap(); let parsed: Scalar = bincode::deserialize(&encoded).unwrap(); assert_eq!(parsed, X); // Check that the encoding is 32 bytes exactly assert_eq!(encoded.len(), 32); // Check that the encoding itself matches the usual one assert_eq!( X, bincode::deserialize(X.as_bytes()).unwrap(), ); } #[cfg(debug_assertions)] #[test] #[should_panic] fn batch_invert_with_a_zero_input_panics() { let mut xs = vec![Scalar::one(); 16]; xs[3] = Scalar::zero(); // This should panic in debug mode. Scalar::batch_invert(&mut xs); } #[test] fn batch_invert_empty() { assert_eq!(Scalar::one(), Scalar::batch_invert(&mut [])); } #[test] fn batch_invert_consistency() { let mut x = Scalar::from(1u64); let mut v1: Vec<_> = (0..16).map(|_| {let tmp = x; x = x + x; tmp}).collect(); let v2 = v1.clone(); let expected: Scalar = v1.iter().product(); let expected = expected.invert(); let ret = Scalar::batch_invert(&mut v1); assert_eq!(ret, expected); for (a, b) in v1.iter().zip(v2.iter()) { assert_eq!(a * b, Scalar::one()); } } fn test_pippenger_radix_iter(scalar: Scalar, w: usize) { let digits_count = Scalar::to_radix_2w_size_hint(w); let digits = scalar.to_radix_2w(w); let radix = Scalar::from((1<