Skip to main content

curve25519_dalek/
scalar.rs

1// -*- mode: rust; -*-
2//
3// This file is part of curve25519-dalek.
4// Copyright (c) 2016-2021 isis lovecruft
5// Copyright (c) 2016-2019 Henry de Valence
6// Portions Copyright 2017 Brian Smith
7// See LICENSE for licensing information.
8//
9// Authors:
10// - Isis Agora Lovecruft <[email protected]>
11// - Henry de Valence <[email protected]>
12// - Brian Smith <[email protected]>
13
14//! Arithmetic on scalars (integers mod the group order).
15//!
16//! Both the Ristretto group and the Ed25519 basepoint have prime order
17//! \\( \ell = 2\^{252} + 27742317777372353535851937790883648493 \\).
18//!
19//! This code is intended to be useful with both the Ristretto group
20//! (where everything is done modulo \\( \ell \\)), and the X/Ed25519
21//! setting, which mandates specific bit-twiddles that are not
22//! well-defined modulo \\( \ell \\).
23//!
24//! All arithmetic on `Scalars` is done modulo \\( \ell \\).
25//!
26//! # Constructing a scalar
27//!
28//! To create a [`Scalar`](struct.Scalar.html) from a supposedly canonical encoding, use
29//! [`Scalar::from_canonical_bytes`](struct.Scalar.html#method.from_canonical_bytes).
30//!
31//! This function does input validation, ensuring that the input bytes
32//! are the canonical encoding of a `Scalar`.
33//! If they are, we'll get
34//! `Some(Scalar)` in return:
35//!
36//! ```
37//! use curve25519_dalek::scalar::Scalar;
38//!
39//! let one_as_bytes: [u8; 32] = Scalar::ONE.to_bytes();
40//! let a: Option<Scalar> = Scalar::from_canonical_bytes(one_as_bytes).into();
41//!
42//! assert!(a.is_some());
43//! ```
44//!
45//! However, if we give it bytes representing a scalar larger than \\( \ell \\)
46//! (in this case, \\( \ell + 2 \\)), we'll get `None` back:
47//!
48//! ```
49//! use curve25519_dalek::scalar::Scalar;
50//!
51//! let l_plus_two_bytes: [u8; 32] = [
52//!    0xef, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
53//!    0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
54//!    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
55//!    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10,
56//! ];
57//! let a: Option<Scalar> = Scalar::from_canonical_bytes(l_plus_two_bytes).into();
58//!
59//! assert!(a.is_none());
60//! ```
61//!
62//! Another way to create a `Scalar` is by reducing a \\(256\\)-bit integer mod
63//! \\( \ell \\), for which one may use the
64//! [`Scalar::from_bytes_mod_order`](struct.Scalar.html#method.from_bytes_mod_order)
65//! method.  In the case of the second example above, this would reduce the
66//! resultant scalar \\( \mod \ell \\), producing \\( 2 \\):
67//!
68//! ```
69//! use curve25519_dalek::scalar::Scalar;
70//!
71//! let l_plus_two_bytes: [u8; 32] = [
72//!    0xef, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
73//!    0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
74//!    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
75//!    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10,
76//! ];
77//! let a: Scalar = Scalar::from_bytes_mod_order(l_plus_two_bytes);
78//!
79//! let two: Scalar = Scalar::ONE + Scalar::ONE;
80//!
81//! assert!(a == two);
82//! ```
83//!
84//! There is also a constructor that reduces a \\(512\\)-bit integer,
85//! [`Scalar::from_bytes_mod_order_wide`].
86//!
87//! To construct a `Scalar` as the hash of some input data, use
88//! [`Scalar::hash_from_bytes`], which takes a buffer, or
89//! [`Scalar::from_hash`], which allows an IUF API.
90//!
91#![cfg_attr(feature = "digest", doc = "```")]
92#![cfg_attr(not(feature = "digest"), doc = "```ignore")]
93//! # fn main() {
94//! use sha2::{Digest, Sha512};
95//! use curve25519_dalek::scalar::Scalar;
96//!
97//! // Hashing a single byte slice
98//! let a = Scalar::hash_from_bytes::<Sha512>(b"Abolish ICE");
99//!
100//! // Streaming data into a hash object
101//! let mut hasher = Sha512::default();
102//! hasher.update(b"Abolish ");
103//! hasher.update(b"ICE");
104//! let a2 = Scalar::from_hash(hasher);
105//!
106//! assert_eq!(a, a2);
107//! # }
108//! ```
109//!
110//! See also `Scalar::hash_from_bytes` and `Scalar::from_hash` that
111//! reduces a \\(512\\)-bit integer, if the optional `digest` feature
112//! has been enabled.
113
114use core::borrow::Borrow;
115use core::fmt::Debug;
116use core::iter::{Product, Sum};
117use core::ops::Index;
118use core::ops::Neg;
119use core::ops::{Add, AddAssign};
120use core::ops::{Mul, MulAssign};
121use core::ops::{Sub, SubAssign};
122
123use cfg_if::cfg_if;
124
125#[cfg(feature = "group")]
126use group::ff::{Field, FromUniformBytes, PrimeField};
127
128#[cfg(feature = "group")]
129use rand_core::TryRng;
130
131#[cfg(feature = "rand_core")]
132use rand_core::CryptoRng;
133
134#[cfg(feature = "digest")]
135use digest::Digest;
136#[cfg(feature = "digest")]
137use digest::array::typenum::U64;
138
139use subtle::Choice;
140use subtle::ConditionallySelectable;
141use subtle::ConstantTimeEq;
142use subtle::CtOption;
143
144#[cfg(feature = "zeroize")]
145use zeroize::Zeroize;
146
147use crate::backend;
148use crate::constants;
149
150cfg_if! {
151    if #[cfg(curve25519_dalek_backend = "fiat")] {
152        /// An `UnpackedScalar` represents an element of the field GF(l), optimized for speed.
153        ///
154        /// This is a type alias for one of the scalar types in the `backend`
155        /// module.
156        #[cfg(curve25519_dalek_bits = "32")]
157        #[cfg_attr(
158            docsrs,
159            doc(cfg(all(feature = "fiat_backend", curve25519_dalek_bits = "32")))
160        )]
161        type UnpackedScalar = backend::serial::fiat_u32::scalar::Scalar29;
162
163        /// An `UnpackedScalar` represents an element of the field GF(l), optimized for speed.
164        ///
165        /// This is a type alias for one of the scalar types in the `backend`
166        /// module.
167        #[cfg(curve25519_dalek_bits = "64")]
168        #[cfg_attr(
169            docsrs,
170            doc(cfg(all(feature = "fiat_backend", curve25519_dalek_bits = "64")))
171        )]
172        type UnpackedScalar = backend::serial::fiat_u64::scalar::Scalar52;
173    } else if #[cfg(curve25519_dalek_bits = "64")] {
174        /// An `UnpackedScalar` represents an element of the field GF(l), optimized for speed.
175        ///
176        /// This is a type alias for one of the scalar types in the `backend`
177        /// module.
178        #[cfg_attr(docsrs, doc(cfg(curve25519_dalek_bits = "64")))]
179        type UnpackedScalar = backend::serial::u64::scalar::Scalar52;
180    } else {
181        /// An `UnpackedScalar` represents an element of the field GF(l), optimized for speed.
182        ///
183        /// This is a type alias for one of the scalar types in the `backend`
184        /// module.
185        #[cfg_attr(docsrs, doc(cfg(curve25519_dalek_bits = "64")))]
186        type UnpackedScalar = backend::serial::u32::scalar::Scalar29;
187    }
188}
189
190/// The `Scalar` struct holds an element of \\(\mathbb Z / \ell\mathbb Z \\).
191#[allow(clippy::derived_hash_with_manual_eq)]
192#[derive(Copy, Clone, Hash)]
193pub struct Scalar {
194    /// `bytes` is a little-endian byte encoding of an integer representing a scalar modulo the
195    /// group order.
196    ///
197    /// # Invariant #1
198    ///
199    /// The integer representing this scalar is less than \\(2\^{255}\\). That is, the most
200    /// significant bit of `bytes[31]` is 0.
201    ///
202    /// This is required for `EdwardsPoint` variable- and fixed-base multiplication, because most
203    /// integers above 2^255 are unrepresentable in our radix-16 NAF (see [`Self::as_radix_16`]).
204    /// The invariant is also required because our `MontgomeryPoint` multiplication assumes the MSB
205    /// is 0 (see `MontgomeryPoint::mul`).
206    ///
207    /// # Invariant #2 (weak)
208    ///
209    /// The integer representing this scalar is less than \\(2\^{255} - 19 \\), i.e., it represents
210    /// a canonical representative of an element of \\( \mathbb Z / \ell\mathbb Z \\). This is
211    /// stronger than invariant #1. It also sometimes has to be broken.
212    ///
213    /// This invariant is deliberately broken in the implementation of `EdwardsPoint::{mul_clamped,
214    /// mul_base_clamped}`, `MontgomeryPoint::{mul_clamped, mul_base_clamped}`, and
215    /// `BasepointTable::mul_base_clamped`. This is not an issue though. As mentioned above,
216    /// scalar-point multiplication is defined for any choice of `bytes` that satisfies invariant
217    /// #1. Since clamping guarantees invariant #1 is satisfied, these operations are well defined.
218    ///
219    /// Note: Scalar-point mult is the _only_ thing you can do safely with an unreduced scalar.
220    /// Scalar-scalar addition and subtraction are NOT correct when using unreduced scalars.
221    /// Multiplication is correct, but this is only due to a quirk of our implementation, and not
222    /// guaranteed to hold in general in the future.
223    ///
224    /// Note: It is not possible to construct an unreduced `Scalar` from the public API unless the
225    /// `legacy_compatibility` is enabled (thus making `Scalar::from_bits` public). Thus, for all
226    /// public non-legacy uses, invariant #2
227    /// always holds.
228    ///
229    pub(crate) bytes: [u8; 32],
230}
231
232impl Scalar {
233    /// Construct a `Scalar` by reducing a 256-bit little-endian integer
234    /// modulo the group order \\( \ell \\).
235    pub fn from_bytes_mod_order(bytes: [u8; 32]) -> Scalar {
236        // Temporarily allow s_unreduced.bytes > 2^255 ...
237        let s_unreduced = Scalar { bytes };
238
239        // Then reduce mod the group order and return the reduced representative.
240        let s = s_unreduced.reduce();
241        debug_assert_eq!(0u8, s[31] >> 7);
242
243        s
244    }
245
246    /// Construct a `Scalar` by reducing a 512-bit little-endian integer
247    /// modulo the group order \\( \ell \\).
248    pub fn from_bytes_mod_order_wide(input: &[u8; 64]) -> Scalar {
249        UnpackedScalar::from_bytes_wide(input).pack()
250    }
251
252    /// Attempt to construct a `Scalar` from a canonical byte representation.
253    ///
254    /// # Return
255    ///
256    /// - `Some(s)`, where `s` is the `Scalar` corresponding to `bytes`,
257    ///   if `bytes` is a canonical byte representation modulo the group order \\( \ell \\);
258    /// - `None` if `bytes` is not a canonical byte representation.
259    pub fn from_canonical_bytes(bytes: [u8; 32]) -> CtOption<Scalar> {
260        let high_bit_unset = (bytes[31] >> 7).ct_eq(&0);
261        let candidate = Scalar { bytes };
262        CtOption::new(candidate, high_bit_unset & candidate.is_canonical())
263    }
264
265    /// Construct a `Scalar` from the low 255 bits of a 256-bit integer. This breaks the invariant
266    /// that scalars are always reduced. Scalar-scalar arithmetic, i.e., addition, subtraction,
267    /// multiplication, **does not work** on scalars produced from this function. You may only use
268    /// the output of this function for `EdwardsPoint::mul`, `MontgomeryPoint::mul`, and
269    /// `EdwardsPoint::vartime_double_scalar_mul_basepoint`. **Do not use this function** unless
270    /// you absolutely have to.
271    #[cfg(feature = "legacy_compatibility")]
272    pub const fn from_bits(bytes: [u8; 32]) -> Scalar {
273        let mut s = Scalar { bytes };
274        // Ensure invariant #1 holds. That is, make s < 2^255 by masking the high bit.
275        s.bytes[31] &= 0b0111_1111;
276
277        s
278    }
279}
280
281impl Debug for Scalar {
282    fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
283        write!(f, "Scalar{{\n\tbytes: {:?},\n}}", &self.bytes)
284    }
285}
286
287impl Eq for Scalar {}
288impl PartialEq for Scalar {
289    fn eq(&self, other: &Self) -> bool {
290        self.ct_eq(other).into()
291    }
292}
293
294impl ConstantTimeEq for Scalar {
295    fn ct_eq(&self, other: &Self) -> Choice {
296        self.bytes.ct_eq(&other.bytes)
297    }
298}
299
300impl Index<usize> for Scalar {
301    type Output = u8;
302
303    /// Index the bytes of the representative for this `Scalar`.  Mutation is not permitted.
304    fn index(&self, _index: usize) -> &u8 {
305        &(self.bytes[_index])
306    }
307}
308
309impl<'a> MulAssign<&'a Scalar> for Scalar {
310    fn mul_assign(&mut self, _rhs: &'a Scalar) {
311        *self = UnpackedScalar::mul(&self.unpack(), &_rhs.unpack()).pack();
312    }
313}
314
315define_mul_assign_variants!(LHS = Scalar, RHS = Scalar);
316
317impl<'a> Mul<&'a Scalar> for &Scalar {
318    type Output = Scalar;
319    fn mul(self, _rhs: &'a Scalar) -> Scalar {
320        UnpackedScalar::mul(&self.unpack(), &_rhs.unpack()).pack()
321    }
322}
323
324define_mul_variants!(LHS = Scalar, RHS = Scalar, Output = Scalar);
325
326impl<'a> AddAssign<&'a Scalar> for Scalar {
327    fn add_assign(&mut self, _rhs: &'a Scalar) {
328        *self = *self + _rhs;
329    }
330}
331
332define_add_assign_variants!(LHS = Scalar, RHS = Scalar);
333
334impl<'a> Add<&'a Scalar> for &Scalar {
335    type Output = Scalar;
336    #[allow(non_snake_case)]
337    fn add(self, _rhs: &'a Scalar) -> Scalar {
338        // The UnpackedScalar::add function produces reduced outputs if the inputs are reduced. By
339        // Scalar invariant #1, this is always the case.
340        UnpackedScalar::add(&self.unpack(), &_rhs.unpack()).pack()
341    }
342}
343
344define_add_variants!(LHS = Scalar, RHS = Scalar, Output = Scalar);
345
346impl<'a> SubAssign<&'a Scalar> for Scalar {
347    fn sub_assign(&mut self, _rhs: &'a Scalar) {
348        *self = *self - _rhs;
349    }
350}
351
352define_sub_assign_variants!(LHS = Scalar, RHS = Scalar);
353
354impl<'a> Sub<&'a Scalar> for &Scalar {
355    type Output = Scalar;
356    #[allow(non_snake_case)]
357    fn sub(self, rhs: &'a Scalar) -> Scalar {
358        // The UnpackedScalar::sub function produces reduced outputs if the inputs are reduced. By
359        // Scalar invariant #1, this is always the case.
360        UnpackedScalar::sub(&self.unpack(), &rhs.unpack()).pack()
361    }
362}
363
364define_sub_variants!(LHS = Scalar, RHS = Scalar, Output = Scalar);
365
366impl Neg for &Scalar {
367    type Output = Scalar;
368    #[allow(non_snake_case)]
369    fn neg(self) -> Scalar {
370        let self_R = UnpackedScalar::mul_internal(&self.unpack(), &constants::R);
371        let self_mod_l = UnpackedScalar::montgomery_reduce(&self_R);
372        UnpackedScalar::sub(&UnpackedScalar::ZERO, &self_mod_l).pack()
373    }
374}
375
376impl Neg for Scalar {
377    type Output = Scalar;
378    fn neg(self) -> Scalar {
379        -&self
380    }
381}
382
383impl ConditionallySelectable for Scalar {
384    fn conditional_select(a: &Self, b: &Self, choice: Choice) -> Self {
385        let mut bytes = [0u8; 32];
386        #[allow(clippy::needless_range_loop)]
387        for i in 0..32 {
388            bytes[i] = u8::conditional_select(&a.bytes[i], &b.bytes[i], choice);
389        }
390        Scalar { bytes }
391    }
392}
393
394#[cfg(feature = "serde")]
395use serde::de::Visitor;
396#[cfg(feature = "serde")]
397use serde::{Deserialize, Deserializer, Serialize, Serializer};
398
399#[cfg(feature = "serde")]
400#[cfg_attr(docsrs, doc(cfg(feature = "serde")))]
401impl Serialize for Scalar {
402    fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
403    where
404        S: Serializer,
405    {
406        use serde::ser::SerializeTuple;
407        let mut tup = serializer.serialize_tuple(32)?;
408        for byte in self.as_bytes().iter() {
409            tup.serialize_element(byte)?;
410        }
411        tup.end()
412    }
413}
414
415#[cfg(feature = "serde")]
416#[cfg_attr(docsrs, doc(cfg(feature = "serde")))]
417impl<'de> Deserialize<'de> for Scalar {
418    fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
419    where
420        D: Deserializer<'de>,
421    {
422        struct ScalarVisitor;
423
424        impl<'de> Visitor<'de> for ScalarVisitor {
425            type Value = Scalar;
426
427            fn expecting(&self, formatter: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
428                formatter.write_str(
429                    "a sequence of 32 bytes whose little-endian interpretation is less than the \
430                    basepoint order ℓ",
431                )
432            }
433
434            fn visit_seq<A>(self, mut seq: A) -> Result<Scalar, A::Error>
435            where
436                A: serde::de::SeqAccess<'de>,
437            {
438                let mut bytes = [0u8; 32];
439                #[allow(clippy::needless_range_loop)]
440                for i in 0..32 {
441                    bytes[i] = seq
442                        .next_element()?
443                        .ok_or_else(|| serde::de::Error::invalid_length(i, &"expected 32 bytes"))?;
444                }
445                Option::from(Scalar::from_canonical_bytes(bytes))
446                    .ok_or_else(|| serde::de::Error::custom("scalar was not canonically encoded"))
447            }
448        }
449
450        deserializer.deserialize_tuple(32, ScalarVisitor)
451    }
452}
453
454impl<T> Product<T> for Scalar
455where
456    T: Borrow<Scalar>,
457{
458    fn product<I>(iter: I) -> Self
459    where
460        I: Iterator<Item = T>,
461    {
462        iter.fold(Scalar::ONE, |acc, item| acc * item.borrow())
463    }
464}
465
466impl<T> Sum<T> for Scalar
467where
468    T: Borrow<Scalar>,
469{
470    fn sum<I>(iter: I) -> Self
471    where
472        I: Iterator<Item = T>,
473    {
474        iter.fold(Scalar::ZERO, |acc, item| acc + item.borrow())
475    }
476}
477
478impl Default for Scalar {
479    fn default() -> Scalar {
480        Scalar::ZERO
481    }
482}
483
484impl From<u8> for Scalar {
485    fn from(x: u8) -> Scalar {
486        let mut s_bytes = [0u8; 32];
487        s_bytes[0] = x;
488        Scalar { bytes: s_bytes }
489    }
490}
491
492impl From<u16> for Scalar {
493    fn from(x: u16) -> Scalar {
494        let mut s_bytes = [0u8; 32];
495        let x_bytes = x.to_le_bytes();
496        s_bytes[0..x_bytes.len()].copy_from_slice(&x_bytes);
497        Scalar { bytes: s_bytes }
498    }
499}
500
501impl From<u32> for Scalar {
502    fn from(x: u32) -> Scalar {
503        let mut s_bytes = [0u8; 32];
504        let x_bytes = x.to_le_bytes();
505        s_bytes[0..x_bytes.len()].copy_from_slice(&x_bytes);
506        Scalar { bytes: s_bytes }
507    }
508}
509
510impl From<u64> for Scalar {
511    /// Construct a scalar from the given `u64`.
512    ///
513    /// # Inputs
514    ///
515    /// An `u64` to convert to a `Scalar`.
516    ///
517    /// # Returns
518    ///
519    /// A `Scalar` corresponding to the input `u64`.
520    ///
521    /// # Example
522    ///
523    /// ```
524    /// use curve25519_dalek::scalar::Scalar;
525    ///
526    /// let fourtytwo = Scalar::from(42u64);
527    /// let six = Scalar::from(6u64);
528    /// let seven = Scalar::from(7u64);
529    ///
530    /// assert!(fourtytwo == six * seven);
531    /// ```
532    fn from(x: u64) -> Scalar {
533        let mut s_bytes = [0u8; 32];
534        let x_bytes = x.to_le_bytes();
535        s_bytes[0..x_bytes.len()].copy_from_slice(&x_bytes);
536        Scalar { bytes: s_bytes }
537    }
538}
539
540impl From<u128> for Scalar {
541    fn from(x: u128) -> Scalar {
542        let mut s_bytes = [0u8; 32];
543        let x_bytes = x.to_le_bytes();
544        s_bytes[0..x_bytes.len()].copy_from_slice(&x_bytes);
545        Scalar { bytes: s_bytes }
546    }
547}
548
549#[cfg(feature = "zeroize")]
550impl Zeroize for Scalar {
551    fn zeroize(&mut self) {
552        self.bytes.zeroize();
553    }
554}
555
556impl Scalar {
557    /// The scalar \\( 0 \\).
558    pub const ZERO: Self = Self { bytes: [0u8; 32] };
559
560    /// The scalar \\( 1 \\).
561    pub const ONE: Self = Self {
562        bytes: [
563            1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
564            0, 0, 0,
565        ],
566    };
567
568    /// Return a `Scalar` chosen uniformly at random using a user-provided RNG.
569    ///
570    /// # Inputs
571    ///
572    /// * `rng`: any RNG which implements `CryptoRng` interface.
573    ///
574    /// # Returns
575    ///
576    /// A random scalar within \\(\mathbb{Z} / \ell\mathbb{Z}\\).
577    ///
578    /// # Example
579    ///
580    /// ```
581    /// # fn main() {
582    /// use curve25519_dalek::scalar::Scalar;
583    /// use getrandom::{SysRng, rand_core::UnwrapErr};
584    ///
585    /// let mut csprng = UnwrapErr(SysRng);
586    /// let a: Scalar = Scalar::random(&mut csprng);
587    /// # }
588    #[cfg(feature = "rand_core")]
589    pub fn random<R: CryptoRng + ?Sized>(rng: &mut R) -> Self {
590        let mut scalar_bytes = [0u8; 64];
591        rng.fill_bytes(&mut scalar_bytes);
592        Scalar::from_bytes_mod_order_wide(&scalar_bytes)
593    }
594
595    #[cfg(feature = "digest")]
596    /// Hash a slice of bytes into a scalar.
597    ///
598    /// Takes a type parameter `D`, which is any `Digest` producing 64
599    /// bytes (512 bits) of output.
600    ///
601    /// Convenience wrapper around `from_hash`.
602    ///
603    /// # Example
604    ///
605    #[cfg_attr(feature = "digest", doc = "```")]
606    #[cfg_attr(not(feature = "digest"), doc = "```ignore")]
607    /// # use curve25519_dalek::scalar::Scalar;
608    /// use sha2::Sha512;
609    ///
610    /// # // Need fn main() here in comment so the doctest compiles
611    /// # // See https://doc.rust-lang.org/book/documentation.html#documentation-as-tests
612    /// # fn main() {
613    /// let msg = "To really appreciate architecture, you may even need to commit a murder";
614    /// let s = Scalar::hash_from_bytes::<Sha512>(msg.as_bytes());
615    /// # }
616    /// ```
617    pub fn hash_from_bytes<D>(input: &[u8]) -> Scalar
618    where
619        D: Digest<OutputSize = U64> + Default,
620    {
621        let mut hash = D::default();
622        hash.update(input);
623        Scalar::from_hash(hash)
624    }
625
626    #[cfg(feature = "digest")]
627    /// Construct a scalar from an existing `Digest` instance.
628    ///
629    /// Use this instead of `hash_from_bytes` if it is more convenient
630    /// to stream data into the `Digest` than to pass a single byte
631    /// slice.
632    ///
633    /// # Example
634    ///
635    /// ```
636    /// # use curve25519_dalek::scalar::Scalar;
637    /// use curve25519_dalek::digest::Update;
638    ///
639    /// use sha2::Digest;
640    /// use sha2::Sha512;
641    ///
642    /// # fn main() {
643    /// let mut h = Sha512::new()
644    ///     .chain("To really appreciate architecture, you may even need to commit a murder.")
645    ///     .chain("While the programs used for The Manhattan Transcripts are of the most extreme")
646    ///     .chain("nature, they also parallel the most common formula plot: the archetype of")
647    ///     .chain("murder. Other phantasms were occasionally used to underline the fact that")
648    ///     .chain("perhaps all architecture, rather than being about functional standards, is")
649    ///     .chain("about love and death.");
650    ///
651    /// let s = Scalar::from_hash(h);
652    ///
653    /// println!("{:?}", s.to_bytes());
654    /// assert_eq!(
655    ///     s.to_bytes(),
656    ///     [  21,  88, 208, 252,  63, 122, 210, 152,
657    ///       154,  38,  15,  23,  16, 167,  80, 150,
658    ///       192, 221,  77, 226,  62,  25, 224, 148,
659    ///       239,  48, 176,  10, 185,  69, 168,  11, ],
660    /// );
661    /// # }
662    /// ```
663    pub fn from_hash<D>(hash: D) -> Scalar
664    where
665        D: Digest<OutputSize = U64>,
666    {
667        let mut output = [0u8; 64];
668        output.copy_from_slice(hash.finalize().as_slice());
669        Scalar::from_bytes_mod_order_wide(&output)
670    }
671
672    /// Convert this `Scalar` to its underlying sequence of bytes.
673    ///
674    /// # Example
675    ///
676    /// ```
677    /// use curve25519_dalek::scalar::Scalar;
678    ///
679    /// let s: Scalar = Scalar::ZERO;
680    ///
681    /// assert!(s.to_bytes() == [0u8; 32]);
682    /// ```
683    pub const fn to_bytes(&self) -> [u8; 32] {
684        self.bytes
685    }
686
687    /// View the little-endian byte encoding of the integer representing this Scalar.
688    ///
689    /// # Example
690    ///
691    /// ```
692    /// use curve25519_dalek::scalar::Scalar;
693    ///
694    /// let s: Scalar = Scalar::ZERO;
695    ///
696    /// assert!(s.as_bytes() == &[0u8; 32]);
697    /// ```
698    pub const fn as_bytes(&self) -> &[u8; 32] {
699        &self.bytes
700    }
701
702    /// Given a nonzero `Scalar`, compute its multiplicative inverse.
703    ///
704    /// # Warning
705    ///
706    /// `self` **MUST** be nonzero.  If you cannot
707    /// *prove* that this is the case, you **SHOULD NOT USE THIS
708    /// FUNCTION**.
709    ///
710    /// # Returns
711    ///
712    /// The multiplicative inverse of the this `Scalar`.
713    ///
714    /// # Example
715    ///
716    /// ```
717    /// use curve25519_dalek::scalar::Scalar;
718    ///
719    /// // x = 2238329342913194256032495932344128051776374960164957527413114840482143558222
720    /// let X: Scalar = Scalar::from_bytes_mod_order([
721    ///         0x4e, 0x5a, 0xb4, 0x34, 0x5d, 0x47, 0x08, 0x84,
722    ///         0x59, 0x13, 0xb4, 0x64, 0x1b, 0xc2, 0x7d, 0x52,
723    ///         0x52, 0xa5, 0x85, 0x10, 0x1b, 0xcc, 0x42, 0x44,
724    ///         0xd4, 0x49, 0xf4, 0xa8, 0x79, 0xd9, 0xf2, 0x04,
725    ///     ]);
726    /// // 1/x = 6859937278830797291664592131120606308688036382723378951768035303146619657244
727    /// let XINV: Scalar = Scalar::from_bytes_mod_order([
728    ///         0x1c, 0xdc, 0x17, 0xfc, 0xe0, 0xe9, 0xa5, 0xbb,
729    ///         0xd9, 0x24, 0x7e, 0x56, 0xbb, 0x01, 0x63, 0x47,
730    ///         0xbb, 0xba, 0x31, 0xed, 0xd5, 0xa9, 0xbb, 0x96,
731    ///         0xd5, 0x0b, 0xcd, 0x7a, 0x3f, 0x96, 0x2a, 0x0f,
732    ///     ]);
733    ///
734    /// let inv_X: Scalar = X.invert();
735    /// assert!(XINV == inv_X);
736    /// let should_be_one: Scalar = &inv_X * &X;
737    /// assert!(should_be_one == Scalar::ONE);
738    /// ```
739    pub fn invert(&self) -> Scalar {
740        self.unpack().invert().pack()
741    }
742
743    /// Given a slice of nonzero (possibly secret) `Scalar`s,
744    /// compute their inverses in a batch.
745    ///
746    /// # Return
747    ///
748    /// Each element of `inputs` is replaced by its inverse.
749    ///
750    /// The product of all inverses is returned.
751    ///
752    /// # Warning
753    ///
754    /// All input `Scalars` **MUST** be nonzero.  If you cannot
755    /// *prove* that this is the case, you **SHOULD NOT USE THIS
756    /// FUNCTION**.
757    ///
758    /// # Example
759    ///
760    /// ```
761    /// # use curve25519_dalek::scalar::Scalar;
762    /// # fn main() {
763    /// let mut scalars = [
764    ///     Scalar::from(3u64),
765    ///     Scalar::from(5u64),
766    ///     Scalar::from(7u64),
767    ///     Scalar::from(11u64),
768    /// ];
769    ///
770    /// let allinv = Scalar::invert_batch(&mut scalars);
771    ///
772    /// assert_eq!(allinv, Scalar::from(3*5*7*11u64).invert());
773    /// assert_eq!(scalars[0], Scalar::from(3u64).invert());
774    /// assert_eq!(scalars[1], Scalar::from(5u64).invert());
775    /// assert_eq!(scalars[2], Scalar::from(7u64).invert());
776    /// assert_eq!(scalars[3], Scalar::from(11u64).invert());
777    /// # }
778    /// ```
779    pub fn invert_batch<const N: usize>(inputs: &mut [Scalar; N]) -> Scalar {
780        let one: UnpackedScalar = Scalar::ONE.unpack().as_montgomery();
781
782        let mut scratch = [one; N];
783
784        Self::invert_batch_internal(inputs, &mut scratch)
785    }
786
787    /// Given a slice of nonzero (possibly secret) `Scalar`s, compute their inverses in a batch.
788    /// This the allocating form of [`Self::invert_batch`]. See those docs for examples.
789    ///
790    /// # Return
791    ///
792    /// Each element of `inputs` is replaced by its inverse.
793    ///
794    /// The product of all inverses is returned.
795    ///
796    /// # Warning
797    ///
798    /// All input `Scalars` **MUST** be nonzero.  If you cannot
799    /// *prove* that this is the case, you **SHOULD NOT USE THIS
800    /// FUNCTION**.
801    #[cfg(feature = "alloc")]
802    pub fn invert_batch_alloc(inputs: &mut [Scalar]) -> Scalar {
803        let n = inputs.len();
804        let one: UnpackedScalar = Scalar::ONE.unpack().as_montgomery();
805
806        let mut scratch = vec![one; n];
807
808        Self::invert_batch_internal(inputs, &mut scratch)
809    }
810
811    fn invert_batch_internal(inputs: &mut [Scalar], scratch: &mut [UnpackedScalar]) -> Scalar {
812        // This code is essentially identical to the FieldElement
813        // implementation, and is documented there.  Unfortunately,
814        // it's not easy to write it generically, since here we want
815        // to use `UnpackedScalar`s internally, and `Scalar`s
816        // externally, but there's no corresponding distinction for
817        // field elements.
818
819        // Keep an accumulator of all of the previous products
820        let mut acc = Scalar::ONE.unpack().as_montgomery();
821
822        // Pass through the input vector, recording the previous
823        // products in the scratch space
824        for (input, scratch) in inputs.iter_mut().zip(scratch.iter_mut()) {
825            *scratch = acc;
826
827            // Avoid unnecessary Montgomery multiplication in second pass by
828            // keeping inputs in Montgomery form
829            let tmp = input.unpack().as_montgomery();
830            *input = tmp.pack();
831            acc = UnpackedScalar::montgomery_mul(&acc, &tmp);
832        }
833
834        // acc is nonzero iff all inputs are nonzero
835        debug_assert!(acc.pack() != Scalar::ZERO);
836
837        // Compute the inverse of all products
838        acc = acc.montgomery_invert().from_montgomery();
839
840        // We need to return the product of all inverses later
841        let ret = acc.pack();
842
843        // Pass through the vector backwards to compute the inverses
844        // in place
845        for (input, scratch) in inputs.iter_mut().rev().zip(scratch.iter().rev()) {
846            let tmp = UnpackedScalar::montgomery_mul(&acc, &input.unpack());
847            *input = UnpackedScalar::montgomery_mul(&acc, scratch).pack();
848            acc = tmp;
849        }
850
851        #[cfg(feature = "zeroize")]
852        Zeroize::zeroize(&mut scratch.iter_mut());
853
854        ret
855    }
856
857    /// Compute `b` such that `b + b = a mod modulus`.
858    pub fn div_by_2(&self) -> Self {
859        // We are looking for such `b` that `b + b = a mod modulus`.
860        // Two possibilities:
861        // - if `a` is even, we can just divide by 2;
862        // - if `a` is odd, we divide `(a + modulus)` by 2.
863        let is_odd = Choice::from(self.as_bytes()[0] & 1);
864        let mut scalar = self.unpack();
865        scalar.conditional_add_l(is_odd);
866
867        let carry = scalar.shr1_assign();
868        debug_assert_eq!(carry, 0);
869
870        scalar.pack()
871    }
872
873    /// Get the bits of the scalar, in little-endian order
874    pub(crate) fn bits_le(&self) -> impl DoubleEndedIterator<Item = bool> + '_ {
875        (0..256).map(|i| {
876            // As i runs from 0..256, the bottom 3 bits index the bit, while the upper bits index
877            // the byte. Since self.bytes is little-endian at the byte level, this iterator is
878            // little-endian on the bit level
879            ((self.bytes[i >> 3] >> (i & 7)) & 1u8) == 1
880        })
881    }
882
883    /// Compute a width-\\(w\\) "Non-Adjacent Form" of this scalar.
884    ///
885    /// A width-\\(w\\) NAF of a positive integer \\(k\\) is an expression
886    /// $$
887    /// k = \sum_{i=0}\^m n\_i 2\^i,
888    /// $$
889    /// where each nonzero
890    /// coefficient \\(n\_i\\) is odd and bounded by \\(|n\_i| < 2\^{w-1}\\),
891    /// \\(n\_{m-1}\\) is nonzero, and at most one of any \\(w\\) consecutive
892    /// coefficients is nonzero.  (Hankerson, Menezes, Vanstone; def 3.32).
893    ///
894    /// The length of the NAF is at most one more than the length of
895    /// the binary representation of \\(k\\).  This is why the
896    /// `Scalar` type maintains an invariant (invariant #1) that the top bit is
897    /// \\(0\\), so that the NAF of a scalar has at most 256 digits.
898    ///
899    /// Intuitively, this is like a binary expansion, except that we
900    /// allow some coefficients to grow in magnitude up to
901    /// \\(2\^{w-1}\\) so that the nonzero coefficients are as sparse
902    /// as possible.
903    ///
904    /// When doing scalar multiplication, we can then use a lookup
905    /// table of precomputed multiples of a point to add the nonzero
906    /// terms \\( k_i P \\).  Using signed digits cuts the table size
907    /// in half, and using odd digits cuts the table size in half
908    /// again.
909    ///
910    /// To compute a \\(w\\)-NAF, we use a modification of Algorithm 3.35 of HMV:
911    ///
912    /// 1. \\( i \gets 0 \\)
913    /// 2. While \\( k \ge 1 \\):
914    ///     1. If \\(k\\) is odd, \\( n_i \gets k \operatorname{mods} 2^w \\), \\( k \gets k - n_i \\).
915    ///     2. If \\(k\\) is even, \\( n_i \gets 0 \\).
916    ///     3. \\( k \gets k / 2 \\), \\( i \gets i + 1 \\).
917    /// 3. Return \\( n_0, n_1, ... , \\)
918    ///
919    /// Here \\( \bar x = x \operatorname{mods} 2^w \\) means the
920    /// \\( \bar x \\) with \\( \bar x \equiv x \pmod{2^w} \\) and
921    /// \\( -2^{w-1} \leq \bar x < 2^{w-1} \\).
922    ///
923    /// We implement this by scanning across the bits of \\(k\\) from
924    /// least-significant bit to most-significant-bit.
925    /// Write the bits of \\(k\\) as
926    /// $$
927    /// k = \sum\_{i=0}\^m k\_i 2^i,
928    /// $$
929    /// and split the sum as
930    /// $$
931    /// k = \sum\_{i=0}^{w-1} k\_i 2^i + 2^w \sum\_{i=0} k\_{i+w} 2^i
932    /// $$
933    /// where the first part is \\( k \mod 2^w \\).
934    ///
935    /// If \\( k \mod 2^w\\) is odd, and \\( k \mod 2^w < 2^{w-1} \\), then we emit
936    /// \\( n_0 = k \mod 2^w \\).  Instead of computing
937    /// \\( k - n_0 \\), we just advance \\(w\\) bits and reindex.
938    ///
939    /// If \\( k \mod 2^w\\) is odd, and \\( k \mod 2^w \ge 2^{w-1} \\), then
940    /// \\( n_0 = k \operatorname{mods} 2^w = k \mod 2^w - 2^w \\).
941    /// The quantity \\( k - n_0 \\) is
942    /// $$
943    /// \begin{aligned}
944    /// k - n_0 &= \sum\_{i=0}^{w-1} k\_i 2^i + 2^w \sum\_{i=0} k\_{i+w} 2^i
945    ///          - \sum\_{i=0}^{w-1} k\_i 2^i + 2^w \\\\
946    /// &= 2^w + 2^w \sum\_{i=0} k\_{i+w} 2^i
947    /// \end{aligned}
948    /// $$
949    /// so instead of computing the subtraction, we can set a carry
950    /// bit, advance \\(w\\) bits, and reindex.
951    ///
952    /// If \\( k \mod 2^w\\) is even, we emit \\(0\\), advance 1 bit
953    /// and reindex.  In fact, by setting all digits to \\(0\\)
954    /// initially, we don't need to emit anything.
955    pub(crate) fn non_adjacent_form(&self, w: usize) -> [i8; 256] {
956        // required by the NAF definition
957        debug_assert!(w >= 2);
958        // required so that the NAF digits fit in i8
959        debug_assert!(w <= 8);
960
961        let mut naf = [0i8; 256];
962
963        let mut x_u64 = [0u64; 5];
964        read_le_u64_into(&self.bytes, &mut x_u64[0..4]);
965
966        let width = 1 << w;
967        let window_mask = width - 1;
968
969        let mut pos = 0;
970        let mut carry = 0;
971        while pos < 256 {
972            // Construct a buffer of bits of the scalar, starting at bit `pos`
973            let u64_idx = pos / 64;
974            let bit_idx = pos % 64;
975            let bit_buf: u64 = if bit_idx < 64 - w {
976                // This window's bits are contained in a single u64
977                x_u64[u64_idx] >> bit_idx
978            } else {
979                // Combine the current u64's bits with the bits from the next u64
980                (x_u64[u64_idx] >> bit_idx) | (x_u64[1 + u64_idx] << (64 - bit_idx))
981            };
982
983            // Add the carry into the current window
984            let window = carry + (bit_buf & window_mask);
985
986            if window & 1 == 0 {
987                // If the window value is even, preserve the carry and continue.
988                // Why is the carry preserved?
989                // If carry == 0 and window & 1 == 0, then the next carry should be 0
990                // If carry == 1 and window & 1 == 0, then bit_buf & 1 == 1 so the next carry should be 1
991                pos += 1;
992                continue;
993            }
994
995            if window < width / 2 {
996                carry = 0;
997                naf[pos] = window as i8;
998            } else {
999                carry = 1;
1000                naf[pos] = (window as i8).wrapping_sub(width as i8);
1001            }
1002
1003            pos += w;
1004        }
1005
1006        naf
1007    }
1008
1009    /// Write this scalar in radix 16, with coefficients in \\([-8,8)\\),
1010    /// i.e., compute \\(a\_i\\) such that
1011    /// $$
1012    ///    a = a\_0 + a\_1 16\^1 + \cdots + a_{63} 16\^{63},
1013    /// $$
1014    /// with \\(-8 \leq a_i < 8\\) for \\(0 \leq i < 63\\) and \\(-8 \leq a_{63} \leq 8\\).
1015    ///
1016    /// The largest value that can be decomposed like this is just over \\(2^{255}\\). Thus, in
1017    /// order to not error, the top bit MUST NOT be set, i.e., `Self` MUST be less than
1018    /// \\(2^{255}\\).
1019    pub(crate) fn as_radix_16(&self) -> [i8; 64] {
1020        debug_assert!(self[31] <= 127);
1021        let mut output = [0i8; 64];
1022
1023        // Step 1: change radix.
1024        // Convert from radix 256 (bytes) to radix 16 (nibbles)
1025        #[allow(clippy::identity_op)]
1026        #[inline(always)]
1027        fn bot_half(x: u8) -> u8 {
1028            (x >> 0) & 15
1029        }
1030        #[inline(always)]
1031        fn top_half(x: u8) -> u8 {
1032            (x >> 4) & 15
1033        }
1034
1035        for i in 0..32 {
1036            output[2 * i] = bot_half(self[i]) as i8;
1037            output[2 * i + 1] = top_half(self[i]) as i8;
1038        }
1039        // Precondition note: since self[31] <= 127, output[63] <= 7
1040
1041        // Step 2: recenter coefficients from [0,16) to [-8,8)
1042        for i in 0..63 {
1043            let carry = (output[i] + 8) >> 4;
1044            output[i] -= carry << 4;
1045            output[i + 1] += carry;
1046        }
1047        // Precondition note: output[63] is not recentered.  It
1048        // increases by carry <= 1.  Thus output[63] <= 8.
1049
1050        output
1051    }
1052
1053    /// Returns a size hint indicating how many entries of the return
1054    /// value of `to_radix_2w` are nonzero.
1055    #[cfg(any(feature = "alloc", all(test, feature = "precomputed-tables")))]
1056    pub(crate) fn to_radix_2w_size_hint(w: usize) -> usize {
1057        debug_assert!(w >= 4);
1058        debug_assert!(w <= 8);
1059
1060        let digits_count = match w {
1061            4..=7 => 256_usize.div_ceil(w),
1062            // See comment in to_radix_2w on handling the terminal carry.
1063            8 => 256_usize.div_ceil(w) + 1_usize,
1064            _ => panic!("invalid radix parameter"),
1065        };
1066
1067        debug_assert!(digits_count <= 64);
1068        digits_count
1069    }
1070
1071    /// Creates a representation of a Scalar in radix \\( 2^w \\) with \\(w = 4, 5, 6, 7, 8\\) for
1072    /// use with the Pippenger algorithm. Higher radixes are not supported to save cache space.
1073    /// Radix 256 is near-optimal even for very large inputs.
1074    ///
1075    /// Radix below 16 or above 256 is prohibited.
1076    /// This method returns digits in a fixed-sized array, excess digits are zeroes.
1077    ///
1078    /// For radix 16, `Self` must be less than \\(2^{255}\\). This is because most integers larger
1079    /// than \\(2^{255}\\) are unrepresentable in the form described below for \\(w = 4\\). This
1080    /// would be true for \\(w = 8\\) as well, but it is compensated for by increasing the size
1081    /// hint by 1.
1082    ///
1083    /// ## Scalar representation
1084    ///
1085    /// Radix \\(2\^w\\), with \\(n = ceil(256/w)\\) coefficients in \\([-(2\^w)/2,(2\^w)/2)\\),
1086    /// i.e., scalar is represented using digits \\(a\_i\\) such that
1087    /// $$
1088    ///    a = a\_0 + a\_1 2\^1w + \cdots + a_{n-1} 2\^{w*(n-1)},
1089    /// $$
1090    /// with \\(-2\^w/2 \leq a_i < 2\^w/2\\) for \\(0 \leq i < (n-1)\\) and \\(-2\^w/2 \leq a_{n-1} \leq 2\^w/2\\).
1091    ///
1092    #[cfg(any(feature = "alloc", feature = "precomputed-tables"))]
1093    pub(crate) fn as_radix_2w(&self, w: usize) -> [i8; 64] {
1094        debug_assert!(w >= 4);
1095        debug_assert!(w <= 8);
1096
1097        if w == 4 {
1098            return self.as_radix_16();
1099        }
1100
1101        // Scalar formatted as four `u64`s with carry bit packed into the highest bit.
1102        let mut scalar64x4 = [0u64; 4];
1103        read_le_u64_into(&self.bytes, &mut scalar64x4[0..4]);
1104
1105        let radix: u64 = 1 << w;
1106        let window_mask: u64 = radix - 1;
1107
1108        let mut carry = 0u64;
1109        let mut digits = [0i8; 64];
1110        let digits_count = 256_usize.div_ceil(w);
1111        #[allow(clippy::needless_range_loop)]
1112        for i in 0..digits_count {
1113            // Construct a buffer of bits of the scalar, starting at `bit_offset`.
1114            let bit_offset = i * w;
1115            let u64_idx = bit_offset / 64;
1116            let bit_idx = bit_offset % 64;
1117
1118            // Read the bits from the scalar
1119            let bit_buf: u64 = if bit_idx < 64 - w || u64_idx == 3 {
1120                // This window's bits are contained in a single u64,
1121                // or it's the last u64 anyway.
1122                scalar64x4[u64_idx] >> bit_idx
1123            } else {
1124                // Combine the current u64's bits with the bits from the next u64
1125                (scalar64x4[u64_idx] >> bit_idx) | (scalar64x4[1 + u64_idx] << (64 - bit_idx))
1126            };
1127
1128            // Read the actual coefficient value from the window
1129            let coef = carry + (bit_buf & window_mask); // coef = [0, 2^r)
1130
1131            // Recenter coefficients from [0,2^w) to [-2^w/2, 2^w/2)
1132            carry = (coef + (radix / 2)) >> w;
1133            digits[i] = ((coef as i64) - (carry << w) as i64) as i8;
1134        }
1135
1136        // When 4 < w < 8, we can fold the final carry onto the last digit d,
1137        // because d < 2^w/2 so d + carry*2^w = d + 1*2^w < 2^(w+1) < 2^8.
1138        //
1139        // When w = 8, we can't fit carry*2^w into an i8.  This should
1140        // not happen anyways, because the final carry will be 0 for
1141        // reduced scalars, but Scalar invariant #1 allows 255-bit scalars.
1142        // To handle this, we expand the size_hint by 1 when w=8,
1143        // and accumulate the final carry onto another digit.
1144        match w {
1145            8 => digits[digits_count] += carry as i8,
1146            _ => digits[digits_count - 1] += (carry << w) as i8,
1147        }
1148
1149        digits
1150    }
1151
1152    /// Unpack this `Scalar` to an `UnpackedScalar` for faster arithmetic.
1153    pub(crate) fn unpack(&self) -> UnpackedScalar {
1154        UnpackedScalar::from_bytes(&self.bytes)
1155    }
1156
1157    /// Reduce this `Scalar` modulo \\(\ell\\).
1158    #[allow(non_snake_case)]
1159    fn reduce(&self) -> Scalar {
1160        let x = self.unpack();
1161        let xR = UnpackedScalar::mul_internal(&x, &constants::R);
1162        let x_mod_l = UnpackedScalar::montgomery_reduce(&xR);
1163        x_mod_l.pack()
1164    }
1165
1166    /// Check whether this `Scalar` is the canonical representative mod \\(\ell\\). This is not
1167    /// public because any `Scalar` that is publicly observed is reduced, by scalar invariant #2.
1168    fn is_canonical(&self) -> Choice {
1169        self.ct_eq(&self.reduce())
1170    }
1171}
1172
1173impl UnpackedScalar {
1174    /// Pack the limbs of this `UnpackedScalar` into a `Scalar`.
1175    fn pack(&self) -> Scalar {
1176        Scalar {
1177            bytes: self.to_bytes(),
1178        }
1179    }
1180
1181    /// Inverts an UnpackedScalar in Montgomery form.
1182    #[rustfmt::skip] // keep alignment of addition chain and squarings
1183    #[allow(clippy::just_underscores_and_digits)]
1184    pub fn montgomery_invert(&self) -> UnpackedScalar {
1185        // Uses the addition chain from
1186        // https://briansmith.org/ecc-inversion-addition-chains-01#curve25519_scalar_inversion
1187        let    _1 = *self;
1188        let   _10 = _1.montgomery_square();
1189        let  _100 = _10.montgomery_square();
1190        let   _11 = UnpackedScalar::montgomery_mul(&_10,     &_1);
1191        let  _101 = UnpackedScalar::montgomery_mul(&_10,    &_11);
1192        let  _111 = UnpackedScalar::montgomery_mul(&_10,   &_101);
1193        let _1001 = UnpackedScalar::montgomery_mul(&_10,   &_111);
1194        let _1011 = UnpackedScalar::montgomery_mul(&_10,  &_1001);
1195        let _1111 = UnpackedScalar::montgomery_mul(&_100, &_1011);
1196
1197        // _10000
1198        let mut y = UnpackedScalar::montgomery_mul(&_1111, &_1);
1199
1200        #[inline]
1201        fn square_multiply(y: &mut UnpackedScalar, squarings: usize, x: &UnpackedScalar) {
1202            for _ in 0..squarings {
1203                *y = y.montgomery_square();
1204            }
1205            *y = UnpackedScalar::montgomery_mul(y, x);
1206        }
1207
1208        square_multiply(&mut y, 123 + 3, &_101);
1209        square_multiply(&mut y,   2 + 2, &_11);
1210        square_multiply(&mut y,   1 + 4, &_1111);
1211        square_multiply(&mut y,   1 + 4, &_1111);
1212        square_multiply(&mut y,       4, &_1001);
1213        square_multiply(&mut y,       2, &_11);
1214        square_multiply(&mut y,   1 + 4, &_1111);
1215        square_multiply(&mut y,   1 + 3, &_101);
1216        square_multiply(&mut y,   3 + 3, &_101);
1217        square_multiply(&mut y,       3, &_111);
1218        square_multiply(&mut y,   1 + 4, &_1111);
1219        square_multiply(&mut y,   2 + 3, &_111);
1220        square_multiply(&mut y,   2 + 2, &_11);
1221        square_multiply(&mut y,   1 + 4, &_1011);
1222        square_multiply(&mut y,   2 + 4, &_1011);
1223        square_multiply(&mut y,   6 + 4, &_1001);
1224        square_multiply(&mut y,   2 + 2, &_11);
1225        square_multiply(&mut y,   3 + 2, &_11);
1226        square_multiply(&mut y,   3 + 2, &_11);
1227        square_multiply(&mut y,   1 + 4, &_1001);
1228        square_multiply(&mut y,   1 + 3, &_111);
1229        square_multiply(&mut y,   2 + 4, &_1111);
1230        square_multiply(&mut y,   1 + 4, &_1011);
1231        square_multiply(&mut y,       3, &_101);
1232        square_multiply(&mut y,   2 + 4, &_1111);
1233        square_multiply(&mut y,       3, &_101);
1234        square_multiply(&mut y,   1 + 2, &_11);
1235
1236        y
1237    }
1238
1239    /// Inverts an UnpackedScalar not in Montgomery form.
1240    pub fn invert(&self) -> UnpackedScalar {
1241        self.as_montgomery().montgomery_invert().from_montgomery()
1242    }
1243}
1244
1245#[cfg(feature = "group")]
1246impl Field for Scalar {
1247    const ZERO: Self = Self::ZERO;
1248    const ONE: Self = Self::ONE;
1249
1250    fn try_random<R: TryRng + ?Sized>(rng: &mut R) -> Result<Self, R::Error> {
1251        // NOTE: this is duplicated due to different `rng` bounds
1252        let mut scalar_bytes = [0u8; 64];
1253        rng.try_fill_bytes(&mut scalar_bytes)?;
1254        Ok(Self::from_bytes_mod_order_wide(&scalar_bytes))
1255    }
1256
1257    fn square(&self) -> Self {
1258        self * self
1259    }
1260
1261    fn double(&self) -> Self {
1262        self + self
1263    }
1264
1265    fn invert(&self) -> CtOption<Self> {
1266        CtOption::new(self.invert(), !self.is_zero())
1267    }
1268
1269    fn sqrt_ratio(num: &Self, div: &Self) -> (Choice, Self) {
1270        #[allow(unused_qualifications)]
1271        group::ff::helpers::sqrt_ratio_generic(num, div)
1272    }
1273
1274    fn sqrt(&self) -> CtOption<Self> {
1275        #[allow(unused_qualifications)]
1276        group::ff::helpers::sqrt_tonelli_shanks(
1277            self,
1278            [
1279                0xcb02_4c63_4b9e_ba7d,
1280                0x029b_df3b_d45e_f39a,
1281                0x0000_0000_0000_0000,
1282                0x0200_0000_0000_0000,
1283            ],
1284        )
1285    }
1286}
1287
1288#[cfg(feature = "group")]
1289impl PrimeField for Scalar {
1290    type Repr = [u8; 32];
1291
1292    fn from_repr(repr: Self::Repr) -> CtOption<Self> {
1293        Self::from_canonical_bytes(repr)
1294    }
1295
1296    fn from_repr_vartime(repr: Self::Repr) -> Option<Self> {
1297        // Check that the high bit is not set
1298        if (repr[31] >> 7) != 0u8 {
1299            return None;
1300        }
1301
1302        let candidate = Scalar { bytes: repr };
1303
1304        if candidate == candidate.reduce() {
1305            Some(candidate)
1306        } else {
1307            None
1308        }
1309    }
1310
1311    fn to_repr(&self) -> Self::Repr {
1312        self.to_bytes()
1313    }
1314
1315    fn is_odd(&self) -> Choice {
1316        Choice::from(self.as_bytes()[0] & 1)
1317    }
1318
1319    const MODULUS: &'static str =
1320        "0x1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed";
1321    const NUM_BITS: u32 = 253;
1322    const CAPACITY: u32 = 252;
1323
1324    const TWO_INV: Self = Self {
1325        bytes: [
1326            0xf7, 0xe9, 0x7a, 0x2e, 0x8d, 0x31, 0x09, 0x2c, 0x6b, 0xce, 0x7b, 0x51, 0xef, 0x7c,
1327            0x6f, 0x0a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1328            0x00, 0x00, 0x00, 0x08,
1329        ],
1330    };
1331    const MULTIPLICATIVE_GENERATOR: Self = Self {
1332        bytes: [
1333            2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
1334            0, 0, 0,
1335        ],
1336    };
1337    const S: u32 = 2;
1338    const ROOT_OF_UNITY: Self = Self {
1339        bytes: [
1340            0xd4, 0x07, 0xbe, 0xeb, 0xdf, 0x75, 0x87, 0xbe, 0xfe, 0x83, 0xce, 0x42, 0x53, 0x56,
1341            0xf0, 0x0e, 0x7a, 0xc2, 0xc1, 0xab, 0x60, 0x6d, 0x3d, 0x7d, 0xe7, 0x81, 0x79, 0xe0,
1342            0x10, 0x73, 0x4a, 0x09,
1343        ],
1344    };
1345    const ROOT_OF_UNITY_INV: Self = Self {
1346        bytes: [
1347            0x19, 0xcc, 0x37, 0x71, 0x3a, 0xed, 0x8a, 0x99, 0xd7, 0x18, 0x29, 0x60, 0x8b, 0xa3,
1348            0xee, 0x05, 0x86, 0x3d, 0x3e, 0x54, 0x9f, 0x92, 0xc2, 0x82, 0x18, 0x7e, 0x86, 0x1f,
1349            0xef, 0x8c, 0xb5, 0x06,
1350        ],
1351    };
1352    const DELTA: Self = Self {
1353        bytes: [
1354            16, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
1355            0, 0, 0,
1356        ],
1357    };
1358}
1359
1360#[cfg(feature = "group")]
1361impl FromUniformBytes<64> for Scalar {
1362    fn from_uniform_bytes(bytes: &[u8; 64]) -> Self {
1363        Scalar::from_bytes_mod_order_wide(bytes)
1364    }
1365}
1366
1367/// Read one or more u64s stored as little endian bytes.
1368///
1369/// ## Panics
1370/// Panics if `src.len() != 8 * dst.len()`.
1371fn read_le_u64_into(src: &[u8], dst: &mut [u64]) {
1372    assert!(
1373        src.len() == 8 * dst.len(),
1374        "src.len() = {}, dst.len() = {}",
1375        src.len(),
1376        dst.len()
1377    );
1378    for (bytes, val) in src.chunks(8).zip(dst.iter_mut()) {
1379        *val = u64::from_le_bytes(
1380            bytes
1381                .try_into()
1382                .expect("Incorrect src length, should be 8 * dst.len()"),
1383        );
1384    }
1385}
1386
1387/// _Clamps_ the given little-endian representation of a 32-byte integer. Clamping the value puts
1388/// it in the range:
1389///
1390/// **n ∈ 2^254 + 8\*{0, 1, 2, 3, . . ., 2^251 − 1}**
1391///
1392/// # Explanation of clamping
1393///
1394/// For Curve25519, h = 8, and multiplying by 8 is the same as a binary left-shift by 3 bits.
1395/// If you take a secret scalar value between 2^251 and 2^252 – 1 and left-shift by 3 bits
1396/// then you end up with a 255-bit number with the most significant bit set to 1 and
1397/// the least-significant three bits set to 0.
1398///
1399/// The Curve25519 clamping operation takes **an arbitrary 256-bit random value** and
1400/// clears the most-significant bit (making it a 255-bit number), sets the next bit, and then
1401/// clears the 3 least-significant bits. In other words, it directly creates a scalar value that is
1402/// in the right form and pre-multiplied by the cofactor.
1403///
1404/// See [here](https://neilmadden.blog/2020/05/28/whats-the-curve25519-clamping-all-about/) for
1405/// more details.
1406#[must_use]
1407pub const fn clamp_integer(mut bytes: [u8; 32]) -> [u8; 32] {
1408    bytes[0] &= 0b1111_1000;
1409    bytes[31] &= 0b0111_1111;
1410    bytes[31] |= 0b0100_0000;
1411    bytes
1412}
1413
1414#[cfg(test)]
1415pub(crate) mod test {
1416    use super::*;
1417    use getrandom::{
1418        SysRng,
1419        rand_core::{Rng, UnwrapErr},
1420    };
1421
1422    #[cfg(feature = "alloc")]
1423    use alloc::vec::Vec;
1424
1425    /// x = 2238329342913194256032495932344128051776374960164957527413114840482143558222
1426    pub static X: Scalar = Scalar {
1427        bytes: [
1428            0x4e, 0x5a, 0xb4, 0x34, 0x5d, 0x47, 0x08, 0x84, 0x59, 0x13, 0xb4, 0x64, 0x1b, 0xc2,
1429            0x7d, 0x52, 0x52, 0xa5, 0x85, 0x10, 0x1b, 0xcc, 0x42, 0x44, 0xd4, 0x49, 0xf4, 0xa8,
1430            0x79, 0xd9, 0xf2, 0x04,
1431        ],
1432    };
1433    /// 1/x = 6859937278830797291664592131120606308688036382723378951768035303146619657244
1434    pub static XINV: Scalar = Scalar {
1435        bytes: [
1436            0x1c, 0xdc, 0x17, 0xfc, 0xe0, 0xe9, 0xa5, 0xbb, 0xd9, 0x24, 0x7e, 0x56, 0xbb, 0x01,
1437            0x63, 0x47, 0xbb, 0xba, 0x31, 0xed, 0xd5, 0xa9, 0xbb, 0x96, 0xd5, 0x0b, 0xcd, 0x7a,
1438            0x3f, 0x96, 0x2a, 0x0f,
1439        ],
1440    };
1441    /// y = 2592331292931086675770238855846338635550719849568364935475441891787804997264
1442    pub static Y: Scalar = Scalar {
1443        bytes: [
1444            0x90, 0x76, 0x33, 0xfe, 0x1c, 0x4b, 0x66, 0xa4, 0xa2, 0x8d, 0x2d, 0xd7, 0x67, 0x83,
1445            0x86, 0xc3, 0x53, 0xd0, 0xde, 0x54, 0x55, 0xd4, 0xfc, 0x9d, 0xe8, 0xef, 0x7a, 0xc3,
1446            0x1f, 0x35, 0xbb, 0x05,
1447        ],
1448    };
1449
1450    /// The largest scalar that satisfies invariant #1, i.e., the largest scalar with the top bit
1451    /// set to 0. Since this scalar violates invariant #2, i.e., it's greater than the modulus `l`,
1452    /// addition and subtraction are broken. The only thing you can do with this is scalar-point
1453    /// multiplication (and actually also scalar-scalar multiplication, but that's just a quirk of
1454    /// our implementation).
1455    pub(crate) static LARGEST_UNREDUCED_SCALAR: Scalar = Scalar {
1456        bytes: [
1457            0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1458            0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1459            0xff, 0xff, 0xff, 0x7f,
1460        ],
1461    };
1462
1463    /// x*y = 5690045403673944803228348699031245560686958845067437804563560795922180092780
1464    static X_TIMES_Y: Scalar = Scalar {
1465        bytes: [
1466            0x6c, 0x33, 0x74, 0xa1, 0x89, 0x4f, 0x62, 0x21, 0x0a, 0xaa, 0x2f, 0xe1, 0x86, 0xa6,
1467            0xf9, 0x2c, 0xe0, 0xaa, 0x75, 0xc2, 0x77, 0x95, 0x81, 0xc2, 0x95, 0xfc, 0x08, 0x17,
1468            0x9a, 0x73, 0x94, 0x0c,
1469        ],
1470    };
1471
1472    /// sage: l = 2^252 + 27742317777372353535851937790883648493
1473    /// sage: big = 2^256 - 1
1474    /// sage: repr((big % l).digits(256))
1475    static CANONICAL_2_256_MINUS_1: Scalar = Scalar {
1476        bytes: [
1477            28, 149, 152, 141, 116, 49, 236, 214, 112, 207, 125, 115, 244, 91, 239, 198, 254, 255,
1478            255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 15,
1479        ],
1480    };
1481
1482    static A_SCALAR: Scalar = Scalar {
1483        bytes: [
1484            0x1a, 0x0e, 0x97, 0x8a, 0x90, 0xf6, 0x62, 0x2d, 0x37, 0x47, 0x02, 0x3f, 0x8a, 0xd8,
1485            0x26, 0x4d, 0xa7, 0x58, 0xaa, 0x1b, 0x88, 0xe0, 0x40, 0xd1, 0x58, 0x9e, 0x7b, 0x7f,
1486            0x23, 0x76, 0xef, 0x09,
1487        ],
1488    };
1489
1490    static A_NAF: [i8; 256] = [
1491        0, 13, 0, 0, 0, 0, 0, 0, 0, 7, 0, 0, 0, 0, 0, 0, -9, 0, 0, 0, 0, -11, 0, 0, 0, 0, 3, 0, 0,
1492        0, 0, 1, 0, 0, 0, 0, 9, 0, 0, 0, 0, -5, 0, 0, 0, 0, 0, 0, 3, 0, 0, 0, 0, 11, 0, 0, 0, 0,
1493        11, 0, 0, 0, 0, 0, -9, 0, 0, 0, 0, 0, -3, 0, 0, 0, 0, 9, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0,
1494        0, -1, 0, 0, 0, 0, 0, 9, 0, 0, 0, 0, -15, 0, 0, 0, 0, -7, 0, 0, 0, 0, -9, 0, 0, 0, 0, 0, 5,
1495        0, 0, 0, 0, 13, 0, 0, 0, 0, 0, -3, 0, 0, 0, 0, -11, 0, 0, 0, 0, -7, 0, 0, 0, 0, -13, 0, 0,
1496        0, 0, 11, 0, 0, 0, 0, -9, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, -15, 0, 0, 0, 0, 1, 0, 0, 0, 0,
1497        7, 0, 0, 0, 0, 0, 0, 0, 0, 5, 0, 0, 0, 0, 0, 13, 0, 0, 0, 0, 0, 0, 11, 0, 0, 0, 0, 0, 15,
1498        0, 0, 0, 0, 0, -9, 0, 0, 0, 0, 0, 0, 0, -1, 0, 0, 0, 0, 0, 0, 0, 7, 0, 0, 0, 0, 0, -15, 0,
1499        0, 0, 0, 0, 15, 0, 0, 0, 0, 15, 0, 0, 0, 0, 15, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0,
1500    ];
1501
1502    const BASEPOINT_ORDER_MINUS_ONE: Scalar = Scalar {
1503        bytes: [
1504            0xec, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9,
1505            0xde, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1506            0x00, 0x00, 0x00, 0x10,
1507        ],
1508    };
1509
1510    /// The largest clamped integer
1511    static LARGEST_CLAMPED_INTEGER: [u8; 32] = clamp_integer(LARGEST_UNREDUCED_SCALAR.bytes);
1512
1513    #[test]
1514    fn fuzzer_testcase_reduction() {
1515        // LE bytes of 24519928653854221733733552434404946937899825954937634815
1516        let a_bytes = [
1517            255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
1518            255, 255, 255, 255, 255, 255, 0, 0, 0, 0, 0, 0, 0, 0, 0,
1519        ];
1520        // LE bytes of 4975441334397345751130612518500927154628011511324180036903450236863266160640
1521        let b_bytes = [
1522            0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 210, 210,
1523            210, 255, 255, 255, 255, 10,
1524        ];
1525        // LE bytes of 6432735165214683820902750800207468552549813371247423777071615116673864412038
1526        let c_bytes = [
1527            134, 171, 119, 216, 180, 128, 178, 62, 171, 132, 32, 62, 34, 119, 104, 193, 47, 215,
1528            181, 250, 14, 207, 172, 93, 75, 207, 211, 103, 144, 204, 56, 14,
1529        ];
1530
1531        let a = Scalar::from_bytes_mod_order(a_bytes);
1532        let b = Scalar::from_bytes_mod_order(b_bytes);
1533        let c = Scalar::from_bytes_mod_order(c_bytes);
1534
1535        let mut tmp = [0u8; 64];
1536
1537        // also_a = (a mod l)
1538        tmp[0..32].copy_from_slice(&a_bytes[..]);
1539        let also_a = Scalar::from_bytes_mod_order_wide(&tmp);
1540
1541        // also_b = (b mod l)
1542        tmp[0..32].copy_from_slice(&b_bytes[..]);
1543        let also_b = Scalar::from_bytes_mod_order_wide(&tmp);
1544
1545        let expected_c = a * b;
1546        let also_expected_c = also_a * also_b;
1547
1548        assert_eq!(c, expected_c);
1549        assert_eq!(c, also_expected_c);
1550    }
1551
1552    #[test]
1553    fn non_adjacent_form_test_vector() {
1554        let naf = A_SCALAR.non_adjacent_form(5);
1555        for i in 0..256 {
1556            assert_eq!(naf[i], A_NAF[i]);
1557        }
1558    }
1559
1560    #[cfg(feature = "rand_core")]
1561    fn non_adjacent_form_iter(w: usize, x: &Scalar) {
1562        let naf = x.non_adjacent_form(w);
1563
1564        // Reconstruct the scalar from the computed NAF
1565        let mut y = Scalar::ZERO;
1566        for i in (0..256).rev() {
1567            y += y;
1568            let digit = if naf[i] < 0 {
1569                -Scalar::from((-naf[i]) as u64)
1570            } else {
1571                Scalar::from(naf[i] as u64)
1572            };
1573            y += digit;
1574        }
1575
1576        assert_eq!(*x, y);
1577    }
1578
1579    #[cfg(feature = "rand_core")]
1580    #[test]
1581    fn non_adjacent_form_random() {
1582        let mut rng = UnwrapErr(SysRng);
1583        for _ in 0..1_000 {
1584            let x = Scalar::random(&mut rng);
1585            for w in &[5, 6, 7, 8] {
1586                non_adjacent_form_iter(*w, &x);
1587            }
1588        }
1589    }
1590
1591    #[test]
1592    fn from_u64() {
1593        let val: u64 = 0xdeadbeefdeadbeef;
1594        let s = Scalar::from(val);
1595        assert_eq!(s[7], 0xde);
1596        assert_eq!(s[6], 0xad);
1597        assert_eq!(s[5], 0xbe);
1598        assert_eq!(s[4], 0xef);
1599        assert_eq!(s[3], 0xde);
1600        assert_eq!(s[2], 0xad);
1601        assert_eq!(s[1], 0xbe);
1602        assert_eq!(s[0], 0xef);
1603    }
1604
1605    #[test]
1606    fn scalar_mul_by_one() {
1607        let test_scalar = X * Scalar::ONE;
1608        for i in 0..32 {
1609            assert!(test_scalar[i] == X[i]);
1610        }
1611    }
1612
1613    #[test]
1614    fn add_reduces() {
1615        // Check that addition wraps around the modulus
1616        assert_eq!(BASEPOINT_ORDER_MINUS_ONE + Scalar::ONE, Scalar::ZERO);
1617    }
1618
1619    #[test]
1620    fn sub_reduces() {
1621        // Check that subtraction wraps around the modulus
1622        assert_eq!(Scalar::ZERO - Scalar::ONE, BASEPOINT_ORDER_MINUS_ONE);
1623    }
1624
1625    #[test]
1626    fn impl_add() {
1627        let two = Scalar::from(2u64);
1628        let one = Scalar::ONE;
1629        let should_be_two = one + one;
1630        assert_eq!(should_be_two, two);
1631    }
1632
1633    #[allow(non_snake_case)]
1634    #[test]
1635    fn impl_mul() {
1636        let should_be_X_times_Y = X * Y;
1637        assert_eq!(should_be_X_times_Y, X_TIMES_Y);
1638    }
1639
1640    #[allow(non_snake_case)]
1641    #[test]
1642    #[cfg(feature = "alloc")]
1643    fn impl_product() {
1644        // Test that product works for non-empty iterators
1645        let X_Y_vector = [X, Y];
1646        let should_be_X_times_Y: Scalar = X_Y_vector.iter().product();
1647        assert_eq!(should_be_X_times_Y, X_TIMES_Y);
1648
1649        // Test that product works for the empty iterator
1650        let one = Scalar::ONE;
1651        let empty_vector = [];
1652        let should_be_one: Scalar = empty_vector.iter().product();
1653        assert_eq!(should_be_one, one);
1654
1655        // Test that product works for iterators where Item = Scalar
1656        let xs = [Scalar::from(2u64); 10];
1657        let ys = [Scalar::from(3u64); 10];
1658        // now zs is an iterator with Item = Scalar
1659        let zs = xs.iter().zip(ys.iter()).map(|(x, y)| x * y);
1660
1661        let x_prod: Scalar = xs.iter().product();
1662        let y_prod: Scalar = ys.iter().product();
1663        let z_prod: Scalar = zs.product();
1664
1665        assert_eq!(x_prod, Scalar::from(1024u64));
1666        assert_eq!(y_prod, Scalar::from(59049u64));
1667        assert_eq!(z_prod, Scalar::from(60466176u64));
1668        assert_eq!(x_prod * y_prod, z_prod);
1669    }
1670
1671    #[test]
1672    #[cfg(feature = "alloc")]
1673    fn impl_sum() {
1674        // Test that sum works for non-empty iterators
1675        let two = Scalar::from(2u64);
1676        let one_vector = [Scalar::ONE, Scalar::ONE];
1677        let should_be_two: Scalar = one_vector.iter().sum();
1678        assert_eq!(should_be_two, two);
1679
1680        // Test that sum works for the empty iterator
1681        let zero = Scalar::ZERO;
1682        let empty_vector = [];
1683        let should_be_zero: Scalar = empty_vector.iter().sum();
1684        assert_eq!(should_be_zero, zero);
1685
1686        // Test that sum works for owned types
1687        let xs = [Scalar::from(1u64); 10];
1688        let ys = [Scalar::from(2u64); 10];
1689        // now zs is an iterator with Item = Scalar
1690        let zs = xs.iter().zip(ys.iter()).map(|(x, y)| x + y);
1691
1692        let x_sum: Scalar = xs.iter().sum();
1693        let y_sum: Scalar = ys.iter().sum();
1694        let z_sum: Scalar = zs.sum();
1695
1696        assert_eq!(x_sum, Scalar::from(10u64));
1697        assert_eq!(y_sum, Scalar::from(20u64));
1698        assert_eq!(z_sum, Scalar::from(30u64));
1699        assert_eq!(x_sum + y_sum, z_sum);
1700    }
1701
1702    #[test]
1703    fn square() {
1704        let expected = X * X;
1705        let actual = X.unpack().square().pack();
1706        for i in 0..32 {
1707            assert!(expected[i] == actual[i]);
1708        }
1709    }
1710
1711    #[test]
1712    fn div_by_2() {
1713        // test a range of small scalars
1714        for i in 0u64..32 {
1715            let scalar = Scalar::from(i);
1716            let dividend = scalar.div_by_2();
1717            assert_eq!(scalar, dividend + dividend);
1718        }
1719
1720        // test a range of scalars near the modulus
1721        for i in 0u64..32 {
1722            let scalar = Scalar::ZERO - Scalar::from(i);
1723            let dividend = scalar.div_by_2();
1724            assert_eq!(scalar, dividend + dividend);
1725        }
1726    }
1727
1728    #[test]
1729    fn reduce() {
1730        let biggest = Scalar::from_bytes_mod_order([0xff; 32]);
1731        assert_eq!(biggest, CANONICAL_2_256_MINUS_1);
1732    }
1733
1734    #[test]
1735    fn from_bytes_mod_order_wide() {
1736        let mut bignum = [0u8; 64];
1737        // set bignum = x + 2^256x
1738        for i in 0..32 {
1739            bignum[i] = X[i];
1740            bignum[32 + i] = X[i];
1741        }
1742        // 3958878930004874126169954872055634648693766179881526445624823978500314864344
1743        // = x + 2^256x (mod l)
1744        let reduced = Scalar {
1745            bytes: [
1746                216, 154, 179, 139, 210, 121, 2, 71, 69, 99, 158, 216, 23, 173, 63, 100, 204, 0,
1747                91, 50, 219, 153, 57, 249, 28, 82, 31, 197, 100, 165, 192, 8,
1748            ],
1749        };
1750        let test_red = Scalar::from_bytes_mod_order_wide(&bignum);
1751        for i in 0..32 {
1752            assert!(test_red[i] == reduced[i]);
1753        }
1754    }
1755
1756    #[allow(non_snake_case)]
1757    #[test]
1758    fn invert() {
1759        let inv_X = X.invert();
1760        assert_eq!(inv_X, XINV);
1761        let should_be_one = inv_X * X;
1762        assert_eq!(should_be_one, Scalar::ONE);
1763    }
1764
1765    // Negating a scalar twice should result in the original scalar.
1766    #[allow(non_snake_case)]
1767    #[test]
1768    fn neg_twice_is_identity() {
1769        let negative_X = -&X;
1770        let should_be_X = -&negative_X;
1771
1772        assert_eq!(should_be_X, X);
1773    }
1774
1775    #[test]
1776    fn to_bytes_from_bytes_roundtrips() {
1777        let unpacked = X.unpack();
1778        let bytes = unpacked.to_bytes();
1779        let should_be_unpacked = UnpackedScalar::from_bytes(&bytes);
1780
1781        assert_eq!(should_be_unpacked.0, unpacked.0);
1782    }
1783
1784    #[test]
1785    fn montgomery_reduce_matches_from_bytes_mod_order_wide() {
1786        let mut bignum = [0u8; 64];
1787
1788        // set bignum = x + 2^256x
1789        for i in 0..32 {
1790            bignum[i] = X[i];
1791            bignum[32 + i] = X[i];
1792        }
1793        // x + 2^256x (mod l)
1794        //         = 3958878930004874126169954872055634648693766179881526445624823978500314864344
1795        let expected = Scalar {
1796            bytes: [
1797                216, 154, 179, 139, 210, 121, 2, 71, 69, 99, 158, 216, 23, 173, 63, 100, 204, 0,
1798                91, 50, 219, 153, 57, 249, 28, 82, 31, 197, 100, 165, 192, 8,
1799            ],
1800        };
1801        let reduced = Scalar::from_bytes_mod_order_wide(&bignum);
1802
1803        // The reduced scalar should match the expected
1804        assert_eq!(reduced.bytes, expected.bytes);
1805
1806        //  (x + 2^256x) * R
1807        let interim =
1808            UnpackedScalar::mul_internal(&UnpackedScalar::from_bytes_wide(&bignum), &constants::R);
1809        // ((x + 2^256x) * R) / R  (mod l)
1810        let montgomery_reduced = UnpackedScalar::montgomery_reduce(&interim);
1811
1812        // The Montgomery reduced scalar should match the reduced one, as well as the expected
1813        assert_eq!(montgomery_reduced.0, reduced.unpack().0);
1814        assert_eq!(montgomery_reduced.0, expected.unpack().0)
1815    }
1816
1817    #[test]
1818    fn canonical_decoding() {
1819        // canonical encoding of 1667457891
1820        let canonical_bytes = [
1821            99, 99, 99, 99, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
1822            0, 0, 0, 0,
1823        ];
1824
1825        // encoding of
1826        //   7265385991361016183439748078976496179028704920197054998554201349516117938192
1827        // = 28380414028753969466561515933501938171588560817147392552250411230663687203 (mod l)
1828        // non_canonical because unreduced mod l
1829        let non_canonical_bytes_because_unreduced = [16; 32];
1830
1831        // encoding with high bit set, to check that the parser isn't pre-masking the high bit
1832        let non_canonical_bytes_because_highbit = [
1833            0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
1834            0, 0, 128,
1835        ];
1836
1837        assert!(bool::from(
1838            Scalar::from_canonical_bytes(canonical_bytes).is_some()
1839        ));
1840        assert!(bool::from(
1841            Scalar::from_canonical_bytes(non_canonical_bytes_because_unreduced).is_none()
1842        ));
1843        assert!(bool::from(
1844            Scalar::from_canonical_bytes(non_canonical_bytes_because_highbit).is_none()
1845        ));
1846    }
1847
1848    #[test]
1849    #[cfg(feature = "serde")]
1850    fn serde_postcard_scalar_roundtrip() {
1851        let encoded = postcard::to_allocvec(&X).unwrap();
1852        let parsed: Scalar = postcard::from_bytes(&encoded).unwrap();
1853        assert_eq!(parsed, X);
1854
1855        // Check that the encoding is 32 bytes exactly
1856        assert_eq!(encoded.len(), 32);
1857
1858        // Check that the encoding itself matches the usual one.
1859        // serde::Deserialize on fixed-size arrays calls tuple deserialization. postcard
1860        // (de)serializes tuples by just doing each element and that's it.
1861        assert_eq!(X, postcard::from_bytes(X.as_bytes()).unwrap(),);
1862    }
1863
1864    #[cfg(debug_assertions)]
1865    #[test]
1866    #[should_panic]
1867    fn invert_batch_with_a_zero_input_panics() {
1868        let mut xs = [Scalar::ONE; 16];
1869        xs[3] = Scalar::ZERO;
1870        // This should panic in debug mode.
1871        Scalar::invert_batch(&mut xs);
1872    }
1873
1874    #[test]
1875    fn invert_batch_empty() {
1876        assert_eq!(Scalar::ONE, Scalar::invert_batch(&mut []));
1877    }
1878
1879    #[test]
1880    fn invert_batch_consistency() {
1881        let mut x = Scalar::from(1u64);
1882        let mut v1: [Scalar; 16] = core::array::from_fn(|_| {
1883            let tmp = x;
1884            x = x + x;
1885            tmp
1886        });
1887        let v2 = v1;
1888
1889        let expected: Scalar = v1.iter().product();
1890        let expected = expected.invert();
1891        let ret = Scalar::invert_batch(&mut v1);
1892        assert_eq!(ret, expected);
1893
1894        for (a, b) in v1.iter().zip(v2.iter()) {
1895            assert_eq!(a * b, Scalar::ONE);
1896        }
1897    }
1898
1899    #[test]
1900    #[cfg(feature = "alloc")]
1901    fn batch_vec_invert_consistency() {
1902        let mut x = Scalar::from(1u64);
1903        let mut v1: Vec<_> = (0..16)
1904            .map(|_| {
1905                let tmp = x;
1906                x = x + x;
1907                tmp
1908            })
1909            .collect();
1910        let v2 = v1.clone();
1911
1912        let expected: Scalar = v1.iter().product();
1913        let expected = expected.invert();
1914        let ret = Scalar::invert_batch_alloc(&mut v1);
1915        assert_eq!(ret, expected);
1916
1917        for (a, b) in v1.iter().zip(v2.iter()) {
1918            assert_eq!(a * b, Scalar::ONE);
1919        }
1920    }
1921
1922    #[cfg(feature = "precomputed-tables")]
1923    fn test_pippenger_radix_iter(scalar: Scalar, w: usize) {
1924        let digits_count = Scalar::to_radix_2w_size_hint(w);
1925        let digits = scalar.as_radix_2w(w);
1926
1927        let radix = Scalar::from((1 << w) as u64);
1928        let mut term = Scalar::ONE;
1929        let mut recovered_scalar = Scalar::ZERO;
1930        for digit in &digits[0..digits_count] {
1931            let digit = *digit;
1932            if digit != 0 {
1933                let sdigit = if digit < 0 {
1934                    -Scalar::from((-(digit as i64)) as u64)
1935                } else {
1936                    Scalar::from(digit as u64)
1937                };
1938                recovered_scalar += term * sdigit;
1939            }
1940            term *= radix;
1941        }
1942        // When the input is unreduced, we may only recover the scalar mod l.
1943        assert_eq!(recovered_scalar, scalar.reduce());
1944    }
1945
1946    #[test]
1947    #[cfg(feature = "precomputed-tables")]
1948    fn test_pippenger_radix() {
1949        use core::iter;
1950        // For each valid radix it tests that 1000 random-ish scalars can be restored
1951        // from the produced representation precisely.
1952        let cases = (2..100)
1953            .map(|s| Scalar::from(s as u64).invert())
1954            // The largest unreduced scalar, s = 2^255-1. This is not reduced mod l. Scalar mult
1955            // still works though.
1956            .chain(iter::once(LARGEST_UNREDUCED_SCALAR));
1957
1958        for scalar in cases {
1959            test_pippenger_radix_iter(scalar, 6);
1960            test_pippenger_radix_iter(scalar, 7);
1961            test_pippenger_radix_iter(scalar, 8);
1962        }
1963    }
1964
1965    #[test]
1966    #[cfg(feature = "alloc")]
1967    fn test_read_le_u64_into() {
1968        let cases: &[(&[u8], &[u64])] = &[
1969            (
1970                &[0xFE, 0xEF, 0x10, 0x01, 0x1F, 0xF1, 0x0F, 0xF0],
1971                &[0xF00F_F11F_0110_EFFE],
1972            ),
1973            (
1974                &[
1975                    0xFE, 0xEF, 0x10, 0x01, 0x1F, 0xF1, 0x0F, 0xF0, 0x12, 0x34, 0x56, 0x78, 0x9A,
1976                    0xBC, 0xDE, 0xF0,
1977                ],
1978                &[0xF00F_F11F_0110_EFFE, 0xF0DE_BC9A_7856_3412],
1979            ),
1980        ];
1981
1982        for (src, expected) in cases {
1983            let mut dst = vec![0; expected.len()];
1984            read_le_u64_into(src, &mut dst);
1985
1986            assert_eq!(&dst, expected, "Expected {:x?} got {:x?}", expected, dst);
1987        }
1988    }
1989
1990    // Tests consistency of From<{integer}> impls for Scalar
1991    #[test]
1992    fn test_scalar_from_int() {
1993        let s1 = Scalar::ONE;
1994
1995        // For `x` in `u8`, `u16`, `u32`, `u64`, and `u128`, check that
1996        // `Scalar::from(x + 1) == Scalar::from(x) + Scalar::from(1)`
1997
1998        let x = 0x23u8;
1999        let sx = Scalar::from(x);
2000        assert_eq!(sx + s1, Scalar::from(x + 1));
2001
2002        let x = 0x2323u16;
2003        let sx = Scalar::from(x);
2004        assert_eq!(sx + s1, Scalar::from(x + 1));
2005
2006        let x = 0x2323_2323u32;
2007        let sx = Scalar::from(x);
2008        assert_eq!(sx + s1, Scalar::from(x + 1));
2009
2010        let x = 0x2323_2323_2323_2323u64;
2011        let sx = Scalar::from(x);
2012        assert_eq!(sx + s1, Scalar::from(x + 1));
2013
2014        let x = 0x2323_2323_2323_2323_2323_2323_2323_2323u128;
2015        let sx = Scalar::from(x);
2016        assert_eq!(sx + s1, Scalar::from(x + 1));
2017    }
2018
2019    #[cfg(feature = "group")]
2020    #[test]
2021    fn ff_constants() {
2022        assert_eq!(Scalar::from(2u64) * Scalar::TWO_INV, Scalar::ONE);
2023
2024        assert_eq!(
2025            Scalar::ROOT_OF_UNITY * Scalar::ROOT_OF_UNITY_INV,
2026            Scalar::ONE,
2027        );
2028
2029        // ROOT_OF_UNITY^{2^s} mod m == 1
2030        assert_eq!(
2031            Scalar::ROOT_OF_UNITY.pow(&[1u64 << Scalar::S, 0, 0, 0]),
2032            Scalar::ONE,
2033        );
2034
2035        // DELTA^{t} mod m == 1
2036        assert_eq!(
2037            Scalar::DELTA.pow(&[
2038                0x9604_98c6_973d_74fb,
2039                0x0537_be77_a8bd_e735,
2040                0x0000_0000_0000_0000,
2041                0x0400_0000_0000_0000,
2042            ]),
2043            Scalar::ONE,
2044        );
2045    }
2046
2047    #[cfg(feature = "group")]
2048    #[test]
2049    fn ff_impls() {
2050        assert!(bool::from(Scalar::ZERO.is_even()));
2051        assert!(bool::from(Scalar::ONE.is_odd()));
2052        assert!(bool::from(Scalar::from(2u64).is_even()));
2053        assert!(bool::from(Scalar::DELTA.is_even()));
2054
2055        assert!(bool::from(Field::invert(&Scalar::ZERO).is_none()));
2056        assert_eq!(Field::invert(&X).unwrap(), XINV);
2057
2058        let x_sq = X.square();
2059        // We should get back either the positive or negative root.
2060        assert!([X, -X].contains(&x_sq.sqrt().unwrap()));
2061
2062        assert_eq!(Scalar::from_repr_vartime(X.to_repr()), Some(X));
2063        assert_eq!(Scalar::from_repr_vartime([0xff; 32]), None);
2064
2065        assert_eq!(Scalar::from_repr(X.to_repr()).unwrap(), X);
2066        assert!(bool::from(Scalar::from_repr([0xff; 32]).is_none()));
2067    }
2068
2069    #[test]
2070    #[should_panic]
2071    fn test_read_le_u64_into_should_panic_on_bad_input() {
2072        let mut dst = [0_u64; 1];
2073        // One byte short
2074        read_le_u64_into(&[0xFE, 0xEF, 0x10, 0x01, 0x1F, 0xF1, 0x0F], &mut dst);
2075    }
2076
2077    #[test]
2078    fn test_scalar_clamp() {
2079        let input = A_SCALAR.bytes;
2080        let expected = [
2081            0x18, 0x0e, 0x97, 0x8a, 0x90, 0xf6, 0x62, 0x2d, 0x37, 0x47, 0x02, 0x3f, 0x8a, 0xd8,
2082            0x26, 0x4d, 0xa7, 0x58, 0xaa, 0x1b, 0x88, 0xe0, 0x40, 0xd1, 0x58, 0x9e, 0x7b, 0x7f,
2083            0x23, 0x76, 0xef, 0x49,
2084        ];
2085        let actual = clamp_integer(input);
2086        assert_eq!(actual, expected);
2087
2088        let expected = [
2089            0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
2090            0, 0, 0x40,
2091        ];
2092        let actual = clamp_integer([0; 32]);
2093        assert_eq!(expected, actual);
2094        let expected = [
2095            0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2096            0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2097            0xff, 0xff, 0xff, 0x7f,
2098        ];
2099        let actual = clamp_integer([0xff; 32]);
2100        assert_eq!(actual, expected);
2101
2102        assert_eq!(
2103            LARGEST_CLAMPED_INTEGER,
2104            clamp_integer(LARGEST_CLAMPED_INTEGER)
2105        );
2106    }
2107
2108    // Check that a * b == a.reduce() * a.reduce() for ANY scalars a,b, even ones that violate
2109    // invariant #1, i.e., a,b > 2^255. Old versions of ed25519-dalek did multiplication where a
2110    // was reduced and b was clamped and unreduced. This checks that was always well-defined.
2111    #[test]
2112    fn test_mul_reduction_invariance() {
2113        let mut rng = UnwrapErr(SysRng);
2114
2115        for _ in 0..10 {
2116            // Also define c that's clamped. We'll make sure that clamping doesn't affect
2117            // computation
2118            let (a, b, c) = {
2119                let mut a_bytes = [0u8; 32];
2120                let mut b_bytes = [0u8; 32];
2121                let mut c_bytes = [0u8; 32];
2122                rng.fill_bytes(&mut a_bytes);
2123                rng.fill_bytes(&mut b_bytes);
2124                rng.fill_bytes(&mut c_bytes);
2125                (
2126                    Scalar { bytes: a_bytes },
2127                    Scalar { bytes: b_bytes },
2128                    Scalar {
2129                        bytes: clamp_integer(c_bytes),
2130                    },
2131                )
2132            };
2133
2134            // Make sure this is the same product no matter how you cut it
2135            let reduced_mul_ab = a.reduce() * b.reduce();
2136            let reduced_mul_ac = a.reduce() * c.reduce();
2137            assert_eq!(a * b, reduced_mul_ab);
2138            assert_eq!(a.reduce() * b, reduced_mul_ab);
2139            assert_eq!(a * b.reduce(), reduced_mul_ab);
2140            assert_eq!(a * c, reduced_mul_ac);
2141            assert_eq!(a.reduce() * c, reduced_mul_ac);
2142            assert_eq!(a * c.reduce(), reduced_mul_ac);
2143        }
2144    }
2145}