ed448-goldilocks: split Scalar into EdwardsScalar/DecafScalar (#1284)

Resolves #1229

Author: daxpedda

ed448-goldilocks/README.md

@@ -17,25 +17,25 @@ It is intended to be portable, fast, and safe.
 ## Usage
 
 ```rust
-use ed448_goldilocks::{EdwardsPoint, CompressedEdwardsY, Scalar, sha3::Shake256};
+use ed448_goldilocks::{EdwardsPoint, CompressedEdwardsY, EdwardsScalar, sha3::Shake256};
 use elliptic_curve::Field;
 use hash2curve::ExpandMsgXof;
 use rand_core::OsRng;
 
-let secret_key = Scalar::TWO;
+let secret_key = EdwardsScalar::TWO;
 let public_key = EdwardsPoint::GENERATOR * &secret_key;
 
 assert_eq!(public_key, EdwardsPoint::GENERATOR + EdwardsPoint::GENERATOR);
 
-let secret_key = Scalar::try_from_rng(&mut OsRng).unwrap();
+let secret_key = EdwardsScalar::try_from_rng(&mut OsRng).unwrap();
 let public_key = EdwardsPoint::GENERATOR * &secret_key;
 let compressed_public_key = public_key.compress();
 
 assert_eq!(compressed_public_key.to_bytes().len(), 57);
 
-let hashed_scalar = Scalar::hash::<ExpandMsgXof<Shake256>>(b"test", b"edwards448_XOF:SHAKE256_ELL2_RO_");
+let hashed_scalar = EdwardsScalar::hash::<ExpandMsgXof<Shake256>>(b"test", b"edwards448_XOF:SHAKE256_ELL2_RO_");
 let input = hex_literal::hex!("c8c6c8f584e0c25efdb6af5ad234583c56dedd7c33e0c893468e96740fa0cf7f1a560667da40b7bde340a39252e89262fcf707d1180fd43400");
-let expected_scalar = Scalar::from_canonical_bytes(&input.into()).unwrap();
+let expected_scalar = EdwardsScalar::from_canonical_bytes(&input.into()).unwrap();
 assert_eq!(hashed_scalar, expected_scalar);
 
 let hashed_point = EdwardsPoint::hash::<ExpandMsgXof<Shake256>>(b"test", b"edwards448_XOF:SHAKE256_ELL2_RO_");

ed448-goldilocks/src/constants.rs

@@ -1,5 +1,4 @@
 use crate::*;
-use crate::{Scalar, decaf::DecafPoint};
 
 pub const DECAF_BASEPOINT: DecafPoint = DecafPoint(curve::twedwards::extended::ExtendedPoint {
     X: TWISTED_EDWARDS_BASE_POINT.X,
@@ -12,4 +11,10 @@ pub const DECAF_BASEPOINT: DecafPoint = DecafPoint(curve::twedwards::extended::E
 /// $$
 /// \ell = 2^\{446\} + 0x8335dc163bb124b65129c96fde933d8d723a70aadc873d6d54a7bb0d.
 /// $$
-pub const BASEPOINT_ORDER: Scalar = Scalar(ORDER);
+pub const EDWARDS_BASEPOINT_ORDER: EdwardsScalar = EdwardsScalar::new(ORDER);
+
+/// `BASEPOINT_ORDER` is the order of the Decaf448 basepoint, i.e.,
+/// $$
+/// \ell = 2^\{446\} + 0x8335dc163bb124b65129c96fde933d8d723a70aadc873d6d54a7bb0d.
+/// $$
+pub const DECAF_BASEPOINT_ORDER: DecafScalar = DecafScalar::new(ORDER);

ed448-goldilocks/src/curve.rs

@@ -1,7 +1,9 @@
 pub mod edwards;
 pub mod montgomery;
+mod scalar;
 pub(crate) mod scalar_mul;
 pub(crate) mod twedwards;
 
 pub use edwards::{AffinePoint, CompressedEdwardsY, EdwardsPoint};
 pub use montgomery::{MontgomeryPoint, ProjectiveMontgomeryPoint};
+pub use scalar::{EdwardsScalar, EdwardsScalarBytes, WideEdwardsScalarBytes};

ed448-goldilocks/src/curve/edwards/affine.rs

@@ -136,16 +136,17 @@ impl TryFrom<AffinePoint> for NonIdentity<AffinePoint> {
     }
 }
 
-impl Mul<AffinePoint> for Scalar {
+impl Mul<AffinePoint> for EdwardsScalar {
     type Output = EdwardsPoint;
 
     #[inline]
+    #[expect(clippy::op_ref, reason = "false-positive")]
     fn mul(self, rhs: AffinePoint) -> EdwardsPoint {
         self * &rhs
     }
 }
 
-impl Mul<&AffinePoint> for Scalar {
+impl Mul<&AffinePoint> for EdwardsScalar {
     type Output = EdwardsPoint;
 
     #[inline]

ed448-goldilocks/src/curve/edwards/extended.rs

@@ -3,12 +3,12 @@ use core::fmt::{Display, Formatter, LowerHex, Result as FmtResult, UpperHex};
 use core::iter::Sum;
 use core::ops::{Add, AddAssign, Mul, MulAssign, Neg, Sub, SubAssign};
 
-use crate::constants::BASEPOINT_ORDER;
+use crate::constants::EDWARDS_BASEPOINT_ORDER;
 use crate::curve::edwards::affine::AffinePoint;
 use crate::curve::montgomery::MontgomeryPoint; // XXX: need to fix this path
 use crate::curve::scalar_mul::variable_base;
 use crate::curve::twedwards::extended::ExtendedPoint as TwistedExtendedPoint;
-use crate::field::{FieldElement, Scalar};
+use crate::field::FieldElement;
 use crate::*;
 use elliptic_curve::{
     CurveGroup, Error,
@@ -339,7 +339,7 @@ impl PartialEq for EdwardsPoint {
 impl Eq for EdwardsPoint {}
 
 impl Group for EdwardsPoint {
-    type Scalar = Scalar;
+    type Scalar = EdwardsScalar;
 
     fn try_from_rng<R>(rng: &mut R) -> Result<Self, R::Error>
     where
@@ -508,9 +508,9 @@ impl From<&EdwardsPoint> for AffinePoint {
     }
 }
 
-impl<const N: usize> LinearCombination<[(EdwardsPoint, Scalar); N]> for EdwardsPoint {}
+impl<const N: usize> LinearCombination<[(EdwardsPoint, EdwardsScalar); N]> for EdwardsPoint {}
 
-impl LinearCombination<[(EdwardsPoint, Scalar)]> for EdwardsPoint {}
+impl LinearCombination<[(EdwardsPoint, EdwardsScalar)]> for EdwardsPoint {}
 
 impl CurveGroup for EdwardsPoint {
     type AffineRepr = AffinePoint;
@@ -546,7 +546,7 @@ impl EdwardsPoint {
     }
 
     /// Generic scalar multiplication to compute s*P
-    pub fn scalar_mul(&self, scalar: &Scalar) -> Self {
+    pub fn scalar_mul(&self, scalar: &EdwardsScalar) -> Self {
         // Compute floor(s/4)
         let mut scalar_div_four = *scalar;
         scalar_div_four.div_by_four();
@@ -558,7 +558,7 @@ impl EdwardsPoint {
     }
 
     /// Returns (scalar mod 4) * P in constant time
-    pub(crate) fn scalar_mod_four(&self, scalar: &Scalar) -> Self {
+    pub(crate) fn scalar_mod_four(&self, scalar: &EdwardsScalar) -> Self {
         // Compute compute (scalar mod 4)
         let s_mod_four = scalar[0] & 3;
 
@@ -727,7 +727,7 @@ impl EdwardsPoint {
     /// * `false` if `self` has a nonzero torsion component and is not
     ///   in the prime-order subgroup.
     pub fn is_torsion_free(&self) -> Choice {
-        (self * BASEPOINT_ORDER).ct_eq(&Self::IDENTITY)
+        (self * EDWARDS_BASEPOINT_ORDER).ct_eq(&Self::IDENTITY)
     }
 
     /// Hash a message to a point on the curve
@@ -972,28 +972,36 @@ impl Neg for EdwardsPoint {
 // Scalar multiplication
 // ------------------------------------------------------------------------
 
-impl<'b> MulAssign<&'b Scalar> for EdwardsPoint {
-    fn mul_assign(&mut self, scalar: &'b Scalar) {
+impl<'b> MulAssign<&'b EdwardsScalar> for EdwardsPoint {
+    fn mul_assign(&mut self, scalar: &'b EdwardsScalar) {
         let result = *self * scalar;
         *self = result;
     }
 }
 
-define_mul_assign_variants!(LHS = EdwardsPoint, RHS = Scalar);
+define_mul_assign_variants!(LHS = EdwardsPoint, RHS = EdwardsScalar);
 
-define_mul_variants!(LHS = EdwardsPoint, RHS = Scalar, Output = EdwardsPoint);
-define_mul_variants!(LHS = Scalar, RHS = EdwardsPoint, Output = EdwardsPoint);
+define_mul_variants!(
+    LHS = EdwardsPoint,
+    RHS = EdwardsScalar,
+    Output = EdwardsPoint
+);
+define_mul_variants!(
+    LHS = EdwardsScalar,
+    RHS = EdwardsPoint,
+    Output = EdwardsPoint
+);
 
-impl Mul<&Scalar> for &EdwardsPoint {
+impl Mul<&EdwardsScalar> for &EdwardsPoint {
     type Output = EdwardsPoint;
 
     /// Scalar multiplication: compute `scalar * self`.
-    fn mul(self, scalar: &Scalar) -> EdwardsPoint {
+    fn mul(self, scalar: &EdwardsScalar) -> EdwardsPoint {
         self.scalar_mul(scalar)
     }
 }
 
-impl Mul<&EdwardsPoint> for &Scalar {
+impl Mul<&EdwardsPoint> for &EdwardsScalar {
     type Output = EdwardsPoint;
 
     /// Scalar multiplication: compute `scalar * self`.
@@ -1295,24 +1303,24 @@ mod tests {
         use rand_core::SeedableRng;
 
         let mut rng = rand_chacha::ChaCha8Rng::seed_from_u64(0);
-        let x = Scalar::random(&mut rng);
-        let b = Scalar::random(&mut rng);
+        let x = EdwardsScalar::random(&mut rng);
+        let b = EdwardsScalar::random(&mut rng);
 
         let g1 = EdwardsPoint::GENERATOR;
         let g2 = EdwardsPoint::hash_with_defaults(b"test_pow_add_mul");
 
         let expected_commitment = g1 * x + g2 * b;
 
-        let shift = Scalar::from(256u16);
+        let shift = EdwardsScalar::from(256u16);
         let x_bytes = x.to_bytes_rfc_8032();
-        let mut sum = Scalar::ZERO;
+        let mut sum = EdwardsScalar::ZERO;
         let mut components = [EdwardsPoint::IDENTITY; 57];
         for i in 1..57 {
-            let r = Scalar::random(&mut rng);
+            let r = EdwardsScalar::random(&mut rng);
             sum += r * shift.pow([i as u64]);
-            components[i] = g1 * Scalar::from(x_bytes[i]) + g2 * r;
+            components[i] = g1 * EdwardsScalar::from(x_bytes[i]) + g2 * r;
         }
-        components[0] = g1 * Scalar::from(x_bytes[0]) + g2 * (b - sum);
+        components[0] = g1 * EdwardsScalar::from(x_bytes[0]) + g2 * (b - sum);
 
         let mut computed_commitment = EdwardsPoint::IDENTITY;
         for i in (0..57).rev() {

ed448-goldilocks/src/curve/montgomery.rs

@@ -11,8 +11,9 @@
 #![allow(non_snake_case)]
 
 // use crate::constants::A_PLUS_TWO_OVER_FOUR;
+use crate::EdwardsScalar;
 use crate::curve::edwards::extended::EdwardsPoint;
-use crate::field::{FieldElement, Scalar};
+use crate::field::FieldElement;
 use core::fmt;
 use core::ops::Mul;
 use subtle::{Choice, ConditionallySelectable, ConstantTimeEq};
@@ -75,11 +76,11 @@ pub struct ProjectiveMontgomeryPoint {
     W: FieldElement,
 }
 
-impl Mul<&Scalar> for &MontgomeryPoint {
+impl Mul<&EdwardsScalar> for &MontgomeryPoint {
     type Output = MontgomeryPoint;
 
     #[allow(clippy::suspicious_arithmetic_impl)]
-    fn mul(self, scalar: &Scalar) -> MontgomeryPoint {
+    fn mul(self, scalar: &EdwardsScalar) -> MontgomeryPoint {
         // Algorithm 8 of Costello-Smith 2017
         let affine_u = FieldElement::from_bytes(&self.0);
         let mut x0 = ProjectiveMontgomeryPoint::identity();
@@ -104,7 +105,7 @@ impl Mul<&Scalar> for &MontgomeryPoint {
     }
 }
 
-impl Mul<&MontgomeryPoint> for &Scalar {
+impl Mul<&MontgomeryPoint> for &EdwardsScalar {
     type Output = MontgomeryPoint;
 
     fn mul(self, point: &MontgomeryPoint) -> MontgomeryPoint {
@@ -221,7 +222,7 @@ mod tests {
 
     #[test]
     fn test_montgomery_edwards() {
-        let scalar = Scalar::from(200u32);
+        let scalar = EdwardsScalar::from(200u32);
         use crate::GOLDILOCKS_BASE_POINT as bp;
 
         // Montgomery scalar mul