Add MontgomeryScalar

daxpedda · daxpedda · commit eb4e07ec8d53 · 2025-07-26T22:46:38.000+02:00
diff --git a/ed448-goldilocks/src/field/scalar.rs b/ed448-goldilocks/src/field/scalar.rs
@@ -26,7 +26,7 @@ use subtle::{Choice, ConditionallySelectable, ConstantTimeEq, ConstantTimeGreate
 use elliptic_curve::ff::{FieldBits, PrimeFieldBits};
 
 /// Shared scalar for [`Ed448`] and [`Decaf448`].
-/// Use [`EdwardsScalar`] and [`DecafScalar`] directly.
+/// Use [`EdwardsScalar`], [`DecafScalar`] and [`MontgomeryScalar`] directly.
 ///
 /// This is the scalar field
 /// size = 4q = 2^446 - 0x8335dc163bb124b65129c96fde933d8d723a70aadc873d6d54a7bb0d
@@ -821,4 +821,9 @@ impl<C: CurveWithScalar> Scalar<C> {
         rng.fill_bytes(&mut scalar_bytes);
         C::from_bytes_mod_order_wide(&scalar_bytes)
     }
+
+    /// Convert to other [`Scalar`] type
+    pub fn to_scalar<O: CurveWithScalar>(&self) -> Scalar<O> {
+        Scalar::new(self.scalar)
+    }
 }
diff --git a/ed448-goldilocks/src/lib.rs b/ed448-goldilocks/src/lib.rs
@@ -61,7 +61,8 @@ pub use edwards::{
 };
 pub use field::{MODULUS_LIMBS, ORDER, Scalar, WIDE_ORDER};
 pub use montgomery::{
-    MontgomeryPoint, MontgomeryXpoint, ProjectiveMontgomeryPoint, ProjectiveMontgomeryXpoint,
+    MontgomeryPoint, MontgomeryScalar, MontgomeryScalarBytes, MontgomeryXpoint,
+    ProjectiveMontgomeryPoint, ProjectiveMontgomeryXpoint, WideMontgomeryScalarBytes,
 };
 #[cfg(feature = "signing")]
 pub use sign::*;
diff --git a/ed448-goldilocks/src/montgomery.rs b/ed448-goldilocks/src/montgomery.rs
@@ -11,7 +11,9 @@
 #![allow(non_snake_case)]
 
 mod point;
+mod scalar;
 mod x;
 
 pub use point::{MontgomeryPoint, ProjectiveMontgomeryPoint};
+pub use scalar::{MontgomeryScalar, MontgomeryScalarBytes, WideMontgomeryScalarBytes};
 pub use x::{MontgomeryXpoint, ProjectiveMontgomeryXpoint};
diff --git a/ed448-goldilocks/src/montgomery/scalar.rs b/ed448-goldilocks/src/montgomery/scalar.rs
@@ -0,0 +1,251 @@
+use elliptic_curve::bigint::{Limb, U448};
+use elliptic_curve::consts::U56;
+use subtle::{Choice, CtOption};
+
+use crate::field::{CurveWithScalar, NZ_ORDER, ScalarBytes, WideScalarBytes};
+use crate::{Curve448, ORDER, Scalar};
+
+impl CurveWithScalar for Curve448 {
+    type ReprSize = U56;
+
+    fn from_bytes_mod_order_wide(input: &WideScalarBytes<Self>) -> Scalar<Self> {
+        let value = (
+            U448::from_le_slice(&input[..56]),
+            U448::from_le_slice(&input[56..112]),
+        );
+        Scalar::new(U448::rem_wide_vartime(value, &NZ_ORDER))
+    }
+
+    fn from_canonical_bytes(bytes: &ScalarBytes<Self>) -> subtle::CtOption<Scalar<Self>> {
+        fn is_zero(b: u8) -> Choice {
+            let res = b as i8;
+            Choice::from((((res | -res) >> 7) + 1) as u8)
+        }
+
+        // Check that the 10 high bits are not set
+        let is_valid = is_zero(bytes[55] >> 6);
+        let bytes: [u8; 56] = core::array::from_fn(|i| bytes[i]);
+        let candidate = Scalar::new(U448::from_le_slice(&bytes));
+
+        // underflow means candidate < ORDER, thus canonical
+        let (_, underflow) = candidate.scalar.borrowing_sub(&ORDER, Limb::ZERO);
+        let underflow = Choice::from((underflow.0 >> (Limb::BITS - 1)) as u8);
+        CtOption::new(candidate, underflow & is_valid)
+    }
+
+    fn to_repr(scalar: &Scalar<Self>) -> ScalarBytes<Self> {
+        scalar.to_bytes().into()
+    }
+}
+
+/// [`Curve448`] scalar field.
+pub type MontgomeryScalar = Scalar<Curve448>;
+
+impl MontgomeryScalar {
+    /// Construct a `Scalar` by reducing a 896-bit little-endian integer
+    /// modulo the group order ℓ.
+    pub fn from_bytes_mod_order_wide(input: &WideMontgomeryScalarBytes) -> MontgomeryScalar {
+        Curve448::from_bytes_mod_order_wide(input)
+    }
+}
+
+/// The number of bytes needed to represent the scalar field
+pub type MontgomeryScalarBytes = ScalarBytes<Curve448>;
+/// The number of bytes needed to represent the safely create a scalar from a random bytes
+pub type WideMontgomeryScalarBytes = WideScalarBytes<Curve448>;
+
+#[cfg(test)]
+mod test {
+    use super::*;
+    use hex_literal::hex;
+
+    #[test]
+    fn test_basic_add() {
+        let five = MontgomeryScalar::from(5u8);
+        let six = MontgomeryScalar::from(6u8);
+
+        assert_eq!(five + six, MontgomeryScalar::from(11u8))
+    }
+
+    #[test]
+    fn test_basic_sub() {
+        let ten = MontgomeryScalar::from(10u8);
+        let five = MontgomeryScalar::from(5u8);
+        assert_eq!(ten - five, MontgomeryScalar::from(5u8))
+    }
+
+    #[test]
+    fn test_basic_mul() {
+        let ten = MontgomeryScalar::from(10u8);
+        let five = MontgomeryScalar::from(5u8);
+
+        assert_eq!(ten * five, MontgomeryScalar::from(50u8))
+    }
+
+    #[test]
+    fn test_mul() {
+        let a = MontgomeryScalar::new(U448::from_be_hex(
+            "1e63e8073b089f0747cf8cac2c3dc2732aae8688a8fa552ba8cb0ae8c0be082e74d657641d9ac30a087b8fb97f8ed27dc96a3c35ffb823a3",
+        ));
+
+        let b = MontgomeryScalar::new(U448::from_be_hex(
+            "16c5450acae1cb680a92de2d8e59b30824e8d4991adaa0e7bc343bcbd099595b188c6b1a1e30b38b17aa6d9be416b899686eb329d8bedc42",
+        ));
+
+        let exp = MontgomeryScalar::new(U448::from_be_hex(
+            "31e055c14ca389edfccd61b3203d424bb9036ff6f2d89c1e07bcd93174e9335f36a1492008a3a0e46abd26f5994c9c2b1f5b3197a18d010a",
+        ));
+
+        assert_eq!(a * b, exp)
+    }
+    #[test]
+    fn test_basic_square() {
+        let a = MontgomeryScalar::new(U448::from_be_hex(
+            "3162081604b3273b930392e5d2391f9d21cc3078f22c69514bb395e08dccc4866f08f3311370f8b83fa50692f640922b7e56a34bcf5fac3d",
+        ));
+        let expected_a_squared = MontgomeryScalar::new(U448::from_be_hex(
+            "1c1e32fc66b21c9c42d6e8e20487193cf6d49916421b290098f30de3713006cfe8ee9d21eeef7427f82a1fe036630c74b9acc2c2ede40f04",
+        ));
+
+        assert_eq!(a.square(), expected_a_squared)
+    }
+
+    #[test]
+    fn test_sanity_check_index_mut() {
+        let mut x = MontgomeryScalar::ONE;
+        x[0] = 2;
+        assert_eq!(x, MontgomeryScalar::from(2u8))
+    }
+    #[test]
+    fn test_basic_halving() {
+        let eight = MontgomeryScalar::from(8u8);
+        let four = MontgomeryScalar::from(4u8);
+        let two = MontgomeryScalar::from(2u8);
+        assert_eq!(eight.halve(), four);
+        assert_eq!(four.halve(), two);
+        assert_eq!(two.halve(), MontgomeryScalar::ONE);
+    }
+
+    #[test]
+    fn test_equals() {
+        let a = MontgomeryScalar::from(5u8);
+        let b = MontgomeryScalar::from(5u8);
+        let c = MontgomeryScalar::from(10u8);
+        assert_eq!(a, b);
+        assert_ne!(a, c);
+    }
+
+    #[test]
+    fn test_basic_inversion() {
+        // Test inversion from 2 to 100
+        for i in 1..=100u8 {
+            let x = MontgomeryScalar::from(i);
+            let x_inv = x.invert();
+            assert_eq!(x_inv * x, MontgomeryScalar::ONE)
+        }
+
+        // Inversion of zero is zero
+        let zero = MontgomeryScalar::ZERO;
+        let expected_zero = zero.invert();
+        assert_eq!(expected_zero, zero)
+    }
+    #[test]
+    fn test_serialise() {
+        let scalar = MontgomeryScalar::new(U448::from_be_hex(
+            "0d79f6e375d3395ed9a6c4c3c49a1433fd7c58aa38363f74e9ab2c22a22347d79988f8e01e8a309f862a9f1052fcd042b9b1ed7115598f62",
+        ));
+        let got = MontgomeryScalar::from_canonical_bytes(&scalar.into()).unwrap();
+        assert_eq!(scalar, got)
+    }
+    #[test]
+    fn test_from_canonical_bytes() {
+        // ff..ff should fail
+        let mut bytes = MontgomeryScalarBytes::from(hex!(
+            "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+        ));
+        bytes.reverse();
+        let s = MontgomeryScalar::from_canonical_bytes(&bytes);
+        assert!(<Choice as Into<bool>>::into(s.is_none()));
+
+        // n should fail
+        let mut bytes = MontgomeryScalarBytes::from(hex!(
+            "3fffffffffffffffffffffffffffffffffffffffffffffffffffffff7cca23e9c44edb49aed63690216cc2728dc58f552378c292ab5844f3"
+        ));
+        bytes.reverse();
+        let s = MontgomeryScalar::from_canonical_bytes(&bytes);
+        assert!(<Choice as Into<bool>>::into(s.is_none()));
+
+        // n-1 should work
+        let mut bytes = MontgomeryScalarBytes::from(hex!(
+            "3fffffffffffffffffffffffffffffffffffffffffffffffffffffff7cca23e9c44edb49aed63690216cc2728dc58f552378c292ab5844f2"
+        ));
+        bytes.reverse();
+        let s = MontgomeryScalar::from_canonical_bytes(&bytes);
+        match Option::<MontgomeryScalar>::from(s) {
+            Some(s) => assert_eq!(s, MontgomeryScalar::ZERO - MontgomeryScalar::ONE),
+            None => panic!("should not return None"),
+        };
+    }
+
+    #[test]
+    fn test_from_bytes_mod_order_wide() {
+        // n should become 0
+        let mut bytes = WideMontgomeryScalarBytes::from(hex!(
+            "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003fffffffffffffffffffffffffffffffffffffffffffffffffffffff7cca23e9c44edb49aed63690216cc2728dc58f552378c292ab5844f3"
+        ));
+        bytes.reverse();
+        let s = MontgomeryScalar::from_bytes_mod_order_wide(&bytes);
+        assert_eq!(s, MontgomeryScalar::ZERO);
+
+        // n-1 should stay the same
+        let mut bytes = WideMontgomeryScalarBytes::from(hex!(
+            "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003fffffffffffffffffffffffffffffffffffffffffffffffffffffff7cca23e9c44edb49aed63690216cc2728dc58f552378c292ab5844f2"
+        ));
+        bytes.reverse();
+        let s = MontgomeryScalar::from_bytes_mod_order_wide(&bytes);
+        assert_eq!(s, MontgomeryScalar::ZERO - MontgomeryScalar::ONE);
+
+        // n+1 should become 1
+        let mut bytes = WideMontgomeryScalarBytes::from(hex!(
+            "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003fffffffffffffffffffffffffffffffffffffffffffffffffffffff7cca23e9c44edb49aed63690216cc2728dc58f552378c292ab5844f4"
+        ));
+        bytes.reverse();
+        let s = MontgomeryScalar::from_bytes_mod_order_wide(&bytes);
+        assert_eq!(s, MontgomeryScalar::ONE);
+
+        // 2^896-1 should become 0x3402a939f823b7292052bcb7e4d070af1a9cc14ba3c47c44ae17cf725ee4d8380d66de2388ea18597af32c4bc1b195d9e3539257049b9b5f
+        let bytes = WideMontgomeryScalarBytes::from(hex!(
+            "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+        ));
+        let s = MontgomeryScalar::from_bytes_mod_order_wide(&bytes);
+        let mut bytes = MontgomeryScalarBytes::from(hex!(
+            "3402a939f823b7292052bcb7e4d070af1a9cc14ba3c47c44ae17cf725ee4d8380d66de2388ea18597af32c4bc1b195d9e3539257049b9b5f"
+        ));
+        bytes.reverse();
+        let reduced = MontgomeryScalar::from_canonical_bytes(&bytes).unwrap();
+        assert_eq!(s, reduced);
+    }
+
+    #[cfg(all(feature = "alloc", feature = "serde"))]
+    #[test]
+    fn serde() {
+        use elliptic_curve::PrimeField;
+
+        let res = serde_json::to_string(&MontgomeryScalar::TWO_INV);
+        assert!(res.is_ok());
+        let sj = res.unwrap();
+
+        let res = serde_json::from_str::<MontgomeryScalar>(&sj);
+        assert!(res.is_ok());
+        assert_eq!(res.unwrap(), MontgomeryScalar::TWO_INV);
+
+        let res = serde_bare::to_vec(&MontgomeryScalar::TWO_INV);
+        assert!(res.is_ok());
+        let sb = res.unwrap();
+        assert_eq!(sb.len(), 57);
+
+        let res = serde_bare::from_slice::<MontgomeryScalar>(&sb);
+        assert!(res.is_ok());
+        assert_eq!(res.unwrap(), MontgomeryScalar::TWO_INV);
+    }
+}
diff --git a/ed448-goldilocks/src/montgomery/x.rs b/ed448-goldilocks/src/montgomery/x.rs
@@ -1,6 +1,5 @@
 // use crate::constants::A_PLUS_TWO_OVER_FOUR;
-use super::{MontgomeryPoint, ProjectiveMontgomeryPoint};
-use crate::EdwardsScalar;
+use super::{MontgomeryPoint, MontgomeryScalar, ProjectiveMontgomeryPoint};
 use crate::edwards::extended::EdwardsPoint;
 use crate::field::{ConstMontyType, FieldElement};
 use core::fmt;
@@ -70,15 +69,15 @@ pub struct ProjectiveMontgomeryXpoint {
     pub(super) W: FieldElement,
 }
 
-impl Mul<&EdwardsScalar> for &MontgomeryXpoint {
+impl Mul<&MontgomeryScalar> for &MontgomeryXpoint {
     type Output = ProjectiveMontgomeryXpoint;
 
-    fn mul(self, scalar: &EdwardsScalar) -> ProjectiveMontgomeryXpoint {
+    fn mul(self, scalar: &MontgomeryScalar) -> ProjectiveMontgomeryXpoint {
         self.mul_internal(scalar).0
     }
 }
 
-impl Mul<&MontgomeryXpoint> for &EdwardsScalar {
+impl Mul<&MontgomeryXpoint> for &MontgomeryScalar {
     type Output = ProjectiveMontgomeryXpoint;
 
     fn mul(self, point: &MontgomeryXpoint) -> ProjectiveMontgomeryXpoint {
@@ -119,7 +118,7 @@ impl MontgomeryXpoint {
 
     pub(super) fn mul_internal(
         &self,
-        scalar: &EdwardsScalar,
+        scalar: &MontgomeryScalar,
     ) -> (ProjectiveMontgomeryXpoint, ProjectiveMontgomeryXpoint) {
         // Algorithm 8 of Costello-Smith 2017
         let mut x0 = ProjectiveMontgomeryXpoint::IDENTITY;
@@ -185,15 +184,15 @@ impl PartialEq for ProjectiveMontgomeryXpoint {
     }
 }
 
-impl Mul<&EdwardsScalar> for &ProjectiveMontgomeryXpoint {
+impl Mul<&MontgomeryScalar> for &ProjectiveMontgomeryXpoint {
     type Output = ProjectiveMontgomeryXpoint;
 
-    fn mul(self, scalar: &EdwardsScalar) -> ProjectiveMontgomeryXpoint {
+    fn mul(self, scalar: &MontgomeryScalar) -> ProjectiveMontgomeryXpoint {
         &self.to_affine() * scalar
     }
 }
 
-impl Mul<&ProjectiveMontgomeryXpoint> for &EdwardsScalar {
+impl Mul<&ProjectiveMontgomeryXpoint> for &MontgomeryScalar {
     type Output = ProjectiveMontgomeryXpoint;
 
     fn mul(self, point: &ProjectiveMontgomeryXpoint) -> ProjectiveMontgomeryXpoint {
@@ -311,13 +310,13 @@ mod tests {
 
     #[test]
     fn test_montgomery_edwards() {
-        let scalar = EdwardsScalar::from(200u32);
+        let scalar = MontgomeryScalar::from(200u32);
 
         // Montgomery scalar mul
         let montgomery_res = &(&ProjectiveMontgomeryXpoint::GENERATOR * &scalar) * &scalar;
 
         // Goldilocks scalar mul
-        let goldilocks_point = EdwardsPoint::GENERATOR * scalar * scalar;
+        let goldilocks_point = EdwardsPoint::GENERATOR * scalar.to_scalar() * scalar.to_scalar();
         assert_eq!(
             goldilocks_point.to_montgomery_x(),
             montgomery_res.to_affine()
