Implement FromOkm for MontgomeryScalar

daxpedda · daxpedda · commit f6acc425fb89 · 2025-08-03T00:40:09.000+02:00
diff --git a/ed448-goldilocks/src/edwards/scalar.rs b/ed448-goldilocks/src/edwards/scalar.rs
@@ -2,8 +2,8 @@ use crate::field::{CurveWithScalar, NZ_ORDER, Scalar, ScalarBytes, WideScalarByt
 use crate::{Ed448, ORDER};
 
 use elliptic_curve::array::Array;
-use elliptic_curve::bigint::{Limb, NonZero, U448, U704};
-use elliptic_curve::consts::{U57, U84, U88};
+use elliptic_curve::bigint::{Limb, U448};
+use elliptic_curve::consts::{U57, U84};
 use elliptic_curve::scalar::FromUintUnchecked;
 use hash2curve::FromOkm;
 use subtle::{Choice, CtOption};
@@ -86,17 +86,7 @@ impl FromOkm for EdwardsScalar {
     type Length = U84;
 
     fn from_okm(data: &Array<u8, Self::Length>) -> Self {
-        const SEMI_WIDE_MODULUS: NonZero<U704> = NonZero::<U704>::new_unwrap(U704::from_be_hex(
-            "00000000000000000000000000000000000000000000000000000000000000003fffffffffffffffffffffffffffffffffffffffffffffffffffffff7cca23e9c44edb49aed63690216cc2728dc58f552378c292ab5844f3",
-        ));
-        let mut tmp = Array::<u8, U88>::default();
-        tmp[4..].copy_from_slice(&data[..]);
-
-        let mut num = U704::from_be_slice(&tmp[..]);
-        num %= SEMI_WIDE_MODULUS;
-        let mut words = [0; U448::LIMBS];
-        words.copy_from_slice(&num.to_words()[..U448::LIMBS]);
-        Scalar::new(U448::from_words(words))
+        Self::from_okm_u84(data)
     }
 }
 
diff --git a/ed448-goldilocks/src/field/element.rs b/ed448-goldilocks/src/field/element.rs
@@ -68,7 +68,7 @@ impl PartialEq for FieldElement {
 }
 impl Eq for FieldElement {}
 
-impl FromOkm for Ed448FieldElement {
+impl FromOkm for FieldElementU84 {
     type Length = U84;
 
     fn from_okm(data: &Array<u8, Self::Length>) -> Self {
@@ -89,7 +89,7 @@ impl FromOkm for Ed448FieldElement {
     }
 }
 
-impl FromOkm for Decaf448FieldElement {
+impl FromOkm for FieldElementU56 {
     type Length = U56;
 
     fn from_okm(data: &Array<u8, Self::Length>) -> Self {
@@ -194,13 +194,13 @@ impl Neg for FieldElement {
 }
 
 #[derive(Clone, Copy, Default, Debug)]
-pub struct Ed448FieldElement(FieldElement);
+pub struct FieldElementU84(pub(crate) FieldElement);
 
 impl MapToCurve for Ed448 {
     type CurvePoint = EdwardsPoint;
-    type FieldElement = Ed448FieldElement;
+    type FieldElement = FieldElementU84;
 
-    fn map_to_curve(element: Ed448FieldElement) -> Self::CurvePoint {
+    fn map_to_curve(element: FieldElementU84) -> Self::CurvePoint {
         AffinePoint::from(element.0.map_to_curve_elligator2_curve448()).to_edwards()
     }
 
@@ -214,13 +214,13 @@ impl MapToCurve for Ed448 {
 }
 
 #[derive(Clone, Copy, Default, Debug)]
-pub struct Decaf448FieldElement(FieldElement);
+pub struct FieldElementU56(pub(crate) FieldElement);
 
 impl MapToCurve for Decaf448 {
     type CurvePoint = DecafPoint;
-    type FieldElement = Decaf448FieldElement;
+    type FieldElement = FieldElementU56;
 
-    fn map_to_curve(element: Decaf448FieldElement) -> DecafPoint {
+    fn map_to_curve(element: FieldElementU56) -> DecafPoint {
         DecafPoint(element.0.map_to_curve_decaf448())
     }
 
@@ -480,16 +480,14 @@ mod tests {
             .unwrap();
             let mut data = Array::<u8, U84>::default();
             expander.fill_bytes(&mut data);
-            // TODO: This should be `Curve448FieldElement`.
-            let u0 = Ed448FieldElement::from_okm(&data).0;
+            let u0 = FieldElementU84::from_okm(&data).0;
             let mut e_u0 = *expected_u0;
             e_u0.reverse();
             let mut e_u1 = *expected_u1;
             e_u1.reverse();
             assert_eq!(u0.to_bytes(), e_u0);
             expander.fill_bytes(&mut data);
-            // TODO: This should be `Curve448FieldElement`.
-            let u1 = Ed448FieldElement::from_okm(&data).0;
+            let u1 = FieldElementU84::from_okm(&data).0;
             assert_eq!(u1.to_bytes(), e_u1);
         }
     }
@@ -514,14 +512,14 @@ mod tests {
             .unwrap();
             let mut data = Array::<u8, U84>::default();
             expander.fill_bytes(&mut data);
-            let u0 = Ed448FieldElement::from_okm(&data).0;
+            let u0 = FieldElementU84::from_okm(&data).0;
             let mut e_u0 = *expected_u0;
             e_u0.reverse();
             let mut e_u1 = *expected_u1;
             e_u1.reverse();
             assert_eq!(u0.to_bytes(), e_u0);
             expander.fill_bytes(&mut data);
-            let u1 = Ed448FieldElement::from_okm(&data).0;
+            let u1 = FieldElementU84::from_okm(&data).0;
             assert_eq!(u1.to_bytes(), e_u1);
         }
     }
diff --git a/ed448-goldilocks/src/field/scalar.rs b/ed448-goldilocks/src/field/scalar.rs
@@ -13,8 +13,8 @@ use elliptic_curve::{
         Array, ArraySize,
         typenum::{Prod, Unsigned},
     },
-    bigint::{Limb, NonZero, U448, U896, Word, Zero},
-    consts::U2,
+    bigint::{Limb, NonZero, U448, U704, U896, Word, Zero},
+    consts::{U2, U84, U88},
     ff::{Field, helpers},
     ops::{Invert, Reduce, ReduceNonZero},
     scalar::{FromUintUnchecked, IsHigh},
@@ -826,4 +826,18 @@ impl<C: CurveWithScalar> Scalar<C> {
     pub fn to_scalar<O: CurveWithScalar>(&self) -> Scalar<O> {
         Scalar::new(self.scalar)
     }
+
+    pub(crate) fn from_okm_u84(data: &Array<u8, U84>) -> Self {
+        const SEMI_WIDE_MODULUS: NonZero<U704> = NonZero::<U704>::new_unwrap(U704::from_be_hex(
+            "00000000000000000000000000000000000000000000000000000000000000003fffffffffffffffffffffffffffffffffffffffffffffffffffffff7cca23e9c44edb49aed63690216cc2728dc58f552378c292ab5844f3",
+        ));
+        let mut tmp = Array::<u8, U88>::default();
+        tmp[4..].copy_from_slice(&data[..]);
+
+        let mut num = U704::from_be_slice(&tmp[..]);
+        num %= SEMI_WIDE_MODULUS;
+        let mut words = [0; U448::LIMBS];
+        words.copy_from_slice(&num.to_words()[..U448::LIMBS]);
+        Scalar::new(U448::from_words(words))
+    }
 }
diff --git a/ed448-goldilocks/src/montgomery/scalar.rs b/ed448-goldilocks/src/montgomery/scalar.rs
@@ -1,6 +1,8 @@
+use elliptic_curve::array::Array;
 use elliptic_curve::bigint::{Limb, U448};
-use elliptic_curve::consts::U56;
+use elliptic_curve::consts::{U56, U84};
 use elliptic_curve::scalar::FromUintUnchecked;
+use hash2curve::FromOkm;
 use subtle::{Choice, CtOption};
 
 use crate::field::{CurveWithScalar, NZ_ORDER, ScalarBytes, WideScalarBytes};
@@ -64,6 +66,14 @@ impl From<&MontgomeryScalar> for elliptic_curve::scalar::ScalarBits<Curve448> {
     }
 }
 
+impl FromOkm for MontgomeryScalar {
+    type Length = U84;
+
+    fn from_okm(data: &Array<u8, Self::Length>) -> Self {
+        Self::from_okm_u84(data)
+    }
+}
+
 #[cfg(test)]
 mod test {
     use super::*;
