Implement a constant time Scalar::is_canonical check

Author: elichai

Cargo.toml

@@ -45,7 +45,7 @@ harness = false
 rand_core = { version = "0.5", default-features = false }
 byteorder = { version = "^1.2.3", default-features = false, features = ["i128"] }
 digest = { version = "0.9", default-features = false }
-subtle = { version = "^2.2.1", default-features = false }
+subtle = { version = "^2.4", default-features = false }
 serde = { version = "1.0", default-features = false, optional = true, features = ["derive"] }
 # The original packed_simd package was orphaned, see
 # https://github.com/rust-lang/packed_simd/issues/303#issuecomment-701361161

src/scalar.rs

@@ -157,9 +157,7 @@ use rand_core::{CryptoRng, RngCore};
 use digest::generic_array::typenum::U64;
 use digest::Digest;
 
-use subtle::Choice;
-use subtle::ConditionallySelectable;
-use subtle::ConstantTimeEq;
+use subtle::{Choice, ConstantTimeGreater, ConditionallySelectable, ConstantTimeEq};
 
 use zeroize::Zeroize;
 
@@ -237,9 +235,7 @@ impl Scalar {
     ///   if `bytes` is a canonical byte representation;
     /// - `None` if `bytes` is not a canonical byte representation.
     pub fn from_canonical_bytes(bytes: [u8; 32]) -> Option<Scalar> {
-        // Check that the high bit is not set
-        if (bytes[31] >> 7) != 0u8 { return None; }
-        let candidate = Scalar::from_bits(bytes);
+        let candidate = Scalar{bytes};
 
         if candidate.is_canonical() {
             Some(candidate)
@@ -1127,7 +1123,15 @@ impl Scalar {
     /// # }
     /// ```
     pub fn is_canonical(&self) -> bool {
-        *self == self.reduce()
+        let mut over = Choice::from(0);
+        let mut under = Choice::from(0);
+        for (this, l) in self.unpack().0.iter().zip(&constants::L.0).rev() {
+            let gt = this.ct_gt(&l);
+            let eq = this.ct_eq(&l);
+            under |= (!gt & !eq) &!over;
+            over |= gt;
+        }
+        under.into()
     }
 }