dalek-cryptography · kayabaNerve · Jul 12, 2025 · Sep 3, 2025 · Sep 3, 2025 · Sep 3, 2025
diff --git a/curve25519-dalek/Cargo.toml b/curve25519-dalek/Cargo.toml
@@ -68,6 +68,7 @@ serde = { version = "1.0", default-features = false, optional = true, features =
     "derive",
 ] }
 zeroize = { version = "1", default-features = false, optional = true }
+typenum = { version = "1", default-features = false, optional = true }
 
 [target.'cfg(target_arch = "x86_64")'.dependencies]
 cpufeatures = "0.2.17"
@@ -80,6 +81,7 @@ default = ["alloc", "precomputed-tables", "zeroize"]
 alloc = ["zeroize?/alloc"]
 precomputed-tables = []
 legacy_compatibility = []
+hazmat = ["rand_core", "ff", "typenum"]
 group = ["dep:group", "rand_core"]
 group-bits = ["group", "ff/bits"]
 digest = ["dep:digest"]

diff --git a/curve25519-dalek/README.md b/curve25519-dalek/README.md
@@ -55,8 +55,9 @@ curve25519-dalek = ">= 5.0, < 5.2"
 | `digest`           |          | Enables `RistrettoPoint::{from_hash, hash_from_bytes}` and `Scalar::{from_hash, hash_from_bytes}`. This is an optional dependency whose version is not subject to SemVer. See [below](#public-api-semver-exemptions) for more details. |
 | `serde`            |          | Enables `serde` serialization/deserialization for all the point and scalar types. |
 | `legacy_compatibility`|       | Enables `Scalar::from_bits`, which allows the user to build unreduced scalars whose arithmetic is broken. Do not use this unless you know what you're doing. |
+| `hazmat`           |          | Enables `FieldElement` satisfying `ff` traits and bespoke traits for lazy reduction |
 | `group`            |          | Enables external `group` and `ff` crate traits. |
-| `group-bits`       |          | Enables `group` and impls `ff::PrimeFieldBits` for `Scalar`.  |
+| `group-bits`       |          | Enables `group` and impls `ff::PrimeFieldBits` for `Scalar`, and `FieldElement` if `hazmat`. |
 
 To disable the default features when using `curve25519-dalek` as a dependency,
 add `default-features = false` to the dependency in your `Cargo.toml`. To

diff --git a/curve25519-dalek/src/backend/serial/fiat_u32/field.rs b/curve25519-dalek/src/backend/serial/fiat_u32/field.rs
@@ -70,14 +70,20 @@ impl Zeroize for FieldElement2625 {
     }
 }
 
-impl<'b> AddAssign<&'b FieldElement2625> for FieldElement2625 {
-    fn add_assign(&mut self, rhs: &'b FieldElement2625) {
+impl FieldElement2625 {
+    pub(crate) const fn const_add_assign(&mut self, rhs: &FieldElement2625) {
         let mut result_loose = fiat_25519_loose_field_element([0; 10]);
         fiat_25519_add(&mut result_loose, &self.0, &rhs.0);
         fiat_25519_carry(&mut self.0, &result_loose);
     }
 }
 
+impl<'b> AddAssign<&'b FieldElement2625> for FieldElement2625 {
+    fn add_assign(&mut self, rhs: &'b FieldElement2625) {
+        self.const_add_assign(rhs)
+    }
+}
+
 impl<'a, 'b> Add<&'b FieldElement2625> for &'a FieldElement2625 {
     type Output = FieldElement2625;
     fn add(self, rhs: &'b FieldElement2625) -> FieldElement2625 {
@@ -118,9 +124,8 @@ impl<'b> MulAssign<&'b FieldElement2625> for FieldElement2625 {
     }
 }
 
-impl<'a, 'b> Mul<&'b FieldElement2625> for &'a FieldElement2625 {
-    type Output = FieldElement2625;
-    fn mul(self, rhs: &'b FieldElement2625) -> FieldElement2625 {
+impl FieldElement2625 {
+    pub(crate) const fn const_mul(&self, rhs: &FieldElement2625) -> FieldElement2625 {
         let mut self_loose = fiat_25519_loose_field_element([0; 10]);
         fiat_25519_relax(&mut self_loose, &self.0);
         let mut rhs_loose = fiat_25519_loose_field_element([0; 10]);
@@ -131,6 +136,13 @@ impl<'a, 'b> Mul<&'b FieldElement2625> for &'a FieldElement2625 {
     }
 }
 
+impl<'a, 'b> Mul<&'b FieldElement2625> for &'a FieldElement2625 {
+    type Output = FieldElement2625;
+    fn mul(self, rhs: &'b FieldElement2625) -> FieldElement2625 {
+        self.const_mul(rhs)
+    }
+}
+
 impl<'a> Neg for &'a FieldElement2625 {
     type Output = FieldElement2625;
     fn neg(self) -> FieldElement2625 {
@@ -241,7 +253,7 @@ impl FieldElement2625 {
 
     /// Serialize this `FieldElement51` to a 32-byte array.  The
     /// encoding is canonical.
-    pub fn to_bytes(self) -> [u8; 32] {
+    pub const fn to_bytes(self) -> [u8; 32] {
         let mut bytes = [0u8; 32];
         fiat_25519_to_bytes(&mut bytes, &self.0);
         bytes
@@ -269,3 +281,8 @@ impl FieldElement2625 {
         output
     }
 }
+
+#[cfg(feature = "hazmat")]
+impl crate::hazmat::UnderlyingCapacity for FieldElement2625 {
+    type Capacity = typenum::U3;
+}
diff --git a/curve25519-dalek/src/backend/serial/fiat_u64/field.rs b/curve25519-dalek/src/backend/serial/fiat_u64/field.rs
@@ -59,14 +59,20 @@ impl Zeroize for FieldElement51 {
     }
 }
 
-impl<'b> AddAssign<&'b FieldElement51> for FieldElement51 {
-    fn add_assign(&mut self, rhs: &'b FieldElement51) {
+impl FieldElement51 {
+    pub(crate) const fn const_add_assign(&mut self, rhs: &FieldElement51) {
         let mut result_loose = fiat_25519_loose_field_element([0; 5]);
         fiat_25519_add(&mut result_loose, &self.0, &rhs.0);
         fiat_25519_carry(&mut self.0, &result_loose);
     }
 }
 
+impl<'b> AddAssign<&'b FieldElement51> for FieldElement51 {
+    fn add_assign(&mut self, rhs: &'b FieldElement51) {
+        self.const_add_assign(rhs)
+    }
+}
+
 impl<'a, 'b> Add<&'b FieldElement51> for &'a FieldElement51 {
     type Output = FieldElement51;
     fn add(self, rhs: &'b FieldElement51) -> FieldElement51 {
@@ -107,9 +113,8 @@ impl<'b> MulAssign<&'b FieldElement51> for FieldElement51 {
     }
 }
 
-impl<'a, 'b> Mul<&'b FieldElement51> for &'a FieldElement51 {
-    type Output = FieldElement51;
-    fn mul(self, rhs: &'b FieldElement51) -> FieldElement51 {
+impl FieldElement51 {
+    pub(crate) const fn const_mul(&self, rhs: &FieldElement51) -> FieldElement51 {
         let mut self_loose = fiat_25519_loose_field_element([0; 5]);
         fiat_25519_relax(&mut self_loose, &self.0);
         let mut rhs_loose = fiat_25519_loose_field_element([0; 5]);
@@ -120,6 +125,13 @@ impl<'a, 'b> Mul<&'b FieldElement51> for &'a FieldElement51 {
     }
 }
 
+impl<'a, 'b> Mul<&'b FieldElement51> for &'a FieldElement51 {
+    type Output = FieldElement51;
+    fn mul(self, rhs: &'b FieldElement51) -> FieldElement51 {
+        self.const_mul(rhs)
+    }
+}
+
 impl<'a> Neg for &'a FieldElement51 {
     type Output = FieldElement51;
     fn neg(self) -> FieldElement51 {
@@ -218,7 +230,7 @@ impl FieldElement51 {
 
     /// Serialize this `FieldElement51` to a 32-byte array.  The
     /// encoding is canonical.
-    pub fn to_bytes(self) -> [u8; 32] {
+    pub const fn to_bytes(self) -> [u8; 32] {
         let mut bytes = [0u8; 32];
         fiat_25519_to_bytes(&mut bytes, &self.0);
         bytes
@@ -260,3 +272,8 @@ impl FieldElement51 {
         output
     }
 }
+
+#[cfg(feature = "hazmat")]
+impl crate::hazmat::UnderlyingCapacity for FieldElement51 {
+    type Capacity = typenum::U8;
+}