Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

impl (From<u32>, Hash, Ord, Product) for Scalar #52

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

impl (From<u32>, Hash, Ord, Product) for Scalar #52

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
3e24b43
impl (From<u32>, Hash, Ord) for Scalar
A-Manning Dec 18, 2020
b888cbf
impl Product for Scalar
A-Manning Jan 7, 2021
b5ef8e2
Fix Ord impl and add montgomery repr test
A-Manning Jan 27, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions src/g1.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1538,7 +1538,7 @@ fn test_mul_by_x() {
};
assert_eq!(generator.mul_by_x(), generator * x);

let point = G1Projective::generator() * Scalar::from(42);
let point = G1Projective::generator() * Scalar::from(42u64);
assert_eq!(point.mul_by_x(), point * x);
}

Expand Down Expand Up @@ -1588,7 +1588,7 @@ fn test_clear_cofactor() {

// in BLS12-381 the cofactor in G1 can be
// cleared multiplying by (1-x)
let h_eff = Scalar::from(1) + Scalar::from(crate::BLS_X);
let h_eff = Scalar::from(1u64) + Scalar::from(crate::BLS_X);
assert_eq!(point.clear_cofactor(), point * h_eff);
}

Expand Down
2 changes: 1 addition & 1 deletion src/g2.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1883,7 +1883,7 @@ fn test_mul_by_x() {
};
assert_eq!(generator.mul_by_x(), generator * x);

let point = G2Projective::generator() * Scalar::from(42);
let point = G2Projective::generator() * Scalar::from(42u64);
assert_eq!(point.mul_by_x(), point * x);
}

Expand Down
64 changes: 63 additions & 1 deletion src/scalar.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ use crate::util::{adc, mac, sbb};
// The internal representation of this type is four 64-bit unsigned
// integers in little-endian order. `Scalar` values are always in
// Montgomery form; i.e., Scalar(a) = aR mod q, with R = 2^256.
#[derive(Clone, Copy, Eq)]
#[derive(Clone, Copy, Eq, Hash)]
pub struct Scalar(pub(crate) [u64; 4]);

impl fmt::Debug for Scalar {
Expand All @@ -37,6 +37,12 @@ impl fmt::Display for Scalar {
}
}

impl From<u32> for Scalar {
fn from(val: u32) -> Scalar {
Scalar([val as u64, 0, 0, 0]) * R2
}
}

Comment on lines +40 to +45
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As is visible from other changes in the PR, this decreases usability by requiring the caller to specify the source type (e.g. 5u64.into() instead of 5.into()). I suspect this would be more usable if impl From<u64> for Scalar was replaced with impl From<T: Into<u64>> for Scalar (and it would then also work for any u* type).

impl From<u64> for Scalar {
fn from(val: u64) -> Scalar {
Scalar([val, 0, 0, 0]) * R2
Expand All @@ -59,6 +65,22 @@ impl PartialEq for Scalar {
}
}

impl Ord for Scalar {
fn cmp(&self, other: &Self) -> core::cmp::Ordering {
let mut self_bytes = self.to_bytes();
let mut other_bytes = other.to_bytes();
&self_bytes.reverse();
&other_bytes.reverse();
self_bytes.cmp(&other_bytes)
}
}

impl PartialOrd for Scalar {
fn partial_cmp(&self, other: &Self) -> Option<core::cmp::Ordering> {
Some(self.cmp(other))
}
}
Comment on lines +68 to +82
Copy link
Contributor

@ebfull ebfull Sep 1, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cryptographic structures, in particular finite fields, do not have a total ordering (in the "well acktually" mathematical sense) so I disagree with exposing Ord/PartialOrd when they are in the form of Scalar since they're expected to behave like finite fields. However, obviously we can totally order them when they're represented in serialized form (as this implementation leverages) assuming they're serialized canonically.

If you need Ord for things like a BTreeMap (for example) then the end user should convert it into its serialized form and depend on the total ordering of that instead.


impl ConditionallySelectable for Scalar {
fn conditional_select(a: &Self, b: &Self, choice: Choice) -> Self {
Scalar([
Expand Down Expand Up @@ -786,6 +808,18 @@ where
}
}

impl<T> core::iter::Product<T> for Scalar
where
T: core::borrow::Borrow<Scalar>,
{
fn product<I>(iter: I) -> Self
where
I: Iterator<Item = T>,
{
iter.fold(Self::one(), |acc, item| acc * item.borrow())
}
}

#[test]
fn test_inv() {
// Compute -(q^{-1} mod 2^64) mod 2^64 by exponentiating
Expand Down Expand Up @@ -1231,3 +1265,31 @@ fn test_double() {

assert_eq!(a.double(), a + a);
}

#[test]
fn test_ord() {
assert!(Scalar::one() > Scalar::zero());
A-Manning marked this conversation as resolved.
Show resolved Hide resolved
let x = Scalar::from_raw([
0x0000_0000_0000_0000,
0x0000_0000_0000_0000,
0x1111_1111_1111_1111,
0x1111_1111_1111_1111,
]);
let y = Scalar::from_raw([
0x1111_1111_1111_1111,
0x0000_0000_0000_0000,
0x1111_1111_1111_1111,
0x0000_0000_0000_0000,
]);
assert!(y < x);
}

// Check that Ord is not comparing the Montgomery representations
#[test]
fn test_ord_montgomery() {
/* 4R mod q =
0x6092c566b31415be66313fbfb2f13fd56212dfe8000d200800000007fffffff8
5R mod q =
0x04c9cf6d363b9de5cc83b7a7960bb7c566d9f3df00120c0b0000000afffffff5 */
assert!(Scalar::from(5u32) > Scalar::from(4u32));
}