mirror of https://github.com/gtank/ristretto255
internal/scalar: add invariant checks on Scalar digits
The digit recoding functions require that the scalar has its high bit unset. We should consider making the Scalar type opaque, as in dalek, to avoid this condition, although I don't know if we can make guarantees in Go.
parent
8059980336
commit
70675843d7
|
@ -898,6 +898,9 @@ func (s *Scalar) NonAdjacentForm(w uint) [256]int8 {
|
|||
// This implementation is adapted from the one
|
||||
// in curve25519-dalek and is documented there:
|
||||
// https://github.com/dalek-cryptography/curve25519-dalek/blob/f630041af28e9a405255f98a8a93adca18e4315b/src/scalar.rs#L800-L871
|
||||
if s[31] >= 127 {
|
||||
panic("scalar has high bit set illegally")
|
||||
}
|
||||
if w < 2 {
|
||||
panic("w must be at least 2 by the definition of NAF")
|
||||
} else if w > 8 {
|
||||
|
@ -956,6 +959,10 @@ func (s *Scalar) NonAdjacentForm(w uint) [256]int8 {
|
|||
}
|
||||
|
||||
func (s *Scalar) SignedRadix16() [64]int8 {
|
||||
if s[31] >= 127 {
|
||||
panic("scalar has high bit set illegally")
|
||||
}
|
||||
|
||||
var digits [64]int8
|
||||
|
||||
// Compute unsigned radix-16 digits:
|
||||
|
|
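Review bot: The guard `if s[31] >= 127` in NonAdjacentForm (and the identical one added in SignedRadix16) is one off from the invariant it enforces: byte value 127 (0x7F) has its high bit clear, yet it trips the "scalar has high bit set illegally" panic, so a scalar just below 2^255 is rejected while the message and the commit description only promise to reject the high-bit-set case. The dalek code the comment cites appears to express the same precondition as `self[31] <= 127`, which matches `if s[31] > 127 {` here; I would change both checks to that form. For a canonically reduced scalar mod l the top byte never approaches this range, so the discrepancy presumably only matters for callers passing unreduced 255-bit values — worth confirming against the call sites. Both function bodies continue outside the hunks shown.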