internal/scalar: add invariant checks on Scalar digits

The digit recoding functions require that the scalar has its high bit unset.
We should consider making the Scalar type opaque, as in dalek, to avoid this
condition, although I don't know if we can make guarantees in Go.
This commit is contained in:
Henry de Valence 2019-05-08 21:18:40 -07:00 committed by Filippo Valsorda
parent 8059980336
commit 70675843d7
1 changed files with 7 additions and 0 deletions


@ -898,6 +898,9 @@ func (s *Scalar) NonAdjacentForm(w uint) [256]int8 {
// This implementation is adapted from the one
// in curve25519-dalek and is documented there:
// https://github.com/dalek-cryptography/curve25519-dalek/blob/f630041af28e9a405255f98a8a93adca18e4315b/src/scalar.rs#L800-L871
if s[31] >= 127 {
panic("scalar has high bit set illegally")
}
if w < 2 {
panic("w must be at least 2 by the definition of NAF")
} else if w > 8 {
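Review bot: The new guard `if s[31] >= 127` rejects one more value than its panic message describes — a top byte of exactly 127 has bit 255 clear, so "high bit set" is only true for `s[31] > 127`, which is also the `<= 127` bound I recall the cited dalek source asserting; the identical check reappears in the SignedRadix16 hunk below. Unless the recoding genuinely needs bit 254 clear as well (not visible from the hunk), the condition should read `if s[31] > 127 {`, or the message should state the stricter precondition so the two agree. Because this is a panic rather than an error return, callers that build scalars from externally supplied bytes should reduce them before calling so the invariant cannot be tripped by input a peer controls. NonAdjacentForm starts before the hunk and continues past it.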
@ -956,6 +959,10 @@ func (s *Scalar) NonAdjacentForm(w uint) [256]int8 {
}
func (s *Scalar) SignedRadix16() [64]int8 {
if s[31] >= 127 {
panic("scalar has high bit set illegally")
}
var digits [64]int8
// Compute unsigned radix-16 digits: