From 70675843d73ba35b7f3572ca9c161e5d657b65fe Mon Sep 17 00:00:00 2001
From: Henry de Valence
Date: Wed, 8 May 2019 21:18:40 -0700
Subject: [PATCH] internal/scalar: add invariant checks on Scalar digits

The digit recoding functions require that the scalar has its high bit unset. We should consider making the Scalar type opaque, as in dalek, to avoid this condition, although I don't know if we can make guarantees in Go.
---
 internal/scalar/scalar.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/internal/scalar/scalar.go b/internal/scalar/scalar.go
index d705388..73254f4 100644
--- a/internal/scalar/scalar.go
+++ b/internal/scalar/scalar.go
@@ -898,6 +898,9 @@ func (s *Scalar) NonAdjacentForm(w uint) [256]int8 {
 // This implementation is adapted from the one
 // in curve25519-dalek and is documented there:
 // https://github.com/dalek-cryptography/curve25519-dalek/blob/f630041af28e9a405255f98a8a93adca18e4315b/src/scalar.rs#L800-L871
+ if s[31] >= 127 {
+ panic("scalar has high bit set illegally")
+ }
 if w < 2 {
 panic("w must be at least 2 by the definition of NAF")
 } else if w > 8 {
@@ -956,6 +959,10 @@ func (s *Scalar) NonAdjacentForm(w uint) [256]int8 {
 }
 
 func (s *Scalar) SignedRadix16() [64]int8 {
+ if s[31] >= 127 {
+ panic("scalar has high bit set illegally")
+ }
+
 var digits [64]int8
 
 // Compute unsigned radix-16 digits:
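Review bot: The added guard `if s[31] >= 127 {` in NonAdjacentForm also rejects a top byte of exactly 127 (0x7F), whose high bit is clear, so the condition is one wider than both the panic text "scalar has high bit set illegally" and the commit message ("high bit unset") describe. If the recoding only needs the scalar to be below 2^255, the comparison should be strict, `if s[31] > 127 {` (equivalently `if s[31]&0x80 != 0 {`); if a tighter bound is really intended, the message should say which bound. Properly reduced scalars presumably have a much smaller top byte, so on valid input the branch is never taken and the data-dependent test should not leak anything, but the check and its message ought to agree. NonAdjacentForm begins before this hunk and its body continues after it.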
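Review bot: The precondition now enforced at the top of SignedRadix16 is not stated in the function's doc comment, and the same three-line check is pasted verbatim into two functions with no shared helper, so a future recoding routine can easily omit it or let the two copies drift. I would document it on the function, e.g. `// SignedRadix16 panics if bit 255 of the scalar is set; callers must pass a reduced scalar.`, and move the check into one unexported method such as `func (s *Scalar) mustHaveHighBitClear() { if s[31] > 127 { panic("scalar has high bit set illegally") } }` that both recoding functions call. Note the strict comparison in that helper: a top byte of 127 has bit 255 clear, which the pasted `>= 127` would wrongly reject. SignedRadix16's body continues past the end of this hunk.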