1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
//! Field arithmetic modulo p = 2^256 - 2^32 - 2^9 - 2^8 - 2^7 - 2^6 - 2^4 - 1
#[cfg(target_pointer_width = "32")]
mod field_10x26;
#[cfg(all(target_pointer_width = "32", not(debug_assertions)))]
use field_10x26::FieldElement10x26 as FieldElementImpl;
#[cfg(target_pointer_width = "64")]
mod field_5x52;
#[cfg(all(target_pointer_width = "64", not(debug_assertions)))]
use field_5x52::FieldElement5x52 as FieldElementImpl;
#[cfg(debug_assertions)]
mod field_impl;
#[cfg(debug_assertions)]
use field_impl::FieldElementImpl;
use super::FieldBytes;
use core::ops::{Add, AddAssign, Mul, MulAssign, Neg, Sub, SubAssign};
use subtle::{Choice, ConditionallySelectable, ConstantTimeEq, CtOption};
/// An element in the finite field used for curve coordinates.
#[derive(Clone, Copy, Debug)]
pub struct FieldElement(FieldElementImpl);
impl FieldElement {
/// Zero element.
pub const ZERO: Self = Self(FieldElementImpl::zero());
/// Multiplicative identity.
pub const ONE: Self = Self(FieldElementImpl::one());
/// Determine if this `FieldElement` is zero.
///
/// # Returns
///
/// If zero, return `Choice(1)`. Otherwise, return `Choice(0)`.
pub fn is_zero(&self) -> Choice {
self.0.is_zero()
}
/// Determine if this `FieldElement` is even in the SEC1 sense: `self mod 2 == 0`.
///
/// # Returns
///
/// If even, return `Choice(1)`. Otherwise, return `Choice(0)`.
pub fn is_even(&self) -> Choice {
!self.0.is_odd()
}
/// Determine if this `FieldElement` is odd in the SEC1 sense: `self mod 2 == 1`.
///
/// # Returns
///
/// If odd, return `Choice(1)`. Otherwise, return `Choice(0)`.
pub fn is_odd(&self) -> Choice {
self.0.is_odd()
}
/// Attempts to parse the given byte array as an SEC1-encoded field element.
/// Does not check the result for being in the correct range.
pub(crate) const fn from_bytes_unchecked(bytes: &[u8; 32]) -> Self {
Self(FieldElementImpl::from_bytes_unchecked(bytes))
}
/// Attempts to parse the given byte array as an SEC1-encoded field element.
///
/// Returns None if the byte array does not contain a big-endian integer in the range
/// [0, p).
pub fn from_bytes(bytes: &FieldBytes) -> CtOption<Self> {
FieldElementImpl::from_bytes(bytes).map(Self)
}
/// Returns the SEC1 encoding of this field element.
pub fn to_bytes(self) -> FieldBytes {
self.0.normalize().to_bytes()
}
/// Returns -self, treating it as a value of given magnitude.
/// The provided magnitude must be equal or greater than the actual magnitude of `self`.
pub fn negate(&self, magnitude: u32) -> Self {
Self(self.0.negate(magnitude))
}
/// Fully normalizes the field element.
/// Brings the magnitude to 1 and modulo reduces the value.
pub fn normalize(&self) -> Self {
Self(self.0.normalize())
}
/// Weakly normalizes the field element.
/// Brings the magnitude to 1, but does not guarantee the value to be less than the modulus.
pub fn normalize_weak(&self) -> Self {
Self(self.0.normalize_weak())
}
/// Checks if the field element becomes zero if normalized.
pub fn normalizes_to_zero(&self) -> Choice {
self.0.normalizes_to_zero()
}
/// Multiplies by a single-limb integer.
/// Multiplies the magnitude by the same value.
pub fn mul_single(&self, rhs: u32) -> Self {
Self(self.0.mul_single(rhs))
}
/// Returns 2*self.
/// Doubles the magnitude.
pub fn double(&self) -> Self {
Self(self.0.add(&(self.0)))
}
/// Returns self * rhs mod p
/// Brings the magnitude to 1 (but doesn't normalize the result).
/// The magnitudes of arguments should be <= 8.
pub fn mul(&self, rhs: &Self) -> Self {
Self(self.0.mul(&(rhs.0)))
}
/// Returns self * self.
///
/// Brings the magnitude to 1 (but doesn't normalize the result).
/// The magnitudes of arguments should be <= 8.
pub fn square(&self) -> Self {
Self(self.0.square())
}
/// Raises the scalar to the power `2^k`
pub(crate) fn pow2k(&self, k: usize) -> Self {
let mut x = *self;
for _j in 0..k {
x = x.square();
}
x
}
/// Returns the multiplicative inverse of self, if self is non-zero.
/// The result has magnitude 1, but is not normalized.
pub fn invert(&self) -> CtOption<Self> {
// The binary representation of (p - 2) has 5 blocks of 1s, with lengths in
// { 1, 2, 22, 223 }. Use an addition chain to calculate 2^n - 1 for each block:
// [1], [2], 3, 6, 9, 11, [22], 44, 88, 176, 220, [223]
let x2 = self.pow2k(1).mul(self);
let x3 = x2.pow2k(1).mul(self);
let x6 = x3.pow2k(3).mul(&x3);
let x9 = x6.pow2k(3).mul(&x3);
let x11 = x9.pow2k(2).mul(&x2);
let x22 = x11.pow2k(11).mul(&x11);
let x44 = x22.pow2k(22).mul(&x22);
let x88 = x44.pow2k(44).mul(&x44);
let x176 = x88.pow2k(88).mul(&x88);
let x220 = x176.pow2k(44).mul(&x44);
let x223 = x220.pow2k(3).mul(&x3);
// The final result is then assembled using a sliding window over the blocks.
let res = x223
.pow2k(23)
.mul(&x22)
.pow2k(5)
.mul(self)
.pow2k(3)
.mul(&x2)
.pow2k(2)
.mul(self);
CtOption::new(res, !self.normalizes_to_zero())
}
/// Returns the square root of self mod p, or `None` if no square root exists.
/// The result has magnitude 1, but is not normalized.
pub fn sqrt(&self) -> CtOption<Self> {
/*
Given that p is congruent to 3 mod 4, we can compute the square root of
a mod p as the (p+1)/4'th power of a.
As (p+1)/4 is an even number, it will have the same result for a and for
(-a). Only one of these two numbers actually has a square root however,
so we test at the end by squaring and comparing to the input.
Also because (p+1)/4 is an even number, the computed square root is
itself always a square (a ** ((p+1)/4) is the square of a ** ((p+1)/8)).
*/
// The binary representation of (p + 1)/4 has 3 blocks of 1s, with lengths in
// { 2, 22, 223 }. Use an addition chain to calculate 2^n - 1 for each block:
// 1, [2], 3, 6, 9, 11, [22], 44, 88, 176, 220, [223]
let x2 = self.pow2k(1).mul(self);
let x3 = x2.pow2k(1).mul(self);
let x6 = x3.pow2k(3).mul(&x3);
let x9 = x6.pow2k(3).mul(&x3);
let x11 = x9.pow2k(2).mul(&x2);
let x22 = x11.pow2k(11).mul(&x11);
let x44 = x22.pow2k(22).mul(&x22);
let x88 = x44.pow2k(44).mul(&x44);
let x176 = x88.pow2k(88).mul(&x88);
let x220 = x176.pow2k(44).mul(&x44);
let x223 = x220.pow2k(3).mul(&x3);
// The final result is then assembled using a sliding window over the blocks.
let res = x223.pow2k(23).mul(&x22).pow2k(6).mul(&x2).pow2k(2);
let is_root = (res.mul(&res).negate(1) + self).normalizes_to_zero();
// Only return Some if it's the square root.
CtOption::new(res, is_root)
}
}
impl ConditionallySelectable for FieldElement {
fn conditional_select(a: &Self, b: &Self, choice: Choice) -> Self {
Self(FieldElementImpl::conditional_select(&(a.0), &(b.0), choice))
}
}
impl ConstantTimeEq for FieldElement {
fn ct_eq(&self, other: &Self) -> Choice {
self.0.ct_eq(&(other.0))
}
}
impl Default for FieldElement {
fn default() -> Self {
Self::ZERO
}
}
impl Eq for FieldElement {}
impl PartialEq for FieldElement {
fn eq(&self, other: &Self) -> bool {
self.0.ct_eq(&(other.0)).into()
}
}
impl Add<FieldElement> for FieldElement {
type Output = FieldElement;
fn add(self, other: FieldElement) -> FieldElement {
FieldElement(self.0.add(&(other.0)))
}
}
impl Add<&FieldElement> for FieldElement {
type Output = FieldElement;
fn add(self, other: &FieldElement) -> FieldElement {
FieldElement(self.0.add(&(other.0)))
}
}
impl Add<&FieldElement> for &FieldElement {
type Output = FieldElement;
fn add(self, other: &FieldElement) -> FieldElement {
FieldElement(self.0.add(&(other.0)))
}
}
impl AddAssign<FieldElement> for FieldElement {
fn add_assign(&mut self, other: FieldElement) {
*self = *self + &other;
}
}
impl AddAssign<&FieldElement> for FieldElement {
fn add_assign(&mut self, other: &FieldElement) {
*self = *self + other;
}
}
impl Sub<FieldElement> for FieldElement {
type Output = FieldElement;
fn sub(self, other: FieldElement) -> FieldElement {
self + -other
}
}
impl Sub<&FieldElement> for FieldElement {
type Output = FieldElement;
fn sub(self, other: &FieldElement) -> FieldElement {
self + -other
}
}
impl SubAssign<FieldElement> for FieldElement {
fn sub_assign(&mut self, other: FieldElement) {
*self = *self + -other;
}
}
impl SubAssign<&FieldElement> for FieldElement {
fn sub_assign(&mut self, other: &FieldElement) {
*self = *self + -other;
}
}
impl Mul<FieldElement> for FieldElement {
type Output = FieldElement;
fn mul(self, other: FieldElement) -> FieldElement {
FieldElement(self.0.mul(&(other.0)))
}
}
impl Mul<&FieldElement> for FieldElement {
type Output = FieldElement;
fn mul(self, other: &FieldElement) -> FieldElement {
FieldElement(self.0.mul(&(other.0)))
}
}
impl Mul<&FieldElement> for &FieldElement {
type Output = FieldElement;
fn mul(self, other: &FieldElement) -> FieldElement {
FieldElement(self.0.mul(&(other.0)))
}
}
impl MulAssign<FieldElement> for FieldElement {
fn mul_assign(&mut self, rhs: FieldElement) {
*self = *self * &rhs;
}
}
impl MulAssign<&FieldElement> for FieldElement {
fn mul_assign(&mut self, rhs: &FieldElement) {
*self = *self * rhs;
}
}
impl Neg for FieldElement {
type Output = FieldElement;
fn neg(self) -> FieldElement {
self.negate(1)
}
}
impl Neg for &FieldElement {
type Output = FieldElement;
fn neg(self) -> FieldElement {
self.negate(1)
}
}