threshold_pairing/

into_fr.rs

use super::Scalar;
use crate::error::{Error, Result};
use ff::Field;

/// A conversion into an element of the scalar field.
pub trait IntoScalar: Copy {
    /// Converts `self` to a field element.
    fn into_scalar(self) -> Scalar;
}

impl IntoScalar for Scalar {
    fn into_scalar(self) -> Scalar {
        self
    }
}

impl IntoScalar for u64 {
    fn into_scalar(self) -> Scalar {
        Scalar::from(self)
    }
}

impl IntoScalar for usize {
    fn into_scalar(self) -> Scalar {
        (self as u64).into_scalar()
    }
}

impl IntoScalar for i32 {
    fn into_scalar(self) -> Scalar {
        if self >= 0 {
            (self as u64).into_scalar()
        } else {
            // Use wrapping_neg to correctly handle i32::MIN
            // i32::MIN.wrapping_neg() as u64 gives the correct absolute value
            let abs_val = (self as i64).wrapping_neg() as u64;
            abs_val.into_scalar().neg()
        }
    }
}

impl IntoScalar for i64 {
    fn into_scalar(self) -> Scalar {
        if self >= 0 {
            (self as u64).into_scalar()
        } else {
            // Use wrapping_neg to correctly handle i64::MIN
            // i64::MIN.wrapping_neg() as u64 gives 2^63, the correct absolute value
            let abs_val = (self as u64).wrapping_neg();
            abs_val.into_scalar().neg()
        }
    }
}

impl<T: IntoScalar> IntoScalar for &T {
    fn into_scalar(self) -> Scalar {
        (*self).into_scalar()
    }
}

/// A safe conversion into a *non-zero* scalar field element, suitable for use as a share index.
///
/// This trait is the required bound for all share-index parameters (e.g.
/// [`SecretKeySet::secret_key_share`](crate::SecretKeySet::secret_key_share) and
/// [`PublicKeySet::public_key_share`](crate::PublicKeySet::public_key_share)).
///
/// # Security
///
/// Share indices are mapped to scalar field elements via `index + 1`. If the resulting
/// scalar is zero — which happens when a signed index value such as `-1i32` is used —
/// the evaluation point equals `poly(0)`, i.e. the **master secret key**. This trait
/// enforces that the post-mapping scalar is non-zero, preventing that attack.
///
/// For all unsigned types (`u64`, `usize`, `Scalar`) the check is statically guaranteed
/// to succeed and the blanket implementation returns `Ok` without runtime overhead.
pub trait TryIntoScalarSafe: Copy {
    /// Converts `self` to a scalar, returning `Err(Error::IndexMapsToZero)` if the
    /// conversion would produce the zero scalar after the `+ 1` offset applied
    /// by the share-index machinery.
    ///
    /// The check is performed *after* adding 1, so the predicate is:
    /// `self.into_scalar() + 1 != Scalar::zero()`.
    fn try_into_scalar_safe(self) -> Result<Scalar>;
}

/// Blanket implementation for all types that already implement [`IntoScalar`].
///
/// For unsigned types the `+ 1` offset can never produce zero (since the only way
/// to get zero is `x + 1 ≡ 0 (mod p)`, i.e. `x = p - 1`, which is representable
/// only as a `Scalar` value, not as a `u64`/`usize`). We still perform the runtime
/// check so that callers who provide a raw `Scalar` equal to `p - 1` are caught.
impl<T: IntoScalar> TryIntoScalarSafe for T {
    fn try_into_scalar_safe(self) -> Result<Scalar> {
        let s = self.into_scalar();
        // Compute index + 1 (what the share machinery will use as the evaluation point)
        let eval_point = s + Scalar::one();
        if bool::from(eval_point.is_zero()) {
            return Err(Error::IndexMapsToZero);
        }
        Ok(s)
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use core::ops::Neg;

    #[test]
    fn test_i32_min_does_not_overflow() {
        let scalar = i32::MIN.into_scalar();
        // i32::MIN is -2147483648, so the scalar should be -2147483648 mod p
        // which equals (p - 2147483648)
        let expected = (2147483648u64).into_scalar().neg();
        assert_eq!(scalar, expected);
    }

    #[test]
    fn test_i64_min_does_not_overflow() {
        let scalar = i64::MIN.into_scalar();
        // i64::MIN is -9223372036854775808, so the scalar should be the negation
        // of 2^63 in the field
        let expected = (9223372036854775808u64).into_scalar().neg();
        assert_eq!(scalar, expected);
    }

    #[test]
    fn test_negative_values_correct() {
        // Test that negative values are correctly converted
        let neg_one_i32 = (-1i32).into_scalar();
        let neg_one_i64 = (-1i64).into_scalar();
        let one = 1u64.into_scalar();

        assert_eq!(neg_one_i32, one.neg());
        assert_eq!(neg_one_i64, one.neg());
    }

    // --- TryIntoScalarSafe tests ---

    #[test]
    fn test_safe_negative_one_i32_rejected() {
        // -1i32 maps to p-1, and (p-1) + 1 = p = 0 in the field => must be rejected
        assert_eq!((-1i32).try_into_scalar_safe(), Err(Error::IndexMapsToZero));
    }

    #[test]
    fn test_safe_negative_one_i64_rejected() {
        assert_eq!((-1i64).try_into_scalar_safe(), Err(Error::IndexMapsToZero));
    }

    #[test]
    fn test_safe_unsigned_zero_accepted() {
        // 0u64 + 1 = 1 != 0, must be accepted
        assert!(0u64.try_into_scalar_safe().is_ok());
    }

    #[test]
    fn test_safe_usize_zero_accepted() {
        assert!(0usize.try_into_scalar_safe().is_ok());
    }

    #[test]
    fn test_safe_positive_i32_accepted() {
        assert!(0i32.try_into_scalar_safe().is_ok());
        assert!(1i32.try_into_scalar_safe().is_ok());
        assert!(42i32.try_into_scalar_safe().is_ok());
    }

    #[test]
    fn test_safe_large_negative_i32_accepted() {
        // -2i32 maps to p-2, and (p-2) + 1 = p-1 != 0 => accepted
        assert!((-2i32).try_into_scalar_safe().is_ok());
    }

    #[test]
    fn test_safe_scalar_p_minus_1_rejected() {
        // Scalar equal to p-1 should also be rejected since (p-1)+1 = 0
        let p_minus_1 = Scalar::zero() - Scalar::one();
        assert_eq!(
            p_minus_1.try_into_scalar_safe(),
            Err(Error::IndexMapsToZero)
        );
    }
}