1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45

// Copyright 2021 BlockPuppets developers.
//
// Licensed under the Apache License, Version 2.0 <LICENSE-APACHE or
// https://www.apache.org/licenses/LICENSE-2.0> or the MIT license
// <LICENSE-MIT or https://opensource.org/licenses/MIT>, at your
// option. This file may not be copied, modified, or distributed
// except according to those terms.

extern crate core_crypto as core;
#[cfg(feature = "serde")]
extern crate serde_crate as serde;

use anyhow::{bail, Result};

use crate::core::curve25519::scalar::Scalar;

pub use self::cipher::*;
pub use self::keypair::*;

mod cipher;
mod internal_private_key;
mod internal_public_key;
mod internal_signature;
mod keccak_256;
pub mod keypair;

#[inline(always)]
pub(crate) fn check_scalar(bytes: [u8; 32]) -> Result<Scalar> {
    // Since this is only used in signature deserialisation (i.e. upon
    // verification), we can do a "succeed fast" trick by checking that the most
    // significant 4 bits are unset.  If they are unset, we can succeed fast
    // because we are guaranteed that the scalar is fully reduced.  However, if
    // the 4th most significant bit is set, we must do the full reduction check,
    // as the order of the basepoint is roughly a 2^(252.5) bit number.
    //
    // This succeed-fast trick should succeed for roughly half of all scalars.
    if bytes[31] & 240 == 0 {
        return Ok(Scalar::from_bits(bytes));
    }

    match Scalar::from_canonical_bytes(bytes) {
        None => bail!("ScalarFormatError"),
        Some(x) => Ok(x),
    }
}