elliptic-curve: add scalar::IsHigh trait (#814)

Adds a trait for determining if a given scalar is larger than the order divided by 2. This is useful for "normalization" use cases such as low-S normalized ECDSA signatures, where a scalar is conditionally negated if "high".
RustCrypto · Nov 17, 2021 · 0b26502 · 0b26502
1 parent 5c7394c
commit 0b26502
Show file tree

Hide file tree

Showing 6 changed files with 38 additions and 8 deletions.
diff --git a/elliptic-curve/Cargo.lock b/elliptic-curve/Cargo.lock
diff --git a/elliptic-curve/src/arithmetic.rs b/elliptic-curve/src/arithmetic.rs
@@ -1,6 +1,6 @@
 //! Elliptic curve arithmetic traits.
 
-use crate::{Curve, FieldBytes, PrimeCurve, ScalarCore};
+use crate::{Curve, FieldBytes, IsHigh, PrimeCurve, ScalarCore};
 use core::fmt::Debug;
 use subtle::{ConditionallySelectable, ConstantTimeEq};
 use zeroize::DefaultIsZeroes;
@@ -77,6 +77,7 @@ pub trait ScalarArithmetic: Curve {
         + From<ScalarCore<Self>>
         + Into<FieldBytes<Self>>
         + Into<Self::UInt>
+        + IsHigh
         + ff::Field
         + ff::PrimeField<Repr = FieldBytes<Self>>;
 }
diff --git a/elliptic-curve/src/dev.rs b/elliptic-curve/src/dev.rs
@@ -12,7 +12,7 @@ use crate::{
     sec1::{FromEncodedPoint, ToEncodedPoint},
     subtle::{Choice, ConditionallySelectable, ConstantTimeEq, CtOption},
     zeroize::DefaultIsZeroes,
-    AffineArithmetic, AlgorithmParameters, Curve, PrimeCurve, ProjectiveArithmetic,
+    AffineArithmetic, AlgorithmParameters, Curve, IsHigh, PrimeCurve, ProjectiveArithmetic,
     ScalarArithmetic,
 };
 use core::{
@@ -346,6 +346,12 @@ impl From<&Scalar> for FieldBytes {
     }
 }
 
+impl IsHigh for Scalar {
+    fn is_high(&self) -> Choice {
+        self.0.is_high()
+    }
+}
+
 /// Example affine point type
 #[derive(Clone, Copy, Debug, Eq, PartialEq)]
 pub enum AffinePoint {

diff --git a/elliptic-curve/src/lib.rs b/elliptic-curve/src/lib.rs
@@ -79,7 +79,7 @@ mod jwk;
 pub use crate::{
     error::{Error, Result},
     point::{DecompactPoint, DecompressPoint, PointCompaction, PointCompression},
-    scalar::core::ScalarCore,
+    scalar::{core::ScalarCore, IsHigh},
     secret_key::SecretKey,
 };
 pub use crypto_bigint as bigint;

diff --git a/elliptic-curve/src/scalar.rs b/elliptic-curve/src/scalar.rs
@@ -1,5 +1,7 @@
 //! Scalar types.
 
+use subtle::Choice;
+
 pub(crate) mod core;
 
 #[cfg(feature = "arithmetic")]
@@ -17,3 +19,14 @@ pub type Scalar<C> = <C as ScalarArithmetic>::Scalar;
 #[cfg(feature = "bits")]
 #[cfg_attr(docsrs, doc(cfg(feature = "bits")))]
 pub type ScalarBits<C> = ff::FieldBits<<Scalar<C> as ff::PrimeFieldBits>::ReprBits>;
+
+/// Is this scalar greater than n / 2?
+///
+/// # Returns
+///
+/// - For scalars 0 through n / 2: `Choice::from(0)`
+/// - For scalars (n / 2) + 1 through n - 1: `Choice::from(1)`
+pub trait IsHigh {
+    /// Is this scalar greater than or equal to n / 2?
+    fn is_high(&self) -> Choice;
+}
diff --git a/elliptic-curve/src/scalar/core.rs b/elliptic-curve/src/scalar/core.rs
@@ -7,7 +7,7 @@ use crate::{
         Choice, ConditionallySelectable, ConstantTimeEq, ConstantTimeGreater, ConstantTimeLess,
         CtOption,
     },
-    Curve, Error, FieldBytes, Result,
+    Curve, Error, FieldBytes, IsHigh, Result,
 };
 use core::{
     cmp::Ordering,
@@ -337,3 +337,13 @@ where
         -*self
     }
 }
+
+impl<C> IsHigh for ScalarCore<C>
+where
+    C: Curve,
+{
+    fn is_high(&self) -> Choice {
+        let n_2 = C::ORDER >> 1;
+        self.inner.ct_gt(&n_2)
+    }
+}