Implement Reduce for MontgomeryScalar

daxpedda · daxpedda · commit a442897756ff · 2025-09-13T15:27:24.000+02:00
diff --git a/ed448-goldilocks/src/edwards/scalar.rs b/ed448-goldilocks/src/edwards/scalar.rs
@@ -2,8 +2,8 @@ use crate::Ed448;
 use crate::field::{CurveWithScalar, ORDER, Scalar, ScalarBytes, WideScalarBytes};
 
 use elliptic_curve::array::Array;
-use elliptic_curve::bigint::{Limb, NonZero, U448, U704};
-use elliptic_curve::consts::{U57, U84, U88};
+use elliptic_curve::bigint::{Limb, U448};
+use elliptic_curve::consts::{U57, U84};
 use elliptic_curve::ops::Reduce;
 use elliptic_curve::scalar::FromUintUnchecked;
 use subtle::{Choice, CtOption};
@@ -84,17 +84,7 @@ impl From<&EdwardsScalar> for elliptic_curve::scalar::ScalarBits<Ed448> {
 
 impl Reduce<Array<u8, U84>> for EdwardsScalar {
     fn reduce(value: &Array<u8, U84>) -> Self {
-        const SEMI_WIDE_MODULUS: NonZero<U704> = NonZero::<U704>::new_unwrap(U704::from_be_hex(
-            "00000000000000000000000000000000000000000000000000000000000000003fffffffffffffffffffffffffffffffffffffffffffffffffffffff7cca23e9c44edb49aed63690216cc2728dc58f552378c292ab5844f3",
-        ));
-        let mut tmp = Array::<u8, U88>::default();
-        tmp[4..].copy_from_slice(&value[..]);
-
-        let mut num = U704::from_be_slice(&tmp[..]);
-        num %= SEMI_WIDE_MODULUS;
-        let mut words = [0; U448::LIMBS];
-        words.copy_from_slice(&num.to_words()[..U448::LIMBS]);
-        Scalar::new(U448::from_words(words))
+        Self::from_okm_u84(value)
     }
 }
 
diff --git a/ed448-goldilocks/src/field/element.rs b/ed448-goldilocks/src/field/element.rs
@@ -531,15 +531,13 @@ mod tests {
             .unwrap();
             let mut data = Array::<u8, U84>::default();
             expander.fill_bytes(&mut data).unwrap();
-            // TODO: This should be `Curve448FieldElement`.
             let u0 = FieldElement::reduce(&data);
             let mut e_u0 = *expected_u0;
             e_u0.reverse();
             let mut e_u1 = *expected_u1;
             e_u1.reverse();
             assert_eq!(u0.to_bytes(), e_u0);
             expander.fill_bytes(&mut data).unwrap();
-            // TODO: This should be `Curve448FieldElement`.
             let u1 = FieldElement::reduce(&data);
             assert_eq!(u1.to_bytes(), e_u1);
         }
diff --git a/ed448-goldilocks/src/field/scalar.rs b/ed448-goldilocks/src/field/scalar.rs
@@ -13,8 +13,8 @@ use elliptic_curve::{
         Array, ArraySize,
         typenum::{Prod, Unsigned},
     },
-    bigint::{Integer, Limb, U448, U896, Word, Zero},
-    consts::U2,
+    bigint::{Integer, Limb, NonZero, U448, U704, U896, Word, Zero},
+    consts::{U2, U84, U88},
     ff::{Field, helpers},
     ops::{Invert, Reduce, ReduceNonZero},
     scalar::{FromUintUnchecked, IsHigh},
@@ -815,4 +815,18 @@ impl<C: CurveWithScalar> Scalar<C> {
     pub fn to_scalar<O: CurveWithScalar>(&self) -> Scalar<O> {
         Scalar::new(self.scalar)
     }
+
+    pub(crate) fn from_okm_u84(data: &Array<u8, U84>) -> Self {
+        const SEMI_WIDE_MODULUS: NonZero<U704> = NonZero::<U704>::new_unwrap(U704::from_be_hex(
+            "00000000000000000000000000000000000000000000000000000000000000003fffffffffffffffffffffffffffffffffffffffffffffffffffffff7cca23e9c44edb49aed63690216cc2728dc58f552378c292ab5844f3",
+        ));
+        let mut tmp = Array::<u8, U88>::default();
+        tmp[4..].copy_from_slice(&data[..]);
+
+        let mut num = U704::from_be_slice(&tmp[..]);
+        num %= SEMI_WIDE_MODULUS;
+        let mut words = [0; U448::LIMBS];
+        words.copy_from_slice(&num.to_words()[..U448::LIMBS]);
+        Scalar::new(U448::from_words(words))
+    }
 }
diff --git a/ed448-goldilocks/src/lib.rs b/ed448-goldilocks/src/lib.rs
@@ -189,7 +189,7 @@ impl Curve for Curve448 {
     type FieldBytesSize = U56;
     type Uint = U448;
 
-    const ORDER: NonZero<U448> = ORDER;
+    const ORDER: Odd<U448> = ORDER;
 }
 
 impl PrimeCurve for Curve448 {}
diff --git a/ed448-goldilocks/src/montgomery/scalar.rs b/ed448-goldilocks/src/montgomery/scalar.rs
@@ -1,5 +1,7 @@
+use elliptic_curve::array::Array;
 use elliptic_curve::bigint::{Limb, U448};
-use elliptic_curve::consts::U56;
+use elliptic_curve::consts::{U56, U84};
+use elliptic_curve::ops::Reduce;
 use elliptic_curve::scalar::FromUintUnchecked;
 use subtle::{Choice, CtOption};
 
@@ -14,7 +16,7 @@ impl CurveWithScalar for Curve448 {
             U448::from_le_slice(&input[..56]),
             U448::from_le_slice(&input[56..112]),
         );
-        Scalar::new(U448::rem_wide_vartime(value, &ORDER))
+        Scalar::new(U448::rem_wide_vartime(value, ORDER.as_nz_ref()))
     }
 
     fn from_canonical_bytes(bytes: &ScalarBytes<Self>) -> subtle::CtOption<Scalar<Self>> {
@@ -64,6 +66,12 @@ impl From<&MontgomeryScalar> for elliptic_curve::scalar::ScalarBits<Curve448> {
     }
 }
 
+impl Reduce<Array<u8, U84>> for MontgomeryScalar {
+    fn reduce(value: &Array<u8, U84>) -> Self {
+        Self::from_okm_u84(value)
+    }
+}
+
 #[cfg(test)]
 mod test {
     use super::*;

Original file line number	Diff line number	Diff line change
`@@ -189,7 +189,7 @@ impl Curve for Curve448 {`
`189`	`189`	`type FieldBytesSize = U56;`
`190`	`190`	`type Uint = U448;`
`191`	`191`
`192`		`- const ORDER: NonZero<U448> = ORDER;`
	`192`	`+ const ORDER: Odd<U448> = ORDER;`
`193`	`193`	`}`
`194`	`194`
`195`	`195`	`impl PrimeCurve for Curve448 {}`