elliptic-curve: remove generic invert_vartime implementation

tarcieri · tarcieri · commit 24562ae2f49e · 2023-02-02T19:40:53.000-07:00
It's mathematically unsafe in that it relies on field element
representations outside the curve's modulus, which doesn't work in a
generic context.

The newly added `Invert::invert_vartime` method allows plugging in
generic variable-time inversions.
diff --git a/elliptic-curve/src/scalar.rs b/elliptic-curve/src/scalar.rs
@@ -3,14 +3,12 @@
 #[cfg(feature = "arithmetic")]
 mod blinded;
 #[cfg(feature = "arithmetic")]
-mod invert;
-#[cfg(feature = "arithmetic")]
 mod nonzero;
 mod primitive;
 
 pub use self::primitive::ScalarPrimitive;
 #[cfg(feature = "arithmetic")]
-pub use self::{blinded::BlindedScalar, invert::invert_vartime, nonzero::NonZeroScalar};
+pub use self::{blinded::BlindedScalar, nonzero::NonZeroScalar};
 
 use crypto_bigint::Integer;
 use subtle::Choice;
diff --git a/elliptic-curve/src/scalar/blinded.rs b/elliptic-curve/src/scalar/blinded.rs
@@ -1,6 +1,6 @@
 //! Random blinding support for [`Scalar`]
 
-use super::{invert_vartime, Scalar};
+use super::Scalar;
 use crate::{ops::Invert, CurveArithmetic};
 use group::ff::Field;
 use rand_core::CryptoRngCore;
@@ -57,8 +57,9 @@ where
     fn invert(&self) -> CtOption<Scalar<C>> {
         // prevent side channel analysis of scalar inversion by pre-and-post-multiplying
         // with the random masking scalar
-        let masked_scalar = self.scalar * self.mask;
-        invert_vartime::<C>(&masked_scalar).map(|s| s * self.mask)
+        (self.scalar * self.mask)
+            .invert_vartime()
+            .map(|s| s * self.mask)
     }
 }
 
diff --git a/elliptic-curve/src/scalar/invert.rs b/elliptic-curve/src/scalar/invert.rs
diff --git a/elliptic-curve/src/scalar/nonzero.rs b/elliptic-curve/src/scalar/nonzero.rs
@@ -67,19 +67,6 @@ where
     pub fn from_uint(uint: C::Uint) -> CtOption<Self> {
         ScalarPrimitive::new(uint).and_then(|scalar| Self::new(scalar.into()))
     }
-
-    /// Perform an inversion in variable-time.
-    ///
-    /// ⚠️ WARNING!
-    ///
-    /// This method should not be used with (unblinded) secret scalars, as its
-    /// variable-time operation can potentially leak secrets through
-    /// sidechannels.
-    pub fn invert_vartime(&self) -> Self {
-        Self {
-            scalar: super::invert_vartime::<C>(&self.scalar).unwrap(),
-        }
-    }
 }
 
 impl<C> AsRef<Scalar<C>> for NonZeroScalar<C>
