x448: api fixups

baloo · baloo · commit f8cd31a7c66f · 2025-07-18T13:26:04.000-07:00
diff --git a/ed448-goldilocks/src/field.rs b/ed448-goldilocks/src/field.rs
@@ -2,9 +2,9 @@ mod element;
 mod scalar;
 
 pub(crate) use element::*;
-pub(crate) use scalar::CurveWithScalar;
 pub use scalar::{
-    MODULUS_LIMBS, NZ_ORDER, ORDER, Scalar, ScalarBytes, WIDE_ORDER, WideScalarBytes,
+    CurveWithScalar, MODULUS_LIMBS, NZ_ORDER, ORDER, Scalar, ScalarBytes, WIDE_ORDER,
+    WideScalarBytes,
 };
 
 use crate::curve::twedwards::extended::ExtendedPoint as TwExtendedPoint;
diff --git a/ed448-goldilocks/src/field/scalar.rs b/ed448-goldilocks/src/field/scalar.rs
@@ -41,13 +41,18 @@ pub type ScalarBytes<C> = Array<u8, <C as CurveWithScalar>::ReprSize>;
 /// The number of bytes needed to represent the safely create a scalar from a random bytes
 pub type WideScalarBytes<C> = Array<u8, Prod<<C as CurveWithScalar>::ReprSize, U2>>;
 
+/// Representation of a curve scalar for either Ed448 or Decaf448
 pub trait CurveWithScalar: 'static + CurveArithmetic + Send + Sync {
+    /// The size of the scalar for the given curve
     type ReprSize: ArraySize<ArrayType<u8>: Copy> + Mul<U2, Output: ArraySize<ArrayType<u8>: Copy>>;
 
+    /// Create a scalar from the wide representation
     fn from_bytes_mod_order_wide(input: &WideScalarBytes<Self>) -> Scalar<Self>;
 
+    /// Create a scalar from its serialization
     fn from_canonical_bytes(bytes: &ScalarBytes<Self>) -> CtOption<Scalar<Self>>;
 
+    /// Return the serialization for a given scalar
     fn to_repr(scalar: &Scalar<Self>) -> ScalarBytes<Self>;
 }
 
diff --git a/ed448-goldilocks/src/lib.rs b/ed448-goldilocks/src/lib.rs
@@ -60,8 +60,8 @@ pub use edwards::{
     AffinePoint, CompressedEdwardsY, EdwardsPoint, EdwardsScalar, EdwardsScalarBytes,
     WideEdwardsScalarBytes,
 };
-pub use field::{MODULUS_LIMBS, ORDER, Scalar, WIDE_ORDER};
-pub use montgomery::{MontgomeryPoint, ProjectiveMontgomeryPoint};
+pub use field::{CurveWithScalar, MODULUS_LIMBS, ORDER, Scalar, WIDE_ORDER};
+pub use montgomery::{LOW_A, LOW_B, LOW_C, MontgomeryPoint, ProjectiveMontgomeryPoint};
 pub use ristretto::{CompressedRistretto, RistrettoPoint};
 #[cfg(feature = "signing")]
 pub use sign::*;
diff --git a/ed448-goldilocks/src/montgomery.rs b/ed448-goldilocks/src/montgomery.rs
@@ -18,20 +18,22 @@ use core::fmt;
 use core::ops::Mul;
 use subtle::{Choice, ConditionallySelectable, ConstantTimeEq};
 
-// Low order points on Curve448 and it's twist
-const LOW_A: MontgomeryPoint = MontgomeryPoint([
+/// First low order point on Curve448 and it's twist
+pub const LOW_A: MontgomeryPoint = MontgomeryPoint([
     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 ]);
-const LOW_B: MontgomeryPoint = MontgomeryPoint([
+/// Second low order point on Curve448 and it's twist
+pub const LOW_B: MontgomeryPoint = MontgomeryPoint([
     0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 ]);
-const LOW_C: MontgomeryPoint = MontgomeryPoint([
+/// Third low order point on Curve448 and it's twist
+pub const LOW_C: MontgomeryPoint = MontgomeryPoint([
     0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xff,
     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
diff --git a/x448/src/lib.rs b/x448/src/lib.rs
@@ -1,10 +1,13 @@
 #![no_std]
 
+use ed448_goldilocks::Ed448;
 use ed448_goldilocks::MontgomeryPoint;
-use ed448_goldilocks::Scalar;
+use ed448_goldilocks::elliptic_curve::{bigint::U448, scalar::FromUintUnchecked};
 use rand_core::{CryptoRng, RngCore};
 use zeroize::Zeroize;
 
+type Scalar = ed448_goldilocks::Scalar<Ed448>;
+
 /// Computes a Scalar according to RFC7748
 /// given a byte array of length 56
 impl From<[u8; 56]> for Secret {
@@ -20,16 +23,18 @@ impl From<[u8; 56]> for Secret {
 /// XXX: Waiting for upstream PR to use pre-computation
 impl From<&Secret> for PublicKey {
     fn from(secret: &Secret) -> PublicKey {
-        let point = &MontgomeryPoint::GENERATOR * &Scalar::from_bytes(&secret.0);
+        let secret = secret.as_scalar();
+        let point = &MontgomeryPoint::GENERATOR * &secret;
         PublicKey(point)
     }
 }
 
 /// A PublicKey is a point on Curve448.
+#[derive(Debug, PartialEq, Eq, Copy, Clone)]
 pub struct PublicKey(MontgomeryPoint);
 
 /// A Secret is a Scalar on Curve448.
-#[derive(Zeroize)]
+#[derive(Clone, Zeroize)]
 #[zeroize(drop)]
 pub struct Secret([u8; 56]);
 
@@ -85,7 +90,7 @@ impl Secret {
     // Taken from dalek-x25519
     pub fn new<T>(csprng: &mut T) -> Self
     where
-        T: RngCore + CryptoRng,
+        T: RngCore + CryptoRng + ?Sized,
     {
         let mut bytes = [0u8; 56];
 
@@ -102,7 +107,8 @@ impl Secret {
 
     /// Views a Secret as a Scalar
     fn as_scalar(&self) -> Scalar {
-        Scalar::from_bytes(&self.0)
+        let secret = U448::from_le_slice(&self.0);
+        Scalar::from_uint_unchecked(secret)
     }
 
     /// Performs a Diffie-hellman key exchange between the secret key and an external public key
@@ -171,28 +177,10 @@ mod test {
     use super::*;
     use alloc::vec;
 
+    use ed448_goldilocks::{LOW_A, LOW_B, LOW_C};
+
     #[test]
     fn test_low_order() {
-        // These are also in ed448-goldilocks. We could export them, but I cannot see any use except for this test.
-        const LOW_A: MontgomeryPoint = MontgomeryPoint([
-            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-        ]);
-        const LOW_B: MontgomeryPoint = MontgomeryPoint([
-            0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-        ]);
-        const LOW_C: MontgomeryPoint = MontgomeryPoint([
-            0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-            0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-            0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-            0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-        ]);
-
         // Notice, that this is the only way to add low order points into the system
         // and this is not exposed to the user. The user will use `from_bytes` which will check for low order points.
         let bad_key_a = PublicKey(LOW_A);
