[WIP] Impl ff::Field for Scalar

.github/workflows/rust.yml

@@ -29,6 +29,7 @@ jobs:
       - run: ${{ matrix.deps }}
       - run: cargo test --target ${{ matrix.target }} --no-default-features
       - run: cargo test --target ${{ matrix.target }}
+      - run: cargo test --target ${{ matrix.target }} --features ff
       - run: cargo test --target ${{ matrix.target }} --features serde
       - env:
           RUSTFLAGS: '--cfg curve25519_dalek_backend="fiat"'

Cargo.toml

@@ -48,6 +48,7 @@ required-features = ["rand_core"]
 
 [dependencies]
 cfg-if = "1"
+ff = { version = "0.13", default-features = false, optional = true }
 rand_core = { version = "0.6.4", default-features = false, optional = true }
 digest = { version = "0.10", default-features = false, optional = true }
 subtle = { version = "^2.2.1", default-features = false }

src/backend/serial/curve_models/mod.rs

@@ -226,20 +226,20 @@ use crate::traits::Identity;
 impl Identity for ProjectivePoint {
     fn identity() -> ProjectivePoint {
         ProjectivePoint {
-            X: FieldElement::zero(),
-            Y: FieldElement::one(),
-            Z: FieldElement::one(),
+            X: FieldElement::ZERO,
+            Y: FieldElement::ONE,
+            Z: FieldElement::ONE,
         }
     }
 }
 
 impl Identity for ProjectiveNielsPoint {
     fn identity() -> ProjectiveNielsPoint {
         ProjectiveNielsPoint {
-            Y_plus_X: FieldElement::one(),
-            Y_minus_X: FieldElement::one(),
-            Z: FieldElement::one(),
-            T2d: FieldElement::zero(),
+            Y_plus_X: FieldElement::ONE,
+            Y_minus_X: FieldElement::ONE,
+            Z: FieldElement::ONE,
+            T2d: FieldElement::ZERO,
         }
     }
 }
@@ -253,9 +253,9 @@ impl Default for ProjectiveNielsPoint {
 impl Identity for AffineNielsPoint {
     fn identity() -> AffineNielsPoint {
         AffineNielsPoint {
-            y_plus_x: FieldElement::one(),
-            y_minus_x: FieldElement::one(),
-            xy2d: FieldElement::zero(),
+            y_plus_x: FieldElement::ONE,
+            y_minus_x: FieldElement::ONE,
+            xy2d: FieldElement::ZERO,
         }
     }
 }

src/backend/serial/fiat_u32/field.rs

@@ -177,30 +177,19 @@ impl ConditionallySelectable for FieldElement2625 {
 }
 
 impl FieldElement2625 {
+    pub const ZERO: FieldElement2625 = FieldElement2625([0, 0, 0, 0, 0, 0, 0, 0, 0, 0]);
+    pub const ONE: FieldElement2625 = FieldElement2625([1, 0, 0, 0, 0, 0, 0, 0, 0, 0]);
+    pub const MINUS_ONE: FieldElement2625 = FieldElement2625([
+        0x3ffffec, 0x1ffffff, 0x3ffffff, 0x1ffffff, 0x3ffffff, 0x1ffffff, 0x3ffffff, 0x1ffffff,
+        0x3ffffff, 0x1ffffff,
+    ]);
+
     /// Invert the sign of this field element
     pub fn negate(&mut self) {
         let neg = self.neg();
         self.0 = neg.0;
     }
 
-    /// Construct zero.
-    pub fn zero() -> FieldElement2625 {
-        FieldElement2625([0, 0, 0, 0, 0, 0, 0, 0, 0, 0])
-    }
-
-    /// Construct one.
-    pub fn one() -> FieldElement2625 {
-        FieldElement2625([1, 0, 0, 0, 0, 0, 0, 0, 0, 0])
-    }
-
-    /// Construct -1.
-    pub fn minus_one() -> FieldElement2625 {
-        FieldElement2625([
-            0x3ffffec, 0x1ffffff, 0x3ffffff, 0x1ffffff, 0x3ffffff, 0x1ffffff, 0x3ffffff, 0x1ffffff,
-            0x3ffffff, 0x1ffffff,
-        ])
-    }
-
     /// Given `k > 0`, return `self^(2^k)`.
     pub fn pow2k(&self, k: u32) -> FieldElement2625 {
         debug_assert!(k > 0);

src/backend/serial/fiat_u64/field.rs

@@ -156,26 +156,15 @@ impl ConditionallySelectable for FieldElement51 {
 }
 
 impl FieldElement51 {
-    /// Construct zero.
-    pub fn zero() -> FieldElement51 {
-        FieldElement51([0, 0, 0, 0, 0])
-    }
-
-    /// Construct one.
-    pub fn one() -> FieldElement51 {
-        FieldElement51([1, 0, 0, 0, 0])
-    }
-
-    /// Construct -1.
-    pub fn minus_one() -> FieldElement51 {
-        FieldElement51([
-            2251799813685228,
-            2251799813685247,
-            2251799813685247,
-            2251799813685247,
-            2251799813685247,
-        ])
-    }
+    pub const ZERO: FieldElement51 = FieldElement51([0, 0, 0, 0, 0]);
+    pub const ONE: FieldElement51 = FieldElement51([1, 0, 0, 0, 0]);
+    pub const MINUS_ONE: FieldElement51 = FieldElement51([
+        2251799813685228,
+        2251799813685247,
+        2251799813685247,
+        2251799813685247,
+        2251799813685247,
+    ]);
 
     /// Given 64-bit input limbs, reduce to enforce the bound 2^(51 + epsilon).
     #[inline(always)]

src/backend/serial/u32/constants.rs

@@ -19,7 +19,7 @@ use crate::backend::serial::curve_models::AffineNielsPoint;
 use crate::edwards::{EdwardsBasepointTable, EdwardsPoint};
 use crate::window::{LookupTable, NafLookupTable8};
 
-/// The value of minus one, equal to `-&FieldElement::one()`
+/// The value of minus one, equal to `-&FieldElement::ONE`
 pub(crate) const MINUS_ONE: FieldElement2625 = FieldElement2625([
     67108844, 33554431, 67108863, 33554431, 67108863, 33554431, 67108863, 33554431, 67108863,
     33554431,

src/backend/serial/u32/field.rs

@@ -282,6 +282,13 @@ impl ConditionallySelectable for FieldElement2625 {
 }
 
 impl FieldElement2625 {
+    pub const ZERO: FieldElement2625 = FieldElement2625([0, 0, 0, 0, 0, 0, 0, 0, 0, 0]);
+    pub const ONE: FieldElement2625 = FieldElement2625([1, 0, 0, 0, 0, 0, 0, 0, 0, 0]);
+    pub const MINUS_ONE: FieldElement2625 = FieldElement2625([
+        0x3ffffec, 0x1ffffff, 0x3ffffff, 0x1ffffff, 0x3ffffff, 0x1ffffff, 0x3ffffff, 0x1ffffff,
+        0x3ffffff, 0x1ffffff,
+    ]);
+
     /// Invert the sign of this field element
     pub fn negate(&mut self) {
         // Compute -b as ((2^4 * p) - b) to avoid underflow.
@@ -300,24 +307,6 @@ impl FieldElement2625 {
         self.0 = neg.0;
     }
 
-    /// Construct zero.
-    pub fn zero() -> FieldElement2625 {
-        FieldElement2625([0, 0, 0, 0, 0, 0, 0, 0, 0, 0])
-    }
-
-    /// Construct one.
-    pub fn one() -> FieldElement2625 {
-        FieldElement2625([1, 0, 0, 0, 0, 0, 0, 0, 0, 0])
-    }
-
-    /// Construct -1.
-    pub fn minus_one() -> FieldElement2625 {
-        FieldElement2625([
-            0x3ffffec, 0x1ffffff, 0x3ffffff, 0x1ffffff, 0x3ffffff, 0x1ffffff, 0x3ffffff, 0x1ffffff,
-            0x3ffffff, 0x1ffffff,
-        ])
-    }
-
     /// Given `k > 0`, return `self^(2^k)`.
     pub fn pow2k(&self, k: u32) -> FieldElement2625 {
         debug_assert!(k > 0);

src/backend/serial/u32/scalar.rs

@@ -53,10 +53,7 @@ fn m(x: u32, y: u32) -> u64 {
 }
 
 impl Scalar29 {
-    /// Return the zero scalar.
-    pub fn zero() -> Scalar29 {
-        Scalar29([0, 0, 0, 0, 0, 0, 0, 0, 0])
-    }
+    pub const ZERO: Scalar29 = Scalar29([0, 0, 0, 0, 0, 0, 0, 0, 0]);
 
     /// Unpack a 32 byte / 256 bit scalar into 9 29-bit limbs.
     #[rustfmt::skip] // keep alignment of s[*] calculations
@@ -70,7 +67,7 @@ impl Scalar29 {
 
         let mask = (1u32 << 29) - 1;
         let top_mask = (1u32 << 24) - 1;
-        let mut s = Scalar29::zero();
+        let mut s = Scalar29::ZERO;
 
         s[0] =   words[0]                            & mask;
         s[1] = ((words[0] >> 29) | (words[1] <<  3)) & mask;
@@ -96,8 +93,8 @@ impl Scalar29 {
         }
 
         let mask = (1u32 << 29) - 1;
-        let mut lo = Scalar29::zero();
-        let mut hi = Scalar29::zero();
+        let mut lo = Scalar29::ZERO;
+        let mut hi = Scalar29::ZERO;
 
         lo[0] =   words[ 0]                             & mask;
         lo[1] = ((words[ 0] >> 29) | (words[ 1] <<  3)) & mask;
@@ -168,7 +165,7 @@ impl Scalar29 {
 
     /// Compute `a + b` (mod l).
     pub fn add(a: &Scalar29, b: &Scalar29) -> Scalar29 {
-        let mut sum = Scalar29::zero();
+        let mut sum = Scalar29::ZERO;
         let mask = (1u32 << 29) - 1;
 
         // a + b
@@ -184,7 +181,7 @@ impl Scalar29 {
 
     /// Compute `a - b` (mod l).
     pub fn sub(a: &Scalar29, b: &Scalar29) -> Scalar29 {
-        let mut difference = Scalar29::zero();
+        let mut difference = Scalar29::ZERO;
         let mask = (1u32 << 29) - 1;
 
         // a - b
@@ -512,7 +509,7 @@ mod test {
     #[test]
     fn add() {
         let res = Scalar29::add(&A, &B);
-        let zero = Scalar29::zero();
+        let zero = Scalar29::ZERO;
         for i in 0..9 {
             assert!(res[i] == zero[i]);
         }

src/backend/serial/u64/constants.rs

@@ -17,7 +17,7 @@ use crate::backend::serial::curve_models::AffineNielsPoint;
 use crate::edwards::{EdwardsBasepointTable, EdwardsPoint};
 use crate::window::{LookupTable, NafLookupTable8};
 
-/// The value of minus one, equal to `-&FieldElement::one()`
+/// The value of minus one, equal to `-&FieldElement::ONE`
 pub(crate) const MINUS_ONE: FieldElement51 = FieldElement51([
     2251799813685228,
     2251799813685247,

src/backend/serial/u64/field.rs

@@ -253,6 +253,16 @@ impl ConditionallySelectable for FieldElement51 {
 }
 
 impl FieldElement51 {
+    pub const ZERO: FieldElement51 = FieldElement51([0, 0, 0, 0, 0]);
+    pub const ONE: FieldElement51 = FieldElement51([1, 0, 0, 0, 0]);
+    pub const MINUS_ONE: FieldElement51 = FieldElement51([
+        2251799813685228,
+        2251799813685247,
+        2251799813685247,
+        2251799813685247,
+        2251799813685247,
+    ]);
+
     /// Invert the sign of this field element
     pub fn negate(&mut self) {
         // See commentary in the Sub impl
@@ -266,27 +276,6 @@ impl FieldElement51 {
         self.0 = neg.0;
     }
 
-    /// Construct zero.
-    pub fn zero() -> FieldElement51 {
-        FieldElement51([0, 0, 0, 0, 0])
-    }
-
-    /// Construct one.
-    pub fn one() -> FieldElement51 {
-        FieldElement51([1, 0, 0, 0, 0])
-    }
-
-    /// Construct -1.
-    pub fn minus_one() -> FieldElement51 {
-        FieldElement51([
-            2251799813685228,
-            2251799813685247,
-            2251799813685247,
-            2251799813685247,
-            2251799813685247,
-        ])
-    }
-
     /// Given 64-bit input limbs, reduce to enforce the bound 2^(51 + epsilon).
     #[inline(always)]
     fn reduce(mut limbs: [u64; 5]) -> FieldElement51 {

src/backend/serial/u64/scalar.rs

@@ -55,10 +55,7 @@ fn m(x: u64, y: u64) -> u128 {
 }
 
 impl Scalar52 {
-    /// Return the zero scalar
-    pub fn zero() -> Scalar52 {
-        Scalar52([0, 0, 0, 0, 0])
-    }
+    pub const ZERO: Scalar52 = Scalar52([0, 0, 0, 0, 0]);
 
     /// Unpack a 32 byte / 256 bit scalar into 5 52-bit limbs.
     #[rustfmt::skip] // keep alignment of s[*] calculations
@@ -72,7 +69,7 @@ impl Scalar52 {
 
         let mask = (1u64 << 52) - 1;
         let top_mask = (1u64 << 48) - 1;
-        let mut s = Scalar52::zero();
+        let mut s = Scalar52::ZERO;
 
         s[0] =   words[0]                            & mask;
         s[1] = ((words[0] >> 52) | (words[1] << 12)) & mask;
@@ -94,8 +91,8 @@ impl Scalar52 {
         }
 
         let mask = (1u64 << 52) - 1;
-        let mut lo = Scalar52::zero();
-        let mut hi = Scalar52::zero();
+        let mut lo = Scalar52::ZERO;
+        let mut hi = Scalar52::ZERO;
 
         lo[0] =   words[0]                             & mask;
         lo[1] = ((words[0] >> 52) | (words[ 1] << 12)) & mask;
@@ -158,7 +155,7 @@ impl Scalar52 {
 
     /// Compute `a + b` (mod l)
     pub fn add(a: &Scalar52, b: &Scalar52) -> Scalar52 {
-        let mut sum = Scalar52::zero();
+        let mut sum = Scalar52::ZERO;
         let mask = (1u64 << 52) - 1;
 
         // a + b
@@ -174,7 +171,7 @@ impl Scalar52 {
 
     /// Compute `a - b` (mod l)
     pub fn sub(a: &Scalar52, b: &Scalar52) -> Scalar52 {
-        let mut difference = Scalar52::zero();
+        let mut difference = Scalar52::ZERO;
         let mask = (1u64 << 52) - 1;
 
         // a - b
@@ -472,7 +469,7 @@ mod test {
     #[test]
     fn add() {
         let res = Scalar52::add(&A, &B);
-        let zero = Scalar52::zero();
+        let zero = Scalar52::ZERO;
         for i in 0..5 {
             assert!(res[i] == zero[i]);
         }

src/backend/vector/avx2/edwards.rs

@@ -134,7 +134,7 @@ impl ExtendedPoint {
         //    =======================
         //        S5   S6   S8   S9
 
-        let zero = FieldElement2625x4::zero();
+        let zero = FieldElement2625x4::ZERO;
         let S_1 = tmp1.shuffle(Shuffle::AAAA);
         let S_2 = tmp1.shuffle(Shuffle::BBBB);
 

src/backend/vector/avx2/field.rs

@@ -180,11 +180,13 @@ impl ConditionallySelectable for FieldElement2625x4 {
 }
 
 impl FieldElement2625x4 {
+    pub const ZERO: FieldElement2625x4 = FieldElement2625x4([u32x8::splat(0); 5]);
+
     /// Split this vector into an array of four (serial) field
     /// elements.
     #[rustfmt::skip] // keep alignment of extracted lanes
     pub fn split(&self) -> [FieldElement51; 4] {
-        let mut out = [FieldElement51::zero(); 4];
+        let mut out = [FieldElement51::ZERO; 4];
         for i in 0..5 {
             let a_2i   = self.0[i].extract(0) as u64; //
             let b_2i   = self.0[i].extract(1) as u64; //
@@ -322,11 +324,6 @@ impl FieldElement2625x4 {
         ])
     }
 
-    /// Construct a vector of zeros.
-    pub fn zero() -> FieldElement2625x4 {
-        FieldElement2625x4([u32x8::splat(0); 5])
-    }
-
     /// Convenience wrapper around `new(x,x,x,x)`.
     pub fn splat(x: &FieldElement51) -> FieldElement2625x4 {
         FieldElement2625x4::new(x, x, x, x)
@@ -888,7 +885,7 @@ mod test {
 
     #[test]
     fn scale_by_curve_constants() {
-        let mut x = FieldElement2625x4::splat(&FieldElement51::one());
+        let mut x = FieldElement2625x4::splat(&FieldElement51::ONE);
 
         x = x * (121666, 121666, 2 * 121666, 2 * 121665);