Make scalars always reduced

[rozbb]

This makes unreduced Scalar unrepresentable by removing Scalar::{from_bits, from_bytes_clamped}. As a consequence, we can remove the additional reduction steps in scalar addition and subtraction. Benchmarks on my M1 Macbook Air show runtime diffs of -52% and -67% on scalar addition and subtraction, respectively.

Since clamping is necessary elsewhere, this change exposes new methods MontgomeryPoint::{mul_clamped, mul_base_clamped}, EdwardsPoint::{mul_clamped, mul_base_clamped}, and BasepointTable::mul_base_clamped, which take byte sequences.

This partially addresses #507 (scalar performance) and #514 (scalar arithmetic well-definedness).

The first snippet of #514 points out that it is possible to construct a clamped scalar s and a point P such that s * P and s.reduce() * P are not equal. This change makes this test case impossible to represent, since unreduced scalars are now unrepresentable.

Upstream changes

dalek-cryptography/ed25519-dalek#293

dalek-cryptography/x25519-dalek#120

[tarcieri]

I like the API and the direction. Preventing the clamped scalars from leaking as returned values seems like an elegant approach, while covering the important use cases.

[rozbb]

@jrose-signal would you mind taking a look at this and verifying it wouldn't break your libraries?

[rozbb]

I noticed that this was the case because the following test fails.

let a_bytes = [0xff; 32];
let s1 = Scalar::from_bytes_mod_order(a_bytes);
let s2 = Scalar { bytes: a_bytes };
assert_eq!(
    s1 * constants::X25519_BASEPOINT,
    s2 * constants::X25519_BASEPOINT
);

That's kinda surprising. There's no NAF or any fancy arithmetic necessary for the Montgomery ladder. Anyways, neither here nor there, because it works for all scalars < 2^255, which is all we care about.

[tarcieri]

I mean, that's expected for me. One scalar is reduced, the other is not, but Scalar { bytes: a_bytes } would not be valid under Scalar's (new) invariant and can't be constructed outside the crate due to field visibility.

sidebar: I'm curious if Scalar could be made into a newtype for ScalarImpl now.

[rozbb]

Right, well it's only surprising because there's nothing inherent about Montgomery multiplication that even requires invariant 1 in the first place. In fact, if you change the below line to

let mut bits = core::iter::once(0).chain(scalar.bits_le().rev());

then these asserts actually pass.

What is ScalarImpl?

[jrose-signal]

@jrose-signal would you mind taking a look at this and verifying it wouldn't break your libraries?

Yes, this is fine for us (and I had someone more cryptographer than me confirm). I did find one place we were using Scalar::from_bits directly: XEd25519 signatures. But those Scalars are always multiplied by the Edwards basepoint, so switching to from_bytes_mod_order for an eager reduction is fine (and doesn't seem to cause any significant slowdown).

[rozbb]

@jrose-signal thanks for the quick turnaround! We'll be propagating the API change to ed- and x- soon

[elichai]

We currently use the Scalar::from_bits function in order to do full-group (non-clamped) Scalar*Point multiplication via the MontgomeryPoint API,
We need this to be over the whole group + twist and not specifically in the prime subgroup,
Is this something that will still be supported?

(Specifically, this is needed for something similar to Moller04 https://www.bmoeller.de/pdf/pke-pseudo-esorics2004.pdf)

[tarcieri]

@elichai would a dedicated API for this, e.g. MontgomeryPoint::mul_unclamped similar to MontgomeryPoint::mul_clamped work for your purposes?

[elichai]

@elichai would a dedicated API for this, e.g. MontgomeryPoint::mul_unclamped similar to MontgomeryPoint::mul_clamped work for your purposes?

Yep, that would definitely work

[elichai]

@elichai would a dedicated API for this, e.g. MontgomeryPoint::mul_unclamped similar to MontgomeryPoint::mul_clamped work for your purposes?

What do you think about this function also overriding invariant #1? i.e. it will allow multiplying with the top bit on, so it can't assume the first bit is zero as in: https://docs.rs/curve25519-dalek/latest/src/curve25519_dalek/montgomery.rs.html#373-374

[tarcieri]

Perhaps it would need to be fallible and return an e.g. CtOption?

[elichai]

Perhaps it would need to be fallible and return an e.g. CtOption?

Why fallible? if it's bigger than 8 \cdot \ell ?

[tarcieri]

Do you have a different solution in mind for it overriding the invariants?

[rozbb]

I think it'd be possible to just extend the iterator to all bits. I'd prefer to not copy the code, so I'll just modify this function and see if we get a performance regression