Struct Scalar 

pub struct Scalar(/* private fields */);

Scalars are elements in the finite field modulo n.

Trait impls

Much of the important functionality of scalars is provided by traits from the ff crate, which is re-exported as p256::elliptic_curve::ff:

• Field - represents elements of finite fields and provides:
  • Field::random - generate a random scalar
  • double, square, and invert operations
  • Bounds for Add, Sub, Mul, and Neg (as well as *Assign equivalents)
  • Bounds for ConditionallySelectable from the subtle crate
• PrimeField - represents elements of prime fields and provides:
  • from_repr/to_repr for converting field elements from/to big integers.
  • multiplicative_generator and root_of_unity constants.
• PrimeFieldBits - operations over field elements represented as bits (requires bits feature)

Please see the documentation for the relevant traits for more information.

serde support

When the serde feature of this crate is enabled, the Serialize and Deserialize traits are impl’d for this type.

The serialization is a fixed-width big endian encoding. When used with textual formats, the binary data is encoded as hexadecimal.

Implementations

impl Scalar

pub const ZERO: Scalar

Zero scalar.

pub const ONE: Scalar

Multiplicative identity.

pub fn to_bytes(&self) -> GenericArray<u8, <NistP256 as Curve>::FieldBytesSize>

Returns the SEC1 encoding of this scalar.

pub const fn add(&self, rhs: &Scalar) -> Scalar

Returns self + rhs mod n

pub const fn double(&self) -> Scalar

Returns 2*self.

pub const fn sub(&self, rhs: &Scalar) -> Scalar

Returns self - rhs mod n.

pub const fn multiply(&self, rhs: &Scalar) -> Scalar

Returns self * rhs mod n

pub const fn square(&self) -> Scalar

Returns self * self mod p

pub const fn shr_vartime(&self, shift: usize) -> Scalar

Right shifts the scalar.

Note: not constant-time with respect to the shift parameter.

pub fn invert(&self) -> CtOption<Scalar>

Returns the multiplicative inverse of self, if self is non-zero

pub const fn pow_vartime(&self, exp: &[u64]) -> Scalar

Exponentiates self by exp, where exp is a little-endian order integer exponent.

pub fn is_odd(&self) -> Choice

Is integer representing equivalence class odd?

pub fn is_even(&self) -> Choice

Is integer representing equivalence class even?

Trait Implementations

impl Add<&Scalar> for &Scalar

type Output = Scalar

The resulting type after applying the + operator.

fn add(self, other: &Scalar) -> Scalar

Performs the + operation.

impl Add<&Scalar> for Scalar

type Output = Scalar

The resulting type after applying the + operator.

fn add(self, other: &Scalar) -> Scalar

Performs the + operation.

impl Add for Scalar

type Output = Scalar

The resulting type after applying the + operator.

fn add(self, other: Scalar) -> Scalar

Performs the + operation.

impl AddAssign<&Scalar> for Scalar

fn add_assign(&mut self, rhs: &Scalar)

Performs the += operation.

impl AddAssign for Scalar

fn add_assign(&mut self, rhs: Scalar)

Performs the += operation.

impl AsRef<Scalar> for Scalar

fn as_ref(&self) -> &Scalar

Converts this type into a shared reference of the (usually inferred) input type.

impl Clone for Scalar

fn clone(&self) -> Scalar

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl ConditionallySelectable for Scalar

fn conditional_select(a: &Scalar, b: &Scalar, choice: Choice) -> Scalar

Select a or b according to choice.

fn conditional_assign(&mut self, other: &Self, choice: Choice)

Conditionally assign other to self, according to choice.

fn conditional_swap(a: &mut Self, b: &mut Self, choice: Choice)

Conditionally swap self and other if choice == 1; otherwise, reassign both unto themselves.

impl ConstantTimeEq for Scalar

fn ct_eq(&self, other: &Scalar) -> Choice

Determine if two items are equal.

fn ct_ne(&self, other: &Self) -> Choice

Determine if two items are NOT equal.

impl Debug for Scalar

fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error>

Formats the value using the given formatter.

impl Default for Scalar

fn default() -> Scalar

Returns the “default value” for a type.

impl Field for Scalar

fn sqrt(&self) -> CtOption<Scalar>

Tonelli-Shank’s algorithm for q mod 16 = 1 https://eprint.iacr.org/2012/685.pdf (page 12, algorithm 5)

const ZERO: Scalar = Self::ZERO

The zero element of the field, the additive identity.

const ONE: Scalar = Self::ONE

The one element of the field, the multiplicative identity.

fn random(rng: impl RngCore) -> Scalar

Returns an element chosen uniformly at random using a user-provided RNG.

fn square(&self) -> Scalar

Squares this element.

fn double(&self) -> Scalar

Doubles this element.

fn invert(&self) -> CtOption<Scalar>

Computes the multiplicative inverse of this element, failing if the element is zero.

fn sqrt_ratio(num: &Scalar, div: &Scalar) -> (Choice, Scalar)

Computes:

fn is_zero(&self) -> Choice

Returns true iff this element is zero.

fn is_zero_vartime(&self) -> bool

Returns true iff this element is zero.

fn cube(&self) -> Self

Cubes this element.

fn sqrt_alt(&self) -> (Choice, Self)

Equivalent to Self::sqrt_ratio(self, one()).

fn pow<S>(&self, exp: S) -> Self

where S: AsRef<[u64]>,

Exponentiates self by exp, where exp is a little-endian order integer exponent.

fn pow_vartime<S>(&self, exp: S) -> Self

where S: AsRef<[u64]>,

Exponentiates self by exp, where exp is a little-endian order integer exponent.

impl From<&Scalar> for GenericArray<u8, <NistP256 as Curve>::FieldBytesSize>

fn from( scalar: &Scalar, ) -> GenericArray<u8, <NistP256 as Curve>::FieldBytesSize>

Converts to this type from the input type.

impl From<&Scalar> for ScalarPrimitive<NistP256>

fn from(scalar: &Scalar) -> ScalarPrimitive<NistP256>

Converts to this type from the input type.

impl From<&Scalar> for Uint<crypto_bigint::::uint::U256::{constant#0}>

fn from(scalar: &Scalar) -> Uint<crypto_bigint::::uint::U256::{constant#0}>

Converts to this type from the input type.

impl From<&ScalarPrimitive<NistP256>> for Scalar

fn from(scalar: &ScalarPrimitive<NistP256>) -> Scalar

Converts to this type from the input type.

impl From<&SecretKey<NistP256>> for Scalar

fn from(secret_key: &SecretKey<NistP256>) -> Scalar

Converts to this type from the input type.

impl From<Scalar> for GenericArray<u8, <NistP256 as Curve>::FieldBytesSize>

fn from(scalar: Scalar) -> GenericArray<u8, <NistP256 as Curve>::FieldBytesSize>

Converts to this type from the input type.

impl From<Scalar> for ScalarPrimitive<NistP256>

fn from(scalar: Scalar) -> ScalarPrimitive<NistP256>

Converts to this type from the input type.

impl From<Scalar> for Uint<crypto_bigint::::uint::U256::{constant#0}>

fn from(scalar: Scalar) -> Uint<crypto_bigint::::uint::U256::{constant#0}>

Converts to this type from the input type.

impl From<ScalarPrimitive<NistP256>> for Scalar

fn from(scalar: ScalarPrimitive<NistP256>) -> Scalar

Converts to this type from the input type.

impl From<u128> for Scalar

fn from(k: u128) -> Scalar

Converts to this type from the input type.

impl From<u32> for Scalar

fn from(k: u32) -> Scalar

Converts to this type from the input type.

impl From<u64> for Scalar

fn from(k: u64) -> Scalar

Converts to this type from the input type.

impl FromUintUnchecked for Scalar

type Uint = Uint<crypto_bigint::::uint::U256::{constant#0}>

Unsigned integer type (i.e. Curve::Uint)

fn from_uint_unchecked(uint: <Scalar as FromUintUnchecked>::Uint) -> Scalar

Instantiate scalar from an unsigned integer without checking whether the value overflows the field modulus.

impl Invert for Scalar

fn invert_vartime(&self) -> CtOption<Scalar>

Fast variable-time inversion using Stein’s algorithm.

Returns none if the scalar is zero.

https://link.springer.com/article/10.1007/s13389-016-0135-4

⚠️ WARNING!

This method should not be used with (unblinded) secret scalars, as its variable-time operation can potentially leak secrets through sidechannels.

type Output = CtOption<Scalar>

Field element type

fn invert(&self) -> CtOption<Scalar>

Invert a field element.

impl IsHigh for Scalar

fn is_high(&self) -> Choice

Is this scalar greater than or equal to n / 2?

impl Mul<&Scalar> for &Scalar

type Output = Scalar

The resulting type after applying the * operator.

fn mul(self, other: &Scalar) -> Scalar

Performs the * operation.

impl Mul<&Scalar> for Scalar

type Output = Scalar

The resulting type after applying the * operator.

fn mul(self, other: &Scalar) -> Scalar

Performs the * operation.

impl Mul for Scalar

type Output = Scalar

The resulting type after applying the * operator.

fn mul(self, other: Scalar) -> Scalar

Performs the * operation.

impl MulAssign<&Scalar> for Scalar

fn mul_assign(&mut self, rhs: &Scalar)

Performs the *= operation.

impl MulAssign for Scalar

fn mul_assign(&mut self, rhs: Scalar)

Performs the *= operation.

impl<'a> Neg for &'a Scalar

type Output = Scalar

The resulting type after applying the - operator.

fn neg(self) -> Scalar

Performs the unary - operation.

impl Neg for Scalar

type Output = Scalar

The resulting type after applying the - operator.

fn neg(self) -> Scalar

Performs the unary - operation.

impl Ord for Scalar

fn cmp(&self, other: &Scalar) -> Ordering

This method returns an Ordering between self and other.

fn max(self, other: Self) -> Self

where Self: Sized,

Compares and returns the maximum of two values.

fn min(self, other: Self) -> Self

where Self: Sized,

Compares and returns the minimum of two values.

fn clamp(self, min: Self, max: Self) -> Self

where Self: Sized,

Restrict a value to a certain interval.

impl PartialEq for Scalar

fn eq(&self, other: &Scalar) -> bool

Tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl PartialOrd for Scalar

fn partial_cmp(&self, other: &Scalar) -> Option<Ordering>

This method returns an ordering between self and other values if one exists.

fn lt(&self, other: &Rhs) -> bool

Tests less than (for self and other) and is used by the < operator.

fn le(&self, other: &Rhs) -> bool

Tests less than or equal to (for self and other) and is used by the <= operator.

fn gt(&self, other: &Rhs) -> bool

Tests greater than (for self and other) and is used by the > operator.

fn ge(&self, other: &Rhs) -> bool

Tests greater than or equal to (for self and other) and is used by the >= operator.

impl PrimeField for Scalar

fn from_repr( bytes: GenericArray<u8, <NistP256 as Curve>::FieldBytesSize>, ) -> CtOption<Scalar>

Attempts to parse the given byte array as an SEC1-encoded scalar.

Returns None if the byte array does not contain a big-endian integer in the range [0, p).

const MODULUS: &'static str = ORDER_HEX

Modulus of the field written as a string for debugging purposes.

const NUM_BITS: u32 = 256

How many bits are needed to represent an element of this field.

const CAPACITY: u32 = 255

How many bits of information can be reliably stored in the field element.

const TWO_INV: Scalar

Inverse of $2$ in the field.

const MULTIPLICATIVE_GENERATOR: Scalar

A fixed multiplicative generator of modulus - 1 order. This element must also be a quadratic nonresidue.

const S: u32 = 4

An integer s satisfying the equation 2^s * t = modulus - 1 with t odd.

const ROOT_OF_UNITY: Scalar

The 2^s root of unity.

const ROOT_OF_UNITY_INV: Scalar

Inverse of Self::ROOT_OF_UNITY.

const DELTA: Scalar

Generator of the t-order multiplicative subgroup.

type Repr = GenericArray<u8, <NistP256 as Curve>::FieldBytesSize>

The prime field can be converted back and forth into this binary representation.

fn to_repr(&self) -> GenericArray<u8, <NistP256 as Curve>::FieldBytesSize>

Converts an element of the prime field into the standard byte representation for this field.

fn is_odd(&self) -> Choice

Returns true iff this element is odd.

fn from_str_vartime(s: &str) -> Option<Self>

Interpret a string of numbers as a (congruent) prime field element. Does not accept unnecessary leading zeroes or a blank string.

fn from_u128(v: u128) -> Self

Obtains a field element congruent to the integer v.

fn from_repr_vartime(repr: Self::Repr) -> Option<Self>

Attempts to convert a byte representation of a field element into an element of this prime field, failing if the input is not canonical (is not smaller than the field’s modulus).

fn is_even(&self) -> Choice

Returns true iff this element is even.

impl<'a> Product<&'a Scalar> for Scalar

fn product<I>(iter: I) -> Scalar

where I: Iterator<Item = &'a Scalar>,

Takes an iterator and generates Self from the elements by multiplying the items.

impl Product for Scalar

fn product<I>(iter: I) -> Scalar

where I: Iterator<Item = Scalar>,

Takes an iterator and generates Self from the elements by multiplying the items.

impl Reduce<Uint<crypto_bigint::::uint::U256::{constant#0}>> for Scalar

type Bytes = GenericArray<u8, <NistP256 as Curve>::FieldBytesSize>

Bytes used as input to Reduce::reduce_bytes.

fn reduce(w: Uint<crypto_bigint::::uint::U256::{constant#0}>) -> Scalar

Perform a modular reduction, returning a field element.

fn reduce_bytes( bytes: &GenericArray<u8, <NistP256 as Curve>::FieldBytesSize>, ) -> Scalar

Interpret the given bytes as an integer and perform a modular reduction.

impl ReduceNonZero<Uint<crypto_bigint::::uint::U256::{constant#0}>> for Scalar

fn reduce_nonzero(w: Uint<crypto_bigint::::uint::U256::{constant#0}>) -> Scalar

Perform a modular reduction, returning a field element.

fn reduce_nonzero_bytes( bytes: &GenericArray<u8, <NistP256 as Curve>::FieldBytesSize>, ) -> Scalar

Interpret the given bytes as an integer and perform a modular reduction to a non-zero output.

impl Shr<usize> for &Scalar

type Output = Scalar

The resulting type after applying the >> operator.

fn shr(self, rhs: usize) -> <&Scalar as Shr<usize>>::Output

Performs the >> operation.

impl Shr<usize> for Scalar

type Output = Scalar

The resulting type after applying the >> operator.

fn shr(self, rhs: usize) -> <Scalar as Shr<usize>>::Output

Performs the >> operation.

impl ShrAssign<usize> for Scalar

fn shr_assign(&mut self, rhs: usize)

Performs the >>= operation.

impl SignPrimitive<NistP256> for Scalar

Available on crate feature ecdsa only.

fn try_sign_prehashed<K>( &self, k: K, z: &GenericArray<u8, <C as Curve>::FieldBytesSize>, ) -> Result<(Signature<C>, Option<RecoveryId>), Error>

where K: AsRef<Self> + Invert<Output = CtOption<Self>>,

Try to sign the prehashed message.

fn try_sign_prehashed_rfc6979<D>( &self, z: &GenericArray<u8, <C as Curve>::FieldBytesSize>, ad: &[u8], ) -> Result<(Signature<C>, Option<RecoveryId>), Error>

where Self: From<ScalarPrimitive<C>> + Invert<Output = CtOption<Self>>, D: Digest<OutputSize = <C as Curve>::FieldBytesSize> + BlockSizeUser + FixedOutput + FixedOutputReset,

Try to sign the given message digest deterministically using the method described in RFC6979 for computing ECDSA ephemeral scalar k.

impl Sub<&Scalar> for &Scalar

type Output = Scalar

The resulting type after applying the - operator.

fn sub(self, other: &Scalar) -> Scalar

Performs the - operation.

impl Sub<&Scalar> for Scalar

type Output = Scalar

The resulting type after applying the - operator.

fn sub(self, other: &Scalar) -> Scalar

Performs the - operation.

impl Sub for Scalar

type Output = Scalar

The resulting type after applying the - operator.

fn sub(self, other: Scalar) -> Scalar

Performs the - operation.

impl SubAssign<&Scalar> for Scalar

fn sub_assign(&mut self, rhs: &Scalar)

Performs the -= operation.

impl SubAssign for Scalar

fn sub_assign(&mut self, rhs: Scalar)

Performs the -= operation.

impl<'a> Sum<&'a Scalar> for Scalar

fn sum<I>(iter: I) -> Scalar

where I: Iterator<Item = &'a Scalar>,

Takes an iterator and generates Self from the elements by “summing up” the items.

impl Sum for Scalar

fn sum<I>(iter: I) -> Scalar

where I: Iterator<Item = Scalar>,

Takes an iterator and generates Self from the elements by “summing up” the items.

impl Copy for Scalar

impl DefaultIsZeroes for Scalar

impl Eq for Scalar