[WIP] Scalar::div_by_2

Author: tarcieri

curve25519-dalek/src/backend/serial/u32/scalar.rs

@@ -197,15 +197,33 @@ impl Scalar29 {
         }
 
         // conditionally add l if the difference is negative
+        difference.conditional_add_l(Choice::from((borrow >> 31) as u8));
+        difference
+    }
+
+    pub(crate) fn conditional_add_l(&mut self, condition: Choice) -> u32 {
         let mut carry: u32 = 0;
+        let mask = (1u32 << 29) - 1;
+
         for i in 0..9 {
-            let underflow = Choice::from((borrow >> 31) as u8);
-            let addend = u32::conditional_select(&0, &constants::L[i], underflow);
-            carry = (carry >> 29) + difference[i] + addend;
-            difference[i] = carry & mask;
+            let addend = u32::conditional_select(&0, &constants::L[i], condition);
+            carry = (carry >> 29) + self[i] + addend;
+            self[i] = carry & mask;
         }
+        carry
+    }
 
-        difference
+    /// Compute a raw in-place carrying right shift over the limbs.
+    #[inline(always)]
+    pub(crate) fn shr1_assign(&mut self) -> u32 {
+        let mut carry: u32 = 0;
+        for i in (0..9).rev() {
+            let limb = self[i];
+            let next_carry = limb & 1;
+            self[i] = (limb >> 1) | (carry << 28);
+            carry = next_carry;
+        }
+        carry
     }
 
     /// Compute `a * b`.

curve25519-dalek/src/backend/serial/u64/scalar.rs

@@ -186,15 +186,34 @@ impl Scalar52 {
         }
 
         // conditionally add l if the difference is negative
+        difference.conditional_add_l(Choice::from((borrow >> 63) as u8));
+        difference
+    }
+
+    pub(crate) fn conditional_add_l(&mut self, condition: Choice) -> u64 {
         let mut carry: u64 = 0;
+        let mask = (1u64 << 52) - 1;
+
         for i in 0..5 {
-            let underflow = Choice::from((borrow >> 63) as u8);
-            let addend = u64::conditional_select(&0, &constants::L[i], underflow);
-            carry = (carry >> 52) + difference[i] + addend;
-            difference[i] = carry & mask;
+            let addend = u64::conditional_select(&0, &constants::L[i], condition);
+            carry = (carry >> 52) + self[i] + addend;
+            self[i] = carry & mask;
         }
 
-        difference
+        carry
+    }
+
+    /// Compute a raw in-place carrying right shift over the limbs.
+    #[inline(always)]
+    pub(crate) fn shr1_assign(&mut self) -> u64 {
+        let mut carry: u64 = 0;
+        for i in (0..5).rev() {
+            let limb = self[i];
+            let next_carry = limb & 1;
+            self[i] = (limb >> 1) | (carry << 51);
+            carry = next_carry;
+        }
+        carry
     }
 
     /// Compute `a * b`

curve25519-dalek/src/scalar.rs

@@ -831,6 +831,22 @@ impl Scalar {
         ret
     }
 
+    /// Compute `b` such that `b + b = a mod modulus`.
+    pub fn div_by_2(&self) -> Self {
+        // We are looking for such `b` that `b + b = a mod modulus`.
+        // Two possibilities:
+        // - if `a` is even, we can just divide by 2;
+        // - if `a` is odd, we divide `(a + modulus)` by 2.
+        let is_odd = Choice::from(self.as_bytes()[0] & 1);
+        let mut scalar = self.unpack();
+        scalar.conditional_add_l(is_odd);
+
+        // TODO(tarcieri): propagate carry
+        let _carry = scalar.shr1_assign();
+        scalar.pack()
+    }
+
+
     /// Get the bits of the scalar, in little-endian order
     pub(crate) fn bits_le(&self) -> impl DoubleEndedIterator<Item = bool> + '_ {
         (0..256).map(|i| {
@@ -1677,6 +1693,16 @@ pub(crate) mod test {
         }
     }
 
+    #[test]
+    fn div_by_2() {
+        for i in 0u64..32 {
+            let scalar = Scalar::from(i);
+            let double = scalar.double();
+            let dividend = double.div_by_2();
+            assert_eq!(scalar, dividend);
+        }
+    }
+
     #[test]
     fn reduce() {
         let biggest = Scalar::from_bytes_mod_order([0xff; 32]);