Add Scalar::halve()

Author: daxpedda

curve25519-dalek/src/backend/serial/u32/constants.rs

@@ -113,6 +113,12 @@ pub(crate) const RR: Scalar29 = Scalar29([
     0x0005046d,
 ]);
 
+/// `TWO_INVERT` = 1/2
+pub(crate) const TWO_INVERT: Scalar29 = Scalar29([
+    0x0e7ae9f7, 0x00498c69, 0x1ef39acb, 0x1ef9dea2, 0x000000a6, 0x00000000, 0x00000000, 0x00000000,
+    0x00080000,
+]);
+
 /// The Ed25519 basepoint, as an `EdwardsPoint`.
 ///
 /// This is called `_POINT` to distinguish it from

curve25519-dalek/src/backend/serial/u64/constants.rs

@@ -153,6 +153,15 @@ pub(crate) const RR: Scalar52 = Scalar52([
     0x000009411b7c309a,
 ]);
 
+/// `TWO_INVERT` = 1/2
+pub(crate) const TWO_INVERT: Scalar52 = Scalar52([
+    0x0009318d2e7ae9f7,
+    0x000ef517bce6b2c0,
+    0x00000000000a6f7c,
+    0x0000000000000000,
+    0x0000080000000000,
+]);
+
 /// The Ed25519 basepoint, as an `EdwardsPoint`.
 ///
 /// This is called `_POINT` to distinguish it from

curve25519-dalek/src/constants.rs

@@ -90,9 +90,9 @@ pub static RISTRETTO_BASEPOINT_TABLE: &RistrettoBasepointTable = unsafe {
 
 #[cfg(test)]
 mod test {
-    use crate::constants;
     use crate::field::FieldElement;
     use crate::traits::{IsIdentity, ValidityCheck};
+    use crate::{Scalar, constants};
 
     #[test]
     fn test_eight_torsion() {
@@ -182,4 +182,11 @@ mod test {
 
         assert_eq!(constants::ED25519_SQRTAM2.square(), a_minus_two)
     }
+
+    #[test]
+    fn test_two_invert() {
+        let two_invert = Scalar::from(2_u8).invert().unpack();
+        dbg!(format!("{:08x?}", two_invert.0));
+        assert_eq!(constants::TWO_INVERT.0, two_invert.0);
+    }
 }

curve25519-dalek/src/ristretto.rs

@@ -1867,6 +1867,35 @@ mod test {
         }
     }
 
+    #[test]
+    #[cfg(all(feature = "alloc", feature = "rand_core", feature = "group"))]
+    fn multiply_double_and_compress_1024_random_points() {
+        use ff::Field;
+        use group::Group;
+        let mut rng = OsRng;
+
+        let mut scalars: Vec<Scalar> = (0..1024)
+            .map(|_| Scalar::try_from_rng(&mut rng).unwrap())
+            .collect();
+        scalars[500] = Scalar::ZERO;
+
+        let mut points: Vec<RistrettoPoint> = (0..1024)
+            .map(|_| RistrettoPoint::try_from_rng(&mut rng).unwrap())
+            .collect();
+        points[500] = <RistrettoPoint as Group>::identity();
+
+        let multiplied_points: Vec<RistrettoPoint> = scalars
+            .iter()
+            .zip(&points)
+            .map(|(scalar, point)| scalar.halve() * point)
+            .collect();
+        let compressed = RistrettoPoint::double_and_compress_batch(&multiplied_points);
+
+        for ((s, P), P2_compressed) in scalars.iter().zip(points).zip(compressed) {
+            assert_eq!(P2_compressed, (s * P).compress());
+        }
+    }
+
     #[test]
     #[cfg(feature = "alloc")]
     fn vartime_precomputed_vs_nonprecomputed_multiscalar() {

curve25519-dalek/src/scalar.rs

@@ -1129,6 +1129,11 @@ impl Scalar {
     fn is_canonical(&self) -> Choice {
         self.ct_eq(&self.reduce())
     }
+
+    /// Returns half the `Scalar`
+    pub fn halve(&self) -> Scalar {
+        UnpackedScalar::mul(&self.unpack(), &constants::TWO_INVERT).pack()
+    }
 }
 
 impl UnpackedScalar {