
Fix wNAF scalar multiplication for big-endian scalar repr #1689

Open

tob-scott-a wants to merge 1 commit into RustCrypto:wnaf from tob-scott-a:wnaf

Conversation


tob-scott-a commented Mar 19, 2026

Note: This depends on RustCrypto/group#10, otherwise the tests fail.

Two bugs prevented wNAF from working with NIST/SEC1 curves:

1. The group crate's wnaf_form() assumes Scalar::to_repr() returns
   little-endian bytes, but ff::PrimeField documents repr endianness
   as implementation-specific. All SEC1 curves use big-endian.
   Fix: add WnafGroup::scalar_repr_to_le_bytes() with a default
   LE-passthrough; primeorder overrides it to reverse bytes.

2. wnaf_form() drops the final carry when the scalar fills all
   bit_len bits. This was masked on BLS12-381 (255-bit modulus in
   256 bits) but fails on p256 (256-bit modulus in 256 bits).
   Fix: emit remaining carry after the loop (in group crate).

Also implements recommended_wnaf_for_num_scalars (was todo!()).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
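Both bugs in the description, worked through in code. This is an added example, not code from this PR or from the group or primeorder crates: a self-contained Rust wNAF recoder over little-endian scalar bytes whose loop runs to bit_len and then emits any pending carry, the shape the description gives for the fix. The names (bits_at, wnaf_form, be_repr_to_le_bytes, wnaf_reconstructs, the emit_final_carry flag) and the scalars are this example's own; emit_final_carry = false reproduces the dropped-carry behaviour rather than the crate's exact code, and be_repr_to_le_bytes plays the role the description assigns to primeorder's override of scalar_repr_to_le_bytes. The checker wnaf_reconstructs verifies sum(d_i * 2^i) == scalar with small byte-vector arithmetic, so 256-bit inputs can be exercised without an external big-int crate. It generalizes beyond the description's two curves: any byte length and any window in 2..=8.

```rust
/// Reads `count` bits of a little-endian scalar starting at bit `pos`; bits past the end read as 0.
fn bits_at(scalar_le: &[u8], pos: usize, count: usize) -> u64 {
    (0..count)
        .filter(|i| scalar_le.get((pos + i) / 8).map_or(false, |b| ((b >> ((pos + i) % 8)) & 1) == 1))
        .fold(0, |v, i| v | (1u64 << i))
}

/// Width-`window` NAF of a little-endian scalar. `emit_final_carry = false` reproduces the
/// bug the PR describes: the loop stops at bit_len and a pending carry is silently lost.
/// Loop invariant: scalar == sum_{i<pos} d_i*2^i + 2^pos * ((scalar >> pos) + carry).
fn wnaf_form(scalar_le: &[u8], window: usize, emit_final_carry: bool) -> Vec<i64> {
    assert!((2..=8).contains(&window), "window must be in 2..=8");
    let (bit_len, width) = (scalar_le.len() * 8, 1u64 << window);
    let mut wnaf: Vec<i64> = Vec::with_capacity(bit_len + window);
    let (mut pos, mut carry) = (0usize, 0u64);
    while pos < bit_len {
        let bit_buf = bits_at(scalar_le, pos, window) + carry;
        if bit_buf & 1 == 0 {
            wnaf.push(0); // even: zero digit, any carry just moves up one position
            pos += 1;
        } else {
            // Odd: consume a whole window; upper-half values become negative digits plus a carry.
            let negative = bit_buf >= width / 2;
            wnaf.push(if negative { bit_buf as i64 - width as i64 } else { bit_buf as i64 });
            carry = negative as u64;
            wnaf.extend(std::iter::repeat(0).take(window - 1));
            pos += window;
        }
    }
    // Every scalar bit is consumed, so scalar == sum d_i*2^i + carry*2^pos: a leftover carry
    // must become the digit 1 at index `pos` (== wnaf.len()); dropping it loses 2^pos.
    if emit_final_carry && carry == 1 {
        wnaf.push(1);
    }
    wnaf
}

/// Stand-in for the PR's scalar_repr_to_le_bytes hook on a SEC1 curve, whose to_repr() is
/// big-endian: the recoder must see the bytes reversed.
fn be_repr_to_le_bytes(repr_be: &[u8]) -> Vec<u8> {
    repr_be.iter().rev().copied().collect()
}

/// v = 2*v + add on a little-endian byte vector (add <= 255, so one extra byte suffices).
fn double_and_add(v: &mut Vec<u8>, add: u64) {
    let mut carry = add;
    for b in v.iter_mut() {
        let t = ((*b as u64) << 1) + carry;
        *b = t as u8;
        carry = t >> 8;
    }
    if carry != 0 {
        v.push(carry as u8);
    }
}

/// a + b on little-endian byte slices, high zero bytes stripped (so big_add(x, &[]) normalizes x).
fn big_add(a: &[u8], b: &[u8]) -> Vec<u8> {
    let (mut out, mut carry) = (Vec::new(), 0u16);
    for i in 0..a.len().max(b.len()) {
        let s = *a.get(i).unwrap_or(&0) as u16 + *b.get(i).unwrap_or(&0) as u16 + carry;
        out.push(s as u8);
        carry = s >> 8;
    }
    out.push(carry as u8);
    while out.last() == Some(&0) {
        out.pop();
    }
    out
}

/// Checks sum(d_i * 2^i) == scalar. Horner's rule runs from the top digit with separate
/// non-negative accumulators, so the test is positives == negatives + scalar, no signed big-ints.
fn wnaf_reconstructs(digits: &[i64], scalar_le: &[u8]) -> bool {
    let (mut positives, mut negatives) = (Vec::new(), Vec::new());
    for &d in digits.iter().rev() {
        double_and_add(&mut positives, d.max(0) as u64);
        double_and_add(&mut negatives, (-d).max(0) as u64);
    }
    big_add(&positives, &[]) == big_add(&negatives, scalar_le)
}

fn main() {
    // Constructed inputs (not from the PR): all 256 bits set is the p256-sized case that exposes
    // the dropped carry; clearing bit 255 gives the BLS12-381-sized case that hides it.
    let full = [0xffu8; 32];
    let mut top_clear = full;
    top_clear[31] = 0x7f;
    for (name, s) in [("256-bit", &full), ("255-bit", &top_clear)] {
        let dropped = wnaf_reconstructs(&wnaf_form(s, 4, false), s);
        let emitted = wnaf_reconstructs(&wnaf_form(s, 4, true), s);
        println!("{name} all-ones: carry dropped -> {dropped}, carry emitted -> {emitted}");
    }
    // A SEC1-style big-endian repr of 2^248 + 2 fed in unreversed encodes a different scalar.
    let repr_be: Vec<u8> = [&[0x01u8][..], &[0u8; 30][..], &[0x02u8][..]].concat();
    let le = be_repr_to_le_bytes(&repr_be);
    println!("BE unreversed -> {}", wnaf_reconstructs(&wnaf_form(&repr_be, 4, true), &le));
    println!("BE reversed   -> {}", wnaf_reconstructs(&wnaf_form(&le, 4, true), &le));
}
```

With window 4 the all-ones 256-bit scalar recodes to a single -1 at index 0 followed by zeros, and the carry that should land as a 1 at index 256 is exactly what the bit_len-bounded loop discards; with bit 255 clear the carry is absorbed as a digit 1 at index 255 inside the loop, which is why a 255-bit modulus never showed the problem. The big-endian repr case fails for a different reason: read as little-endian, 0x01 00 .. 00 02 is 2^249 + 1 rather than 2^248 + 2, so the recoding is a valid NAF of the wrong scalar.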
tob-scott-a (Author) commented:

If changing group is annoying, #1690 should be preferred.
