curve25519_dalek::scalar

Function clamp_integer

pub const fn clamp_integer(bytes: [u8; 32]) -> [u8; 32]

Clamps the given little-endian representation of a 32-byte integer. Clamping the value puts it in the range:

n ∈ 2^254 + 8*{0, 1, 2, 3, . . ., 2^251 − 1}

§ Explanation of clamping

For Curve25519, the cofactor is h = 8, and multiplying by 8 is the same as a binary left-shift by 3 bits. If you take a secret scalar value between 2^251 and 2^252 − 1 and left-shift it by 3 bits, you end up with a 255-bit number whose most significant bit is set to 1 and whose least-significant three bits are set to 0.

The Curve25519 clamping operation takes an arbitrary 256-bit random value and clears the most-significant bit (making it a 255-bit number), sets the next bit, and then clears the 3 least-significant bits. In other words, it directly creates a scalar value that is in the right form and pre-multiplied by the cofactor.
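The three bit operations described above, as an added stand-alone example (not the crate's own source): a reimplementation of the clamp on a little-endian 32-byte integer, a checker for the stated form n = 2^254 + 8*k, and a helper that recovers k so the bound k < 2^251 can be verified directly on the bytes.

```rust
// Added example, not curve25519-dalek code. Bytes are little-endian, so
// bit 0 lives in bytes[0] and bits 254/255 live in bytes[31].

/// Clamp: clear bit 255, set bit 254, clear the three least-significant bits.
pub const fn clamp_le32(mut bytes: [u8; 32]) -> [u8; 32] {
    bytes[0] &= 0b1111_1000; // clear bits 0..2: value becomes a multiple of 8
    bytes[31] &= 0b0111_1111; // clear bit 255: value now fits in 255 bits
    bytes[31] |= 0b0100_0000; // set bit 254: value is at least 2^254
    bytes
}

/// True iff the bytes already have the clamped shape (the clamp is idempotent,
/// so this is equivalent to `clamp_le32(*bytes) == *bytes`).
pub fn is_clamped(bytes: &[u8; 32]) -> bool {
    let low_bits_clear = bytes[0] & 0b0000_0111 == 0;
    let bit255_clear = bytes[31] & 0b1000_0000 == 0;
    let bit254_set = bytes[31] & 0b0100_0000 != 0;
    low_bits_clear && bit255_clear && bit254_set
}

/// For a clamped n, return k = (n - 2^254) / 8 as little-endian bytes.
/// Subtracting 2^254 is just clearing bit 254 (bit 255 is already clear);
/// dividing by 8 is a 3-bit right shift carried across the byte array.
pub fn clamped_k(bytes: &[u8; 32]) -> [u8; 32] {
    let mut n = *bytes;
    n[31] &= 0b0011_1111;
    let mut k = [0u8; 32];
    for i in 0..32 {
        let carry = if i + 1 < 32 { n[i + 1] << 5 } else { 0 };
        k[i] = (n[i] >> 3) | carry;
    }
    k
}

fn main() {
    // Constructed sample input: the all-ones integer 2^256 - 1.
    let clamped = clamp_le32([0xff; 32]);
    println!("clamped: {:02x?}", clamped);
    println!("k:       {:02x?}", clamped_k(&clamped));
    assert!(is_clamped(&clamped));
}
```

Clamping all-ones yields k = 2^251 − 1 (bytes 0..30 equal 0xff, byte 31 equals 0x07), the top of the stated range; clamping all-zeros yields k = 0, the bottom.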

See here for more details.