Function curve25519_dalek::scalar::clamp_integer
source · pub const fn clamp_integer(bytes: [u8; 32]) -> [u8; 32]
Expand description
Clamps the given little-endian representation of a 32-byte integer. Clamping the value puts it in the range:
n ∈ 2^254 + 8*{0, 1, 2, 3, . . ., 2^251 − 1}
§Explanation of clamping
For Curve25519, h = 8, and multiplying by 8 is the same as a binary left-shift by 3 bits. If you take a secret scalar value between 2^251 and 2^252 – 1 and left-shift by 3 bits then you end up with a 255-bit number with the most significant bit set to 1 and the least-significant three bits set to 0.
The Curve25519 clamping operation takes an arbitrary 256-bit random value and clears the most-significant bit (making it a 255-bit number), sets the next bit, and then clears the 3 least-significant bits. In other words, it directly creates a scalar value that is in the right form and pre-multiplied by the cofactor.
See here for more details.