elliptic-curve: extract NonIdentity/NonZeroScalar casting methods (#1903)

tarcieri · web-flow · commit 93974c9b453b · 2025-06-13T19:35:45.000-06:00
These methods encapsulate safely casting references for arrays and slices of `NonIdentity<P>` to array/slice references to the inner `P` type, and the same for `NonZeroScalar` and its inner `Scalar<C>` type. Note the choice of method names follows similar ones in `hybrid-array`: https://docs.rs/hybrid-array/latest/hybrid_array/struct.Array.html#method.cast_slice_to_core
diff --git a/elliptic-curve/src/lib.rs b/elliptic-curve/src/lib.rs
@@ -5,8 +5,7 @@
     html_logo_url = "https://raw.githubusercontent.com/RustCrypto/media/8f1a9894/logo.svg",
     html_favicon_url = "https://raw.githubusercontent.com/RustCrypto/media/8f1a9894/logo.svg"
 )]
-// Only allowed for newtype casts.
-#![deny(unsafe_code)]
+#![deny(unsafe_code)] // Only allowed for newtype casts.
 #![warn(
     clippy::cast_lossless,
     clippy::cast_possible_truncation,
diff --git a/elliptic-curve/src/point/non_identity.rs b/elliptic-curve/src/point/non_identity.rs
@@ -22,7 +22,7 @@ use crate::{BatchNormalize, CurveArithmetic, NonZeroScalar, Scalar};
 /// In the context of ECC, it's useful for ensuring that certain arithmetic
 /// cannot result in the identity point.
 #[derive(Clone, Copy, Debug, PartialEq, Eq)]
-#[repr(transparent)]
+#[repr(transparent)] // SAFETY: needed for `unsafe` safety invariants below
 pub struct NonIdentity<P> {
     point: P,
 }
@@ -51,6 +51,29 @@ where
     }
 }
 
+impl<P> NonIdentity<P> {
+    /// Transform array reference containing [`NonIdentity`] points to an array reference to the
+    /// inner point type.
+    pub fn cast_array_as_inner<const N: usize>(points: &[Self; N]) -> &[P; N] {
+        // SAFETY: `NonIdentity` is a `repr(transparent)` newtype for `P` so it's safe to cast to
+        // the inner `P` type.
+        #[allow(unsafe_code)]
+        unsafe {
+            &*points.as_ptr().cast()
+        }
+    }
+
+    /// Transform slice containing [`NonIdentity`] points to a slice of the inner point type.
+    pub fn cast_slice_as_inner(points: &[Self]) -> &[P] {
+        // SAFETY: `NonIdentity` is a `repr(transparent)` newtype for `P` so it's safe to cast to
+        // the inner `P` type.
+        #[allow(unsafe_code)]
+        unsafe {
+            &*(points as *const [NonIdentity<P>] as *const [P])
+        }
+    }
+}
+
 impl<P: Copy> NonIdentity<P> {
     /// Return wrapped point.
     pub fn to_point(self) -> P {
@@ -114,26 +137,8 @@ where
     type Output = [NonIdentity<P::AffineRepr>; N];
 
     fn batch_normalize(points: &[Self; N]) -> [NonIdentity<P::AffineRepr>; N] {
-        // Ensure casting is safe.
-        // This always succeeds because `NonIdentity` is `repr(transparent)`.
-        debug_assert_eq!(size_of::<P>(), size_of::<NonIdentity<P>>());
-        debug_assert_eq!(align_of::<P>(), align_of::<NonIdentity<P>>());
-
-        #[allow(unsafe_code)]
-        // SAFETY: `NonIdentity` is `repr(transparent)`.
-        let points: &[P; N] = unsafe { &*points.as_ptr().cast() };
+        let points = Self::cast_array_as_inner::<N>(points);
         let affine_points = <P as BatchNormalize<_>>::batch_normalize(points);
-
-        // Ensure `array::map()` can be optimized to a `memcpy`.
-        debug_assert_eq!(
-            size_of::<P::AffineRepr>(),
-            size_of::<NonIdentity<P::AffineRepr>>()
-        );
-        debug_assert_eq!(
-            align_of::<P::AffineRepr>(),
-            align_of::<NonIdentity<P::AffineRepr>>()
-        );
-
         affine_points.map(|point| NonIdentity { point })
     }
 }
@@ -146,26 +151,8 @@ where
     type Output = Vec<NonIdentity<P::AffineRepr>>;
 
     fn batch_normalize(points: &[Self]) -> Vec<NonIdentity<P::AffineRepr>> {
-        // Ensure casting is safe.
-        // This always succeeds because `NonIdentity` is `repr(transparent)`.
-        debug_assert_eq!(size_of::<P>(), size_of::<NonIdentity<P>>());
-        debug_assert_eq!(align_of::<P>(), align_of::<NonIdentity<P>>());
-
-        #[allow(unsafe_code)]
-        // SAFETY: `NonIdentity` is `repr(transparent)`.
-        let points: &[P] = unsafe { &*(points as *const [NonIdentity<P>] as *const [P]) };
+        let points = Self::cast_slice_as_inner(points);
         let affine_points = <P as BatchNormalize<_>>::batch_normalize(points);
-
-        // Ensure `into_iter()` + `collect()` can be optimized away.
-        debug_assert_eq!(
-            size_of::<P::AffineRepr>(),
-            size_of::<NonIdentity<P::AffineRepr>>()
-        );
-        debug_assert_eq!(
-            align_of::<P::AffineRepr>(),
-            align_of::<NonIdentity<P::AffineRepr>>()
-        );
-
         affine_points
             .into_iter()
             .map(|point| NonIdentity { point })
diff --git a/elliptic-curve/src/scalar/nonzero.rs b/elliptic-curve/src/scalar/nonzero.rs
@@ -33,6 +33,7 @@ use serdect::serde::{Deserialize, Serialize, de, ser};
 /// In the context of ECC, it's useful for ensuring that scalar multiplication
 /// cannot result in the point at infinity.
 #[derive(Clone)]
+#[repr(transparent)] // SAFETY: needed for `unsafe` safety invariants below
 pub struct NonZeroScalar<C>
 where
     C: CurveArithmetic,
@@ -88,6 +89,27 @@ where
     pub fn from_uint(uint: C::Uint) -> CtOption<Self> {
         ScalarPrimitive::new(uint).and_then(|scalar| Self::new(scalar.into()))
     }
+
+    /// Transform array reference containing [`NonZeroScalar`]s to an array reference to the inner
+    /// scalar type.
+    pub fn cast_array_as_inner<const N: usize>(scalars: &[Self; N]) -> &[Scalar<C>; N] {
+        // SAFETY: `NonZeroScalar` is a `repr(transparent)` newtype for `Scalar<C>` so it's safe to
+        // cast to the inner scalar type.
+        #[allow(unsafe_code)]
+        unsafe {
+            &*scalars.as_ptr().cast()
+        }
+    }
+
+    /// Transform slice containing [`NonZeroScalar`]s to a slice of the inner scalar type.
+    pub fn cast_slice_as_inner(scalars: &[Self]) -> &[Scalar<C>] {
+        // SAFETY: `NonZeroScalar` is a `repr(transparent)` newtype for `Scalar<C>` so it's safe to
+        // cast to the inner scalar type.
+        #[allow(unsafe_code)]
+        unsafe {
+            &*(scalars as *const [NonZeroScalar<C>] as *const [Scalar<C>])
+        }
+    }
 }
 
 impl<C> AsRef<Scalar<C>> for NonZeroScalar<C>
