Struct ScalarChallenge 

pub struct ScalarChallenge<F>(F);

A challenge which is used as a scalar on a group element in the verifier.

This wraps a field element that will be converted to an “effective” scalar using the curve endomorphism for efficient scalar multiplication.

See ScalarChallenge::to_field for how the conversion works.

Tuple Fields

0: F

Implementations

impl<F> ScalarChallenge<F>

pub const fn new(challenge: F) -> Self

Creates a ScalarChallenge from a field element.

Deprecation

This constructor will be deprecated in favor of Self::from_limbs, which enforces the 128-bit constraint at construction.

The field element is assumed to contain at most 128 bits of data (i.e., only the two lowest 64-bit limbs are set). This is the case when the value comes from FqSponge::challenge.

impl<F: PrimeField> ScalarChallenge<F>

pub fn from_limbs(limbs: [u64; 2]) -> Self

Creates a ScalarChallenge from exactly 128 bits (2 limbs).

This is the preferred constructor as it enforces the 128-bit constraint required by Self::to_field.

Panics

Panics if the 128-bit value cannot be represented as a field element (unreachable for fields with modulus > 2^128).

pub const fn inner(&self) -> F

Get the inner value

pub fn to_field_with_length(&self, length_in_bits: usize, endo_coeff: &F) -> F

Converts a scalar challenge to an “effective” scalar using endomorphism decomposition.

Background

For curves with an endomorphism φ(P) = [λ]P, we can represent any scalar k as:

k = a·λ + b

This allows efficient scalar multiplication because:

[k]P = [a·λ + b]P = [a]·φ(P) + [b]·P

Since φ(P) = (ξ·x, y) is essentially free (one field multiplication), we reduce the scalar multiplication cost by processing two scalar multiplications of half the size instead of one full-size multiplication.

Algorithm

Starting with a = b = 2, the challenge bits are processed in pairs (r_{2i}, r_{2i+1}) from MSB to LSB. For each pair:

1. Double both a and b
2. Add ±1 to either a or b based on the bit pair:

r_{2i}	r_{2i+1}	Action
0	0	b += -1
1	0	b += +1
0	1	a += -1
1	1	a += +1

The result is: a·λ + b

Parameters

• length_in_bits: Number of bits to process from the challenge
• endo_coeff: The scalar λ such that φ(P) = [λ]P

Returns

The effective scalar k = a·λ + b

References

• Halo paper, Section 6.2: https://eprint.iacr.org/2019/1021

pub fn to_field(&self, endo_coeff: &F) -> F

Converts a scalar challenge to an effective scalar.

This is a convenience wrapper around Self::to_field_with_length using the default challenge length (128 bits).

See Self::to_field_with_length for details on the algorithm.

Trait Implementations

impl<F: Clone> Clone for ScalarChallenge<F>

fn clone(&self) -> ScalarChallenge<F>

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl<F: Debug> Debug for ScalarChallenge<F>

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl<F, CamlF> From<CamlScalarChallenge<CamlF>> for ScalarChallenge<F>

where CamlF: Into<F>,

fn from(caml_sc: CamlScalarChallenge<CamlF>) -> Self

Converts to this type from the input type.

impl<F, CamlF> From<ScalarChallenge<F>> for CamlScalarChallenge<CamlF>

where CamlF: From<F>,

fn from(sc: ScalarChallenge<F>) -> Self

Converts to this type from the input type.