Add Montgomery <-> Edwards conversions

Author: daxpedda

ed448-goldilocks/src/edwards/affine.rs

@@ -69,37 +69,6 @@ impl AffinePoint {
         y: FieldElement::ONE,
     };
 
-    pub(crate) fn isogeny(&self) -> Self {
-        let x = self.x;
-        let y = self.y;
-        let mut t0 = x.square(); // x^2
-        let t1 = t0 + FieldElement::ONE; // x^2+1
-        t0 -= FieldElement::ONE; // x^2-1
-        let mut t2 = y.square(); // y^2
-        t2 = t2.double(); // 2y^2
-        let t3 = x.double(); // 2x
-
-        let mut t4 = t0 * y; // y(x^2-1)
-        t4 = t4.double(); // 2y(x^2-1)
-        let xNum = t4.double(); // xNum = 4y(x^2-1)
-
-        let mut t5 = t0.square(); // x^4-2x^2+1
-        t4 = t5 + t2; // x^4-2x^2+1+2y^2
-        let xDen = t4 + t2; // xDen = x^4-2x^2+1+4y^2
-
-        t5 *= x; // x^5-2x^3+x
-        t4 = t2 * t3; // 4xy^2
-        let yNum = t4 - t5; // yNum = -(x^5-2x^3+x-4xy^2)
-
-        t4 = t1 * t2; // 2x^2y^2+2y^2
-        let yDen = t5 - t4; // yDen = x^5-2x^3+x-2x^2y^2-2y^2
-
-        Self {
-            x: xNum * xDen.invert(),
-            y: yNum * yDen.invert(),
-        }
-    }
-
     /// Convert to edwards extended point
     pub fn to_edwards(&self) -> EdwardsPoint {
         EdwardsPoint {

ed448-goldilocks/src/edwards/extended.rs

@@ -542,6 +542,28 @@ impl EdwardsPoint {
         MontgomeryXpoint(u.to_bytes())
     }
 
+    /// Convert this point to [`MontgomeryPoint`]
+    // See https://www.rfc-editor.org/rfc/rfc7748#section-4.2 4-isogeny maps
+    pub fn to_montgomery(&self) -> MontgomeryPoint {
+        // u = y^2/x^2
+        // v = (2 - x^2 - y^2)*y/x^3
+
+        let affine = self.to_affine();
+
+        // TODO: optimize to a single inversion.
+        let xx = affine.x.square();
+        let yy = affine.y.square();
+
+        let u = yy * xx.invert();
+        let v = (FieldElement::TWO - xx - yy) * affine.y * (xx * affine.x).invert();
+
+        MontgomeryPoint::conditional_select(
+            &MontgomeryPoint::new(u, v),
+            &MontgomeryPoint::IDENTITY,
+            self.ct_eq(&Self::IDENTITY),
+        )
+    }
+
     /// Generic scalar multiplication to compute s*P
     pub fn scalar_mul(&self, scalar: &EdwardsScalar) -> Self {
         // Compute floor(s/4)

ed448-goldilocks/src/field/element.rs

@@ -3,7 +3,7 @@ use core::ops::{Add, AddAssign, Mul, MulAssign, Neg, Sub, SubAssign};
 
 use super::ConstMontyType;
 use crate::{
-    AffinePoint, Decaf448, DecafPoint, Ed448, EdwardsPoint,
+    Decaf448, DecafPoint, Ed448, EdwardsPoint, MontgomeryPoint,
     curve::twedwards::extended::ExtendedPoint as TwistedExtendedPoint,
 };
 use elliptic_curve::{
@@ -197,7 +197,11 @@ impl MapToCurve for Ed448 {
     type FieldElement = Ed448FieldElement;
 
     fn map_to_curve(element: Ed448FieldElement) -> Self::CurvePoint {
-        element.0.map_to_curve_elligator2().isogeny().to_edwards()
+        element
+            .0
+            .map_to_curve_elligator2_curve448()
+            .to_edwards()
+            .to_edwards()
     }
 
     fn map_to_subgroup(point: EdwardsPoint) -> EdwardsPoint {
@@ -377,7 +381,7 @@ impl FieldElement {
         (inv_sqrt_x * u, zero_u | is_res)
     }
 
-    pub(crate) fn map_to_curve_elligator2(&self) -> AffinePoint {
+    pub(crate) fn map_to_curve_elligator2_curve448(&self) -> MontgomeryPoint {
         let mut t1 = self.square(); // 1.   t1 = u^2
         t1 *= Self::Z; // 2.   t1 = Z * t1              // Z * u^2
         let e1 = t1.ct_eq(&Self::MINUS_ONE); // 3.   e1 = t1 == -1            // exceptional case: Z * u^2 == -1
@@ -397,7 +401,7 @@ impl FieldElement {
         let mut y = y2.sqrt(); // 17.   y = sqrt(y2)
         let e3 = y.is_negative(); // 18.  e3 = sgn0(y) == 1
         y.conditional_negate(e2 ^ e3); //       y = CMOV(-y, y, e2 xor e3)
-        AffinePoint { x, y }
+        MontgomeryPoint::new(x, y)
     }
 
     // See https://www.shiftleft.org/papers/decaf/decaf.pdf#section.A.3.

ed448-goldilocks/src/montgomery/point.rs

@@ -4,6 +4,7 @@ use subtle::ConditionallySelectable;
 use subtle::ConstantTimeEq;
 
 use super::{MontgomeryXpoint, ProjectiveMontgomeryXpoint};
+use crate::AffinePoint;
 use crate::field::ConstMontyType;
 use crate::field::FieldElement;
 
@@ -25,6 +26,43 @@ impl MontgomeryPoint {
         Self { x, y }
     }
 
+    /// Convert this point to an [`AffinePoint`]
+    // https://www.rfc-editor.org/rfc/rfc7748#section-4.2
+    pub fn to_edwards(&self) -> AffinePoint {
+        let x = self.x;
+        let y = self.y;
+        let mut t0 = x.square(); // x^2
+        let t1 = t0 + FieldElement::ONE; // x^2+1
+        t0 -= FieldElement::ONE; // x^2-1
+        let mut t2 = y.square(); // y^2
+        t2 = t2.double(); // 2y^2
+        let t3 = x.double(); // 2x
+
+        let mut t4 = t0 * y; // y(x^2-1)
+        t4 = t4.double(); // 2y(x^2-1)
+        let xNum = t4.double(); // xNum = 4y(x^2-1)
+
+        let mut t5 = t0.square(); // x^4-2x^2+1
+        t4 = t5 + t2; // x^4-2x^2+1+2y^2
+        let xDen = t4 + t2; // xDen = x^4-2x^2+1+4y^2
+
+        t5 *= x; // x^5-2x^3+x
+        t4 = t2 * t3; // 4xy^2
+        let yNum = t4 - t5; // yNum = -(x^5-2x^3+x-4xy^2)
+
+        t4 = t1 * t2; // 2x^2y^2+2y^2
+        let yDen = t5 - t4; // yDen = x^5-2x^3+x-2x^2y^2-2y^2
+
+        let x = xNum * xDen.invert();
+        let y = yNum * yDen.invert();
+
+        AffinePoint::conditional_select(
+            &AffinePoint { x, y },
+            &AffinePoint::IDENTITY,
+            self.ct_eq(&Self::IDENTITY),
+        )
+    }
+
     /// Convert the point to its form without the y-coordinate
     pub fn to_affine_x(&self) -> MontgomeryXpoint {
         MontgomeryXpoint(self.x.to_bytes())
@@ -155,6 +193,35 @@ impl From<MontgomeryPoint> for ProjectiveMontgomeryPoint {
 #[cfg(test)]
 mod tests {
     use super::*;
+    use crate::{EdwardsPoint, MontgomeryScalar};
+
+    #[test]
+    fn to_edwards() {
+        let scalar = MontgomeryScalar::from(200u32);
+
+        // Montgomery scalar mul
+        let montgomery_res = ProjectiveMontgomeryPoint::GENERATOR * scalar * scalar;
+        // Goldilocks scalar mul
+        let goldilocks_point = EdwardsPoint::GENERATOR * scalar.to_scalar() * scalar.to_scalar();
+
+        assert_eq!(goldilocks_point.to_montgomery(), montgomery_res.to_affine());
+    }
+
+    #[test]
+    fn identity_to_edwards() {
+        let edwards = AffinePoint::IDENTITY;
+        let montgomery = MontgomeryPoint::IDENTITY;
+
+        assert_eq!(montgomery.to_edwards(), edwards);
+    }
+
+    #[test]
+    fn identity_from_montgomery() {
+        let edwards = EdwardsPoint::IDENTITY;
+        let montgomery = MontgomeryPoint::IDENTITY;
+
+        assert_eq!(edwards.to_montgomery(), montgomery);
+    }
 
     #[test]
     fn to_projective_x() {

ed448-goldilocks/src/montgomery/x.rs

@@ -1,6 +1,6 @@
 // use crate::constants::A_PLUS_TWO_OVER_FOUR;
 use super::{MontgomeryPoint, MontgomeryScalar, ProjectiveMontgomeryPoint};
-use crate::edwards::extended::EdwardsPoint;
+use crate::AffinePoint;
 use crate::field::ConstMontyType;
 use crate::field::FieldElement;
 use core::fmt;
@@ -91,13 +91,6 @@ impl MontgomeryXpoint {
         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
     ]);
 
-    /// Convert this point to an [`EdwardsPoint`]
-    pub fn to_edwards(&self, _sign: u8) -> Option<EdwardsPoint> {
-        // We use the 4-isogeny to map to the Ed448.
-        // This is different to Curve25519, where we use a birational map.
-        todo!()
-    }
-
     /// Returns true if the point is one of the low order points
     pub fn is_low_order(&self) -> bool {
         (*self == LOW_A) || (*self == LOW_B) || (*self == LOW_C)
@@ -154,6 +147,11 @@ impl MontgomeryXpoint {
     pub fn to_extended(&self, sign: Choice) -> MontgomeryPoint {
         self.to_projective().to_extended_affine(sign)
     }
+
+    /// Convert this point to an [`AffinePoint`]
+    pub fn to_edwards(&self, sign: Choice) -> AffinePoint {
+        self.to_extended(sign).to_edwards()
+    }
 }
 
 impl ConstantTimeEq for ProjectiveMontgomeryXpoint {
@@ -304,6 +302,7 @@ impl ProjectiveMontgomeryXpoint {
 mod tests {
 
     use super::*;
+    use crate::EdwardsPoint;
 
     #[test]
     fn test_montgomery_edwards() {