Restrict Edwards <-> Montgomery conversion to Affine form

Author: daxpedda

ed448-goldilocks/src/edwards/affine.rs

@@ -111,6 +111,7 @@ impl AffinePoint {
     }
 
     /// Convert this point to [`MontgomeryXpoint`]
+    // See https://www.rfc-editor.org/rfc/rfc7748#section-4.2 4-isogeny maps
     pub fn to_montgomery_x(&self) -> MontgomeryXpoint {
         // u = y^2/x^2
         let u = self.y.square() * self.x.square().invert();
@@ -119,10 +120,12 @@ impl AffinePoint {
     }
 
     /// Convert this point to [`MontgomeryPoint`]
+    // See https://www.rfc-editor.org/rfc/rfc7748#section-4.2 4-isogeny maps
     pub fn to_montgomery(&self) -> MontgomeryPoint {
         let x_sq = self.x.square();
         let y_sq = self.y.square();
 
+        // u = y^2/x^2
         let u = y_sq * x_sq.invert();
         // v = (2 - x^2 - y^2)*y/x^3)
         let v = ((FieldElement::TWO - x_sq - y_sq) * self.y) * (x_sq * self.x).invert();

ed448-goldilocks/src/edwards/extended.rs

@@ -1186,14 +1186,16 @@ mod tests {
 
             // Test Montgomery to Edwards conversion.
             let conv_p =
-                ProjectiveMontgomeryXpoint::encode::<ExpandMsgXof<Shake256>>(&[msg], &[DST]);
+                ProjectiveMontgomeryXpoint::encode::<ExpandMsgXof<Shake256>>(&[msg], &[DST])
+                    .to_affine();
             let conv_p1 = conv_p.to_edwards(Choice::from(0));
             let conv_p2 = conv_p.to_edwards(Choice::from(1));
             assert!(conv_p1.x == p.x || conv_p2.x == p.x);
             assert!(conv_p1.y == p.y || conv_p2.y == p.y);
 
             let conv_p = Curve448::encode_from_bytes::<ExpandMsgXof<Shake256>>(&[msg], &[DST])
                 .unwrap()
+                .to_affine()
                 .to_edwards();
             assert_eq!(conv_p.x, p.x);
             assert_eq!(conv_p.y, p.y);

ed448-goldilocks/src/montgomery/point.rs

@@ -174,11 +174,6 @@ impl ProjectiveMontgomeryPoint {
         self.to_projective_x().to_affine()
     }
 
-    /// Convert this point to an [`AffinePoint`]
-    pub fn to_edwards(&self) -> AffinePoint {
-        self.to_affine().to_edwards()
-    }
-
     /// Hash a message to a point on the curve
     ///
     /// Hash using the default domain separation tag and hash function.

ed448-goldilocks/src/montgomery/x.rs

@@ -240,6 +240,7 @@ impl ProjectiveMontgomeryXpoint {
         W: FieldElement::ONE,
     };
 
+    // See https://www.rfc-editor.org/rfc/rfc7748#section-1
     fn y(&self, sign: Choice) -> FieldElement {
         // v^2 = u^3 + A*u^2 + u
         let u_sq = self.U.square();
@@ -342,11 +343,6 @@ impl ProjectiveMontgomeryXpoint {
     pub fn to_extended(&self, sign: Choice) -> ProjectiveMontgomeryPoint {
         ProjectiveMontgomeryPoint::new(self.U, self.y(sign), self.W)
     }
-
-    /// Convert this point to an [`AffinePoint`]
-    pub fn to_edwards(&self, sign: Choice) -> AffinePoint {
-        self.to_affine().to_edwards(sign)
-    }
 }
 
 #[cfg(test)]