Add full-coordinate MontgomeryPoint skeleton

Author: daxpedda

ed448-goldilocks/src/lib.rs

@@ -60,7 +60,9 @@ pub use edwards::{
     WideEdwardsScalarBytes,
 };
 pub use field::{MODULUS_LIMBS, ORDER, Scalar, WIDE_ORDER};
-pub use montgomery::{MontgomeryXpoint, ProjectiveMontgomeryXpoint};
+pub use montgomery::{
+    MontgomeryPoint, MontgomeryXpoint, ProjectiveMontgomeryPoint, ProjectiveMontgomeryXpoint,
+};
 #[cfg(feature = "signing")]
 pub use sign::*;
 
@@ -169,3 +171,7 @@ impl elliptic_curve::CurveArithmetic for Decaf448 {
 impl GroupDigest for Decaf448 {
     type K = U28;
 }
+
+/// Curve448 curve.
+#[derive(Copy, Clone, Debug, Default, Eq, PartialEq, Ord, PartialOrd, Hash)]
+pub struct Curve448;

ed448-goldilocks/src/montgomery.rs

@@ -10,6 +10,8 @@
 
 #![allow(non_snake_case)]
 
+mod point;
 mod x;
 
+pub use point::{MontgomeryPoint, ProjectiveMontgomeryPoint};
 pub use x::{MontgomeryXpoint, ProjectiveMontgomeryXpoint};

ed448-goldilocks/src/montgomery/point.rs

@@ -0,0 +1,207 @@
+use elliptic_curve::bigint::U448;
+use subtle::Choice;
+use subtle::ConditionallySelectable;
+use subtle::ConstantTimeEq;
+
+use super::{MontgomeryXpoint, ProjectiveMontgomeryXpoint};
+use crate::field::{ConstMontyType, FieldElement};
+
+/// A point in Montgomery form including the y-coordinate.
+#[derive(Copy, Clone, Debug, Default, Eq)]
+pub struct MontgomeryPoint {
+    pub(super) x: FieldElement,
+    pub(super) y: FieldElement,
+}
+
+impl MontgomeryPoint {
+    /// The identity element of the group: the point at infinity.
+    pub const IDENTITY: Self = Self {
+        x: FieldElement::ZERO,
+        y: FieldElement::ONE,
+    };
+
+    pub(crate) fn new(x: FieldElement, y: FieldElement) -> Self {
+        Self { x, y }
+    }
+}
+
+impl ConditionallySelectable for MontgomeryPoint {
+    fn conditional_select(a: &Self, b: &Self, choice: Choice) -> Self {
+        Self {
+            x: FieldElement::conditional_select(&a.x, &b.x, choice),
+            y: FieldElement::conditional_select(&a.y, &b.y, choice),
+        }
+    }
+}
+
+impl ConstantTimeEq for MontgomeryPoint {
+    fn ct_eq(&self, other: &Self) -> Choice {
+        self.x.ct_eq(&other.x) & self.y.ct_eq(&other.y)
+    }
+}
+
+impl PartialEq for MontgomeryPoint {
+    fn eq(&self, other: &Self) -> bool {
+        self.ct_eq(other).into()
+    }
+}
+
+impl From<&MontgomeryPoint> for ProjectiveMontgomeryPoint {
+    fn from(value: &MontgomeryPoint) -> Self {
+        ProjectiveMontgomeryPoint {
+            U: value.x,
+            V: value.y,
+            W: FieldElement::ONE,
+        }
+    }
+}
+
+impl From<MontgomeryPoint> for ProjectiveMontgomeryPoint {
+    fn from(value: MontgomeryPoint) -> Self {
+        (&value).into()
+    }
+}
+
+impl From<&MontgomeryPoint> for MontgomeryXpoint {
+    fn from(value: &MontgomeryPoint) -> Self {
+        MontgomeryXpoint(value.x.to_bytes())
+    }
+}
+
+impl From<MontgomeryPoint> for MontgomeryXpoint {
+    fn from(value: MontgomeryPoint) -> Self {
+        (&value).into()
+    }
+}
+
+/// A Projective point in Montgomery form including the y-coordinate.
+#[derive(Copy, Clone, Debug, Eq)]
+pub struct ProjectiveMontgomeryPoint {
+    pub(super) U: FieldElement,
+    pub(super) V: FieldElement,
+    pub(super) W: FieldElement,
+}
+
+impl ProjectiveMontgomeryPoint {
+    /// The identity element of the group: the point at infinity.
+    pub const IDENTITY: Self = Self {
+        U: FieldElement::ZERO,
+        V: FieldElement::ONE,
+        W: FieldElement::ZERO,
+    };
+
+    /// The generator point
+    pub const GENERATOR: Self = Self {
+        U: FieldElement(ConstMontyType::new(&U448::from_u64(5))),
+        V: FieldElement(ConstMontyType::new(&U448::from_be_hex(
+            "7d235d1295f5b1f66c98ab6e58326fcecbae5d34f55545d060f75dc28df3f6edb8027e2346430d211312c4b150677af76fd7223d457b5b1a",
+        ))),
+        W: FieldElement::ONE,
+    };
+
+    pub(crate) fn new(U: FieldElement, V: FieldElement, W: FieldElement) -> Self {
+        Self { U, V, W }
+    }
+}
+
+impl ConditionallySelectable for ProjectiveMontgomeryPoint {
+    fn conditional_select(a: &Self, b: &Self, choice: Choice) -> Self {
+        Self {
+            U: FieldElement::conditional_select(&a.U, &b.U, choice),
+            V: FieldElement::conditional_select(&a.V, &b.V, choice),
+            W: FieldElement::conditional_select(&a.W, &b.W, choice),
+        }
+    }
+}
+
+impl ConstantTimeEq for ProjectiveMontgomeryPoint {
+    fn ct_eq(&self, other: &Self) -> Choice {
+        let UW = self.U * other.W;
+        let WU = self.W * other.U;
+
+        let VW = self.V * other.W;
+        let WV = self.W * other.V;
+
+        (UW.ct_eq(&WU)) & (VW.ct_eq(&WV))
+    }
+}
+
+impl Default for ProjectiveMontgomeryPoint {
+    fn default() -> Self {
+        Self::IDENTITY
+    }
+}
+
+impl PartialEq for ProjectiveMontgomeryPoint {
+    fn eq(&self, other: &Self) -> bool {
+        self.ct_eq(other).into()
+    }
+}
+
+impl From<&ProjectiveMontgomeryPoint> for MontgomeryPoint {
+    fn from(value: &ProjectiveMontgomeryPoint) -> Self {
+        let W_inv = value.W.invert();
+        let x = value.U * W_inv;
+        let y = value.V * W_inv;
+
+        MontgomeryPoint { x, y }
+    }
+}
+
+impl From<ProjectiveMontgomeryPoint> for MontgomeryPoint {
+    fn from(value: ProjectiveMontgomeryPoint) -> Self {
+        (&value).into()
+    }
+}
+
+impl From<&ProjectiveMontgomeryPoint> for ProjectiveMontgomeryXpoint {
+    fn from(value: &ProjectiveMontgomeryPoint) -> Self {
+        ProjectiveMontgomeryXpoint::conditional_select(
+            &ProjectiveMontgomeryXpoint {
+                U: value.U,
+                W: value.W,
+            },
+            &ProjectiveMontgomeryXpoint::IDENTITY,
+            value.ct_eq(&ProjectiveMontgomeryPoint::IDENTITY),
+        )
+    }
+}
+
+impl From<ProjectiveMontgomeryPoint> for ProjectiveMontgomeryXpoint {
+    fn from(value: ProjectiveMontgomeryPoint) -> Self {
+        (&value).into()
+    }
+}
+
+impl From<&ProjectiveMontgomeryPoint> for MontgomeryXpoint {
+    fn from(value: &ProjectiveMontgomeryPoint) -> Self {
+        ProjectiveMontgomeryXpoint::from(value).to_affine()
+    }
+}
+
+impl From<ProjectiveMontgomeryPoint> for MontgomeryXpoint {
+    fn from(value: ProjectiveMontgomeryPoint) -> Self {
+        (&value).into()
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn to_projective_x() {
+        let x_identity = ProjectiveMontgomeryXpoint::IDENTITY;
+        let identity = ProjectiveMontgomeryPoint::IDENTITY;
+
+        assert_eq!(ProjectiveMontgomeryXpoint::from(identity), x_identity);
+    }
+
+    #[test]
+    fn to_affine_x() {
+        let x_identity = ProjectiveMontgomeryXpoint::IDENTITY.to_affine();
+        let identity = MontgomeryXpoint::from(ProjectiveMontgomeryPoint::IDENTITY);
+
+        assert_eq!(identity, x_identity);
+    }
+}

ed448-goldilocks/src/montgomery/x.rs

@@ -1,4 +1,5 @@
 // use crate::constants::A_PLUS_TWO_OVER_FOUR;
+use super::{MontgomeryPoint, ProjectiveMontgomeryPoint};
 use crate::EdwardsScalar;
 use crate::edwards::extended::EdwardsPoint;
 use crate::field::{ConstMontyType, FieldElement};
@@ -65,8 +66,8 @@ impl Eq for MontgomeryXpoint {}
 /// A Projective point in Montgomery form
 #[derive(Copy, Clone, Debug, Eq)]
 pub struct ProjectiveMontgomeryXpoint {
-    U: FieldElement,
-    W: FieldElement,
+    pub(super) U: FieldElement,
+    pub(super) W: FieldElement,
 }
 
 impl Mul<&EdwardsScalar> for &MontgomeryXpoint {
@@ -113,13 +114,12 @@ impl MontgomeryXpoint {
 
     /// Compute the Y-coordinate
     pub fn y(&self, sign: Choice) -> [u8; 56] {
-        self.y_internal(sign).to_bytes()
+        Self::y_internal(&FieldElement::from_bytes(&self.0), sign).to_bytes()
     }
 
     // See https://www.rfc-editor.org/rfc/rfc7748#section-1.
-    pub(super) fn y_internal(&self, sign: Choice) -> FieldElement {
+    pub(super) fn y_internal(u: &FieldElement, sign: Choice) -> FieldElement {
         // v^2 = u^3 + A*u^2 + u
-        let u = FieldElement::from_bytes(&self.0);
         let uu = u.square();
         let vv = uu * u + FieldElement::J * uu + u;
 
@@ -159,6 +159,19 @@ impl MontgomeryXpoint {
             W: FieldElement::ONE,
         }
     }
+
+    /// Convert the point to projective form including the y-coordinate
+    pub fn to_extended_projective(&self, sign: Choice) -> ProjectiveMontgomeryPoint {
+        self.to_projective().to_extended(sign)
+    }
+
+    /// Convert the point to its form including the y-coordinate
+    pub fn to_extended(&self, sign: Choice) -> MontgomeryPoint {
+        let x = FieldElement::from_bytes(&self.0);
+        let y = Self::y_internal(&x, sign);
+
+        MontgomeryPoint::new(x, y)
+    }
 }
 
 impl ConstantTimeEq for ProjectiveMontgomeryXpoint {
@@ -255,6 +268,17 @@ impl ProjectiveMontgomeryXpoint {
         W: FieldElement::ONE,
     };
 
+    // See https://www.rfc-editor.org/rfc/rfc7748#section-1.
+    fn y(&self, sign: Choice) -> FieldElement {
+        // v^2 = u^3 + A*u^2 + u
+        let u_sq = self.U.square();
+        let v_sq = u_sq * self.U + FieldElement::J * u_sq + self.U;
+
+        let mut v = v_sq.sqrt();
+        v.conditional_negate(v.is_negative() ^ sign);
+        v
+    }
+
     /// Double this point
     // https://eprint.iacr.org/2020/1338.pdf (2.2)
     pub fn double(&self) -> Self {
@@ -274,6 +298,23 @@ impl ProjectiveMontgomeryXpoint {
         let x = self.U * self.W.invert();
         MontgomeryXpoint(x.to_bytes())
     }
+
+    /// Convert the point to affine form including the y-coordinate
+    pub fn to_extended_affine(&self, sign: Choice) -> MontgomeryPoint {
+        let x = self.U * self.W.invert();
+        let y = self.y(sign);
+
+        MontgomeryPoint::new(x, y)
+    }
+
+    /// Convert the point to its form including the y-coordinate
+    pub fn to_extended(&self, sign: Choice) -> ProjectiveMontgomeryPoint {
+        ProjectiveMontgomeryPoint::conditional_select(
+            &ProjectiveMontgomeryPoint::new(self.U, self.y(sign), self.W),
+            &ProjectiveMontgomeryPoint::IDENTITY,
+            self.ct_eq(&Self::IDENTITY),
+        )
+    }
 }
 
 #[cfg(test)]
@@ -295,4 +336,20 @@ mod tests {
             montgomery_res.to_affine()
         );
     }
+
+    #[test]
+    fn to_extended() {
+        let x_identity = ProjectiveMontgomeryXpoint::IDENTITY;
+        let identity = ProjectiveMontgomeryPoint::IDENTITY;
+
+        assert_eq!(x_identity.to_extended(Choice::from(1)), identity);
+    }
+
+    #[test]
+    fn to_extended_affine() {
+        let x_identity = ProjectiveMontgomeryXpoint::IDENTITY.to_affine();
+        let identity = MontgomeryPoint::from(ProjectiveMontgomeryPoint::IDENTITY);
+
+        assert_eq!(x_identity.to_extended(Choice::from(1)), identity);
+    }
 }