merge other upstream branches

Author: baloo

.github/workflows/x448.yml

@@ -0,0 +1,111 @@
+name: x448
+
+on:
+  pull_request:
+    paths:
+      - ".github/workflows/x448.yml"
+      - "ed448-goldilocks/**"
+      - "x448/**"
+      - "Cargo.*"
+  push:
+    branches: master
+
+defaults:
+  run:
+    working-directory: x448
+
+env:
+  CARGO_INCREMENTAL: 0
+  RUSTFLAGS: "-Dwarnings"
+  RUSTDOCFLAGS: "-Dwarnings"
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        rust:
+          - 1.85.0 # MSRV
+          - stable
+        target:
+          - thumbv7em-none-eabi
+          - wasm32-unknown-unknown
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dtolnay/rust-toolchain@master
+        with:
+          toolchain: ${{ matrix.rust }}
+          targets: ${{ matrix.target }}
+      - run: cargo build --target ${{ matrix.target }} --release
+
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        include:
+          # 32-bit Linux
+          - target: i686-unknown-linux-gnu
+            rust: 1.85.0 # MSRV
+            deps: sudo apt update && sudo apt install gcc-multilib
+          - target: i686-unknown-linux-gnu
+            rust: stable
+            deps: sudo apt update && sudo apt install gcc-multilib
+
+          # 64-bit Linux
+          - target: x86_64-unknown-linux-gnu
+            rust: 1.85.0 # MSRV
+          - target: x86_64-unknown-linux-gnu
+            rust: stable
+
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dtolnay/rust-toolchain@master
+        with:
+          toolchain: ${{ matrix.rust }}
+          targets: ${{ matrix.target }}
+      - uses: RustCrypto/actions/cargo-hack-install@master
+      - run: ${{ matrix.deps }}
+      - run: cargo test --release --target ${{ matrix.target }}
+
+  cross:
+    strategy:
+      matrix:
+        include:
+          # ARM32
+          - target: armv7-unknown-linux-gnueabihf
+            rust: 1.85.0 # MSRV (cross)
+          - target: armv7-unknown-linux-gnueabihf
+            rust: stable
+
+          # ARM64
+          - target: aarch64-unknown-linux-gnu
+            rust: 1.85.0 # MSRV (cross)
+          - target: aarch64-unknown-linux-gnu
+            rust: stable
+
+          # PPC32
+          - target: powerpc-unknown-linux-gnu
+            rust: 1.85.0 # MSRV (cross)
+          - target: powerpc-unknown-linux-gnu
+            rust: stable
+
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - run: ${{ matrix.deps }}
+      - uses: dtolnay/rust-toolchain@master
+        with:
+          toolchain: ${{ matrix.rust }}
+          targets: ${{ matrix.target }}
+      - uses: RustCrypto/actions/cross-install@master
+      - run: cross test --release --target ${{ matrix.target }}
+
+  doc:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: RustCrypto/actions/cargo-cache@master
+      - uses: dtolnay/rust-toolchain@master
+        with:
+          toolchain: stable
+      - run: cargo doc

Cargo.lock

@@ -14,13 +14,15 @@ members = [
     "p521",
     "primefield",
     "primeorder",
-    "sm2"
+    "sm2",
+    "x448"
 ]
 
 [profile.dev]
 opt-level = 2
 
 [patch.crates-io]
+ed448-goldilocks = { path = "ed448-goldilocks" }
 elliptic-curve = { git = "https://github.com/RustCrypto/traits.git" }
 hash2curve = { path = "hash2curve" }
 primefield = { path = "primefield" }

Cargo.toml

@@ -7,19 +7,7 @@ pub const DECAF_BASEPOINT: DecafPoint = DecafPoint(curve::twedwards::extended::E
     T: TWISTED_EDWARDS_BASE_POINT.T,
 });
 
-/// `BASEPOINT_ORDER` is the order of the Ed448 basepoint, i.e.,
-/// $$
-/// \ell = 2^\{446\} + 0x8335dc163bb124b65129c96fde933d8d723a70aadc873d6d54a7bb0d.
-/// $$
-pub const EDWARDS_BASEPOINT_ORDER: EdwardsScalar = EdwardsScalar::new(ORDER);
-
-/// `BASEPOINT_ORDER` is the order of the Decaf448 basepoint, i.e.,
-/// $$
-/// \ell = 2^\{446\} + 0x8335dc163bb124b65129c96fde933d8d723a70aadc873d6d54a7bb0d.
-/// $$
-pub const DECAF_BASEPOINT_ORDER: DecafScalar = DecafScalar::new(ORDER);
-
-/// `BASEPOINT_ORDER` is the order of the Curve448 basepoint, i.e.,
+/// [`MONTGOMERY_BASEPOINT_ORDER`] is the order of the Curve448 basepoint, i.e.,
 /// $$
 /// \ell = 2^\{446\} + 0x8335dc163bb124b65129c96fde933d8d723a70aadc873d6d54a7bb0d.
 /// $$

ed448-goldilocks/src/constants.rs

@@ -115,7 +115,7 @@ impl ExtendedPoint {
 
         // Compute x
         let xy = x * y;
-        let x_numerator = xy + xy;
+        let x_numerator = xy.double();
         let x_denom = y.square() - (a * x.square());
         let new_x = x_numerator * x_denom.invert();
 

ed448-goldilocks/src/curve/twedwards/extended.rs

@@ -52,7 +52,7 @@ impl ExtensiblePoint {
     pub fn double(&self) -> ExtensiblePoint {
         let A = self.X.square();
         let B = self.Y.square();
-        let C = self.Z.square() + self.Z.square();
+        let C = self.Z.square().double();
         let D = -A;
         let E = (self.X + self.Y).square() - A - B;
         let G = D + B;

ed448-goldilocks/src/curve/twedwards/extensible.rs

@@ -93,36 +93,6 @@ impl From<NonIdentity<AffinePoint>> for AffinePoint {
     }
 }
 
-impl Mul<DecafScalar> for AffinePoint {
-    type Output = DecafPoint;
-
-    #[inline]
-    #[expect(clippy::op_ref, reason = "false-positive")]
-    fn mul(self, scalar: DecafScalar) -> DecafPoint {
-        &self * scalar
-    }
-}
-
-#[allow(clippy::op_ref)] // https://github.com/rust-lang/rust-clippy/issues/12463
-impl Mul<DecafScalar> for &AffinePoint {
-    type Output = DecafPoint;
-
-    #[inline]
-    fn mul(self, scalar: DecafScalar) -> DecafPoint {
-        self * &scalar
-    }
-}
-
-#[allow(clippy::op_ref)] // https://github.com/rust-lang/rust-clippy/issues/12463
-impl Mul<&DecafScalar> for AffinePoint {
-    type Output = DecafPoint;
-
-    #[inline]
-    fn mul(self, scalar: &DecafScalar) -> DecafPoint {
-        &self * scalar
-    }
-}
-
 impl Mul<&DecafScalar> for &AffinePoint {
     type Output = DecafPoint;
 
@@ -132,20 +102,4 @@ impl Mul<&DecafScalar> for &AffinePoint {
     }
 }
 
-impl Mul<AffinePoint> for DecafScalar {
-    type Output = DecafPoint;
-
-    #[inline]
-    fn mul(self, point: AffinePoint) -> DecafPoint {
-        point * self
-    }
-}
-
-impl Mul<&AffinePoint> for DecafScalar {
-    type Output = DecafPoint;
-
-    #[inline]
-    fn mul(self, point: &AffinePoint) -> DecafPoint {
-        point * self
-    }
-}
+define_mul_variants!(LHS = AffinePoint, RHS = DecafScalar, Output = DecafPoint);

ed448-goldilocks/src/decaf/affine.rs

@@ -20,16 +20,6 @@ impl Mul<&DecafScalar> for &DecafPoint {
 
 define_mul_variants!(LHS = DecafPoint, RHS = DecafScalar, Output = DecafPoint);
 
-impl Mul<&DecafPoint> for &DecafScalar {
-    type Output = DecafPoint;
-
-    fn mul(self, point: &DecafPoint) -> DecafPoint {
-        point * self
-    }
-}
-
-define_mul_variants!(LHS = DecafScalar, RHS = DecafPoint, Output = DecafPoint);
-
 impl<'s> MulAssign<&'s DecafScalar> for DecafPoint {
     fn mul_assign(&mut self, scalar: &'s DecafScalar) {
         *self = *self * scalar;

ed448-goldilocks/src/decaf/ops.rs

@@ -1,4 +1,4 @@
-use crate::constants::{DECAF_BASEPOINT, DECAF_BASEPOINT_ORDER};
+use crate::constants::DECAF_BASEPOINT;
 use crate::curve::twedwards::extended::ExtendedPoint;
 use crate::field::FieldElement;
 use crate::*;
@@ -226,7 +226,7 @@ impl CofactorGroup for DecafPoint {
     }
 
     fn is_torsion_free(&self) -> Choice {
-        (self * DECAF_BASEPOINT_ORDER).ct_eq(&Self::IDENTITY)
+        Choice::from(1)
     }
 }
 
@@ -550,7 +550,7 @@ impl CompressedDecaf {
         let (I, ok) = (v * u1_sqr).inverse_square_root();
 
         let Dx = I * u1;
-        let Dxs = (s + s) * Dx;
+        let Dxs = s.double() * Dx;
 
         let mut X = (Dxs * I) * v;
         let k = Dxs * FieldElement::DECAF_FACTOR;

ed448-goldilocks/src/decaf/points.rs

@@ -52,7 +52,7 @@ impl DecafScalar {
     }
 }
 
-elliptic_curve::scalar_from_impls!(Decaf448, DecafScalar);
+elliptic_curve::scalar_impls!(Decaf448, DecafScalar);
 
 /// The number of bytes needed to represent the scalar field
 pub type DecafScalarBytes = ScalarBytes<Decaf448>;