Add Montgomery <-> Edwards conversions

Author: daxpedda

ed448-goldilocks/src/edwards/extended.rs

@@ -542,6 +542,28 @@ impl EdwardsPoint {
         MontgomeryXpoint(u.to_bytes())
     }
 
+    /// Convert this point to [`MontgomeryPoint`]
+    // See https://www.rfc-editor.org/rfc/rfc7748#section-4.2 4-isogeny maps
+    pub fn to_montgomery(&self) -> MontgomeryPoint {
+        // u = y^2/x^2
+        // v = (2 - x^2 - y^2)*y/x^3
+
+        let affine = self.to_affine();
+
+        // TODO: optimize to a single inversion.
+        let xx = affine.x.square();
+        let yy = affine.y.square();
+
+        let u = yy * xx.invert();
+        let v = (FieldElement::TWO - xx - yy) * affine.y * (xx * affine.x).invert();
+
+        MontgomeryPoint::conditional_select(
+            &MontgomeryPoint::new(u, v),
+            &MontgomeryPoint::IDENTITY,
+            self.ct_eq(&Self::IDENTITY),
+        )
+    }
+
     /// Generic scalar multiplication to compute s*P
     pub fn scalar_mul(&self, scalar: &EdwardsScalar) -> Self {
         // Compute floor(s/4)

ed448-goldilocks/src/montgomery/point.rs

@@ -4,6 +4,7 @@ use subtle::ConditionallySelectable;
 use subtle::ConstantTimeEq;
 
 use super::{MontgomeryXpoint, ProjectiveMontgomeryXpoint};
+use crate::AffinePoint;
 use crate::field::ConstMontyType;
 use crate::field::FieldElement;
 
@@ -25,6 +26,36 @@ impl MontgomeryPoint {
         Self { x, y }
     }
 
+    /// Convert this point to an [`AffinePoint`]
+    // https://www.rfc-editor.org/rfc/rfc7748#section-4.2
+    pub fn to_edwards(&self) -> AffinePoint {
+        let u = self.x;
+        let v = self.y;
+
+        let u_sq = self.x.square();
+        let u_sq_minus_1 = u_sq - FieldElement::ONE;
+        let u_sq_minus_1_sq = u_sq_minus_1.square();
+        let v_sq_2 = v.square().double();
+        let v_sq_4 = v_sq_2.double();
+
+        let xn = v.double().double() * u_sq_minus_1;
+        let xd = u_sq_minus_1_sq + v_sq_4;
+
+        let yn = -u * (u_sq_minus_1_sq - v_sq_4);
+        let yd = u * u_sq_minus_1_sq - v_sq_2 * (u_sq + FieldElement::ONE);
+
+        let d = (xd * yd).invert();
+
+        let x = xn * yd * d;
+        let y = yn * xd * d;
+
+        AffinePoint::conditional_select(
+            &AffinePoint { x, y },
+            &AffinePoint::IDENTITY,
+            self.ct_eq(&Self::IDENTITY),
+        )
+    }
+
     /// Convert the point to its form without the y-coordinate
     pub fn to_affine_x(&self) -> MontgomeryXpoint {
         MontgomeryXpoint(self.x.to_bytes())
@@ -155,6 +186,35 @@ impl From<MontgomeryPoint> for ProjectiveMontgomeryPoint {
 #[cfg(test)]
 mod tests {
     use super::*;
+    use crate::{EdwardsPoint, MontgomeryScalar};
+
+    #[test]
+    fn to_edwards() {
+        let scalar = MontgomeryScalar::from(200u32);
+
+        // Montgomery scalar mul
+        let montgomery_res = ProjectiveMontgomeryPoint::GENERATOR * scalar * scalar;
+        // Goldilocks scalar mul
+        let goldilocks_point = EdwardsPoint::GENERATOR * scalar.to_scalar() * scalar.to_scalar();
+
+        assert_eq!(goldilocks_point.to_montgomery(), montgomery_res.to_affine());
+    }
+
+    #[test]
+    fn identity_to_edwards() {
+        let edwards = AffinePoint::IDENTITY;
+        let montgomery = MontgomeryPoint::IDENTITY;
+
+        assert_eq!(montgomery.to_edwards(), edwards);
+    }
+
+    #[test]
+    fn identity_from_montgomery() {
+        let edwards = EdwardsPoint::IDENTITY;
+        let montgomery = MontgomeryPoint::IDENTITY;
+
+        assert_eq!(edwards.to_montgomery(), montgomery);
+    }
 
     #[test]
     fn to_projective_x() {

ed448-goldilocks/src/montgomery/x.rs

@@ -1,6 +1,6 @@
 // use crate::constants::A_PLUS_TWO_OVER_FOUR;
 use super::{MontgomeryPoint, MontgomeryScalar, ProjectiveMontgomeryPoint};
-use crate::edwards::extended::EdwardsPoint;
+use crate::AffinePoint;
 use crate::field::ConstMontyType;
 use crate::field::FieldElement;
 use core::fmt;
@@ -91,13 +91,6 @@ impl MontgomeryXpoint {
         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
     ]);
 
-    /// Convert this point to an [`EdwardsPoint`]
-    pub fn to_edwards(&self, _sign: u8) -> Option<EdwardsPoint> {
-        // We use the 4-isogeny to map to the Ed448.
-        // This is different to Curve25519, where we use a birational map.
-        todo!()
-    }
-
     /// Returns true if the point is one of the low order points
     pub fn is_low_order(&self) -> bool {
         (*self == LOW_A) || (*self == LOW_B) || (*self == LOW_C)
@@ -154,6 +147,11 @@ impl MontgomeryXpoint {
     pub fn to_extended(&self, sign: Choice) -> MontgomeryPoint {
         self.to_projective().to_extended_affine(sign)
     }
+
+    /// Convert this point to an [`AffinePoint`]
+    pub fn to_edwards(&self, sign: Choice) -> AffinePoint {
+        self.to_extended(sign).to_edwards()
+    }
 }
 
 impl ConstantTimeEq for ProjectiveMontgomeryXpoint {
@@ -304,6 +302,7 @@ impl ProjectiveMontgomeryXpoint {
 mod tests {
 
     use super::*;
+    use crate::EdwardsPoint;
 
     #[test]
     fn test_montgomery_edwards() {