RustCrypto
diff --git a/‎ed448-goldilocks/src/montgomery.rs
Lines changed: 2 additions & 223 deletions b/‎ed448-goldilocks/src/montgomery.rs
Lines changed: 2 additions & 223 deletions
@@ -10,227 +10,6 @@
 
 #![allow(non_snake_case)]
 
-// use crate::constants::A_PLUS_TWO_OVER_FOUR;
-use crate::EdwardsScalar;
-use crate::edwards::extended::EdwardsPoint;
-use crate::field::FieldElement;
-use core::fmt;
-use core::ops::Mul;
-use subtle::{Choice, ConditionallySelectable, ConstantTimeEq};
+mod x;
 
-// Low order points on Curve448 and it's twist
-const LOW_A: MontgomeryXpoint = MontgomeryXpoint([
-    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-]);
-const LOW_B: MontgomeryXpoint = MontgomeryXpoint([
-    0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-]);
-const LOW_C: MontgomeryXpoint = MontgomeryXpoint([
-    0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xff,
-    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-]);
-
-/// A point in Montgomery form
-#[derive(Copy, Clone)]
-pub struct MontgomeryXpoint(pub [u8; 56]);
-
-impl Default for MontgomeryXpoint {
-    fn default() -> MontgomeryXpoint {
-        Self([0u8; 56])
-    }
-}
-
-impl elliptic_curve::zeroize::DefaultIsZeroes for MontgomeryXpoint {}
-
-impl fmt::Debug for MontgomeryXpoint {
-    fn fmt(&self, formatter: &mut fmt::Formatter) -> fmt::Result {
-        self.0[..].fmt(formatter)
-    }
-}
-
-impl ConstantTimeEq for MontgomeryXpoint {
-    fn ct_eq(&self, other: &MontgomeryXpoint) -> Choice {
-        self.0.ct_eq(&other.0)
-    }
-}
-
-impl PartialEq for MontgomeryXpoint {
-    fn eq(&self, other: &MontgomeryXpoint) -> bool {
-        self.ct_eq(other).into()
-    }
-}
-impl Eq for MontgomeryXpoint {}
-
-/// A Projective point in Montgomery form
-#[derive(Copy, Clone, Debug)]
-pub struct ProjectiveMontgomeryXpoint {
-    U: FieldElement,
-    W: FieldElement,
-}
-
-impl Mul<&EdwardsScalar> for &MontgomeryXpoint {
-    type Output = MontgomeryXpoint;
-
-    #[allow(clippy::suspicious_arithmetic_impl)]
-    fn mul(self, scalar: &EdwardsScalar) -> MontgomeryXpoint {
-        // Algorithm 8 of Costello-Smith 2017
-        let affine_u = FieldElement::from_bytes(&self.0);
-        let mut x0 = ProjectiveMontgomeryXpoint::identity();
-        let mut x1 = ProjectiveMontgomeryXpoint {
-            U: affine_u,
-            W: FieldElement::ONE,
-        };
-
-        let bits = scalar.bits();
-        let mut swap = 0;
-        for s in (0..448).rev() {
-            let bit = bits[s] as u8;
-            let choice: u8 = swap ^ bit;
-
-            ProjectiveMontgomeryXpoint::conditional_swap(&mut x0, &mut x1, Choice::from(choice));
-            differential_add_and_double(&mut x0, &mut x1, &affine_u);
-
-            swap = bit;
-        }
-
-        x0.to_affine()
-    }
-}
-
-impl Mul<&MontgomeryXpoint> for &EdwardsScalar {
-    type Output = MontgomeryXpoint;
-
-    fn mul(self, point: &MontgomeryXpoint) -> MontgomeryXpoint {
-        point * self
-    }
-}
-
-impl MontgomeryXpoint {
-    /// Returns the generator specified in RFC7748
-    pub const GENERATOR: Self = Self([
-        0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-    ]);
-
-    /// Convert this point to an [`EdwardsPoint`]
-    pub fn to_edwards(&self, _sign: u8) -> Option<EdwardsPoint> {
-        // We use the 4-isogeny to map to the Ed448.
-        // This is different to Curve25519, where we use a birational map.
-        todo!()
-    }
-
-    /// Returns true if the point is one of the low order points
-    pub fn is_low_order(&self) -> bool {
-        (*self == LOW_A) || (*self == LOW_B) || (*self == LOW_C)
-    }
-
-    /// View the point as a byte slice
-    pub fn as_bytes(&self) -> &[u8; 56] {
-        &self.0
-    }
-
-    /// Convert the point to a ProjectiveMontgomeryPoint
-    pub fn to_projective(&self) -> ProjectiveMontgomeryXpoint {
-        ProjectiveMontgomeryXpoint {
-            U: FieldElement::from_bytes(&self.0),
-            W: FieldElement::ONE,
-        }
-    }
-}
-
-impl ConditionallySelectable for ProjectiveMontgomeryXpoint {
-    fn conditional_select(
-        a: &ProjectiveMontgomeryXpoint,
-        b: &ProjectiveMontgomeryXpoint,
-        choice: Choice,
-    ) -> ProjectiveMontgomeryXpoint {
-        ProjectiveMontgomeryXpoint {
-            U: FieldElement::conditional_select(&a.U, &b.U, choice),
-            W: FieldElement::conditional_select(&a.W, &b.W, choice),
-        }
-    }
-}
-
-fn differential_add_and_double(
-    P: &mut ProjectiveMontgomeryXpoint,
-    Q: &mut ProjectiveMontgomeryXpoint,
-    affine_PmQ: &FieldElement,
-) {
-    let t0 = P.U + P.W;
-    let t1 = P.U - P.W;
-    let t2 = Q.U + Q.W;
-    let t3 = Q.U - Q.W;
-
-    let t4 = t0.square(); // (U_P + W_P)^2 = U_P^2 + 2 U_P W_P + W_P^2
-    let t5 = t1.square(); // (U_P - W_P)^2 = U_P^2 - 2 U_P W_P + W_P^2
-
-    let t6 = t4 - t5; // 4 U_P W_P
-
-    let t7 = t0 * t3; // (U_P + W_P) (U_Q - W_Q) = U_P U_Q + W_P U_Q - U_P W_Q - W_P W_Q
-    let t8 = t1 * t2; // (U_P - W_P) (U_Q + W_Q) = U_P U_Q - W_P U_Q + U_P W_Q - W_P W_Q
-
-    let t9 = t7 + t8; // 2 (U_P U_Q - W_P W_Q)
-    let t10 = t7 - t8; // 2 (W_P U_Q - U_P W_Q)
-
-    let t11 = t9.square(); // 4 (U_P U_Q - W_P W_Q)^2
-    let t12 = t10.square(); // 4 (W_P U_Q - U_P W_Q)^2
-    let t13 = FieldElement::A_PLUS_TWO_OVER_FOUR * t6; // (A + 2) U_P U_Q
-
-    let t14 = t4 * t5; // ((U_P + W_P)(U_P - W_P))^2 = (U_P^2 - W_P^2)^2
-    let t15 = t13 + t5; // (U_P - W_P)^2 + (A + 2) U_P W_P
-
-    let t16 = t6 * t15; // 4 (U_P W_P) ((U_P - W_P)^2 + (A + 2) U_P W_P)
-    let t17 = *affine_PmQ * t12; // U_D * 4 (W_P U_Q - U_P W_Q)^2
-    let t18 = t11; // W_D * 4 (U_P U_Q - W_P W_Q)^2
-
-    P.U = t14; // U_{P'} = (U_P + W_P)^2 (U_P - W_P)^2
-    P.W = t16; // W_{P'} = (4 U_P W_P) ((U_P - W_P)^2 + ((A + 2)/4) 4 U_P W_P)
-    Q.U = t18; // U_{Q'} = W_D * 4 (U_P U_Q - W_P W_Q)^2
-    Q.W = t17; // W_{Q'} = U_D * 4 (W_P U_Q - U_P W_Q)^2
-}
-
-impl ProjectiveMontgomeryXpoint {
-    /// The identity element of the group: the point at infinity.
-    pub fn identity() -> ProjectiveMontgomeryXpoint {
-        ProjectiveMontgomeryXpoint {
-            U: FieldElement::ONE,
-            W: FieldElement::ZERO,
-        }
-    }
-
-    /// Convert the point to affine form
-    pub fn to_affine(&self) -> MontgomeryXpoint {
-        let x = self.U * self.W.invert();
-        MontgomeryXpoint(x.to_bytes())
-    }
-}
-
-#[cfg(test)]
-mod tests {
-
-    use super::*;
-
-    #[test]
-    fn test_montgomery_edwards() {
-        let scalar = EdwardsScalar::from(200u32);
-        use crate::GOLDILOCKS_BASE_POINT as bp;
-
-        // Montgomery scalar mul
-        let montgomery_bp = bp.to_montgomery_x();
-        let montgomery_res = &montgomery_bp * &scalar;
-
-        // Goldilocks scalar mul
-        let goldilocks_point = bp.scalar_mul(&scalar);
-        assert_eq!(goldilocks_point.to_montgomery_x(), montgomery_res);
-    }
-}
+pub use x::{MontgomeryXpoint, ProjectiveMontgomeryXpoint};