Add full-coordinate MontgomeryPoint skeleton

daxpedda · daxpedda · commit f7ac90c110e1 · 2025-07-19T01:33:09.000+02:00
diff --git a/ed448-goldilocks/src/lib.rs b/ed448-goldilocks/src/lib.rs
@@ -61,7 +61,9 @@ pub use edwards::{
     WideEdwardsScalarBytes,
 };
 pub use field::{MODULUS_LIMBS, ORDER, Scalar, WIDE_ORDER};
-pub use montgomery::{MontgomeryXpoint, ProjectiveMontgomeryXpoint};
+pub use montgomery::{
+    MontgomeryPoint, MontgomeryXpoint, ProjectiveMontgomeryPoint, ProjectiveMontgomeryXpoint,
+};
 pub use ristretto::{CompressedRistretto, RistrettoPoint};
 #[cfg(feature = "signing")]
 pub use sign::*;
@@ -171,3 +173,7 @@ impl elliptic_curve::CurveArithmetic for Decaf448 {
 impl GroupDigest for Decaf448 {
     type K = U28;
 }
+
+/// Curve448 curve.
+#[derive(Copy, Clone, Debug, Default, Eq, PartialEq, Ord, PartialOrd, Hash)]
+pub struct Curve448;
diff --git a/ed448-goldilocks/src/montgomery.rs b/ed448-goldilocks/src/montgomery.rs
@@ -10,6 +10,8 @@
 
 #![allow(non_snake_case)]
 
+mod point;
 mod x;
 
+pub use point::{MontgomeryPoint, ProjectiveMontgomeryPoint};
 pub use x::{MontgomeryXpoint, ProjectiveMontgomeryXpoint};
diff --git a/ed448-goldilocks/src/montgomery/point.rs b/ed448-goldilocks/src/montgomery/point.rs
@@ -0,0 +1,174 @@
+use elliptic_curve::bigint::U448;
+use subtle::Choice;
+use subtle::ConditionallySelectable;
+use subtle::ConstantTimeEq;
+
+use super::{MontgomeryXpoint, ProjectiveMontgomeryXpoint};
+use crate::field::ConstMontyType;
+use crate::field::FieldElement;
+
+/// A point in Montgomery form including the y-coordinate.
+#[derive(Copy, Clone, Debug, Default)]
+pub struct MontgomeryPoint {
+    pub(super) x: FieldElement,
+    pub(super) y: FieldElement,
+}
+
+impl MontgomeryPoint {
+    /// The identity element of the group: the point at infinity.
+    pub const IDENTITY: Self = Self {
+        x: FieldElement::ZERO,
+        y: FieldElement::ONE,
+    };
+
+    pub(crate) fn new(x: FieldElement, y: FieldElement) -> Self {
+        Self { x, y }
+    }
+
+    /// Convert the point to its form without the y-coordinate
+    pub fn to_affine_x(&self) -> MontgomeryXpoint {
+        MontgomeryXpoint(self.x.to_bytes())
+    }
+}
+
+impl ConditionallySelectable for MontgomeryPoint {
+    fn conditional_select(a: &Self, b: &Self, choice: Choice) -> Self {
+        Self {
+            x: FieldElement::conditional_select(&a.x, &b.x, choice),
+            y: FieldElement::conditional_select(&a.y, &b.y, choice),
+        }
+    }
+}
+
+impl ConstantTimeEq for MontgomeryPoint {
+    fn ct_eq(&self, other: &Self) -> Choice {
+        self.x.ct_eq(&other.x) & self.y.ct_eq(&other.y)
+    }
+}
+
+impl PartialEq for MontgomeryPoint {
+    fn eq(&self, other: &Self) -> bool {
+        self.ct_eq(other).into()
+    }
+}
+impl Eq for MontgomeryPoint {}
+
+impl From<ProjectiveMontgomeryPoint> for MontgomeryPoint {
+    fn from(value: ProjectiveMontgomeryPoint) -> Self {
+        value.to_affine()
+    }
+}
+
+/// A Projective point in Montgomery form including the y-coordinate.
+#[derive(Copy, Clone, Debug, Eq)]
+pub struct ProjectiveMontgomeryPoint {
+    pub(super) U: FieldElement,
+    pub(super) V: FieldElement,
+    pub(super) W: FieldElement,
+}
+
+impl ProjectiveMontgomeryPoint {
+    /// The identity element of the group: the point at infinity.
+    pub const IDENTITY: Self = Self {
+        U: FieldElement::ZERO,
+        V: FieldElement::ONE,
+        W: FieldElement::ZERO,
+    };
+
+    /// The generator point
+    pub const GENERATOR: Self = Self {
+        U: FieldElement(ConstMontyType::new(&U448::from_u64(5))),
+        V: FieldElement(ConstMontyType::new(&U448::from_be_hex(
+            "7d235d1295f5b1f66c98ab6e58326fcecbae5d34f55545d060f75dc28df3f6edb8027e2346430d211312c4b150677af76fd7223d457b5b1a",
+        ))),
+        W: FieldElement::ONE,
+    };
+
+    pub(crate) fn new(U: FieldElement, V: FieldElement, W: FieldElement) -> Self {
+        Self { U, V, W }
+    }
+
+    /// Convert the point to its form without the y-coordinate
+    pub fn to_projective_x(&self) -> ProjectiveMontgomeryXpoint {
+        ProjectiveMontgomeryXpoint::conditional_select(
+            &ProjectiveMontgomeryXpoint {
+                U: self.U,
+                W: self.W,
+            },
+            &ProjectiveMontgomeryXpoint::IDENTITY,
+            self.ct_eq(&Self::IDENTITY),
+        )
+    }
+
+    /// Convert the point to affine form without the y-coordinate
+    pub fn to_affine_x(&self) -> MontgomeryXpoint {
+        self.to_projective_x().to_affine()
+    }
+
+    /// Convert the point to affine form
+    pub fn to_affine(&self) -> MontgomeryPoint {
+        let W_inv = self.W.invert();
+        let x = self.U * W_inv;
+        let y = self.V * W_inv;
+
+        MontgomeryPoint { x, y }
+    }
+}
+
+impl ConditionallySelectable for ProjectiveMontgomeryPoint {
+    fn conditional_select(a: &Self, b: &Self, choice: Choice) -> Self {
+        Self {
+            U: FieldElement::conditional_select(&a.U, &b.U, choice),
+            V: FieldElement::conditional_select(&a.V, &b.V, choice),
+            W: FieldElement::conditional_select(&a.W, &b.W, choice),
+        }
+    }
+}
+
+impl ConstantTimeEq for ProjectiveMontgomeryPoint {
+    fn ct_eq(&self, other: &Self) -> Choice {
+        self.U.ct_eq(&other.U) & self.V.ct_eq(&other.V) & self.W.ct_eq(&other.W)
+    }
+}
+
+impl Default for ProjectiveMontgomeryPoint {
+    fn default() -> Self {
+        Self::IDENTITY
+    }
+}
+impl PartialEq for ProjectiveMontgomeryPoint {
+    fn eq(&self, other: &Self) -> bool {
+        self.ct_eq(other).into()
+    }
+}
+
+impl From<MontgomeryPoint> for ProjectiveMontgomeryPoint {
+    fn from(value: MontgomeryPoint) -> Self {
+        ProjectiveMontgomeryPoint {
+            U: value.x,
+            V: value.y,
+            W: FieldElement::ONE,
+        }
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn to_projective_x() {
+        let x_identity = ProjectiveMontgomeryXpoint::IDENTITY;
+        let identity = ProjectiveMontgomeryPoint::IDENTITY;
+
+        assert_eq!(identity.to_projective_x(), x_identity);
+    }
+
+    #[test]
+    fn to_affine_x() {
+        let x_identity = ProjectiveMontgomeryXpoint::IDENTITY.to_affine();
+        let identity = ProjectiveMontgomeryPoint::IDENTITY.to_affine_x();
+
+        assert_eq!(identity, x_identity);
+    }
+}
diff --git a/ed448-goldilocks/src/montgomery/x.rs b/ed448-goldilocks/src/montgomery/x.rs
@@ -1,4 +1,5 @@
 // use crate::constants::A_PLUS_TWO_OVER_FOUR;
+use super::{MontgomeryPoint, ProjectiveMontgomeryPoint};
 use crate::EdwardsScalar;
 use crate::edwards::extended::EdwardsPoint;
 use crate::field::ConstMontyType;
@@ -62,8 +63,8 @@ impl Eq for MontgomeryXpoint {}
 /// A Projective point in Montgomery form
 #[derive(Copy, Clone, Debug, Eq)]
 pub struct ProjectiveMontgomeryXpoint {
-    U: FieldElement,
-    W: FieldElement,
+    pub(super) U: FieldElement,
+    pub(super) W: FieldElement,
 }
 
 impl Mul<&EdwardsScalar> for &MontgomeryXpoint {
@@ -145,6 +146,16 @@ impl MontgomeryXpoint {
             W: FieldElement::ONE,
         }
     }
+
+    /// Convert the point to projective form including the y-coordinate
+    pub fn to_extended_projective(&self, sign: Choice) -> ProjectiveMontgomeryPoint {
+        self.to_projective().to_extended(sign)
+    }
+
+    /// Convert the point to its form including the y-coordinate
+    pub fn to_extended(&self, sign: Choice) -> MontgomeryPoint {
+        self.to_projective().to_extended_affine(sign)
+    }
 }
 
 impl ConstantTimeEq for ProjectiveMontgomeryXpoint {
@@ -272,6 +283,23 @@ impl ProjectiveMontgomeryXpoint {
         let x = self.U * self.W.invert();
         MontgomeryXpoint(x.to_bytes())
     }
+
+    /// Convert the point to affine form including the y-coordinate
+    pub fn to_extended_affine(&self, sign: Choice) -> MontgomeryPoint {
+        let x = self.U * self.W.invert();
+        let y = self.y(sign);
+
+        MontgomeryPoint::new(x, y)
+    }
+
+    /// Convert the point to its form including the y-coordinate
+    pub fn to_extended(&self, sign: Choice) -> ProjectiveMontgomeryPoint {
+        ProjectiveMontgomeryPoint::conditional_select(
+            &ProjectiveMontgomeryPoint::new(self.U, self.y(sign), self.W),
+            &ProjectiveMontgomeryPoint::IDENTITY,
+            self.ct_eq(&Self::IDENTITY),
+        )
+    }
 }
 
 #[cfg(test)]
@@ -293,4 +321,20 @@ mod tests {
             montgomery_res.to_affine()
         );
     }
+
+    #[test]
+    fn to_extended() {
+        let x_identity = ProjectiveMontgomeryXpoint::IDENTITY;
+        let identity = ProjectiveMontgomeryPoint::IDENTITY;
+
+        assert_eq!(x_identity.to_extended(Choice::from(1)), identity);
+    }
+
+    #[test]
+    fn to_extended_affine() {
+        let x_identity = ProjectiveMontgomeryXpoint::IDENTITY.to_affine();
+        let identity = ProjectiveMontgomeryPoint::IDENTITY.to_affine();
+
+        assert_eq!(x_identity.to_extended(Choice::from(1)), identity);
+    }
 }
