This issue tracks various fixes, improvements and such for the ed448-goldilocks crate so we don't lose sight of them.
- Bugs
  - ed448-goldilocks: reject identity points in `Group::try_from_rng()` #1347
  - Remove unnecessary checks from `CompressedEdwardsY::decompress()` #1336
  - ed448-goldilocks: account for oddness in Scalar divisions #1369
  - ed448-goldilocks: don't reduce points during decompression #1462
  - ed448-goldilocks: `Scalar` `Serde` implementation should match `PrimeField`s #1463
  - Conversions between points of different curve types should account for identity points and other exceptions. We need tests for all of those cases.
  - `ed448_goldilocks::SigningKey::from_pkcs8_pem` fails due to slice length mismatch (in 0.14.0-pre.2) #1326 (I didn't look into the EdDSA code at all yet)
  - Don't implement `PrimeGroup` for `EdwardsPoint` and add a `SubgroupPoint`.
- Optimizations
  - Optimize Edwards to Montgomery conversions #1301
  - Reuse Edwards windowed scalar multiplication for Decaf #1303
  - Optimize Montgomery to Edwards conversions #1308
  - Use optimized `map_to_curve_elligator2_curve448()` #1309
  - Add optimized Edwards addition and doubling algorithms #1313
  - Use Decaf448 specific addition algorithm #1314
  - Optimize untwisted <-> twisted Edwards conversions #1316
  - Use `Extended/ExtensiblePoint` more appropriately #1329
  - Make `ProjectiveNielsPoint::identity()` an associated constant #1330
  - Use `ConstMontyForm::invert()` in place of `pow()` #1332
  - Move function requiring `AffinePoint` from `EdwardsPoint` to `AffinePoint` #1333
  - Use optimized algorithm to check for Edwards torsion-freeness #1335
  - ed448-goldilocks: optimize Edwards isogeny map further #1350
  - ed448-goldilocks: use Jacobi Symbol for `FieldElement::is_square` #1461
  - Open tracking issue for implementing "Faster Complete Addition Laws for Montgomery Curves".
  - Add de/serialization for `DecafAffinePoint`. Here we can add `DecafAffinePoint::try_from_rng()` as well and make `hash2curve` optional.
  - Add optimized algorithms for various arithmetic operations in affine form for all curves.
  - Add optimized conversions for affine -> projective and projective -> projective points between different curves.
  - Add optimized implementation for `LinearCombination` for all curves.
  - After implementing `DecompressPoint` for affine forms, base `try_from_rng()` on it.
  - Use `ConstMontyForm::lincomb_vartime()` where appropriate. (see "`ConstMontyForm::lincomb_vartime()` is constant-time" crypto-bigint#904 for questions about constant-timeness)
- Additions
  - `Curve448` with full coordinates #1306
  - ed448-goldilocks: add basic benchmark suite #1334
  - ed448-goldilocks: implement `BatchNormalize` for `DecafPoint` #1460
  - Add a checked `MontgomeryXpoint` de-serialization. The current one is unchecked because that's how X448 works.
  - Add double-and-compress batching for `DecafPoint`.
  - Add batch conversion between points when it makes sense.
- Align with other RustCrypto curve APIs
  - Remove methods covered by traits.
  - Remove `Compressed*` types in favor of `FieldBytes`.
  - Remove `(Wide)ScalarBytes` typedefs.
  - Use rejection sampling for `Scalar::try_from_rng()` instead of modular reduction.
  - Implement missing traits on affine forms (and `DecafPoint`): `DecompactPoint`, `DecompressPoint`, `GroupEncoding`.
  - Implement `serde::De/Serialize` for all affine forms (and `DecafPoint`).
- Improvements
  - ed448-goldilocks: clean up benchmarks #1386
  - Implement `CofactorGroup` for all relevant curves #1394
  - ed448-goldilocks: merge `*Scalar` types and forego RFC 8032 encoding #1464
  - ed448-goldilocks: implement `group` traits for affine forms #1474
  - Move internal arithmetic methods to trait implementations.
  - Re-export internal types under more succinct names. E.g. `ExtendedPoint` as `TwistedEdwardsPoint`. Or maybe we can come up with an even better setup.
  - Rename `twedwards` module to `twisted`.
  - Rename `Ed448` to `Edwards448` (signature vs curve).
  - Use `proptest` more widely.