Skip to content

Curve448 with full coordinates #1306

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 24 commits into
base: master
Choose a base branch
from
Open

Curve448 with full coordinates #1306

wants to merge 24 commits into from

Conversation

@daxpedda
Copy link
Contributor

@daxpedda daxpedda commented Jul 19, 2025
edited
Loading

This PR implements a set of types for Montgomery points with a full coordinate system and corresponding Curve448 type with a CurveArithmetic implementation. Our current MontgomeryPoint x-coordinate only remains in place for use with X448 and is renamed to MontgomeryXpoint.

For context: the x-only coordinate system can't implement a full set of arithmetic operations because of the missing y-coordinate. While the y-coordinate could be recovered, it is costly and is missing the sign. Some protocols exist that set the sign of the y-coordinate, which is why we have some methods in place for MontgomeryXpoint to do exactly that.

I made sure to add a full set of conversion methods between the new types.

I'm aware that I'm proposing very large changes that have not previously been discussed. I'm happy to take any feedback.
It should be much easier to review than #1291 on account that it can be done commit by commit.

Take 2 on #1291.

@daxpedda daxpedda mentioned this pull request Jul 19, 2025
Merged
@daxpedda daxpedda mentioned this pull request Jul 19, 2025
Open
@daxpedda daxpedda force-pushed the curve448-4 branch 2 times, most recently from de2134a to 0b1b77b Compare July 19, 2025 12:44
@daxpedda daxpedda mentioned this pull request Jul 19, 2025
Open
baloo
baloo reviewed Jul 20, 2025
View reviewed changes
@daxpedda daxpedda requested a review from tarcieri July 20, 2025 10:41
@carloskiki
Copy link
Contributor

Do you have any protocol in mind where this would be used?

@daxpedda
Copy link
Contributor Author

daxpedda commented Jul 20, 2025
edited
Loading

Yes, I am planning on using it with OPRF inside OPAQUE.

baloo
baloo reviewed Jul 20, 2025
View reviewed changes
@baloo baloo mentioned this pull request Jul 20, 2025
Closed
tarcieri
tarcieri reviewed Jul 21, 2025
View reviewed changes
tarcieri
tarcieri reviewed Jul 21, 2025
View reviewed changes
@daxpedda daxpedda requested a review from tarcieri July 26, 2025 12:59
@daxpedda daxpedda force-pushed the curve448-4 branch 2 times, most recently from dce0a03 to ce00799 Compare July 30, 2025 09:56
daxpedda
daxpedda commented Aug 2, 2025
View reviewed changes
@daxpedda daxpedda force-pushed the curve448-4 branch 2 times, most recently from 227d8d8 to 44f8c53 Compare August 3, 2025 01:07
@daxpedda daxpedda mentioned this pull request Aug 3, 2025
Open
55 tasks
@daxpedda daxpedda force-pushed the curve448-4 branch 5 times, most recently from 11c14bc to c84b4f5 Compare September 2, 2025 20:43
@daxpedda daxpedda force-pushed the curve448-4 branch 3 times, most recently from ca0c86b to c55371c Compare September 6, 2025 22:12
@daxpedda
Rename to MontgomeryPoint to MontgomeryXpoint
92248ba
@daxpedda
Move MontgomeryXpoint to its own module
5a53e32
@daxpedda
Implement Eq for ProjectiveMontgomeryXpoint
d307f96
@daxpedda
Change MontgomeryPoint scalar multiplication output to `ProjectiveM…
f9be2d7 
…ontgomeryXpoint`
@daxpedda
Add y-coordinate recovery
5506659
@daxpedda
Make ProjectiveMontgomeryXpoint::identity() an associated const
76346a9
@daxpedda
Add ProjectiveMontgomeryXpoint::GENERATOR
71f9599
@daxpedda
Document source of montgomery::differential_add_and_double
3a2fadd
@daxpedda
Expose Montgomery ladder with additional output internally
6ca0a3f
@daxpedda
Add ProjectiveMontgomeryXpoint::double()
8a8124b
@daxpedda
Add full-coordinate MontgomeryPoint skeleton
14b584f
@daxpedda
Drop CurveArithmetic requirement from CurveWithScalar
6947850
@daxpedda
Add MontgomeryScalar
44f3e1b
@daxpedda
Add arithmetic operations to Montgomery
5e66ff4
@daxpedda
Add Montgomery <-> Edwards conversions
0412d03
@daxpedda
Implement CurveArithmetic for Curve448
a9ee7cd
@daxpedda
Implement Reduce for MontgomeryScalar
89d7a75
@daxpedda
Implement hash2curve for Curve448
6da7e75
@daxpedda
Add hash2curve to ProjectiveMontgomeryXpoint
55df86c
@daxpedda
Test Montgomery -> Edwards through hash2curve
70b3a75
@daxpedda
Rename MontgomeryPoint fields from x|y to U|V
dddc008
@daxpedda
Rename MontgomeryPoint to AffineMontgomeryPoint
3746ef6
@daxpedda
Not every full-coordinate Montgomery point is valid
f62cc79
@daxpedda
Add benchmarks
47bb5d7
@tarcieri tarcieri mentioned this pull request Oct 14, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tarcieri tarcieri Awaiting requested review from tarcieri

1 more reviewer

@baloo baloo baloo left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@daxpedda @carloskiki @tarcieri @baloo