Skip to content

Move function requiring AffinePoint from EdwardsPoint to AffinePoint #1333

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Move function requiring AffinePoint from EdwardsPoint to AffinePoint #1333

wants to merge 2 commits into from

Conversation

daxpedda
Copy link
Contributor

A bunch of functionality implemented on EdwardsPoint internally just converts to AffinePoint. This functionality should rather live in AffinePoint.

This PR also implement BatchNormalize for EdwardsPoint, which wouldn't have much of a point without these changes to begin with.

@daxpedda daxpedda force-pushed the ed448-affine branch 3 times, most recently from deecb76 to 6b929cf Compare July 30, 2025 10:04
@daxpedda daxpedda mentioned this pull request Aug 2, 2025
Merged
@daxpedda daxpedda mentioned this pull request Aug 2, 2025
Merged
@daxpedda daxpedda force-pushed the ed448-affine branch 2 times, most recently from c452dc0 to ab14e29 Compare August 3, 2025 00:47
@daxpedda daxpedda mentioned this pull request Aug 3, 2025
Open
47 tasks
@tarcieri
Copy link
Member

tarcieri commented Aug 3, 2025
edited
Loading

This is definitely pushing my knowledge of both Edwards curves and Ed448-Goldilocks, and sent me on a rabbit hole reading the paper.

I think both versions of edwards_isogeny are naively implemented, and we would ideally be converting directly from EdwardsPoint to TwistedExtendedPoint (sidebar: which should probably be called TwistedEdwardsPoint for consistency, I guess the former was renamed from ExtendedPoint at some point) without first converting to an intermediate AffinePoint with its associated inversions. There's even a comment to that effect:

So what we can do is optimise each respective isogeny method for a=1 or a = -1 (currently, I just made it really slow and simple)

Edit: opened an issue about this #1349, and it seems to be the reason you weren't seeing speedups using twisted scalar multiplication in #1337

@tarcieri
Copy link
Member

tarcieri commented Aug 3, 2025

To expound on that:

  • EdwardsPoint should probably remain the primary user-facing type with the majority of the functionality
  • AffinePoint and TwistedExtendedPoint are implementation details

Conversions look like:

CompressedEdwardsY <-> AffinePoint <-> EdwardsPoint <-> TwistedExtendedPoint

...but I think it's fine to preserve methods like compress and decompress directly on EdwardsPoint, but with the actual point compression/decompression implementation factored onto AffinePoint, and the methods on EdwardsPoint delegating to AffinePoint and doing affine conversions as needed.

Likewise, scalar multiplication would ideally do a more direct conversion from EdwardsPoint to TwistedExtendedPoint, and delegate to the implementation there.

@daxpedda
Copy link
Contributor Author

daxpedda commented Aug 3, 2025

compress() and decompress() remain available on EdwardsPoint through GroupEncoding. Eventually we should remove these functions entirely and implement GroupEncoding on AffinePoint as well (tracking that in #1348).

I hope I'm on the right track here? I'm kinda trying to align things with the other RustCrypto crates, where most types have very few methods and its all mostly implemented through traits. It also makes sense to me, because otherwise we have all those duplicate methods.

tarcieri
tarcieri reviewed Aug 3, 2025
View reviewed changes
tarcieri
tarcieri reviewed Aug 3, 2025
View reviewed changes
@daxpedda daxpedda marked this pull request as draft August 3, 2025 14:38
@daxpedda
Copy link
Contributor Author

daxpedda commented Aug 3, 2025

Putting on draft until I rebase. Still working on those optimized implementations from #1316.

@daxpedda daxpedda marked this pull request as ready for review August 3, 2025 16:57
@daxpedda daxpedda requested a review from tarcieri August 3, 2025 17:00
tarcieri
tarcieri reviewed Aug 3, 2025
View reviewed changes
tarcieri
tarcieri reviewed Aug 3, 2025
View reviewed changes
tarcieri
tarcieri reviewed Aug 3, 2025
View reviewed changes
tarcieri
tarcieri reviewed Aug 3, 2025
View reviewed changes
daxpedda
daxpedda commented Aug 3, 2025
View reviewed changes
ed448-goldilocks/src/sign/expanded.rs
@@ -61,7 +64,7 @@ impl ExpandedSecretKey {

let point = EdwardsPoint::GENERATOR * scalar;
let public_key = VerifyingKey {
compressed: point.compress(),
compressed: point.to_affine().compress(),
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Couldn't remove this because we are storing CompressedEdwardsY in VerifyingKey and GroupEncoding doesn't return that.

I'm happy to change the type.
I'm planning on removing the type entirely anyway to align with the other curves in this repo, so we can wait for that as well.

@daxpedda daxpedda requested a review from tarcieri August 3, 2025 20:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tarcieri tarcieri Awaiting requested review from tarcieri

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@daxpedda @tarcieri