@@ -39,6 +39,7 @@ public class GroupElement implements Serializable {
3939 * <ul>
4040 * <li>P2: Projective representation $(X:Y:Z)$ satisfying $x=X/Z, y=Y/Z$.
4141 * <li>P3: Extended projective representation $(X:Y:Z:T)$ satisfying $x=X/Z, y=Y/Z, XY=ZT$.
42+ * <li>P3PrecomputedDouble: P3 but with dblPrecmp populated.
4243 * <li>P1P1: Completed representation $((X:Z), (Y:T))$ satisfying $x=X/Z, y=Y/T$.
4344 * <li>PRECOMP: Precomputed representation $(y+x, y-x, 2dxy)$.
4445 * <li>CACHED: Cached representation $(Y+X, Y-X, Z, 2dT)$
@@ -84,6 +85,7 @@ public static GroupElement p2(
8485 * @param Y The $Y$ coordinate.
8586 * @param Z The $Z$ coordinate.
8687 * @param T The $T$ coordinate.
88+ * @param precomputeDoubleOnly If true, populate dblPrecmp, else set to null.
8789 * @return The group element in P3 representation.
8890 */
8991 public static GroupElement p3 (
@@ -206,6 +208,7 @@ public static GroupElement cached(
206208 * @param Y The $Y$ coordinate.
207209 * @param Z The $Z$ coordinate.
208210 * @param T The $T$ coordinate.
211+ * @param precomputeDouble If true, populate dblPrecmp, else set to null.
209212 */
210213 public GroupElement (
211214 final Curve curve ,
@@ -245,6 +248,23 @@ public GroupElement(final Curve curve, final byte[] s) {
245248 this (curve , s , false );
246249 }
247250
251+ /**
252+ * Creates a group element for a curve from a given encoded point.
253+ * <p>
254+ * A point $(x,y)$ is encoded by storing $y$ in bit 0 to bit 254 and the sign of $x$ in bit 255.
255+ * $x$ is recovered in the following way:
256+ * </p><ul>
257+ * <li>$x = sign(x) * \sqrt{(y^2 - 1) / (d * y^2 + 1)} = sign(x) * \sqrt{u / v}$ with $u = y^2 - 1$ and $v = d * y^2 + 1$.
258+ * <li>Setting $β = (u * v^3) * (u * v^7)^{((q - 5) / 8)}$ one has $β^2 = \pm(u / v)$.
259+ * <li>If $v * β = -u$ multiply $β$ with $i=\sqrt{-1}$.
260+ * <li>Set $x := β$.
261+ * <li>If $sign(x) \ne$ bit 255 of $s$ then negate $x$.
262+ * </ul>
263+ *
264+ * @param curve The curve.
265+ * @param s The encoded point.
266+ * @param precomputeSingleAndDouble If true, populate both precmp and dblPrecmp, else set both to null.
267+ */
248268 // TODO
249269 public GroupElement (final Curve curve , final byte [] s , boolean precomputeSingleAndDouble ) {
250270 FieldElement x , y , yy , u , v , v3 , vxx , check ;
@@ -394,7 +414,11 @@ public GroupElement toP3() {
394414 return toRep (Representation .P3 );
395415 }
396416
397- // TODO
417+ /**
418+ * Converts the group element to the P3 representation, with dblPrecmp populated.
419+ *
420+ * @return The group element in the P3 representation.
421+ */
398422 public GroupElement toP3PrecomputeDouble () {
399423 return toRep (Representation .P3PrecomputedDouble );
400424 }
@@ -898,10 +922,6 @@ public GroupElement scalarMultiply(final byte[] a) {
898922 final byte [] e = toRadix16 (a );
899923
900924 GroupElement h = this .curve .getZero (Representation .P3 );
901- // TODO: Get opinion from a crypto professional.
902- // This should in practice never be necessary, the only point that
903- // this should get called on is EdDSA's B.
904- //precompute();
905925 for (i = 1 ; i < 64 ; i += 2 ) {
906926 t = select (i /2 , e [i ]);
907927 h = h .madd (t ).toP3 ();
@@ -988,11 +1008,6 @@ public GroupElement doubleScalarMultiplyVariableTime(final GroupElement A, final
9881008 if (aslide [i ] != 0 || bslide [i ] != 0 ) break ;
9891009 }
9901010
991- // TODO-CR BR strange comment below.
992- // TODO: Get opinion from a crypto professional.
993- // This should in practice never be necessary, the only point that
994- // this should get called on is EdDSA's B.
995- //precompute();
9961011 for (; i >= 0 ; --i ) {
9971012 GroupElement t = r .dbl ();
9981013
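Review bot: With the `//precompute();` comments deleted in the last two hunks, nothing visible states that scalarMultiply and doubleScalarMultiplyVariableTime depend on tables built at construction time. The Javadoc added in this commit says the decoding constructor sets precmp and dblPrecmp to null when its flag is false, and scalarMultiply goes straight to `select(i/2, e[i])`, which presumably reads precmp (select is outside the hunk, so confirm). I would record the requirement in each method's Javadoc, e.g. `Precondition: precmp must be populated for this element.` on scalarMultiply and the dblPrecmp equivalent on doubleScalarMultiplyVariableTime. A caller who decodes a point without precomputation then has a documented contract rather than a NullPointerException in the middle of a signature operation. Both method bodies start and end outside the hunks.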