Struct curve25519_dalek::montgomery::MontgomeryPoint

pub struct MontgomeryPoint {
    pub U: FieldElement,
    pub W: FieldElement,
}

A point on the Montgomery form of the curve, in projective 𝗣² coordinates.

The transition between affine and projective is given by

    u → U/W     v → V/W

thus the Montgomery curve equation

    E_(A,B) : Bv² = u(u² + Au + 1)

becomes

    E_(A,B) : BV²W = U(U² + AUW + W²) ⊆ 𝗣²

Here, again, to differentiate from points in the twisted Edwards model, we call the point (x,y) in affine coordinates (u,v) and similarly in projective space we use (U:V:W). However, since (as per Montgomery's original work) the v-coordinate is superfluous for the purposes of scalar multiplication, we merely use (U:W).

Fields

U: FieldElement

W: FieldElement

Methods

impl MontgomeryPoint

fn compress(&self) -> CompressedMontgomeryU

Compress this point to only its u-coordinate (note: affine).

Returns

A CompressedMontgomeryU.

Trait Implementations

impl Copy for MontgomeryPoint

impl Clone for MontgomeryPoint

fn clone(&self) -> MontgomeryPoint

Returns a copy of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for MontgomeryPoint

fn fmt(&self, __arg_0: &mut Formatter) -> Result

Formats the value using the given formatter.

impl Identity for MontgomeryPoint

The identity point is a unique point (the only where W = 0) on the curve.

In projective coordinates, the quotient map x : E (A,B) → E/<⦵> = 𝗣¹ is

    ⎧ (x_P:1) if P = (x_P:y_P:1) ,     x : P ↦ ⎨     ⎩ (1:0) if P = O = (0:1:0) .

We emphasize that the formula x((U: V : W)) = (U : W) only holds on the open subset of E_(A,B) where W ≠ 0; it does not extend to the point O = (0:1:0) at infinity, because (0:0) is not a projective point.

Returns

The (exceptional) point at infinity in the Montgomery model.

fn identity() -> MontgomeryPoint

Returns the identity element of the curve. Can be used as a constructor.

impl Equal for MontgomeryPoint

Determine if two MontgomeryPoints are equal, in constant time.

Note

Because a compressed point on the Montgomery form of the curve doesn't include the sign bit, there's two points here (if translated from the Edwards form) which will equate.

Returns

1 if the points are equal, and 0 otherwise.

fn ct_eq(&self, that: &MontgomeryPoint) -> u8

Determine if two items are equal in constant time.

impl ValidityCheck for MontgomeryPoint

Determine if this MontgomeryPoint is valid.

Note

All projective points, except for (X:W) = (0:0), are valid, since the projective model is linear through the origin and is comprised by all X in ℤ/(2²⁵⁵-19), thus (0:0) is the only element in Fₚ² which is not a projective point.

Returns

true if it is valid, and false otherwise.

fn is_valid(&self) -> bool

Checks whether the point is on the curve. Not CT.

impl ConditionallyAssignable for MontgomeryPoint

Conditionally assign another MontgomeryPoint to this point, in constant time.

If choice == 1, assign that to self. Otherwise, leave self unchanged.

fn conditional_assign(&mut self, that: &MontgomeryPoint, choice: Mask)

Conditionally assign other to self in constant time.

impl<'a, 'b> Mul<&'b Scalar> for &'a MontgomeryPoint

Multiply this MontgomeryPoint by a Scalar.

The reader is refered to §5.3 of "Montgomery Curves and Their Arithmetic" by Craig Costello and Benjamin Smith for an overview of side-channel-free Montgomery laddering algorithms.

type Output = MontgomeryPoint

The resulting type after applying the * operator.

fn mul(self, scalar: &'b Scalar) -> MontgomeryPoint

Performs the * operation.

impl<'b> MulAssign<&'b Scalar> for MontgomeryPoint

fn mul_assign(&mut self, scalar: &'b Scalar)

Performs the *= operation.