Scalar multiplication on the Montgomery form of Curve25519.
To avoid notational confusion with the Edwards code, we use variables \( u, v \) for the Montgomery curve, so that “Montgomery \(u\)” here corresponds to “Montgomery \(x\)” elsewhere.
Montgomery arithmetic works not on the curve itself, but on the \(u\)-line, which discards sign information and unifies the curve and its quadratic twist. See Montgomery curves and their arithmetic by Costello and Smith for more details.
MontgomeryPoint struct contains the affine \(u\)-coordinate
\(u_0(P)\) of a point \(P\) on either the curve or the twist.
Here the map \(u_0 : \mathcal M \rightarrow \mathbb F_p \) is
defined by \(u_0((u,v)) = u\); \(u_0(\mathcal O) = 0\). See
section 5.4 of Costello-Smith for more details.
Scalar multiplication on
MontgomeryPoints is provided by the
operator, which implements the Montgomery ladder.
The \(2\)-to-\(1\) map from the Edwards model to the Montgomery
\(u\)-line is provided by
To lift a
MontgomeryPoint to an
MontgomeryPoint::to_edwards(), which takes a sign parameter.
This function rejects
MontgomeryPoints which correspond to points
on the twist.
Holds the \(u\)-coordinate of a point on the Montgomery form of Curve25519 or its twist.
Perform the double-and-add step of the Montgomery ladder.