Module curve25519_dalek::montgomery

Scalar multiplication on the Montgomery form of Curve25519.

To avoid notational confusion with the Edwards code, we use variables \( u, v \) for the Montgomery curve, so that “Montgomery \(u\)” here corresponds to “Montgomery \(x\)” elsewhere.

Montgomery arithmetic works not on the curve itself, but on the \(u\)-line, which discards sign information and unifies the curve and its quadratic twist. See Montgomery curves and their arithmetic by Costello and Smith for more details.

The MontgomeryPoint struct contains the affine \(u\)-coordinate \(u_0(P)\) of a point \(P\) on either the curve or the twist. Here the map \(u_0 : \mathcal M \rightarrow \mathbb F_p \) is defined by \(u_0((u,v)) = u\); \(u_0(\mathcal O) = 0\). See section 5.4 of Costello-Smith for more details.

Scalar Multiplication

Scalar multiplication on MontgomeryPoints is provided by the * operator, which implements the Montgomery ladder.

Edwards Conversion

The \(2\)-to-\(1\) map from the Edwards model to the Montgomery \(u\)-line is provided by EdwardsPoint::to_montgomery().

To lift a MontgomeryPoint to an EdwardsPoint, use MontgomeryPoint::to_edwards(), which takes a sign parameter. This function rejects MontgomeryPoints which correspond to points on the twist.

Structs

MontgomeryPoint	Holds the \(u\)-coordinate of a point on the Montgomery form of Curve25519 or its twist.
ProjectivePoint	A ProjectivePoint holds a point on the projective line \( \mathbb P(\mathbb F_p) \), which we identify with the Kummer line of the Montgomery curve.

Functions

differential_add_and_double

Perform the double-and-add step of the Montgomery ladder.