Module curve25519_dalek::montgomery

Scalar multiplication on the Montgomery form of Curve25519.

To avoid notational confusion with the Edwards code, we use variables \(u, v\) for the Montgomery curve, so that “Montgomery \(u\)” here corresponds to “Montgomery \(x\)” elsewhere.

Montgomery arithmetic works not on the curve itself, but on the \(u\)-line, which discards sign information and unifies the curve and its quadratic twist. See Montgomery curves and their arithmetic by Costello and Smith for more details.

The MontgomeryPoint struct contains the affine \(u\)-coordinate \(u_0(P)\) of a point \(P\) on either the curve or the twist. Here the map \(u_0 : \mathcal M \rightarrow \mathbb F_p\) is defined by \(u_0((u,v)) = u\); \(u_0(\mathcal O) = 0\). See section 5.4 of Costello-Smith for more details.

Scalar Multiplication

Scalar multiplication on MontgomeryPoints is provided by the * operator, which implements the Montgomery ladder.

Edwards Conversion

The \(2\)-to-\(1\) map from the Edwards model to the Montgomery \(u\)-line is provided by EdwardsPoint::to_montgomery().

To lift a MontgomeryPoint to an EdwardsPoint, use MontgomeryPoint::to_edwards(), which takes a sign parameter. This function rejects MontgomeryPoints which correspond to points on the twist.
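Added example, not code from curve25519-dalek: a toy Montgomery ladder over a small field, showing that scalar multiplication uses only the \(u\)-coordinate and runs identically for inputs on the curve and on the twist, the distinction that to_edwards() enforces when it rejects twist points. The parameters P = 101 and A = 6, the helper names, and the signature given here to differential_add_and_double are assumptions constructed for illustration, not Curve25519 or the crate's implementation.

```rust
// Toy Montgomery curve v^2 = u^3 + A*u^2 + u over F_P. Constructed parameters,
// NOT Curve25519 (there P = 2^255 - 19, A = 486662); small enough to check by hand.
const P: u64 = 101;
const A: u64 = 6;
const A24: u64 = 1; // (A - 2) / 4
fn pow(mut b: u64, mut e: u64) -> u64 {
    let mut r = 1;
    while e > 0 {
        if e & 1 == 1 { r = r * b % P; }
        b = b * b % P;
        e >>= 1;
    }
    r
}

/// true: u belongs to a curve point; false: u belongs to a point on the quadratic twist.
fn on_curve(u: u64) -> bool {
    let rhs = (u * u % P * u + A * u % P * u + u) % P;
    rhs == 0 || pow(rhs, (P - 1) / 2) == 1 // Euler's criterion
}

type Pt = (u64, u64); // projective (U : W) on the u-line, u = U / W
/// One ladder step: given Q, R and the affine u of Q - R, return ([2]Q, Q + R).
fn differential_add_and_double(q: Pt, r: Pt, u_diff: u64) -> (Pt, Pt) {
    let (a, b) = ((q.0 + q.1) % P, (q.0 + P - q.1) % P);
    let (c, d) = ((r.0 + r.1) % P, (r.0 + P - r.1) % P);
    let (aa, bb) = (a * a % P, b * b % P);
    let e = (aa + P - bb) % P;
    let (da, cb) = (d * a % P, c * b % P);
    let (s, t) = ((da + cb) % P, (da + P - cb) % P);
    ((aa * bb % P, e * ((aa + A24 * e) % P) % P), (s * s % P, u_diff * (t * t % P) % P))
}

/// Ladder: u_0([k]P) from u_0(P) alone. Branches on key bits for clarity; real code swaps in constant time.
fn ladder(k: u64, u: u64) -> u64 {
    let (mut x0, mut x1): (Pt, Pt) = ((1, 0), (u % P, 1)); // (identity, P)
    for i in (0..64).rev() {
        let bit = (k >> i) & 1 == 1;
        if bit { std::mem::swap(&mut x0, &mut x1); }
        let (dbl, add) = differential_add_and_double(x0, x1, u % P);
        x0 = dbl; x1 = add;
        if bit { std::mem::swap(&mut x0, &mut x1); }
    }
    x0.0 * pow(x0.1, P - 2) % P // W = 0 (identity) inverts to 0, matching u_0(O) = 0
}

fn main() {
    println!("[2]P: u=3 -> {} (curve: {}), u=2 -> {} (curve: {})", ladder(2, 3), on_curve(3), ladder(2, 2), on_curve(2));
}
```

Here \(u = 3\) lies on the toy curve and \(u = 2\) on its twist; the ladder accepts both without complaint, so any protocol that needs a genuine curve point has to test for that explicitly.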

Structs

MontgomeryPoint

Holds the \(u\)-coordinate of a point on the Montgomery form of Curve25519 or its twist.

ProjectivePoint

A ProjectivePoint holds a point on the projective line \(\mathbb P(\mathbb F_p)\), which we identify with the Kummer line of the Montgomery curve.

Functions

differential_add_and_double

Perform the double-and-add step of the Montgomery ladder.