curve25519_dalek

Module montgomery

Source
Expand description

Scalar multiplication on the Montgomery form of Curve25519.

To avoid notational confusion with the Edwards code, we use variables \( u, v \) for the Montgomery curve, so that “Montgomery \(u\)” here corresponds to “Montgomery \(x\)” elsewhere.

Montgomery arithmetic works not on the curve itself, but on the \(u\)-line, which discards sign information and unifies the curve and its quadratic twist. See Montgomery curves and their arithmetic by Costello and Smith for more details.

The MontgomeryPoint struct contains the affine \(u\)-coordinate \(u_0(P)\) of a point \(P\) on either the curve or the twist. Here the map \(u_0 : \mathcal M \rightarrow \mathbb F_p \) is defined by \(u_0((u,v)) = u\); \(u_0(\mathcal O) = 0\). See section 5.4 of Costello-Smith for more details.

§Scalar Multiplication

Scalar multiplication on MontgomeryPoints is provided by the * operator, which implements the Montgomery ladder.

§Edwards Conversion

The \(2\)-to-\(1\) map from the Edwards model to the Montgomery \(u\)-line is provided by EdwardsPoint::to_montgomery().

To lift a MontgomeryPoint to an EdwardsPoint, use MontgomeryPoint::to_edwards(), which takes a sign parameter. This function rejects MontgomeryPoints which correspond to points on the twist.

Structs§

  • Holds the \(u\)-coordinate of a point on the Montgomery form of Curve25519 or its twist.