Module curve25519_dalek::montgomery [−][src]
Scalar multiplication on the Montgomery form of Curve25519.
To avoid notational confusion with the Edwards code, we use variables \( u, v \) for the Montgomery curve, so that “Montgomery \(u\)” here corresponds to “Montgomery \(x\)” elsewhere.
Montgomery arithmetic works not on the curve itself, but on the \(u\)-line, which discards sign information and unifies the curve and its quadratic twist. See Montgomery curves and their arithmetic by Costello and Smith for more details.
The MontgomeryPoint
struct contains the affine \(u\)-coordinate
\(u_0(P)\) of a point \(P\) on either the curve or the twist.
Here the map \(u_0 : \mathcal M \rightarrow \mathbb F_p \) is
defined by \(u_0((u,v)) = u\); \(u_0(\mathcal O) = 0\). See
section 5.4 of Costello-Smith for more details.
Scalar Multiplication
Scalar multiplication on MontgomeryPoint
s is provided by the *
operator, which implements the Montgomery ladder.
Edwards Conversion
The \(2\)-to-\(1\) map from the Edwards model to the Montgomery
\(u\)-line is provided by EdwardsPoint::to_montgomery()
.
To lift a MontgomeryPoint
to an EdwardsPoint
, use
MontgomeryPoint::to_edwards()
, which takes a sign parameter.
This function rejects MontgomeryPoints
which correspond to points
on the twist.
Structs
MontgomeryPoint | Holds the \(u\)-coordinate of a point on the Montgomery form of Curve25519 or its twist. |