This issue tracks various fixes, improvements and such for the `ed448-goldilocks` crate so we don't lose sight of them.

- [ ] Bugs
  - [x] #1347
  - [ ] #1336
  - [x] #1369
  - [ ] #1462
  - [ ] #1463
  - [ ] Conversions between points of different curve types should account for identity points and other exceptions. We need tests for all of those cases.
  - [ ] #1326 (I didn't look into the EdDSA code at all yet)
  - [ ] Don't implement `PrimeGroup` for `EdwardsPoint` and add a `SubgroupPoint`.
- [ ] Optimizations
  - [ ] #1301
  - [ ] #1303
  - [ ] #1308
  - [ ] #1309
  - [ ] #1313
  - [ ] #1314
  - [x] #1316
  - [x] #1329
  - [x] #1330
  - [x] #1332
  - [x] #1333
  - [x] #1335
  - [x] #1350
  - [x] #1461
  - [ ] Open tracking issue for implementing ["Faster Complete Addition Laws for Montgomery Curves"](https://tches.iacr.org/index.php/TCHES/article/view/11808/11313).
  - [ ] Add de/serialization for `DecafAffinePoint`. Here we can add `DecafAffinePoint::try_from_rng()` as well and make `hash2curve` optional.
  - [ ] Add optimized algorithms for various arithmetic operations in affine form for all curves.
  - [ ] Add optimized conversions for affine -> projective and projective -> projective points between different curves.
  - [ ] Add optimized implementation for `LinearCombination` for all curves.
  - [ ] After implementing `DecompressPoint` for affine forms, base `try_from_rng()` on it.
  - [ ] Use [`ConstMontyForm::lincomb_vartime()`](https://docs.rs/crypto-bigint/0.7.0-pre.7/crypto_bigint/modular/struct.ConstMontyForm.html#method.lincomb_vartime) where appropriate. (See https://github.com/RustCrypto/crypto-bigint/pull/904 for questions about constant-timeness.)
- [ ] Additions
  - [ ] #1306
  - [x] #1334
  - [ ] #1460
  - [ ] Add a checked `MontgomeryXpoint` de-serialization. The current one is unchecked because that's how X448 works.
  - [ ] Add double-and-compress batching for `DecafPoint`.
  - [ ] Add batch conversion between points when it makes sense.
- [ ] Align with other RustCrypto curve APIs
  - [ ] Remove methods covered by traits.
  - [ ] Remove `Compressed*` types in favor of `FieldBytes`.
  - [ ] Remove `(Wide)ScalarBytes` typedefs.
  - [ ] Use rejection sampling for `Scalar::try_from_rng()` instead of modular reduction.
  - [ ] Implement missing traits on affine forms (and `DecafPoint`): `DecompactPoint`, `DecompressPoint`, `GroupEncoding`.
  - [ ] Implement `serde::De/Serialize` for all affine forms (and `DecafPoint`).
- [ ] Improvements
  - [x] #1386
  - [x] #1394
  - [ ] #1464
  - [ ] #1474
  - [ ] Move internal arithmetic methods to trait implementations.
  - [ ] Re-export internal types under more succinct names, e.g. `ExtendedPoint as TwistedEdwardsPoint`. Or maybe we can come up with an even better setup.
  - [ ] Rename `twedwards` module to `twisted`.
  - [ ] Rename `Ed448` to `Edwards448` (signature vs curve).
  - [ ] Use `proptest` more widely.
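The `Scalar::try_from_rng()` item above asks for rejection sampling instead of modular reduction, so a candidate is never folded unevenly onto the group order. As an added example that is not the crate's code, this std-only Rust sketches that sampling against the Ed448 base-point order from RFC 8032; the `fill` closure is a hypothetical stand-in for the RNG (not the crate's API), and the xorshift generator in `main` is a constructed placeholder, not a key-material source.

```rust
/// Order L of the Ed448 base point (RFC 8032 section 5.2), big-endian:
/// L = 2^446 - 0x8335dc163bb124b65129c96fde933d8d723a70aadc873d6d54a7bb0d.
const ED448_ORDER_BE: [u8; 56] = [
    0x3f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0x7c, 0xca, 0x23, 0xe9, 0xc4, 0x4e, 0xdb, 0x49, 0xae, 0xd6, 0x36, 0x90, 0x21, 0x6c,
    0xc2, 0x72, 0x8d, 0xc5, 0x8f, 0x55, 0x23, 0x78, 0xc2, 0x92, 0xab, 0x58, 0x44, 0xf3,
];

/// True iff the 56-byte big-endian value lies in [0, L), i.e. is a canonical scalar.
fn below_order(be: &[u8; 56]) -> bool {
    // Lexicographic order of equal-length big-endian slices is numeric order.
    be.as_slice() < ED448_ORDER_BE.as_slice()
}

/// Uniform scalar in [0, L) by rejection sampling. `fill` stands in for the RNG
/// (hypothetical signature, not the crate's API); None only if every one of
/// `max_tries` candidates was rejected.
fn scalar_by_rejection(mut fill: impl FnMut(&mut [u8; 56]), max_tries: u32) -> Option<[u8; 56]> {
    let mut buf = [0u8; 56];
    for _ in 0..max_tries {
        fill(&mut buf);
        // Mask to 446 bits: the candidate is uniform in [0, 2^446). L is just below
        // 2^446, so a candidate is rejected with probability about 2^-223.
        buf[0] &= 0x3f;
        // The branch depends only on a candidate that is thrown away when it fails,
        // so the variable iteration count reveals nothing about the returned scalar.
        if below_order(&buf) {
            return Some(buf);
        }
    }
    None
}

fn main() {
    // Constructed stand-in RNG (xorshift64, NOT cryptographic) to show the call shape.
    let mut state = 0x9E37_79B9_7F4A_7C15u64;
    let fill = |buf: &mut [u8; 56]| {
        for b in buf.iter_mut() {
            state ^= state << 13; state ^= state >> 7; state ^= state << 17;
            *b = (state >> 56) as u8;
        }
    };
    let s = scalar_by_rejection(fill, 64).expect("all candidates rejected");
    println!("canonical scalar: {}", below_order(&s));
}
```

Because L is within 2^-223 of 2^446, a real RNG is accepted on the first draw essentially always; the loop bound only matters for a broken RNG that keeps returning values at or above L.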