Use elliptic-curve with ff/group v0.14.0

Companion PR to RustCypto/traits#2431 which migrates everything to use
the upstream releases of `ff`/`group` v0.14.0.

To make this work, it's using a vendored copy of `wnaf.rs` in the
`elliptic-curve` crate which has been modified to support big endian
`PrimeField::Repr` as well as multiscalar multiplication.

Author: tarcieri

Cargo.lock

@@ -28,4 +28,3 @@ primefield = { path = "primefield" }
 primeorder = { path = "primeorder" }
 
 elliptic-curve = { git = "http://github.com/RustCrypto/traits.git" }
-rustcrypto-group = { git = "https://github.com/RustCrypto/group" }

Cargo.toml

@@ -1,10 +1,12 @@
+use crate::decaf::points::DecafPointRepr;
 use crate::{
     Decaf448FieldBytes, DecafPoint, DecafScalar, ORDER,
     curve::twedwards::affine::AffinePoint as InnerAffinePoint, field::FieldElement,
 };
 use elliptic_curve::{
-    Error, Generate, ctutils,
-    ops::{Mul, MulVartime},
+    CurveGroup, Error, Generate, ctutils,
+    group::{CurveAffine, GroupEncoding},
+    ops::{Mul, MulVartime, Neg},
     point::{AffineCoordinates, NonIdentity},
     zeroize::DefaultIsZeroes,
 };
@@ -102,6 +104,27 @@ impl AffineCoordinates for AffinePoint {
     }
 }
 
+impl CurveAffine for AffinePoint {
+    type Curve = DecafPoint;
+    type Scalar = DecafScalar;
+
+    fn identity() -> AffinePoint {
+        Self::IDENTITY
+    }
+
+    fn generator() -> AffinePoint {
+        DecafPoint::GENERATOR.to_affine()
+    }
+
+    fn is_identity(&self) -> Choice {
+        self.to_decaf().is_identity()
+    }
+
+    fn to_curve(&self) -> DecafPoint {
+        self.to_decaf()
+    }
+}
+
 impl DefaultIsZeroes for AffinePoint {}
 
 impl Generate for AffinePoint {
@@ -110,6 +133,23 @@ impl Generate for AffinePoint {
     }
 }
 
+impl GroupEncoding for AffinePoint {
+    type Repr = DecafPointRepr;
+
+    fn from_bytes(bytes: &Self::Repr) -> CtOption<Self> {
+        DecafPoint::from_bytes(bytes).map(|point| point.to_affine())
+    }
+
+    fn from_bytes_unchecked(bytes: &Self::Repr) -> CtOption<Self> {
+        // No unchecked conversion possible for compressed points
+        Self::from_bytes(bytes)
+    }
+
+    fn to_bytes(&self) -> Self::Repr {
+        self.to_decaf().to_bytes()
+    }
+}
+
 /// The constant-time alternative is available at [`NonIdentity::new()`].
 impl TryFrom<AffinePoint> for NonIdentity<AffinePoint> {
     type Error = Error;
@@ -157,3 +197,11 @@ impl MulVartime<&DecafScalar> for &AffinePoint {
 }
 
 define_mul_variants!(LHS = AffinePoint, RHS = DecafScalar, Output = DecafPoint);
+
+impl Neg for AffinePoint {
+    type Output = AffinePoint;
+
+    fn neg(self) -> Self::Output {
+        self.to_decaf().neg().to_affine()
+    }
+}

ed448-goldilocks/src/decaf/affine.rs

@@ -266,7 +266,7 @@ impl Generate for DecafPoint {
 impl Group for DecafPoint {
     type Scalar = DecafScalar;
 
-    fn try_from_rng<R>(rng: &mut R) -> Result<Self, R::Error>
+    fn try_random<R>(rng: &mut R) -> Result<Self, R::Error>
     where
         R: TryRng + ?Sized,
     {
@@ -341,9 +341,9 @@ impl<const N: usize> LinearCombination<[(DecafPoint, DecafScalar); N]> for Decaf
 impl LinearCombination<[(DecafPoint, DecafScalar)]> for DecafPoint {}
 
 impl CurveGroup for DecafPoint {
-    type AffineRepr = DecafAffinePoint;
+    type Affine = DecafAffinePoint;
 
-    fn to_affine(&self) -> Self::AffineRepr {
+    fn to_affine(&self) -> Self::Affine {
         DecafAffinePoint(self.0.to_extensible().to_affine())
     }
 }

ed448-goldilocks/src/decaf/points.rs

@@ -1,9 +1,11 @@
 use crate::{field::FieldElement, *};
 use core::fmt::{Display, Formatter, LowerHex, Result as FmtResult, UpperHex};
+use elliptic_curve::array::Array;
 use elliptic_curve::{
     Error, Generate, ctutils,
-    ops::{Mul, MulVartime},
-    point::NonIdentity,
+    group::{CurveAffine, Group, GroupEncoding},
+    ops::{Mul, MulVartime, Neg},
+    point::{AffineCoordinates, NonIdentity},
     zeroize::DefaultIsZeroes,
 };
 use rand_core::{TryCryptoRng, TryRng};
@@ -105,7 +107,7 @@ impl AffinePoint {
     ///
     /// Helper method that has `TryRng` bounds so `ProjectivePoint` can call it for its `group`
     /// impls, otherwise end users should use the `Generate` trait.
-    pub(crate) fn try_from_rng<R>(rng: &mut R) -> Result<Self, R::Error>
+    pub(crate) fn try_random<R>(rng: &mut R) -> Result<Self, R::Error>
     where
         R: TryRng + ?Sized,
     {
@@ -120,6 +122,56 @@ impl AffinePoint {
     }
 }
 
+impl AffineCoordinates for AffinePoint {
+    type FieldRepr = Ed448FieldBytes;
+
+    fn from_coordinates(x: &Self::FieldRepr, y: &Self::FieldRepr) -> CtOption<Self> {
+        let point = Self {
+            x: FieldElement::from_bytes_extended(&x.0),
+            y: FieldElement::from_bytes_extended(&y.0),
+        };
+
+        CtOption::new(point, point.is_on_curve())
+    }
+
+    fn x(&self) -> Self::FieldRepr {
+        Ed448FieldBytes::from(self.x.to_bytes_extended())
+    }
+
+    fn y(&self) -> Self::FieldRepr {
+        Ed448FieldBytes::from(self.y.to_bytes_extended())
+    }
+
+    fn x_is_odd(&self) -> Choice {
+        self.x.is_negative()
+    }
+
+    fn y_is_odd(&self) -> Choice {
+        self.y.is_negative()
+    }
+}
+
+impl CurveAffine for AffinePoint {
+    type Curve = EdwardsPoint;
+    type Scalar = EdwardsScalar;
+
+    fn identity() -> AffinePoint {
+        Self::IDENTITY
+    }
+
+    fn generator() -> AffinePoint {
+        EdwardsPoint::GENERATOR.to_affine()
+    }
+
+    fn is_identity(&self) -> Choice {
+        self.to_edwards().is_identity()
+    }
+
+    fn to_curve(&self) -> EdwardsPoint {
+        self.into()
+    }
+}
+
 impl Default for AffinePoint {
     fn default() -> Self {
         Self::IDENTITY
@@ -156,6 +208,8 @@ impl ctutils::CtSelect for AffinePoint {
     }
 }
 
+impl DefaultIsZeroes for AffinePoint {}
+
 impl Eq for AffinePoint {}
 impl PartialEq for AffinePoint {
     fn eq(&self, other: &Self) -> bool {
@@ -165,41 +219,27 @@ impl PartialEq for AffinePoint {
 
 impl Generate for AffinePoint {
     fn try_generate_from_rng<R: TryCryptoRng + ?Sized>(rng: &mut R) -> Result<Self, R::Error> {
-        Self::try_from_rng(rng)
+        Self::try_random(rng)
     }
 }
 
-impl elliptic_curve::point::AffineCoordinates for AffinePoint {
-    type FieldRepr = Ed448FieldBytes;
+impl GroupEncoding for AffinePoint {
+    type Repr = Array<u8, U57>;
 
-    fn from_coordinates(x: &Self::FieldRepr, y: &Self::FieldRepr) -> CtOption<Self> {
-        let point = Self {
-            x: FieldElement::from_bytes_extended(&x.0),
-            y: FieldElement::from_bytes_extended(&y.0),
-        };
-
-        CtOption::new(point, point.is_on_curve())
+    fn from_bytes(bytes: &Self::Repr) -> CtOption<Self> {
+        CompressedEdwardsY((*bytes).into()).decompress()
     }
 
-    fn x(&self) -> Self::FieldRepr {
-        Ed448FieldBytes::from(self.x.to_bytes_extended())
+    fn from_bytes_unchecked(bytes: &Self::Repr) -> CtOption<Self> {
+        // No unchecked conversion possible for compressed points
+        Self::from_bytes(bytes)
     }
 
-    fn y(&self) -> Self::FieldRepr {
-        Ed448FieldBytes::from(self.y.to_bytes_extended())
-    }
-
-    fn x_is_odd(&self) -> Choice {
-        self.x.is_negative()
-    }
-
-    fn y_is_odd(&self) -> Choice {
-        self.y.is_negative()
+    fn to_bytes(&self) -> Self::Repr {
+        self.compress().0.into()
     }
 }
 
-impl DefaultIsZeroes for AffinePoint {}
-
 impl From<NonIdentity<AffinePoint>> for AffinePoint {
     fn from(affine: NonIdentity<AffinePoint>) -> Self {
         affine.to_point()
@@ -251,6 +291,14 @@ define_mul_variants!(
     Output = EdwardsPoint
 );
 
+impl Neg for AffinePoint {
+    type Output = AffinePoint;
+
+    fn neg(self) -> Self::Output {
+        self.to_edwards().neg().to_affine()
+    }
+}
+
 /// The compressed internal representation of a point on the Twisted Edwards Curve
 pub type PointBytes = [u8; 57];