Account for identity point during conversion

Author: daxpedda

ed448-goldilocks/src/montgomery/point.rs

@@ -166,7 +166,11 @@ impl ProjectiveMontgomeryPoint {
 
     /// Convert the point to its form without the y-coordinate
     pub fn to_projective_x(&self) -> ProjectiveMontgomeryXpoint {
-        ProjectiveMontgomeryXpoint::new(self.U, self.W)
+        ProjectiveMontgomeryXpoint::conditional_select(
+            &ProjectiveMontgomeryXpoint::new(self.U, self.W),
+            &ProjectiveMontgomeryXpoint::IDENTITY,
+            self.ct_eq(&Self::IDENTITY),
+        )
     }
 
     /// Convert the point to affine form without the y-coordinate
@@ -384,6 +388,22 @@ mod tests {
         assert_eq!(goldilocks_point.to_montgomery(), montgomery_res);
     }
 
+    #[test]
+    fn test_montgomery_x() {
+        let x_identity = ProjectiveMontgomeryXpoint::IDENTITY;
+        let identity = ProjectiveMontgomeryPoint::IDENTITY;
+
+        assert_eq!(identity.to_projective_x(), x_identity);
+    }
+
+    #[test]
+    fn test_montgomery_affine_x() {
+        let x_identity = ProjectiveMontgomeryXpoint::IDENTITY.to_affine();
+        let identity = ProjectiveMontgomeryPoint::IDENTITY.to_affine();
+
+        assert_eq!(identity.to_affine_x(), x_identity);
+    }
+
     #[test]
     fn hash_with_test_vectors() {
         const DST: &[u8] = b"QUUX-V01-CS02-with-curve448_XOF:SHAKE256_ELL2_RO_";

ed448-goldilocks/src/montgomery/x.rs

@@ -41,7 +41,7 @@ const LOW_C: MontgomeryXpoint = MontgomeryXpoint([
 ]);
 
 /// A point in Montgomery form
-#[derive(Copy, Clone)]
+#[derive(Copy, Clone, Eq)]
 pub struct MontgomeryXpoint(pub [u8; 56]);
 
 impl Default for MontgomeryXpoint {
@@ -69,10 +69,9 @@ impl PartialEq for MontgomeryXpoint {
         self.ct_eq(other).into()
     }
 }
-impl Eq for MontgomeryXpoint {}
 
 /// A Projective point in Montgomery form
-#[derive(Copy, Clone, Debug)]
+#[derive(Copy, Clone, Debug, Eq)]
 pub struct ProjectiveMontgomeryXpoint {
     U: FieldElement,
     W: FieldElement,
@@ -143,6 +142,12 @@ impl MontgomeryXpoint {
     }
 }
 
+impl ConstantTimeEq for ProjectiveMontgomeryXpoint {
+    fn ct_eq(&self, other: &Self) -> Choice {
+        self.U.ct_eq(&other.U) & self.W.ct_eq(&other.W)
+    }
+}
+
 impl ConditionallySelectable for ProjectiveMontgomeryXpoint {
     fn conditional_select(a: &Self, b: &Self, choice: Choice) -> Self {
         Self {
@@ -152,6 +157,12 @@ impl ConditionallySelectable for ProjectiveMontgomeryXpoint {
     }
 }
 
+impl PartialEq for ProjectiveMontgomeryXpoint {
+    fn eq(&self, other: &Self) -> bool {
+        self.ct_eq(other).into()
+    }
+}
+
 impl Mul<&MontgomeryScalar> for &ProjectiveMontgomeryXpoint {
     type Output = ProjectiveMontgomeryXpoint;
 
@@ -341,14 +352,19 @@ impl ProjectiveMontgomeryXpoint {
 
     /// Convert the point to its form including the y-coordinate
     pub fn to_extended(&self, sign: Choice) -> ProjectiveMontgomeryPoint {
-        ProjectiveMontgomeryPoint::new(self.U, self.y(sign), self.W)
+        ProjectiveMontgomeryPoint::conditional_select(
+            &ProjectiveMontgomeryPoint::new(self.U, self.y(sign), self.W),
+            &ProjectiveMontgomeryPoint::IDENTITY,
+            self.ct_eq(&Self::IDENTITY),
+        )
     }
 }
 
 #[cfg(test)]
 mod tests {
     use super::*;
     use crate::EdwardsPoint;
+    use elliptic_curve::CurveGroup;
     use hex_literal::hex;
     use sha3::Shake256;
 
@@ -366,6 +382,22 @@ mod tests {
         assert_eq!(goldilocks_point.to_montgomery_x(), montgomery_res);
     }
 
+    #[test]
+    fn test_montgomery_extended() {
+        let x_identity = ProjectiveMontgomeryXpoint::IDENTITY;
+        let identity = ProjectiveMontgomeryPoint::IDENTITY;
+
+        assert_eq!(x_identity.to_extended(Choice::from(1)), identity);
+    }
+
+    #[test]
+    fn test_montgomery_extended_affine() {
+        let x_identity = ProjectiveMontgomeryXpoint::IDENTITY.to_affine();
+        let identity = ProjectiveMontgomeryPoint::IDENTITY.to_affine();
+
+        assert_eq!(x_identity.to_extended(Choice::from(1)), identity);
+    }
+
     #[test]
     fn hash_with_test_vectors() {
         const DST: &[u8] = b"QUUX-V01-CS02-with-curve448_XOF:SHAKE256_ELL2_RO_";