Account for more identity point conversion

daxpedda · daxpedda · commit ccfa0424d09f · 2025-07-13T23:49:04.000+02:00
diff --git a/ed448-goldilocks/src/edwards/affine.rs b/ed448-goldilocks/src/edwards/affine.rs
@@ -130,7 +130,11 @@ impl AffinePoint {
         // v = (2 - x^2 - y^2)*y/x^3)
         let v = ((FieldElement::TWO - x_sq - y_sq) * self.y) * (x_sq * self.x).invert();
 
-        MontgomeryPoint::new(u, v)
+        MontgomeryPoint::conditional_select(
+            &MontgomeryPoint::new(u, v),
+            &MontgomeryPoint::IDENTITY,
+            self.ct_eq(&Self::IDENTITY),
+        )
     }
 
     /// The X coordinate
diff --git a/ed448-goldilocks/src/montgomery/point.rs b/ed448-goldilocks/src/montgomery/point.rs
@@ -30,6 +30,12 @@ pub struct MontgomeryPoint {
 }
 
 impl MontgomeryPoint {
+    /// The identity element of the group: the point at infinity.
+    pub const IDENTITY: Self = Self {
+        x: FieldElement::ZERO,
+        y: FieldElement::ONE,
+    };
+
     pub(crate) fn new(x: FieldElement, y: FieldElement) -> Self {
         Self { x, y }
     }
@@ -57,7 +63,11 @@ impl MontgomeryPoint {
         let x = xn * yd * d;
         let y = yn * xd * d;
 
-        AffinePoint { x, y }
+        AffinePoint::conditional_select(
+            &AffinePoint { x, y },
+            &AffinePoint::IDENTITY,
+            self.ct_eq(&Self::IDENTITY),
+        )
     }
 
     /// Convert the point to its form without the y-coordinate
@@ -410,7 +420,7 @@ mod tests {
     use hex_literal::hex;
 
     #[test]
-    fn test_montgomery_edwards() {
+    fn to_edwards() {
         let scalar = MontgomeryScalar::from(200u32);
 
         // Montgomery scalar mul
@@ -424,15 +434,31 @@ mod tests {
     }
 
     #[test]
-    fn test_montgomery_x() {
+    fn identity_to_edwards() {
+        let edwards = AffinePoint::IDENTITY;
+        let montgomery = MontgomeryPoint::IDENTITY;
+
+        assert_eq!(montgomery.to_edwards(), edwards);
+    }
+
+    #[test]
+    fn identity_from_montgomery() {
+        let edwards = AffinePoint::IDENTITY;
+        let montgomery = MontgomeryPoint::IDENTITY;
+
+        assert_eq!(edwards.to_montgomery(), montgomery);
+    }
+
+    #[test]
+    fn to_montgomery_x() {
         let x_identity = ProjectiveMontgomeryXpoint::IDENTITY;
         let identity = ProjectiveMontgomeryPoint::IDENTITY;
 
         assert_eq!(identity.to_projective_x(), x_identity);
     }
 
     #[test]
-    fn test_montgomery_affine_x() {
+    fn to_montgomery_affine_x() {
         let x_identity = ProjectiveMontgomeryXpoint::IDENTITY.to_affine();
         let identity = ProjectiveMontgomeryPoint::IDENTITY.to_affine();
 
diff --git a/ed448-goldilocks/src/montgomery/x.rs b/ed448-goldilocks/src/montgomery/x.rs
@@ -369,7 +369,7 @@ mod tests {
     use sha3::Shake256;
 
     #[test]
-    fn test_montgomery_edwards() {
+    fn to_edwards() {
         let scalar = MontgomeryScalar::from(200u32);
 
         // Montgomery scalar mul
@@ -383,15 +383,15 @@ mod tests {
     }
 
     #[test]
-    fn test_montgomery_extended() {
+    fn to_montgomery_extended_x() {
         let x_identity = ProjectiveMontgomeryXpoint::IDENTITY;
         let identity = ProjectiveMontgomeryPoint::IDENTITY;
 
         assert_eq!(x_identity.to_extended(Choice::from(1)), identity);
     }
 
     #[test]
-    fn test_montgomery_extended_affine() {
+    fn to_montgomery_extended_affine() {
         let x_identity = ProjectiveMontgomeryXpoint::IDENTITY.to_affine();
         let identity = ProjectiveMontgomeryPoint::IDENTITY.to_affine();
 
