feat: add osswu trait

Signed-off-by: Michael Lodder <redmike7@gmail.com>

elliptic-curve/Cargo.toml

@@ -49,6 +49,7 @@ dev = ["arithmetic", "hex-literal", "pem", "pkcs8"]
 ecdh = ["arithmetic"]
 hazmat = []
 jwk = ["alloc", "base64ct/alloc", "serde", "serde_json", "zeroize/alloc"]
+osswu = ["ff"]
 pem = ["alloc", "arithmetic", "pem-rfc7468/alloc", "pkcs8", "sec1/pem"]
 pkcs8 = ["sec1/pkcs8"]
 std = ["alloc", "rand_core/std"]

elliptic-curve/src/lib.rs

@@ -94,6 +94,11 @@ pub mod ecdh;
 #[cfg(feature = "jwk")]
 mod jwk;
 
+/// Optimized simplified Shallue-van de Woestijne-Ulas methods
+#[cfg(feature = "osswu")]
+#[cfg_attr(docsrs, doc(cfg(feature = "osswu")))]
+pub mod osswu;
+
 pub use crate::{
  error::{Error, Result},
  point::{

elliptic-curve/src/osswu.rs

@@ -0,0 +1,84 @@
+use ff::Field;
+use subtle::Choice;
+
+/// The Optimized Simplified Shallue-van de Woestijne-Ulas parameters
+pub struct OsswuMapParams<F>
+where
+ F: Field,
+{
+ /// The first constant term
+ pub c1: [u64; 4],
+ /// The second constant term
+ pub c2: F,
+ /// The ISO A variable or Curve A variable
+ pub map_a: F,
+ /// The ISO A variable or Curve A variable
+ pub map_b: F,
+ /// The Z parameter
+ pub z: F,
+}
+
+/// Trait for determining the parity of the field
+pub trait Sgn0 {
+ /// Return the parity of the field
+ /// 1 == negative
+ /// 0 == non-negative
+ fn sgn0(&self) -> Choice;
+}
+
+/// The optimized simplified Shallue-van de Woestijne-Ulas method
+/// for mapping elliptic curve scalars to affine points.
+pub trait OsswuMap: Field + Sgn0 {
+ /// The OSSWU parameters for mapping the field to affine points.
+ /// For Weierstrass curves having A==0 or B==0, the parameters
+ /// should be for isogeny where A≠0 and B≠0.
+ const PARAMS: OsswuMapParams<Self>;
+
+ /// Convert this field element into an affine point on the ellliptic curve
+ /// returning (X, Y). For Weierstrass curves having A==0 or B==0
+ /// the result is a point on an isogeny.
+ fn osswu(&self) -> (Self, Self) {
+ let tv1 = self.square(); // u^2
+ let tv3 = Self::PARAMS.z * tv1; // Z * u^2
+ let mut tv2 = tv3.square(); // tv3^2
+ let mut xd = tv2 + tv3; // tv3^2 + tv3
+ let x1n = Self::PARAMS.map_b * (xd + Self::one()); // B * (xd + 1)
+ let a_neg = -Self::PARAMS.map_a;
+ xd *= a_neg; // -A * xd
+
+ let tv = Self::PARAMS.z * Self::PARAMS.map_a;
+ xd.conditional_assign(&tv, xd.is_zero());
+
+ tv2 = xd.square(); //xd^2
+ let gxd = tv2 * xd; // xd^3
+ tv2 *= Self::PARAMS.map_a; // A * tv2
+
+ let mut gx1 = x1n * (tv2 + x1n.square()); //x1n *(tv2 + x1n^2)
+ tv2 = gxd * Self::PARAMS.map_b; // B * gxd
+ gx1 += tv2; // gx1 + tv2
+
+ let mut tv4 = gxd.square(); // gxd^2
+ tv2 = gx1 * gxd; // gx1 * gxd
+ tv4 *= tv2;
+
+ let y1 = tv4.pow_vartime(&Self::PARAMS.c1) * tv2; // tv4^C1 * tv2
+ let x2n = tv3 * x1n; // tv3 * x1n
+
+ let y2 = y1 * Self::PARAMS.c2 * tv1 * self; // y1 * c2 * tv1 * u
+
+ tv2 = y1.square() * gxd; //y1^2 * gxd
+
+ let e2 = tv2.ct_eq(&gx1);
+
+ // if e2 , x = x1, else x = x2
+ let mut x = Self::conditional_select(&x2n, &x1n, e2);
+ // xn / xd
+ x *= xd.invert().unwrap();
+
+ // if e2, y = y1, else y = y2
+ let mut y = Self::conditional_select(&y2, &y1, e2);
+
+ y.conditional_assign(&-y, self.sgn0() ^ y.sgn0());
+ (x, y)
+ }
+}