Test Montgomery -> Edwards through hash2curve

daxpedda · daxpedda · commit 70b3a7532d25 · 2025-09-14T16:40:12.000+02:00
diff --git a/ed448-goldilocks/src/edwards/extended.rs b/ed448-goldilocks/src/edwards/extended.rs
@@ -809,6 +809,7 @@ mod tests {
     use proptest::prelude::any;
     use proptest::proptest;
     use rand_core::{OsRng, TryRngCore};
+    use sha3::Shake256;
 
     fn hex_to_field(hex: &'static str) -> FieldElement {
         assert_eq!(hex.len(), 56 * 2);
@@ -969,9 +970,7 @@ mod tests {
         ];
 
         for (msg, x, y) in MSGS {
-            let p =
-                hash2curve::hash_from_bytes::<Ed448, ExpandMsgXof<sha3::Shake256>>(&[msg], &[DST])
-                    .unwrap();
+            let p = Ed448::hash_from_bytes(msg, DST).unwrap();
             assert_eq!(p.is_on_curve().unwrap_u8(), 1u8);
             let p = p.to_affine();
             let mut xx = [0u8; 56];
@@ -1008,11 +1007,7 @@ mod tests {
         ];
 
         for (msg, x, y) in MSGS {
-            let p = hash2curve::encode_from_bytes::<Ed448, ExpandMsgXof<sha3::Shake256>>(
-                &[msg],
-                &[DST],
-            )
-            .unwrap();
+            let p = Ed448::encode_from_bytes(msg, DST).unwrap();
             assert_eq!(p.is_on_curve().unwrap_u8(), 1u8);
             let p = p.to_affine();
             let mut xx = [0u8; 56];
@@ -1023,6 +1018,22 @@ mod tests {
             yy.reverse();
             assert_eq!(p.x.to_bytes(), xx);
             assert_eq!(p.y.to_bytes(), yy);
+
+            // Test Montgomery to Edwards conversion.
+            // See https://github.com/cfrg/draft-irtf-cfrg-hash-to-curve/blob/664b13592116cecc9e52fb192dcde0ade36f904e/poc/ell2_opt_3mod4.sage#L243-L245.
+            let conv_p =
+                ProjectiveMontgomeryXpoint::encode::<ExpandMsgXof<Shake256>>(&[msg], &[DST])
+                    .unwrap()
+                    .to_affine();
+            let conv_p1 = conv_p.to_edwards(Choice::from(0));
+            let conv_p2 = conv_p.to_edwards(Choice::from(1));
+            assert!(conv_p1.x == p.x || conv_p2.x == p.x);
+            assert!(conv_p1.y == p.y || conv_p2.y == p.y);
+
+            let conv_p =
+                AffinePoint::from(Curve448::encode_from_bytes(msg, DST).unwrap().to_affine());
+            assert_eq!(conv_p.x, p.x);
+            assert_eq!(conv_p.y, p.y);
         }
     }
 
