// HashToEdwards converts a 256-bit hash output into a point on the Edwards
// curve isomorphic to Curve25519 in a manner that preserves
// collision-resistance. The returned curve points are NOT indistinguishable
// from random even if the hash value is.
// Specifically, first one bit of the hash output is set aside for parity and
// the rest is tuncated and fed into the elligator bijection (which covers half
// of the points on the elliptic curve).
func HashToEdwards(out *edwards25519.ExtendedGroupElement, h *[32]byte) {
hh := *h
bit := hh[31] >> 7
hh[31] &= 127
edwards25519.FeFromBytes(&out.Y, &hh)
representativeToMontgomeryX(&out.X, &out.Y)
montgomeryXToEdwardsY(&out.Y, &out.X)
if ok := out.FromParityAndY(bit, &out.Y); !ok {
panic("HashToEdwards: point not on curve")
}
}
// RepresentativeToPublicKey converts a uniform representative value for a
// curve25519 public key, as produced by ScalarBaseMult, to a curve25519 public
// key.
func RepresentativeToPublicKey(publicKey, representative *[32]byte) {
var rr2, v edwards25519.FieldElement
edwards25519.FeFromBytes(&rr2, representative)
representativeToMontgomeryX(&v, &rr2)
edwards25519.FeToBytes(publicKey, &v)
}