p256: implement AffinePoint::identity() and ::is_identity()

This is a corresponding change ala #165, but for the `p256` crate.

k256/src/arithmetic/affine.rs

@@ -139,8 +139,7 @@ impl FromEncodedPoint<Secp256k1> for AffinePoint {
                         // Check that the point is on the curve
                         let lhs = (y * &y).negate(1);
                         let rhs = x * &x * &x + &CURVE_EQUATION_B;
-                        let infinity = Choice::from(0);
-                        let point = AffinePoint { x, y, infinity };
+                        let point = AffinePoint { x, y, infinity: Choice::from(0) };
                         CtOption::new(point, (lhs + &rhs).normalizes_to_zero())
                     })
                 })

p256/src/arithmetic/affine.rs

@@ -20,20 +20,38 @@ use elliptic_curve::zeroize::Zeroize;
 pub struct AffinePoint {
     pub(crate) x: FieldElement,
     pub(crate) y: FieldElement,
+    pub(super) infinity: Choice,
+}
+
+impl AffinePoint {
+    /// Returns the identity of the group: the point at infinity.
+    pub fn identity() -> AffinePoint {
+        Self {
+            x: FieldElement::zero(),
+            y: FieldElement::zero(),
+            infinity: Choice::from(1),
+        }
+    }
+
+    /// Is this point the identity point?
+    pub fn is_identity(&self) -> Choice {
+        self.infinity
+    }
 }
 
 impl ConditionallySelectable for AffinePoint {
     fn conditional_select(a: &AffinePoint, b: &AffinePoint, choice: Choice) -> AffinePoint {
         AffinePoint {
             x: FieldElement::conditional_select(&a.x, &b.x, choice),
             y: FieldElement::conditional_select(&a.y, &b.y, choice),
+            infinity: Choice::conditional_select(&a.infinity, &b.infinity, choice),
         }
     }
 }
 
 impl ConstantTimeEq for AffinePoint {
     fn ct_eq(&self, other: &AffinePoint) -> Choice {
-        self.x.ct_eq(&other.x) & self.y.ct_eq(&other.y)
+        self.x.ct_eq(&other.x) & self.y.ct_eq(&other.y) & !(self.infinity ^ other.infinity)
     }
 }
 
@@ -64,6 +82,7 @@ impl Generator for AffinePoint {
                 0x37, 0xbf, 0x51, 0xf5
             ])
             .unwrap(),
+            infinity: Choice::from(0),
         }
     }
 }
@@ -82,7 +101,11 @@ impl Decompress<NistP256> for AffinePoint {
                     !(beta.is_odd() ^ y_is_odd),
                 );
 
-                Self { x, y }
+                Self {
+                    x,
+                    y,
+                    infinity: Choice::from(0),
+                }
             })
         })
     }
@@ -108,7 +131,12 @@ impl FromEncodedPoint<NistP256> for AffinePoint {
                         // Check that the point is on the curve
                         let lhs = y * &y;
                         let rhs = x * &x * &x + &(CURVE_EQUATION_A * &x) + &CURVE_EQUATION_B;
-                        CtOption::new(AffinePoint { x, y }, lhs.ct_eq(&rhs))
+                        let point = AffinePoint {
+                            x,
+                            y,
+                            infinity: Choice::from(0),
+                        };
+                        CtOption::new(point, lhs.ct_eq(&rhs))
                     })
                 })
             }
@@ -133,9 +161,7 @@ impl Mul<NonZeroScalar> for AffinePoint {
     type Output = AffinePoint;
 
     fn mul(self, scalar: NonZeroScalar) -> Self {
-        (ProjectivePoint::from(self) * scalar.as_ref())
-            .to_affine()
-            .unwrap()
+        (ProjectivePoint::from(self) * scalar.as_ref()).to_affine()
     }
 }
 
@@ -146,6 +172,7 @@ impl Neg for AffinePoint {
         AffinePoint {
             x: self.x,
             y: -self.y,
+            infinity: self.infinity,
         }
     }
 }
@@ -192,7 +219,7 @@ mod tests {
         let point = AffinePoint::from_encoded_point(&pubkey).unwrap();
         assert_eq!(point, AffinePoint::generator());
 
-        let res: EncodedPoint = point.to_encoded_point(true).into();
+        let res: EncodedPoint = point.to_encoded_point(true);
         assert_eq!(res, pubkey);
     }
 

p256/src/arithmetic/projective.rs

@@ -4,7 +4,7 @@ use super::{AffinePoint, FieldElement, Scalar, CURVE_EQUATION_B};
 use core::ops::{Add, AddAssign, Mul, MulAssign, Neg, Sub, SubAssign};
 use elliptic_curve::{
     point::Generator,
-    subtle::{Choice, ConditionallySelectable, ConstantTimeEq, CtOption},
+    subtle::{Choice, ConditionallySelectable, ConstantTimeEq},
 };
 
 /// A point on the secp256r1 curve in projective coordinates.
@@ -65,11 +65,15 @@ impl ProjectivePoint {
     }
 
     /// Returns the affine representation of this point, or `None` if it is the identity.
-    pub fn to_affine(&self) -> CtOption<AffinePoint> {
-        self.z.invert().map(|zinv| AffinePoint {
-            x: self.x * &zinv,
-            y: self.y * &zinv,
-        })
+    pub fn to_affine(&self) -> AffinePoint {
+        self.z
+            .invert()
+            .map(|zinv| AffinePoint {
+                x: self.x * &zinv,
+                y: self.y * &zinv,
+                infinity: Choice::from(0),
+            })
+            .unwrap_or_else(AffinePoint::identity)
     }
 
     /// Returns `-self`.
@@ -363,11 +367,11 @@ mod tests {
             ProjectivePoint::from(basepoint_affine),
             basepoint_projective,
         );
-        assert_eq!(basepoint_projective.to_affine().unwrap(), basepoint_affine);
+        assert_eq!(basepoint_projective.to_affine(), basepoint_affine);
+        assert!(!bool::from(basepoint_projective.to_affine().is_identity()));
 
-        // The projective identity does not have an affine representation.
         assert!(bool::from(
-            ProjectivePoint::identity().to_affine().is_none()
+            ProjectivePoint::identity().to_affine().is_identity()
         ));
     }
 
@@ -399,7 +403,7 @@ mod tests {
         let mut p = generator;
 
         for i in 0..ADD_TEST_VECTORS.len() {
-            let affine = p.to_affine().unwrap();
+            let affine = p.to_affine();
             assert_eq!(
                 (
                     hex::encode(affine.x.to_bytes()).to_uppercase().as_str(),
@@ -408,7 +412,7 @@ mod tests {
                 ADD_TEST_VECTORS[i]
             );
 
-            p = p + &generator;
+            p += &generator;
         }
     }
 
@@ -418,7 +422,7 @@ mod tests {
         let mut p = ProjectivePoint::generator();
 
         for i in 0..ADD_TEST_VECTORS.len() {
-            let affine = p.to_affine().unwrap();
+            let affine = p.to_affine();
             assert_eq!(
                 (
                     hex::encode(affine.x.to_bytes()).to_uppercase().as_str(),
@@ -437,7 +441,7 @@ mod tests {
         let mut p = generator;
 
         for i in 0..2 {
-            let affine = p.to_affine().unwrap();
+            let affine = p.to_affine();
             assert_eq!(
                 (
                     hex::encode(affine.x.to_bytes()).to_uppercase().as_str(),
@@ -494,7 +498,7 @@ mod tests {
                 )
             }))
         {
-            let res = (generator * &k).to_affine().unwrap();
+            let res = (generator * &k).to_affine();
             assert_eq!(
                 (
                     hex::encode(res.x.to_bytes()).to_uppercase().as_str(),

p256/src/ecdsa.rs

@@ -89,7 +89,7 @@ impl SignPrimitive<NistP256> for Scalar {
         let k_inverse = k_inverse.unwrap();
 
         // Compute `x`-coordinate of affine point 𝑘×𝑮
-        let x = (ProjectivePoint::generator() * k).to_affine().unwrap().x;
+        let x = (ProjectivePoint::generator() * k).to_affine().x;
 
         // Lift `x` (element of base field) to serialized big endian integer,
         // then reduce it to an element of the scalar field
@@ -117,7 +117,6 @@ impl VerifyPrimitive<NistP256> for AffinePoint {
 
         let x = ((&ProjectivePoint::generator() * &u1) + &(ProjectivePoint::from(*self) * &u2))
             .to_affine()
-            .unwrap()
             .x;
 
         if Scalar::from_bytes_reduced(&x.to_bytes()) == *r {