Implement Default for MontgomeryPoint

[DebugSteven]

MontegomeryPoint should have an implementation of Default so values that have types associated with it can zero their values with clear instead of transmute on drop. This is related to https://github.com/dalek-cryptography/x25519-dalek/issues/9

[hdevalence]

This would be great! One decision to make is what the default value should be. For the other point types we define default() to return the identity point, but for MontgomeryPoints this isn't possible because the identity point is not representable in affine coordinates.

[myrrlyn]

• EdwardsPoint implements Identity
• EdwardsPoint has a to_montgomery inherent
• MontgomeryPoint default could thus be EdwardsPoint::identity().to_montgomery()?

The conversion source is:

/// Convert this `EdwardsPoint` on the Edwards model to the
/// corresponding `MontgomeryPoint` on the Montgomery model.
///
/// Note that this is a one-way conversion, since the Montgomery
/// model does not retain sign information.
pub fn to_montgomery(&self) -> MontgomeryPoint {
    // We have u = (1+y)/(1-y) = (Z+Y)/(Z-Y).
    //
    // The denominator is zero only when y=1, the identity point of
    // the Edwards curve.  Since 0.invert() = 0, in this case we
    // compute u = 0, the identity point of the Montgomery line.
    let U = &self.Z + &self.Y;
    let W = &self.Z - &self.Y;
    let u = &U * &W.invert();
    MontgomeryPoint(u.to_bytes())
}

I presume that the zero point ([0u8; 32]) is suitable both as a default value and, coincidentally enough, also the value most beloved for the Clear trait to use as the clobber.

[hdevalence]

Sorry for the delay, the comment I wrote in the quoted code isn't correct so I wanted to double-check the reasoning.

Backing up a little bit: the Montgomery u-coordinate 0 corresponds to the point (u,v) = (0,0), which is a 2-torsion point (= adding it to itself gives the identity), but isn't the identity point. The identity point on Montgomery curves isn't representable in affine coordinates (u,v) (it's "at infinity", so it requires projective coordinates). This is why the Edwards identity point (x,y) = (0,1) is exceptional for the conversion u = (1+y)/(1-y), where it gives denominator 0. The identity point of the Montgomery u-line (in projective coordinates) is (U : W) = (1 : 0), which is converted to the MontgomeryPoint with u = 0, which is a standard part of X25519 (see section 5.4 of https://arxiv.org/pdf/1703.01863v1.pdf , page 16, for more details).

So:

• the zero point MontgomeryPoint([0u8; 32]) is a reasonable choice for MontgomeryPoint::default();
• this isn't the identity point, so MontgomeryPoint should probably not implement Identity;
• the comment in the EdwardsPoint::to_montgomery function is incorrect and should say ", the 2-torsion point (0,0)";
• the docstr for EdwardsPoint::to_montgomery should note that the Edwards identity point is exceptional and gets sent to the 2-torsion point (0,0);

I can fix the comment and docstr for the to_montgomery function separately from this issue (or someone else can, if they want, but I'm happy to do it).