ristretto255 point压缩和解压缩算法（1）——affine坐标系下

1、背景技术介绍

Extended twisted Edwards curve坐标系及相互转换中指出了，Every Edwards curve has a point of order 4.
论文《Decaf-Eliminating cofactors through point compression 2015-673》中对cofactor=4的曲线进行了压缩，保证了所使用的point步骤small-cofactor subgroup中。若使用small-cofactor subgroup中的point，存在的small-subgroup attack等危害参见博客ristretto对cofactor>1的椭圆曲线(如Curve25519等)的兼容（含Curve25519 cofactor的sage验证）。

以下为对cofactor=4的Edwards(或twisted Edwards curve $\epsilon$)曲线进行压缩和解压缩算法梳理：
该曲线的order为$r=hq,h=4$，其中$q$为素数。为了消除cofactor subgroup，实际要选择的group为 $\epsilon /\epsilon [4]$。（group群的一些基本概念可参见博客Elliptic curve isogeny and group coset）
同时，对于曲线$\epsilon$上的点，若两个点有small order(可被4整除)，则认为该两点等价。需要涉及以下三方面的调整：

• 判断points等价的方法需调整，差异为4 order的点应视为等价。
• 在发送前必须压缩point，同时保证对等价的points，压缩后的序列表示 { 0 , 1 } n \{0,1\}^n {0,1}n也应相同。压缩后的结果为一个Field域内的非负数元素（具体定义见Non-negative field elements）。
• 解压缩时，应保证仅对有效point的压缩结果进行解压缩。

Non-negative field elements定义：
若$x\in F_p，且x\in [0,(p-1)/2]$，则$x$可称为field域内的非负数。否则，称为field域内的负数。

在论文《Decaf-Eliminating cofactors through point compression 2015-673》中提到，对于曲线表现形式选择为Montgomery curve的原因为：Montgomery curves give simple Diffie-Hellman protocols, and twisted Edwards curves give a speed boost but have incomplete formulas in fields of order 3 (mod 4).

1.1 Twisted Edwards curves表示

Twisted Edwards curves的affine坐标系表示为：
ε a , d : = { ( x , y ) ∈ P 2 ( F ) : a ∗ x 2 + y 2 = 1 + d ∗ x 2 ∗ y 2 } \varepsilon_{a,d}:=\{(x,y)\in P^2(F):a*x^2+y^2=1+d*x^2*y^2\} εa,d​:={(x,y)∈P2(F):a∗x2+y2=1+d∗x2∗y2}

对应的Extended坐标系表示为：
ε a , d : = { ( X : Y : Z : T ) ∈ P 3 ( F ) : X Y = Z T   a n d   a ∗ X 2 + Y 2 = Z 2 + d ∗ T 2 } \varepsilon_{a,d}:=\{(X:Y:Z:T)\in P^3(F):XY=ZT\ and\ a*X^2+Y^2=Z^2+d*T^2\} εa,d​:={(X:Y:Z:T)∈P3(F):XY=ZT and a∗X2+Y2=Z2+d∗T2}

Edwards curve的identity point表示为$(0,1)=(0:1:1:0)$。

通常地，当$a=1$时，为untwisted；当$a=-1$时，具有更高的计算速度。

由于edwards25519满足完备性条件，所以，其4-torsion subgroup is cyclic：
ε a , d [ 4 ] = { ( 0 , 1 ) , ( 1 / a , 0 ) , ( 0 , − 1 ) , ( − 1 / a , 0 ) } \varepsilon_{a,d}[4]=\{(0,1),(1/\sqrt a,0),(0,-1), (-1/\sqrt a, 0)\} εa,d​[4]={(0,1),(1/a ​,0),(0,−1),(−1/a ​,0)}
这些4-torsion points为edwards25519上仅有的满足$xy=0$的点。且其中的$y!=0$点（即$(0,1),(0,-1)$）为2-torsion point。可定义Group H = { ( 0 , 1 ) , ( 1 / a , 0 ) , ( 0 , − 1 ) , ( − 1 / a , 0 ) } H=\{(0,1),(1/\sqrt a,0),(0,-1), (-1/\sqrt a, 0)\} H={(0,1),(1/a ​,0),(0,−1),(−1/a ​,0)}

若a在有限域内存在平方根，$a\ast x^2+y^2=1+d\ast x^2\ast y^2$可变形为：
$a\ast (\frac{y}{\sqrt{a}}{)}^2+(\sqrt{a}x{)}^2=1+d\ast (\frac{y}{\sqrt{a}}{)}^2\ast (\sqrt{a}x{)}^2$
${\epsilon }_{a,d}$上的point点除可表示为$(x,y),(-x,-y)$外，亦可表示为$(y/\sqrt{a},-\sqrt{a}x),(y/\sqrt{a},-\sqrt{a}x)$。之所以横纵坐标分别取不同的符号，是为了保证点表示的唯一性？？？
亦即${\epsilon }_{a,d}$对应的group G = { ( x , y ) , ( − x , − y ) , ( y / a , − a x ) , ( y / a , − a x ) } G=\{(x,y),(-x,-y),(y/\sqrt a,-\sqrt ax),(y/\sqrt a,-\sqrt ax)\} G={(x,y),(−x,−y),(y/a ​,−a ​x),(y/a ​,−a ​x)}

所以相应的coset of H= { ( x , y ) , ( − x , − y ) , ( y / a , − a x ) , ( − y / a , a x ) } \{(x,y),(-x,-y),(y/\sqrt a,-\sqrt ax),(-y/\sqrt a,\sqrt ax)\} {(x,y),(−x,−y),(y/a ​,−a ​x),(−y/a ​,a ​x)}

亦即 P + ε a , d [ 4 ] = { ( x , y ) , ( − x , − y ) , ( y / a , − a x ) , ( − y / a , a x ) } P+\varepsilon_{a,d}[4]=\{(x,y),(-x,-y),(y/\sqrt a,-\sqrt ax),(-y/\sqrt a,\sqrt ax)\} P+εa,d​[4]={(x,y),(−x,−y),(y/a ​,−a ​x),(−y/a ​,a ​x)}

1.1.1 Edwards 4-torsion subgroup验证

论文《Twisted Edwards Curves Revisited》中有：

可知，当$(x_1,y_1)$为$(0,1)$或$(0,-1)$时，对应的$2(0,1)=(0,1)=identitypointofedwards$，和$2(0,-1)=(0,1)=identitypointofedwards$
$\therefore (0,1)(0,-1)为2-torsionpoint$

而：
$2(1/\sqrt{a},0)=(0,-1)\Rightarrow 4(1/\sqrt{a},0)=2(0,-1)=(0,1)=identitypointofedwards$
$2(-1/\sqrt{a},0)=(0,-1)\Rightarrow 4(-1/\sqrt{a},0)=2(0,-1)=(0,1)=identitypointofedwards$
$\therefore (1/\sqrt{a},0)(-1/\sqrt{a},0)为4-torsionpoint$

因此有：
$(x,y)+(0,-1)=(-x,-y)；(x,y)+(0,1)=(x,y)；(x,y)+(1/\sqrt{a},0)=(y/\sqrt{a},-\sqrt{a}x)；(x,y)+(-1/\sqrt{a},0)=(-y/\sqrt{a},\sqrt{a}x)$
同理对其它G中的点，做类似的计算。
∴ c o s e t   o f   H = { ( x , y ) , ( − x , − y ) , ( y / a , − a x ) , ( − y / a , a x ) } \therefore coset\ of\ H=\{(x,y),(-x,-y),(y/\sqrt a,-\sqrt ax),(-y/\sqrt a,\sqrt ax)\} ∴coset of H={(x,y),(−x,−y),(y/a ​,−a ​x),(−y/a ​,a ​x)}

1.1.2 edwards的完备性条件

An Edwards curve is called “complete” if $d$ and $ad$ are nonsquare in F, which also implies that $a$ is square. A complete Edwards curve has no points at infi nity, and supports fast addition formulas which are complete in that they compute the correct answer for any two input points.
以下magma脚本可证明，ed25519是完备的Edwards curve：

clear;
q:=2^255-19;
LegendreSymbol(37095705934669439343138083508754565189542113879843219016388785533085940283555,q);// 为-1，即不是域Fq内的平方值
LegendreSymbol(-1,q); //为1，即域Fq内的平方值

1.2 Jacobi Quartic curve表示

Jacobi Quartic curve格式如下：
$$J_{e,A}:t^2=e{s}^4+2A{s}^2+1$$

当$e=a^2$时，$J_{e,A}$具有full 2-torsion，即$J[2]\cong \mathbb{Z}/2\times \mathbb{Z}/2$.
论文《Division Polynomials for Jacobi Quartic Curves》中提到：
Jacobi Quartic curve的identity point表示为$(0,1)$，$(0,-1)$为2-torsion point。
J e , A [ 2 ] = { ( 0 , 1 ) , ( 0 , − 1 ) } J_{e,A}[2]=\{(0,1),(0,-1)\} Je,A​[2]={(0,1),(0,−1)}
可定义Group H = { ( 0 , 1 ) , ( 0 , − 1 ) } H=\{(0,1),(0,-1)\} H={(0,1),(0,−1)}。

当$e=a^2$时，$t^2=e{s}^4+2A{s}^2+1$可变形为：
$(\frac{t}{a{s}^2}{)}^2=e(\frac{1}{as}{)}^4+2A(\frac{1}{as}{)}^2+1$
因此，$J_{e,A}$上的点point除可表示为$(s,t),(-s,-t)$外，还可表示为$(1/as,-t/a{s}^2),(-1/as,t/a{s}^2)$。之所以横纵坐标分别取不同的符号，是为了保证点表示的唯一性？？？

亦即$J_{e,A}$对应的group G = { ( s , t ) , ( − s , − t ) , ( 1 / a s , − t / a s 2 ) , ( − 1 / a s , t / a s 2 ) } G=\{(s,t),(-s,-t),(1/as,-t/as^2),(-1/as,t/as^2)\} G={(s,t),(−s,−t),(1/as,−t/as2),(−1/as,t/as2)}

所以相应的coset of H= { ( s , t ) , ( − s , − t ) , ( 1 / a s , − t / a s 2 ) , ( − 1 / a s , t / a s 2 ) } \{(s,t),(-s,-t),(1/as,-t/as^2),(-1/as,t/as^2)\} {(s,t),(−s,−t),(1/as,−t/as2),(−1/as,t/as2)}

对于任意点$P\in G$,有：
P + J e , A [ 2 ] = { ( s , t ) , ( − s , − t ) , ( 1 / a s , − t / a s 2 ) , ( − 1 / a s , t / a s 2 ) } P+J_{e,A}[2]=\{(s,t),(-s,-t),(1/as,-t/as^2),(-1/as,t/as^2)\} P+Je,A​[2]={(s,t),(−s,−t),(1/as,−t/as2),(−1/as,t/as2)}

以上可理解为： J e , A J e , A [ 2 ] = P + J e , A [ 2 ] = { ( s , t ) , ( − s , − t ) , ( 1 / a s , − t / a s 2 ) , ( − 1 / a s , t / a s 2 ) } \frac{J_{e,A}}{J_{e,A}[2]}=P+J_{e,A}[2]=\{(s,t),(-s,-t),(1/as,-t/as^2),(-1/as,t/as^2)\} Je,A​[2]Je,A​​=P+Je,A​[2]={(s,t),(−s,−t),(1/as,−t/as2),(−1/as,t/as2)}，任意的点$P\in G$ modulo $J_{e,A}[2]$，可实现一定程度的压缩。

在论文《Decaf-Eliminating cofactors through point compression 2015-673》中，任意点$P$以$(s,t)$形式表示，约定$s,t$均为非负数，实际仅需$s$坐标值即可代表任意点$P$。

1.2.1 Jacobi Quartic curve 2-torsion point验证

论文《Jacobi Quartic Curves Revisited》中指出Jacobi Quartic curve point addition的公式为：

$J_{e,A}:t^2=e{s}^4+2A{s}^2+1$相应的double公式为：
$$2(s_1,t_1)=(\frac{2s_1{t}_1}{1-e{s}_1^4},\frac{t_1^2+e{s}_1^4{t}_1^2+2A{s}_1^2+2eA{s}_1^6+4e{s}_1^4}{(1-e{s}_1^4{)}^2})=(s_3,t_3)$$
$J_{e,A}:t^2=e{s}^4+2A{s}^2+1$相应的addition公式为:
$$(s_1,t_1)+(s_2+t_2)=(\frac{s_1{t}_2+t_1{s}_2}{1-e{s}_1^2{s}_2^2},\frac{(t_1{t}_2+2A{s}_1{s}_2)(1+e{s}_1^2{s}_2^2)+2e{s}_1{s}_2(s_1^2+s_2^2)}{(1-e{s}_1^2{s}_2^2{)}^2})=(s_3,t_3)$$

$\Rightarrow 2(0,-1)=(0,1)=identitypointofJacobiQuartic$
$\therefore (0,-1)为2-torsionpoint.$

$\Rightarrow (s,t)+(0,-1)=(-s,-t)；(1/as,-t/a{s}^2)+(0,-1)=(-1/as,t/a{s}^2)$
∴ c o s e t   o f   H = { ( s , t ) , ( − s , − t ) , ( 1 / a s , − t / a s 2 ) , ( − 1 / a s , t / a s 2 ) } \therefore coset\ of\ H=\{(s,t),(-s,-t),(1/as,-t/as^2),(-1/as,t/as^2)\} ∴coset of H={(s,t),(−s,−t),(1/as,−t/as2),(−1/as,t/as2)}

1.3 Twisted Edwards curve与Jacobi Quartic curve之间的N-isogenous关系

根据书《Elliptic Curves Number Theory And Cryptography 2n》中定义：


Twisted Edwards curves的affine坐标系表示为：
ε a , d : = { ( x , y ) ∈ P 2 ( F ) : a ∗ x 2 + y 2 = 1 + d ∗ x 2 ∗ y 2 } \varepsilon_{a,d}:=\{(x,y)\in P^2(F):a*x^2+y^2=1+d*x^2*y^2\} εa,d​:={(x,y)∈P2(F):a∗x2+y2=1+d∗x2∗y2}
Jacobi Quartic curve格式如下：
$$J_{a^2,a-2d}:t^2=a^2{s}^4+2(a-2d)s^2+1$$
两者之间的映射关系为：
$(x,y)\mapsto (s,t):s=\frac{x}{y},t=\frac{2-y^2-a{x}^2}{y^2}$

即$\hat{\varphi }(x,y)=(\frac{x}{y},\frac{2-y^2-a{x}^2}{y^2}):{\epsilon }_{a,d}\mapsto J_{a^2,a-2d}$

$(s,t)\mapsto (x,y):x=\frac{2s}{1+a{s}^2},y=\frac{1-a{s}^2}{t}$

即$\varphi (s,t)=(\frac{2s}{1+a{s}^2},\frac{1-a{s}^2}{t}):J_{a^2,a-2d}\mapsto {\epsilon }_{a,d}$

$\because 2(s_1,t_1)=(\frac{2s_1{t}_1}{1-e{s}_1^4},\frac{t_1^2+e{s}_1^4{t}_1^2+2A{s}_1^2+2eA{s}_1^6+4e{s}_1^4}{(1-e{s}_1^4{)}^2})=(\frac{x}{y},\frac{2-y^2-a{x}^2}{y^2}),当x=\frac{2s}{1+a{s}^2},y=\frac{1-a{s}^2}{t}$

$\therefore [2]:J_{a^2,a-2d}\mapsto {\epsilon }_{a,d}$

$\therefore$ $J_{a^2,a-2d}$为${\epsilon }_{a,d}$的2-isogenous。

根据推论：

$\therefore \frac{J}{J[2]}\cong \frac{\varphi (J)}{\varphi (J[2])}\cong \frac{[2](\epsilon )}{\epsilon [2]}$

• 当曲线的cofactor为4时，有$$\#\epsilon (F_p)=4\ast l$，而$\frac{[2](\epsilon )}{\epsilon [2]}$的order即为素数$(4l/2)/2=l$。因此此时即可避免cofactor=4的small-subgroup的影响。
• 当曲线的cofactor为8时，有$$\#\epsilon (F_p)=8\ast l$，有$[2](\epsilon [8])=\epsilon [4]$，$\epsilon [4]\subseteq [2](\epsilon )$，于是有$\frac{[2](\epsilon )}{\epsilon [4]}$的order即为$(8l/2)/4=l$。

所以，当曲线的cofactor为8时，接下来是要将points从$\frac{\epsilon }{\epsilon [4]}$扭转到$\frac{\epsilon }{\epsilon [2]}$。

根据1.1节有：
ε a , d [ 4 ] = { ( 0 , 1 ) , ( 1 / a , 0 ) , ( 0 , − 1 ) , ( − 1 / a , 0 ) } ; \varepsilon_{a,d}[4]=\{(0,1),(1/\sqrt a,0),(0,-1), (-1/\sqrt a, 0)\}; εa,d​[4]={(0,1),(1/a ​,0),(0,−1),(−1/a ​,0)};
其中$(0,-1),(0,1)$为2-torsion point，$(1/\sqrt{a},0),(-1/\sqrt{a},0)$为4-torsion point。

P + ε a , d [ 4 ] = { ( x , y ) , ( − x , − y ) , ( y / a , − a x ) , ( − y / a , a x ) } P+\varepsilon_{a,d}[4]=\{(x,y),(-x,-y),(y/\sqrt a,-\sqrt ax),(-y/\sqrt a,\sqrt ax)\} P+εa,d​[4]={(x,y),(−x,−y),(y/a ​,−a ​x),(−y/a ​,a ​x)}

$(x,y)+(0,-1)=(-x,-y)；(x,y)+(0,1)=(x,y)；(x,y)+(1/\sqrt{a},0)=(y/\sqrt{a},-\sqrt{a}x)；(x,y)+(-1/\sqrt{a},0)=(-y/\sqrt{a},\sqrt{a}x)$
注意上面公式中：

• 当要求$xy>0$时，加法中对应的均为2-torsion point $(0,1),(0,-1)$，所以，此时相当于求的是： P + ε a , d [ 2 ] = { ( x , y ) , ( − x , − y ) } P+\varepsilon_{a,d}[2]=\{(x,y),(-x,-y)\} P+εa,d​[2]={(x,y),(−x,−y)}。
  亦即由此实现由$\frac{\epsilon }{\epsilon [4]}$扭转到$\frac{\epsilon }{\epsilon [2]}$。

• 当$xy<0$或$y=0$时，对应的点在 { ( y / a , − a x ) , ( − y / a , a x ) } \{(y/\sqrt a,-\sqrt ax),(-y/\sqrt a,\sqrt ax)\} {(y/a ​,−a ​x),(−y/a ​,a ​x)}中，在此基础上再加一个点$Q_4$【当$a=1$时，$Q_4=(1,0)$；当$a=-1$时，$Q_4=(i,0)$】。当$a=1$时，有$(y/\sqrt{a},-\sqrt{a}x)+(1,0)=(-x,-y);(-y/\sqrt{a},\sqrt{a}x)+(1,0)=(x,y)$；当$a=-1，\sqrt{a}=i$时，有$(y/\sqrt{a},-\sqrt{a}x)+(i,0)=(x,y);(-y/\sqrt{a},\sqrt{a}x)+(i,0)=(-x,-y)$。因此，通过加上一个点$Q_4$【当$a=1$时，$Q_4=(1,0)$；当$a=-1$时，$Q_4=(i,0)$】，可实现由$\frac{\epsilon }{\epsilon [4]}$扭转到$\frac{\epsilon }{\epsilon [2]}$。

2、 ristretto255 point压缩算法

论文《Decaf-Eliminating cofactors through point compression 2015-673》中采用的压缩算法是直接使用由Jacobi quartic curve 映射到edwards curve（$a_1{x}^2+y^2=1+d_1{x}^2{y}^2,a_1=1$）的关系：
$(s,t)\mapsto (x,y):x=\frac{2s}{1+a_1{s}^2},y=\frac{1-a_1{s}^2}{t}$
$\Rightarrow s=(1\pm \sqrt{1-a_1{x}^2})/a_{1}x$

而ristretto255 point压缩算法采用的是由Jacobi quartic curve 映射到Montgomery curve，然后再映射到ed25519（$a_2{x}^2+y^2=1+d_2{x}^2{y}^2,a_2=-1=-a_1,d_2=\frac{a_1{d}_1}{a_1-d_1}$）的关系：

$(s,t)\mapsto (u,v):u=\frac{1}{a_1{s}^2},v=\frac{-t}{a_1{s}^3}$
$(u,v)\mapsto (x,y):x=\frac{u}{v}(\pm \sqrt{\frac{A+2}{a_{2}B}}),y=\frac{u-1}{u+1}$
$a_2=-a_1,a_2=\pm 1$
$\Rightarrow a_2^2=1,a_1^2=1$
$A=2-4d_1/a_1,B=a_1$
$d_2=\frac{a_1{d}_1}{a_1-d_1},d_1=\frac{a_2{d}_2}{a_2-d_2}$
$\Rightarrow d_1{d}_2=\frac{a_1{a}_2{d}_1{d}_2}{(a_1-d_1)(a_2-d_2)}$
$\Rightarrow a_1{a}_2=(a_1-d_1)(a_2-d_2)$

$\Rightarrow y=\frac{u-1}{u+1}=\frac{1+a_2{s}^2}{1-a_2{s}^2}$
取非负数根：
$\Rightarrow s=\sqrt{\frac{1}{-a_2}\frac{1-y}{1+y}}=\sqrt{\frac{a_2^2}{-a_2}\frac{1-y}{1+y}}=\sqrt{-a_2\frac{1-y}{1+y}}$

$\Rightarrow s^2=(-a_2)\frac{1-y}{1+y}$

根据 https://ristretto.group/details/isogenies.html 有：
$x=\frac{u}{v}(\pm \sqrt{\frac{A+2}{a_{2}B}})=\frac{2s}{t}\sqrt{\frac{a_1-d_1}{a_1^2{a}_2}}$
$\because a_1{a}_2=(a_1-d_1)(a_2-d_2)$
$\because a_2^2=1,a_1=-a_2$
$\Rightarrow x=\frac{2s}{t}\sqrt{\frac{a_1-d_1}{a_1^2{a}_2}}=\frac{2s}{t}\sqrt{\frac{a_1-d_1}{a_1(a_1-d_1)(a_2-d_2)}}=\frac{2s}{t}\sqrt{\frac{1}{-a_2(a_2-d_2)}}=\frac{1}{\sqrt{a_2{d}_2-1}}\frac{2s}{t}$

$\Rightarrow \frac{s}{t}=x\frac{\sqrt{a_2{d}_2-1}}{2}$

所以可看出，$s/t$的符号由$x$的符号决定。

详细的流程为：

3、 ristretto255 point解压缩算法

解压缩的过程是根据$s$值，恢复$(x,y)$：
$\Rightarrow y=\frac{u-1}{u+1}=\frac{1+a_2{s}^2}{1-a_2{s}^2}$
$\because \frac{s}{t}=x\frac{\sqrt{a_2{d}_2-1}}{2}$
$\because a_1=-a_2$
$\because J_{e,A}=J_{a_1^2,a_1-2d_1}:t^2=e{s}^4+2A{s}^2+1=a_1^2{s}^4+2(a_1-2d_1)s^2+1=(1-a_2{s}^2{)}^2-4d_1{s}^2$
$\Rightarrow x^2=\frac{4s^2}{t^2(a_2{d}_2-1)}=\frac{4s^2}{(a_2{d}_2-1)((1-a_2{s}^2{)}^2-4d_1{s}^2)}$
$\Rightarrow x^2=\frac{4s^2}{(a_2{d}_2-1)((1-a_2{s}^2{)}^2-4d_1{s}^2)}=\frac{4s^2}{a_2{d}_2(1-a_2{s}^2{)}^2-4a_2{d}_2{d}_1{s}^2+4d_1{s}^2-(1-a_2{s}^2{)}^2}$

$\because d_1=\frac{a_2{d}_2}{a_2-d_2},a_2^2=1$
$\therefore a_2{d}_2(1-a_2{s}^2{)}^2-4a_2{d}_2{d}_1{s}^2+4d_1{s}^2=a_2{d}_2(1-a_2{s}^2{)}^2-4a_2{d}_2{d}_1{s}^2+4a_2^2{d}_1{s}^2=a_2{d}_2(1-a_2{s}^2{)}^2+4a_2{d}_1{s}^2(a_2-d_2)=a_2{d}_2(1-a_2{s}^2{)}^2+4a_2{s}^2{a}_2{d}_2=a_2{d}_2(1+a_2{s}^2{)}^2$

$\Rightarrow x^2=\frac{4s^2}{(a_2{d}_2-1)((1-a_2{s}^2{)}^2-4d_1{s}^2)}=\frac{4s^2}{a_2{d}_2(1+a_2{s}^2{)}^2-(1-a_2{s}^2{)}^2}$

取正数根有：
$\Rightarrow x=+\sqrt{\frac{4s^2}{a_2{d}_2(1+a_2{s}^2{)}^2-(1-a_2{s}^2{)}^2}}$

整个解压缩的流程为：

4、 实际压缩和解压缩过程中用到的常量值

edwards25519中$a=-1$，所以$i=$SQRT_M1。
《The ristretto255 Group draft-hdevalence-cfrg-ristretto-01》中对一些常量值进行了计算：

* D = 37095705934669439343138083508754565189542113879843219016388785533085940283555
- This is the Edwards d parameter for Curve25519, as specified in Section 4.1 of [RFC7748].
* SQRT_M1 = 19681161376707505956807079304988542015446066515923890162744021073123829784752
* SQRT_AD_MINUS_ONE = 25063068953384623474111414158702152701244531502492656460079210482610430750235
* INVSQRT_A_MINUS_D = 54469307008909316920995813868745141605393597292927456921205312896311721017578
* ONE_MINUS_D_SQ = 1159843021668779879193775521855586647937357759715417654439879720876111806838
* D_MINUS_ONE_SQ = 40440834346308536858101042469323190826248399146238708352240133220865137265952

相应的sage脚本验证为：

sage: p=2^255-19
sage: mod(2506306895338462347411141415870215270124453150249265646007921048261043
....: 0750235^2,p)
20800338683988658368647408995589388737092878452977063003340006470870624536393
sage: mod(-121665/121666,p) //D值
37095705934669439343138083508754565189542113879843219016388785533085940283555
sage: d=mod(-121665/121666,p)
sage: mod(sqrt(-d-1),p) //SQRT_AD_MINUS_ONE值
25063068953384623474111414158702152701244531502492656460079210482610430750235
sage: mod(-d-1,p)
32832975665273474237674078345641801225390460830327625559649581521346134069713
sage: p
57896044618658097711785492504343953926634992332820282019728792003956564819949
sage: mod(5446930700890931692099581386874514160539359729292745692120531289631172
....: 1017578*250630689533846234741114141587021527012445315024926564600792104826
....: 10430750235,p)
57896044618658097711785492504343953926634992332820282019728792003956564819948
sage: p
57896044618658097711785492504343953926634992332820282019728792003956564819949
sage: a=2241493124984347
sage: b=425987919032274
sage: c=2207028919301688
sage: d=1220490630685848
sage: e=974799131293748
sage: a+b*2^51+c*2^102+d*2^153+e*2^204
25063068953384623474111414158702152701244531502492656460079210482610430750235
sage: l=a+b*2^51+c*2^102+d*2^153+e*2^204
sage: mod(l^2,p)
20800338683988658368647408995589388737092878452977063003340006470870624536393
sage: d
1220490630685848
sage: a=929955233495203
sage: b=466365720129213
sage: c=1662059464998953
sage: d=2033849074728123
sage: e=1442794654840575
sage: D=a+b*2^51+c*2^102+d*2^153+e*2^204
....:
sage: D
37095705934669439343138083508754565189542113879843219016388785533085940283555
sage: mod(D-1,p)
37095705934669439343138083508754565189542113879843219016388785533085940283554
sage: mod(-D-1,p)
20800338683988658368647408995589388737092878452977063003340006470870624536393
sage: a=278908739862762
sage: b=821645201101625
sage: c=8113234426968
sage: d=1777959178193151
sage: e=2118520810568447
sage: m=a+b*2^51+c*2^102+d*2^153+e*2^204
....:
sage: m
54469307008909316920995813868745141605393597292927456921205312896311721017578
sage: mod(l*m,p)
57896044618658097711785492504343953926634992332820282019728792003956564819948

sage: 57896044618658097711785492504343953926634992332820282019728792003956564819
....: 948-p
-1
sage: l
25063068953384623474111414158702152701244531502492656460079210482610430750235
sage: hex(l)
'376931bf2b8348ac0f3cfcc931f5d1fdaf9d8e0c1b7854bd7e97f6a0497b2e1b'
sage: m
54469307008909316920995813868745141605393597292927456921205312896311721017578
sage: hex(m)
'786c8905cfaffca216c27b91fe01d8409d2f16175a4172be99c8fdaa805d40ea'
sage: mod((1-D)^2,p)
40440834346308536858101042469323190826248399146238708352240133220865137265952
sage: D
37095705934669439343138083508754565189542113879843219016388785533085940283555
sage: mod(1-D^2,p) //ONE_MINUS_D_SQ值
1159843021668779879193775521855586647937357759715417654439879720876111806838
sage: p-l
32832975665273474237674078345641801225390460830327625559649581521346134069714
sage: (p-l)*m
1788389431527829492869725092323360218484488678733938239121849300962925603156558697721738157939675524196853104345063905463952335683787129472311662471432692
sage: mod((p-l)*m,p)
1

参考资料：
[1] 论文《Decaf-Eliminating cofactors through point compression 2015-673》
[2] 《The ristretto255 Group draft-hdevalence-cfrg-ristretto-01》
[3] https://ristretto.group/formulas/encoding.html
[4] https://ristretto.group/formulas/decoding.html
[5] Extended twisted Edwards curve坐标系及相互转换
[6] ristretto对cofactor>1的椭圆曲线(如Curve25519等)的兼容（含Curve25519 cofactor的sage验证）
[7] https://ristretto.group/details/curve_models.html