Involved Source Files Package edwards25519 implements group logic for the twisted Edwards curve
-x^2 + y^2 = 1 + -(121665/121666)*x^2*y^2
This is better known as the Edwards curve equivalent to Curve25519, and is
the curve used by the Ed25519 signature scheme.
Most users don't need this package, and should instead use crypto/ed25519 for
signatures, golang.org/x/crypto/curve25519 for Diffie-Hellman, or
github.com/gtank/ristretto255 for prime order group logic.
However, developers who do need to interact with low-level edwards25519
operations can use filippo.io/edwards25519, an extended version of this
package repackaged as an importable module.
(Note that filippo.io/edwards25519 and github.com/gtank/ristretto255 are not
maintained by the Go team and are not covered by the Go 1 Compatibility Promise.)edwards25519.goscalar.goscalar_fiat.goscalarmult.gotables.go
Package-Level Type Names (total 15, in which 2 are exported)
/* sort exporteds by: | */
Point represents a point on the edwards25519 curve.
This type works similarly to math/big.Int, and all arguments and receivers
are allowed to alias.
The zero value is NOT valid, and it may be used only as a receiver. The point is internally represented in extended coordinates (X, Y, Z, T)
where x = X/Z, y = Y/Z, and xy = T/Z per https://eprint.iacr.org/2008/522. The point is internally represented in extended coordinates (X, Y, Z, T)
where x = X/Z, y = Y/Z, and xy = T/Z per https://eprint.iacr.org/2008/522. The point is internally represented in extended coordinates (X, Y, Z, T)
where x = X/Z, y = Y/Z, and xy = T/Z per https://eprint.iacr.org/2008/522. The point is internally represented in extended coordinates (X, Y, Z, T)
where x = X/Z, y = Y/Z, and xy = T/Z per https://eprint.iacr.org/2008/522. Add sets v = p + q, and returns v. Bytes returns the canonical 32-byte encoding of v, according to RFC 8032,
Section 5.1.2. Equal returns 1 if v is equivalent to u, and 0 otherwise. Negate sets v = -p, and returns v. ScalarBaseMult sets v = x * B, where B is the canonical generator, and
returns v.
The scalar multiplication is done in constant time. ScalarMult sets v = x * q, and returns v.
The scalar multiplication is done in constant time. Set sets v = u, and returns v. SetBytes sets v = x, where x is a 32-byte encoding of v. If x does not
represent a valid point on the curve, SetBytes returns nil and an error and
the receiver is unchanged. Otherwise, SetBytes returns v.
Note that SetBytes accepts all non-canonical encodings of valid points.
That is, it follows decoding rules that match most implementations in
the ecosystem rather than RFC 8032. Subtract sets v = p - q, and returns v. VarTimeDoubleScalarBaseMult sets v = a * A + b * B, where B is the canonical
generator, and returns v.
Execution time depends on the inputs.(*Point) bytes(buf *[32]byte) []byte(*Point) fromP1xP1(p *projP1xP1) *Point(*Point) fromP2(p *projP2) *Point
func NewGeneratorPoint() *Point
func NewIdentityPoint() *Point
func (*Point).Add(p, q *Point) *Point
func (*Point).Negate(p *Point) *Point
func (*Point).ScalarBaseMult(x *Scalar) *Point
func (*Point).ScalarMult(x *Scalar, q *Point) *Point
func (*Point).Set(u *Point) *Point
func (*Point).SetBytes(x []byte) (*Point, error)
func (*Point).Subtract(p, q *Point) *Point
func (*Point).VarTimeDoubleScalarBaseMult(a *Scalar, A *Point, b *Scalar) *Point
func (*Point).fromP1xP1(p *projP1xP1) *Point
func (*Point).fromP2(p *projP2) *Point
func (*Point).Add(p, q *Point) *Point
func (*Point).Equal(u *Point) int
func (*Point).Negate(p *Point) *Point
func (*Point).ScalarMult(x *Scalar, q *Point) *Point
func (*Point).Set(u *Point) *Point
func (*Point).Subtract(p, q *Point) *Point
func (*Point).VarTimeDoubleScalarBaseMult(a *Scalar, A *Point, b *Scalar) *Point
func checkInitialized(points ...*Point)
var generator *Point
var identity *Point
A Scalar is an integer modulo
l = 2^252 + 27742317777372353535851937790883648493
which is the prime order of the edwards25519 group.
This type works similarly to math/big.Int, and all arguments and
receivers are allowed to alias.
The zero value is a valid zero element. s is the scalar in the Montgomery domain, in the format of the
fiat-crypto implementation. Add sets s = x + y mod l, and returns s. Bytes returns the canonical 32-byte little-endian encoding of s. Equal returns 1 if s and t are equal, and 0 otherwise. Multiply sets s = x * y mod l, and returns s. MultiplyAdd sets s = x * y + z mod l, and returns s. It is equivalent to
using Multiply and then Add. Negate sets s = -x mod l, and returns s. Set sets s = x, and returns s. SetBytesWithClamping applies the buffer pruning described in RFC 8032,
Section 5.1.5 (also known as clamping) and sets s to the result. The input
must be 32 bytes, and it is not modified. If x is not of the right length,
SetBytesWithClamping returns nil and an error, and the receiver is unchanged.
Note that since Scalar values are always reduced modulo the prime order of
the curve, the resulting value will not preserve any of the cofactor-clearing
properties that clamping is meant to provide. It will however work as
expected as long as it is applied to points on the prime order subgroup, like
in Ed25519. In fact, it is lost to history why RFC 8032 adopted the
irrelevant RFC 7748 clamping, but it is now required for compatibility. SetCanonicalBytes sets s = x, where x is a 32-byte little-endian encoding of
s, and returns s. If x is not a canonical encoding of s, SetCanonicalBytes
returns nil and an error, and the receiver is unchanged. SetUniformBytes sets s = x mod l, where x is a 64-byte little-endian integer.
If x is not of the right length, SetUniformBytes returns nil and an error,
and the receiver is unchanged.
SetUniformBytes can be used to set s to a uniformly distributed value given
64 uniformly distributed random bytes. Subtract sets s = x - y mod l, and returns s.(*Scalar) bytes(out *[32]byte) []byte nonAdjacentForm computes a width-w non-adjacent form for this scalar.
w must be between 2 and 8, or nonAdjacentForm will panic. setShortBytes sets s = x mod l, where x is a little-endian integer shorter
than 32 bytes.(*Scalar) signedRadix16() [64]int8
func NewScalar() *Scalar
func (*Scalar).Add(x, y *Scalar) *Scalar
func (*Scalar).Multiply(x, y *Scalar) *Scalar
func (*Scalar).MultiplyAdd(x, y, z *Scalar) *Scalar
func (*Scalar).Negate(x *Scalar) *Scalar
func (*Scalar).Set(x *Scalar) *Scalar
func (*Scalar).SetBytesWithClamping(x []byte) (*Scalar, error)
func (*Scalar).SetCanonicalBytes(x []byte) (*Scalar, error)
func (*Scalar).SetUniformBytes(x []byte) (*Scalar, error)
func (*Scalar).Subtract(x, y *Scalar) *Scalar
func (*Scalar).setShortBytes(x []byte) *Scalar
func (*Point).ScalarBaseMult(x *Scalar) *Point
func (*Point).ScalarMult(x *Scalar, q *Point) *Point
func (*Point).VarTimeDoubleScalarBaseMult(a *Scalar, A *Point, b *Scalar) *Point
func (*Point).VarTimeDoubleScalarBaseMult(a *Scalar, A *Point, b *Scalar) *Point
func (*Scalar).Add(x, y *Scalar) *Scalar
func (*Scalar).Equal(t *Scalar) int
func (*Scalar).Multiply(x, y *Scalar) *Scalar
func (*Scalar).MultiplyAdd(x, y, z *Scalar) *Scalar
func (*Scalar).Negate(x *Scalar) *Scalar
func (*Scalar).Set(x *Scalar) *Scalar
func (*Scalar).Subtract(x, y *Scalar) *Scalar
var scalarTwo168 *Scalar
var scalarTwo336 *Scalar
A precomputed lookup table for fixed-base, constant-time scalar muls.points[8]affineCached This is not optimised for speed; fixed-base tables should be precomputed. Set dest to x*Q, where -8 <= x <= 8, in constant time.
func basepointTable() *[32]affineLookupTable
A dynamic lookup table for variable-base, variable-time scalar muls.points[8]projCached Builds a lookup table at runtime. Fast. Given odd x with 0 < x < 2^4, return x*Q (in variable time).
A precomputed lookup table for fixed-base, variable-time scalar muls.points[64]affineCached This is not optimised for speed; fixed-base tables should be precomputed. Given odd x with 0 < x < 2^7, return x*Q (in variable time).
func basepointNafTable() *nafLookupTable8
A dynamic lookup table for variable-base, constant-time scalar muls.points[8]projCached Builds a lookup table at runtime. Fast. Set dest to x*Q, where -8 <= x <= 8, in constant time.
fiatScalarAdd adds two field elements in the Montgomery domain.
Preconditions:
0 ≤ eval arg1 < m
0 ≤ eval arg2 < m
Postconditions:
eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m
0 ≤ eval out1 < m
fiatScalarFromMontgomery translates a field element out of the Montgomery domain.
Preconditions:
0 ≤ eval arg1 < m
Postconditions:
eval out1 mod m = (eval arg1 * ((2^64)⁻¹ mod m)^4) mod m
0 ≤ eval out1 < m
fiatScalarMul multiplies two field elements in the Montgomery domain.
Preconditions:
0 ≤ eval arg1 < m
0 ≤ eval arg2 < m
Postconditions:
eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m
0 ≤ eval out1 < m
fiatScalarNonzero outputs a single non-zero word if the input is non-zero and zero otherwise.
Preconditions:
0 ≤ eval arg1 < m
Postconditions:
out1 = 0 ↔ eval (from_montgomery arg1) mod m = 0
Input Bounds:
arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
Output Bounds:
out1: [0x0 ~> 0xffffffffffffffff]
fiatScalarOpp negates a field element in the Montgomery domain.
Preconditions:
0 ≤ eval arg1 < m
Postconditions:
eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m
0 ≤ eval out1 < m
fiatScalarSub subtracts two field elements in the Montgomery domain.
Preconditions:
0 ≤ eval arg1 < m
0 ≤ eval arg2 < m
Postconditions:
eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m
0 ≤ eval out1 < m
fiatScalarToMontgomery translates a field element into the Montgomery domain.
Preconditions:
0 ≤ eval arg1 < m
Postconditions:
eval (from_montgomery out1) mod m = eval arg1 mod m
0 ≤ eval out1 < m
isReduced returns whether the given scalar in 32-byte little endian encoded
form is reduced modulo l.
Package-Level Variables (total 10, none are exported)
generator is the canonical curve basepoint. See TestGenerator for the
correspondence of this encoding with the values in RFC 8032.
identity is the point at infinity.
scalarMinusOneBytes is l - 1 in little endian.
scalarTwo168 and scalarTwo336 are 2^168 and 2^336 modulo l, encoded as a
fiatScalarMontgomeryDomainFieldElement, which is a little-endian 4-limb value
in the 2^256 Montgomery domain.
The pages are generated with Goldsv0.6.7. (GOOS=linux GOARCH=amd64)
Golds is a Go 101 project developed by Tapir Liu.
PR and bug reports are welcome and can be submitted to the issue list.
Please follow @Go100and1 (reachable from the left QR code) to get the latest news of Golds.
