Involved Source Files

Package nistec implements the NIST P elliptic curves from FIPS 186-4.

This package uses fiat-crypto or specialized assembly and Go code for its
backend field arithmetic (not math/big) and exposes constant-time, heap
allocation-free, byte slice-based safe APIs. Group operations use modern and
safe complete addition formulas where possible. The point at infinity is
handled and encoded according to SEC 1, Version 2.0, and invalid curve points
can't be represented.

p224.go
p224_sqrt.go
p256_asm.go
p256_ordinv.go
p384.go
p521.go
p256_asm_amd64.s
Package-Level Type Names (total 12, in which 4 are exported)
P224Point is a P224 point. The zero value is NOT valid.

The point is represented in projective coordinates (X:Y:Z),
where x = X/Z and y = Y/Z.

Add sets q = p1 + p2, and returns q. The points may overlap.

Bytes returns the uncompressed or infinity encoding of p, as specified in
SEC 1, Version 2.0, Section 2.3.3. Note that the encoding of the point at
infinity is shorter than all other encodings.

BytesCompressed returns the compressed or infinity encoding of p, as
specified in SEC 1, Version 2.0, Section 2.3.3. Note that the encoding of the
point at infinity is shorter than all other encodings.

BytesX returns the encoding of the x-coordinate of p, as specified in SEC 1,
Version 2.0, Section 2.3.5, or an error if p is the point at infinity.

Double sets q = p + p, and returns q. The points may overlap.

ScalarBaseMult sets p = scalar * B, where B is the canonical generator, and
returns p.

ScalarMult sets p = scalar * q, and returns p.

Select sets q to p1 if cond == 1, and to p2 if cond == 0.

Set sets p = q and returns p.

SetBytes sets p to the compressed, uncompressed, or infinity value encoded in
b, as specified in SEC 1, Version 2.0, Section 2.3.4. If the point is not on
the curve, it returns nil and an error, and the receiver is unchanged.
Otherwise, it returns p.

SetGenerator sets p to the canonical generator and returns p.

(*P224Point) bytes(out *[57]byte) []byte
(*P224Point) bytesCompressed(out *[29]byte) []byte
(*P224Point) bytesX(out *[28]byte) ([]byte, error)

generatorTable returns a sequence of p224Tables. The first table contains
multiples of G. Each successive table is the previous table doubled four
times.
func NewP224Point() *P224Point
func (*P224Point).Add(p1, p2 *P224Point) *P224Point
func (*P224Point).Double(p *P224Point) *P224Point
func (*P224Point).ScalarBaseMult(scalar []byte) (*P224Point, error)
func (*P224Point).ScalarMult(q *P224Point, scalar []byte) (*P224Point, error)
func (*P224Point).Select(p1, p2 *P224Point, cond int) *P224Point
func (*P224Point).Set(q *P224Point) *P224Point
func (*P224Point).SetBytes(b []byte) (*P224Point, error)
func (*P224Point).SetGenerator() *P224Point
func (*P224Point).Add(p1, p2 *P224Point) *P224Point
func (*P224Point).Double(p *P224Point) *P224Point
func (*P224Point).ScalarMult(q *P224Point, scalar []byte) (*P224Point, error)
func (*P224Point).Select(p1, p2 *P224Point, cond int) *P224Point
func (*P224Point).Set(q *P224Point) *P224Point
P256Point is a P-256 point. The zero value should not be assumed to be valid
(although it is in this implementation).

(X:Y:Z) are Jacobian coordinates where x = X/Z² and y = Y/Z³. The point
at infinity can be represented by any set of coordinates with Z = 0.

Add sets q = p1 + p2, and returns q. The points may overlap.

Bytes returns the uncompressed or infinity encoding of p, as specified in
SEC 1, Version 2.0, Section 2.3.3. Note that the encoding of the point at
infinity is shorter than all other encodings.

BytesCompressed returns the compressed or infinity encoding of p, as
specified in SEC 1, Version 2.0, Section 2.3.3. Note that the encoding of the
point at infinity is shorter than all other encodings.

BytesX returns the encoding of the x-coordinate of p, as specified in SEC 1,
Version 2.0, Section 2.3.5, or an error if p is the point at infinity.

Double sets q = p + p, and returns q. The points may overlap.

ScalarBaseMult sets r = scalar * generator, where scalar is a 32-byte big
endian value, and returns r. If scalar is not 32 bytes long, ScalarBaseMult
returns an error and the receiver is unchanged.

ScalarMult sets r = scalar * q, where scalar is a 32-byte big endian value,
and returns r. If scalar is not 32 bytes long, ScalarBaseMult returns an
error and the receiver is unchanged.

Select sets q to p1 if cond == 1, and to p2 if cond == 0.

Set sets p = q and returns p.

SetBytes sets p to the compressed, uncompressed, or infinity value encoded in
b, as specified in SEC 1, Version 2.0, Section 2.3.4. If the point is not on
the curve, it returns nil and an error, and the receiver is unchanged.
Otherwise, it returns p.

SetGenerator sets p to the canonical generator and returns p.

affineFromMont sets (x, y) to the affine coordinates of p, converted out of the
Montgomery domain.

(*P256Point) bytes(out *[65]byte) []byte
(*P256Point) bytesCompressed(out *[33]byte) []byte
(*P256Point) bytesX(out *[32]byte) ([]byte, error)

isInfinity returns 1 if p is the point at infinity and 0 otherwise.

(*P256Point) p256BaseMult(scalar *p256OrdElement)
(*P256Point) p256ScalarMult(scalar *p256OrdElement)
func NewP256Point() *P256Point
func (*P256Point).Add(r1, r2 *P256Point) *P256Point
func (*P256Point).Double(p *P256Point) *P256Point
func (*P256Point).ScalarBaseMult(scalar []byte) (*P256Point, error)
func (*P256Point).ScalarMult(q *P256Point, scalar []byte) (*P256Point, error)
func (*P256Point).Select(p1, p2 *P256Point, cond int) *P256Point
func (*P256Point).Set(q *P256Point) *P256Point
func (*P256Point).SetBytes(b []byte) (*P256Point, error)
func (*P256Point).SetGenerator() *P256Point
func (*P256Point).Add(r1, r2 *P256Point) *P256Point
func (*P256Point).Double(p *P256Point) *P256Point
func (*P256Point).ScalarMult(q *P256Point, scalar []byte) (*P256Point, error)
func (*P256Point).Select(p1, p2 *P256Point, cond int) *P256Point
func (*P256Point).Set(q *P256Point) *P256Point
func p256MovCond(res, a, b *P256Point, cond int)
func p256PointAddAffineAsm(res, in1 *P256Point, in2 *p256AffinePoint, sign, sel, zero int)
func p256PointAddAsm(res, in1, in2 *P256Point) int
func p256PointDoubleAsm(res, in *P256Point)
func p256Select(res *P256Point, table *p256Table, idx int)
P384Point is a P384 point. The zero value is NOT valid.

The point is represented in projective coordinates (X:Y:Z),
where x = X/Z and y = Y/Z.

Add sets q = p1 + p2, and returns q. The points may overlap.

Bytes returns the uncompressed or infinity encoding of p, as specified in
SEC 1, Version 2.0, Section 2.3.3. Note that the encoding of the point at
infinity is shorter than all other encodings.

BytesCompressed returns the compressed or infinity encoding of p, as
specified in SEC 1, Version 2.0, Section 2.3.3. Note that the encoding of the
point at infinity is shorter than all other encodings.

BytesX returns the encoding of the x-coordinate of p, as specified in SEC 1,
Version 2.0, Section 2.3.5, or an error if p is the point at infinity.

Double sets q = p + p, and returns q. The points may overlap.

ScalarBaseMult sets p = scalar * B, where B is the canonical generator, and
returns p.

ScalarMult sets p = scalar * q, and returns p.

Select sets q to p1 if cond == 1, and to p2 if cond == 0.

Set sets p = q and returns p.

SetBytes sets p to the compressed, uncompressed, or infinity value encoded in
b, as specified in SEC 1, Version 2.0, Section 2.3.4. If the point is not on
the curve, it returns nil and an error, and the receiver is unchanged.
Otherwise, it returns p.

SetGenerator sets p to the canonical generator and returns p.

(*P384Point) bytes(out *[97]byte) []byte
(*P384Point) bytesCompressed(out *[49]byte) []byte
(*P384Point) bytesX(out *[48]byte) ([]byte, error)

generatorTable returns a sequence of p384Tables. The first table contains
multiples of G. Each successive table is the previous table doubled four
times.
func NewP384Point() *P384Point
func (*P384Point).Add(p1, p2 *P384Point) *P384Point
func (*P384Point).Double(p *P384Point) *P384Point
func (*P384Point).ScalarBaseMult(scalar []byte) (*P384Point, error)
func (*P384Point).ScalarMult(q *P384Point, scalar []byte) (*P384Point, error)
func (*P384Point).Select(p1, p2 *P384Point, cond int) *P384Point
func (*P384Point).Set(q *P384Point) *P384Point
func (*P384Point).SetBytes(b []byte) (*P384Point, error)
func (*P384Point).SetGenerator() *P384Point
func (*P384Point).Add(p1, p2 *P384Point) *P384Point
func (*P384Point).Double(p *P384Point) *P384Point
func (*P384Point).ScalarMult(q *P384Point, scalar []byte) (*P384Point, error)
func (*P384Point).Select(p1, p2 *P384Point, cond int) *P384Point
func (*P384Point).Set(q *P384Point) *P384Point
P521Point is a P521 point. The zero value is NOT valid.

The point is represented in projective coordinates (X:Y:Z),
where x = X/Z and y = Y/Z.

Add sets q = p1 + p2, and returns q. The points may overlap.

Bytes returns the uncompressed or infinity encoding of p, as specified in
SEC 1, Version 2.0, Section 2.3.3. Note that the encoding of the point at
infinity is shorter than all other encodings.

BytesCompressed returns the compressed or infinity encoding of p, as
specified in SEC 1, Version 2.0, Section 2.3.3. Note that the encoding of the
point at infinity is shorter than all other encodings.

BytesX returns the encoding of the x-coordinate of p, as specified in SEC 1,
Version 2.0, Section 2.3.5, or an error if p is the point at infinity.

Double sets q = p + p, and returns q. The points may overlap.

ScalarBaseMult sets p = scalar * B, where B is the canonical generator, and
returns p.

ScalarMult sets p = scalar * q, and returns p.

Select sets q to p1 if cond == 1, and to p2 if cond == 0.

Set sets p = q and returns p.

SetBytes sets p to the compressed, uncompressed, or infinity value encoded in
b, as specified in SEC 1, Version 2.0, Section 2.3.4. If the point is not on
the curve, it returns nil and an error, and the receiver is unchanged.
Otherwise, it returns p.

SetGenerator sets p to the canonical generator and returns p.

(*P521Point) bytes(out *[133]byte) []byte
(*P521Point) bytesCompressed(out *[67]byte) []byte
(*P521Point) bytesX(out *[66]byte) ([]byte, error)

generatorTable returns a sequence of p521Tables. The first table contains
multiples of G. Each successive table is the previous table doubled four
times.
func NewP521Point() *P521Point
func (*P521Point).Add(p1, p2 *P521Point) *P521Point
func (*P521Point).Double(p *P521Point) *P521Point
func (*P521Point).ScalarBaseMult(scalar []byte) (*P521Point, error)
func (*P521Point).ScalarMult(q *P521Point, scalar []byte) (*P521Point, error)
func (*P521Point).Select(p1, p2 *P521Point, cond int) *P521Point
func (*P521Point).Set(q *P521Point) *P521Point
func (*P521Point).SetBytes(b []byte) (*P521Point, error)
func (*P521Point).SetGenerator() *P521Point
func (*P521Point).Add(p1, p2 *P521Point) *P521Point
func (*P521Point).Double(p *P521Point) *P521Point
func (*P521Point).ScalarMult(q *P521Point, scalar []byte) (*P521Point, error)
func (*P521Point).Select(p1, p2 *P521Point, cond int) *P521Point
func (*P521Point).Set(q *P521Point) *P521Point
A p224Table holds the first 15 multiples of a point at offset -1, so [1]P
is at table[0], [15]P is at table[14], and [0]P is implicitly the identity
point.

Select selects the n-th multiple of the table base point into p. It works in
constant time by iterating over every entry of the table. n must be in [0, 15].
func (*P224Point).generatorTable() *[56]p224Table
p256AffineTable is a table of the first 32 multiples of a point. Points are
stored at an index offset of -1 like in p256Table, and [0]P is not stored.
func p256SelectAffine(res *p256AffinePoint, table *p256AffineTable, idx int)
p256OrdElement is a P-256 scalar field element in [0, ord(G)-1] in the
Montgomery domain (with R = 2²⁵⁶) as four uint64 limbs in little-endian order.
func p256OrdBigToLittle(res *p256OrdElement, in *[32]byte)
func p256OrdLittleToBig(res *[32]byte, in *p256OrdElement)
func p256OrdMul(res, in1, in2 *p256OrdElement)
func p256OrdReduce(s *p256OrdElement)
func p256OrdSqr(res, in *p256OrdElement, n int)
func (*P256Point).p256BaseMult(scalar *p256OrdElement)
func (*P256Point).p256ScalarMult(scalar *p256OrdElement)
p256Table is a table of the first 16 multiples of a point. Points are stored
at an index offset of -1 so [8]P is at index 7, P is at 0, and [16]P is at 15.
[0]P is the point at infinity and it's not stored.
func p256Select(res *P256Point, table *p256Table, idx int)
A p384Table holds the first 15 multiples of a point at offset -1, so [1]P
is at table[0], [15]P is at table[14], and [0]P is implicitly the identity
point.

Select selects the n-th multiple of the table base point into p. It works in
constant time by iterating over every entry of the table. n must be in [0, 15].
func (*P384Point).generatorTable() *[96]p384Table
A p521Table holds the first 15 multiples of a point at offset -1, so [1]P
is at table[0], [15]P is at table[14], and [0]P is implicitly the identity
point.

Select selects the n-th multiple of the table base point into p. It works in
constant time by iterating over every entry of the table. n must be in [0, 15].
func (*P521Point).generatorTable() *[132]p521Table
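The lookup that p224Table, p384Table and p521Table describe (15 stored multiples at offset -1, an implicit identity for [0]P, and a Select that scans every entry), shown as an added example that is not the package's own code. It uses P-384 through crypto/elliptic and crypto/subtle; the byte-array entry layout, the names buildTable, selectCT and windowedMult, and the scalar are assumptions of this example, and it doubles four times per window rather than using pre-doubled generator tables.

```go
package main

import (
	"crypto/elliptic"
	"crypto/subtle"
	"fmt"
	"math/big"
)

type entry [96]byte  // affine P-384 point as X||Y bytes (layout assumed for this example)
type table [15]entry // [1]P..[15]P at offset -1; [0]P, the identity, is not stored

func buildTable(c elliptic.Curve, px, py *big.Int) *table {
	t, x, y := new(table), px, py
	for i := range t {
		x.FillBytes(t[i][:48])
		y.FillBytes(t[i][48:])
		x, y = c.Add(x, y, px, py)
	}
	return t
}

// selectCT returns [n]P, n in [0, 15]; it reads every entry, and n == 0 gives zeros.
func (t *table) selectCT(n int) (out entry) {
	for i := range t {
		subtle.ConstantTimeCopy(subtle.ConstantTimeEq(int32(i+1), int32(n)), out[:], t[i][:])
	}
	return out
}

func windowedMult(c elliptic.Curve, t *table, k []byte) (x, y *big.Int) {
	x, y = new(big.Int), new(big.Int) // (0, 0) is crypto/elliptic's identity
	for _, b := range k { // 4-bit fixed windows, most significant nibble first
		for _, nib := range [2]byte{b >> 4, b & 0x0f} {
			for i := 0; i < 4; i++ {
				x, y = c.Double(x, y) // big.Int API: NOT constant time
			}
			e := t.selectCT(int(nib)) // only this lookup mirrors the documented pattern
			x, y = c.Add(x, y, new(big.Int).SetBytes(e[:48]), new(big.Int).SetBytes(e[48:]))
		}
	}
	return x, y
}

func main() {
	c, k := elliptic.P384(), []byte{0x01, 0xa7, 0x3c} // k is a constructed scalar
	fmt.Println(windowedMult(c, buildTable(c, c.Params().Gx, c.Params().Gy), k))
	fmt.Println(c.ScalarBaseMult(k)) // library reference: same coordinates
}
```

A direct `t[n-1]` index would give the same result, but the address it touches would depend on the secret window value; the full scan is what removes that cache-timing signal.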
Package-Level Functions (total 48, in which 5 are exported)
NewP224Point returns a new P224Point representing the point at infinity.
NewP256Point returns a new P256Point representing the point at infinity.
NewP384Point returns a new P384Point representing the point at infinity.
NewP521Point returns a new P521Point representing the point at infinity.
p256Equal returns 1 if a and b are equal and 0 otherwise.
Montgomery multiplication by R⁻¹, or 1 outside the domain.
Sets res = in * R⁻¹, bringing res out of the Montgomery domain.
p256Inverse sets out to in⁻¹ mod p. If in is zero, out will be zero.
p256LessThanP returns 1 if x < p, and 0 otherwise. Note that a p256Element is
not allowed to be equal to or greater than p, so if this function returns 0
then x is invalid.
p256OrdReduce ensures s is in the range [0, ord(G)-1].
Montgomery square modulo ord(G), repeated n times (n >= 1).
Point addition with an affine point and constant time conditions.
If zero is 0, sets res = in2. If sel is 0, sets res = in1.
If sign is not 0, sets res = in1 + -in2. Otherwise, sets res = in1 + in2.
Point addition. Sets res = in1 + in2. Returns one if the two input points
were equal and zero otherwise. If in1 or in2 are the point at infinity, res
and the return value are undefined.
Point doubling. Sets res = in + in. in can be the point at infinity.
p256Polynomial sets y2 to x³ - 3x + b, and returns y2.
p256Select sets res to the point at index idx in the table.
idx must be in [0, 15]. It executes in constant time.
p256SelectAffine sets res to the point at index idx in the table.
idx must be in [0, 31]. It executes in constant time.
Montgomery square, repeated n times (n >= 1).
p256Sqrt sets e to a square root of x. If x is not a square, p256Sqrt returns
false and e is unchanged. e and x can overlap.
p256P is 2²⁵⁶ - 2²²⁴ + 2¹⁹² + 2⁹⁶ - 1 in the Montgomery domain.
p256Precomputed is a series of precomputed multiples of G, the canonical
generator. The first p256AffineTable contains multiples of G. The second one
multiples of [2⁶]G, the third one of [2¹²]G, and so on, where each successive
table is the previous table doubled six times. Six is the width of the
sliding window used in p256ScalarMult, and having each table already
pre-doubled lets us avoid the doublings between windows entirely. This table
MUST NOT be modified, as it aliases into p256PrecomputedEmbed below.
p384ElementLength is the length of an element of the base or scalar field,
which have the same bytes length for all NIST P curves.
p521ElementLength is the length of an element of the base or scalar field,
which have the same bytes length for all NIST P curves.
The pages are generated with Golds v0.6.7. (GOOS=linux GOARCH=amd64)