edwards25519

Imports

Imports # 

_ "crypto/internal/fips140/check"
"crypto/internal/fips140/edwards25519/field"
"errors"
"crypto/internal/fips140deps/byteorder"
"errors"
"math/bits"
"sync"
"crypto/internal/fips140/subtle"

Constants & Variables

_ var #

d is a constant in the curve equation.

var _

_ var #

identity is the point at infinity.

var _

_ var #

generator is the canonical curve basepoint. See TestGenerator for the correspondence of this encoding with the values in RFC 8032.

var _

basepointNafTablePrecomp var # 

var basepointNafTablePrecomp struct{...}

basepointTablePrecomp var # 

var basepointTablePrecomp struct{...}

d var #

d is a constant in the curve equation.

var d = *ast.CallExpr

d2 var # 

var d2 = *ast.CallExpr

feOne var # 

var feOne = *ast.CallExpr

generator var #

generator is the canonical curve basepoint. See TestGenerator for the correspondence of this encoding with the values in RFC 8032.

var generator = *ast.CallExpr

identity var #

identity is the point at infinity.

var identity = *ast.CallExpr

scalarMinusOneBytes var #

scalarMinusOneBytes is l - 1 in little endian.

var scalarMinusOneBytes = [32]byte{...}

scalarTwo168 var #

scalarTwo168 and scalarTwo336 are 2^168 and 2^336 modulo l, encoded as a fiatScalarMontgomeryDomainFieldElement, which is a little-endian 4-limb value in the 2^256 Montgomery domain.

var scalarTwo168 = *ast.UnaryExpr

scalarTwo336 var # 

var scalarTwo336 = *ast.UnaryExpr

Type Aliases

fiatScalarInt1 type # 

type fiatScalarInt1 int64

fiatScalarMontgomeryDomainFieldElement type #

The type fiatScalarMontgomeryDomainFieldElement is a field element in the Montgomery domain. Bounds: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]

type fiatScalarMontgomeryDomainFieldElement [4]uint64

fiatScalarNonMontgomeryDomainFieldElement type #

The type fiatScalarNonMontgomeryDomainFieldElement is a field element NOT in the Montgomery domain. Bounds: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]

type fiatScalarNonMontgomeryDomainFieldElement [4]uint64

fiatScalarUint1 type # 

type fiatScalarUint1 uint64

incomparable type # 

type incomparable [0]func()

Structs

Point struct #

Point represents a point on the edwards25519 curve. This type works similarly to math/big.Int, and all arguments and receivers are allowed to alias. The zero value is NOT valid, and it may be used only as a receiver.

type Point struct {
_ incomparable
x field.Element
y field.Element
z field.Element
t field.Element
}

Scalar struct #

A Scalar is an integer modulo l = 2^252 + 27742317777372353535851937790883648493 which is the prime order of the edwards25519 group. This type works similarly to math/big.Int, and all arguments and receivers are allowed to alias. The zero value is a valid zero element.

type Scalar struct {
s fiatScalarMontgomeryDomainFieldElement
}

affineCached struct # 

type affineCached struct {
YplusX field.Element
YminusX field.Element
T2d field.Element
}

affineLookupTable struct #

A precomputed lookup table for fixed-base, constant-time scalar muls.

type affineLookupTable struct {
points [8]affineCached
}

nafLookupTable5 struct #

A dynamic lookup table for variable-base, variable-time scalar muls.

type nafLookupTable5 struct {
points [8]projCached
}

nafLookupTable8 struct #

A precomputed lookup table for fixed-base, variable-time scalar muls.

type nafLookupTable8 struct {
points [64]affineCached
}

projCached struct # 

type projCached struct {
YplusX field.Element
YminusX field.Element
Z field.Element
T2d field.Element
}

projLookupTable struct #

A dynamic lookup table for variable-base, constant-time scalar muls.

type projLookupTable struct {
points [8]projCached
}

projP1xP1 struct # 

type projP1xP1 struct {
X field.Element
Y field.Element
Z field.Element
T field.Element
}

projP2 struct # 

type projP2 struct {
X field.Element
Y field.Element
Z field.Element
}

Functions

Add method # 

func (v *projP1xP1) Add(p *Point, q *projCached) *projP1xP1

Add method #

Add sets v = p + q, and returns v.

func (v *Point) Add(p *Point, q *Point) *Point

Add method #

Add sets s = x + y mod l, and returns s.

func (s *Scalar) Add(x *Scalar, y *Scalar) *Scalar

AddAffine method # 

func (v *projP1xP1) AddAffine(p *Point, q *affineCached) *projP1xP1

Bytes method #

Bytes returns the canonical 32-byte little-endian encoding of s.

func (s *Scalar) Bytes() []byte

Bytes method #

Bytes returns the canonical 32-byte encoding of v, according to RFC 8032, Section 5.1.2.

func (v *Point) Bytes() []byte

CondNeg method #

CondNeg negates v if cond == 1 and leaves it unchanged if cond == 0.

func (v *affineCached) CondNeg(cond int) *affineCached

CondNeg method #

CondNeg negates v if cond == 1 and leaves it unchanged if cond == 0.

func (v *projCached) CondNeg(cond int) *projCached

Double method # 

func (v *projP1xP1) Double(p *projP2) *projP1xP1

Equal method #

Equal returns 1 if v is equivalent to u, and 0 otherwise.

func (v *Point) Equal(u *Point) int

Equal method #

Equal returns 1 if s and t are equal, and 0 otherwise.

func (s *Scalar) Equal(t *Scalar) int

FromP1xP1 method # 

func (v *projP2) FromP1xP1(p *projP1xP1) *projP2

FromP3 method # 

func (v *projCached) FromP3(p *Point) *projCached

FromP3 method # 

func (v *projP2) FromP3(p *Point) *projP2

FromP3 method # 

func (v *affineCached) FromP3(p *Point) *affineCached

FromP3 method #

Builds a lookup table at runtime. Fast.

func (v *projLookupTable) FromP3(q *Point)

FromP3 method #

This is not optimised for speed; fixed-base tables should be precomputed.

func (v *affineLookupTable) FromP3(q *Point)

FromP3 method #

Builds a lookup table at runtime. Fast.

func (v *nafLookupTable5) FromP3(q *Point)

FromP3 method #

This is not optimised for speed; fixed-base tables should be precomputed.

func (v *nafLookupTable8) FromP3(q *Point)

Multiply method #

Multiply sets s = x * y mod l, and returns s.

func (s *Scalar) Multiply(x *Scalar, y *Scalar) *Scalar

MultiplyAdd method #

MultiplyAdd sets s = x * y + z mod l, and returns s. It is equivalent to using Multiply and then Add.

func (s *Scalar) MultiplyAdd(x *Scalar, y *Scalar, z *Scalar) *Scalar

Negate method #

Negate sets s = -x mod l, and returns s.

func (s *Scalar) Negate(x *Scalar) *Scalar

Negate method #

Negate sets v = -p, and returns v.

func (v *Point) Negate(p *Point) *Point

NewGeneratorPoint function #

NewGeneratorPoint returns a new Point set to the canonical generator.

func NewGeneratorPoint() *Point

NewIdentityPoint function #

NewIdentityPoint returns a new Point set to the identity.

func NewIdentityPoint() *Point

NewScalar function #

NewScalar returns a new zero Scalar.

func NewScalar() *Scalar

ScalarBaseMult method #

ScalarBaseMult sets v = x * B, where B is the canonical generator, and returns v. The scalar multiplication is done in constant time.

func (v *Point) ScalarBaseMult(x *Scalar) *Point

ScalarMult method #

ScalarMult sets v = x * q, and returns v. The scalar multiplication is done in constant time.

func (v *Point) ScalarMult(x *Scalar, q *Point) *Point

Select method #

Select sets v to a if cond == 1 and to b if cond == 0.

func (v *projCached) Select(a *projCached, b *projCached, cond int) *projCached

Select method #

Select sets v to a if cond == 1 and to b if cond == 0.

func (v *affineCached) Select(a *affineCached, b *affineCached, cond int) *affineCached

SelectInto method #

Set dest to x*Q, where -8 <= x <= 8, in constant time.

func (v *projLookupTable) SelectInto(dest *projCached, x int8)

SelectInto method #

Given odd x with 0 < x < 2^7, return x*Q (in variable time).

func (v *nafLookupTable8) SelectInto(dest *affineCached, x int8)

SelectInto method #

Given odd x with 0 < x < 2^4, return x*Q (in variable time).

func (v *nafLookupTable5) SelectInto(dest *projCached, x int8)

SelectInto method #

Set dest to x*Q, where -8 <= x <= 8, in constant time.

func (v *affineLookupTable) SelectInto(dest *affineCached, x int8)

Set method #

Set sets s = x, and returns s.

func (s *Scalar) Set(x *Scalar) *Scalar

Set method #

Set sets v = u, and returns v.

func (v *Point) Set(u *Point) *Point

SetBytes method #

SetBytes sets v = x, where x is a 32-byte encoding of v. If x does not represent a valid point on the curve, SetBytes returns nil and an error and the receiver is unchanged. Otherwise, SetBytes returns v. Note that SetBytes accepts all non-canonical encodings of valid points. That is, it follows decoding rules that match most implementations in the ecosystem rather than RFC 8032.

func (v *Point) SetBytes(x []byte) (*Point, error)

SetBytesWithClamping method #

SetBytesWithClamping applies the buffer pruning described in RFC 8032, Section 5.1.5 (also known as clamping) and sets s to the result. The input must be 32 bytes, and it is not modified. If x is not of the right length, SetBytesWithClamping returns nil and an error, and the receiver is unchanged. Note that since Scalar values are always reduced modulo the prime order of the curve, the resulting value will not preserve any of the cofactor-clearing properties that clamping is meant to provide. It will however work as expected as long as it is applied to points on the prime order subgroup, like in Ed25519. In fact, it is lost to history why RFC 8032 adopted the irrelevant RFC 7748 clamping, but it is now required for compatibility.

func (s *Scalar) SetBytesWithClamping(x []byte) (*Scalar, error)

SetCanonicalBytes method #

SetCanonicalBytes sets s = x, where x is a 32-byte little-endian encoding of s, and returns s. If x is not a canonical encoding of s, SetCanonicalBytes returns nil and an error, and the receiver is unchanged.

func (s *Scalar) SetCanonicalBytes(x []byte) (*Scalar, error)

SetUniformBytes method #

SetUniformBytes sets s = x mod l, where x is a 64-byte little-endian integer. If x is not of the right length, SetUniformBytes returns nil and an error, and the receiver is unchanged. SetUniformBytes can be used to set s to a uniformly distributed value given 64 uniformly distributed random bytes.

func (s *Scalar) SetUniformBytes(x []byte) (*Scalar, error)

Sub method # 

func (v *projP1xP1) Sub(p *Point, q *projCached) *projP1xP1

SubAffine method # 

func (v *projP1xP1) SubAffine(p *Point, q *affineCached) *projP1xP1

Subtract method #

Subtract sets s = x - y mod l, and returns s.

func (s *Scalar) Subtract(x *Scalar, y *Scalar) *Scalar

Subtract method #

Subtract sets v = p - q, and returns v.

func (v *Point) Subtract(p *Point, q *Point) *Point

VarTimeDoubleScalarBaseMult method #

VarTimeDoubleScalarBaseMult sets v = a * A + b * B, where B is the canonical generator, and returns v. Execution time depends on the inputs.

func (v *Point) VarTimeDoubleScalarBaseMult(a *Scalar, A *Point, b *Scalar) *Point

Zero method # 

func (v *projCached) Zero() *projCached

Zero method # 

func (v *affineCached) Zero() *affineCached

Zero method # 

func (v *projP2) Zero() *projP2

basepointNafTable function #

basepointNafTable is the nafLookupTable8 for the basepoint. It is precomputed the first time it's used.

func basepointNafTable() *nafLookupTable8

basepointTable function #

basepointTable is a set of 32 affineLookupTables, where table i is generated from 256i * basepoint. It is precomputed the first time it's used.

func basepointTable() *[32]affineLookupTable

bytes method # 

func (v *Point) bytes(buf *[32]byte) []byte

bytes method # 

func (s *Scalar) bytes(out *[32]byte) []byte

checkInitialized function # 

func checkInitialized(points ...*Point)

copyFieldElement function # 

func copyFieldElement(buf *[32]byte, v *field.Element) []byte

fiatScalarAdd function #

fiatScalarAdd adds two field elements in the Montgomery domain. Preconditions: 0 ≤ eval arg1 < m 0 ≤ eval arg2 < m Postconditions: eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m 0 ≤ eval out1 < m

func fiatScalarAdd(out1 *fiatScalarMontgomeryDomainFieldElement, arg1 *fiatScalarMontgomeryDomainFieldElement, arg2 *fiatScalarMontgomeryDomainFieldElement)

fiatScalarCmovznzU64 function #

fiatScalarCmovznzU64 is a single-word conditional move. Postconditions: out1 = (if arg1 = 0 then arg2 else arg3) Input Bounds: arg1: [0x0 ~> 0x1] arg2: [0x0 ~> 0xffffffffffffffff] arg3: [0x0 ~> 0xffffffffffffffff] Output Bounds: out1: [0x0 ~> 0xffffffffffffffff]

func fiatScalarCmovznzU64(out1 *uint64, arg1 fiatScalarUint1, arg2 uint64, arg3 uint64)

fiatScalarFromBytes function #

fiatScalarFromBytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. Preconditions: 0 ≤ bytes_eval arg1 < m Postconditions: eval out1 mod m = bytes_eval arg1 mod m 0 ≤ eval out1 < m Input Bounds: arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x1f]] Output Bounds: out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0x1fffffffffffffff]]

func fiatScalarFromBytes(out1 *[4]uint64, arg1 *[32]uint8)

fiatScalarFromMontgomery function #

fiatScalarFromMontgomery translates a field element out of the Montgomery domain. Preconditions: 0 ≤ eval arg1 < m Postconditions: eval out1 mod m = (eval arg1 * ((2^64)⁻¹ mod m)^4) mod m 0 ≤ eval out1 < m

func fiatScalarFromMontgomery(out1 *fiatScalarNonMontgomeryDomainFieldElement, arg1 *fiatScalarMontgomeryDomainFieldElement)

fiatScalarMul function #

fiatScalarMul multiplies two field elements in the Montgomery domain. Preconditions: 0 ≤ eval arg1 < m 0 ≤ eval arg2 < m Postconditions: eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m 0 ≤ eval out1 < m

func fiatScalarMul(out1 *fiatScalarMontgomeryDomainFieldElement, arg1 *fiatScalarMontgomeryDomainFieldElement, arg2 *fiatScalarMontgomeryDomainFieldElement)

fiatScalarNonzero function #

fiatScalarNonzero outputs a single non-zero word if the input is non-zero and zero otherwise. Preconditions: 0 ≤ eval arg1 < m Postconditions: out1 = 0 ↔ eval (from_montgomery arg1) mod m = 0 Input Bounds: arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] Output Bounds: out1: [0x0 ~> 0xffffffffffffffff]

func fiatScalarNonzero(out1 *uint64, arg1 *[4]uint64)

fiatScalarOpp function #

fiatScalarOpp negates a field element in the Montgomery domain. Preconditions: 0 ≤ eval arg1 < m Postconditions: eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m 0 ≤ eval out1 < m

func fiatScalarOpp(out1 *fiatScalarMontgomeryDomainFieldElement, arg1 *fiatScalarMontgomeryDomainFieldElement)

fiatScalarSub function #

fiatScalarSub subtracts two field elements in the Montgomery domain. Preconditions: 0 ≤ eval arg1 < m 0 ≤ eval arg2 < m Postconditions: eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m 0 ≤ eval out1 < m

func fiatScalarSub(out1 *fiatScalarMontgomeryDomainFieldElement, arg1 *fiatScalarMontgomeryDomainFieldElement, arg2 *fiatScalarMontgomeryDomainFieldElement)

fiatScalarToBytes function #

fiatScalarToBytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. Preconditions: 0 ≤ eval arg1 < m Postconditions: out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..31] Input Bounds: arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0x1fffffffffffffff]] Output Bounds: out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x1f]]

func fiatScalarToBytes(out1 *[32]uint8, arg1 *[4]uint64)

fiatScalarToMontgomery function #

fiatScalarToMontgomery translates a field element into the Montgomery domain. Preconditions: 0 ≤ eval arg1 < m Postconditions: eval (from_montgomery out1) mod m = eval arg1 mod m 0 ≤ eval out1 < m

func fiatScalarToMontgomery(out1 *fiatScalarMontgomeryDomainFieldElement, arg1 *fiatScalarNonMontgomeryDomainFieldElement)

fromP1xP1 method # 

func (v *Point) fromP1xP1(p *projP1xP1) *Point

fromP2 method # 

func (v *Point) fromP2(p *projP2) *Point

isReduced function #

isReduced returns whether the given scalar in 32-byte little endian encoded form is reduced modulo l.

func isReduced(s []byte) bool

nonAdjacentForm method #

nonAdjacentForm computes a width-w non-adjacent form for this scalar. w must be between 2 and 8, or nonAdjacentForm will panic.

func (s *Scalar) nonAdjacentForm(w uint) [256]int8

setShortBytes method #

setShortBytes sets s = x mod l, where x is a little-endian integer shorter than 32 bytes.

func (s *Scalar) setShortBytes(x []byte) *Scalar

signedRadix16 method # 

func (s *Scalar) signedRadix16() [64]int8

Generated with Arrow