Documentation ¶
Overview ¶
Package secp256k1 efficient elliptic curve implementation for secp256k1. This curve is defined in Standards for Efficient Cryptography (SEC) (Certicom Research, http://www.secg.org/sec2-v2.pdf) and appears in the Bitcoin and Ethereum ECDSA signatures.
secp256k1: A j=0 curve with
𝔽r: r=115792089237316195423570985008687907852837564279074904382605163141518161494337 𝔽p: p=115792089237316195423570985008687907853269984665640564039457584007908834671663 (2^256 - 2^32 - 977) (E/𝔽p): Y²=X³+7
Security: estimated 128-bit level using Pollard's \rho attack (r is 256 bits)
Warning ¶
This code has been partially audited and is provided as-is. In particular, there is no security guarantees such as constant time implementation or side-channel attack resistance.
Index ¶
- Constants
- func CurveCoefficients() (a, b fp.Element)
- func Generators() (g1Jac G1Jac, g1Aff G1Affine)
- type G1Affine
- func BatchJacobianToAffineG1(points []G1Jac) []G1Affine
- func BatchScalarMultiplicationG1(base *G1Affine, scalars []fr.Element) []G1Affine
- func EncodeToG1(msg, dst []byte) (G1Affine, error)
- func HashToG1(msg, dst []byte) (G1Affine, error)
- func MapToCurve1(u *fp.Element) G1Affine
- func MapToG1(u fp.Element) G1Affine
- func (p *G1Affine) Add(a, b *G1Affine) *G1Affine
- func (p *G1Affine) Double(a *G1Affine) *G1Affine
- func (p *G1Affine) Equal(a *G1Affine) bool
- func (p *G1Affine) FromJacobian(p1 *G1Jac) *G1Affine
- func (p *G1Affine) IsInSubGroup() bool
- func (p *G1Affine) IsInfinity() bool
- func (p *G1Affine) IsOnCurve() bool
- func (p *G1Affine) MultiExp(points []G1Affine, scalars []fr.Element, config ecc.MultiExpConfig) (*G1Affine, error)
- func (p *G1Affine) Neg(a *G1Affine) *G1Affine
- func (p *G1Affine) RawBytes() (res [SizeOfG1AffineUncompressed]byte)
- func (p *G1Affine) ScalarMultiplication(a *G1Affine, s *big.Int) *G1Affine
- func (p *G1Affine) ScalarMultiplicationBase(s *big.Int) *G1Affine
- func (p *G1Affine) Set(a *G1Affine) *G1Affine
- func (p *G1Affine) SetBytes(buf []byte) (int, error)
- func (p *G1Affine) String() string
- func (p *G1Affine) Sub(a, b *G1Affine) *G1Affine
- type G1Jac
- func (p *G1Jac) AddAssign(a *G1Jac) *G1Jac
- func (p *G1Jac) AddMixed(a *G1Affine) *G1Jac
- func (p *G1Jac) Double(q *G1Jac) *G1Jac
- func (p *G1Jac) DoubleAssign() *G1Jac
- func (p *G1Jac) Equal(a *G1Jac) bool
- func (p *G1Jac) FromAffine(Q *G1Affine) *G1Jac
- func (p *G1Jac) IsInSubGroup() bool
- func (p *G1Jac) IsOnCurve() bool
- func (p *G1Jac) JointScalarMultiplicationBase(a *G1Affine, s1, s2 *big.Int) *G1Jac
- func (p *G1Jac) MultiExp(points []G1Affine, scalars []fr.Element, config ecc.MultiExpConfig) (*G1Jac, error)
- func (p *G1Jac) Neg(a *G1Jac) *G1Jac
- func (p *G1Jac) ScalarMultiplication(a *G1Jac, s *big.Int) *G1Jac
- func (p *G1Jac) ScalarMultiplicationAffine(a *G1Affine, s *big.Int) *G1Jac
- func (p *G1Jac) Set(a *G1Jac) *G1Jac
- func (p *G1Jac) String() string
- func (p *G1Jac) SubAssign(a *G1Jac) *G1Jac
Constants ¶
const ID = ecc.SECP256K1
ID secp256k1 ID
const SizeOfG1AffineCompressed = 32
SizeOfG1AffineCompressed represents the size in bytes that a G1Affine need in binary form, compressed
const SizeOfG1AffineUncompressed = SizeOfG1AffineCompressed * 2
SizeOfG1AffineUncompressed represents the size in bytes that a G1Affine need in binary form, uncompressed
Variables ¶
This section is empty.
Functions ¶
func CurveCoefficients ¶ added in v0.10.0
CurveCoefficients returns the a, b coefficients of the curve equation.
func Generators ¶
Generators return the generators of the r-torsion group, resp. in ker(pi-id), ker(Tr)
Types ¶
type G1Affine ¶
G1Affine point in affine coordinates
func BatchJacobianToAffineG1 ¶
BatchJacobianToAffineG1 converts points in Jacobian coordinates to Affine coordinates performing a single field inversion (Montgomery batch inversion trick).
func BatchScalarMultiplicationG1 ¶ added in v0.9.1
BatchScalarMultiplicationG1 multiplies the same base by all scalars and return resulting points in affine coordinates uses a simple windowed-NAF like exponentiation algorithm
func EncodeToG1 ¶
EncodeToG1 hashes a message to a point on the G1 curve using the SVDW map. It is faster than HashToG1, but the result is not uniformly distributed. Unsuitable as a random oracle. dst stands for "domain separation tag", a string unique to the construction using the hash function https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-16.html#roadmap
func HashToG1 ¶
HashToG1 hashes a message to a point on the G1 curve using the SVDW map. Slower than EncodeToG1, but usable as a random oracle. dst stands for "domain separation tag", a string unique to the construction using the hash function https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-16.html#roadmap
func MapToCurve1 ¶ added in v0.11.0
MapToCurve1 implements the Shallue and van de Woestijne method, applicable to any elliptic curve in Weierstrass form No cofactor clearing or isogeny https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-16.html#straightline-svdw
func (*G1Affine) Add ¶
Add adds two point in affine coordinates. This should rarely be used as it is very inefficient compared to Jacobian
func (*G1Affine) Double ¶ added in v0.11.0
Double doubles a point in affine coordinates. This should rarely be used as it is very inefficient compared to Jacobian
func (*G1Affine) FromJacobian ¶
FromJacobian rescales a point in Jacobian coord in z=1 plane
func (*G1Affine) IsInSubGroup ¶
IsInSubGroup returns true if p is in the correct subgroup, false otherwise
func (*G1Affine) IsInfinity ¶
IsInfinity checks if the point is infinity in affine, it's encoded as (0,0) (0,0) is never on the curve for j=0 curves
func (*G1Affine) MultiExp ¶ added in v0.9.1
func (p *G1Affine) MultiExp(points []G1Affine, scalars []fr.Element, config ecc.MultiExpConfig) (*G1Affine, error)
MultiExp implements section 4 of https://eprint.iacr.org/2012/549.pdf
This call return an error if len(scalars) != len(points) or if provided config is invalid.
func (*G1Affine) RawBytes ¶ added in v0.9.1
func (p *G1Affine) RawBytes() (res [SizeOfG1AffineUncompressed]byte)
RawBytes returns binary representation of p (stores X and Y coordinate)
func (*G1Affine) ScalarMultiplication ¶
ScalarMultiplication computes and returns p = a ⋅ s
func (*G1Affine) ScalarMultiplicationBase ¶ added in v0.9.1
ScalarMultiplicationBase computes and returns p = g ⋅ s where g is the prime subgroup generator
func (*G1Affine) SetBytes ¶ added in v0.9.1
SetBytes sets p from binary representation in buf and returns number of consumed bytes
bytes in buf must match RawBytes()
if buf is too short io.ErrShortBuffer is returned
this check if the resulting point is on the curve and in the correct subgroup
type G1Jac ¶
G1Jac is a point with fp.Element coordinates
func (*G1Jac) AddAssign ¶
AddAssign point addition in montgomery form https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-2007-bl
func (*G1Jac) AddMixed ¶
AddMixed point addition http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#addition-madd-2007-bl
func (*G1Jac) Double ¶
Double doubles a point in Jacobian coordinates https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2007-bl
func (*G1Jac) DoubleAssign ¶
DoubleAssign doubles a point in Jacobian coordinates https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2007-bl
func (*G1Jac) FromAffine ¶
FromAffine sets p = Q, p in Jacobian, Q in affine
func (*G1Jac) IsInSubGroup ¶
IsInSubGroup returns true if p is on the r-torsion, false otherwise. the curve is of prime order i.e. E(𝔽p) is the full group so we just check that the point is on the curve.
func (*G1Jac) JointScalarMultiplicationBase ¶ added in v0.9.1
JointScalarMultiplicationBase computes [s1]g+[s2]a using Straus-Shamir technique where g is the prime subgroup generator
func (*G1Jac) MultiExp ¶ added in v0.9.1
func (p *G1Jac) MultiExp(points []G1Affine, scalars []fr.Element, config ecc.MultiExpConfig) (*G1Jac, error)
MultiExp implements section 4 of https://eprint.iacr.org/2012/549.pdf
This call return an error if len(scalars) != len(points) or if provided config is invalid.
func (*G1Jac) ScalarMultiplication ¶
ScalarMultiplication computes and returns p = a ⋅ s see https://www.iacr.org/archive/crypto2001/21390189.pdf
func (*G1Jac) ScalarMultiplicationAffine ¶
ScalarMultiplicationAffine computes and returns p = a ⋅ s Takes an affine point and returns a Jacobian point (useful for KZG)
Source Files ¶
Directories ¶
Path | Synopsis |
---|---|
Package ecdsa provides ECDSA signature scheme on the secp256k1 curve.
|
Package ecdsa provides ECDSA signature scheme on the secp256k1 curve. |
Package fp contains field arithmetic operations for modulus = 0xffffff...fffc2f.
|
Package fp contains field arithmetic operations for modulus = 0xffffff...fffc2f. |
Package fr contains field arithmetic operations for modulus = 0xffffff...364141.
|
Package fr contains field arithmetic operations for modulus = 0xffffff...364141. |