Version: v4.15.0+incompatible Latest Latest Go to latest
Published: Feb 7, 2019 License: MIT, BSD-3-Clause, MIT

## Documentation ¶

### Constants ¶

View Source
```const (
FP_MAX_WORDS = 12 // Currently p751.NumWords
)```

### Variables ¶

This section is empty.

### Functions ¶

This section is empty.

### Types ¶

#### type CurveCoefficientsEquiv ¶

```type CurveCoefficientsEquiv struct {
A Fp2Element
C Fp2Element
}```

Stores curve projective parameters equivalent to A/C. Meaning of the values depends on the context. When working with isogenies over subgroup that are powers of: * three then (A:C) ~ (A+2C:A-2C) * four then (A:C) ~ (A+2C: 4C) See Appendix A of SIKE for more details

#### type CurveOperations ¶

```type CurveOperations struct {
Params *SidhParams
}```

#### func (*CurveOperations) CalcAplus2Over4 ¶

`func (c *CurveOperations) CalcAplus2Over4(cparams *ProjectiveCurveParameters) (ret Fp2Element)`

Helper function for RightToLeftLadder(). Returns A+2C / 4.

#### func (*CurveOperations) CalcCurveParamsEquiv3 ¶

`func (c *CurveOperations) CalcCurveParamsEquiv3(cparams *ProjectiveCurveParameters) CurveCoefficientsEquiv`

Computes equivalence (A:C) ~ (A+2C : A-2C)

#### func (*CurveOperations) CalcCurveParamsEquiv4 ¶

`func (c *CurveOperations) CalcCurveParamsEquiv4(cparams *ProjectiveCurveParameters) CurveCoefficientsEquiv`

Computes equivalence (A:C) ~ (A+2C : 4C)

#### func (*CurveOperations) Fp2Batch3Inv ¶

`func (c *CurveOperations) Fp2Batch3Inv(x1, x2, x3, y1, y2, y3 *Fp2Element)`

Set (y1, y2, y3) = (1/x1, 1/x2, 1/x3).

All xi, yi must be distinct.

#### func (*CurveOperations) Fp2FromBytes ¶

`func (c *CurveOperations) Fp2FromBytes(fp2 *Fp2Element, input []byte)`

Read 2*bytelen(p) bytes into the given ExtensionFieldElement.

It is an error to call this function if the input byte slice is less than 2*bytelen(p) bytes long.

#### func (*CurveOperations) Fp2ToBytes ¶

`func (c *CurveOperations) Fp2ToBytes(output []byte, fp2 *Fp2Element)`

Convert the input to wire format.

The output byte slice must be at least 2*bytelen(p) bytes long.

#### func (*CurveOperations) Jinvariant ¶

`func (c *CurveOperations) Jinvariant(cparams *ProjectiveCurveParameters, jBytes []byte)`

Computes j-invariant for a curve y2=x3+A/Cx+x with A,C in F_(p^2). Result is returned in jBytes buffer, encoded in little-endian format. Caller provided jBytes buffer has to be big enough to j-invariant value. In case of SIDH, buffer size must be at least size of shared secret. Implementation corresponds to Algorithm 9 from SIKE.

#### func (*CurveOperations) Pow2k ¶

`func (c *CurveOperations) Pow2k(xP *ProjectivePoint, params *CurveCoefficientsEquiv, k uint32)`

Given the curve parameters, xP = x(P), computes xP = x([2^k]P) Safe to overlap xP, x2P.

#### func (*CurveOperations) Pow3k ¶

`func (c *CurveOperations) Pow3k(xP *ProjectivePoint, params *CurveCoefficientsEquiv, k uint32)`

Given the curve parameters, xP = x(P), and k >= 0, compute xP = x([3^k]P).

Safe to overlap xP, xR.

#### func (*CurveOperations) RecoverCoordinateA ¶

`func (c *CurveOperations) RecoverCoordinateA(curve *ProjectiveCurveParameters, xp, xq, xr *Fp2Element)`

Given affine points x(P), x(Q) and x(Q-P) in a extension field F_{p^2}, function recorvers projective coordinate A of a curve. This is Algorithm 10 from SIKE.

#### func (*CurveOperations) RecoverCurveCoefficients3 ¶

`func (c *CurveOperations) RecoverCurveCoefficients3(cparams *ProjectiveCurveParameters, coefEq *CurveCoefficientsEquiv)`

Recovers (A:C) curve parameters from projectively equivalent (A+2C:A-2C).

#### func (*CurveOperations) RecoverCurveCoefficients4 ¶

`func (c *CurveOperations) RecoverCurveCoefficients4(cparams *ProjectiveCurveParameters, coefEq *CurveCoefficientsEquiv)`

Recovers (A:C) curve parameters from projectively equivalent (A+2C:4C).

#### func (*CurveOperations) ScalarMul3Pt ¶

`func (c *CurveOperations) ScalarMul3Pt(cparams *ProjectiveCurveParameters, P, Q, PmQ *ProjectivePoint, nbits uint, scalar []uint8) ProjectivePoint`

ScalarMul3Pt is a right-to-left point multiplication that given the x-coordinate of P, Q and P-Q calculates the x-coordinate of R=Q+[scalar]P. nbits must be smaller or equal to len(scalar).

#### type DomainParams ¶

```type DomainParams struct {
// P, Q and R=P-Q base points
Affine_P, Affine_Q, Affine_R Fp2Element
// Size of a compuatation strategy for x-torsion group
IsogenyStrategy []uint32
// Max size of secret key for x-torsion group
SecretBitLen uint
// Max size of secret key for x-torsion group
SecretByteLen uint
}```

#### type FieldOps ¶

```type FieldOps interface {
// Set res = lhs + rhs.
//
// Allowed to overlap lhs or rhs with res.

// Set res = lhs - rhs.
//
// Allowed to overlap lhs or rhs with res.
Sub(res, lhs, rhs *Fp2Element)

// Set res = lhs * rhs.
//
// Allowed to overlap lhs or rhs with res.
Mul(res, lhs, rhs *Fp2Element)
// Set res = x * x
//
// Allowed to overlap res with x.
Square(res, x *Fp2Element)
// Set res = 1/x
//
// Allowed to overlap res with x.
Inv(res, x *Fp2Element)
// If choice = 1u8, set (x,y) = (y,x). If choice = 0u8, set (x,y) = (x,y).
CondSwap(xPx, xPz, xQx, xQz *Fp2Element, choice uint8)
// Converts Fp2Element to Montgomery domain (x*R mod p)
ToMontgomery(x *Fp2Element)
// Converts 'a' in montgomery domain to element from Fp2Element
// and stores it in 'x'
FromMontgomery(x *Fp2Element, a *Fp2Element)
}```

#### type Fp2Element ¶

```type Fp2Element struct {
A FpElement
B FpElement
}```

Represents an element of the extended field Fp^2 = Fp(x+i)

#### func (*Fp2Element) Zeroize ¶

`func (fp *Fp2Element) Zeroize()`

Cleans data in fp

#### type FpElement ¶

`type FpElement [FP_MAX_WORDS]uint64`

Representation of an element of the base field F_p.

No particular meaning is assigned to the representation -- it could represent an element in Montgomery form, or not. Tracking the meaning of the field element is left to higher types.

#### type FpElementX2 ¶

`type FpElementX2 [2 * FP_MAX_WORDS]uint64`

Represents an intermediate product of two elements of the base field F_p.

#### type Isogeny ¶

```type Isogeny interface {
// Given a torsion point on a curve computes isogenous curve.
// Returns curve coefficients (A:C), so that E_(A/C) = E_(A/C)/<P>,
// where P is a provided projective point. Sets also isogeny constants
// that are needed for isogeny evaluation.
GenerateCurve(*ProjectivePoint) CurveCoefficientsEquiv
// Evaluates isogeny at caller provided point. Requires isogeny curve constants
// to be earlier computed by GenerateCurve.
EvaluatePoint(*ProjectivePoint) ProjectivePoint
}```

Interface for working with isogenies.

#### func Newisogeny3 ¶

`func Newisogeny3(op FieldOps) Isogeny`

Constructs isogeny3 objects

#### func Newisogeny4 ¶

`func Newisogeny4(op FieldOps) Isogeny`

Constructs isogeny4 objects

#### type ProjectiveCurveParameters ¶

```type ProjectiveCurveParameters struct {
A Fp2Element
C Fp2Element
}```

A point on the projective line P^1(F_{p^2}).

This is used to work projectively with the curve coefficients.

#### type ProjectivePoint ¶

```type ProjectivePoint struct {
X Fp2Element
Z Fp2Element
}```

A point on the projective line P^1(F_{p^2}).

This represents a point on the Kummer line of a Montgomery curve. The curve is specified by a ProjectiveCurveParameters struct.

#### func (*ProjectivePoint) ToAffine ¶

`func (point *ProjectivePoint) ToAffine(c *CurveOperations) *Fp2Element`

-------------------------------------------------------------------------

```Utils
-------------------------------------------------------------------------
```

#### type SidhParams ¶

```type SidhParams struct {
Id uint8
// Bytelen of P
Bytelen int
// The public key size, in bytes.
PublicKeySize int
// The shared secret size, in bytes.
SharedSecretSize uint
// 2- and 3-torsion group parameter definitions
A, B DomainParams
// Precomputed identity element in the Fp2 in Montgomery domain
OneFp2 Fp2Element
// Precomputed 1/2 in the Fp2 in Montgomery domain
HalfFp2 Fp2Element
// Length of SIKE secret message. Must be one of {24,32,40},
// depending on size of prime field used (see [SIKE], 1.4 and 5.1)
MsgLen uint
// Length of SIKE ephemeral KEM key (see [SIKE], 1.4 and 5.1)
KemSize uint