Version: v4.15.0+incompatible Latest Latest

This package is not in the latest version of its module.

Go to latest
Published: Feb 7, 2019 License: MIT, BSD-3-Clause, MIT Imports: 0 Imported by: 0




View Source
const (
	FP_MAX_WORDS = 12 // Currently p751.NumWords


This section is empty.


This section is empty.


type CurveCoefficientsEquiv

type CurveCoefficientsEquiv struct {
	A Fp2Element
	C Fp2Element

Stores curve projective parameters equivalent to A/C. Meaning of the values depends on the context. When working with isogenies over subgroup that are powers of: * three then (A:C) ~ (A+2C:A-2C) * four then (A:C) ~ (A+2C: 4C) See Appendix A of SIKE for more details

type CurveOperations

type CurveOperations struct {
	Params *SidhParams

func (*CurveOperations) CalcAplus2Over4

func (c *CurveOperations) CalcAplus2Over4(cparams *ProjectiveCurveParameters) (ret Fp2Element)

Helper function for RightToLeftLadder(). Returns A+2C / 4.

func (*CurveOperations) CalcCurveParamsEquiv3

func (c *CurveOperations) CalcCurveParamsEquiv3(cparams *ProjectiveCurveParameters) CurveCoefficientsEquiv

Computes equivalence (A:C) ~ (A+2C : A-2C)

func (*CurveOperations) CalcCurveParamsEquiv4

func (c *CurveOperations) CalcCurveParamsEquiv4(cparams *ProjectiveCurveParameters) CurveCoefficientsEquiv

Computes equivalence (A:C) ~ (A+2C : 4C)

func (*CurveOperations) Fp2Batch3Inv

func (c *CurveOperations) Fp2Batch3Inv(x1, x2, x3, y1, y2, y3 *Fp2Element)

Set (y1, y2, y3) = (1/x1, 1/x2, 1/x3).

All xi, yi must be distinct.

func (*CurveOperations) Fp2FromBytes

func (c *CurveOperations) Fp2FromBytes(fp2 *Fp2Element, input []byte)

Read 2*bytelen(p) bytes into the given ExtensionFieldElement.

It is an error to call this function if the input byte slice is less than 2*bytelen(p) bytes long.

func (*CurveOperations) Fp2ToBytes

func (c *CurveOperations) Fp2ToBytes(output []byte, fp2 *Fp2Element)

Convert the input to wire format.

The output byte slice must be at least 2*bytelen(p) bytes long.

func (*CurveOperations) Jinvariant

func (c *CurveOperations) Jinvariant(cparams *ProjectiveCurveParameters, jBytes []byte)

Computes j-invariant for a curve y2=x3+A/Cx+x with A,C in F_(p^2). Result is returned in jBytes buffer, encoded in little-endian format. Caller provided jBytes buffer has to be big enough to j-invariant value. In case of SIDH, buffer size must be at least size of shared secret. Implementation corresponds to Algorithm 9 from SIKE.

func (*CurveOperations) Pow2k

Given the curve parameters, xP = x(P), computes xP = x([2^k]P) Safe to overlap xP, x2P.

func (*CurveOperations) Pow3k

Given the curve parameters, xP = x(P), and k >= 0, compute xP = x([3^k]P).

Safe to overlap xP, xR.

func (*CurveOperations) RecoverCoordinateA

func (c *CurveOperations) RecoverCoordinateA(curve *ProjectiveCurveParameters, xp, xq, xr *Fp2Element)

Given affine points x(P), x(Q) and x(Q-P) in a extension field F_{p^2}, function recorvers projective coordinate A of a curve. This is Algorithm 10 from SIKE.

func (*CurveOperations) RecoverCurveCoefficients3

func (c *CurveOperations) RecoverCurveCoefficients3(cparams *ProjectiveCurveParameters, coefEq *CurveCoefficientsEquiv)

Recovers (A:C) curve parameters from projectively equivalent (A+2C:A-2C).

func (*CurveOperations) RecoverCurveCoefficients4

func (c *CurveOperations) RecoverCurveCoefficients4(cparams *ProjectiveCurveParameters, coefEq *CurveCoefficientsEquiv)

Recovers (A:C) curve parameters from projectively equivalent (A+2C:4C).

func (*CurveOperations) ScalarMul3Pt

func (c *CurveOperations) ScalarMul3Pt(cparams *ProjectiveCurveParameters, P, Q, PmQ *ProjectivePoint, nbits uint, scalar []uint8) ProjectivePoint

ScalarMul3Pt is a right-to-left point multiplication that given the x-coordinate of P, Q and P-Q calculates the x-coordinate of R=Q+[scalar]P. nbits must be smaller or equal to len(scalar).

type DomainParams

type DomainParams struct {
	// P, Q and R=P-Q base points
	Affine_P, Affine_Q, Affine_R Fp2Element
	// Size of a compuatation strategy for x-torsion group
	IsogenyStrategy []uint32
	// Max size of secret key for x-torsion group
	SecretBitLen uint
	// Max size of secret key for x-torsion group
	SecretByteLen uint

type FieldOps

type FieldOps interface {
	// Set res = lhs + rhs.
	// Allowed to overlap lhs or rhs with res.
	Add(res, lhs, rhs *Fp2Element)

	// Set res = lhs - rhs.
	// Allowed to overlap lhs or rhs with res.
	Sub(res, lhs, rhs *Fp2Element)

	// Set res = lhs * rhs.
	// Allowed to overlap lhs or rhs with res.
	Mul(res, lhs, rhs *Fp2Element)
	// Set res = x * x
	// Allowed to overlap res with x.
	Square(res, x *Fp2Element)
	// Set res = 1/x
	// Allowed to overlap res with x.
	Inv(res, x *Fp2Element)
	// If choice = 1u8, set (x,y) = (y,x). If choice = 0u8, set (x,y) = (x,y).
	CondSwap(xPx, xPz, xQx, xQz *Fp2Element, choice uint8)
	// Converts Fp2Element to Montgomery domain (x*R mod p)
	ToMontgomery(x *Fp2Element)
	// Converts 'a' in montgomery domain to element from Fp2Element
	// and stores it in 'x'
	FromMontgomery(x *Fp2Element, a *Fp2Element)

type Fp2Element

type Fp2Element struct {
	A FpElement
	B FpElement

Represents an element of the extended field Fp^2 = Fp(x+i)

func (*Fp2Element) Zeroize

func (fp *Fp2Element) Zeroize()

Cleans data in fp

type FpElement

type FpElement [FP_MAX_WORDS]uint64

Representation of an element of the base field F_p.

No particular meaning is assigned to the representation -- it could represent an element in Montgomery form, or not. Tracking the meaning of the field element is left to higher types.

type FpElementX2

type FpElementX2 [2 * FP_MAX_WORDS]uint64

Represents an intermediate product of two elements of the base field F_p.

type Isogeny

type Isogeny interface {
	// Given a torsion point on a curve computes isogenous curve.
	// Returns curve coefficients (A:C), so that E_(A/C) = E_(A/C)/<P>,
	// where P is a provided projective point. Sets also isogeny constants
	// that are needed for isogeny evaluation.
	GenerateCurve(*ProjectivePoint) CurveCoefficientsEquiv
	// Evaluates isogeny at caller provided point. Requires isogeny curve constants
	// to be earlier computed by GenerateCurve.
	EvaluatePoint(*ProjectivePoint) ProjectivePoint

Interface for working with isogenies.

func Newisogeny3

func Newisogeny3(op FieldOps) Isogeny

Constructs isogeny3 objects

func Newisogeny4

func Newisogeny4(op FieldOps) Isogeny

Constructs isogeny4 objects

type ProjectiveCurveParameters

type ProjectiveCurveParameters struct {
	A Fp2Element
	C Fp2Element

A point on the projective line P^1(F_{p^2}).

This is used to work projectively with the curve coefficients.

type ProjectivePoint

type ProjectivePoint struct {
	X Fp2Element
	Z Fp2Element

A point on the projective line P^1(F_{p^2}).

This represents a point on the Kummer line of a Montgomery curve. The curve is specified by a ProjectiveCurveParameters struct.

func (*ProjectivePoint) ToAffine

func (point *ProjectivePoint) ToAffine(c *CurveOperations) *Fp2Element



type SidhParams

type SidhParams struct {
	Id uint8
	// Bytelen of P
	Bytelen int
	// The public key size, in bytes.
	PublicKeySize int
	// The shared secret size, in bytes.
	SharedSecretSize uint
	// 2- and 3-torsion group parameter definitions
	A, B DomainParams
	// Precomputed identity element in the Fp2 in Montgomery domain
	OneFp2 Fp2Element
	// Precomputed 1/2 in the Fp2 in Montgomery domain
	HalfFp2 Fp2Element
	// Length of SIKE secret message. Must be one of {24,32,40},
	// depending on size of prime field used (see [SIKE], 1.4 and 5.1)
	MsgLen uint
	// Length of SIKE ephemeral KEM key (see [SIKE], 1.4 and 5.1)
	KemSize uint
	// Access to field arithmetic
	Op FieldOps

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL