ed448

package module
v0.0.0-...-a338597 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Oct 17, 2022 License: GPL-3.0 Imports: 13 Imported by: 8

README

ed448-goldilocks

Build Status Go Report Card

This is an implementation of the Edwards elliptic curve with a field size of 448, as described by Mike Hamburg in his paper "Ed448-Goldilocks, a new elliptic curve".

API Documentation

GoDoc

Funding

The work made hare was partially supported by the NlNet Foundation. Find information here.

Disclaimer

This code is provided as is and does not have any warranty. Use it at your own risk.

This code is still under constant development so you might want to wait for a future release in order to use it.

This code is a proof of concept of various experiments. Do not use in production. I mainly use it to play with some ideas. Do not use in production.

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var (
	// Cofactor is the ratio between the order of the group (p) and the one
	// from the subgroup (q).
	Cofactor = byte(4)

	//ScalarQ is the prime order of the curve (q).
	ScalarQ = &scalar{
		0xab5844f3, 0x2378c292, 0x8dc58f55, 0x216cc272,
		0xaed63690, 0xc44edb49, 0x7cca23e9, 0xffffffff,
		0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff,
		0xffffffff, 0x3fffffff,
	}

	//BasePoint is the base point of the curve.
	BasePoint = &twExtendedPoint{
		&bigNumber{
			0x0ffffffe, 0x0fffffff, 0x0fffffff, 0x0fffffff,
			0x0fffffff, 0x0fffffff, 0x0fffffff, 0x0fffffff,
			0x00000003, 0x00000000, 0x00000000, 0x00000000,
			0x00000000, 0x00000000, 0x00000000, 0x00000000,
		},
		&bigNumber{
			0x0f752992, 0x081e6d37, 0x01c28721, 0x03078ead,
			0x0394666c, 0x0135cfd2, 0x00506061, 0x041149c5,
			0x0f5490b3, 0x031d30e4, 0x090dc141, 0x09020149,
			0x04c1e328, 0x052341b0, 0x03c10a1b, 0x01423785,
		},
		&bigNumber{
			0x0ffffffb, 0x0fffffff, 0x0fffffff, 0x0fffffff,
			0x0fffffff, 0x0fffffff, 0x0fffffff, 0x0fffffff,
			0x0ffffffe, 0x0fffffff, 0x0fffffff, 0x0fffffff,
			0x0fffffff, 0x0fffffff, 0x0fffffff, 0x0fffffff,
		},
		&bigNumber{
			0x00660415, 0x08f205b7, 0x0fd3824f, 0x0881c60c,
			0x0d08500d, 0x0377a638, 0x04672615, 0x08c66d5d,
			0x08e08e13, 0x0e52fa55, 0x01b6983d, 0x087770ae,
			0x0a0aa7ff, 0x04388f55, 0x05cf1a91, 0x0b4d9a78,
		},
	}
)
View Source 
var Basepoint []byte

Basepoint is the generator for curve448 in montgomery form

Functions

func AddOnlyX 

func AddOnlyX(x1, x2 *big.Int) (*big.Int, *big.Int)

Add adds two points in montgomery with only the x Just for demostration purposes

func DSASign 

func DSASign(sym [57]byte, pub Point, msg []byte) [114]byte

DSASign implements EdDSA style signing for Ed448 - equivalent of goldilocks_ed448_sign

func DSAVerify 

func DSAVerify(sig [114]byte, pub Point, msg []byte) bool

DSAVerify implements EdDSA style verifying for Ed448 equivalent of goldilocks_ed48_verify

func LadderScalarBaseMult 

func LadderScalarBaseMult(curve GoldilocksCurve, k []byte) (*big.Int, *big.Int)

LadderScalarBaseMult returns k*G, where G is the base point of the group and k is an integer in big-endian form.

func LadderScalarMult 

func LadderScalarMult(curve GoldilocksCurve, x1, y1 *big.Int, k []byte) (*big.Int, *big.Int)

LadderScalarMult returns k*(Bx,By) where k is a number in little-endian form. This uses the montgomery ladder

func ToMontgomeryCurve 

func ToMontgomeryCurve(x, y *big.Int) (*big.Int, *big.Int)

ToMontgomeryCurve converts from Weierstrass to Montgomery

func ToWeierstrassCurve 

func ToWeierstrassCurve(p, u, v *big.Int) (*big.Int, *big.Int, *big.Int)

ToWeierstrassCurve converts from Montgomery form to Weierstrass

Types

type Curve 

type Curve interface {
	GenerateKeys() (priv [privKeyBytes]byte, pub [pubKeyBytes]byte, ok bool)
	Sign(priv [privKeyBytes]byte, message []byte) (signature [signatureBytes]byte, ok bool)
	Verify(signature [signatureBytes]byte, message []byte, pub [pubKeyBytes]byte) (valid bool)
	ComputeSecret(private [privKeyBytes]byte, public [pubKeyBytes]byte) (secret [sha512.Size]byte)
}

Curve is the interface that wraps the basic curve methods. TODO It would be better with the use of privateKey and publicKey types.

func NewCurve 

func NewCurve() Curve

NewCurve returns a Curve.

type Curve25519 

type Curve25519 interface {
	elliptic.Curve
}

A Curve25519 represents the curve25519.

func CurveP25519 

func CurveP25519() Curve25519

CurveP25519 returns a Curve which implements curve448

type Curve25519Params 

type Curve25519Params struct {
	// contains filtered or unexported fields
}

Curve25519Params contains the parameters of an elliptic curve and also provides a generic, non-constant time implementation of Curve. These are the Montgomery params.

func (*Curve25519Params) Add 

func (curve *Curve25519Params) Add(x1, y1, x2, y2 *big.Int) (*big.Int, *big.Int)

Add adds two points in montgomery x3 = ((y2-y1)^2/(x2-x1)^2)-A-x1-x2 y3 = (2*x1+x2+a)*(y2-y1)/(x2-x1)-b*(y2-y1)3/(x2-x1)3-y1 See: https://www.hyperelliptic.org/EFD/g1p/auto-montgom.html

func (*Curve25519Params) Double 

func (curve *Curve25519Params) Double(x1, y1 *big.Int) (*big.Int, *big.Int)

Double doubles two points in montgomery x3 = b*(3*x12+2*a*x1+1)2/(2*b*y1)2-a-x1-x1 y3 = (2*x1+x1+a)*(3*x12+2*a*x1+1)/(2*b*y1)-b*(3*x12+2*a*x1+1)3/(2*b*y1)3-y1 See: https://www.hyperelliptic.org/EFD/g1p/auto-montgom.html

func (*Curve25519Params) IsOnCurve 

func (curve *Curve25519Params) IsOnCurve(x, y *big.Int) bool

IsOnCurve verifies if a given point in montgomery is valid v^2 = u^3 + A*u^2 + u

func (*Curve25519Params) Params 

func (curve *Curve25519Params) Params() *elliptic.CurveParams

Params returns the parameters for the curve.

func (*Curve25519Params) ScalarBaseMult 

func (curve *Curve25519Params) ScalarBaseMult(k []byte) (*big.Int, *big.Int)

ScalarBaseMult returns k*(Bx,By) where k is a number in little-endian form.

func (*Curve25519Params) ScalarMult 

func (curve *Curve25519Params) ScalarMult(x1, y1 *big.Int, k []byte) (*big.Int, *big.Int)

ScalarMult returns k*(Bx,By) where k is a number in little-endian form.

type CurveParams 

type CurveParams struct {
	// contains filtered or unexported fields
}

CurveParams contains the parameters of an elliptic curve and also provides a generic, non-constant time implementation of Curve. These are the Montgomery params.

func (*CurveParams) Add 

func (curve *CurveParams) Add(x1, y1, x2, y2 *big.Int) (*big.Int, *big.Int)

Add adds two points in montgomery x3 = ((y2-y1)^2/(x2-x1)^2)-A-x1-x2 y3 = (2*x1+x2+a)*(y2-y1)/(x2-x1)-b*(y2-y1)3/(x2-x1)3-y1 See: https://www.hyperelliptic.org/EFD/g1p/auto-montgom.html

func (*CurveParams) Double 

func (curve *CurveParams) Double(x1, y1 *big.Int) (*big.Int, *big.Int)

Double doubles two points in montgomery x3 = b*(3*x12+2*a*x1+1)2/(2*b*y1)2-a-x1-x1 y3 = (2*x1+x1+a)*(3*x12+2*a*x1+1)/(2*b*y1)-b*(3*x12+2*a*x1+1)3/(2*b*y1)3-y1 See: https://www.hyperelliptic.org/EFD/g1p/auto-montgom.html

func (*CurveParams) IsOnCurve 

func (curve *CurveParams) IsOnCurve(x, y *big.Int) bool

IsOnCurve verifies if a given point in montgomery is valid v^2 = u^3 + A*u^2 + u

func (*CurveParams) MapToCurve 

func (curve *CurveParams) MapToCurve(u *big.Int) (*big.Int, *big.Int)

MapToCurve calculates a point on the elliptic curve from an element of the finite field F. This implements Elligator2, according to https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05, section 6.7.1.1.

func (*CurveParams) Params 

func (curve *CurveParams) Params() *elliptic.CurveParams

Params returns the parameters for the curve.

func (*CurveParams) ScalarBaseMult 

func (curve *CurveParams) ScalarBaseMult(k []byte) (*big.Int, *big.Int)

ScalarBaseMult returns k*G, where G is the base point of the group and k is an integer in big-endian form.

func (*CurveParams) ScalarMult 

func (curve *CurveParams) ScalarMult(x1, y1 *big.Int, k []byte) (*big.Int, *big.Int)

ScalarMult returns k*(Bx,By) where k is a number in little-endian form. This uses the double and add method

type DecafCurve 

type DecafCurve interface {
	GenerateKeys() (priv [privKeyBytes]byte, pub [pubKeyBytes]byte, ok bool)
	Sign(priv [privKeyBytes]byte, message []byte) (signature [signatureBytes]byte, ok bool)
	Verify(signature [signatureBytes]byte, message []byte, pub [pubKeyBytes]byte) (valid bool, err error)
}

DecafCurve is the interface that wraps the basic curve methods in decaf. TODO: change this name

func NewDecafCurve 

func NewDecafCurve() DecafCurve

NewDecafCurve returns a Curve.

type EdwardsCurveParams 

type EdwardsCurveParams struct {
	P       *big.Int // the order of the underlying finite field
	N       *big.Int // the prime order of the base point
	D       *big.Int // the non-zero element
	Gx, Gy  *big.Int // (x,y) of the base point
	BitSize int      // the size of the underlying field
	Name    string   // the canonical name of the curve
}

EdwardsCurveParams contains the parameters of an elliptic curve and also provides a generic, non-constant time implementation of Curve. These are the Edwards params.

func (*EdwardsCurveParams) Add 

func (curve *EdwardsCurveParams) Add(p, q Point) Point

Add gives the sum of two points (p, q) and produces a third point (p).

func (*EdwardsCurveParams) Double 

func (curve *EdwardsCurveParams) Double(p Point) Point

Double gives the doubling of a point (p).

func (*EdwardsCurveParams) IsOnCurve 

func (curve *EdwardsCurveParams) IsOnCurve(p Point) bool

IsOnCurve reports whether the given point (p) lies on the curve.

func (*EdwardsCurveParams) Params 

func (curve *EdwardsCurveParams) Params() *EdwardsCurveParams

Params returns the parameters for the curve.

type GoldilocksCurve 

type GoldilocksCurve interface {
	elliptic.Curve
}

A GoldilocksCurve represents the curve448.

func Curve448 

func Curve448() GoldilocksCurve

Curve448 returns a Curve which implements curve448

type GoldilocksEdCurve 

type GoldilocksEdCurve interface {
	// Params returns the parameters for the curve.
	Params() *EdwardsCurveParams
	// IsOnCurveEdwards reports whether the given p lies on the curve.
	IsOnCurve(p Point) bool
	// AddEdwards returns the sum of p and q
	Add(p, q Point) Point
	// DoubleEdwards returns 2*p
	Double(p Point) Point
	// ScalarMultEdwards returns k*(p) where k is an scalar.
	ScalarMult(p Point, k Scalar) Point
	// ScalarBaseMultEdwards returns k*G, where G is the base point of the group
	// and k is an scalar
	ScalarBaseMult(k Scalar) Point
}

A GoldilocksEdCurve represents Goldilocks edwards448. This uses the decaf technique

type Point 

type Point interface {
	IsOnCurve() bool
	Equals(q Point) bool
	EqualsMask(q Point) uint32
	Copy() Point
	Add(q, r Point)
	Sub(q, r Point)
	Double() Point
	Encode() []byte
	Decode(src []byte, identity bool) (bool, error)
	EdDSAEncode() []byte
	EdDSADecode(src []byte) bool
}

Point is a interface of a Ed448 point

func ConstantTimeSelectPoint 

func ConstantTimeSelectPoint(bfalse, btrue Point, mask uint32) Point

ConstantTimeSelectPoint will use constant time select to choose either the left or right point, depending on if the mask is either all zeroes, or all ones

func NewPoint 

func NewPoint(a [nLimbs]uint32, b [nLimbs]uint32, c [nLimbs]uint32, d [nLimbs]uint32) Point

NewPoint returns an Ed448 point from 4 arrays of 16 uint32.

func NewPointFromBytes 

func NewPointFromBytes(in ...[]byte) Point

NewPointFromBytes returns an Ed448 point from a byte slice.

func PointDoubleScalarMul 

func PointDoubleScalarMul(q, r Point, a, b Scalar) Point

PointDoubleScalarMul returns the addition of two multiplications: a given point (q) by a given scalar (a) and a given point (r) by a given scalar (b): q * a + r * b.

func PointDoubleScalarMulNonsecret 

func PointDoubleScalarMulNonsecret(q Point, a, b Scalar) Point

PointDoubleScalarMulNonsecret returns the addition of two multiplications: a given point (q) by a given scalar (b) and the base point of the curve by a given scalar (a): q * b + basePoint * a. @warning: This function takes variable time, and may leak the scalars used. It is designed for signature verification.

func PointScalarMul 

func PointScalarMul(q Point, a Scalar) Point

PointScalarMul returns the multiplication of a given point (p) by a given scalar (a): q * a.

func PrecomputedScalarMul 

func PrecomputedScalarMul(a Scalar) Point

PrecomputedScalarMul returns the multiplication of a given scalar (a) by the precomputed base point of the curve: basePoint * a.

func ScalarBaseMult 

func ScalarBaseMult(k Scalar) Point

ScalarBaseMult returns the multiplication of a given scalar (k) by the precomputed base point of the curve: basePoint * k.

func ScalarMult 

func ScalarMult(p Point, k Scalar) Point

ScalarMult returns the multiplication of a given point (p) by a given scalar (a): p * k.

type Scalar 

type Scalar interface {
	Equals(a Scalar) bool
	EqualsMask(a Scalar) uint32
	Copy() Scalar
	Add(a, b Scalar)
	Sub(a, b Scalar)
	Mul(a, b Scalar)
	Halve(a Scalar)
	Invert() bool
	Encode() []byte
	BarretDecode(src []byte) error
	Decode(src []byte)
}

Scalar is a interface of a Ed448 scalar

func ConstantTimeSelectScalar 

func ConstantTimeSelectScalar(bfalse, btrue Scalar, mask uint32) Scalar

ConstantTimeSelectScalar will use constant time select to choose either the left or right scalar, depending on if the mask is either all zeroes, or all ones

func NewScalar 

func NewScalar(in ...[]byte) Scalar

NewScalar returns a Scalar in Ed448 with decaf

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.