Documentation ¶
Overview ¶
package ed25519
ZooBC zed25519 ¶
Copyright © 2020 Quasisoft Limited - Hong Kong ¶
ZooBC is architected by Roberto Capodieci & Barton Johnston
contact us at roberto.capodieci[at]blockchainzoo.com and barton.johnston[at]blockchainzoo.com
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
package ed25519
ZooBC zed25519 ¶
Copyright © 2020 Quasisoft Limited - Hong Kong ¶
ZooBC is architected by Roberto Capodieci & Barton Johnston
contact us at roberto.capodieci[at]blockchainzoo.com and barton.johnston[at]blockchainzoo.com
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
ZooBC zed25519 ¶
Copyright © 2020 Quasisoft Limited - Hong Kong ¶
ZooBC is architected by Roberto Capodieci & Barton Johnston
contact us at roberto.capodieci[at]blockchainzoo.com and barton.johnston[at]blockchainzoo.com
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
ZooBC zed25519 ¶
Copyright © 2020 Quasisoft Limited - Hong Kong ¶
ZooBC is architected by Roberto Capodieci & Barton Johnston
contact us at roberto.capodieci[at]blockchainzoo.com and barton.johnston[at]blockchainzoo.com
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
ZooBC zed25519 ¶
Copyright © 2020 Quasisoft Limited - Hong Kong ¶
ZooBC is architected by Roberto Capodieci & Barton Johnston
contact us at roberto.capodieci[at]blockchainzoo.com and barton.johnston[at]blockchainzoo.com
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Index ¶
- Variables
- func CompressPoint(r *Buffer256, p *Point)
- func DecompressPoint(r *Point, b *Buffer256) bool
- func FeAdd(dst, a, b *FieldElement)
- func FeCMove(f, g *FieldElement, b int32)
- func FeCombine(h *FieldElement, h0, h1, h2, h3, h4, h5, h6, h7, h8, h9 int64)
- func FeCopy(dst, src *FieldElement)
- func FeFromBytes(dst *FieldElement, src *[32]byte)
- func FeInvert(out, z *FieldElement)
- func FeIsNegative(f *FieldElement) byte
- func FeIsNonZero(f *FieldElement) int32
- func FeMul(h, f, g *FieldElement)
- func FeNeg(h, f *FieldElement)
- func FeOne(fe *FieldElement)
- func FeSquare(h, f *FieldElement)
- func FeSquare2(h, f *FieldElement)
- func FeSub(dst, a, b *FieldElement)
- func FeToBytes(s *[32]byte, h *FieldElement)
- func FeZero(fe *FieldElement)
- func GeDoubleScalarMultVartime(r *ProjectiveGroupElement, a *[32]byte, A *ExtendedGroupElement, b *[32]byte)
- func GeScalarMultBase(h *ExtendedGroupElement, a *[32]byte)
- func HashToPointVartime(r *Point, x []byte)
- func PointAdd(r, p, q *Point)
- func PointClearCofactor(r, p *Point)
- func PointCopy(r, p *Point)
- func PointEqual(a, b *ExtendedGroupElement) bool
- func PointIdentity(r *Point)
- func PointNeg(r, p *Point)
- func PointSub(r, p, q *Point)
- func PreComputedGroupElementCMove(t, u *PreComputedGroupElement, b int32)
- func ScMinimal(scalar *[32]byte) bool
- func ScMulAdd(s, a, b, c *[32]byte)
- func ScReduce(out *[32]byte, s *[64]byte)
- func ScalarMultBase(r *Point, s *Scalar)
- func ScalarMultPointVartime(r *ExtendedGroupElement, a *[32]byte, p *ExtendedGroupElement)
- func ScalarMultScalar(r, a, b *Scalar)
- func ScalarMultScalarAddScalar(r, a, b, c *Scalar)
- func ScalarReduce512(r *Scalar, b *Buffer512)
- func ValidScalar(s *Scalar) bool
- type Buffer256
- type Buffer512
- type CachedGroupElement
- type CompletedGroupElement
- type ExtendedGroupElement
- func (p *ExtendedGroupElement) Double(r *CompletedGroupElement)
- func (p *ExtendedGroupElement) FromBytes(s *[32]byte) bool
- func (p *ExtendedGroupElement) ToBytes(s *[32]byte)
- func (p *ExtendedGroupElement) ToCached(r *CachedGroupElement)
- func (p *ExtendedGroupElement) ToProjective(r *ProjectiveGroupElement)
- func (p *ExtendedGroupElement) Zero()
- type FieldElement
- type Point
- type PreComputedGroupElement
- type ProjectiveGroupElement
- type Public
- type Scalar
- type Secret
- type Signature
- type VrfProof
- type VrfResult
Constants ¶
This section is empty.
Variables ¶
var A = FieldElement{
486662, 0, 0, 0, 0, 0, 0, 0, 0, 0,
}
A is a constant in the Montgomery-form of curve25519.
var SqrtM1 = FieldElement{
-32595792, -7943725, 9377950, 3500415, 12389472, -272473, -25146209, -2005654, 326686, 11406482,
}
SqrtM1 is the square-root of -1 in the field.
Functions ¶
func CompressPoint ¶
CompressPoint reduces an ExtendedGroupElement Ed25519 curve point representation and reduces it to its 32-byte compressed canonical binary representation. It is a wrapper for the ref10-based function ExtendedGroupElement.ToBytes.
func DecompressPoint ¶
DecompressPoint expands the 32-byte compressed canonical binary representation of an Ed25519 curve point into an ExtendedGroupElement. It is a wrapper for the ref10-based function ExtendedGroupElement.FromBytes.
func FeAdd ¶
func FeAdd(dst, a, b *FieldElement)
func FeCMove ¶
func FeCMove(f, g *FieldElement, b int32)
Replace (f,g) with (g,g) if b == 1; replace (f,g) with (f,g) if b == 0.
Preconditions: b in {0,1}.
func FeCombine ¶
func FeCombine(h *FieldElement, h0, h1, h2, h3, h4, h5, h6, h7, h8, h9 int64)
func FeCopy ¶
func FeCopy(dst, src *FieldElement)
func FeFromBytes ¶
func FeFromBytes(dst *FieldElement, src *[32]byte)
func FeInvert ¶
func FeInvert(out, z *FieldElement)
func FeIsNegative ¶
func FeIsNegative(f *FieldElement) byte
func FeIsNonZero ¶
func FeIsNonZero(f *FieldElement) int32
func FeMul ¶
func FeMul(h, f, g *FieldElement)
FeMul calculates h = f * g Can overlap h with f or g.
Preconditions:
|f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. |g| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
Postconditions:
|h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
Notes on implementation strategy:
Using schoolbook multiplication. Karatsuba would save a little in some cost models.
Most multiplications by 2 and 19 are 32-bit precomputations; cheaper than 64-bit postcomputations.
There is one remaining multiplication by 19 in the carry chain; one *19 precomputation can be merged into this, but the resulting data flow is considerably less clean.
There are 12 carries below. 10 of them are 2-way parallelizable and vectorizable. Can get away with 11 carries, but then data flow is much deeper.
With tighter constraints on inputs, can squeeze carries into int32.
func FeNeg ¶
func FeNeg(h, f *FieldElement)
FeNeg sets h = -f
Preconditions:
|f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
Postconditions:
|h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
func FeOne ¶
func FeOne(fe *FieldElement)
func FeSquare ¶
func FeSquare(h, f *FieldElement)
FeSquare calculates h = f*f. Can overlap h with f.
Preconditions:
|f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
Postconditions:
|h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
func FeSquare2 ¶
func FeSquare2(h, f *FieldElement)
FeSquare2 sets h = 2 * f * f
Can overlap h with f.
Preconditions:
|f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
Postconditions:
|h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
See fe_mul.c for discussion of implementation strategy.
func FeSub ¶
func FeSub(dst, a, b *FieldElement)
func FeToBytes ¶
func FeToBytes(s *[32]byte, h *FieldElement)
FeToBytes marshals h to s. Preconditions:
|h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
Write p=2^255-19; q=floor(h/p). Basic claim: q = floor(2^(-255)(h + 19 2^(-25)h9 + 2^(-1))).
Proof:
Have |h|<=p so |q|<=1 so |19^2 2^(-255) q|<1/4. Also have |h-2^230 h9|<2^230 so |19 2^(-255)(h-2^230 h9)|<1/4. Write y=2^(-1)-19^2 2^(-255)q-19 2^(-255)(h-2^230 h9). Then 0<y<1. Write r=h-pq. Have 0<=r<=p-1=2^255-20. Thus 0<=r+19(2^-255)r<r+19(2^-255)2^255<=2^255-1. Write x=r+19(2^-255)r+y. Then 0<x<2^255 so floor(2^(-255)x) = 0 so floor(q+2^(-255)x) = q. Have q+2^(-255)x = 2^(-255)(h + 19 2^(-25) h9 + 2^(-1)) so floor(2^(-255)(h + 19 2^(-25) h9 + 2^(-1))) = q.
func FeZero ¶
func FeZero(fe *FieldElement)
func GeDoubleScalarMultVartime ¶
func GeDoubleScalarMultVartime(r *ProjectiveGroupElement, a *[32]byte, A *ExtendedGroupElement, b *[32]byte)
GeDoubleScalarMultVartime sets r = a*A + b*B where a = a[0]+256*a[1]+...+256^31 a[31]. and b = b[0]+256*b[1]+...+256^31 b[31]. B is the Ed25519 base point (x,4/5) with x positive.
func GeScalarMultBase ¶
func GeScalarMultBase(h *ExtendedGroupElement, a *[32]byte)
GeScalarMultBase computes h = a*B, where
a = a[0]+256*a[1]+...+256^31 a[31] B is the Ed25519 base point (x,4/5) with x positive.
Preconditions:
a[31] <= 127
func HashToPointVartime ¶
Hash any byte array into a valid Ed25519 curve point, which is in the same subgroup as the Ed25519 base point.
This is a VARIABLE TIME algorithm, meaning that if it is used on inputs which are supposed to be secret, it can potentially reveal information about their value based on how long the function takes to execute. However, when its inputs are public information, then this reveals no information that the attacker does not already possess.
This function is not as nice as Dan Bernstein's "Elligator 2" hash-to-point function, which is constant-time and does not depend on an underlying crytographic hash function.
Basic Algorithm:
ib = sha512(x) ib[0] = 0 P = nil while true: ob = sha512(ib || c) if ( p = decompress( ob[ 0:32] ) ) break if ( p = decompress( ob[32:64] ) ) break ib[0]++ return P
Intuition: initialize a 64-byte "In Buffer" (ib) with the hash of the input (x). Then set the first byte of ib to 0, and consider it a counter. Then run a loop, where at each iteration we store the hash of ib in a 64-byte "Out Buffer" (ob). Consier ob as 2 32-byte buffers, which are each used in one attempt to decode a valid curve point. If either succeeds, keep it as "p", otherwise increment the counter ib[0] and try again. Each attempt has ~50% chance of success, so getting through all 512 attempts (256 values of ib[0] with 2 attempts each) without finding a valid point has probability ~2^-512, which is harder than finding a hash collision (should never happen in practice.) After we find a valid point, return to caller.
func PointAdd ¶
func PointAdd(r, p, q *Point)
PointAdd is a helper function to perform the curve point operation P + Q. This is built using a private function from the ref10-based implementation called "geAdd", which takes an ExtendedGroupElement and a CachedGroupElement, and outputs a CompletedGroupElement, so we normalize the call signature by converting one of our ExtendedGroupElement inputs ito a CachedGroupElement, then converting the resulting CompletedGroupElement back into our normal ExtendedGroupElement.
func PointClearCofactor ¶
func PointClearCofactor(r, p *Point)
PointClearCofactor is a utility which multiplies a curve point by Ed25519's "cofactor", which is 8. This is functionally equivalent to doubling the point 3 times. Clearing the cofactor of a point prevents some malleability which would otherwise allow multiple unique points to have the same mathematical features modulo the group order.
func PointCopy ¶
func PointCopy(r, p *Point)
PointCopy duplicates the data of the input Point into a new Point object.
func PointEqual ¶
func PointEqual(a, b *ExtendedGroupElement) bool
PointEqual compares whether two points are equal. Right now it does this a rather silly way, by serializing both points then checking that the two 32-byte buffers are equal. bzpython: this is done because I don't know the math well enough to say if there are multiple "ExtendedGroupElement" representations of the same value or not, because this representation stores ratios between X, Y and Z points internally.
func PointIdentity ¶
func PointIdentity(r *Point)
PointIdentity is a helper function to "zero" an ExtendedGroupElement curve point representation. This is a wrapper function for ExtendedGroupElement's "Zero" method.
func PointNeg ¶
func PointNeg(r, p *Point)
PointNeg flips the x-axis of an ExtendedGroupElement, such that P' = -P.
func PointSub ¶
func PointSub(r, p, q *Point)
PointSub works the same way as PointAdd, using the ref10-based function "geSub", in order to compute P - Q. Otherwise the representation conversion logic is the same.
func PreComputedGroupElementCMove ¶
func PreComputedGroupElementCMove(t, u *PreComputedGroupElement, b int32)
func ScMulAdd ¶
func ScMulAdd(s, a, b, c *[32]byte)
Input:
a[0]+256*a[1]+...+256^31*a[31] = a b[0]+256*b[1]+...+256^31*b[31] = b c[0]+256*c[1]+...+256^31*c[31] = c
Output:
s[0]+256*s[1]+...+256^31*s[31] = (ab+c) mod l where l = 2^252 + 27742317777372353535851937790883648493.
func ScReduce ¶
Input:
s[0]+256*s[1]+...+256^63*s[63] = s
Output:
s[0]+256*s[1]+...+256^31*s[31] = s mod l where l = 2^252 + 27742317777372353535851937790883648493.
func ScalarMultBase ¶
ScalarMultBase is a wrapper function around the ref10-based implementation's "GeScalarMultBase" function, which takes a Scalar value s, and the implicit Ed25519 base point B, and computes s * B.
func ScalarMultPointVartime ¶
func ScalarMultPointVartime(r *ExtendedGroupElement, a *[32]byte, p *ExtendedGroupElement)
ScalarMultPointVartime performs a "variable-time" multiplication of a scalar with an arbitrary curve point, resulting in a new curve point. bzpython: I just realized this is Vartime, I can't use it a few places.
func ScalarMultScalar ¶
func ScalarMultScalar(r, a, b *Scalar)
ScalarMultScalar performs the scalar operation (a * b). The ref10-based implementation does not support this operation directly, therefore we actually compute the equivalent (ab + 0) using the optimized function "ScMulAdd".
func ScalarMultScalarAddScalar ¶
func ScalarMultScalarAddScalar(r, a, b, c *Scalar)
ScalarMultScalarAddScalar is a wrapper for the ref10-based function "ScMulAdd", an optimized implementation of the scalar operation: (ab + c).
func ScalarReduce512 ¶
ScalarReduce512 takes a 64-byte buffer and "reduces" it "mod q", producing a valid scalar value. When the 64-byte input is a good unbiased random value, then the output scalar is also a (nearly) unbiased random value. This is a wrapper which renames the ref10-based function "ScReduce".
Types ¶
type Buffer256 ¶
type Buffer256 = [32]byte
Buffer256 is syntax sugar for a generic 32-byte (256-bit) buffer.
type Buffer512 ¶
type Buffer512 = [64]byte
Buffer512 is syntax sugar for a generic 64-byte (512-bit) buffer.
type CachedGroupElement ¶
type CachedGroupElement struct {
Z, T2d FieldElement
// contains filtered or unexported fields
}
type CompletedGroupElement ¶
type CompletedGroupElement struct {
X, Y, Z, T FieldElement
}
func (*CompletedGroupElement) ToExtended ¶
func (p *CompletedGroupElement) ToExtended(r *ExtendedGroupElement)
func (*CompletedGroupElement) ToProjective ¶
func (p *CompletedGroupElement) ToProjective(r *ProjectiveGroupElement)
type ExtendedGroupElement ¶
type ExtendedGroupElement struct {
X, Y, Z, T FieldElement
}
func (*ExtendedGroupElement) Double ¶
func (p *ExtendedGroupElement) Double(r *CompletedGroupElement)
func (*ExtendedGroupElement) FromBytes ¶
func (p *ExtendedGroupElement) FromBytes(s *[32]byte) bool
func (*ExtendedGroupElement) ToBytes ¶
func (p *ExtendedGroupElement) ToBytes(s *[32]byte)
func (*ExtendedGroupElement) ToCached ¶
func (p *ExtendedGroupElement) ToCached(r *CachedGroupElement)
func (*ExtendedGroupElement) ToProjective ¶
func (p *ExtendedGroupElement) ToProjective(r *ProjectiveGroupElement)
func (*ExtendedGroupElement) Zero ¶
func (p *ExtendedGroupElement) Zero()
type FieldElement ¶
type FieldElement [10]int32
FieldElement represents an element of the field GF(2^255 - 19). An element t, entries t[0]...t[9], represents the integer t[0]+2^26 t[1]+2^51 t[2]+2^77 t[3]+2^102 t[4]+...+2^230 t[9]. Bounds on each t[i] vary depending on context.
type Point ¶
type Point = ExtendedGroupElement
Point is syntax sugar for an ExtendedGroupElement object, one of the more flexible curve point representations in Golang's ref10-based implementation. Util functions that operate on curve points will make sure to return them back into this format before returning the result to caller.
type PreComputedGroupElement ¶
type PreComputedGroupElement struct {
// contains filtered or unexported fields
}
func (*PreComputedGroupElement) Zero ¶
func (p *PreComputedGroupElement) Zero()
type ProjectiveGroupElement ¶
type ProjectiveGroupElement struct {
X, Y, Z FieldElement
}
func (*ProjectiveGroupElement) Double ¶
func (p *ProjectiveGroupElement) Double(r *CompletedGroupElement)
func (*ProjectiveGroupElement) ToBytes ¶
func (p *ProjectiveGroupElement) ToBytes(s *[32]byte)
func (*ProjectiveGroupElement) ToExtended ¶
func (p *ProjectiveGroupElement) ToExtended(r *ExtendedGroupElement)
ToExtended is a hack that allows recovering an ExtendedGroupElement curve point representation from the ProjectiveGroupElement representation. It does this, highly inefficiently, by serializing the Projective element, then de-serializing the Extended element. bzpython: If I learn a little more about the math or study the deserialization function a little closer, will re-write this transform more efficently. It just needs to recover the Field Element "T" which is lost in the Projective representation.
func (*ProjectiveGroupElement) Zero ¶
func (p *ProjectiveGroupElement) Zero()
type Public ¶
type Public struct {
// contains filtered or unexported fields
}
Public is the working form of an Ed25519 public key.
func PublicFromKey ¶
PublicFromKey is a helper function which takes the 32-byte canonical Ed25519 public key string and converts it into a working form.
func (*Public) Derive ¶
Derive generates child public key from this public key for a given "index" string, such that the corresponding child secret key could be generated by calling Derive on this public key's corresponding secret with the same index.
func (*Public) Key ¶
Key gets the canonical serialized ("compressed") form of the public key, which is typically accepted by Ed25519 applications and protocols, in a 32-byte buffer.
func (*Public) Verify ¶
Verify checks whether the signature sig on the message msg is valid for the Public Key pk, proving it must have been produced by a party which holds the corresponding Secret Key.
func (*Public) VrfVerify ¶
VrfVerify accepts an input x of arbitrary length, a Public Key pk, and a 96-byte "proof" produced by the owner of the corresponding secret key sk. VrfVerify outputs a 32-byte result y, and a verification result bool (note that y will be 32 zero-bytes if the validation fails.)
type Scalar ¶
type Scalar = [32]byte
Scalar is syntax sugar for a 32-byte buffer, used to inidicate that it contains a "scalar" with maximum size of the group order of Ed25519. Usually a Scalar will be multiplied by a curve point.
type Secret ¶
type Secret struct {
// contains filtered or unexported fields
}
Secret is the workinig form of an Ed25519 priivte key.
func SecretFromKey ¶
SecretFromKey is a helper function which builds a working form of the Secret Key from its 64-byte serialized form.
func SecretFromSeed ¶
SecretFromSeed is a helper function which derives a working form of the Secret Key from a 32-byte seed by the original Ed25519 algorithm. This allows full compatibility with other Ed25519 implementations.
func (*Secret) Derive ¶
Derive has two modes for Secret Keys, which we can call "public" derivation and "secret" derivation. "Public" derivation allows a child keypair to be derived for an index string such that the public key can also be derived from this secret's public key with the same index. "Secret" derivation takes an extra arbitrary byte string, "skey", and derives a new keypair for a given (index, skey) pair. The public key of a "secret" child key cannot be identified with a parent public key.
func (*Secret) Key ¶
Key gets a 64-byte serialized representation of the private key data. Note, this is NOT in the canonical form, which either stores the 32-byte seed, or the seed concatenated by the 32-byte serialized public key. Instead, this form stores the private scalar and prefix directly, and does not store the original seed. This is a much more useful format for derived keys, for which the seed which would generate them is infeasible to find.
func (*Secret) Prefix ¶
Prefix gets the private "prefix" of the secret key. While not strictly needed to produce valid signatures, this value is used in the secret deterministic selection of nonces for each signature produced. Leaking it could result in an adversary being able to compute the private scalar from any valid signature.
func (*Secret) Scalar ¶
Scalar gets the private "scalar" of the secret key. This is the key piece of data which allows valid signatures to be produced for the public key.
func (*Secret) Sign ¶
Sign produces a standard Ed25519 signature by the Secret Key sk on the message msg. Such a valid signature on msg can only be produced by a party holding sk, although it can be verified by any party holding the corresponding Public Key.
func (*Secret) VrfEval ¶
VrfEval accepts an input x of arbitrary length, along with a Secret Key sk, and produces a 32-byte deterministic pseudo-random output y, along wiith a 96-byte "proof" that y is the exact correct output for the input pair (sk, x). The output y cannot be predicted by any party who does not possess the secret key sk, but given the "proof", can be verified by any party which possesses the corresponding public key.
type Signature ¶
type Signature = [64]byte
Signature is syntax sugar for a 64-byte buffer, used in the code to indicate it is intended to contain an Ed25519 signature.