zed

package
v0.0.0-...-bb9b9f1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 29, 2020 License: MIT Imports: 5 Imported by: 1

Documentation

Overview

package ed25519

ZooBC zed25519

Copyright © 2020 Quasisoft Limited - Hong Kong

ZooBC is architected by Roberto Capodieci & Barton Johnston 

contact us at roberto.capodieci[at]blockchainzoo.com
and barton.johnston[at]blockchainzoo.com

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

package ed25519

ZooBC zed25519

Copyright © 2020 Quasisoft Limited - Hong Kong

ZooBC is architected by Roberto Capodieci & Barton Johnston 

contact us at roberto.capodieci[at]blockchainzoo.com
and barton.johnston[at]blockchainzoo.com

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

ZooBC zed25519

Copyright © 2020 Quasisoft Limited - Hong Kong

ZooBC is architected by Roberto Capodieci & Barton Johnston 

contact us at roberto.capodieci[at]blockchainzoo.com
and barton.johnston[at]blockchainzoo.com

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

ZooBC zed25519

Copyright © 2020 Quasisoft Limited - Hong Kong

ZooBC is architected by Roberto Capodieci & Barton Johnston 

contact us at roberto.capodieci[at]blockchainzoo.com
and barton.johnston[at]blockchainzoo.com

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

ZooBC zed25519

Copyright © 2020 Quasisoft Limited - Hong Kong

ZooBC is architected by Roberto Capodieci & Barton Johnston 

contact us at roberto.capodieci[at]blockchainzoo.com
and barton.johnston[at]blockchainzoo.com

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Index

Constants

This section is empty.

Variables

View Source 
var A = FieldElement{
	486662, 0, 0, 0, 0, 0, 0, 0, 0, 0,
}

A is a constant in the Montgomery-form of curve25519.

View Source 
var SqrtM1 = FieldElement{
	-32595792, -7943725, 9377950, 3500415, 12389472, -272473, -25146209, -2005654, 326686, 11406482,
}

SqrtM1 is the square-root of -1 in the field.

Functions

func CompressPoint 

func CompressPoint(r *Buffer256, p *Point)

CompressPoint reduces an ExtendedGroupElement Ed25519 curve point representation and reduces it to its 32-byte compressed canonical binary representation. It is a wrapper for the ref10-based function ExtendedGroupElement.ToBytes.

func DecompressPoint 

func DecompressPoint(r *Point, b *Buffer256) bool

DecompressPoint expands the 32-byte compressed canonical binary representation of an Ed25519 curve point into an ExtendedGroupElement. It is a wrapper for the ref10-based function ExtendedGroupElement.FromBytes.

func FeAdd 

func FeAdd(dst, a, b *FieldElement)

func FeCMove 

func FeCMove(f, g *FieldElement, b int32)

Replace (f,g) with (g,g) if b == 1; replace (f,g) with (f,g) if b == 0.

Preconditions: b in {0,1}.

func FeCombine 

func FeCombine(h *FieldElement, h0, h1, h2, h3, h4, h5, h6, h7, h8, h9 int64)

func FeCopy 

func FeCopy(dst, src *FieldElement)

func FeFromBytes 

func FeFromBytes(dst *FieldElement, src *[32]byte)

func FeInvert 

func FeInvert(out, z *FieldElement)

func FeIsNegative 

func FeIsNegative(f *FieldElement) byte

func FeIsNonZero 

func FeIsNonZero(f *FieldElement) int32

func FeMul 

func FeMul(h, f, g *FieldElement)

FeMul calculates h = f * g Can overlap h with f or g.

Preconditions: 

|f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
|g| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.

Postconditions: 

|h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.

Notes on implementation strategy:

Using schoolbook multiplication. Karatsuba would save a little in some cost models.

Most multiplications by 2 and 19 are 32-bit precomputations; cheaper than 64-bit postcomputations.

There is one remaining multiplication by 19 in the carry chain; one *19 precomputation can be merged into this, but the resulting data flow is considerably less clean.

There are 12 carries below. 10 of them are 2-way parallelizable and vectorizable. Can get away with 11 carries, but then data flow is much deeper.

With tighter constraints on inputs, can squeeze carries into int32.

func FeNeg 

func FeNeg(h, f *FieldElement)

FeNeg sets h = -f

Preconditions: 

|f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.

Postconditions: 

|h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.

func FeOne 

func FeOne(fe *FieldElement)

func FeSquare 

func FeSquare(h, f *FieldElement)

FeSquare calculates h = f*f. Can overlap h with f.

Preconditions: 

|f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.

Postconditions: 

|h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.

func FeSquare2 

func FeSquare2(h, f *FieldElement)

FeSquare2 sets h = 2 * f * f

Can overlap h with f.

Preconditions: 

|f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.

Postconditions: 

|h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.

See fe_mul.c for discussion of implementation strategy.

func FeSub 

func FeSub(dst, a, b *FieldElement)

func FeToBytes 

func FeToBytes(s *[32]byte, h *FieldElement)

FeToBytes marshals h to s. Preconditions: 

|h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.

Write p=2^255-19; q=floor(h/p). Basic claim: q = floor(2^(-255)(h + 19 2^(-25)h9 + 2^(-1))).

Proof: 

Have |h|<=p so |q|<=1 so |19^2 2^(-255) q|<1/4.
Also have |h-2^230 h9|<2^230 so |19 2^(-255)(h-2^230 h9)|<1/4.

Write y=2^(-1)-19^2 2^(-255)q-19 2^(-255)(h-2^230 h9).
Then 0<y<1.

Write r=h-pq.
Have 0<=r<=p-1=2^255-20.
Thus 0<=r+19(2^-255)r<r+19(2^-255)2^255<=2^255-1.

Write x=r+19(2^-255)r+y.
Then 0<x<2^255 so floor(2^(-255)x) = 0 so floor(q+2^(-255)x) = q.

Have q+2^(-255)x = 2^(-255)(h + 19 2^(-25) h9 + 2^(-1))
so floor(2^(-255)(h + 19 2^(-25) h9 + 2^(-1))) = q.

func FeZero 

func FeZero(fe *FieldElement)

func GeDoubleScalarMultVartime 

func GeDoubleScalarMultVartime(r *ProjectiveGroupElement, a *[32]byte, A *ExtendedGroupElement, b *[32]byte)

GeDoubleScalarMultVartime sets r = a*A + b*B where a = a[0]+256*a[1]+...+256^31 a[31]. and b = b[0]+256*b[1]+...+256^31 b[31]. B is the Ed25519 base point (x,4/5) with x positive.

func GeScalarMultBase 

func GeScalarMultBase(h *ExtendedGroupElement, a *[32]byte)

GeScalarMultBase computes h = a*B, where 

a = a[0]+256*a[1]+...+256^31 a[31]
B is the Ed25519 base point (x,4/5) with x positive.

Preconditions: 

a[31] <= 127

func HashToPointVartime 

func HashToPointVartime(r *Point, x []byte)

Hash any byte array into a valid Ed25519 curve point, which is in the same subgroup as the Ed25519 base point.

This is a VARIABLE TIME algorithm, meaning that if it is used on inputs which are supposed to be secret, it can potentially reveal information about their value based on how long the function takes to execute. However, when its inputs are public information, then this reveals no information that the attacker does not already possess.

This function is not as nice as Dan Bernstein's "Elligator 2" hash-to-point function, which is constant-time and does not depend on an underlying crytographic hash function.

Basic Algorithm: 

ib = sha512(x)
ib[0] = 0
P = nil
while true:
  ob = sha512(ib || c)
  if ( p = decompress( ob[ 0:32] ) ) break
  if ( p = decompress( ob[32:64] ) ) break
  ib[0]++
return P

Intuition: initialize a 64-byte "In Buffer" (ib) with the hash of the input (x). Then set the first byte of ib to 0, and consider it a counter. Then run a loop, where at each iteration we store the hash of ib in a 64-byte "Out Buffer" (ob). Consier ob as 2 32-byte buffers, which are each used in one attempt to decode a valid curve point. If either succeeds, keep it as "p", otherwise increment the counter ib[0] and try again. Each attempt has ~50% chance of success, so getting through all 512 attempts (256 values of ib[0] with 2 attempts each) without finding a valid point has probability ~2^-512, which is harder than finding a hash collision (should never happen in practice.) After we find a valid point, return to caller.

func PointAdd 

func PointAdd(r, p, q *Point)

PointAdd is a helper function to perform the curve point operation P + Q. This is built using a private function from the ref10-based implementation called "geAdd", which takes an ExtendedGroupElement and a CachedGroupElement, and outputs a CompletedGroupElement, so we normalize the call signature by converting one of our ExtendedGroupElement inputs ito a CachedGroupElement, then converting the resulting CompletedGroupElement back into our normal ExtendedGroupElement.

func PointClearCofactor 

func PointClearCofactor(r, p *Point)

PointClearCofactor is a utility which multiplies a curve point by Ed25519's "cofactor", which is 8. This is functionally equivalent to doubling the point 3 times. Clearing the cofactor of a point prevents some malleability which would otherwise allow multiple unique points to have the same mathematical features modulo the group order.

func PointCopy 

func PointCopy(r, p *Point)

PointCopy duplicates the data of the input Point into a new Point object.

func PointEqual 

func PointEqual(a, b *ExtendedGroupElement) bool

PointEqual compares whether two points are equal. Right now it does this a rather silly way, by serializing both points then checking that the two 32-byte buffers are equal. bzpython: this is done because I don't know the math well enough to say if there are multiple "ExtendedGroupElement" representations of the same value or not, because this representation stores ratios between X, Y and Z points internally.

func PointIdentity 

func PointIdentity(r *Point)

PointIdentity is a helper function to "zero" an ExtendedGroupElement curve point representation. This is a wrapper function for ExtendedGroupElement's "Zero" method.

func PointNeg 

func PointNeg(r, p *Point)

PointNeg flips the x-axis of an ExtendedGroupElement, such that P' = -P.

func PointSub 

func PointSub(r, p, q *Point)

PointSub works the same way as PointAdd, using the ref10-based function "geSub", in order to compute P - Q. Otherwise the representation conversion logic is the same.

func PreComputedGroupElementCMove 

func PreComputedGroupElementCMove(t, u *PreComputedGroupElement, b int32)

func ScMinimal 

func ScMinimal(scalar *[32]byte) bool

ScMinimal returns true if the given scalar is less than the order of the curve.

func ScMulAdd 

func ScMulAdd(s, a, b, c *[32]byte)

Input: 

a[0]+256*a[1]+...+256^31*a[31] = a
b[0]+256*b[1]+...+256^31*b[31] = b
c[0]+256*c[1]+...+256^31*c[31] = c

Output: 

s[0]+256*s[1]+...+256^31*s[31] = (ab+c) mod l
where l = 2^252 + 27742317777372353535851937790883648493.

func ScReduce 

func ScReduce(out *[32]byte, s *[64]byte)

Input: 

s[0]+256*s[1]+...+256^63*s[63] = s

Output: 

s[0]+256*s[1]+...+256^31*s[31] = s mod l
where l = 2^252 + 27742317777372353535851937790883648493.

func ScalarMultBase 

func ScalarMultBase(r *Point, s *Scalar)

ScalarMultBase is a wrapper function around the ref10-based implementation's "GeScalarMultBase" function, which takes a Scalar value s, and the implicit Ed25519 base point B, and computes s * B.

func ScalarMultPointVartime 

func ScalarMultPointVartime(r *ExtendedGroupElement, a *[32]byte, p *ExtendedGroupElement)

ScalarMultPointVartime performs a "variable-time" multiplication of a scalar with an arbitrary curve point, resulting in a new curve point. bzpython: I just realized this is Vartime, I can't use it a few places.

func ScalarMultScalar 

func ScalarMultScalar(r, a, b *Scalar)

ScalarMultScalar performs the scalar operation (a * b). The ref10-based implementation does not support this operation directly, therefore we actually compute the equivalent (ab + 0) using the optimized function "ScMulAdd".

func ScalarMultScalarAddScalar 

func ScalarMultScalarAddScalar(r, a, b, c *Scalar)

ScalarMultScalarAddScalar is a wrapper for the ref10-based function "ScMulAdd", an optimized implementation of the scalar operation: (ab + c).

func ScalarReduce512 

func ScalarReduce512(r *Scalar, b *Buffer512)

ScalarReduce512 takes a 64-byte buffer and "reduces" it "mod q", producing a valid scalar value. When the 64-byte input is a good unbiased random value, then the output scalar is also a (nearly) unbiased random value. This is a wrapper which renames the ref10-based function "ScReduce".

func ValidScalar 

func ValidScalar(s *Scalar) bool

TODO: Understand this function better.

Types

type Buffer256 

type Buffer256 = [32]byte

Buffer256 is syntax sugar for a generic 32-byte (256-bit) buffer.

type Buffer512 

type Buffer512 = [64]byte

Buffer512 is syntax sugar for a generic 64-byte (512-bit) buffer.

type CachedGroupElement 

type CachedGroupElement struct {
	Z, T2d FieldElement
	// contains filtered or unexported fields
}

type CompletedGroupElement 

type CompletedGroupElement struct {
	X, Y, Z, T FieldElement
}

func (*CompletedGroupElement) ToExtended 

func (p *CompletedGroupElement) ToExtended(r *ExtendedGroupElement)

func (*CompletedGroupElement) ToProjective 

func (p *CompletedGroupElement) ToProjective(r *ProjectiveGroupElement)

type ExtendedGroupElement 

type ExtendedGroupElement struct {
	X, Y, Z, T FieldElement
}

func (*ExtendedGroupElement) Double 

func (p *ExtendedGroupElement) Double(r *CompletedGroupElement)

func (*ExtendedGroupElement) FromBytes 

func (p *ExtendedGroupElement) FromBytes(s *[32]byte) bool

func (*ExtendedGroupElement) ToBytes 

func (p *ExtendedGroupElement) ToBytes(s *[32]byte)

func (*ExtendedGroupElement) ToCached 

func (p *ExtendedGroupElement) ToCached(r *CachedGroupElement)

func (*ExtendedGroupElement) ToProjective 

func (p *ExtendedGroupElement) ToProjective(r *ProjectiveGroupElement)

func (*ExtendedGroupElement) Zero 

func (p *ExtendedGroupElement) Zero()

type FieldElement 

type FieldElement [10]int32

FieldElement represents an element of the field GF(2^255 - 19). An element t, entries t[0]...t[9], represents the integer t[0]+2^26 t[1]+2^51 t[2]+2^77 t[3]+2^102 t[4]+...+2^230 t[9]. Bounds on each t[i] vary depending on context.

type Point 

type Point = ExtendedGroupElement

Point is syntax sugar for an ExtendedGroupElement object, one of the more flexible curve point representations in Golang's ref10-based implementation. Util functions that operate on curve points will make sure to return them back into this format before returning the result to caller.

type PreComputedGroupElement 

type PreComputedGroupElement struct {
	// contains filtered or unexported fields
}

func (*PreComputedGroupElement) Zero 

func (p *PreComputedGroupElement) Zero()

type ProjectiveGroupElement 

type ProjectiveGroupElement struct {
	X, Y, Z FieldElement
}

func (*ProjectiveGroupElement) Double 

func (p *ProjectiveGroupElement) Double(r *CompletedGroupElement)

func (*ProjectiveGroupElement) ToBytes 

func (p *ProjectiveGroupElement) ToBytes(s *[32]byte)

func (*ProjectiveGroupElement) ToExtended 

func (p *ProjectiveGroupElement) ToExtended(r *ExtendedGroupElement)

ToExtended is a hack that allows recovering an ExtendedGroupElement curve point representation from the ProjectiveGroupElement representation. It does this, highly inefficiently, by serializing the Projective element, then de-serializing the Extended element. bzpython: If I learn a little more about the math or study the deserialization function a little closer, will re-write this transform more efficently. It just needs to recover the Field Element "T" which is lost in the Projective representation.

func (*ProjectiveGroupElement) Zero 

func (p *ProjectiveGroupElement) Zero()

type Public 

type Public struct {
	// contains filtered or unexported fields
}

Public is the working form of an Ed25519 public key.

func PublicFromKey 

func PublicFromKey(key []byte) *Public

PublicFromKey is a helper function which takes the 32-byte canonical Ed25519 public key string and converts it into a working form.

func (*Public) Derive 

func (pk *Public) Derive(index []byte) *Public

Derive generates child public key from this public key for a given "index" string, such that the corresponding child secret key could be generated by calling Derive on this public key's corresponding secret with the same index.

func (*Public) Key 

func (pk *Public) Key() Buffer256

Key gets the canonical serialized ("compressed") form of the public key, which is typically accepted by Ed25519 applications and protocols, in a 32-byte buffer.

func (*Public) Point 

func (pk *Public) Point() Point

Point gets the Ed25519 curve point of the public key.

func (*Public) Verify 

func (pk *Public) Verify(msg, sig []byte) bool

Verify checks whether the signature sig on the message msg is valid for the Public Key pk, proving it must have been produced by a party which holds the corresponding Secret Key.

func (*Public) VrfVerify 

func (pk *Public) VrfVerify(x, proof []byte) (VrfResult, bool)

VrfVerify accepts an input x of arbitrary length, a Public Key pk, and a 96-byte "proof" produced by the owner of the corresponding secret key sk. VrfVerify outputs a 32-byte result y, and a verification result bool (note that y will be 32 zero-bytes if the validation fails.)

type Scalar 

type Scalar = [32]byte

Scalar is syntax sugar for a 32-byte buffer, used to inidicate that it contains a "scalar" with maximum size of the group order of Ed25519. Usually a Scalar will be multiplied by a curve point.

type Secret 

type Secret struct {
	// contains filtered or unexported fields
}

Secret is the workinig form of an Ed25519 priivte key.

func SecretFromKey 

func SecretFromKey(key []byte) *Secret

SecretFromKey is a helper function which builds a working form of the Secret Key from its 64-byte serialized form.

func SecretFromSeed 

func SecretFromSeed(seed []byte) *Secret

SecretFromSeed is a helper function which derives a working form of the Secret Key from a 32-byte seed by the original Ed25519 algorithm. This allows full compatibility with other Ed25519 implementations.

func (*Secret) Derive 

func (sk *Secret) Derive(index, skey []byte) *Secret

Derive has two modes for Secret Keys, which we can call "public" derivation and "secret" derivation. "Public" derivation allows a child keypair to be derived for an index string such that the public key can also be derived from this secret's public key with the same index. "Secret" derivation takes an extra arbitrary byte string, "skey", and derives a new keypair for a given (index, skey) pair. The public key of a "secret" child key cannot be identified with a parent public key.

func (*Secret) Key 

func (sk *Secret) Key() Buffer512

Key gets a 64-byte serialized representation of the private key data. Note, this is NOT in the canonical form, which either stores the 32-byte seed, or the seed concatenated by the 32-byte serialized public key. Instead, this form stores the private scalar and prefix directly, and does not store the original seed. This is a much more useful format for derived keys, for which the seed which would generate them is infeasible to find.

func (*Secret) Prefix 

func (sk *Secret) Prefix() Buffer256

Prefix gets the private "prefix" of the secret key. While not strictly needed to produce valid signatures, this value is used in the secret deterministic selection of nonces for each signature produced. Leaking it could result in an adversary being able to compute the private scalar from any valid signature.

func (*Secret) Public 

func (sk *Secret) Public() *Public

Public creates the corresponding public key object for this secret key.

func (*Secret) Scalar 

func (sk *Secret) Scalar() Scalar

Scalar gets the private "scalar" of the secret key. This is the key piece of data which allows valid signatures to be produced for the public key.

func (*Secret) Sign 

func (sk *Secret) Sign(msg []byte) Signature

Sign produces a standard Ed25519 signature by the Secret Key sk on the message msg. Such a valid signature on msg can only be produced by a party holding sk, although it can be verified by any party holding the corresponding Public Key.

func (*Secret) VrfEval 

func (sk *Secret) VrfEval(x []byte) (VrfResult, VrfProof)

VrfEval accepts an input x of arbitrary length, along with a Secret Key sk, and produces a 32-byte deterministic pseudo-random output y, along wiith a 96-byte "proof" that y is the exact correct output for the input pair (sk, x). The output y cannot be predicted by any party who does not possess the secret key sk, but given the "proof", can be verified by any party which possesses the corresponding public key.

type Signature 

type Signature = [64]byte

Signature is syntax sugar for a 64-byte buffer, used in the code to indicate it is intended to contain an Ed25519 signature.

type VrfProof 

type VrfProof = [96]byte

VrfProof is syntax sugar for a 96-byte buffer, used to indicate that the buffer is a "proof" string generated by calling VrfEval, which can be used with VrfVerify to re-generate the VrfResult.

type VrfResult 

type VrfResult = [32]byte

VrfResult is syntax sugar for a 32-byte buffer, used to indicate that a buffer is the output pseudo-random result of a VRF evaluation or proof.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.