Documentation
¶
Overview ¶
Package edwards25519 implements group logic for the twisted Edwards curve
-x^2 + y^2 = 1 + -(121665/121666)*x^2*y^2
This is better known as the Edwards curve equivalent to Curve25519, and is the curve used by the Ed25519 signature scheme.
Most users don't need this package, and should instead use crypto/ed25519 for signatures, golang.org/x/crypto/curve25519 for Diffie-Hellman, or github.com/gtank/ristretto255 for prime order group logic.
However, developers who do need to interact with low-level edwards25519 operations can use filippo.io/edwards25519, an extended version of this package repackaged as an importable module.
(Note that filippo.io/edwards25519 and github.com/gtank/ristretto255 are not maintained by the Go team and are not covered by the Go 1 Compatibility Promise.)
Index ¶
- type Point
- func (v *Point) Add(p, q *Point) *Point
- func (v *Point) Bytes() []byte
- func (v *Point) Equal(u *Point) int
- func (v *Point) Negate(p *Point) *Point
- func (v *Point) ScalarBaseMult(x *Scalar) *Point
- func (v *Point) ScalarMult(x *Scalar, q *Point) *Point
- func (v *Point) Set(u *Point) *Point
- func (v *Point) SetBytes(x []byte) (*Point, error)
- func (v *Point) Subtract(p, q *Point) *Point
- func (v *Point) VarTimeDoubleScalarBaseMult(a *Scalar, A *Point, b *Scalar) *Point
- type Scalar
- func (s *Scalar) Add(x, y *Scalar) *Scalar
- func (s *Scalar) Bytes() []byte
- func (s *Scalar) Equal(t *Scalar) int
- func (s *Scalar) Multiply(x, y *Scalar) *Scalar
- func (s *Scalar) MultiplyAdd(x, y, z *Scalar) *Scalar
- func (s *Scalar) Negate(x *Scalar) *Scalar
- func (s *Scalar) Set(x *Scalar) *Scalar
- func (s *Scalar) SetBytesWithClamping(x []byte) *Scalar
- func (s *Scalar) SetCanonicalBytes(x []byte) (*Scalar, error)
- func (s *Scalar) SetUniformBytes(x []byte) *Scalar
- func (s *Scalar) Subtract(x, y *Scalar) *Scalar
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Point ¶ added in go1.17
type Point struct {
// contains filtered or unexported fields
}
Point represents a point on the edwards25519 curve.
This type works similarly to math/big.Int, and all arguments and receivers are allowed to alias.
The zero value is NOT valid, and it may be used only as a receiver.
func NewGeneratorPoint ¶ added in go1.17
func NewGeneratorPoint() *Point
NewGeneratorPoint returns a new Point set to the canonical generator.
func NewIdentityPoint ¶ added in go1.17
func NewIdentityPoint() *Point
NewIdentityPoint returns a new Point set to the identity.
func (*Point) Bytes ¶ added in go1.17
Bytes returns the canonical 32-byte encoding of v, according to RFC 8032, Section 5.1.2.
func (*Point) ScalarBaseMult ¶ added in go1.17
ScalarBaseMult sets v = x * B, where B is the canonical generator, and returns v.
The scalar multiplication is done in constant time.
func (*Point) ScalarMult ¶ added in go1.17
ScalarMult sets v = x * q, and returns v.
The scalar multiplication is done in constant time.
func (*Point) SetBytes ¶ added in go1.17
SetBytes sets v = x, where x is a 32-byte encoding of v. If x does not represent a valid point on the curve, SetBytes returns nil and an error and the receiver is unchanged. Otherwise, SetBytes returns v.
Note that SetBytes accepts all non-canonical encodings of valid points. That is, it follows decoding rules that match most implementations in the ecosystem rather than RFC 8032.
type Scalar ¶ added in go1.17
type Scalar struct {
// contains filtered or unexported fields
}
A Scalar is an integer modulo
l = 2^252 + 27742317777372353535851937790883648493
which is the prime order of the edwards25519 group.
This type works similarly to math/big.Int, and all arguments and receivers are allowed to alias.
The zero value is a valid zero element.
func (*Scalar) Bytes ¶ added in go1.17
Bytes returns the canonical 32-byte little-endian encoding of s.
func (*Scalar) MultiplyAdd ¶ added in go1.17
MultiplyAdd sets s = x * y + z mod l, and returns s.
func (*Scalar) SetBytesWithClamping ¶ added in go1.17
SetBytesWithClamping applies the buffer pruning described in RFC 8032, Section 5.1.5 (also known as clamping) and sets s to the result. The input must be 32 bytes, and it is not modified.
Note that since Scalar values are always reduced modulo the prime order of the curve, the resulting value will not preserve any of the cofactor-clearing properties that clamping is meant to provide. It will however work as expected as long as it is applied to points on the prime order subgroup, like in Ed25519. In fact, it is lost to history why RFC 8032 adopted the irrelevant RFC 7748 clamping, but it is now required for compatibility.
func (*Scalar) SetCanonicalBytes ¶ added in go1.17
SetCanonicalBytes sets s = x, where x is a 32-byte little-endian encoding of s, and returns s. If x is not a canonical encoding of s, SetCanonicalBytes returns nil and an error, and the receiver is unchanged.
func (*Scalar) SetUniformBytes ¶ added in go1.17
SetUniformBytes sets s to an uniformly distributed value given 64 uniformly distributed random bytes.
Source Files
Directories