ed448

package module
v1.0.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 20, 2022 License: GPL-3.0 Imports: 14 Imported by: 1

README

ED448-goldilocks

This is an implementation of the Edwards elliptic curve with a field size of 448, as described by Mike Hamburg in his paper "Ed448-Goldilocks, a new elliptic curve".

Disclaimer

This code is provided as is and does not have any warranty. Use it at your own risk.

License

GNU General Public License v3.0

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var (
	// Cofactor is the ratio between the order of the group (p) and the one
	// from the subgroup (q).
	Cofactor = byte(4)

	//ScalarQ is the prime order of the curve (q).
	ScalarQ = &scalar{
		0xab5844f3, 0x2378c292, 0x8dc58f55, 0x216cc272,
		0xaed63690, 0xc44edb49, 0x7cca23e9, 0xffffffff,
		0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff,
		0xffffffff, 0x3fffffff,
	}

	//BasePoint is the base point of the curve.
	BasePoint = &twExtendedPoint{
		&bigNumber{
			0x0ffffffe, 0x0fffffff, 0x0fffffff, 0x0fffffff,
			0x0fffffff, 0x0fffffff, 0x0fffffff, 0x0fffffff,
			0x00000003, 0x00000000, 0x00000000, 0x00000000,
			0x00000000, 0x00000000, 0x00000000, 0x00000000,
		},
		&bigNumber{
			0x0f752992, 0x081e6d37, 0x01c28721, 0x03078ead,
			0x0394666c, 0x0135cfd2, 0x00506061, 0x041149c5,
			0x0f5490b3, 0x031d30e4, 0x090dc141, 0x09020149,
			0x04c1e328, 0x052341b0, 0x03c10a1b, 0x01423785,
		},
		&bigNumber{
			0x0ffffffb, 0x0fffffff, 0x0fffffff, 0x0fffffff,
			0x0fffffff, 0x0fffffff, 0x0fffffff, 0x0fffffff,
			0x0ffffffe, 0x0fffffff, 0x0fffffff, 0x0fffffff,
			0x0fffffff, 0x0fffffff, 0x0fffffff, 0x0fffffff,
		},
		&bigNumber{
			0x00660415, 0x08f205b7, 0x0fd3824f, 0x0881c60c,
			0x0d08500d, 0x0377a638, 0x04672615, 0x08c66d5d,
			0x08e08e13, 0x0e52fa55, 0x01b6983d, 0x087770ae,
			0x0a0aa7ff, 0x04388f55, 0x05cf1a91, 0x0b4d9a78,
		},
	}
)
View Source 
var Basepoint []byte

Basepoint is the generator for curve448 in montgomery form

Functions

func DSASign 

func DSASign(sym [57]byte, pub Point, msg []byte) [114]byte

DSASign implements EdDSA style signing for Ed448 - equivalent of goldilocks_ed448_sign

func DSAVerify 

func DSAVerify(sig [114]byte, pub Point, msg []byte) bool

DSAVerify implements EdDSA style verifying for Ed448 equivalent of goldilocks_ed48_verify

func Ed448DeriveSecret 

func Ed448DeriveSecret(pubkey PublicKey, privkey PrivateKey) [56]byte

func Ed448Sign 

func Ed448Sign(privkey PrivateKey, message []byte) [114]byte

func Ed448Verify 

func Ed448Verify(pubkey PublicKey, signature, message []byte) bool

func EdPrivateKeyToX448 

func EdPrivateKeyToX448(edKey PrivateKey) [56]byte

func EdPublicKeyToX448 

func EdPublicKeyToX448(edKey PublicKey) [56]byte

func GenerateSeed 

func GenerateSeed(reader io.Reader) ([]uint8, error)

func LadderScalarBaseMult 

func LadderScalarBaseMult(curve GoldilocksCurve, k []byte) (*big.Int, *big.Int)

LadderScalarBaseMult returns k*G, where G is the base point of the group and k is an integer in big-endian form.

func LadderScalarMult 

func LadderScalarMult(curve GoldilocksCurve, x1, y1 *big.Int, k []byte) (*big.Int, *big.Int)

LadderScalarMult returns k*(Bx,By) where k is a number in little-endian form. This uses the montgomery ladder

func SHA512Hash 

func SHA512Hash(password, salt []uint8) []uint8

func SignSecretAndNonce 

func SignSecretAndNonce(secret, n PrivateKey, msg []byte) [114]byte

func SignWithPrivate 

func SignWithPrivate(privkey PrivateKey, message []byte) [114]byte

func ToMontgomeryCurve 

func ToMontgomeryCurve(x, y *big.Int) (*big.Int, *big.Int)

ToMontgomeryCurve converts from Weierstrass to Montgomery

func ToWeierstrassCurve 

func ToWeierstrassCurve(p, u, v *big.Int) (*big.Int, *big.Int, *big.Int)

ToWeierstrassCurve converts from Montgomery form to Weierstrass

Types

type Curve 

type Curve interface {
	GenerateKeys(read io.Reader) (priv [privKeyBytes]byte, pub [pubKeyBytes]byte, ok bool)
	Sign(priv [privKeyBytes]byte, message []byte) (signature [signatureBytes]byte, ok bool)
	Verify(signature [signatureBytes]byte, message []byte, pub [pubKeyBytes]byte) (valid bool)
	ComputeSecret(private [privKeyBytes]byte, public [pubKeyBytes]byte) (secret [sha512.Size]byte)
}

Curve is the interface that wraps the basic curve methods. TODO It would be better with the use of privateKey and publicKey types.

func NewCurve 

func NewCurve() Curve

NewCurve returns a Curve.

type Curve25519 

type Curve25519 interface {
	elliptic.Curve
}

A Curve25519 represents the curve25519.

func CurveP25519 

func CurveP25519() Curve25519

CurveP25519 returns a Curve which implements curve448

type Curve25519Params 

type Curve25519Params struct {
	// contains filtered or unexported fields
}

Curve25519Params contains the parameters of an elliptic curve and also provides a generic, non-constant time implementation of Curve. These are the Montgomery params.

func (*Curve25519Params) Add 

func (curve *Curve25519Params) Add(x1, y1, x2, y2 *big.Int) (*big.Int, *big.Int)

Add adds two points in montgomery x3 = ((y2-y1)^2/(x2-x1)^2)-A-x1-x2 y3 = (2*x1+x2+a)*(y2-y1)/(x2-x1)-b*(y2-y1)3/(x2-x1)3-y1 See: https://www.hyperelliptic.org/EFD/g1p/auto-montgom.html

func (*Curve25519Params) Double 

func (curve *Curve25519Params) Double(x1, y1 *big.Int) (*big.Int, *big.Int)

Double doubles two points in montgomery x3 = b*(3*x12+2*a*x1+1)2/(2*b*y1)2-a-x1-x1 y3 = (2*x1+x1+a)*(3*x12+2*a*x1+1)/(2*b*y1)-b*(3*x12+2*a*x1+1)3/(2*b*y1)3-y1 See: https://www.hyperelliptic.org/EFD/g1p/auto-montgom.html

func (*Curve25519Params) IsOnCurve 

func (curve *Curve25519Params) IsOnCurve(x, y *big.Int) bool

IsOnCurve verifies if a given point in montgomery is valid v^2 = u^3 + A*u^2 + u

func (*Curve25519Params) Params 

func (curve *Curve25519Params) Params() *elliptic.CurveParams

Params returns the parameters for the curve.

func (*Curve25519Params) ScalarBaseMult 

func (curve *Curve25519Params) ScalarBaseMult(k []byte) (*big.Int, *big.Int)

ScalarBaseMult returns k*(Bx,By) where k is a number in little-endian form.

func (*Curve25519Params) ScalarMult 

func (curve *Curve25519Params) ScalarMult(x1, y1 *big.Int, k []byte) (*big.Int, *big.Int)

ScalarMult returns k*(Bx,By) where k is a number in little-endian form.

type CurveParams 

type CurveParams struct {
	// contains filtered or unexported fields
}

CurveParams contains the parameters of an elliptic curve and also provides a generic, non-constant time implementation of Curve. These are the Montgomery params.

func (*CurveParams) Add 

func (curve *CurveParams) Add(x1, y1, x2, y2 *big.Int) (*big.Int, *big.Int)

Add adds two points in montgomery x3 = ((y2-y1)^2/(x2-x1)^2)-A-x1-x2 y3 = (2*x1+x2+a)*(y2-y1)/(x2-x1)-b*(y2-y1)3/(x2-x1)3-y1 See: https://www.hyperelliptic.org/EFD/g1p/auto-montgom.html

func (*CurveParams) Double 

func (curve *CurveParams) Double(x1, y1 *big.Int) (*big.Int, *big.Int)

Double doubles two points in montgomery x3 = b*(3*x12+2*a*x1+1)2/(2*b*y1)2-a-x1-x1 y3 = (2*x1+x1+a)*(3*x12+2*a*x1+1)/(2*b*y1)-b*(3*x12+2*a*x1+1)3/(2*b*y1)3-y1 See: https://www.hyperelliptic.org/EFD/g1p/auto-montgom.html

func (*CurveParams) IsOnCurve 

func (curve *CurveParams) IsOnCurve(x, y *big.Int) bool

IsOnCurve verifies if a given point in montgomery is valid v^2 = u^3 + A*u^2 + u

func (*CurveParams) MapToCurve 

func (curve *CurveParams) MapToCurve(u *big.Int) (*big.Int, *big.Int)

MapToCurve calculates a point on the elliptic curve from an element of the finite field F. This implements Elligator2, according to https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05, section 6.7.1.1.

func (*CurveParams) Params 

func (curve *CurveParams) Params() *elliptic.CurveParams

Params returns the parameters for the curve.

func (*CurveParams) ScalarBaseMult 

func (curve *CurveParams) ScalarBaseMult(k []byte) (*big.Int, *big.Int)

ScalarBaseMult returns k*G, where G is the base point of the group and k is an integer in big-endian form.

func (*CurveParams) ScalarMult 

func (curve *CurveParams) ScalarMult(x1, y1 *big.Int, k []byte) (*big.Int, *big.Int)

ScalarMult returns k*(Bx,By) where k is a number in little-endian form. This uses the double and add method

type DecafCurve 

type DecafCurve interface {
	GenerateKeys() (priv [privKeyBytes]byte, pub [pubKeyBytes]byte, ok bool)
	Sign(priv [privKeyBytes]byte, message []byte) (signature [signatureBytes]byte, ok bool)
	Verify(signature [signatureBytes]byte, message []byte, pub [pubKeyBytes]byte) (valid bool, err error)
}

DecafCurve is the interface that wraps the basic curve methods in decaf. TODO: change this name

func NewDecafCurve 

func NewDecafCurve() DecafCurve

NewDecafCurve returns a Curve.

type EdwardsCurveParams 

type EdwardsCurveParams struct {
	P       *big.Int // the order of the underlying finite field
	N       *big.Int // the prime order of the base point
	D       *big.Int // the non-zero element
	Gx, Gy  *big.Int // (x,y) of the base point
	BitSize int      // the size of the underlying field
	Name    string   // the canonical name of the curve
}

EdwardsCurveParams contains the parameters of an elliptic curve and also provides a generic, non-constant time implementation of Curve. These are the Edwards params.

func (*EdwardsCurveParams) Add 

func (curve *EdwardsCurveParams) Add(p, q Point) Point

Add gives the sum of two points (p, q) and produces a third point (p).

func (*EdwardsCurveParams) Double 

func (curve *EdwardsCurveParams) Double(p Point) Point

Double gives the doubling of a point (p).

func (*EdwardsCurveParams) IsOnCurve 

func (curve *EdwardsCurveParams) IsOnCurve(p Point) bool

IsOnCurve reports whether the given point (p) lies on the curve.

func (*EdwardsCurveParams) Params 

func (curve *EdwardsCurveParams) Params() *EdwardsCurveParams

Params returns the parameters for the curve.

type ExtendedPrivate 

type ExtendedPrivate [114]uint8

func ChildPrivateToPrivate 

func ChildPrivateToPrivate(s ExtendedPrivate, index uint32) ExtendedPrivate

func SeedToExtendedPrivate 

func SeedToExtendedPrivate(s []uint8) ExtendedPrivate

type ExtendedPublic 

type ExtendedPublic [114]uint8

func ChildPrivateToPublic 

func ChildPrivateToPublic(s ExtendedPrivate, index uint32) ExtendedPublic

func ChildPublicToPublic 

func ChildPublicToPublic(pub ExtendedPublic, index uint32) ExtendedPublic

func ExtendedPrivateToPublic 

func ExtendedPrivateToPublic(s ExtendedPrivate) ExtendedPublic

type GoldilocksCurve 

type GoldilocksCurve interface {
	elliptic.Curve
}

A GoldilocksCurve represents the curve448.

func Curve448 

func Curve448() GoldilocksCurve

Curve448 returns a Curve which implements curve448

type GoldilocksEdCurve 

type GoldilocksEdCurve interface {
	// Params returns the parameters for the curve.
	Params() *EdwardsCurveParams
	// IsOnCurveEdwards reports whether the given p lies on the curve.
	IsOnCurve(p Point) bool
	// AddEdwards returns the sum of p and q
	Add(p, q Point) Point
	// DoubleEdwards returns 2*p
	Double(p Point) Point
	// ScalarMultEdwards returns k*(p) where k is an scalar.
	ScalarMult(p Point, k Scalar) Point
	// ScalarBaseMultEdwards returns k*G, where G is the base point of the group
	// and k is an scalar
	ScalarBaseMult(k Scalar) Point
}

A GoldilocksEdCurve represents Goldilocks edwards448. This uses the decaf technique

type Point 

type Point interface {
	IsOnCurve() bool
	Equals(q Point) bool
	EqualsMask(q Point) uint32
	Copy() Point
	Add(q, r Point)
	Sub(q, r Point)
	Double() Point
	Encode() []byte
	Decode(src []byte, identity bool) (bool, error)
	EdDSAEncode() []byte
	EdDSADecode(src []byte) bool
	EdDSADecodeWithoutCofactor(src []byte) bool
}

Point is a interface of a Ed448 point

func ConstantTimeSelectPoint 

func ConstantTimeSelectPoint(bfalse, btrue Point, mask uint32) Point

ConstantTimeSelectPoint will use constant time select to choose either the left or right point, depending on if the mask is either all zeroes, or all ones

func NewPoint 

func NewPoint(a [nLimbs]uint32, b [nLimbs]uint32, c [nLimbs]uint32, d [nLimbs]uint32) Point

NewPoint returns an Ed448 point from 4 arrays of 16 uint32.

func NewPointFromBytes 

func NewPointFromBytes(in ...[]byte) Point

NewPointFromBytes returns an Ed448 point from a byte slice.

func PointByPrivate 

func PointByPrivate(p PrivateKey) Point

func PointBySecret 

func PointBySecret(p PrivateKey) Point

func PointDoubleScalarMul 

func PointDoubleScalarMul(q, r Point, a, b Scalar) Point

PointDoubleScalarMul returns the addition of two multiplications: a given point (q) by a given scalar (a) and a given point (r) by a given scalar (b): q * a + r * b.

func PointDoubleScalarMulNonsecret 

func PointDoubleScalarMulNonsecret(q Point, a, b Scalar) Point

PointDoubleScalarMulNonsecret returns the addition of two multiplications: a given point (q) by a given scalar (b) and the base point of the curve by a given scalar (a): q * b + basePoint * a. @warning: This function takes variable time, and may leak the scalars used. It is designed for signature verification.

func PointScalarMul 

func PointScalarMul(q Point, a Scalar) Point

PointScalarMul returns the multiplication of a given point (p) by a given scalar (a): q * a.

func PrecomputedScalarMul 

func PrecomputedScalarMul(a Scalar) Point

PrecomputedScalarMul returns the multiplication of a given scalar (a) by the precomputed base point of the curve: basePoint * a.

func ScalarBaseMult 

func ScalarBaseMult(k Scalar) Point

ScalarBaseMult returns the multiplication of a given scalar (k) by the precomputed base point of the curve: basePoint * k.

func ScalarMult 

func ScalarMult(p Point, k Scalar) Point

ScalarMult returns the multiplication of a given point (p) by a given scalar (a): p * k.

type PrivateKey 

type PrivateKey [57]byte

func BytesToPrivateKey 

func BytesToPrivateKey(key []byte) (pk PrivateKey)

func Ed448GenerateKey 

func Ed448GenerateKey(reader io.Reader) (PrivateKey, error)

func PrivateToSecret 

func PrivateToSecret(pk PrivateKey) PrivateKey

type PublicKey 

type PublicKey [57]byte

func BytesToPublicKey 

func BytesToPublicKey(key []byte) (pk PublicKey)

func Ed448DerivePublicKey 

func Ed448DerivePublicKey(privkey PrivateKey) PublicKey

func PrivateToPublic 

func PrivateToPublic(privkey PrivateKey) PublicKey

func SecretToPublic 

func SecretToPublic(sk PrivateKey) PublicKey

type Scalar 

type Scalar interface {
	Equals(a Scalar) bool
	EqualsMask(a Scalar) uint32
	Copy() Scalar
	Add(a, b Scalar)
	Sub(a, b Scalar)
	Mul(a, b Scalar)
	Halve(a Scalar)
	Invert() bool
	Encode() []byte
	BarretDecode(src []byte) error
	Decode(src []byte)
}

Scalar is a interface of a Ed448 scalar

func ConstantTimeSelectScalar 

func ConstantTimeSelectScalar(bfalse, btrue Scalar, mask uint32) Scalar

ConstantTimeSelectScalar will use constant time select to choose either the left or right scalar, depending on if the mask is either all zeroes, or all ones

func NewScalar 

func NewScalar(in ...[]byte) Scalar

NewScalar returns a Scalar in Ed448 with decaf

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.