crypto: golang.org/x/crypto/ed25519/internal/edwards25519 Index | Files

package edwards25519

import "golang.org/x/crypto/ed25519/internal/edwards25519"

Index

Package Files

const.go edwards25519.go

Variables

var A = FieldElement{
    486662, 0, 0, 0, 0, 0, 0, 0, 0, 0,
}

A is a constant in the Montgomery-form of curve25519.

var SqrtM1 = FieldElement{
    -32595792, -7943725, 9377950, 3500415, 12389472, -272473, -25146209, -2005654, 326686, 11406482,
}

SqrtM1 is the square-root of -1 in the field.

func FeAdd Uses

func FeAdd(dst, a, b *FieldElement)

func FeCMove Uses

func FeCMove(f, g *FieldElement, b int32)

Replace (f,g) with (g,g) if b == 1; replace (f,g) with (f,g) if b == 0.

Preconditions: b in {0,1}.

func FeCombine Uses

func FeCombine(h *FieldElement, h0, h1, h2, h3, h4, h5, h6, h7, h8, h9 int64)

func FeCopy Uses

func FeCopy(dst, src *FieldElement)

func FeFromBytes Uses

func FeFromBytes(dst *FieldElement, src *[32]byte)

func FeInvert Uses

func FeInvert(out, z *FieldElement)

func FeIsNegative Uses

func FeIsNegative(f *FieldElement) byte

func FeIsNonZero Uses

func FeIsNonZero(f *FieldElement) int32

func FeMul Uses

func FeMul(h, f, g *FieldElement)

FeMul calculates h = f * g Can overlap h with f or g.

Preconditions:

|f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
|g| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.

Postconditions:

|h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.

Notes on implementation strategy:

Using schoolbook multiplication. Karatsuba would save a little in some cost models.

Most multiplications by 2 and 19 are 32-bit precomputations; cheaper than 64-bit postcomputations.

There is one remaining multiplication by 19 in the carry chain; one *19 precomputation can be merged into this, but the resulting data flow is considerably less clean.

There are 12 carries below. 10 of them are 2-way parallelizable and vectorizable. Can get away with 11 carries, but then data flow is much deeper.

With tighter constraints on inputs, can squeeze carries into int32.

func FeNeg Uses

func FeNeg(h, f *FieldElement)

FeNeg sets h = -f

Preconditions:

|f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.

Postconditions:

|h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.

func FeOne Uses

func FeOne(fe *FieldElement)

func FeSquare Uses

func FeSquare(h, f *FieldElement)

FeSquare calculates h = f*f. Can overlap h with f.

Preconditions:

|f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.

Postconditions:

|h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.

func FeSquare2 Uses

func FeSquare2(h, f *FieldElement)

FeSquare2 sets h = 2 * f * f

Can overlap h with f.

Preconditions:

|f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.

Postconditions:

|h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.

See fe_mul.c for discussion of implementation strategy.

func FeSub Uses

func FeSub(dst, a, b *FieldElement)

func FeToBytes Uses

func FeToBytes(s *[32]byte, h *FieldElement)

FeToBytes marshals h to s. Preconditions:

|h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.

Write p=2^255-19; q=floor(h/p). Basic claim: q = floor(2^(-255)(h + 19 2^(-25)h9 + 2^(-1))).

Proof:

Have |h|<=p so |q|<=1 so |19^2 2^(-255) q|<1/4.
Also have |h-2^230 h9|<2^230 so |19 2^(-255)(h-2^230 h9)|<1/4.

Write y=2^(-1)-19^2 2^(-255)q-19 2^(-255)(h-2^230 h9).
Then 0<y<1.

Write r=h-pq.
Have 0<=r<=p-1=2^255-20.
Thus 0<=r+19(2^-255)r<r+19(2^-255)2^255<=2^255-1.

Write x=r+19(2^-255)r+y.
Then 0<x<2^255 so floor(2^(-255)x) = 0 so floor(q+2^(-255)x) = q.

Have q+2^(-255)x = 2^(-255)(h + 19 2^(-25) h9 + 2^(-1))
so floor(2^(-255)(h + 19 2^(-25) h9 + 2^(-1))) = q.

func FeZero Uses

func FeZero(fe *FieldElement)

func GeDoubleScalarMultVartime Uses

func GeDoubleScalarMultVartime(r *ProjectiveGroupElement, a *[32]byte, A *ExtendedGroupElement, b *[32]byte)

GeDoubleScalarMultVartime sets r = a*A + b*B where a = a[0]+256*a[1]+...+256^31 a[31]. and b = b[0]+256*b[1]+...+256^31 b[31]. B is the Ed25519 base point (x,4/5) with x positive.

func GeScalarMultBase Uses

func GeScalarMultBase(h *ExtendedGroupElement, a *[32]byte)

GeScalarMultBase computes h = a*B, where

a = a[0]+256*a[1]+...+256^31 a[31]
B is the Ed25519 base point (x,4/5) with x positive.

Preconditions:

a[31] <= 127

func PreComputedGroupElementCMove Uses

func PreComputedGroupElementCMove(t, u *PreComputedGroupElement, b int32)

func ScMulAdd Uses

func ScMulAdd(s, a, b, c *[32]byte)

Input:

a[0]+256*a[1]+...+256^31*a[31] = a
b[0]+256*b[1]+...+256^31*b[31] = b
c[0]+256*c[1]+...+256^31*c[31] = c

Output:

s[0]+256*s[1]+...+256^31*s[31] = (ab+c) mod l
where l = 2^252 + 27742317777372353535851937790883648493.

func ScReduce Uses

func ScReduce(out *[32]byte, s *[64]byte)

Input:

s[0]+256*s[1]+...+256^63*s[63] = s

Output:

s[0]+256*s[1]+...+256^31*s[31] = s mod l
where l = 2^252 + 27742317777372353535851937790883648493.

type CachedGroupElement Uses

type CachedGroupElement struct {
    Z, T2d FieldElement
    // contains filtered or unexported fields
}

type CompletedGroupElement Uses

type CompletedGroupElement struct {
    X, Y, Z, T FieldElement
}

func (*CompletedGroupElement) ToExtended Uses

func (p *CompletedGroupElement) ToExtended(r *ExtendedGroupElement)

func (*CompletedGroupElement) ToProjective Uses

func (p *CompletedGroupElement) ToProjective(r *ProjectiveGroupElement)

type ExtendedGroupElement Uses

type ExtendedGroupElement struct {
    X, Y, Z, T FieldElement
}

func (*ExtendedGroupElement) Double Uses

func (p *ExtendedGroupElement) Double(r *CompletedGroupElement)

func (*ExtendedGroupElement) FromBytes Uses

func (p *ExtendedGroupElement) FromBytes(s *[32]byte) bool

func (*ExtendedGroupElement) ToBytes Uses

func (p *ExtendedGroupElement) ToBytes(s *[32]byte)

func (*ExtendedGroupElement) ToCached Uses

func (p *ExtendedGroupElement) ToCached(r *CachedGroupElement)

func (*ExtendedGroupElement) ToProjective Uses

func (p *ExtendedGroupElement) ToProjective(r *ProjectiveGroupElement)

func (*ExtendedGroupElement) Zero Uses

func (p *ExtendedGroupElement) Zero()

type FieldElement Uses

type FieldElement [10]int32

FieldElement represents an element of the field GF(2^255 - 19). An element t, entries t[0]...t[9], represents the integer t[0]+2^26 t[1]+2^51 t[2]+2^77 t[3]+2^102 t[4]+...+2^230 t[9]. Bounds on each t[i] vary depending on context.

type PreComputedGroupElement Uses

type PreComputedGroupElement struct {
    // contains filtered or unexported fields
}

func (*PreComputedGroupElement) Zero Uses

func (p *PreComputedGroupElement) Zero()

type ProjectiveGroupElement Uses

type ProjectiveGroupElement struct {
    X, Y, Z FieldElement
}

func (*ProjectiveGroupElement) Double Uses

func (p *ProjectiveGroupElement) Double(r *CompletedGroupElement)

func (*ProjectiveGroupElement) ToBytes Uses

func (p *ProjectiveGroupElement) ToBytes(s *[32]byte)

func (*ProjectiveGroupElement) Zero Uses

func (p *ProjectiveGroupElement) Zero()

Package edwards25519 is imported by 6 packages. Updated 2017-03-20. Refresh now. Tools for package owners.