secp256k1

package
v0.0.0-...-4a97a7c Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 3, 2024 License: Apache-2.0 Imports: 9 Imported by: 0

Documentation

Overview

Package secp256k1 efficient elliptic curve implementation for secp256k1. This curve is defined in Standards for Efficient Cryptography (SEC) (Certicom Research, http://www.secg.org/sec2-v2.pdf) and appears in the Bitcoin and Ethereum ECDSA signatures.

secp256k1: A j=0 curve with 

𝔽r: r=115792089237316195423570985008687907852837564279074904382605163141518161494337
𝔽p: p=115792089237316195423570985008687907853269984665640564039457584007908834671663 (2^256 - 2^32 - 977)
(E/𝔽p): Y²=X³+7

Security: estimated 128-bit level using Pollard's \rho attack (r is 256 bits)

Warning

This code has been partially audited and is provided as-is. In particular, there is no security guarantees such as constant time implementation or side-channel attack resistance.

Index

Constants

View Source 
const ID = ecc.SECP256K1

ID secp256k1 ID

View Source 
const SizeOfG1AffineCompressed = 32

SizeOfG1AffineCompressed represents the size in bytes that a G1Affine need in binary form, compressed

View Source 
const SizeOfG1AffineUncompressed = SizeOfG1AffineCompressed * 2

SizeOfG1AffineUncompressed represents the size in bytes that a G1Affine need in binary form, uncompressed

Variables

This section is empty.

Functions

func CurveCoefficients 

func CurveCoefficients() (a, b fp.Element)

CurveCoefficients returns the a, b coefficients of the curve equation.

func Generators 

func Generators() (g1Jac G1Jac, g1Aff G1Affine)

Generators return the generators of the r-torsion group, resp. in ker(pi-id), ker(Tr)

Types

type G1Affine 

type G1Affine struct {
	X, Y fp.Element
}

G1Affine is a point in affine coordinates (x,y)

func BatchJacobianToAffineG1 

func BatchJacobianToAffineG1(points []G1Jac) []G1Affine

BatchJacobianToAffineG1 converts points in Jacobian coordinates to Affine coordinates performing a single field inversion using the Montgomery batch inversion trick.

func BatchScalarMultiplicationG1 

func BatchScalarMultiplicationG1(base *G1Affine, scalars []fr.Element) []G1Affine

BatchScalarMultiplicationG1 multiplies the same base by all scalars and return resulting points in affine coordinates uses a simple windowed-NAF-like multiplication algorithm.

func EncodeToG1 

func EncodeToG1(msg, dst []byte) (G1Affine, error)

EncodeToG1 hashes a message to a point on the G1 curve using the SVDW map. It is faster than HashToG1, but the result is not uniformly distributed. Unsuitable as a random oracle. dst stands for "domain separation tag", a string unique to the construction using the hash function https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-16.html#roadmap

func HashToG1 

func HashToG1(msg, dst []byte) (G1Affine, error)

HashToG1 hashes a message to a point on the G1 curve using the SVDW map. Slower than EncodeToG1, but usable as a random oracle. dst stands for "domain separation tag", a string unique to the construction using the hash function https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-16.html#roadmap

func MapToCurve1 

func MapToCurve1(u *fp.Element) G1Affine

MapToCurve1 implements the Shallue and van de Woestijne method, applicable to any elliptic curve in Weierstrass form No cofactor clearing or isogeny https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-16.html#straightline-svdw

func MapToG1 

func MapToG1(u fp.Element) G1Affine

MapToG1 invokes the SVDW map, and guarantees that the result is in g1

func (*G1Affine) Add 

func (p *G1Affine) Add(a, b *G1Affine) *G1Affine

Add adds two points in affine coordinates. It uses the Jacobian addition with a.Z=b.Z=1 and converts the result to affine coordinates.

https://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#addition-mmadd-2007-bl

func (*G1Affine) Double 

func (p *G1Affine) Double(a *G1Affine) *G1Affine

Double doubles a point in affine coordinates. It converts the point to Jacobian coordinates, doubles it using Jacobian addition with a.Z=1, and converts it back to affine coordinates.

http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#doubling-mdbl-2007-bl

func (*G1Affine) Equal 

func (p *G1Affine) Equal(a *G1Affine) bool

Equal tests if two points in affine coordinates are equal.

func (*G1Affine) Fold 

func (p *G1Affine) Fold(points []G1Affine, combinationCoeff fr.Element, config ecc.MultiExpConfig) (*G1Affine, error)

Fold computes the multi-exponentiation \sum_{i=0}^{len(points)-1} points[i] * combinationCoeff^i and stores the result in p. It returns error in case configuration is invalid.

func (*G1Affine) FromJacobian 

func (p *G1Affine) FromJacobian(p1 *G1Jac) *G1Affine

FromJacobian converts a point p1 from Jacobian to affine coordinates.

func (*G1Affine) IsInSubGroup 

func (p *G1Affine) IsInSubGroup() bool

IsInSubGroup returns true if the affine point p is in the correct subgroup, false otherwise.

func (*G1Affine) IsInfinity 

func (p *G1Affine) IsInfinity() bool

IsInfinity checks if the affine point p is infinity, which is encoded as (0,0). N.B.: (0,0) is never on the curve for j=0 curves (Y²=X³+B).

func (*G1Affine) IsOnCurve 

func (p *G1Affine) IsOnCurve() bool

IsOnCurve returns true if the affine point p in on the curve.

func (*G1Affine) MultiExp 

func (p *G1Affine) MultiExp(points []G1Affine, scalars []fr.Element, config ecc.MultiExpConfig) (*G1Affine, error)

MultiExp implements section 4 of https://eprint.iacr.org/2012/549.pdf

This call return an error if len(scalars) != len(points) or if provided config is invalid.

func (*G1Affine) Neg 

func (p *G1Affine) Neg(a *G1Affine) *G1Affine

Neg sets p to the affine negative point -a = (a.X, -a.Y).

func (*G1Affine) RawBytes 

func (p *G1Affine) RawBytes() (res [SizeOfG1AffineUncompressed]byte)

RawBytes returns binary representation of p (stores X and Y coordinate)

func (*G1Affine) ScalarMultiplication 

func (p *G1Affine) ScalarMultiplication(a *G1Affine, s *big.Int) *G1Affine

ScalarMultiplication computes and returns p = [s]a where p and a are affine points.

func (*G1Affine) ScalarMultiplicationBase 

func (p *G1Affine) ScalarMultiplicationBase(s *big.Int) *G1Affine

ScalarMultiplicationBase computes and returns p = [s]g where g is the affine point generating the prime subgroup.

func (*G1Affine) Set 

func (p *G1Affine) Set(a *G1Affine) *G1Affine

Set sets p to a in affine coordinates.

func (*G1Affine) SetBytes 

func (p *G1Affine) SetBytes(buf []byte) (int, error)

SetBytes sets p from binary representation in buf and returns number of consumed bytes

bytes in buf must match RawBytes()

if buf is too short io.ErrShortBuffer is returned

this check if the resulting point is on the curve and in the correct subgroup

func (*G1Affine) SetInfinity 

func (p *G1Affine) SetInfinity() *G1Affine

SetInfinity sets p to the infinity point, which is encoded as (0,0). N.B.: (0,0) is never on the curve for j=0 curves (Y²=X³+B).

func (*G1Affine) String 

func (p *G1Affine) String() string

String returns the string representation E(x,y) of the affine point p or "O" if it is infinity.

func (*G1Affine) Sub 

func (p *G1Affine) Sub(a, b *G1Affine) *G1Affine

Sub subtracts two points in affine coordinates. It uses a similar approach to Add, but negates the second point before adding.

type G1Jac 

type G1Jac struct {
	X, Y, Z fp.Element
}

G1Jac is a point in Jacobian coordinates (x=X/Z², y=Y/Z³)

func (*G1Jac) AddAssign 

func (p *G1Jac) AddAssign(q *G1Jac) *G1Jac

AddAssign sets p to p+a in Jacobian coordinates.

https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-2007-bl

func (*G1Jac) AddMixed 

func (p *G1Jac) AddMixed(a *G1Affine) *G1Jac

AddMixed sets p to p+a in Jacobian coordinates, where a.Z = 1.

http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#addition-madd-2007-bl

func (*G1Jac) Double 

func (p *G1Jac) Double(q *G1Jac) *G1Jac

Double sets p to [2]q in Jacobian coordinates.

https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2007-bl

func (*G1Jac) DoubleAssign 

func (p *G1Jac) DoubleAssign() *G1Jac

DoubleAssign doubles p in Jacobian coordinates.

https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2007-bl

func (*G1Jac) DoubleMixed 

func (p *G1Jac) DoubleMixed(a *G1Affine) *G1Jac

Double sets p to [2]q in Jacobian coordinates.

https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2007-bl

func (*G1Jac) Equal 

func (p *G1Jac) Equal(q *G1Jac) bool

Equal tests if two points in Jacobian coordinates are equal.

func (*G1Jac) Fold 

func (p *G1Jac) Fold(points []G1Affine, combinationCoeff fr.Element, config ecc.MultiExpConfig) (*G1Jac, error)

Fold computes the multi-exponentiation \sum_{i=0}^{len(points)-1} points[i] * combinationCoeff^i and stores the result in p. It returns error in case configuration is invalid.

func (*G1Jac) FromAffine 

func (p *G1Jac) FromAffine(a *G1Affine) *G1Jac

FromAffine converts a point a from affine to Jacobian coordinates.

func (*G1Jac) IsInSubGroup 

func (p *G1Jac) IsInSubGroup() bool

IsInSubGroup returns true if p is on the r-torsion, false otherwise. the curve is of prime order i.e. E(𝔽p) is the full group so we just check that the point is on the curve.

func (*G1Jac) IsOnCurve 

func (p *G1Jac) IsOnCurve() bool

IsOnCurve returns true if the Jacobian point p in on the curve.

func (*G1Jac) JointScalarMultiplication 

func (p *G1Jac) JointScalarMultiplication(a1, a2 *G1Affine, s1, s2 *big.Int) *G1Jac

JointScalarMultiplication computes [s1]a1+[s2]a2 using Strauss-Shamir technique where a1 and a2 are affine points.

func (*G1Jac) JointScalarMultiplicationBase 

func (p *G1Jac) JointScalarMultiplicationBase(a *G1Affine, s1, s2 *big.Int) *G1Jac

JointScalarMultiplicationBase computes [s1]g+[s2]a using Straus-Shamir technique where g is the prime subgroup generator.

func (*G1Jac) MultiExp 

func (p *G1Jac) MultiExp(points []G1Affine, scalars []fr.Element, config ecc.MultiExpConfig) (*G1Jac, error)

MultiExp implements section 4 of https://eprint.iacr.org/2012/549.pdf

This call return an error if len(scalars) != len(points) or if provided config is invalid.

func (*G1Jac) Neg 

func (p *G1Jac) Neg(q *G1Jac) *G1Jac

Neg sets p to the Jacobian negative point -q = (q.X, -q.Y, q.Z).

func (*G1Jac) ScalarMultiplication 

func (p *G1Jac) ScalarMultiplication(q *G1Jac, s *big.Int) *G1Jac

ScalarMultiplication computes and returns p = [s]a where p and a are Jacobian points. using the GLV technique. see https://www.iacr.org/archive/crypto2001/21390189.pdf

func (*G1Jac) ScalarMultiplicationBase 

func (p *G1Jac) ScalarMultiplicationBase(s *big.Int) *G1Jac

ScalarMultiplicationBase computes and returns p = [s]g where g is the prime subgroup generator.

func (*G1Jac) Set 

func (p *G1Jac) Set(q *G1Jac) *G1Jac

Set sets p to a in Jacobian coordinates.

func (*G1Jac) String 

func (p *G1Jac) String() string

String converts p to affine coordinates and returns its string representation E(x,y) or "O" if it is infinity.

func (*G1Jac) SubAssign 

func (p *G1Jac) SubAssign(q *G1Jac) *G1Jac

SubAssign sets p to p-a in Jacobian coordinates. It uses a similar approach to AddAssign, but negates the point a before adding.

Source Files

View all Source files

Directories

Path Synopsis
Package ecdsa provides ECDSA signature scheme on the secp256k1 curve.
 Package ecdsa provides ECDSA signature scheme on the secp256k1 curve.
Package fp contains field arithmetic operations for modulus = 0xffffff...fffc2f.
 Package fp contains field arithmetic operations for modulus = 0xffffff...fffc2f.
Package fr contains field arithmetic operations for modulus = 0xffffff...364141.
 Package fr contains field arithmetic operations for modulus = 0xffffff...364141.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.