native

package
v1.7.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 11, 2022 License: Apache-2.0 Imports: 11 Imported by: 0

Documentation

Index

Constants

View Source 
const FieldBytes = 32

FieldBytes is the number of bytes needed to represent this field

View Source 
const FieldLimbs = 4

FieldLimbs is the number of limbs needed to represent this field

View Source 
const MaxDstLen = 255

MaxDstLen the max size for dst in hash to curve

View Source 
const WideFieldBytes = 64

WideFieldBytes is the number of bytes needed for safe conversion to this field to avoid bias when reduced

Variables

View Source 
var OversizeDstSalt = []byte("H2C-OVERSIZE-DST-")

OversizeDstSalt is the salt used to hash a dst over MaxDstLen

Functions

func ExpandMsgXmd 

func ExpandMsgXmd(h *EllipticPointHasher, msg, domain []byte, outLen int) []byte

ExpandMsgXmd expands the msg with the domain to output a byte array with outLen in size using a fixed size hash. See https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-13#section-5.4.1

func ExpandMsgXof 

func ExpandMsgXof(h *EllipticPointHasher, msg, domain []byte, outLen int) []byte

ExpandMsgXof expands the msg with the domain to output a byte array with outLen in size using a xof hash See https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-13#section-5.4.2

func Pow 

func Pow(out, base, exp *[FieldLimbs]uint64, params *FieldParams, arithmetic FieldArithmetic)

Pow raises base^exp. The result is written to out. Public only for convenience for some internal implementations

func Pow2k 

func Pow2k(out, arg *[FieldLimbs]uint64, k int, arithmetic FieldArithmetic)

Pow2k raises arg to the power `2^k`. This result is written to out. Public only for convenience for some internal implementations

Types

type EllipticPoint 

type EllipticPoint struct {
	X          *Field
	Y          *Field
	Z          *Field
	Params     *EllipticPointParams
	Arithmetic EllipticPointArithmetic
}

EllipticPoint represents a Weierstrauss elliptic curve point

func (*EllipticPoint) Add 

func (p *EllipticPoint) Add(lhs, rhs *EllipticPoint) *EllipticPoint

Add adds the two points

func (*EllipticPoint) BigInt 

func (p *EllipticPoint) BigInt() (x, y *big.Int)

BigInt returns the x and y as big.Ints in affine

func (*EllipticPoint) Double 

func (p *EllipticPoint) Double(point *EllipticPoint) *EllipticPoint

Double this point

func (*EllipticPoint) Equal 

func (p *EllipticPoint) Equal(rhs *EllipticPoint) int

Equal returns 1 if the two points are equal 0 otherwise.

func (*EllipticPoint) Generator 

func (p *EllipticPoint) Generator() *EllipticPoint

Generator returns the base point for the curve

func (*EllipticPoint) GetX 

func (p *EllipticPoint) GetX() *Field

GetX returns the affine X coordinate

func (*EllipticPoint) GetY 

func (p *EllipticPoint) GetY() *Field

GetY returns the affine Y coordinate

func (*EllipticPoint) Hash 

func (p *EllipticPoint) Hash(bytes []byte, hasher *EllipticPointHasher) (*EllipticPoint, error)

Hash uses the hasher to map bytes to a valid point

func (*EllipticPoint) Identity 

func (p *EllipticPoint) Identity() *EllipticPoint

Identity returns the identity point

func (*EllipticPoint) IsIdentity 

func (p *EllipticPoint) IsIdentity() bool

IsIdentity returns true if this point is at infinity

func (*EllipticPoint) IsOnCurve 

func (p *EllipticPoint) IsOnCurve() bool

IsOnCurve determines if this point represents a valid curve point

func (*EllipticPoint) Mul 

func (p *EllipticPoint) Mul(point *EllipticPoint, scalar *Field) *EllipticPoint

Mul multiplies this point by the input scalar

func (*EllipticPoint) Neg 

func (p *EllipticPoint) Neg(point *EllipticPoint) *EllipticPoint

Neg negates this point

func (*EllipticPoint) Random 

func (p *EllipticPoint) Random(reader io.Reader) (*EllipticPoint, error)

Random creates a random point on the curve from the specified reader

func (*EllipticPoint) Set 

func (p *EllipticPoint) Set(clone *EllipticPoint) *EllipticPoint

Set copies clone into p

func (*EllipticPoint) SetBigInt 

func (p *EllipticPoint) SetBigInt(x, y *big.Int) (*EllipticPoint, error)

SetBigInt creates a point from affine x, y and returns the point if it is on the curve

func (*EllipticPoint) Sub 

func (p *EllipticPoint) Sub(lhs, rhs *EllipticPoint) *EllipticPoint

Sub subtracts the two points

func (*EllipticPoint) SumOfProducts 

func (p *EllipticPoint) SumOfProducts(points []*EllipticPoint, scalars []*Field) (*EllipticPoint, error)

SumOfProducts computes the multi-exponentiation for the specified points and scalars and stores the result in `p`. Returns an error if the lengths of the arguments is not equal.

func (*EllipticPoint) ToAffine 

func (p *EllipticPoint) ToAffine(clone *EllipticPoint) *EllipticPoint

ToAffine converts the point into affine coordinates

type EllipticPointArithmetic 

type EllipticPointArithmetic interface {
	// Hash a byte sequence to the curve using the specified hasher
	// and dst and store the result in out
	Hash(out *EllipticPoint, hasher *EllipticPointHasher, bytes, dst []byte) error
	// Double arg and store the result in out
	Double(out, arg *EllipticPoint)
	// Add arg1 with arg2 and store the result in out
	Add(out, arg1, arg2 *EllipticPoint)
	// IsOnCurve tests arg if it represents a valid point on the curve
	IsOnCurve(arg *EllipticPoint) bool
	// ToAffine converts arg to affine coordinates storing the result in out
	ToAffine(out, arg *EllipticPoint)
	// RhsEq computes the right-hand side of the ecc equation
	RhsEq(out, x *Field)
}

EllipticPointArithmetic are the methods that specific curves need to implement for higher abstractions to wrap the point

type EllipticPointHashName 

type EllipticPointHashName uint

EllipticPointHashName is to indicate the hash function is used for hash to curve operations 

const (
	SHA256 EllipticPointHashName = iota
	SHA512
	SHA3_256
	SHA3_384
	SHA3_512
	BLAKE2B
	SHAKE128
	SHAKE256
)

func (EllipticPointHashName) String 

func (n EllipticPointHashName) String() string

type EllipticPointHashType 

type EllipticPointHashType uint

EllipticPointHashType is to indicate which expand operation is used for hash to curve operations 

const (
	// XMD - use ExpandMsgXmd
	XMD EllipticPointHashType = iota
	// XOF - use ExpandMsgXof
	XOF
)

func (EllipticPointHashType) String 

func (t EllipticPointHashType) String() string

type EllipticPointHasher 

type EllipticPointHasher struct {
	// contains filtered or unexported fields
}

EllipticPointHasher is the type of hashing methods for hashing byte sequences to curve point.

func EllipticPointHasherBlake2b 

func EllipticPointHasherBlake2b() *EllipticPointHasher

EllipticPointHasherBlake2b creates a point hasher that uses Blake2b

func EllipticPointHasherSha256 

func EllipticPointHasherSha256() *EllipticPointHasher

EllipticPointHasherSha256 creates a point hasher that uses Sha256

func EllipticPointHasherSha3256 

func EllipticPointHasherSha3256() *EllipticPointHasher

EllipticPointHasherSha3256 creates a point hasher that uses Sha3256

func EllipticPointHasherSha3384 

func EllipticPointHasherSha3384() *EllipticPointHasher

EllipticPointHasherSha3384 creates a point hasher that uses Sha3384

func EllipticPointHasherSha3512 

func EllipticPointHasherSha3512() *EllipticPointHasher

EllipticPointHasherSha3512 creates a point hasher that uses Sha3512

func EllipticPointHasherSha512 

func EllipticPointHasherSha512() *EllipticPointHasher

EllipticPointHasherSha512 creates a point hasher that uses Sha512

func EllipticPointHasherShake128 

func EllipticPointHasherShake128() *EllipticPointHasher

EllipticPointHasherShake128 creates a point hasher that uses Shake128

func EllipticPointHasherShake256 

func EllipticPointHasherShake256() *EllipticPointHasher

EllipticPointHasherShake256 creates a point hasher that uses Shake256

func (*EllipticPointHasher) Name 

func (e *EllipticPointHasher) Name() string

Name returns the hash name for this hasher

func (*EllipticPointHasher) Type 

func (e *EllipticPointHasher) Type() EllipticPointHashType

Type returns the hash type for this hasher

func (*EllipticPointHasher) Xmd 

func (e *EllipticPointHasher) Xmd() hash.Hash

Xmd returns the hash method for ExpandMsgXmd

func (*EllipticPointHasher) Xof 

func (e *EllipticPointHasher) Xof() sha3.ShakeHash

Xof returns the hash method for ExpandMsgXof

type EllipticPointParams 

type EllipticPointParams struct {
	Name    string
	A       *Field
	B       *Field
	Gx      *Field
	Gy      *Field
	BitSize int
}

EllipticPointParams are the Weierstrauss curve parameters such as the name, the coefficients the generator point, and the prime bit size

type Field 

type Field struct {
	// Value is the field elements value
	Value [FieldLimbs]uint64
	// Params are the field parameters
	Params *FieldParams
	// Arithmetic are the field methods
	Arithmetic FieldArithmetic
}

Field represents a field element

func (*Field) Add 

func (f *Field) Add(lhs, rhs *Field) *Field

Add returns the result from adding rhs to this element

func (*Field) BigInt 

func (f *Field) BigInt() *big.Int

BigInt converts this element into the big.Int struct

func (*Field) Bytes 

func (f *Field) Bytes() [FieldBytes]byte

Bytes converts this element into a byte representation in little endian byte order

func (*Field) CMove 

func (f *Field) CMove(lhs, rhs *Field, choice int) *Field

CMove sets f = lhs if choice == 0 and f = rhs if choice == 1

func (*Field) Cmp 

func (f *Field) Cmp(rhs *Field) int

Cmp returns -1 if f < rhs 0 if f == rhs 1 if f > rhs

func (*Field) Double 

func (f *Field) Double(a *Field) *Field

Double this element

func (*Field) Equal 

func (f *Field) Equal(rhs *Field) int

Equal returns 1 if f == rhs, 0 otherwise

func (*Field) Exp 

func (f *Field) Exp(base, exp *Field) *Field

Exp raises base^exp

func (*Field) Invert 

func (f *Field) Invert(a *Field) (*Field, bool)

Invert this element i.e. compute the multiplicative inverse return false, zero if this element is zero.

func (*Field) IsNonZero 

func (f *Field) IsNonZero() int

IsNonZero returns 1 if f != 0, 0 otherwise

func (*Field) IsOne 

func (f *Field) IsOne() int

IsOne returns 1 if f == 1, 0 otherwise

func (*Field) IsZero 

func (f *Field) IsZero() int

IsZero returns 1 if f == 0, 0 otherwise

func (*Field) Mul 

func (f *Field) Mul(lhs, rhs *Field) *Field

Mul returns the result from multiplying this element by rhs

func (*Field) Neg 

func (f *Field) Neg(input *Field) *Field

Neg returns negation of this element

func (*Field) Raw 

func (f *Field) Raw() [FieldLimbs]uint64

Raw converts this element into the a [FieldLimbs]uint64

func (*Field) Set 

func (f *Field) Set(rhs *Field) *Field

Set f = rhs

func (*Field) SetBigInt 

func (f *Field) SetBigInt(bi *big.Int) *Field

SetBigInt initializes an element from big.Int The value is reduced by the modulus

func (*Field) SetBytes 

func (f *Field) SetBytes(input *[FieldBytes]byte) (*Field, error)

SetBytes attempts to convert a little endian byte representation of a scalar into a `Fp`, failing if input is not canonical

func (*Field) SetBytesWide 

func (f *Field) SetBytesWide(input *[WideFieldBytes]byte) *Field

SetBytesWide takes 64 bytes as input and treats them as a 512-bit number. Attributed to https://github.com/zcash/pasta_curves/blob/main/src/fields/Fp.rs#L255 We reduce an arbitrary 512-bit number by decomposing it into two 256-bit digits with the higher bits multiplied by 2^256. Thus, we perform two reductions

1. the lower bits are multiplied by r^2, as normal 2. the upper bits are multiplied by r^2 * 2^256 = r^3

and computing their sum in the field. It remains to see that arbitrary 256-bit numbers can be placed into Montgomery form safely using the reduction. The reduction works so long as the product is less than r=2^256 multiplied by the modulus. This holds because for any `c` smaller than the modulus, we have that (2^256 - 1)*c is an acceptable product for the reduction. Therefore, the reduction always works so long as `c` is in the field; in this case it is either the constant `r2` or `r3`.

func (*Field) SetLimbs 

func (f *Field) SetLimbs(input *[FieldLimbs]uint64) *Field

SetLimbs converts an array into a field element by converting to montgomery form

func (*Field) SetOne 

func (f *Field) SetOne() *Field

SetOne f = r

func (*Field) SetRaw 

func (f *Field) SetRaw(input *[FieldLimbs]uint64) *Field

SetRaw converts a raw array into a field element Assumes input is already in montgomery form

func (*Field) SetUint64 

func (f *Field) SetUint64(rhs uint64) *Field

SetUint64 f = rhs

func (*Field) SetZero 

func (f *Field) SetZero() *Field

SetZero f = 0

func (*Field) Sqrt 

func (f *Field) Sqrt(a *Field) (*Field, bool)

Sqrt this element, if it exists. If true, then value is a square root. If false, value is a QNR

func (*Field) Square 

func (f *Field) Square(a *Field) *Field

Square this element

func (*Field) Sub 

func (f *Field) Sub(lhs, rhs *Field) *Field

Sub returns the result from subtracting rhs from this element

type FieldArithmetic 

type FieldArithmetic interface {
	// ToMontgomery converts this field to montgomery form
	ToMontgomery(out, arg *[FieldLimbs]uint64)
	// FromMontgomery converts this field from montgomery form
	FromMontgomery(out, arg *[FieldLimbs]uint64)
	// Neg performs modular negation
	Neg(out, arg *[FieldLimbs]uint64)
	// Square performs modular square
	Square(out, arg *[FieldLimbs]uint64)
	// Mul performs modular multiplication
	Mul(out, arg1, arg2 *[FieldLimbs]uint64)
	// Add performs modular addition
	Add(out, arg1, arg2 *[FieldLimbs]uint64)
	// Sub performs modular subtraction
	Sub(out, arg1, arg2 *[FieldLimbs]uint64)
	// Sqrt performs modular square root
	Sqrt(wasSquare *int, out, arg *[FieldLimbs]uint64)
	// Invert performs modular inverse
	Invert(wasInverted *int, out, arg *[FieldLimbs]uint64)
	// FromBytes converts a little endian byte array into a field element
	FromBytes(out *[FieldLimbs]uint64, arg *[FieldBytes]byte)
	// ToBytes converts a field element to a little endian byte array
	ToBytes(out *[FieldBytes]byte, arg *[FieldLimbs]uint64)
	// Selectznz performs conditional select.
	// selects arg1 if choice == 0 and arg2 if choice == 1
	Selectznz(out, arg1, arg2 *[FieldLimbs]uint64, choice int)
}

FieldArithmetic are the methods that can be done on a field

type FieldParams 

type FieldParams struct {
	// R is 2^256 mod Modulus
	R [FieldLimbs]uint64
	// R2 is 2^512 mod Modulus
	R2 [FieldLimbs]uint64
	// R3 is 2^768 mod Modulus
	R3 [FieldLimbs]uint64
	// Modulus of the field
	Modulus [FieldLimbs]uint64
	// Modulus as big.Int
	BiModulus *big.Int
}

FieldParams are the field parameters

type IsogenyParams 

type IsogenyParams struct {
	XNum [][FieldLimbs]uint64
	XDen [][FieldLimbs]uint64
	YNum [][FieldLimbs]uint64
	YDen [][FieldLimbs]uint64
}

IsogenyParams are the parameters needed to map from an isogeny to the main curve

func (*IsogenyParams) Map 

func (p *IsogenyParams) Map(xIn, yIn *Field) (x, y *Field)

Map from the isogeny curve to the main curve using the parameters

type SswuParams 

type SswuParams struct {
	C1, C2, A, B, Z [FieldLimbs]uint64
}

SswuParams for computing the Simplified SWU mapping for hash to curve implementations

func (*SswuParams) Osswu3mod4 

func (p *SswuParams) Osswu3mod4(u *Field) (x, y *Field)

Osswu3mod4 computes the simplified map optmized for 3 mod 4 primes https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-11#appendix-G.2.1

Source Files

View all Source files

Directories

Path Synopsis
fp
Autogenerated: 'src/ExtractionOCaml/word_by_word_montgomery' --lang Go --no-wide-int --relax-primitive-carry-to-bitwidth 32,64 --cmovznz-by-mul --internal-static --package-case flatcase --public-function-case UpperCamelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case camelCase --no-prefix-fiat --doc-newline-in-typedef-bounds --doc-prepend-header 'Code generated by Fiat Cryptography.
 Autogenerated: 'src/ExtractionOCaml/word_by_word_montgomery' --lang Go --no-wide-int --relax-primitive-carry-to-bitwidth 32,64 --cmovznz-by-mul --internal-static --package-case flatcase --public-function-case UpperCamelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case camelCase --no-prefix-fiat --doc-newline-in-typedef-bounds --doc-prepend-header 'Code generated by Fiat Cryptography.
fq
Autogenerated: 'src/ExtractionOCaml/word_by_word_montgomery' --lang Go --no-wide-int --relax-primitive-carry-to-bitwidth 32,64 --cmovznz-by-mul --internal-static --package-case flatcase --public-function-case UpperCamelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case camelCase --no-prefix-fiat --doc-newline-in-typedef-bounds --doc-prepend-header 'Code generated by Fiat Cryptography.
 Autogenerated: 'src/ExtractionOCaml/word_by_word_montgomery' --lang Go --no-wide-int --relax-primitive-carry-to-bitwidth 32,64 --cmovznz-by-mul --internal-static --package-case flatcase --public-function-case UpperCamelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case camelCase --no-prefix-fiat --doc-newline-in-typedef-bounds --doc-prepend-header 'Code generated by Fiat Cryptography.
fp
Code generated by Fiat Cryptography.
 Code generated by Fiat Cryptography.
fq
Code generated by Fiat Cryptography.
 Code generated by Fiat Cryptography.
fp
Autogenerated: './src/ExtractionOCaml/word_by_word_montgomery' --lang Go pasta_fp 64 '2^254 + 45560315531419706090280762371685220353' curve description: pasta_fp machine_wordsize = 64 (from "64") requested operations: (all) m = 0x40000000000000000000000000000000224698fc094cf91b992d30ed00000001 (from "2^254 + 45560315531419706090280762371685220353") NOTE: In addition to the bounds specified above each function, all functions synthesized for this Montgomery arithmetic require the input to be strictly less than the prime modulus (m), and also require the input to be in the unique saturated representation.
 Autogenerated: './src/ExtractionOCaml/word_by_word_montgomery' --lang Go pasta_fp 64 '2^254 + 45560315531419706090280762371685220353' curve description: pasta_fp machine_wordsize = 64 (from "64") requested operations: (all) m = 0x40000000000000000000000000000000224698fc094cf91b992d30ed00000001 (from "2^254 + 45560315531419706090280762371685220353") NOTE: In addition to the bounds specified above each function, all functions synthesized for this Montgomery arithmetic require the input to be strictly less than the prime modulus (m), and also require the input to be in the unique saturated representation.
fq
Autogenerated: './src/ExtractionOCaml/word_by_word_montgomery' --lang Go pasta_fq 64 '2^254 + 45560315531506369815346746415080538113' curve description: pasta_fq machine_wordsize = 64 (from "64") requested operations: (all) m = 0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001 (from "2^254 + 45560315531506369815346746415080538113") NOTE: In addition to the bounds specified above each function, all functions synthesized for this Montgomery arithmetic require the input to be strictly less than the prime modulus (m), and also require the input to be in the unique saturated representation.
 Autogenerated: './src/ExtractionOCaml/word_by_word_montgomery' --lang Go pasta_fq 64 '2^254 + 45560315531506369815346746415080538113' curve description: pasta_fq machine_wordsize = 64 (from "64") requested operations: (all) m = 0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001 (from "2^254 + 45560315531506369815346746415080538113") NOTE: In addition to the bounds specified above each function, all functions synthesized for this Montgomery arithmetic require the input to be strictly less than the prime modulus (m), and also require the input to be in the unique saturated representation.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.