secp256k1

package v0.12.1
Published: Oct 5, 2023 License: Apache-2.0 Imports: 9 Imported by: 4

Documentation

Overview

Package secp256k1 provides an efficient elliptic curve implementation for secp256k1. This curve is defined in Standards for Efficient Cryptography (SEC) (Certicom Research, http://www.secg.org/sec2-v2.pdf) and is the curve used for Bitcoin and Ethereum ECDSA signatures.

secp256k1: A j=0 curve with

𝔽r: r=115792089237316195423570985008687907852837564279074904382605163141518161494337
𝔽p: p=115792089237316195423570985008687907853269984665640564039457584007908834671663 (2^256 - 2^32 - 977)
(E/𝔽p): Y²=X³+7

Security: estimated 128-bit level using Pollard's ρ attack (r is 256 bits)

Warning

This code has been partially audited and is provided as-is. In particular, there are no security guarantees such as a constant-time implementation or side-channel attack resistance.

Index

Constants

ID is the secp256k1 curve ID

const SizeOfG1AffineCompressed = 32

SizeOfG1AffineCompressed represents the size in bytes that a G1Affine needs in binary form, compressed

const SizeOfG1AffineUncompressed = SizeOfG1AffineCompressed * 2

SizeOfG1AffineUncompressed represents the size in bytes that a G1Affine needs in binary form, uncompressed

Variables

This section is empty.

Functions

func CurveCoefficients added in v0.10.0

func CurveCoefficients() (a, b fp.Element)

CurveCoefficients returns the a, b coefficients of the curve equation.

func Generators

func Generators() (g1Jac G1Jac, g1Aff G1Affine)

Generators returns the generators of the r-torsion group, respectively in ker(pi-id) and ker(Tr)

Types

type G1Affine

type G1Affine struct {
	X, Y fp.Element
}

G1Affine is a point in affine coordinates

func BatchJacobianToAffineG1

func BatchJacobianToAffineG1(points []G1Jac) []G1Affine

BatchJacobianToAffineG1 converts points in Jacobian coordinates to Affine coordinates performing a single field inversion (Montgomery batch inversion trick).

func BatchScalarMultiplicationG1 added in v0.9.1

func BatchScalarMultiplicationG1(base *G1Affine, scalars []fr.Element) []G1Affine

BatchScalarMultiplicationG1 multiplies the same base by all scalars and returns the resulting points in affine coordinates. It uses a simple windowed-NAF-like exponentiation algorithm.

func EncodeToG1

func EncodeToG1(msg, dst []byte) (G1Affine, error)

EncodeToG1 hashes a message to a point on the G1 curve using the SVDW map. It is faster than HashToG1, but the result is not uniformly distributed, so it is unsuitable as a random oracle. dst stands for "domain separation tag", a string unique to the construction using the hash function (see https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-16.html#roadmap).

func HashToG1

func HashToG1(msg, dst []byte) (G1Affine, error)

HashToG1 hashes a message to a point on the G1 curve using the SVDW map. It is slower than EncodeToG1, but usable as a random oracle. dst stands for "domain separation tag", a string unique to the construction using the hash function (see https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-16.html#roadmap).

func MapToCurve1 added in v0.11.0

func MapToCurve1(u *fp.Element) G1Affine

MapToCurve1 implements the Shallue and van de Woestijne method, applicable to any elliptic curve in Weierstrass form. It performs no cofactor clearing or isogeny (see https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-16.html#straightline-svdw).

func MapToG1

func MapToG1(u fp.Element) G1Affine

MapToG1 invokes the SVDW map and guarantees that the result is in G1

func (*G1Affine) Add

func (p *G1Affine) Add(a, b *G1Affine) *G1Affine

Add adds two points in affine coordinates. This should rarely be used, as it is very inefficient compared to Jacobian coordinates

func (*G1Affine) Double added in v0.11.0

func (p *G1Affine) Double(a *G1Affine) *G1Affine

Double doubles a point in affine coordinates. This should rarely be used, as it is very inefficient compared to Jacobian coordinates

func (*G1Affine) Equal

func (p *G1Affine) Equal(a *G1Affine) bool

Equal tests if two points (in Affine coordinates) are equal

func (*G1Affine) FromJacobian

func (p *G1Affine) FromJacobian(p1 *G1Jac) *G1Affine

FromJacobian rescales a point in Jacobian coordinates onto the z=1 plane

func (*G1Affine) IsInSubGroup

func (p *G1Affine) IsInSubGroup() bool

IsInSubGroup returns true if p is in the correct subgroup, false otherwise

func (*G1Affine) IsInfinity

func (p *G1Affine) IsInfinity() bool

IsInfinity checks whether the point is the point at infinity in affine coordinates; it is encoded as (0,0), which is never on the curve for j=0 curves

func (*G1Affine) IsOnCurve

func (p *G1Affine) IsOnCurve() bool

IsOnCurve returns true if p is on the curve

func (*G1Affine) MultiExp added in v0.9.1

func (p *G1Affine) MultiExp(points []G1Affine, scalars []fr.Element, config ecc.MultiExpConfig) (*G1Affine, error)

MultiExp implements section 4 of https://eprint.iacr.org/2012/549.pdf

This call returns an error if len(scalars) != len(points) or if the provided config is invalid.

func (*G1Affine) Neg

func (p *G1Affine) Neg(a *G1Affine) *G1Affine

Neg computes the negation -a of the given point

func (*G1Affine) RawBytes added in v0.9.1

func (p *G1Affine) RawBytes() (res [SizeOfG1AffineUncompressed]byte)

RawBytes returns the binary representation of p (stores the X and Y coordinates)

func (*G1Affine) ScalarMultiplication

func (p *G1Affine) ScalarMultiplication(a *G1Affine, s *big.Int) *G1Affine

ScalarMultiplication computes and returns p = a ⋅ s

func (*G1Affine) ScalarMultiplicationBase added in v0.9.1

func (p *G1Affine) ScalarMultiplicationBase(s *big.Int) *G1Affine

ScalarMultiplicationBase computes and returns p = g ⋅ s where g is the prime subgroup generator

func (*G1Affine) Set

func (p *G1Affine) Set(a *G1Affine) *G1Affine

Set sets p to the provided point

func (*G1Affine) SetBytes added in v0.9.1

func (p *G1Affine) SetBytes(buf []byte) (int, error)

SetBytes sets p from the binary representation in buf and returns the number of consumed bytes.

The bytes in buf must match the format produced by RawBytes().

If buf is too short, io.ErrShortBuffer is returned.

This checks that the resulting point is on the curve and in the correct subgroup.
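As an added illustration (not the package's own code), the contract described above for RawBytes and SetBytes, together with the (0,0) infinity convention and the curve equation from the overview, re-implemented with only math/big. The Affine type is a hypothetical stand-in for G1Affine; P is the modulus printed in the overview, while Gx and Gy are the standard SEC 2 base point, which this page does not print.

```go
package main

import (
	"errors"
	"io"
	"math/big"
)

// Field modulus from the package overview: p = 2^256 - 2^32 - 977; the curve is E: Y^2 = X^3 + 7.
var P, _ = new(big.Int).SetString("115792089237316195423570985008687907853269984665640564039457584007908834671663", 10)
// Standard secp256k1 base point from SEC 2 (assumed here, not printed on this page), used as a known-good input.
var Gx, _ = new(big.Int).SetString("79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798", 16)
var Gy, _ = new(big.Int).SetString("483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8", 16)

// Affine is a hypothetical stand-in for the package's G1Affine, with *big.Int coordinates.
type Affine struct{ X, Y *big.Int }

// IsInfinity follows the package convention: the point at infinity is encoded as (0,0).
func (a Affine) IsInfinity() bool { return a.X.Sign() == 0 && a.Y.Sign() == 0 }

// IsOnCurve checks Y^2 == X^3 + 7 (mod p); (0,0) fails since 0 != 7, so the infinity encoding
// never collides with a real point, and as the curve order is prime this is also the subgroup check.
func (a Affine) IsOnCurve() bool {
	lhs := new(big.Int).Exp(a.Y, big.NewInt(2), P)
	rhs := new(big.Int).Exp(a.X, big.NewInt(3), P)
	rhs.Add(rhs, big.NewInt(7)).Mod(rhs, P)
	return lhs.Cmp(rhs) == 0
}

// RawBytes is the 64-byte uncompressed form: X then Y, big-endian, each zero-padded to 32 bytes.
func (a Affine) RawBytes() [64]byte {
	var out [64]byte
	a.X.FillBytes(out[:32])
	a.Y.FillBytes(out[32:])
	return out
}

// SetBytes parses the RawBytes form: io.ErrShortBuffer on short input; unreduced coordinates and
// off-curve points are rejected, while the (0,0) infinity encoding is accepted.
func SetBytes(buf []byte) (Affine, int, error) {
	if len(buf) < 64 {
		return Affine{}, 0, io.ErrShortBuffer
	}
	pt := Affine{new(big.Int).SetBytes(buf[:32]), new(big.Int).SetBytes(buf[32:64])}
	if pt.X.Cmp(P) >= 0 || pt.Y.Cmp(P) >= 0 {
		return Affine{}, 0, errors.New("coordinate not reduced mod p")
	}
	if !pt.IsInfinity() && !pt.IsOnCurve() {
		return Affine{}, 0, errors.New("point not on curve")
	}
	return pt, 64, nil
}
```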

func (*G1Affine) String

func (p *G1Affine) String() string

String returns the string representation of the point or "O" if it is infinity

func (*G1Affine) Sub

func (p *G1Affine) Sub(a, b *G1Affine) *G1Affine

Sub subtracts two points in affine coordinates. This should rarely be used, as it is very inefficient compared to Jacobian coordinates

type G1Jac

type G1Jac struct {
	X, Y, Z fp.Element
}

G1Jac is a point with fp.Element coordinates

func (*G1Jac) AddAssign

func (p *G1Jac) AddAssign(a *G1Jac) *G1Jac

AddAssign performs point addition (field elements in Montgomery form); see https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-2007-bl

func (*G1Jac) Double

func (p *G1Jac) Double(q *G1Jac) *G1Jac

Double doubles a point in Jacobian coordinates; see https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2007-bl

func (*G1Jac) DoubleAssign

func (p *G1Jac) DoubleAssign() *G1Jac

DoubleAssign doubles a point in Jacobian coordinates; see https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2007-bl

func (*G1Jac) Equal

func (p *G1Jac) Equal(a *G1Jac) bool

Equal tests if two points (in Jacobian coordinates) are equal

func (*G1Jac) FromAffine

func (p *G1Jac) FromAffine(Q *G1Affine) *G1Jac

FromAffine sets p = Q, p in Jacobian, Q in affine

func (*G1Jac) IsInSubGroup

func (p *G1Jac) IsInSubGroup() bool

IsInSubGroup returns true if p is in the r-torsion, false otherwise. The curve is of prime order, i.e. E(𝔽p) is the full group, so we just check that the point is on the curve.

func (*G1Jac) IsOnCurve

func (p *G1Jac) IsOnCurve() bool

IsOnCurve returns true if p is on the curve

func (*G1Jac) JointScalarMultiplicationBase added in v0.9.1

func (p *G1Jac) JointScalarMultiplicationBase(a *G1Affine, s1, s2 *big.Int) *G1Jac

JointScalarMultiplicationBase computes [s1]g+[s2]a using the Straus-Shamir technique, where g is the prime subgroup generator

func (*G1Jac) MultiExp added in v0.9.1

func (p *G1Jac) MultiExp(points []G1Affine, scalars []fr.Element, config ecc.MultiExpConfig) (*G1Jac, error)

MultiExp implements section 4 of https://eprint.iacr.org/2012/549.pdf

This call returns an error if len(scalars) != len(points) or if the provided config is invalid.

func (*G1Jac) Neg

func (p *G1Jac) Neg(a *G1Jac) *G1Jac

Neg computes the negation -a of the given point

func (*G1Jac) ScalarMultiplication

func (p *G1Jac) ScalarMultiplication(a *G1Jac, s *big.Int) *G1Jac

ScalarMultiplication computes and returns p = a ⋅ s; see https://www.iacr.org/archive/crypto2001/21390189.pdf

func (*G1Jac) ScalarMultiplicationAffine

func (p *G1Jac) ScalarMultiplicationAffine(a *G1Affine, s *big.Int) *G1Jac

ScalarMultiplicationAffine computes and returns p = a ⋅ s. It takes an affine point and returns a Jacobian point (useful for KZG)

func (*G1Jac) Set

func (p *G1Jac) Set(a *G1Jac) *G1Jac

Set sets p to the provided point

func (*G1Jac) String

func (p *G1Jac) String() string

String returns canonical representation of the point in affine coordinates

func (*G1Jac) SubAssign

func (p *G1Jac) SubAssign(a *G1Jac) *G1Jac

SubAssign subtracts two points on the curve

Directories

Path Synopsis
ecdsa: Package ecdsa provides the ECDSA signature scheme on the secp256k1 curve.
fp: Package fp contains field arithmetic operations for modulus = 0xffffff...fffc2f.
fr: Package fr contains field arithmetic operations for modulus = 0xffffff...364141.
