starkcurve

package v0.12.1
Published: Oct 5, 2023 License: Apache-2.0 Imports: 10 Imported by: 3

Documentation

Overview

Package starkcurve is an efficient elliptic curve implementation of stark_curve, the curve used in StarkNet: https://docs.starkware.co/starkex/crypto/stark-curve.html.

stark_curve: a j≠0 curve with

𝔽r: r=3618502788666131213697322783095070105526743751716087489154079457884512865583
𝔽p: p=3618502788666131213697322783095070105623107215331596699973092056135872020481 (2^251+17*2^192+1)
(E/𝔽p): Y²=X³+X+b where b=3141592653589793238462643383279502884197169399375105820974944592307816406665

Security: estimated 126-bit level against Pollard's ρ attack (r is 252 bits)

Warning

This code has been partially audited and is provided as-is. In particular, there are no security guarantees, such as a constant-time implementation or side-channel resistance.

Index

Constants

ID is the stark_curve curve identifier.

const SizeOfG1AffineCompressed = 32

SizeOfG1AffineCompressed is the size in bytes of a G1Affine in compressed binary form.

const SizeOfG1AffineUncompressed = SizeOfG1AffineCompressed * 2

SizeOfG1AffineUncompressed is the size in bytes of a G1Affine in uncompressed binary form.

Variables

This section is empty.

Functions

func CurveCoefficients added in v0.10.0

func CurveCoefficients() (a, b fp.Element)

CurveCoefficients returns the a, b coefficients of the curve equation.

func Generators

func Generators() (g1Jac G1Jac, g1Aff G1Affine)

Generators returns the generator of the prime-order (r-torsion) group, in Jacobian and in affine coordinates.

func NoSubgroupChecks

func NoSubgroupChecks() func(*Decoder)

NoSubgroupChecks returns an option to use in NewDecoder(...) which disables subgroup checks on the points the decoder reads. Use with caution: crafted points from an untrusted source can lead to cryptographic attacks, so only skip the check for points that come from a trusted encoder.

func RawEncoding

func RawEncoding() func(*Encoder)

RawEncoding returns an option to use in NewEncoder(...) which enables raw encoding mode: points are written uncompressed.

Types

type Decoder

type Decoder struct {
	// contains filtered or unexported fields
}

Decoder reads stark-curve object values from an inbound stream

func NewDecoder

func NewDecoder(r io.Reader, options ...func(*Decoder)) *Decoder

NewDecoder returns a binary decoder supporting stark-curve objects in both compressed and uncompressed (raw) forms

func (*Decoder) BytesRead

func (dec *Decoder) BytesRead() int64

BytesRead returns the total number of bytes read from the reader

func (*Decoder) Decode

func (dec *Decoder) Decode(v interface{}) (err error)

Decode reads the binary encoding of v from the stream; v must be of type *uint64, *fr.Element, *fp.Element, *G1Affine or *[]G1Affine

type Encoder

type Encoder struct {
	// contains filtered or unexported fields
}

Encoder writes stark-curve object values to an output stream

func NewEncoder

func NewEncoder(w io.Writer, options ...func(*Encoder)) *Encoder

NewEncoder returns a binary encoder supporting stark-curve objects

func (*Encoder) BytesWritten

func (enc *Encoder) BytesWritten() int64

BytesWritten returns the total number of bytes written to the writer

func (*Encoder) Encode

func (enc *Encoder) Encode(v interface{}) (err error)

Encode writes the binary encoding of v to the stream; v must be of type uint64, *fr.Element, *fp.Element, *G1Affine or []G1Affine (this curve defines no G2 types)

type G1Affine

type G1Affine struct {
	X, Y fp.Element
}

G1Affine is a point in affine coordinates

func BatchJacobianToAffineG1

func BatchJacobianToAffineG1(points []G1Jac) []G1Affine

BatchJacobianToAffineG1 converts points in Jacobian coordinates to Affine coordinates performing a single field inversion (Montgomery batch inversion trick).

func EncodeToG1

func EncodeToG1(msg, dst []byte) (G1Affine, error)

EncodeToG1 hashes a message to a point on G1 using the SVDW map. It is faster than HashToG1, but the result is not uniformly distributed, so it is unsuitable as a random oracle. dst is the "domain separation tag", a string unique to the construction using the hash function: https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-16.html#roadmap

func HashToG1

func HashToG1(msg, dst []byte) (G1Affine, error)

HashToG1 hashes a message to a point on G1 using the SVDW map. Slower than EncodeToG1, but usable as a random oracle. dst is the "domain separation tag", a string unique to the construction using the hash function: https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-16.html#roadmap

func MapToCurve1 added in v0.11.0

func MapToCurve1(u *fp.Element) G1Affine

MapToCurve1 implements the Shallue and van de Woestijne method, applicable to any elliptic curve in Weierstrass form. No cofactor clearing or isogeny: https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-16.html#straightline-svdw

func MapToG1

func MapToG1(u fp.Element) G1Affine

MapToG1 invokes the SVDW map and guarantees that the result is in G1

func (*G1Affine) Add

func (p *G1Affine) Add(a, b *G1Affine) *G1Affine

Add adds two points in affine coordinates. This should rarely be used, as it is very inefficient compared to Jacobian coordinates

func (*G1Affine) Bytes

func (p *G1Affine) Bytes() (res [SizeOfG1AffineCompressed]byte)

Bytes returns the compressed binary representation of p: the X coordinate in regular (non-Montgomery) big-endian form plus a flag selecting the square root of X³+X+b that is Y. Because X is at most 252 bits, the top bits of the first byte are free; this layout does not follow the BLS12-381 (ZCash/IETF) encoding and instead uses the 2 most significant bits as the flag:

00 -> uncompressed
10 -> compressed, Y is the lexicographically smallest of the two square roots of X³+X+b
11 -> compressed, Y is the lexicographically largest of the two square roots of X³+X+b
01 -> compressed infinity point

The "uncompressed infinity point" is just 00 (uncompressed) followed by zeroes (infinity is (0,0) in affine coordinates)

func (*G1Affine) Equal

func (p *G1Affine) Equal(a *G1Affine) bool

Equal tests if two points (in Affine coordinates) are equal

func (*G1Affine) FromJacobian

func (p *G1Affine) FromJacobian(p1 *G1Jac) *G1Affine

FromJacobian converts a point in Jacobian coordinates to affine by rescaling it to the Z=1 plane

func (*G1Affine) IsInSubGroup

func (p *G1Affine) IsInSubGroup() bool

IsInSubGroup returns true if p is in the correct subgroup, false otherwise

func (*G1Affine) IsInfinity

func (p *G1Affine) IsInfinity() bool

IsInfinity checks whether p is the point at infinity, which in affine coordinates is encoded as (0,0); (0,0) is never on this curve since b ≠ 0

func (*G1Affine) IsOnCurve

func (p *G1Affine) IsOnCurve() bool

IsOnCurve returns true if p is on the curve

func (*G1Affine) Marshal

func (p *G1Affine) Marshal() []byte

Marshal converts p to a byte slice (without point compression)

func (*G1Affine) Neg

func (p *G1Affine) Neg(a *G1Affine) *G1Affine

Neg sets p = -a and returns p

func (*G1Affine) RawBytes

func (p *G1Affine) RawBytes() (res [SizeOfG1AffineUncompressed]byte)

RawBytes returns binary representation of p (stores X and Y coordinate) see Bytes() for a compressed representation

func (*G1Affine) ScalarMultiplication

func (p *G1Affine) ScalarMultiplication(a *G1Affine, s *big.Int) *G1Affine

ScalarMultiplication computes and returns p = a ⋅ s

func (*G1Affine) ScalarMultiplicationBase

func (p *G1Affine) ScalarMultiplicationBase(s *big.Int) *G1Affine

ScalarMultiplicationBase computes and returns p = g ⋅ s where g is the prime subgroup generator

func (*G1Affine) Set

func (p *G1Affine) Set(a *G1Affine) *G1Affine

Set sets p to the provided point

func (*G1Affine) SetBytes

func (p *G1Affine) SetBytes(buf []byte) (int, error)

SetBytes sets p from the binary representation in buf and returns the number of consumed bytes.

The bytes in buf must match either RawBytes() or Bytes() output.

If buf is too short, io.ErrShortBuffer is returned.

If buf contains a compressed representation (output from Bytes()) and the Y coordinate cannot be computed (i.e. the square root does not exist), this function returns an error.

SetBytes checks that the resulting point is on the curve and in the correct subgroup.
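As an added illustration of the Bytes()/SetBytes() layout and of the validation SetBytes performs, here is a self-contained Go re-implementation of the encoding over math/big. It is example code written for this page, not the starkcurve package's own code: the names Point, Compress, Decode and SamplePoint are chosen here, the arithmetic uses big.Int instead of fp.Element, and the sample point is the curve point with the smallest x ≥ 1 rather than the generator. Decode also shows why SetBytes checks that the result is on the curve: in the uncompressed form the sender supplies Y, so a tampered encoding yields a point on a different curve, which has to be rejected before any scalar multiplication touches it.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"math/big"
)

// Curve parameters as stated on this page: Y^2 = X^3 + X + b over F_p.
var (
	p, _ = new(big.Int).SetString("3618502788666131213697322783095070105623107215331596699973092056135872020481", 10)
	b, _ = new(big.Int).SetString("3141592653589793238462643383279502884197169399375105820974944592307816406665", 10)
)

// Flags carried in the two most significant bits of byte 0, as laid out in Bytes().
const flagUncompressed, flagInfinity, flagSmallest, flagLargest byte = 0b00, 0b01, 0b10, 0b11

// Point is an affine point; Inf is the point at infinity, written (0,0), which is never on the curve since b != 0.
type Point struct {
	X, Y *big.Int
	Inf  bool
}

// rhs returns X^3 + X + b mod p, the value Y^2 must equal.
func rhs(x *big.Int) *big.Int {
	v := new(big.Int).Exp(x, big.NewInt(3), p)
	return v.Add(v, x).Add(v, b).Mod(v, p)
}

// IsOnCurve checks Y^2 = X^3 + X + b mod p; infinity counts as on the curve.
func IsOnCurve(P Point) bool {
	return P.Inf || new(big.Int).Mod(new(big.Int).Mul(P.Y, P.Y), p).Cmp(rhs(P.X)) == 0
}

// isSmallest: y is the lexicographically smaller of the roots y and p-y; for fixed-width big-endian bytes that is y < p-y.
func isSmallest(y *big.Int) bool { return y.Cmp(new(big.Int).Sub(p, y)) < 0 }

// Compress is the Bytes() layout: big-endian X (at most 252 bits, so the top two bits of byte 0 are free) plus a root flag.
func Compress(P Point) (out [32]byte) {
	if P.Inf {
		out[0] = flagInfinity << 6
		return out
	}
	P.X.FillBytes(out[:])
	out[0] |= flagLargest << 6
	if isSmallest(P.Y) {
		out[0] = out[0]&0x3f | flagSmallest<<6
	}
	return out
}

// Decode mirrors SetBytes(): it takes either layout (uncompressed is flag 00, X, then Y), rejects short buffers,
// unreduced coordinates, an X with no square root and off-curve points, and returns the bytes consumed. The on-curve
// check is what stops an uncompressed encoding, where the sender chooses Y freely, from smuggling in an invalid-curve point.
func Decode(buf []byte) (Point, int, error) {
	if len(buf) < 32 {
		return Point{}, 0, io.ErrShortBuffer
	}
	flag := buf[0] >> 6
	x := new(big.Int).SetBytes(append([]byte{buf[0] & 0x3f}, buf[1:32]...))
	y, n := new(big.Int), 32
	switch { // cases are tried in order; the last two only run for the two compressed flags
	case x.Cmp(p) >= 0:
		return Point{}, 0, errors.New("x coordinate not reduced mod p")
	case flag == flagInfinity && x.Sign() == 0:
		return Point{Inf: true}, n, nil
	case flag == flagInfinity:
		return Point{}, 0, errors.New("infinity flag with non-zero payload")
	case flag == flagUncompressed && len(buf) < 64:
		return Point{}, 0, io.ErrShortBuffer
	case flag == flagUncompressed:
		n = 64
		if y.SetBytes(buf[32:64]).Cmp(p) >= 0 {
			return Point{}, 0, errors.New("y coordinate not reduced mod p")
		}
		if x.Sign() == 0 && y.Sign() == 0 {
			return Point{Inf: true}, n, nil // uncompressed infinity: 00 followed by zeroes
		}
	case y.ModSqrt(rhs(x), p) == nil:
		return Point{}, 0, errors.New("x^3 + x + b is not a square: no curve point has this x")
	case isSmallest(y) != (flag == flagSmallest):
		y.Sub(p, y).Mod(y, p) // the flag asked for the other root
	}
	P := Point{X: x, Y: y}
	if !IsOnCurve(P) {
		return Point{}, 0, errors.New("point is not on the curve")
	}
	return P, n, nil
}

// SamplePoint returns the curve point with the smallest x >= 1, taking the smaller root; it stands in for the generator.
func SamplePoint() Point {
	x, y := big.NewInt(1), new(big.Int)
	for y.ModSqrt(rhs(x), p) == nil {
		x.Add(x, big.NewInt(1))
	}
	if !isSmallest(y) {
		y.Sub(p, y)
	}
	return Point{X: x, Y: y}
}

func main() {
	enc := Compress(SamplePoint())
	_, n, err := Decode(enc[:])
	fmt.Printf("compressed=%x consumed=%d err=%v\n", enc, n, err)
}
```

The subgroup check that SetBytes performs on top of this (and that NoSubgroupChecks disables) is not repeated here; on this curve it amounts to verifying [r]P = O. Note that "smallest square root" is decided on the big-endian byte strings, which for two values below p is the same as comparing them as integers.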

func (*G1Affine) String

func (p *G1Affine) String() string

String returns the string representation of the point or "O" if it is infinity

func (*G1Affine) Sub

func (p *G1Affine) Sub(a, b *G1Affine) *G1Affine

Sub subtracts two points in affine coordinates. This should rarely be used, as it is very inefficient compared to Jacobian coordinates

func (*G1Affine) Unmarshal

func (p *G1Affine) Unmarshal(buf []byte) error

Unmarshal is an alias to SetBytes()

type G1Jac

type G1Jac struct {
	X, Y, Z fp.Element
}

G1Jac is a point in Jacobian coordinates (X, Y, Z), representing the affine point (X/Z², Y/Z³), with fp.Element coordinates

func (*G1Jac) AddAssign

func (p *G1Jac) AddAssign(a *G1Jac) *G1Jac

AddAssign sets p = p + a, point addition in Jacobian coordinates with field elements in Montgomery form: https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-2007-bl

func (*G1Jac) Double

func (p *G1Jac) Double(q *G1Jac) *G1Jac

Double doubles a point in Jacobian coordinates https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2007-bl

func (*G1Jac) DoubleAssign

func (p *G1Jac) DoubleAssign() *G1Jac

DoubleAssign doubles a point in Jacobian coordinates https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2007-bl

func (*G1Jac) Equal

func (p *G1Jac) Equal(a *G1Jac) bool

Equal tests if two points (in Jacobian coordinates) are equal

func (*G1Jac) FromAffine

func (p *G1Jac) FromAffine(Q *G1Affine) *G1Jac

FromAffine sets p = Q, p in Jacobian, Q in affine

func (*G1Jac) IsInSubGroup

func (p *G1Jac) IsInSubGroup() bool

IsInSubGroup returns true if p is on the r-torsion, false otherwise.

func (*G1Jac) IsOnCurve

func (p *G1Jac) IsOnCurve() bool

IsOnCurve returns true if p is on the curve Y^2=X^3+X*Z^4+b*Z^6 (the Jacobian form of Y²=X³+X+b)

func (*G1Jac) JointScalarMultiplication

func (p *G1Jac) JointScalarMultiplication(p1, p2 *G1Jac, s1, s2 *big.Int) *G1Jac

JointScalarMultiplication computes [s1]p1+[s2]p2 using the Straus-Shamir technique

func (*G1Jac) JointScalarMultiplicationBase

func (p *G1Jac) JointScalarMultiplicationBase(a *G1Affine, s1, s2 *big.Int) *G1Jac

JointScalarMultiplicationBase computes [s1]g+[s2]a using Straus-Shamir technique where g is the prime subgroup generator
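The r-torsion test behind IsInSubGroup and the Straus-Shamir trick behind JointScalarMultiplication, as an added stand-alone Go example over math/big; this is illustration code written for this page, not the package's own Jacobian implementation. The names Add, ScalarMul, IsInSubgroup and JointScalarMul are chosen here; affine formulas with one inversion per addition are used for readability rather than speed, nothing is constant time, and the point P is the curve point with the smallest x ≥ 1 instead of the generator. The example assumes, as the package's 𝔽r does, that the group order is r.

```go
package main

import (
	"fmt"
	"math/big"
)

// Curve parameters as stated on this page: Y^2 = X^3 + X + b over F_p, with group order r.
var (
	p, _ = new(big.Int).SetString("3618502788666131213697322783095070105623107215331596699973092056135872020481", 10)
	r, _ = new(big.Int).SetString("3618502788666131213697322783095070105526743751716087489154079457884512865583", 10)
	b, _ = new(big.Int).SetString("3141592653589793238462643383279502884197169399375105820974944592307816406665", 10)
)

// Point is an affine point; Inf marks the point at infinity.
type Point struct {
	X, Y *big.Int
	Inf  bool
}

func mod(v *big.Int) *big.Int { return v.Mod(v, p) }

// rhs returns X^3 + X + b mod p.
func rhs(x *big.Int) *big.Int {
	v := new(big.Int).Exp(x, big.NewInt(3), p)
	return mod(v.Add(v, x).Add(v, b))
}

func Equal(P, Q Point) bool {
	return P.Inf == Q.Inf && (P.Inf || P.X.Cmp(Q.X) == 0 && P.Y.Cmp(Q.Y) == 0)
}

// Add is textbook affine addition with one inversion per call: illustration only, neither fast
// nor constant time, which is why the library works in Jacobian coordinates (add-2007-bl).
func Add(P, Q Point) Point {
	if P.Inf {
		return Q
	}
	if Q.Inf {
		return P
	}
	num, den := new(big.Int), new(big.Int)
	if P.X.Cmp(Q.X) != 0 {
		num.Sub(Q.Y, P.Y)
		den.Sub(Q.X, P.X)
	} else if mod(new(big.Int).Add(P.Y, Q.Y)).Sign() == 0 {
		return Point{Inf: true} // Q = -P
	} else { // doubling: lambda = (3X^2 + a) / 2Y with a = 1
		num.Mul(P.X, P.X).Mul(num, big.NewInt(3)).Add(num, big.NewInt(1))
		den.Lsh(P.Y, 1)
	}
	lam := mod(num.Mul(num, new(big.Int).ModInverse(mod(den), p)))
	x3 := mod(new(big.Int).Sub(new(big.Int).Mul(lam, lam), new(big.Int).Add(P.X, Q.X)))
	y3 := mod(new(big.Int).Sub(new(big.Int).Mul(lam, new(big.Int).Sub(P.X, x3)), P.Y))
	return Point{X: x3, Y: y3}
}

// ScalarMul computes [k]P by plain left-to-right double-and-add (not constant time).
func ScalarMul(P Point, k *big.Int) Point {
	R := Point{Inf: true}
	for i := k.BitLen() - 1; i >= 0; i-- {
		R = Add(R, R)
		if k.Bit(i) == 1 {
			R = Add(R, P)
		}
	}
	return R
}

// IsInSubgroup is the generic r-torsion test [r]P = O behind IsInSubGroup (and what NoSubgroupChecks skips).
func IsInSubgroup(P Point) bool { return ScalarMul(P, r).Inf }

// JointScalarMul computes [s1]P1 + [s2]P2 with the Straus-Shamir trick: P1+P2 is precomputed once, then one
// left-to-right pass over both scalars adds P1, P2 or P1+P2 per bit, so the doublings are shared.
func JointScalarMul(P1, P2 Point, s1, s2 *big.Int) Point {
	table := [4]Point{{Inf: true}, P1, P2, Add(P1, P2)} // index = bit(s2)<<1 | bit(s1)
	R := Point{Inf: true}
	n := s1.BitLen()
	if s2.BitLen() > n {
		n = s2.BitLen()
	}
	for i := n - 1; i >= 0; i-- {
		R = Add(R, R)
		if w := s2.Bit(i)<<1 | s1.Bit(i); w != 0 {
			R = Add(R, table[w])
		}
	}
	return R
}

func main() {
	x, y := big.NewInt(1), new(big.Int) // smallest x >= 1 with a point above it, used in place of the generator
	for y.ModSqrt(rhs(x), p) == nil {
		x.Add(x, big.NewInt(1))
	}
	P := Point{X: x, Y: y}
	fmt.Println("[r]P = O:", IsInSubgroup(P), " [2]P = P+P:", Equal(ScalarMul(P, big.NewInt(2)), Add(P, P)))
}
```

Straus-Shamir costs about one scalar multiplication's worth of doublings for two scalars, which is why the library exposes it for [s1]g+[s2]a shapes such as signature verification. The [r]P = O test is the generic membership check; it is what a decoder must run (or IsInSubGroup must be called for) on any point received from an untrusted party before that point is used in a protocol.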

func (*G1Jac) Neg

func (p *G1Jac) Neg(a *G1Jac) *G1Jac

Neg sets p = -a and returns p

func (*G1Jac) ScalarMultiplication

func (p *G1Jac) ScalarMultiplication(a *G1Jac, s *big.Int) *G1Jac

ScalarMultiplication computes and returns p = a ⋅ s using 2-bit windowed exponentiation

func (*G1Jac) ScalarMultiplicationAffine

func (p *G1Jac) ScalarMultiplicationAffine(a *G1Affine, s *big.Int) *G1Jac

ScalarMultiplicationAffine computes and returns p = a ⋅ s. It takes an affine point and returns a Jacobian point (useful for KZG)

func (*G1Jac) Set

func (p *G1Jac) Set(a *G1Jac) *G1Jac

Set sets p to the provided point

func (*G1Jac) String

func (p *G1Jac) String() string

String returns canonical representation of the point in affine coordinates

func (*G1Jac) SubAssign

func (p *G1Jac) SubAssign(a *G1Jac) *G1Jac

SubAssign sets p = p - a for two points on the curve

Directories

Path Synopsis
ecdsa  Package ecdsa provides ECDSA signature scheme on the stark-curve curve.
fp     Package fp contains field arithmetic operations for modulus = 0x800000...000001.
fr     Package fr contains field arithmetic operations for modulus = 0x800000...c64d2f.
