Documentation ¶
Overview ¶
Package starkcurve provides an efficient elliptic curve implementation of stark_curve. This is the curve used in StarkNet: https://docs.starkware.co/starkex/crypto/stark-curve.html.
stark_curve: a j != 0 curve with
𝔽r: r = 3618502788666131213697322783095070105526743751716087489154079457884512865583
𝔽p: p = 3618502788666131213697322783095070105623107215331596699973092056135872020481 (2^251 + 17*2^192 + 1)
(E/𝔽p): Y² = X³ + X + b where b = 3141592653589793238462643383279502884197169399375105820974944592307816406665
Security: estimated 126-bit level using Pollard's ρ attack (r is 252 bits)
Warning ¶
This code has been partially audited and is provided as-is. In particular, there are no security guarantees such as a constant-time implementation or side-channel attack resistance.
Index ¶
- Constants
- func CurveCoefficients() (a, b fp.Element)
- func Generators() (g1Jac G1Jac, g1Aff G1Affine)
- func NoSubgroupChecks() func(*Decoder)
- func RawEncoding() func(*Encoder)
- type Decoder
- type Encoder
- type G1Affine
- func (p *G1Affine) Add(a, b *G1Affine) *G1Affine
- func (p *G1Affine) Bytes() (res [SizeOfG1AffineCompressed]byte)
- func (p *G1Affine) Equal(a *G1Affine) bool
- func (p *G1Affine) FromJacobian(p1 *G1Jac) *G1Affine
- func (p *G1Affine) IsInSubGroup() bool
- func (p *G1Affine) IsInfinity() bool
- func (p *G1Affine) IsOnCurve() bool
- func (p *G1Affine) Marshal() []byte
- func (p *G1Affine) Neg(a *G1Affine) *G1Affine
- func (p *G1Affine) RawBytes() (res [SizeOfG1AffineUncompressed]byte)
- func (p *G1Affine) ScalarMultiplication(a *G1Affine, s *big.Int) *G1Affine
- func (p *G1Affine) ScalarMultiplicationBase(s *big.Int) *G1Affine
- func (p *G1Affine) Set(a *G1Affine) *G1Affine
- func (p *G1Affine) SetBytes(buf []byte) (int, error)
- func (p *G1Affine) String() string
- func (p *G1Affine) Sub(a, b *G1Affine) *G1Affine
- func (p *G1Affine) Unmarshal(buf []byte) error
- type G1Jac
- func (p *G1Jac) AddAssign(a *G1Jac) *G1Jac
- func (p *G1Jac) AddMixed(a *G1Affine) *G1Jac
- func (p *G1Jac) Double(q *G1Jac) *G1Jac
- func (p *G1Jac) DoubleAssign() *G1Jac
- func (p *G1Jac) Equal(a *G1Jac) bool
- func (p *G1Jac) FromAffine(Q *G1Affine) *G1Jac
- func (p *G1Jac) IsInSubGroup() bool
- func (p *G1Jac) IsOnCurve() bool
- func (p *G1Jac) JointScalarMultiplication(p1, p2 *G1Jac, s1, s2 *big.Int) *G1Jac
- func (p *G1Jac) JointScalarMultiplicationBase(a *G1Affine, s1, s2 *big.Int) *G1Jac
- func (p *G1Jac) Neg(q *G1Jac) *G1Jac
- func (p *G1Jac) ScalarMultiplication(a *G1Jac, s *big.Int) *G1Jac
- func (p *G1Jac) Set(q *G1Jac) *G1Jac
- func (p *G1Jac) String() string
- func (p *G1Jac) SubAssign(a *G1Jac) *G1Jac
Constants ¶
const ID = ecc.STARK_CURVE
ID stark_curve ID
const SizeOfG1AffineCompressed = 32
SizeOfG1AffineCompressed is the size in bytes that a G1Affine needs in binary form, compressed
const SizeOfG1AffineUncompressed = SizeOfG1AffineCompressed * 2
SizeOfG1AffineUncompressed is the size in bytes that a G1Affine needs in binary form, uncompressed
Variables ¶
This section is empty.
Functions ¶
func CurveCoefficients ¶ added in v0.10.0
CurveCoefficients returns the a, b coefficients of the curve equation.
func Generators ¶
Generators returns the generators of the r-torsion group, resp. in ker(pi-id), ker(Tr).
func NoSubgroupChecks ¶
func NoSubgroupChecks() func(*Decoder)
NoSubgroupChecks returns an option to use in NewDecoder(...) which disables subgroup checks on the points the decoder will read. Use with caution, as crafted points from an untrusted source can lead to crypto-attacks.
func RawEncoding ¶
func RawEncoding() func(*Encoder)
RawEncoding returns an option to use in NewEncoder(...) which sets raw encoding mode to true; points will not be compressed using this option.
Types ¶
type Decoder ¶
type Decoder struct {
// contains filtered or unexported fields
}
Decoder reads stark-curve object values from an inbound stream
func NewDecoder ¶
NewDecoder returns a binary decoder supporting curve stark-curve objects in both compressed and uncompressed (raw) forms
type Encoder ¶
type Encoder struct {
// contains filtered or unexported fields
}
Encoder writes stark-curve object values to an output stream
func NewEncoder ¶
NewEncoder returns a binary encoder supporting curve stark-curve objects
func (*Encoder) BytesWritten ¶
BytesWritten returns the total number of bytes written to the writer.
type G1Affine ¶
G1Affine is a point in affine coordinates (x,y)
func BatchJacobianToAffineG1 ¶
BatchJacobianToAffineG1 converts points in Jacobian coordinates to affine coordinates, performing a single field inversion using the Montgomery batch inversion trick.
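The Montgomery batch inversion trick, as an added Go example that is not the package's own BatchJacobianToAffineG1 (which works on fp.Element); this version uses math/big with the field modulus p from the overview above, and the names BatchInvert, BatchJacobianToAffine, Jac and Aff are chosen here. The detail worth seeing is the zero-Z case: a point at infinity in the batch has no inverse, and without a check it would turn every other inverse in the batch into zero rather than fail loudly.

```go
package main

import (
	"fmt"
	"math/big"
)

// Field modulus p from the overview above (decimal).
var fieldP, _ = new(big.Int).SetString("3618502788666131213697322783095070105623107215331596699973092056135872020481", 10)

// Jac is a Jacobian point (x = X/Z^2, y = Y/Z^3); Aff is an affine point.
type Jac struct{ X, Y, Z *big.Int }
type Aff struct{ X, Y *big.Int }

func mulmod(a, b *big.Int) *big.Int { return new(big.Int).Mod(new(big.Int).Mul(a, b), fieldP) }

// BatchInvert returns 1/z for every z in zs using Montgomery's trick: one field
// inversion plus about 3(n-1) multiplications instead of n inversions. A zero
// entry (the Z of a point at infinity) has no inverse and would silently turn
// every other result into zero, so it is reported as an error instead.
func BatchInvert(zs []*big.Int) ([]*big.Int, error) {
	n := len(zs)
	out := make([]*big.Int, n)
	if n == 0 {
		return out, nil
	}
	prefix := make([]*big.Int, n) // prefix[i] = z_0 * ... * z_i mod p
	acc := big.NewInt(1)
	for i, z := range zs {
		if new(big.Int).Mod(z, fieldP).Sign() == 0 {
			return nil, fmt.Errorf("batch inversion: zero element at index %d", i)
		}
		acc = mulmod(acc, z)
		prefix[i] = acc
	}
	inv := new(big.Int).ModInverse(prefix[n-1], fieldP) // the single inversion
	for i := n - 1; i > 0; i-- {
		out[i] = mulmod(inv, prefix[i-1]) // 1/z_i = (z_0...z_{i-1}) / (z_0...z_i)
		inv = mulmod(inv, zs[i])          // now 1/(z_0...z_{i-1})
	}
	out[0] = inv
	return out, nil
}

// BatchJacobianToAffine converts every point with one inversion, the job the
// package's BatchJacobianToAffineG1 does: x = X * (1/Z)^2, y = Y * (1/Z)^3.
func BatchJacobianToAffine(ps []Jac) ([]Aff, error) {
	zs := make([]*big.Int, len(ps))
	for i := range ps {
		zs[i] = ps[i].Z
	}
	zinv, err := BatchInvert(zs)
	if err != nil {
		return nil, err
	}
	out := make([]Aff, len(ps))
	for i, p := range ps {
		zi2 := mulmod(zinv[i], zinv[i])
		out[i] = Aff{X: mulmod(p.X, zi2), Y: mulmod(p.Y, mulmod(zi2, zinv[i]))}
	}
	return out, nil
}
```

The conversion does not check that the inputs lie on the curve; it is a coordinate change only, so callers that received the Jacobian points from outside still need the on-curve check that SetBytes performs.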
func EncodeToG1 ¶
EncodeToG1 hashes a message to a point on the G1 curve using the SVDW map. It is faster than HashToG1, but the result is not uniformly distributed, so it is unsuitable as a random oracle. dst stands for "domain separation tag", a string unique to the construction using the hash function: https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-16.html#roadmap
func HashToG1 ¶
HashToG1 hashes a message to a point on the G1 curve using the SVDW map. It is slower than EncodeToG1, but usable as a random oracle. dst stands for "domain separation tag", a string unique to the construction using the hash function: https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-16.html#roadmap
func MapToCurve1 ¶ added in v0.11.0
MapToCurve1 implements the Shallue and van de Woestijne method, applicable to any elliptic curve in Weierstrass form. No cofactor clearing or isogeny. https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-16.html#straightline-svdw
func (*G1Affine) Add ¶
Add adds two points in affine coordinates. It uses the Jacobian addition with a.Z=b.Z=1 and converts the result to affine coordinates.
https://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#addition-mmadd-2007-bl
func (*G1Affine) Bytes ¶
func (p *G1Affine) Bytes() (res [SizeOfG1AffineCompressed]byte)
Bytes returns the binary representation of p. It stores the X coordinate in regular form plus a parity bit. As we have less than 3 bits available in our coordinate, we can't follow the BLS12-381 style encoding (ZCash/IETF); we use the 2 most significant bits instead:
- 00 -> uncompressed
- 10 -> compressed, use the lexicographically smallest square root of Y^2
- 11 -> compressed, use the lexicographically largest square root of Y^2
- 01 -> compressed infinity point
The "uncompressed infinity point" will just have 00 (uncompressed) followed by zeroes (infinity = 0,0 in affine coordinates).
func (*G1Affine) FromJacobian ¶
FromJacobian converts a point p1 from Jacobian to affine coordinates.
func (*G1Affine) IsInSubGroup ¶
IsInSubGroup returns true if the affine point p is in the correct subgroup, false otherwise.
func (*G1Affine) IsInfinity ¶
IsInfinity checks if the affine point p is infinity, which is encoded as (0,0). N.B.: (0,0) is not on the STARK curve (Y²=X³+X+B).
func (*G1Affine) RawBytes ¶
func (p *G1Affine) RawBytes() (res [SizeOfG1AffineUncompressed]byte)
RawBytes returns the binary representation of p (stores the X and Y coordinates); see Bytes() for a compressed representation.
func (*G1Affine) ScalarMultiplication ¶
ScalarMultiplication computes and returns p = [s]a where p and a are affine points.
func (*G1Affine) ScalarMultiplicationBase ¶
ScalarMultiplicationBase computes and returns p = [s]g where g is the affine point generating the prime subgroup.
func (*G1Affine) SetBytes ¶
SetBytes sets p from the binary representation in buf and returns the number of consumed bytes.
- bytes in buf must match either RawBytes() or Bytes() output
- if buf is too short, io.ErrShortBuffer is returned
- if buf contains a compressed representation (output from Bytes()) and we're unable to compute the Y coordinate (i.e. the square root doesn't exist), this function returns an error
- this checks that the resulting point is on the curve and in the correct subgroup
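The flag layout documented for Bytes() and the checks SetBytes() describes, written out as an added Go example; this is not gnark-crypto's code (which works on fp.Element) but a math/big reimplementation using the p and b constants from the overview above. Point, Compress and Decode are names chosen here; Decode plays the role of SetBytes, accepts both forms and returns the number of bytes consumed. There is no subgroup check beyond the curve equation because, as the G1Jac.IsInSubGroup note says, the curve has prime order.

```go
package main

import (
	"errors"
	"io"
	"math/big"
)

// Curve parameters from the overview above (decimal).
var fieldP, _ = new(big.Int).SetString("3618502788666131213697322783095070105623107215331596699973092056135872020481", 10)
var curveB, _ = new(big.Int).SetString("3141592653589793238462643383279502884197169399375105820974944592307816406665", 10)

const (
	sizeCompressed   = 32
	sizeUncompressed = 2 * sizeCompressed
	maskFlags        = 0xC0 // the two most significant bits of byte 0
	flagUncompressed = 0x00 // 00: X || Y follow (64 bytes)
	flagInfinity     = 0x40 // 01: compressed point at infinity
	flagSmallestY    = 0x80 // 10: compressed, lexicographically smaller root of Y^2
	flagLargestY     = 0xC0 // 11: compressed, lexicographically larger root of Y^2
)

// Point is an affine point; Inf marks the (0,0) infinity sentinel.
type Point struct {
	X, Y *big.Int
	Inf  bool
}

// rhs returns X^3 + X + b mod p.
func rhs(x *big.Int) *big.Int {
	r := new(big.Int).Exp(x, big.NewInt(3), fieldP)
	return r.Mod(r.Add(r, x).Add(r, curveB), fieldP)
}

// IsOnCurve reports whether Y^2 == X^3 + X + b (mod p); infinity is accepted.
func IsOnCurve(pt Point) bool {
	return pt.Inf || new(big.Int).Mod(new(big.Int).Mul(pt.Y, pt.Y), fieldP).Cmp(rhs(pt.X)) == 0
}

// Compress produces the 32-byte form: X with the 2-bit flag in the top bits.
func Compress(pt Point) [sizeCompressed]byte {
	var out [sizeCompressed]byte
	if pt.Inf {
		out[0] = flagInfinity
		return out
	}
	pt.X.FillBytes(out[:])
	if negY := new(big.Int).Sub(fieldP, pt.Y); pt.Y.Cmp(negY) <= 0 {
		out[0] |= flagSmallestY // Y is the smaller of the two roots
	} else {
		out[0] |= flagLargestY
	}
	return out
}

// Decode mirrors SetBytes: either form in, bytes consumed out; short buffers,
// non-canonical coordinates, a non-square Y^2 and off-curve raw points are errors.
func Decode(buf []byte) (Point, int, error) {
	if len(buf) < sizeCompressed {
		return Point{}, 0, io.ErrShortBuffer
	}
	flag := buf[0] & maskFlags
	// strip the flag bits from the first byte before reading X
	x := new(big.Int).SetBytes(append([]byte{buf[0] &^ maskFlags}, buf[1:sizeCompressed]...))
	if x.Cmp(fieldP) >= 0 {
		return Point{}, 0, errors.New("X is not a canonical field element")
	}
	switch flag {
	case flagInfinity:
		if x.Sign() != 0 {
			return Point{}, 0, errors.New("infinity flag with a non-zero payload")
		}
		return Point{X: x, Y: new(big.Int), Inf: true}, sizeCompressed, nil
	case flagUncompressed:
		if len(buf) < sizeUncompressed {
			return Point{}, 0, io.ErrShortBuffer
		}
		y := new(big.Int).SetBytes(buf[sizeCompressed:sizeUncompressed])
		pt := Point{X: x, Y: y, Inf: x.Sign() == 0 && y.Sign() == 0}
		if y.Cmp(fieldP) >= 0 || !IsOnCurve(pt) {
			return Point{}, 0, errors.New("raw point is not a canonical point on the curve")
		}
		return pt, sizeUncompressed, nil
	}
	// compressed: recover Y from X^3 + X + b and take the root the flag names
	y := new(big.Int).ModSqrt(rhs(x), fieldP)
	if y == nil {
		return Point{}, 0, errors.New("X^3 + X + b is not a square: no such point")
	}
	negY := new(big.Int).Mod(new(big.Int).Neg(y), fieldP)
	if (flag == flagSmallestY) != (y.Cmp(negY) <= 0) {
		y = negY
	}
	return Point{X: x, Y: y}, sizeCompressed, nil
}
```

Two details matter for a decoder facing untrusted input: X is rejected when it is not below p (otherwise two byte strings decode to the same point), and the raw form is checked against the curve equation, since nothing else stops an attacker-supplied (X, Y) pair from being off-curve.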
func (*G1Affine) String ¶
String returns the string representation E(x,y) of the affine point p or "O" if it is infinity.
type G1Jac ¶
G1Jac is a point in Jacobian coordinates (x=X/Z², y=Y/Z³)
func (*G1Jac) AddAssign ¶
AddAssign sets p to p+a in Jacobian coordinates.
https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-2007-bl
func (*G1Jac) AddMixed ¶
AddMixed sets p to p+a in Jacobian coordinates, where a.Z = 1.
http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#addition-madd-2007-bl
func (*G1Jac) Double ¶
Double sets p to [2]q in Jacobian coordinates.
https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2007-bl
func (*G1Jac) DoubleAssign ¶
DoubleAssign doubles p in Jacobian coordinates.
https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2007-bl
func (*G1Jac) FromAffine ¶
FromAffine converts a point a from affine to Jacobian coordinates.
func (*G1Jac) IsInSubGroup ¶
IsInSubGroup returns true if p is on the r-torsion, false otherwise. The curve is of prime order, i.e. E(𝔽p) is the full group, so we just check that the point is on the curve.
func (*G1Jac) JointScalarMultiplication ¶
JointScalarMultiplication computes [s1]p1+[s2]p2 using the Straus-Shamir technique.
func (*G1Jac) JointScalarMultiplicationBase ¶
JointScalarMultiplicationBase computes [s1]g+[s2]a using the Straus-Shamir technique, where g is the prime subgroup generator.
func (*G1Jac) ScalarMultiplication ¶
ScalarMultiplication computes and returns p = [s]a using a 2-bit windowed double-and-add method.
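The 2-bit windowed double-and-add and the Straus-Shamir joint multiplication described for G1Jac above, as an added Go example that is not the package's code. For readability it works in affine coordinates with one math/big inversion per operation rather than the Jacobian formulas linked above, so it demonstrates the scalar-recoding logic, not the package's performance or its constant-time properties. The names (Double, Add, ScalarMul, JointScalarMul, FindPoint) and the restriction to non-negative scalars are assumptions made here; p, r and b are the constants from the overview, and FindPoint only searches for some point on the curve, it is not the generator.

```go
package main

import "math/big"

// Curve parameters from the overview above (decimal); the X coefficient a is 1.
var (
	fieldP, _ = new(big.Int).SetString("3618502788666131213697322783095070105623107215331596699973092056135872020481", 10)
	groupR, _ = new(big.Int).SetString("3618502788666131213697322783095070105526743751716087489154079457884512865583", 10)
	curveB, _ = new(big.Int).SetString("3141592653589793238462643383279502884197169399375105820974944592307816406665", 10)
)

// Point is an affine point; Inf marks the neutral element.
type Point struct {
	X, Y *big.Int
	Inf  bool
}

var infinity = Point{X: new(big.Int), Y: new(big.Int), Inf: true}

func mod(z *big.Int) *big.Int { return z.Mod(z, fieldP) }

// chord finishes an addition or doubling from the slope l: x3 = l^2 - x1 - x2, y3 = l*(x1 - x3) - y1.
func chord(l, x1, y1, x2 *big.Int) Point {
	x3 := mod(new(big.Int).Sub(new(big.Int).Sub(new(big.Int).Mul(l, l), x1), x2))
	y3 := mod(new(big.Int).Sub(new(big.Int).Mul(l, new(big.Int).Sub(x1, x3)), y1))
	return Point{X: x3, Y: y3}
}

// Double returns [2]p from the tangent slope (3x^2 + a) / 2y.
func Double(p Point) Point {
	if p.Inf || p.Y.Sign() == 0 {
		return infinity
	}
	num := new(big.Int).Mul(p.X, p.X)
	num.Mul(num, big.NewInt(3)).Add(num, big.NewInt(1))
	l := mod(num.Mul(num, new(big.Int).ModInverse(new(big.Int).Lsh(p.Y, 1), fieldP)))
	return chord(l, p.X, p.Y, p.X)
}

// Add returns p + q from the chord slope (y2 - y1) / (x2 - x1).
func Add(p, q Point) Point {
	if p.Inf {
		return q
	}
	if q.Inf {
		return p
	}
	if p.X.Cmp(q.X) == 0 {
		if p.Y.Cmp(q.Y) == 0 {
			return Double(p)
		}
		return infinity // q = -p
	}
	den := mod(new(big.Int).Sub(q.X, p.X))
	l := mod(new(big.Int).Mul(new(big.Int).Sub(q.Y, p.Y), new(big.Int).ModInverse(den, fieldP)))
	return chord(l, p.X, p.Y, q.X)
}

// ScalarMul computes [s]p (s >= 0) with a 2-bit fixed window: T = {O, p, 2p, 3p}
// is precomputed, then each 2-bit window w, from the top, does R = 4R + T[w].
func ScalarMul(p Point, s *big.Int) Point {
	table := [4]Point{infinity, p, Double(p), Add(Double(p), p)}
	r := infinity
	for i := s.BitLen() + s.BitLen()%2 - 2; i >= 0; i -= 2 {
		r = Add(Double(Double(r)), table[s.Bit(i+1)<<1|s.Bit(i)])
	}
	return r
}

// JointScalarMul computes [s1]p + [s2]q (s1, s2 >= 0) with the Straus-Shamir
// trick: one doubling per bit position and one addition of p, q or p+q.
func JointScalarMul(p, q Point, s1, s2 *big.Int) Point {
	table := [4]Point{infinity, p, q, Add(p, q)}
	r := infinity
	n := s1.BitLen()
	if s2.BitLen() > n {
		n = s2.BitLen()
	}
	for i := n - 1; i >= 0; i-- {
		r = Add(Double(r), table[s1.Bit(i)|s2.Bit(i)<<1])
	}
	return r
}

// FindPoint returns a constructed curve point: the smallest x >= start whose
// right-hand side x^3 + x + b is a square (example helper, not a generator).
func FindPoint(start int64) Point {
	for x := big.NewInt(start); ; x.Add(x, big.NewInt(1)) {
		rhs := mod(new(big.Int).Add(new(big.Int).Add(new(big.Int).Exp(x, big.NewInt(3), fieldP), x), curveB))
		if y := new(big.Int).ModSqrt(rhs, fieldP); y != nil {
			return Point{X: new(big.Int).Set(x), Y: y}
		}
	}
}
```

A cheap end-to-end check is ScalarMul(P, r) for any P returned by FindPoint: because E(𝔽p) has prime order r, the result must be the point at infinity, which exercises every branch of Add and Double and confirms the group order stated in the overview. Both loops branch on scalar bits, which is exactly the data-dependent behaviour the package's warning section disclaims; this example inherits that property.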
Directories ¶
Path | Synopsis
---|---
ecdsa | Package ecdsa provides ECDSA signature scheme on the stark-curve curve.
fp | Package fp contains field arithmetic operations for modulus = 0x800000...000001.
fr | Package fr contains field arithmetic operations for modulus = 0x800000...c64d2f.