ed448

package module
v1.0.2 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Mar 20, 2022 License: GPL-3.0 Imports: 14 Imported by: 1

README

ED448-goldilocks

This is an implementation of the Edwards elliptic curve with a field size of 448, as described by Mike Hamburg in his paper "Ed448-Goldilocks, a new elliptic curve".

Disclaimer

This code is provided as is and does not have any warranty. Use it at your own risk.

License

GNU General Public License v3.0

Documentation

Index

Constants

This section is empty.

Variables

View Source
var (
	// Cofactor is the ratio between the order of the group (p) and the one
	// from the subgroup (q).
	Cofactor = byte(4)

	//ScalarQ is the prime order of the curve (q).
	ScalarQ = &scalar{
		0xab5844f3, 0x2378c292, 0x8dc58f55, 0x216cc272,
		0xaed63690, 0xc44edb49, 0x7cca23e9, 0xffffffff,
		0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff,
		0xffffffff, 0x3fffffff,
	}

	//BasePoint is the base point of the curve.
	BasePoint = &twExtendedPoint{
		&bigNumber{
			0x0ffffffe, 0x0fffffff, 0x0fffffff, 0x0fffffff,
			0x0fffffff, 0x0fffffff, 0x0fffffff, 0x0fffffff,
			0x00000003, 0x00000000, 0x00000000, 0x00000000,
			0x00000000, 0x00000000, 0x00000000, 0x00000000,
		},
		&bigNumber{
			0x0f752992, 0x081e6d37, 0x01c28721, 0x03078ead,
			0x0394666c, 0x0135cfd2, 0x00506061, 0x041149c5,
			0x0f5490b3, 0x031d30e4, 0x090dc141, 0x09020149,
			0x04c1e328, 0x052341b0, 0x03c10a1b, 0x01423785,
		},
		&bigNumber{
			0x0ffffffb, 0x0fffffff, 0x0fffffff, 0x0fffffff,
			0x0fffffff, 0x0fffffff, 0x0fffffff, 0x0fffffff,
			0x0ffffffe, 0x0fffffff, 0x0fffffff, 0x0fffffff,
			0x0fffffff, 0x0fffffff, 0x0fffffff, 0x0fffffff,
		},
		&bigNumber{
			0x00660415, 0x08f205b7, 0x0fd3824f, 0x0881c60c,
			0x0d08500d, 0x0377a638, 0x04672615, 0x08c66d5d,
			0x08e08e13, 0x0e52fa55, 0x01b6983d, 0x087770ae,
			0x0a0aa7ff, 0x04388f55, 0x05cf1a91, 0x0b4d9a78,
		},
	}
)
View Source
var Basepoint []byte

Basepoint is the generator for curve448 in montgomery form

Functions

func DSASign

func DSASign(sym [57]byte, pub Point, msg []byte) [114]byte

DSASign implements EdDSA style signing for Ed448 - equivalent of goldilocks_ed448_sign

func DSAVerify

func DSAVerify(sig [114]byte, pub Point, msg []byte) bool

DSAVerify implements EdDSA style verifying for Ed448 equivalent of goldilocks_ed48_verify

func Ed448DeriveSecret

func Ed448DeriveSecret(pubkey PublicKey, privkey PrivateKey) [56]byte

func Ed448Sign

func Ed448Sign(privkey PrivateKey, message []byte) [114]byte

func Ed448Verify

func Ed448Verify(pubkey PublicKey, signature, message []byte) bool

func EdPrivateKeyToX448

func EdPrivateKeyToX448(edKey PrivateKey) [56]byte

func EdPublicKeyToX448

func EdPublicKeyToX448(edKey PublicKey) [56]byte

func GenerateSeed

func GenerateSeed(reader io.Reader) ([]uint8, error)

func LadderScalarBaseMult

func LadderScalarBaseMult(curve GoldilocksCurve, k []byte) (*big.Int, *big.Int)

LadderScalarBaseMult returns k*G, where G is the base point of the group and k is an integer in big-endian form.

func LadderScalarMult

func LadderScalarMult(curve GoldilocksCurve, x1, y1 *big.Int, k []byte) (*big.Int, *big.Int)

LadderScalarMult returns k*(Bx,By) where k is a number in little-endian form. This uses the montgomery ladder

func SHA512Hash

func SHA512Hash(password, salt []uint8) []uint8

func SignSecretAndNonce

func SignSecretAndNonce(secret, n PrivateKey, msg []byte) [114]byte

func SignWithPrivate

func SignWithPrivate(privkey PrivateKey, message []byte) [114]byte

func ToMontgomeryCurve

func ToMontgomeryCurve(x, y *big.Int) (*big.Int, *big.Int)

ToMontgomeryCurve converts from Weierstrass to Montgomery

func ToWeierstrassCurve

func ToWeierstrassCurve(p, u, v *big.Int) (*big.Int, *big.Int, *big.Int)

ToWeierstrassCurve converts from Montgomery form to Weierstrass

Types

type Curve

type Curve interface {
	GenerateKeys(read io.Reader) (priv [privKeyBytes]byte, pub [pubKeyBytes]byte, ok bool)
	Sign(priv [privKeyBytes]byte, message []byte) (signature [signatureBytes]byte, ok bool)
	Verify(signature [signatureBytes]byte, message []byte, pub [pubKeyBytes]byte) (valid bool)
	ComputeSecret(private [privKeyBytes]byte, public [pubKeyBytes]byte) (secret [sha512.Size]byte)
}

Curve is the interface that wraps the basic curve methods. TODO It would be better with the use of privateKey and publicKey types.

func NewCurve

func NewCurve() Curve

NewCurve returns a Curve.

type Curve25519

type Curve25519 interface {
	elliptic.Curve
}

A Curve25519 represents the curve25519.

func CurveP25519

func CurveP25519() Curve25519

CurveP25519 returns a Curve which implements curve448

type Curve25519Params

type Curve25519Params struct {
	// contains filtered or unexported fields
}

Curve25519Params contains the parameters of an elliptic curve and also provides a generic, non-constant time implementation of Curve. These are the Montgomery params.

func (*Curve25519Params) Add

func (curve *Curve25519Params) Add(x1, y1, x2, y2 *big.Int) (*big.Int, *big.Int)

Add adds two points in montgomery x3 = ((y2-y1)^2/(x2-x1)^2)-A-x1-x2 y3 = (2*x1+x2+a)*(y2-y1)/(x2-x1)-b*(y2-y1)3/(x2-x1)3-y1 See: https://www.hyperelliptic.org/EFD/g1p/auto-montgom.html

func (*Curve25519Params) Double

func (curve *Curve25519Params) Double(x1, y1 *big.Int) (*big.Int, *big.Int)

Double doubles two points in montgomery x3 = b*(3*x12+2*a*x1+1)2/(2*b*y1)2-a-x1-x1 y3 = (2*x1+x1+a)*(3*x12+2*a*x1+1)/(2*b*y1)-b*(3*x12+2*a*x1+1)3/(2*b*y1)3-y1 See: https://www.hyperelliptic.org/EFD/g1p/auto-montgom.html

func (*Curve25519Params) IsOnCurve

func (curve *Curve25519Params) IsOnCurve(x, y *big.Int) bool

IsOnCurve verifies if a given point in montgomery is valid v^2 = u^3 + A*u^2 + u

func (*Curve25519Params) Params

func (curve *Curve25519Params) Params() *elliptic.CurveParams

Params returns the parameters for the curve.

func (*Curve25519Params) ScalarBaseMult

func (curve *Curve25519Params) ScalarBaseMult(k []byte) (*big.Int, *big.Int)

ScalarBaseMult returns k*(Bx,By) where k is a number in little-endian form.

func (*Curve25519Params) ScalarMult

func (curve *Curve25519Params) ScalarMult(x1, y1 *big.Int, k []byte) (*big.Int, *big.Int)

ScalarMult returns k*(Bx,By) where k is a number in little-endian form.

type CurveParams

type CurveParams struct {
	// contains filtered or unexported fields
}

CurveParams contains the parameters of an elliptic curve and also provides a generic, non-constant time implementation of Curve. These are the Montgomery params.

func (*CurveParams) Add

func (curve *CurveParams) Add(x1, y1, x2, y2 *big.Int) (*big.Int, *big.Int)

Add adds two points in montgomery x3 = ((y2-y1)^2/(x2-x1)^2)-A-x1-x2 y3 = (2*x1+x2+a)*(y2-y1)/(x2-x1)-b*(y2-y1)3/(x2-x1)3-y1 See: https://www.hyperelliptic.org/EFD/g1p/auto-montgom.html

func (*CurveParams) Double

func (curve *CurveParams) Double(x1, y1 *big.Int) (*big.Int, *big.Int)

Double doubles two points in montgomery x3 = b*(3*x12+2*a*x1+1)2/(2*b*y1)2-a-x1-x1 y3 = (2*x1+x1+a)*(3*x12+2*a*x1+1)/(2*b*y1)-b*(3*x12+2*a*x1+1)3/(2*b*y1)3-y1 See: https://www.hyperelliptic.org/EFD/g1p/auto-montgom.html

func (*CurveParams) IsOnCurve

func (curve *CurveParams) IsOnCurve(x, y *big.Int) bool

IsOnCurve verifies if a given point in montgomery is valid v^2 = u^3 + A*u^2 + u

func (*CurveParams) MapToCurve

func (curve *CurveParams) MapToCurve(u *big.Int) (*big.Int, *big.Int)

MapToCurve calculates a point on the elliptic curve from an element of the finite field F. This implements Elligator2, according to https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05, section 6.7.1.1.

func (*CurveParams) Params

func (curve *CurveParams) Params() *elliptic.CurveParams

Params returns the parameters for the curve.

func (*CurveParams) ScalarBaseMult

func (curve *CurveParams) ScalarBaseMult(k []byte) (*big.Int, *big.Int)

ScalarBaseMult returns k*G, where G is the base point of the group and k is an integer in big-endian form.

func (*CurveParams) ScalarMult

func (curve *CurveParams) ScalarMult(x1, y1 *big.Int, k []byte) (*big.Int, *big.Int)

ScalarMult returns k*(Bx,By) where k is a number in little-endian form. This uses the double and add method

type DecafCurve

type DecafCurve interface {
	GenerateKeys() (priv [privKeyBytes]byte, pub [pubKeyBytes]byte, ok bool)
	Sign(priv [privKeyBytes]byte, message []byte) (signature [signatureBytes]byte, ok bool)
	Verify(signature [signatureBytes]byte, message []byte, pub [pubKeyBytes]byte) (valid bool, err error)
}

DecafCurve is the interface that wraps the basic curve methods in decaf. TODO: change this name

func NewDecafCurve

func NewDecafCurve() DecafCurve

NewDecafCurve returns a Curve.

type EdwardsCurveParams

type EdwardsCurveParams struct {
	P       *big.Int // the order of the underlying finite field
	N       *big.Int // the prime order of the base point
	D       *big.Int // the non-zero element
	Gx, Gy  *big.Int // (x,y) of the base point
	BitSize int      // the size of the underlying field
	Name    string   // the canonical name of the curve
}

EdwardsCurveParams contains the parameters of an elliptic curve and also provides a generic, non-constant time implementation of Curve. These are the Edwards params.

func (*EdwardsCurveParams) Add

func (curve *EdwardsCurveParams) Add(p, q Point) Point

Add gives the sum of two points (p, q) and produces a third point (p).

func (*EdwardsCurveParams) Double

func (curve *EdwardsCurveParams) Double(p Point) Point

Double gives the doubling of a point (p).

func (*EdwardsCurveParams) IsOnCurve

func (curve *EdwardsCurveParams) IsOnCurve(p Point) bool

IsOnCurve reports whether the given point (p) lies on the curve.

func (*EdwardsCurveParams) Params

func (curve *EdwardsCurveParams) Params() *EdwardsCurveParams

Params returns the parameters for the curve.

type ExtendedPrivate

type ExtendedPrivate [114]uint8

func ChildPrivateToPrivate

func ChildPrivateToPrivate(s ExtendedPrivate, index uint32) ExtendedPrivate

func SeedToExtendedPrivate

func SeedToExtendedPrivate(s []uint8) ExtendedPrivate

type ExtendedPublic

type ExtendedPublic [114]uint8

func ChildPrivateToPublic

func ChildPrivateToPublic(s ExtendedPrivate, index uint32) ExtendedPublic

func ChildPublicToPublic

func ChildPublicToPublic(pub ExtendedPublic, index uint32) ExtendedPublic

func ExtendedPrivateToPublic

func ExtendedPrivateToPublic(s ExtendedPrivate) ExtendedPublic

type GoldilocksCurve

type GoldilocksCurve interface {
	elliptic.Curve
}

A GoldilocksCurve represents the curve448.

func Curve448

func Curve448() GoldilocksCurve

Curve448 returns a Curve which implements curve448

type GoldilocksEdCurve

type GoldilocksEdCurve interface {
	// Params returns the parameters for the curve.
	Params() *EdwardsCurveParams
	// IsOnCurveEdwards reports whether the given p lies on the curve.
	IsOnCurve(p Point) bool
	// AddEdwards returns the sum of p and q
	Add(p, q Point) Point
	// DoubleEdwards returns 2*p
	Double(p Point) Point
	// ScalarMultEdwards returns k*(p) where k is an scalar.
	ScalarMult(p Point, k Scalar) Point
	// ScalarBaseMultEdwards returns k*G, where G is the base point of the group
	// and k is an scalar
	ScalarBaseMult(k Scalar) Point
}

A GoldilocksEdCurve represents Goldilocks edwards448. This uses the decaf technique

type Point

type Point interface {
	IsOnCurve() bool
	Equals(q Point) bool
	EqualsMask(q Point) uint32
	Copy() Point
	Add(q, r Point)
	Sub(q, r Point)
	Double() Point
	Encode() []byte
	Decode(src []byte, identity bool) (bool, error)
	EdDSAEncode() []byte
	EdDSADecode(src []byte) bool
	EdDSADecodeWithoutCofactor(src []byte) bool
}

Point is a interface of a Ed448 point

func ConstantTimeSelectPoint

func ConstantTimeSelectPoint(bfalse, btrue Point, mask uint32) Point

ConstantTimeSelectPoint will use constant time select to choose either the left or right point, depending on if the mask is either all zeroes, or all ones

func NewPoint

func NewPoint(a [nLimbs]uint32, b [nLimbs]uint32, c [nLimbs]uint32, d [nLimbs]uint32) Point

NewPoint returns an Ed448 point from 4 arrays of 16 uint32.

func NewPointFromBytes

func NewPointFromBytes(in ...[]byte) Point

NewPointFromBytes returns an Ed448 point from a byte slice.

func PointByPrivate

func PointByPrivate(p PrivateKey) Point

func PointBySecret

func PointBySecret(p PrivateKey) Point

func PointDoubleScalarMul

func PointDoubleScalarMul(q, r Point, a, b Scalar) Point

PointDoubleScalarMul returns the addition of two multiplications: a given point (q) by a given scalar (a) and a given point (r) by a given scalar (b): q * a + r * b.

func PointDoubleScalarMulNonsecret

func PointDoubleScalarMulNonsecret(q Point, a, b Scalar) Point

PointDoubleScalarMulNonsecret returns the addition of two multiplications: a given point (q) by a given scalar (b) and the base point of the curve by a given scalar (a): q * b + basePoint * a. @warning: This function takes variable time, and may leak the scalars used. It is designed for signature verification.

func PointScalarMul

func PointScalarMul(q Point, a Scalar) Point

PointScalarMul returns the multiplication of a given point (p) by a given scalar (a): q * a.

func PrecomputedScalarMul

func PrecomputedScalarMul(a Scalar) Point

PrecomputedScalarMul returns the multiplication of a given scalar (a) by the precomputed base point of the curve: basePoint * a.

func ScalarBaseMult

func ScalarBaseMult(k Scalar) Point

ScalarBaseMult returns the multiplication of a given scalar (k) by the precomputed base point of the curve: basePoint * k.

func ScalarMult

func ScalarMult(p Point, k Scalar) Point

ScalarMult returns the multiplication of a given point (p) by a given scalar (a): p * k.

type PrivateKey

type PrivateKey [57]byte

func BytesToPrivateKey

func BytesToPrivateKey(key []byte) (pk PrivateKey)

func Ed448GenerateKey

func Ed448GenerateKey(reader io.Reader) (PrivateKey, error)

func PrivateToSecret

func PrivateToSecret(pk PrivateKey) PrivateKey

type PublicKey

type PublicKey [57]byte

func BytesToPublicKey

func BytesToPublicKey(key []byte) (pk PublicKey)

func Ed448DerivePublicKey

func Ed448DerivePublicKey(privkey PrivateKey) PublicKey

func PrivateToPublic

func PrivateToPublic(privkey PrivateKey) PublicKey

func SecretToPublic

func SecretToPublic(sk PrivateKey) PublicKey

type Scalar

type Scalar interface {
	Equals(a Scalar) bool
	EqualsMask(a Scalar) uint32
	Copy() Scalar
	Add(a, b Scalar)
	Sub(a, b Scalar)
	Mul(a, b Scalar)
	Halve(a Scalar)
	Invert() bool
	Encode() []byte
	BarretDecode(src []byte) error
	Decode(src []byte)
}

Scalar is a interface of a Ed448 scalar

func ConstantTimeSelectScalar

func ConstantTimeSelectScalar(bfalse, btrue Scalar, mask uint32) Scalar

ConstantTimeSelectScalar will use constant time select to choose either the left or right scalar, depending on if the mask is either all zeroes, or all ones

func NewScalar

func NewScalar(in ...[]byte) Scalar

NewScalar returns a Scalar in Ed448 with decaf

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL