edwards

package
v1.0.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Mar 17, 2022 License: ISC Imports: 16 Imported by: 0

Documentation

Index

Constants

View Source
const (
	PrivScalarSize  = 32
	PrivKeyBytesLen = 64
)

These constants define the lengths of serialized private keys.

View Source
const (
	PubKeyBytesLen = 32
)

These constants define the lengths of serialized public keys.

View Source
const SignatureSize = 64

SignatureSize is the size of an encoded ECDSA signature.

Variables

View Source
var (
	// ErrInvalidMAC occurs when Message Authentication Check (MAC) fails
	// during decryption. This happens because of either invalid private key or
	// corrupt ciphertext.
	ErrInvalidMAC = errors.New("invalid mac hash")
)
View Source
var Sha512VersionStringRFC6979 = []byte("Edwards+SHA512  ")

Sha512VersionStringRFC6979 is the RFC6979 nonce version for a Schnorr signature over the Curve25519 curve using BLAKE256 as the hash function.

Functions

func BigIntPointToEncodedBytes

func BigIntPointToEncodedBytes(x *big.Int, y *big.Int) *[32]byte

BigIntPointToEncodedBytes converts an affine point to a compressed 32 byte integer representation.

func BigIntToEncodedBytes

func BigIntToEncodedBytes(a *big.Int) *[32]byte

BigIntToEncodedBytes converts a big integer into its corresponding 32 byte little endian representation.

func BigIntToEncodedBytesNoReverse

func BigIntToEncodedBytesNoReverse(a *big.Int) *[32]byte

BigIntToEncodedBytesNoReverse converts a big integer into its corresponding 32 byte big endian representation.

func BigIntToFieldElement

func BigIntToFieldElement(a *big.Int) *edwards25519.FieldElement

BigIntToFieldElement converts a big little endian integer into its corresponding 40 byte field representation.

func Decrypt

func Decrypt(curve *TwistedEdwardsCurve, priv *PrivateKey, in []byte) ([]byte,
	error)

Decrypt decrypts data that was encrypted using the Encrypt function.

func EncodedBytesToBigInt

func EncodedBytesToBigInt(s *[32]byte) *big.Int

EncodedBytesToBigInt converts a 32 byte little endian representation of an integer into a big, big endian integer.

func EncodedBytesToBigIntNoReverse

func EncodedBytesToBigIntNoReverse(s *[32]byte) *big.Int

EncodedBytesToBigIntNoReverse converts a 32 byte big endian representation of an integer into a big little endian integer.

func EncodedBytesToFieldElement

func EncodedBytesToFieldElement(s *[32]byte) *edwards25519.FieldElement

EncodedBytesToFieldElement converts a 32 byte little endian integer into a field element.

func Encrypt

func Encrypt(curve *TwistedEdwardsCurve, pubkey *PublicKey, in []byte) ([]byte,
	error)

Encrypt encrypts data for the target public key using AES-256-CBC. It also generates a private key (the pubkey of which is also in the output).

struct {
	// Initialization Vector used for AES-256-CBC
	IV [16]byte
	// Public Key: curve(2) + len_of_pubkeyX(2) + pubkeyY (curve = 0xFFFF)
	PublicKey [36]byte
	// Cipher text
	Data []byte
	// HMAC-SHA-256 Message Authentication Code
	HMAC [32]byte
}

The primary aim is to ensure byte compatibility with Pyelliptic. Additionally, refer to section 5.8.1 of ANSI X9.63 for rationale on this format.

func FieldElementToBigInt

func FieldElementToBigInt(fe *edwards25519.FieldElement) *big.Int

FieldElementToBigInt converts a 40 byte field element into a big int.

func FieldElementToEncodedBytes

func FieldElementToEncodedBytes(fe *edwards25519.FieldElement) *[32]byte

FieldElementToEncodedBytes converts a 40 byte field element into a 32 byte little endian integer.

func GenerateKey

func GenerateKey(curve *TwistedEdwardsCurve, rand io.Reader) (priv []byte, x,
	y *big.Int, err error)

GenerateKey generates a key using a random number generator, returning the private scalar and the corresponding public key points from a random secret.

func GenerateKeyNew

func GenerateKeyNew(rand io.Reader) (priv []byte, x, y *big.Int, err error)

GenerateKey generates a key using a random number generator, returning the private scalar and the corresponding public key points from a random secret.

func GenerateNoncePair

func GenerateNoncePair(curve *TwistedEdwardsCurve, msg []byte,
	privkey *PrivateKey, extra []byte,
	version []byte) (*PrivateKey, *PublicKey, error)

GenerateNoncePair is the generalized and exported version of generateNoncePair.

func GenerateSharedSecret

func GenerateSharedSecret(privkey *PrivateKey, pubkey *PublicKey) []byte

GenerateSharedSecret generates a shared secret based on a private key and a private key using Diffie-Hellman key exchange (ECDH) (RFC 4753). RFC5903 Section 9 states we should only return y.

func Marshal

func Marshal(curve TwistedEdwardsCurve, x, y *big.Int) []byte

Marshal converts a point into the 32 byte encoded Ed25519 form.

func NonceRFC6979

func NonceRFC6979(curve *TwistedEdwardsCurve, privkey *big.Int, hash []byte,
	extra []byte, version []byte) *big.Int

NonceRFC6979 generates an ECDSA nonce (`k`) deterministically according to RFC 6979. It takes a 32-byte hash as an input and returns 32-byte nonce to be used in ECDSA algorithm.

func PrivKeyFromBytes

func PrivKeyFromBytes(curve *TwistedEdwardsCurve,
	pkBytes []byte) (*PrivateKey, *PublicKey)

PrivKeyFromBytes returns a private and public key for `curve' based on the private key passed as an argument as a byte slice.

func PrivKeyFromScalar

func PrivKeyFromScalar(curve *TwistedEdwardsCurve, p []byte) (*PrivateKey,
	*PublicKey, error)

PrivKeyFromScalar returns a private and public key for `curve' based on the 32-byte private scalar passed as an argument as a byte slice (encoded big endian int).

func PrivKeyFromSecret

func PrivKeyFromSecret(curve *TwistedEdwardsCurve, s []byte) (*PrivateKey,
	*PublicKey)

PrivKeyFromSecret returns a private and public key for `curve' based on the 32-byte private key secret passed as an argument as a byte slice.

func ScalarAdd

func ScalarAdd(a, b *big.Int) *big.Int

ScalarAdd adds two scalars and returns the sum mod N.

func SchnorrPartialSign

func SchnorrPartialSign(curve *TwistedEdwardsCurve, msg []byte,
	priv *PrivateKey, groupPub *PublicKey, privNonce *PrivateKey,
	pubSum *PublicKey) (*big.Int, *big.Int, error)

SchnorrPartialSign is the generalized and exported version of schnorrPartialSign.

func Sign

func Sign(curve *TwistedEdwardsCurve, priv *PrivateKey, hash []byte) (r,
	s *big.Int, err error)

Sign is the generalized and exported version of Ed25519 signing, that handles both standard private secrets and non-standard scalars.

func SignFromScalar

func SignFromScalar(curve *TwistedEdwardsCurve, priv *PrivateKey,
	nonce []byte, hash []byte) (r, s *big.Int, err error)

SignFromScalar signs a message 'hash' using the given private scalar priv. It uses RFC6979 to generate a deterministic nonce. Considered experimental. r = kG, where k is the RFC6979 nonce s = r + hash512(k || A || M) * a

func SignFromSecret

func SignFromSecret(rand io.Reader, priv *PrivateKey, hash []byte) (r, s *big.Int,
	err error)

SignFromSecret signs a message 'hash' using the given private key priv. It doesn't actually user the random reader (the lib is maybe deterministic???).

func SignFromSecretNoReader

func SignFromSecretNoReader(priv *PrivateKey, hash []byte) (r, s *big.Int,
	err error)

SignFromSecretNoReader signs a message 'hash' using the given private key priv. It doesn't actually user the random reader.

func SignThreshold

func SignThreshold(curve *TwistedEdwardsCurve, priv *PrivateKey,
	groupPub *PublicKey, hash []byte, privNonce *PrivateKey,
	pubNonceSum *PublicKey) (r, s *big.Int, err error)

SignThreshold signs a message 'hash' using the given private scalar priv in a threshold group signature. It uses RFC6979 to generate a deterministic nonce. Considered experimental. As opposed to the threshold signing function for secp256k1, this function takes the entirety of the public nonce point (all points added) instead of the public nonce point with n-1 keys added. r = K_Sum s = r + hash512(k || A || M) * a

func Unmarshal

func Unmarshal(curve *TwistedEdwardsCurve, data []byte) (x, y *big.Int)

Unmarshal converts a point into the 32 byte encoded Ed25519 form.

func Verify

func Verify(pub *PublicKey, hash []byte, r, s *big.Int) bool

Verify verifies a message 'hash' using the given public keys and signature.

Types

type PrivateKey

type PrivateKey struct {
	// contains filtered or unexported fields
}

PrivateKey wraps an ecdsa.PrivateKey as a convenience mainly for signing things with the the private key without having to directly import the ecdsa package.

func GeneratePrivateKey

func GeneratePrivateKey(curve *TwistedEdwardsCurve) (*PrivateKey, error)

GeneratePrivateKey is a wrapper for ecdsa.GenerateKey that returns a PrivateKey instead of the normal ecdsa.PrivateKey.

func NewPrivateKey

func NewPrivateKey(curve *TwistedEdwardsCurve, d *big.Int) *PrivateKey

NewPrivateKey instantiates a new private key from a scalar encoded as a big integer.

func (PrivateKey) GetD

func (p PrivateKey) GetD() *big.Int

GetD satisfies the chainec PrivateKey interface.

func (PrivateKey) GetType

func (p PrivateKey) GetType() int

GetType satisfies the chainec PrivateKey interface.

func (PrivateKey) Public

func (p PrivateKey) Public() (*big.Int, *big.Int)

Public returns the PublicKey corresponding to this private key.

func (PrivateKey) Serialize

func (p PrivateKey) Serialize() []byte

Serialize returns the private key as a 32 byte big endian number.

func (PrivateKey) SerializeSecret

func (p PrivateKey) SerializeSecret() []byte

SerializeSecret returns the 32 byte secret along with its public key as 64 bytes.

func (PrivateKey) ToECDSA

func (p PrivateKey) ToECDSA() *ecdsa.PrivateKey

ToECDSA returns the private key as a *ecdsa.PrivateKey.

type PublicKey

type PublicKey ecdsa.PublicKey

PublicKey is an ecdsa.PublicKey with an additional function to serialize.

func CombinePubkeys

func CombinePubkeys(curve *TwistedEdwardsCurve,
	pks []*PublicKey) *PublicKey

CombinePubkeys combines a slice of public keys into a single public key by adding them together with point addition.

func NewPublicKey

func NewPublicKey(curve *TwistedEdwardsCurve, x *big.Int, y *big.Int) *PublicKey

NewPublicKey instantiates a new public key.

func ParsePubKey

func ParsePubKey(curve *TwistedEdwardsCurve, pubKeyStr []byte) (key *PublicKey,
	err error)

ParsePubKey parses a public key for an edwards curve from a bytestring into a ecdsa.Publickey, verifying that it is valid.

func RecoverCompact

func RecoverCompact(signature, hash []byte) (*PublicKey, bool, error)

RecoverCompact uses a signature and a hash to recover is private key, is not yet implemented. TODO: Implement.

func (PublicKey) GetCurve

func (p PublicKey) GetCurve() interface{}

GetCurve satisfies the chainec PublicKey interface.

func (PublicKey) GetType

func (p PublicKey) GetType() int

GetType satisfies the chainec PublicKey interface.

func (PublicKey) GetX

func (p PublicKey) GetX() *big.Int

GetX satisfies the chainec PublicKey interface.

func (PublicKey) GetY

func (p PublicKey) GetY() *big.Int

GetY satisfies the chainec PublicKey interface.

func (PublicKey) Serialize

func (p PublicKey) Serialize() []byte

Serialize serializes a public key in a 32-byte compressed little endian format.

func (PublicKey) SerializeCompressed

func (p PublicKey) SerializeCompressed() []byte

SerializeCompressed satisfies the chainec PublicKey interface.

func (PublicKey) SerializeHybrid

func (p PublicKey) SerializeHybrid() []byte

SerializeHybrid satisfies the chainec PublicKey interface.

func (PublicKey) SerializeUncompressed

func (p PublicKey) SerializeUncompressed() []byte

SerializeUncompressed satisfies the chainec PublicKey interface.

func (PublicKey) ToECDSA

func (p PublicKey) ToECDSA() *ecdsa.PublicKey

ToECDSA returns the public key as a *ecdsa.PublicKey.

type Signature

type Signature struct {
	R *big.Int
	S *big.Int
}

Signature is a type representing an ecdsa signature.

func NewSignature

func NewSignature(r, s *big.Int) *Signature

NewSignature instantiates a new signature given some R,S values.

func ParseDERSignature

func ParseDERSignature(curve *TwistedEdwardsCurve, sigStr []byte) (*Signature,
	error)

ParseDERSignature offers a legacy function for plugging into Hcd, which is based off btcec.

func ParseSignature

func ParseSignature(curve *TwistedEdwardsCurve, sigStr []byte) (*Signature,
	error)

ParseSignature parses a signature in BER format for the curve type `curve' into a Signature type, perfoming some basic sanity checks.

func SchnorrCombineSigs

func SchnorrCombineSigs(curve *TwistedEdwardsCurve,
	sigs []*Signature) (*Signature, error)

SchnorrCombineSigs is the generalized and exported version of generateNoncePair.

func (Signature) GetR

func (sig Signature) GetR() *big.Int

GetR satisfies the chainec Signature interface.

func (Signature) GetS

func (sig Signature) GetS() *big.Int

GetS satisfies the chainec Signature interface.

func (Signature) GetType

func (sig Signature) GetType() int

GetType satisfies the chainec Signature interface.

func (Signature) Serialize

func (sig Signature) Serialize() []byte

Serialize returns the ECDSA signature in the more strict format.

The signatures are encoded as

sig[0:32]  R, a point encoded as little endian
sig[32:64] S, scalar multiplication/addition results = (ab+c) mod l
  encoded also as little endian

type TwistedEdwardsCurve

type TwistedEdwardsCurve struct {
	*elliptic.CurveParams
	H int // Cofactor of the curve

	A, D, I *big.Int // Edwards curve equation parameter constants
	// contains filtered or unexported fields
}

TwistedEdwardsCurve extended an elliptical curve set of parameters to satisfy the interface of the elliptic package.

func Edwards

func Edwards() *TwistedEdwardsCurve

Edwards returns a Curve which implements Ed25519.

func (*TwistedEdwardsCurve) Add

func (curve *TwistedEdwardsCurve) Add(x1, y1, x2, y2 *big.Int) (x, y *big.Int)

Add adds two points represented by pairs of big integers on the elliptical curve.

func (*TwistedEdwardsCurve) Double

func (curve *TwistedEdwardsCurve) Double(x1, y1 *big.Int) (x, y *big.Int)

Double adds the same pair of big integer coordinates to itself on the elliptical curve.

func (*TwistedEdwardsCurve) EncodedBytesToBigIntPoint

func (curve *TwistedEdwardsCurve) EncodedBytesToBigIntPoint(s *[32]byte) (*big.Int,
	*big.Int, error)

EncodedBytesToBigIntPoint converts a 32 byte representation of a point on the elliptical curve into a big integer point. It returns an error if the point does not fall on the curve.

func (*TwistedEdwardsCurve) InitParam25519

func (curve *TwistedEdwardsCurve) InitParam25519()

InitParam25519 initializes an instance of the Ed25519 curve.

func (*TwistedEdwardsCurve) IsOnCurve

func (curve *TwistedEdwardsCurve) IsOnCurve(x *big.Int, y *big.Int) bool

IsOnCurve returns bool to say if the point (x,y) is on the curve by checking (y^2 - x^2 - 1 - dx^2y^2) % P == 0.

func (TwistedEdwardsCurve) Params

func (curve TwistedEdwardsCurve) Params() *elliptic.CurveParams

Params returns the parameters for the curve.

func (*TwistedEdwardsCurve) RecoverXBigInt

func (curve *TwistedEdwardsCurve) RecoverXBigInt(xIsNeg bool,
	y *big.Int) *big.Int

RecoverXBigInt recovers the X value for some Y value, for a coordinate on the Ed25519 curve given as a big integer Y value.

func (*TwistedEdwardsCurve) RecoverXFieldElement

func (curve *TwistedEdwardsCurve) RecoverXFieldElement(xIsNeg bool,
	y *edwards25519.FieldElement) *edwards25519.FieldElement

RecoverXFieldElement recovers the X value for some Y value, for a coordinate on the Ed25519 curve given as a field element. Y value. Probably the fastest way to get your respective X from Y.

func (*TwistedEdwardsCurve) ScalarBaseMult

func (curve *TwistedEdwardsCurve) ScalarBaseMult(k []byte) (x, y *big.Int)

ScalarBaseMult returns k*G, where G is the base point of the group and k is an integer in big-endian form. TODO Optimize this with field elements

func (*TwistedEdwardsCurve) ScalarMult

func (curve *TwistedEdwardsCurve) ScalarMult(x1, y1 *big.Int,
	k []byte) (x, y *big.Int)

ScalarMult returns k*(Bx,By) where k is a number in big-endian form. This uses the repeated doubling method, which is variable time. TODO use a constant time method to prevent side channel attacks.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL