native

package
v1.8.19 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 16, 2022 License: Apache-2.0 Imports: 11 Imported by: 0

Documentation

Index

Constants

View Source
const FieldBytes = 32

FieldBytes is the number of bytes needed to represent this field

View Source
const FieldLimbs = 4

FieldLimbs is the number of limbs needed to represent this field

View Source
const MaxDstLen = 255

MaxDstLen the max size for dst in hash to curve

View Source
const WideFieldBytes = 64

WideFieldBytes is the number of bytes needed for safe conversion to this field to avoid bias when reduced

Variables

View Source
var OversizeDstSalt = []byte("H2C-OVERSIZE-DST-")

OversizeDstSalt is the salt used to hash a dst over MaxDstLen

Functions

func ExpandMsgXmd

func ExpandMsgXmd(h *EllipticPointHasher, msg, domain []byte, outLen int) []byte

ExpandMsgXmd expands the msg with the domain to output a byte array with outLen in size using a fixed size hash. See https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-13#section-5.4.1

func ExpandMsgXof

func ExpandMsgXof(h *EllipticPointHasher, msg, domain []byte, outLen int) []byte

ExpandMsgXof expands the msg with the domain to output a byte array with outLen in size using a xof hash See https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-13#section-5.4.2

func Pow

func Pow(out, base, exp *[FieldLimbs]uint64, params *FieldParams, arithmetic FieldArithmetic)

Pow raises base^exp. The result is written to out. Public only for convenience for some internal implementations

func Pow2k

func Pow2k(out, arg *[FieldLimbs]uint64, k int, arithmetic FieldArithmetic)

Pow2k raises arg to the power `2^k`. This result is written to out. Public only for convenience for some internal implementations

Types

type EllipticPoint

type EllipticPoint struct {
	X          *Field
	Y          *Field
	Z          *Field
	Params     *EllipticPointParams
	Arithmetic EllipticPointArithmetic
}

EllipticPoint represents a Weierstrauss elliptic curve point

func (*EllipticPoint) Add

func (p *EllipticPoint) Add(lhs, rhs *EllipticPoint) *EllipticPoint

Add adds the two points

func (*EllipticPoint) BigInt

func (p *EllipticPoint) BigInt() (x, y *big.Int)

BigInt returns the x and y as big.Ints in affine

func (*EllipticPoint) Double

func (p *EllipticPoint) Double(point *EllipticPoint) *EllipticPoint

Double this point

func (*EllipticPoint) Equal

func (p *EllipticPoint) Equal(rhs *EllipticPoint) int

Equal returns 1 if the two points are equal 0 otherwise.

func (*EllipticPoint) Generator

func (p *EllipticPoint) Generator() *EllipticPoint

Generator returns the base point for the curve

func (*EllipticPoint) GetX

func (p *EllipticPoint) GetX() *Field

GetX returns the affine X coordinate

func (*EllipticPoint) GetY

func (p *EllipticPoint) GetY() *Field

GetY returns the affine Y coordinate

func (*EllipticPoint) Hash

func (p *EllipticPoint) Hash(bytes []byte, hasher *EllipticPointHasher) (*EllipticPoint, error)

Hash uses the hasher to map bytes to a valid point

func (*EllipticPoint) Identity

func (p *EllipticPoint) Identity() *EllipticPoint

Identity returns the identity point

func (*EllipticPoint) IsIdentity

func (p *EllipticPoint) IsIdentity() bool

IsIdentity returns true if this point is at infinity

func (*EllipticPoint) IsOnCurve

func (p *EllipticPoint) IsOnCurve() bool

IsOnCurve determines if this point represents a valid curve point

func (*EllipticPoint) Mul

func (p *EllipticPoint) Mul(point *EllipticPoint, scalar *Field) *EllipticPoint

Mul multiplies this point by the input scalar

func (*EllipticPoint) Neg

func (p *EllipticPoint) Neg(point *EllipticPoint) *EllipticPoint

Neg negates this point

func (*EllipticPoint) Random

func (p *EllipticPoint) Random(reader io.Reader) (*EllipticPoint, error)

Random creates a random point on the curve from the specified reader

func (*EllipticPoint) Set

func (p *EllipticPoint) Set(clone *EllipticPoint) *EllipticPoint

Set copies clone into p

func (*EllipticPoint) SetBigInt

func (p *EllipticPoint) SetBigInt(x, y *big.Int) (*EllipticPoint, error)

SetBigInt creates a point from affine x, y and returns the point if it is on the curve

func (*EllipticPoint) Sub

func (p *EllipticPoint) Sub(lhs, rhs *EllipticPoint) *EllipticPoint

Sub subtracts the two points

func (*EllipticPoint) SumOfProducts

func (p *EllipticPoint) SumOfProducts(points []*EllipticPoint, scalars []*Field) (*EllipticPoint, error)

SumOfProducts computes the multi-exponentiation for the specified points and scalars and stores the result in `p`. Returns an error if the lengths of the arguments is not equal.

func (*EllipticPoint) ToAffine

func (p *EllipticPoint) ToAffine(clone *EllipticPoint) *EllipticPoint

ToAffine converts the point into affine coordinates

type EllipticPointArithmetic

type EllipticPointArithmetic interface {
	// Hash a byte sequence to the curve using the specified hasher
	// and dst and store the result in out
	Hash(out *EllipticPoint, hasher *EllipticPointHasher, bytes, dst []byte) error
	// Double arg and store the result in out
	Double(out, arg *EllipticPoint)
	// Add arg1 with arg2 and store the result in out
	Add(out, arg1, arg2 *EllipticPoint)
	// IsOnCurve tests arg if it represents a valid point on the curve
	IsOnCurve(arg *EllipticPoint) bool
	// ToAffine converts arg to affine coordinates storing the result in out
	ToAffine(out, arg *EllipticPoint)
	// RhsEq computes the right-hand side of the ecc equation
	RhsEq(out, x *Field)
}

EllipticPointArithmetic are the methods that specific curves need to implement for higher abstractions to wrap the point

type EllipticPointHashName

type EllipticPointHashName uint

EllipticPointHashName is to indicate the hash function is used for hash to curve operations

const (
	SHA256 EllipticPointHashName = iota
	SHA512
	SHA3_256
	SHA3_384
	SHA3_512
	BLAKE2B
	SHAKE128
	SHAKE256
)

func (EllipticPointHashName) String

func (n EllipticPointHashName) String() string

type EllipticPointHashType

type EllipticPointHashType uint

EllipticPointHashType is to indicate which expand operation is used for hash to curve operations

const (
	// XMD - use ExpandMsgXmd
	XMD EllipticPointHashType = iota
	// XOF - use ExpandMsgXof
	XOF
)

func (EllipticPointHashType) String

func (t EllipticPointHashType) String() string

type EllipticPointHasher

type EllipticPointHasher struct {
	// contains filtered or unexported fields
}

EllipticPointHasher is the type of hashing methods for hashing byte sequences to curve point.

func EllipticPointHasherBlake2b

func EllipticPointHasherBlake2b() *EllipticPointHasher

EllipticPointHasherBlake2b creates a point hasher that uses Blake2b

func EllipticPointHasherSha256

func EllipticPointHasherSha256() *EllipticPointHasher

EllipticPointHasherSha256 creates a point hasher that uses Sha256

func EllipticPointHasherSha3256

func EllipticPointHasherSha3256() *EllipticPointHasher

EllipticPointHasherSha3256 creates a point hasher that uses Sha3256

func EllipticPointHasherSha3384

func EllipticPointHasherSha3384() *EllipticPointHasher

EllipticPointHasherSha3384 creates a point hasher that uses Sha3384

func EllipticPointHasherSha3512

func EllipticPointHasherSha3512() *EllipticPointHasher

EllipticPointHasherSha3512 creates a point hasher that uses Sha3512

func EllipticPointHasherSha512

func EllipticPointHasherSha512() *EllipticPointHasher

EllipticPointHasherSha512 creates a point hasher that uses Sha512

func EllipticPointHasherShake128

func EllipticPointHasherShake128() *EllipticPointHasher

EllipticPointHasherShake128 creates a point hasher that uses Shake128

func EllipticPointHasherShake256

func EllipticPointHasherShake256() *EllipticPointHasher

EllipticPointHasherShake256 creates a point hasher that uses Shake256

func (*EllipticPointHasher) Name

func (e *EllipticPointHasher) Name() string

Name returns the hash name for this hasher

func (*EllipticPointHasher) Type

Type returns the hash type for this hasher

func (*EllipticPointHasher) Xmd

func (e *EllipticPointHasher) Xmd() hash.Hash

Xmd returns the hash method for ExpandMsgXmd

func (*EllipticPointHasher) Xof

Xof returns the hash method for ExpandMsgXof

type EllipticPointParams

type EllipticPointParams struct {
	Name    string
	A       *Field
	B       *Field
	Gx      *Field
	Gy      *Field
	BitSize int
}

EllipticPointParams are the Weierstrauss curve parameters such as the name, the coefficients the generator point, and the prime bit size

type Field

type Field struct {
	// Value is the field elements value
	Value [FieldLimbs]uint64
	// Params are the field parameters
	Params *FieldParams
	// Arithmetic are the field methods
	Arithmetic FieldArithmetic
}

Field represents a field element

func (*Field) Add

func (f *Field) Add(lhs, rhs *Field) *Field

Add returns the result from adding rhs to this element

func (*Field) BigInt

func (f *Field) BigInt() *big.Int

BigInt converts this element into the big.Int struct

func (*Field) Bytes

func (f *Field) Bytes() [FieldBytes]byte

Bytes converts this element into a byte representation in little endian byte order

func (*Field) CMove

func (f *Field) CMove(lhs, rhs *Field, choice int) *Field

CMove sets f = lhs if choice == 0 and f = rhs if choice == 1

func (*Field) Cmp

func (f *Field) Cmp(rhs *Field) int

Cmp returns -1 if f < rhs 0 if f == rhs 1 if f > rhs

func (*Field) Double

func (f *Field) Double(a *Field) *Field

Double this element

func (*Field) Equal

func (f *Field) Equal(rhs *Field) int

Equal returns 1 if f == rhs, 0 otherwise

func (*Field) Exp

func (f *Field) Exp(base, exp *Field) *Field

Exp raises base^exp

func (*Field) Invert

func (f *Field) Invert(a *Field) (*Field, bool)

Invert this element i.e. compute the multiplicative inverse return false, zero if this element is zero.

func (*Field) IsNonZero

func (f *Field) IsNonZero() int

IsNonZero returns 1 if f != 0, 0 otherwise

func (*Field) IsOne

func (f *Field) IsOne() int

IsOne returns 1 if f == 1, 0 otherwise

func (*Field) IsZero

func (f *Field) IsZero() int

IsZero returns 1 if f == 0, 0 otherwise

func (*Field) Mul

func (f *Field) Mul(lhs, rhs *Field) *Field

Mul returns the result from multiplying this element by rhs

func (*Field) Neg

func (f *Field) Neg(input *Field) *Field

Neg returns negation of this element

func (*Field) Raw

func (f *Field) Raw() [FieldLimbs]uint64

Raw converts this element into the a [FieldLimbs]uint64

func (*Field) Set

func (f *Field) Set(rhs *Field) *Field

Set f = rhs

func (*Field) SetBigInt

func (f *Field) SetBigInt(bi *big.Int) *Field

SetBigInt initializes an element from big.Int The value is reduced by the modulus

func (*Field) SetBytes

func (f *Field) SetBytes(input *[FieldBytes]byte) (*Field, error)

SetBytes attempts to convert a little endian byte representation of a scalar into a `Fp`, failing if input is not canonical

func (*Field) SetBytesWide

func (f *Field) SetBytesWide(input *[WideFieldBytes]byte) *Field

SetBytesWide takes 64 bytes as input and treats them as a 512-bit number. Attributed to https://github.com/zcash/pasta_curves/blob/main/src/fields/Fp.rs#L255 We reduce an arbitrary 512-bit number by decomposing it into two 256-bit digits with the higher bits multiplied by 2^256. Thus, we perform two reductions

1. the lower bits are multiplied by r^2, as normal 2. the upper bits are multiplied by r^2 * 2^256 = r^3

and computing their sum in the field. It remains to see that arbitrary 256-bit numbers can be placed into Montgomery form safely using the reduction. The reduction works so long as the product is less than r=2^256 multiplied by the modulus. This holds because for any `c` smaller than the modulus, we have that (2^256 - 1)*c is an acceptable product for the reduction. Therefore, the reduction always works so long as `c` is in the field; in this case it is either the constant `r2` or `r3`.

func (*Field) SetLimbs

func (f *Field) SetLimbs(input *[FieldLimbs]uint64) *Field

SetLimbs converts an array into a field element by converting to montgomery form

func (*Field) SetOne

func (f *Field) SetOne() *Field

SetOne f = r

func (*Field) SetRaw

func (f *Field) SetRaw(input *[FieldLimbs]uint64) *Field

SetRaw converts a raw array into a field element Assumes input is already in montgomery form

func (*Field) SetUint64

func (f *Field) SetUint64(rhs uint64) *Field

SetUint64 f = rhs

func (*Field) SetZero

func (f *Field) SetZero() *Field

SetZero f = 0

func (*Field) Sqrt

func (f *Field) Sqrt(a *Field) (*Field, bool)

Sqrt this element, if it exists. If true, then value is a square root. If false, value is a QNR

func (*Field) Square

func (f *Field) Square(a *Field) *Field

Square this element

func (*Field) Sub

func (f *Field) Sub(lhs, rhs *Field) *Field

Sub returns the result from subtracting rhs from this element

type FieldArithmetic

type FieldArithmetic interface {
	// ToMontgomery converts this field to montgomery form
	ToMontgomery(out, arg *[FieldLimbs]uint64)
	// FromMontgomery converts this field from montgomery form
	FromMontgomery(out, arg *[FieldLimbs]uint64)
	// Neg performs modular negation
	Neg(out, arg *[FieldLimbs]uint64)
	// Square performs modular square
	Square(out, arg *[FieldLimbs]uint64)
	// Mul performs modular multiplication
	Mul(out, arg1, arg2 *[FieldLimbs]uint64)
	// Add performs modular addition
	Add(out, arg1, arg2 *[FieldLimbs]uint64)
	// Sub performs modular subtraction
	Sub(out, arg1, arg2 *[FieldLimbs]uint64)
	// Sqrt performs modular square root
	Sqrt(wasSquare *int, out, arg *[FieldLimbs]uint64)
	// Invert performs modular inverse
	Invert(wasInverted *int, out, arg *[FieldLimbs]uint64)
	// FromBytes converts a little endian byte array into a field element
	FromBytes(out *[FieldLimbs]uint64, arg *[FieldBytes]byte)
	// ToBytes converts a field element to a little endian byte array
	ToBytes(out *[FieldBytes]byte, arg *[FieldLimbs]uint64)
	// Selectznz performs conditional select.
	// selects arg1 if choice == 0 and arg2 if choice == 1
	Selectznz(out, arg1, arg2 *[FieldLimbs]uint64, choice int)
}

FieldArithmetic are the methods that can be done on a field

type FieldParams

type FieldParams struct {
	// R is 2^256 mod Modulus
	R [FieldLimbs]uint64
	// R2 is 2^512 mod Modulus
	R2 [FieldLimbs]uint64
	// R3 is 2^768 mod Modulus
	R3 [FieldLimbs]uint64
	// Modulus of the field
	Modulus [FieldLimbs]uint64
	// Modulus as big.Int
	BiModulus *big.Int
}

FieldParams are the field parameters

type IsogenyParams

type IsogenyParams struct {
	XNum [][FieldLimbs]uint64
	XDen [][FieldLimbs]uint64
	YNum [][FieldLimbs]uint64
	YDen [][FieldLimbs]uint64
}

IsogenyParams are the parameters needed to map from an isogeny to the main curve

func (*IsogenyParams) Map

func (p *IsogenyParams) Map(xIn, yIn *Field) (x, y *Field)

Map from the isogeny curve to the main curve using the parameters

type SswuParams

type SswuParams struct {
	C1, C2, A, B, Z [FieldLimbs]uint64
}

SswuParams for computing the Simplified SWU mapping for hash to curve implementations

func (*SswuParams) Osswu3mod4

func (p *SswuParams) Osswu3mod4(u *Field) (x, y *Field)

Osswu3mod4 computes the simplified map optmized for 3 mod 4 primes https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-11#appendix-G.2.1

Directories

Path Synopsis
fp
Autogenerated: 'src/ExtractionOCaml/word_by_word_montgomery' --lang Go --no-wide-int --relax-primitive-carry-to-bitwidth 32,64 --cmovznz-by-mul --internal-static --package-case flatcase --public-function-case UpperCamelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case camelCase --no-prefix-fiat --doc-newline-in-typedef-bounds --doc-prepend-header 'Code generated by Fiat Cryptography.
Autogenerated: 'src/ExtractionOCaml/word_by_word_montgomery' --lang Go --no-wide-int --relax-primitive-carry-to-bitwidth 32,64 --cmovznz-by-mul --internal-static --package-case flatcase --public-function-case UpperCamelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case camelCase --no-prefix-fiat --doc-newline-in-typedef-bounds --doc-prepend-header 'Code generated by Fiat Cryptography.
fq
Autogenerated: 'src/ExtractionOCaml/word_by_word_montgomery' --lang Go --no-wide-int --relax-primitive-carry-to-bitwidth 32,64 --cmovznz-by-mul --internal-static --package-case flatcase --public-function-case UpperCamelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case camelCase --no-prefix-fiat --doc-newline-in-typedef-bounds --doc-prepend-header 'Code generated by Fiat Cryptography.
Autogenerated: 'src/ExtractionOCaml/word_by_word_montgomery' --lang Go --no-wide-int --relax-primitive-carry-to-bitwidth 32,64 --cmovznz-by-mul --internal-static --package-case flatcase --public-function-case UpperCamelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case camelCase --no-prefix-fiat --doc-newline-in-typedef-bounds --doc-prepend-header 'Code generated by Fiat Cryptography.
fp
Code generated by Fiat Cryptography.
Code generated by Fiat Cryptography.
fq
Code generated by Fiat Cryptography.
Code generated by Fiat Cryptography.
fp
fq

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL