This module provides an implementation of ElligatorSwift as well as a version of x-only ECDH using it (including compatibility with BIP324).
ElligatorSwift is described in https://eprint.iacr.org/2022/759 by Chavez-Saab, Rodriguez-Henriquez, and Tibouchi. It permits encoding uniformly chosen public keys as 64-byte arrays which are indistinguishable from uniformly random arrays.
Let f be the function from pairs of field elements to point X coordinates, defined as follows (all operations modulo p = 2^256 - 2^32 - 977).
f(u,t):
- Let C = 0xa2d2ba93507f1df233770c2a797962cc61f6d15da14ecd47d8d27ae1cd5f852, a square root of -3.
- If u=0, set u=1 instead.
- If t=0, set t=1 instead.
- If u^3 + t^2 + 7 = 0, multiply t by 2.
- Let X = (u^3 + 7 - t^2) / (2 * t)
- Let Y = (X + t) / (C * u)
- Return the first in [u + 4 * Y^2, (-X/Y - u) / 2, (X/Y - u) / 2] that is an X coordinate on the curve (at least one of them is, for any u and t).
Then an ElligatorSwift encoding of x consists of the 32-byte big-endian encodings of field elements u and t concatenated, where f(u,t) = x.
The encoding algorithm is described in the paper, and effectively picks a uniformly random pair (u,t) among those which encode x.
If the Y coordinate is relevant, it is given the same parity as t.
Changes w.r.t. the paper:
- The u=0, t=0, and u^3+t^2+7=0 conditions result in decoding to the point at infinity in the paper. Here they are remapped to finite points.
- The paper uses an additional encoding bit for the parity of y. Here the parity of t is used (negating t does not affect the decoded x coordinate, so this is possible).
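The decoding function f(u,t) listed above, written out in Python as an added example (not code from this crate or from libsecp256k1). The names `f`, `decode`, `inv` and `is_x_on_curve` are chosen here, and reducing out-of-range 32-byte values modulo p in `decode` is an assumption the text does not state.

```python
P = 2**256 - 2**32 - 977  # field prime p from the text
C = 0xa2d2ba93507f1df233770c2a797962cc61f6d15da14ecd47d8d27ae1cd5f852  # sqrt(-3)


def inv(a):
    """Modular inverse in GF(p); callers guarantee a != 0."""
    return pow(a, -1, P)


def is_x_on_curve(x):
    """True if x^3 + 7 is a nonzero square mod p (Euler's criterion)."""
    return pow((pow(x, 3, P) + 7) % P, (P - 1) // 2, P) == 1


def f(u, t):
    """Map a pair of field elements (u, t) to a curve X coordinate."""
    u, t = u % P, t % P
    if u == 0:
        u = 1
    if t == 0:
        t = 1
    if (pow(u, 3, P) + t * t + 7) % P == 0:
        t = 2 * t % P  # remap instead of decoding to infinity
    X = (pow(u, 3, P) + 7 - t * t) * inv(2 * t % P) % P
    Y = (X + t) * inv(C * u % P) % P  # Y != 0 thanks to the remap above
    x_over_y = X * inv(Y) % P
    half = inv(2)
    for x in ((u + 4 * Y * Y) % P,
              (-x_over_y - u) * half % P,
              (x_over_y - u) * half % P):
        if is_x_on_curve(x):
            return x
    raise AssertionError("unreachable: one candidate is always on the curve")


def decode(enc64):
    """Decode a 64-byte encoding (u || t, big-endian) to an X coordinate.
    Assumption: out-of-range values are reduced mod p."""
    if len(enc64) != 64:
        raise ValueError("encoding must be exactly 64 bytes")
    u = int.from_bytes(enc64[:32], "big")
    t = int.from_bytes(enc64[32:], "big")
    return f(u, t)
```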
Structs
- An encoding of an elliptic curve point such that a uniformly random on-curve point will be encoded as uniformly random bits.
- The result of ElligatorSwift::shared_secret, which is a shared secret computed from the x-only ECDH using both parties’ public keys (ElligatorSwift encoded) and our own private key.
Enums
- Represents which party we are in the ECDH.