Module curve25519_dalek_ng::edwards [−][src]
Expand description
Group operations for Curve25519, in Edwards form.
Encoding and Decoding
Encoding is done by converting to and from a CompressedEdwardsY
struct, which is a typed wrapper around [u8; 32]
.
Equality Testing
The EdwardsPoint
struct implements the subtle::ConstantTimeEq
trait for constant-time equality checking, and the Rust Eq
trait
for variable-time equality checking.
Cofactor-related functions
The order of the group of points on the curve \(\mathcal E\) is \(|\mathcal E| = 8\ell \), so its structure is \( \mathcal E = \mathcal E[8] \times \mathcal E[\ell]\). The torsion subgroup \( \mathcal E[8] \) consists of eight points of small order. Technically, all of \(\mathcal E\) is torsion, but we use the word only to refer to the small \(\mathcal E[8]\) part, not the large prime-order \(\mathcal E[\ell]\) part.
To test if a point is in \( \mathcal E[8] \), use
EdwardsPoint::is_small_order()
.
To test if a point is in \( \mathcal E[\ell] \), use
EdwardsPoint::is_torsion_free()
.
To multiply by the cofactor, use EdwardsPoint::mul_by_cofactor()
.
To avoid dealing with cofactors entirely, consider using Ristretto.
Scalars
Scalars are represented by the Scalar
struct. To construct a scalar with a specific bit
pattern, see Scalar::from_bits()
.
Scalar Multiplication
Scalar multiplication on Edwards points is provided by:
-
the
*
operator between aScalar
and aEdwardsPoint
, which performs constant-time variable-base scalar multiplication; -
the
*
operator between aScalar
and aEdwardsBasepointTable
, which performs constant-time fixed-base scalar multiplication; -
an implementation of the
MultiscalarMul
trait for constant-time variable-base multiscalar multiplication; -
an implementation of the
VartimeMultiscalarMul
trait for variable-time variable-base multiscalar multiplication;
Implementation
The Edwards arithmetic is implemented using the “extended twisted
coordinates” of Hisil, Wong, Carter, and Dawson, and the
corresponding complete formulas. For more details,
see the curve_models
submodule
of the internal documentation.
Validity Checking
There is no function for checking whether a point is valid.
Instead, the EdwardsPoint
struct is guaranteed to hold a valid
point on the curve.
We use the Rust type system to make invalid points
unrepresentable: EdwardsPoint
objects can only be created via
successful decompression of a compressed point, or else by
operations on other (valid) EdwardsPoint
s.
Structs
In “Edwards y” / “Ed25519” format, the curve point \((x,y)\) is determined by the \(y\)-coordinate and the sign of \(x\).
A precomputed table of multiples of a basepoint, for accelerating
fixed-base scalar multiplication. One table, for the Ed25519
basepoint, is provided in the constants
module.
An EdwardsPoint
represents a point on the Edwards form of Curve25519.
Precomputation for variable-time multiscalar multiplication with EdwardsPoint
s.