Module curve25519_dalek::edwards [] [src]

Group operations for Curve25519, in Edwards form.

Encoding and Decoding

Encoding is done by converting to and from a CompressedEdwardsY struct, which is a typed wrapper around [u8; 32].

Equality Testing

The EdwardsPoint struct implements the subtle::Equal trait for constant-time equality checking, and the Rust Eq trait for variable-time equality checking.

The order of the group of points on the curve \(\mathcal E\) is \(|\mathcal E| = 8\ell \), so its structure is \( \mathcal E = \mathcal E[8] \times \mathcal E[\ell]\). The torsion subgroup \( \mathcal E[8] \) consists of eight points of small order. Technically, all of \(\mathcal E\) is torsion, but we use the word only to refer to the small \(\mathcal E[8]\) part, not the large prime-order \(\mathcal E[\ell]\) part.

To test if a point is in \( \mathcal E[8] \), use EdwardsPoint::is_small_order().

To test if a point is in \( \mathcal E[\ell] \), use EdwardsPoint::is_torsion_free().

To multiply by the cofactor, use EdwardsPoint::mult_by_cofactor().

To avoid dealing with cofactors entirely, consider using Ristretto.

Scalars

Scalars are represented by the Scalar struct. To construct a scalar with a specific bit pattern, see Scalar::from_bits().

Scalar Multiplication

Scalar multiplication on Edwards points is provided by:

  • the * operator between a Scalar and a EdwardsPoint, which performs constant-time variable-base scalar multiplication;

  • the * operator between a Scalar and a EdwardsBasepointTable, which performs constant-time fixed-base scalar multiplication;

  • the edwards::multiscalar_mult function, which performs constant-time variable-base multiscalar multiplication;

  • the edwards::vartime::multiscalar_mult function, which performs variable-time variable-base multiscalar multiplication.

Implementation

The Edwards arithmetic is implemented using the “extended twisted coordinates” of Hisil, Wong, Carter, and Dawson, and the corresponding complete formulas. For more details, see the curve_models submodule of the internal documentation.

Validity Checking

There is no function for checking whether a point is valid. Instead, the EdwardsPoint struct is guaranteed to hold a valid point on the curve.

We use the Rust type system to make invalid points unrepresentable: EdwardsPoint objects can only be created via successful decompression of a compressed point, or else by operations on other (valid) EdwardsPoints.

Modules

vartime

Variable-time operations on curve points, useful for non-secret data.

Structs

CompressedEdwardsY

In "Edwards y" / "Ed25519" format, the curve point \((x,y)\) is determined by the \(y\)-coordinate and the sign of \(x\).
EdwardsBasepointTable

A precomputed table of multiples of a basepoint, for accelerating fixed-base scalar multiplication. One table, for the Ed25519 basepoint, is provided in the constants module.
EdwardsPoint

An EdwardsPoint represents a point on the Edwards form of Curve25519.

Functions

multiscalar_mult

Given an iterator of (possibly secret) scalars and an iterator of (possibly secret) points, compute $$ Q = c_1 P_1 + \cdots + c_n P_n. $$