Struct curve25519_dalek::field::FieldElement

pub struct FieldElement(pub [i32; 10]);

A FieldElement represents an element of the field GF(2^255 - 19).

With the radix_51 feature, a FieldElement is represented in radix 2^25.5 as ten i32s, so that an element t, with entries t[0],...,t[9], represents the integer t[0] + 2^26 t[1] + 2^51 t[2] + 2^77 t[3] + 2^102 t[4] + ... + 2^230 t[9]. Bounds on each t[i] vary depending on context.

Methods

impl FieldElement

Invert the sign of this field element.

Construct zero.

Construct one.

Construct -1.

Create a FieldElement by demarshalling an array of 32 bytes.

Example

XXX eliminate limbs

use curve25519_dalek::field::FieldElement;

let data: [u8; 32] = [ 1,  2,  3,  4,  5,  6,  7,  8,
                       9, 10, 11, 12, 13, 14, 15, 16,
                      17, 18, 19, 20, 21, 22, 23, 24,
                      25, 26, 27, 28, 29, 30, 31, 32 ];
let fe: FieldElement = FieldElement::from_bytes(&data);
assert_eq!(fe,
           FieldElement([ 197121, -4095679,  21045505,  6840408, 4209720,
                         1249809, -7665014, -12377341, 30523826, 8420472]));

Return

Returns a new FieldElement.
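The demarshalling described above, worked as an added example that is not the crate's own code: it places the 32 little-endian bytes at the bit offsets of the radix-2^25.5 representation and runs a ref10-style signed carry chain (fe_frombytes), which reproduces the limb values shown in the example. The names fe_from_bytes, carry and satisfies_square_precondition are chosen here; the bound check uses the square() precondition stated further down this page.

```rust
/// Ten i32 limbs in radix 2^25.5: limb i holds the bits of the integer
/// starting at offset 0, 26, 51, 77, 102, 128, 153, 179, 204, 230.
pub type Limbs = [i32; 10];

// Little-endian loads, widened to i64 so shifts and carries cannot overflow.
fn load3(b: &[u8]) -> i64 { b[0] as i64 | (b[1] as i64) << 8 | (b[2] as i64) << 16 }
fn load4(b: &[u8]) -> i64 { load3(b) | (b[3] as i64) << 24 }

/// Signed carry out of limb i (`bits` wide) into limb i+1: round h[i] to the
/// nearest multiple of 2^bits and move the excess up. The carry out of the top
/// limb wraps around as 2^255 = 19 (mod p).
fn carry(h: &mut [i64; 10], i: usize, bits: u32) {
    let c = (h[i] + (1i64 << (bits - 1))) >> bits;
    h[i] -= c << bits;
    if i == 9 { h[0] += c * 19 } else { h[i + 1] += c }
}

/// Demarshal 32 little-endian bytes into limbs, following the ref10
/// fe_frombytes strategy (function name chosen for this example).
pub fn fe_from_bytes(s: &[u8; 32]) -> Limbs {
    let mut h: [i64; 10] = [
        load4(&s[0..4]),
        load3(&s[4..7]) << 6,   // byte 4 is bit 32; limb 1 starts at bit 26
        load3(&s[7..10]) << 5,  // 56 - 51
        load3(&s[10..13]) << 3, // 80 - 77
        load3(&s[13..16]) << 2, // 104 - 102
        load4(&s[16..20]),      // 128 - 128
        load3(&s[20..23]) << 7, // 160 - 153
        load3(&s[23..26]) << 5, // 184 - 179
        load3(&s[26..29]) << 4, // 208 - 204
        (load3(&s[29..32]) & 0x7f_ffff) << 2, // 232 - 230; bit 255 is discarded
    ];
    // Odd limbs are 25 bits wide, even limbs 26; the carry order matches ref10.
    for &i in &[9usize, 1, 3, 5, 7] { carry(&mut h, i, 25); }
    for &i in &[0usize, 2, 4, 6, 8] { carry(&mut h, i, 26); }
    let mut out = [0i32; 10];
    for i in 0..10 { out[i] = h[i] as i32; }
    out
}

/// square() precondition from this page: |h[i]| < 1.1*2^26 (even i), 1.1*2^25 (odd i).
pub fn satisfies_square_precondition(h: &Limbs) -> bool {
    h.iter().enumerate().all(|(i, &v)| {
        let bits = if i % 2 == 0 { 26 } else { 25 };
        (v as f64).abs() < 1.1 * (1u64 << bits) as f64
    })
}
```

Setting the top bit of the last byte does not change the result, which is why a canonical encoding check must be done separately if it is required.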

Marshal this FieldElement into a 32-byte array.

XXX eliminate limbs

Example

Continuing from the previous example in FieldElement::from_bytes:

use curve25519_dalek::field::FieldElement;

let data: [u8; 32] = [ 1,  2,  3,  4,  5,  6,  7,  8,
                       9, 10, 11, 12, 13, 14, 15, 16,
                      17, 18, 19, 20, 21, 22, 23, 24,
                      25, 26, 27, 28, 29, 30, 31, 32 ];
let fe: FieldElement = FieldElement([ 197121, -4095679,  21045505,  6840408, 4209720,
                                     1249809, -7665014, -12377341, 30523826, 8420472]);
let bytes: [u8; 32] = fe.to_bytes();
assert!(data == bytes);

Determine if this FieldElement is negative, in the sense used in the ed25519 paper: x is negative if the low bit is set.

Return

If negative, return 1u8. Otherwise, return 0u8.

Determine if this FieldElement is negative, in the sense used by Decaf: x is nonnegative if the least absolute residue for x lies in [0, (p-1)/2], and is negative otherwise.

Return

Returns 1u8 if negative, 0u8 if nonnegative.

Implementation

Uses a trick borrowed from Mike Hamburg's code. Let x ∈ F_p and let y ∈ Z be the least absolute residue for x. Suppose y ≤ (p-1)/2. Then 2y < p, so 2y mod p = 2y, which is even. On the other hand, if y > (p-1)/2 then 2y ≥ p; since y < p, 2y ∈ [p, 2p), so 2y mod p = 2y - p, which is odd.

Thus we can test whether y ≤ (p-1)/2 by checking whether 2y mod p is even.
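As an added illustration of the argument above (not the crate's code), the parity test and the definition are compared exhaustively for small odd primes, with u64 arithmetic standing in for F_p; the function names and the toy primes are choices made here. It also contrasts the Decaf convention with the ed25519 low-bit convention described earlier on this page.

```rust
/// ed25519 convention from this page: x is negative if the low bit of its
/// reduced representative is set.
pub fn is_negative_ed25519(x: u64, p: u64) -> bool {
    (x % p) & 1 == 1
}

/// Decaf convention, straight from the definition: x is nonnegative iff its
/// residue lies in [0, (p-1)/2]. This needs a comparison against (p-1)/2.
pub fn is_negative_decaf(x: u64, p: u64) -> bool {
    (x % p) > (p - 1) / 2
}

/// The trick: x is negative iff 2x mod p is odd. In the field this is one
/// doubling (or addition) plus a look at the low bit of the reduced result.
pub fn is_negative_decaf_by_parity(x: u64, p: u64) -> bool {
    ((2 * (x % p)) % p) & 1 == 1
}

/// Exhaustively confirm that the parity test agrees with the definition for
/// every residue of an odd prime p (p is a toy value chosen by the caller).
pub fn trick_holds_for(p: u64) -> bool {
    (0..p).all(|x| is_negative_decaf(x, p) == is_negative_decaf_by_parity(x, p))
}
```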

Determine if this FieldElement is nonnegative, in the sense used by Decaf: x is nonnegative if the least absolute residue for x lies in [0, (p-1)/2], and is negative otherwise.

Determine if this FieldElement is zero.

Return

If zero, return 1u8. Otherwise, return 0u8.

Determine if this FieldElement is non-zero.

Return

If non-zero, return 1u8. Otherwise, return 0u8.

Calculates h = f*f. Can overlap h with f.

XXX limbs: better to talk about headroom?

Preconditions

  • |f[i]| bounded by 1.1*2^26, 1.1*2^25, 1.1*2^26, 1.1*2^25, etc.

Postconditions

  • |h[i]| bounded by 1.1*2^25, 1.1*2^24, 1.1*2^25, 1.1*2^24, etc.

Square this field element and multiply the result by 2.

XXX explain why square2 exists vs square (overflow)

Preconditions

  • |f[i]| bounded by 1.65*2^26, 1.65*2^25, 1.65*2^26, 1.65*2^25, etc.

Postconditions

  • |h[i]| bounded by 1.01*2^25, 1.01*2^24, 1.01*2^25, 1.01*2^24, etc.

Notes

See fe_mul.c in the ref10 implementation for a discussion of the implementation strategy.

Given a nonzero field element, compute its inverse. The inverse is computed as self^(p-2), since x^(p-2) * x = x^(p-1) = 1 (mod p).

XXX should we add a debug_assert that self is nonzero?

Raise this field element to the power (p-5)/8 = 2^252 - 3. Used in decoding.

Given FieldElements u and v, attempt to compute sqrt(u/v) in constant time.

It would be much better to use an Option type here, but doing so forces the caller to branch, which we don't want to do. This seems like the least bad solution.

Return

  • (1u8, sqrt(u/v)) if v is nonzero and u/v is square;
  • (0u8, zero) if v is zero;
  • (0u8, garbage) if u/v is nonsquare.

For self a nonzero square, compute 1/sqrt(self) in constant time.

It would be much better to use an Option type here, but doing so forces the caller to branch, which we don't want to do. This seems like the least bad solution.

Return

  • (1u8, 1/sqrt(self)) if self is a nonzero square;
  • (0u8, zero) if self is zero;
  • (0u8, garbage) if self is nonsquare.

chi calculates self^((p-1)/2).

Return

  • If this element is a non-zero square, returns 1.
  • If it is zero, returns 0.
  • If it is non-square, returns -1.

Trait Implementations

impl Copy for FieldElement

impl Clone for FieldElement

Returns a copy of the value.

Performs copy-assignment from source.

impl Eq for FieldElement

impl PartialEq for FieldElement

Test equality between two FieldElements by converting them to bytes.

Warning

This comparison is not constant time. It could easily be made to be, but the main use of an Eq implementation is for branching, so it seems pointless.

This method tests for !=.

impl CTEq for FieldElement

Test equality between two FieldElements by converting them to bytes.

Returns

1u8 if the two FieldElements are equal, and 0u8 otherwise.

impl Debug for FieldElement

Formats the value using the given formatter.

impl Index<usize> for FieldElement

The returned type after indexing

The method for the indexing (container[index]) operation

impl IndexMut<usize> for FieldElement

The method for the mutable indexing (container[index]) operation

impl<'b> AddAssign<&'b FieldElement> for FieldElement

The method for the += operator

impl<'a, 'b> Add<&'b FieldElement> for &'a FieldElement

The resulting type after applying the + operator

The method for the + operator

impl<'b> SubAssign<&'b FieldElement> for FieldElement

The method for the -= operator

impl<'a, 'b> Sub<&'b FieldElement> for &'a FieldElement

The resulting type after applying the - operator

The method for the - operator

impl<'b> MulAssign<&'b FieldElement> for FieldElement

The method for the *= operator

impl<'a, 'b> Mul<&'b FieldElement> for &'a FieldElement

The resulting type after applying the * operator

The method for the * operator

impl<'a> Neg for &'a FieldElement

The resulting type after applying the - operator

The method for the unary - operator

impl CTAssignable for FieldElement

Conditionally assign another FieldElement to this one.

XXX fixup tests to avoid limb specs XXX_radix_51

If choice == 0, replace self with self:

use curve25519_dalek::field::FieldElement;
use curve25519_dalek::subtle::CTAssignable;

let f     = FieldElement([1,1,1,1,1,1,1,1,1,1]);
let g     = FieldElement([2,2,2,2,2,2,2,2,2,2]);
let mut h = FieldElement([1,1,1,1,1,1,1,1,1,1]);
h.conditional_assign(&g, 0);
assert!(h == f);

If choice == 1, replace self with the other FieldElement (here g):

h.conditional_assign(&g, 1);
assert!(h == g);

Preconditions

  • choice in {0,1}
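The constant-time contracts of CTEq and CTAssignable, as an added example that is not the crate's implementation: byte-wise equality that accumulates differences instead of returning early, and a mask-based conditional assignment over the ten limbs. The names ct_eq_bytes and conditional_assign are chosen here. The block also shows what the precondition above protects against: a choice outside {0,1} yields a mask that mixes the two inputs rather than selecting one.

```rust
/// Constant-time equality of two 32-byte encodings, in the spirit of CTEq:
/// OR together every byte difference, then collapse the accumulator to
/// 1 (equal) or 0 (different) without a data-dependent branch.
pub fn ct_eq_bytes(a: &[u8; 32], b: &[u8; 32]) -> u8 {
    let mut acc: u8 = 0;
    for i in 0..32 { acc |= a[i] ^ b[i]; }
    // acc == 0 exactly when equal; (acc - 1) borrows into bit 8 only then.
    (((acc as u16).wrapping_sub(1)) >> 8) as u8 & 1
}

/// Branch-free conditional assignment over ten limbs. Precondition: choice in {0,1}.
pub fn conditional_assign(dst: &mut [i32; 10], src: &[i32; 10], choice: u8) {
    // choice 0 -> mask 0x0000_0000 (keep dst); choice 1 -> mask 0xFFFF_FFFF (take src).
    // Any other choice gives a partial mask, so dst becomes a bit-mix of both.
    let mask = (choice as i32).wrapping_neg();
    for i in 0..10 { dst[i] ^= mask & (dst[i] ^ src[i]); }
}
```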