curve25519_dalek/
constants.rs

1// -*- mode: rust; -*-
2//
3// This file is part of curve25519-dalek.
4// Copyright (c) 2016-2021 isis lovecruft
5// Copyright (c) 2016-2019 Henry de Valence
6// See LICENSE for licensing information.
7//
8// Authors:
9// - isis agora lovecruft <isis@patternsinthevoid.net>
10// - Henry de Valence <hdevalence@hdevalence.ca>
11//! Various constants, such as the Ristretto and Ed25519 basepoints.
12
13#![allow(non_snake_case)]
14
15use cfg_if::cfg_if;
16
17use crate::edwards::CompressedEdwardsY;
18use crate::montgomery::MontgomeryPoint;
19use crate::ristretto::{CompressedRistretto, RistrettoPoint};
20use crate::scalar::Scalar;
21
22#[cfg(feature = "precomputed-tables")]
23use crate::edwards::EdwardsBasepointTable;
24
25cfg_if! {
26    if #[cfg(curve25519_dalek_backend = "fiat")] {
27        #[cfg(curve25519_dalek_bits = "32")]
28        pub use crate::backend::serial::fiat_u32::constants::*;
29        #[cfg(curve25519_dalek_bits = "64")]
30        pub use crate::backend::serial::fiat_u64::constants::*;
31    } else {
32        #[cfg(curve25519_dalek_bits = "32")]
33        pub use crate::backend::serial::u32::constants::*;
34        #[cfg(curve25519_dalek_bits = "64")]
35        pub use crate::backend::serial::u64::constants::*;
36    }
37}
38
39/// The Ed25519 basepoint, in `CompressedEdwardsY` format.
40///
41/// This is the little-endian byte encoding of \\( 4/5 \pmod p \\),
42/// which is the \\(y\\)-coordinate of the Ed25519 basepoint.
43///
44/// The sign bit is 0 since the basepoint has \\(x\\) chosen to be positive.
45pub const ED25519_BASEPOINT_COMPRESSED: CompressedEdwardsY = CompressedEdwardsY([
46    0x58, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
47    0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
48]);
49
50/// The X25519 basepoint, in `MontgomeryPoint` format.
51pub const X25519_BASEPOINT: MontgomeryPoint = MontgomeryPoint([
52    0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
53    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
54]);
55
56/// The Ristretto basepoint, in `CompressedRistretto` format.
57pub const RISTRETTO_BASEPOINT_COMPRESSED: CompressedRistretto = CompressedRistretto([
58    0xe2, 0xf2, 0xae, 0x0a, 0x6a, 0xbc, 0x4e, 0x71, 0xa8, 0x84, 0xa9, 0x61, 0xc5, 0x00, 0x51, 0x5f,
59    0x58, 0xe3, 0x0b, 0x6a, 0xa5, 0x82, 0xdd, 0x8d, 0xb6, 0xa6, 0x59, 0x45, 0xe0, 0x8d, 0x2d, 0x76,
60]);
61
62/// The Ristretto basepoint, as a `RistrettoPoint`.
63///
64/// This is called `_POINT` to distinguish it from `_TABLE`, which
65/// provides fast scalar multiplication.
66pub const RISTRETTO_BASEPOINT_POINT: RistrettoPoint = RistrettoPoint(ED25519_BASEPOINT_POINT);
67
68/// `BASEPOINT_ORDER` is the order of the Ristretto group and of the Ed25519 basepoint, i.e.,
69/// $$
70/// \ell = 2^\{252\} + 27742317777372353535851937790883648493.
71/// $$
72#[deprecated(since = "4.1.1", note = "Should not have been in public API")]
73pub const BASEPOINT_ORDER: Scalar = BASEPOINT_ORDER_PRIVATE;
74
75pub(crate) const BASEPOINT_ORDER_PRIVATE: Scalar = Scalar {
76    bytes: [
77        0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde,
78        0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
79        0x00, 0x10,
80    ],
81};
82
83#[cfg(feature = "precomputed-tables")]
84use crate::ristretto::RistrettoBasepointTable;
85
86/// The Ristretto basepoint, as a `RistrettoBasepointTable` for scalar multiplication.
87#[cfg(feature = "precomputed-tables")]
88pub static RISTRETTO_BASEPOINT_TABLE: &RistrettoBasepointTable = unsafe {
89    // SAFETY: `RistrettoBasepointTable` is a `#[repr(transparent)]` newtype of
90    // `EdwardsBasepointTable`
91    &*(ED25519_BASEPOINT_TABLE as *const EdwardsBasepointTable as *const RistrettoBasepointTable)
92};
93
94#[cfg(test)]
95mod test {
96    use crate::constants;
97    use crate::field::FieldElement;
98    use crate::traits::{IsIdentity, ValidityCheck};
99
100    #[test]
101    fn test_eight_torsion() {
102        for i in 0..8 {
103            let Q = constants::EIGHT_TORSION[i].mul_by_pow_2(3);
104            assert!(Q.is_valid());
105            assert!(Q.is_identity());
106        }
107    }
108
109    #[test]
110    fn test_four_torsion() {
111        for i in (0..8).filter(|i| i % 2 == 0) {
112            let Q = constants::EIGHT_TORSION[i].mul_by_pow_2(2);
113            assert!(Q.is_valid());
114            assert!(Q.is_identity());
115        }
116    }
117
118    #[test]
119    fn test_two_torsion() {
120        for i in (0..8).filter(|i| i % 4 == 0) {
121            let Q = constants::EIGHT_TORSION[i].mul_by_pow_2(1);
122            assert!(Q.is_valid());
123            assert!(Q.is_identity());
124        }
125    }
126
127    /// Test that SQRT_M1 is the positive square root of -1
128    #[test]
129    fn test_sqrt_minus_one() {
130        let minus_one = FieldElement::MINUS_ONE;
131        let sqrt_m1_sq = &constants::SQRT_M1 * &constants::SQRT_M1;
132        assert_eq!(minus_one, sqrt_m1_sq);
133        assert!(bool::from(!constants::SQRT_M1.is_negative()));
134    }
135
136    #[test]
137    fn test_sqrt_constants_sign() {
138        let minus_one = FieldElement::MINUS_ONE;
139        let (was_nonzero_square, invsqrt_m1) = minus_one.invsqrt();
140        assert!(bool::from(was_nonzero_square));
141        let sign_test_sqrt = &invsqrt_m1 * &constants::SQRT_M1;
142        assert_eq!(sign_test_sqrt, minus_one);
143    }
144
145    /// Test that d = -121665/121666
146    #[test]
147    #[cfg(all(curve25519_dalek_bits = "32", not(curve25519_dalek_backend = "fiat")))]
148    fn test_d_vs_ratio() {
149        use crate::backend::serial::u32::field::FieldElement2625;
150        let a = -&FieldElement2625([121665, 0, 0, 0, 0, 0, 0, 0, 0, 0]);
151        let b = FieldElement2625([121666, 0, 0, 0, 0, 0, 0, 0, 0, 0]);
152        let d = &a * &b.invert();
153        let d2 = &d + &d;
154        assert_eq!(d, constants::EDWARDS_D);
155        assert_eq!(d2, constants::EDWARDS_D2);
156    }
157
158    /// Test that d = -121665/121666
159    #[test]
160    #[cfg(all(curve25519_dalek_bits = "64", not(curve25519_dalek_backend = "fiat")))]
161    fn test_d_vs_ratio() {
162        use crate::backend::serial::u64::field::FieldElement51;
163        let a = -&FieldElement51([121665, 0, 0, 0, 0]);
164        let b = FieldElement51([121666, 0, 0, 0, 0]);
165        let d = &a * &b.invert();
166        let d2 = &d + &d;
167        assert_eq!(d, constants::EDWARDS_D);
168        assert_eq!(d2, constants::EDWARDS_D2);
169    }
170
171    #[test]
172    fn test_sqrt_ad_minus_one() {
173        let a = FieldElement::MINUS_ONE;
174        let ad_minus_one = &(&a * &constants::EDWARDS_D) + &a;
175        let should_be_ad_minus_one = constants::SQRT_AD_MINUS_ONE.square();
176        assert_eq!(should_be_ad_minus_one, ad_minus_one);
177    }
178}
curve25519_dalek/constants.rs

curve25519_dalek/
constants.rs
