Module edwards

Source
Expand description

Group operations for Curve25519, in Edwards form.

§Encoding and Decoding

Encoding is done by converting to and from a CompressedEdwardsY struct, which is a typed wrapper around [u8; 32].

§Equality Testing

The EdwardsPoint struct implements the subtle::ConstantTimeEq trait for constant-time equality checking, and the Rust Eq trait for variable-time equality checking.

The order of the group of points on the curve \(\mathcal E\) is \(|\mathcal E| = 8\ell \), so its structure is \( \mathcal E = \mathcal E[8] \times \mathcal E[\ell]\). The torsion subgroup \( \mathcal E[8] \) consists of eight points of small order. Technically, all of \(\mathcal E\) is torsion, but we use the word only to refer to the small \(\mathcal E[8]\) part, not the large prime-order \(\mathcal E[\ell]\) part.

To test if a point is in \( \mathcal E[8] \), use EdwardsPoint::is_small_order.

To test if a point is in \( \mathcal E[\ell] \), use EdwardsPoint::is_torsion_free.

To multiply by the cofactor, use EdwardsPoint::mul_by_cofactor.

To avoid dealing with cofactors entirely, consider using Ristretto.

§Scalars

Scalars are represented by the Scalar struct. To construct a scalar, see Scalar::from_canonical_bytes or Scalar::from_bytes_mod_order_wide.

§Scalar Multiplication

Scalar multiplication on Edwards points is provided by:

  • the * operator between a Scalar and a EdwardsPoint, which performs constant-time variable-base scalar multiplication;

  • the * operator between a Scalar and a EdwardsBasepointTable, which performs constant-time fixed-base scalar multiplication;

  • an implementation of the MultiscalarMul trait for constant-time variable-base multiscalar multiplication;

  • an implementation of the VartimeMultiscalarMul trait for variable-time variable-base multiscalar multiplication;

§Implementation

The Edwards arithmetic is implemented using the “extended twisted coordinates” of Hisil, Wong, Carter, and Dawson, and the corresponding complete formulas. For more details, see the curve_models submodule of the internal documentation.

§Validity Checking

There is no function for checking whether a point is valid. Instead, the EdwardsPoint struct is guaranteed to hold a valid point on the curve.

We use the Rust type system to make invalid points unrepresentable: EdwardsPoint objects can only be created via successful decompression of a compressed point, or else by operations on other (valid) EdwardsPoints.

Structs§

CompressedEdwardsY
In “Edwards y” / “Ed25519” format, the curve point \((x,y)\) is determined by the \(y\)-coordinate and the sign of \(x\).
EdwardsBasepointTable
A precomputed table of multiples of a basepoint, for accelerating fixed-base scalar multiplication. One table, for the Ed25519 basepoint, is provided in the constants module.
EdwardsBasepointTableRadix32
A precomputed table of multiples of a basepoint, for accelerating fixed-base scalar multiplication. One table, for the Ed25519 basepoint, is provided in the constants module.
EdwardsBasepointTableRadix64
A precomputed table of multiples of a basepoint, for accelerating fixed-base scalar multiplication. One table, for the Ed25519 basepoint, is provided in the constants module.
EdwardsBasepointTableRadix128
A precomputed table of multiples of a basepoint, for accelerating fixed-base scalar multiplication. One table, for the Ed25519 basepoint, is provided in the constants module.
EdwardsBasepointTableRadix256
A precomputed table of multiples of a basepoint, for accelerating fixed-base scalar multiplication. One table, for the Ed25519 basepoint, is provided in the constants module.
EdwardsPoint
An EdwardsPoint represents a point on the Edwards form of Curve25519.
SubgroupPointgroup
A SubgroupPoint represents a point on the Edwards form of Curve25519, that is guaranteed to be in the prime-order subgroup.
VartimeEdwardsPrecomputationalloc
Precomputation for variable-time multiscalar multiplication with EdwardsPoints.

Type Aliases§

EdwardsBasepointTableRadix16
A type-alias for EdwardsBasepointTable because the latter is used as a constructor in the constants module.