Module curve25519_dalek::edwards
Group operations for Curve25519, in Edwards form.
Encoding and Decoding
Encoding is done by converting to and from a CompressedEdwardsY struct, which is a typed wrapper around [u8; 32].
Equality Testing
The EdwardsPoint struct implements the subtle::ConstantTimeEq trait for constant-time equality checking, and the Rust Eq trait for variable-time equality checking.
Cofactor-related functions
The order of the group of points on the curve \(\mathcal E\) is \(|\mathcal E| = 8\ell \), so its structure is \( \mathcal E = \mathcal E[8] \times \mathcal E[\ell]\). The torsion subgroup \( \mathcal E[8] \) consists of eight points of small order. Technically, all of \(\mathcal E\) is torsion, but we use the word only to refer to the small \(\mathcal E[8]\) part, not the large prime-order \(\mathcal E[\ell]\) part.
To test if a point is in \( \mathcal E[8] \), use EdwardsPoint::is_small_order().
To test if a point is in \( \mathcal E[\ell] \), use EdwardsPoint::is_torsion_free().
To multiply by the cofactor, use EdwardsPoint::mul_by_cofactor().
To avoid dealing with cofactors entirely, consider using Ristretto.
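The three checks above, modelled in Python on plain integers so the \(\mathcal E[8] \times \mathcal E[\ell]\) structure can be inspected directly. This is an added example, not curve25519-dalek code: the function names mirror the methods named above, while `add`, `mul`, `decompress`, `T4` and `MIXED` are helpers and constructed sample points assumed for this illustration.

```python
# Affine model of the Ed25519 group: -x^2 + y^2 = 1 + d*x^2*y^2 over GF(2^255 - 19).
# Variable-time and for illustration only; not curve25519-dalek's implementation.
P = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493  # prime order ell of E[ell]
D = -121665 * pow(121666, P - 2, P) % P
SQRT_M1 = pow(2, (P - 1) // 4, P)                    # a square root of -1 mod P
IDENTITY = (0, 1)

def inv(a):
    return pow(a, P - 2, P)

def add(p, q):
    """Complete twisted Edwards addition: valid for every pair of curve points."""
    (x1, y1), (x2, y2) = p, q
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + x2 * y1) * inv(1 + t) % P,
            (y1 * y2 + x1 * x2) * inv(1 - t) % P)

def mul(k, p):
    """Double-and-add scalar multiplication."""
    acc = IDENTITY
    while k:
        if k & 1:
            acc = add(acc, p)
        p, k = add(p, p), k >> 1
    return acc

def decompress(y, sign):
    """Recover (x, y) from y and the low bit of x; None if no such point exists."""
    x2 = (y * y - 1) * inv(D * y * y + 1) % P
    x = pow(x2, (P + 3) // 8, P)
    if x * x % P != x2:
        x = x * SQRT_M1 % P
    if x * x % P != x2:
        return None                   # x^2 is not a square: y is not on the curve
    return (x if (x & 1) == sign else (P - x) % P, y)

def mul_by_cofactor(p):
    return mul(8, p)

def is_small_order(p):                # p lies in E[8]
    return mul_by_cofactor(p) == IDENTITY

def is_torsion_free(p):               # p lies in E[ell]
    return mul(L, p) == IDENTITY

B = decompress(4 * inv(5) % P, 0)     # Ed25519 basepoint (y = 4/5, even x)
T4 = (SQRT_M1, 0)                     # constructed point of order 4 in E[8]
MIXED = add(B, T4)                    # valid curve point with a torsion component
```

MIXED is a valid curve point, yet it is neither small-order nor torsion-free; multiplying it by the cofactor removes the \(\mathcal E[8]\) component and leaves 8B.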
Scalars
Scalars are represented by the Scalar struct. To construct a scalar with a specific bit pattern, see Scalar::from_bits().
Scalar Multiplication
Scalar multiplication on Edwards points is provided by:

the * operator between a Scalar and an EdwardsPoint, which performs constant-time variable-base scalar multiplication;
the * operator between a Scalar and an EdwardsBasepointTable, which performs constant-time fixed-base scalar multiplication;
the edwards::multiscalar_mul function, which performs constant-time variable-base multiscalar multiplication;
the edwards::vartime::multiscalar_mul function, which performs variable-time variable-base multiscalar multiplication.
Implementation
The Edwards arithmetic is implemented using the “extended twisted coordinates” of Hisil, Wong, Carter, and Dawson, and the corresponding complete formulas. For more details, see the curve_models submodule of the internal documentation.
Validity Checking
There is no function for checking whether a point is valid. Instead, the EdwardsPoint struct is guaranteed to hold a valid point on the curve.
We use the Rust type system to make invalid points unrepresentable: EdwardsPoint objects can only be created via successful decompression of a compressed point, or else by operations on other (valid) EdwardsPoints.
Modules
vartime 
Variable-time operations on curve points, useful for non-secret data.
Structs
CompressedEdwardsY 
In "Edwards y" / "Ed25519" format, the curve point \((x,y)\) is determined by the \(y\)-coordinate and the sign of \(x\).
EdwardsBasepointTable 
A precomputed table of multiples of a basepoint, for accelerating fixed-base scalar multiplication. One table, for the Ed25519 basepoint, is provided in the
EdwardsPoint 
An 
Functions
multiscalar_mul 
Given an iterator of (possibly secret) scalars and an iterator of (possibly secret) points, compute $$ Q = c_1 P_1 + \cdots + c_n P_n. $$ 