Group operations for Curve25519, in Edwards form.
Encoding is done by converting to and from a
struct, which is a typed wrapper around
EdwardsPoint struct implements the
trait for constant-time equality checking, and the Rust
for variable-time equality checking.
The order of the group of points on the curve \(\mathcal E\) is \(|\mathcal E| = 8\ell \), so its structure is \( \mathcal E = \mathcal E[8] \times \mathcal E[\ell]\). The torsion subgroup \( \mathcal E[8] \) consists of eight points of small order. Technically, all of \(\mathcal E\) is torsion, but we use the word only to refer to the small \(\mathcal E[8]\) part, not the large prime-order \(\mathcal E[\ell]\) part.
To test if a point is in \( \mathcal E[8] \), use
To test if a point is in \( \mathcal E[\ell] \), use
To multiply by the cofactor, use
To avoid dealing with cofactors entirely, consider using Ristretto.
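The subgroup structure described above, worked through on a toy curve as an added example (not code from this crate). The curve \(x^2 + y^2 = 1 + 3x^2y^2\) over \(\mathbb F_{17}\), the value \(\ell = 3\), and all helper names are assumptions of this example, chosen so that the group has \(8 \cdot 3 = 24\) points and can be enumerated exhaustively.

```rust
// Toy Edwards curve x^2 + y^2 = 1 + 3*x^2*y^2 over F_17 (constructed for
// illustration; NOT Curve25519). It has 24 = 8 * 3 points, so l = 3 here.
const P: i64 = 17;
const D: i64 = 3; // non-square mod 17, so the addition law below is complete
const L: u32 = 3; // order of the prime-order subgroup E[l]
type Pt = (i64, i64);
const ID: Pt = (0, 1); // identity element

// Modular inverse via Fermat: a^(P-2) mod P.
fn inv(a: i64) -> i64 {
    (0..P - 2).fold(1, |acc, _| acc * a % P)
}

// Affine Edwards addition; coordinates are kept in 0..P.
fn add(p: Pt, q: Pt) -> Pt {
    let t = D * p.0 * q.0 % P * p.1 % P * q.1 % P;
    let x = (p.0 * q.1 + p.1 * q.0) % P * inv((1 + t) % P) % P;
    let y = (p.1 * q.1 - p.0 * q.0).rem_euclid(P) * inv((1 - t).rem_euclid(P)) % P;
    (x, y)
}

// Naive scalar multiplication (variable time; fine for a public toy curve).
fn mul(k: u32, p: Pt) -> Pt {
    (0..k).fold(ID, |acc, _| add(acc, p))
}

fn clear_cofactor(p: Pt) -> Pt { mul(8, p) } // [8]P always lands in E[l]
fn in_small_subgroup(p: Pt) -> bool { mul(8, p) == ID } // P in E[8]
fn in_prime_subgroup(p: Pt) -> bool { mul(L, p) == ID } // P in E[l]

// Enumerate every affine point satisfying the curve equation.
fn points() -> Vec<Pt> {
    (0..P).flat_map(|x| (0..P).map(move |y| (x, y)))
        .filter(|&(x, y)| (x * x + y * y) % P == (1 + D * x * x % P * y * y) % P)
        .collect()
}

// Returns (|E|, |E[8]|, |E[l]|).
fn census() -> (usize, usize, usize) {
    let all = points();
    let small = all.iter().filter(|&&p| in_small_subgroup(p)).count();
    let prime = all.iter().filter(|&&p| in_prime_subgroup(p)).count();
    (all.len(), small, prime)
}

fn main() {
    println!("(|E|, |E[8]|, |E[l]|) = {:?}", census());
    for p in points().into_iter().filter(|&p| !in_prime_subgroup(p)) {
        println!("{:?} has a torsion component; [8]P = {:?}", p, clear_cofactor(p));
    }
}
```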
Scalars are represented by the
Scalar struct. To construct a scalar with a specific bit
Scalar multiplication on Edwards points is provided by:
* operator between a
EdwardsPoint, which performs constant-time variable-base scalar multiplication;
* operator between a
EdwardsBasepointTable, which performs constant-time fixed-base scalar multiplication;
edwards::multiscalar_mul function, which performs constant-time variable-base multiscalar multiplication;
edwards::vartime::multiscalar_mul function, which performs variable-time variable-base multiscalar multiplication.
The Edwards arithmetic is implemented using the “extended twisted
coordinates” of Hisil, Wong, Carter, and Dawson, and the
corresponding complete formulas. For more details,
of the internal documentation.
There is no function for checking whether a point is valid.
EdwardsPoint struct is guaranteed to hold a valid
point on the curve.
We use the Rust type system to make invalid points
EdwardsPoint objects can only be created via
successful decompression of a compressed point, or else by
operations on other (valid)
Variable-time operations on curve points, useful for non-secret data.
In "Edwards y" / "Ed25519" format, the curve point \((x,y)\) is determined by the \(y\)-coordinate and the sign of \(x\).
A precomputed table of multiples of a basepoint, for accelerating
fixed-base scalar multiplication. One table, for the Ed25519
basepoint, is provided in the
Given an iterator of (possibly secret) scalars and an iterator of (possibly secret) points, compute $$ Q = c_1 P_1 + \cdots + c_n P_n. $$