Module curve25519_dalek::edwards [] [src]

Group operations for Curve25519, in Edwards form.

Encoding and Decoding

Encoding is done by converting to and from a CompressedEdwardsY struct, which is a typed wrapper around [u8; 32].

Equality Testing

The EdwardsPoint struct implements the subtle::ConstantTimeEq trait for constant-time equality checking, and the Rust Eq trait for variable-time equality checking.

The order of the group of points on the curve \(\mathcal E\) is \(|\mathcal E| = 8\ell \), so its structure is \( \mathcal E = \mathcal E[8] \times \mathcal E[\ell]\). The torsion subgroup \( \mathcal E[8] \) consists of eight points of small order. Technically, all of \(\mathcal E\) is torsion, but we use the word only to refer to the small \(\mathcal E[8]\) part, not the large prime-order \(\mathcal E[\ell]\) part.

To test if a point is in \( \mathcal E[8] \), use EdwardsPoint::is_small_order().

To test if a point is in \( \mathcal E[\ell] \), use EdwardsPoint::is_torsion_free().

To multiply by the cofactor, use EdwardsPoint::mul_by_cofactor().

To avoid dealing with cofactors entirely, consider using Ristretto.

Scalars

Scalars are represented by the Scalar struct. To construct a scalar with a specific bit pattern, see Scalar::from_bits().

Scalar Multiplication

Scalar multiplication on Edwards points is provided by:

Implementation

The Edwards arithmetic is implemented using the “extended twisted coordinates” of Hisil, Wong, Carter, and Dawson, and the corresponding complete formulas. For more details, see the curve_models submodule of the internal documentation.

Validity Checking

There is no function for checking whether a point is valid. Instead, the EdwardsPoint struct is guaranteed to hold a valid point on the curve.

We use the Rust type system to make invalid points unrepresentable: EdwardsPoint objects can only be created via successful decompression of a compressed point, or else by operations on other (valid) EdwardsPoints.

Modules

vartime

Variable-time operations on curve points, useful for non-secret data.

Structs

CompressedEdwardsY

In "Edwards y" / "Ed25519" format, the curve point \((x,y)\) is determined by the \(y\)-coordinate and the sign of \(x\).

EdwardsBasepointTable

A precomputed table of multiples of a basepoint, for accelerating fixed-base scalar multiplication. One table, for the Ed25519 basepoint, is provided in the constants module.

EdwardsPoint

An EdwardsPoint represents a point on the Edwards form of Curve25519.

Functions

multiscalar_mul

Given an iterator of (possibly secret) scalars and an iterator of (possibly secret) points, compute $$ Q = c_1 P_1 + \cdots + c_n P_n. $$