# Module curve25519_dalek::edwards [−] [src]

Group operations for Curve25519, in Edwards form.

## Encoding and Decoding

Encoding is done by converting to and from a CompressedEdwardsY struct, which is a typed wrapper around [u8; 32].

## Equality Testing

The EdwardsPoint struct implements the subtle::ConstantTimeEq trait for constant-time equality checking, and the Rust Eq trait for variable-time equality checking.

The order of the group of points on the curve $$\mathcal E$$ is $$|\mathcal E| = 8\ell$$, so its structure is $$\mathcal E = \mathcal E[8] \times \mathcal E[\ell]$$. The torsion subgroup $$\mathcal E[8]$$ consists of eight points of small order. Technically, all of $$\mathcal E$$ is torsion, but we use the word only to refer to the small $$\mathcal E[8]$$ part, not the large prime-order $$\mathcal E[\ell]$$ part.

To test if a point is in $$\mathcal E[8]$$, use EdwardsPoint::is_small_order().

To test if a point is in $$\mathcal E[\ell]$$, use EdwardsPoint::is_torsion_free().

To multiply by the cofactor, use EdwardsPoint::mul_by_cofactor().

To avoid dealing with cofactors entirely, consider using Ristretto.

## Scalars

Scalars are represented by the Scalar struct. To construct a scalar with a specific bit pattern, see Scalar::from_bits().

## Scalar Multiplication

Scalar multiplication on Edwards points is provided by:

• the * operator between a Scalar and a EdwardsPoint, which performs constant-time variable-base scalar multiplication;

• the * operator between a Scalar and a EdwardsBasepointTable, which performs constant-time fixed-base scalar multiplication;

• the edwards::multiscalar_mul function, which performs constant-time variable-base multiscalar multiplication;

• the edwards::vartime::multiscalar_mul function, which performs variable-time variable-base multiscalar multiplication.

## Implementation

The Edwards arithmetic is implemented using the “extended twisted coordinates” of Hisil, Wong, Carter, and Dawson, and the corresponding complete formulas. For more details, see the curve_models submodule of the internal documentation.

## Validity Checking

There is no function for checking whether a point is valid. Instead, the EdwardsPoint struct is guaranteed to hold a valid point on the curve.

We use the Rust type system to make invalid points unrepresentable: EdwardsPoint objects can only be created via successful decompression of a compressed point, or else by operations on other (valid) EdwardsPoints.

## Modules

 vartime Variable-time operations on curve points, useful for non-secret data.

## Structs

 CompressedEdwardsY In "Edwards y" / "Ed25519" format, the curve point $$(x,y)$$ is determined by the $$y$$-coordinate and the sign of $$x$$. EdwardsBasepointTable A precomputed table of multiples of a basepoint, for accelerating fixed-base scalar multiplication. One table, for the Ed25519 basepoint, is provided in the constants module. EdwardsPoint An EdwardsPoint represents a point on the Edwards form of Curve25519.

## Functions

 multiscalar_mul Given an iterator of (possibly secret) scalars and an iterator of (possibly secret) points, compute $$Q = c_1 P_1 + \cdots + c_n P_n.$$