# [−][src]Module curve25519_dalek::edwards

Group operations for Curve25519, in Edwards form.

## Encoding and Decoding

Encoding is done by converting to and from a CompressedEdwardsY struct, which is a typed wrapper around [u8; 32].

## Equality Testing

The EdwardsPoint struct implements the subtle::ConstantTimeEq trait for constant-time equality checking, and the Rust Eq trait for variable-time equality checking.

The order of the group of points on the curve $$\mathcal E$$ is $$|\mathcal E| = 8\ell$$, so its structure is $$\mathcal E = \mathcal E \times \mathcal E[\ell]$$. The torsion subgroup $$\mathcal E$$ consists of eight points of small order. Technically, all of $$\mathcal E$$ is torsion, but we use the word only to refer to the small $$\mathcal E$$ part, not the large prime-order $$\mathcal E[\ell]$$ part.

To test if a point is in $$\mathcal E$$, use EdwardsPoint::is_small_order().

To test if a point is in $$\mathcal E[\ell]$$, use EdwardsPoint::is_torsion_free().

To multiply by the cofactor, use EdwardsPoint::mul_by_cofactor().

To avoid dealing with cofactors entirely, consider using Ristretto.

## Scalars

Scalars are represented by the Scalar struct. To construct a scalar with a specific bit pattern, see Scalar::from_bits().

## Scalar Multiplication

Scalar multiplication on Edwards points is provided by:

• the * operator between a Scalar and a EdwardsPoint, which performs constant-time variable-base scalar multiplication;

• the * operator between a Scalar and a EdwardsBasepointTable, which performs constant-time fixed-base scalar multiplication;

• an implementation of the MultiscalarMul trait for constant-time variable-base multiscalar multiplication;

• an implementation of the VartimeMultiscalarMul trait for variable-time variable-base multiscalar multiplication;

## Implementation

The Edwards arithmetic is implemented using the “extended twisted coordinates” of Hisil, Wong, Carter, and Dawson, and the corresponding complete formulas. For more details, see the curve_models submodule of the internal documentation.

## Validity Checking

There is no function for checking whether a point is valid. Instead, the EdwardsPoint struct is guaranteed to hold a valid point on the curve.

We use the Rust type system to make invalid points unrepresentable: EdwardsPoint objects can only be created via successful decompression of a compressed point, or else by operations on other (valid) EdwardsPoints.

## Structs

 CompressedEdwardsY In "Edwards y" / "Ed25519" format, the curve point $$(x,y)$$ is determined by the $$y$$-coordinate and the sign of $$x$$. EdwardsBasepointTable A precomputed table of multiples of a basepoint, for accelerating fixed-base scalar multiplication. One table, for the Ed25519 basepoint, is provided in the constants module. EdwardsPoint An EdwardsPoint represents a point on the Edwards form of Curve25519. VartimeEdwardsPrecomputation Precomputation for variable-time multiscalar multiplication with EdwardsPoints.