Module curve25519_dalek::edwards
Group operations for Curve25519, in Edwards form.
Encoding and Decoding
Encoding is done by converting to and from a CompressedEdwardsY struct, which is a typed wrapper around [u8; 32].
Equality Testing
The EdwardsPoint struct implements the subtle::ConstantTimeEq trait for constant-time equality checking, and the Rust Eq trait for variable-time equality checking.
Cofactor-related functions
The order of the group of points on the curve \(\mathcal E\) is \(|\mathcal E| = 8\ell \), so its structure is \( \mathcal E = \mathcal E[8] \times \mathcal E[\ell]\). The torsion subgroup \( \mathcal E[8] \) consists of eight points of small order. Technically, all of \(\mathcal E\) is torsion, but we use the word only to refer to the small \(\mathcal E[8]\) part, not the large prime-order \(\mathcal E[\ell]\) part.
To test if a point is in \( \mathcal E[8] \), use EdwardsPoint::is_small_order().
To test if a point is in \( \mathcal E[\ell] \), use EdwardsPoint::is_torsion_free().
To multiply by the cofactor, use EdwardsPoint::mul_by_cofactor().
To avoid dealing with cofactors entirely, consider using Ristretto.
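The cofactor structure described above, shown on a toy curve small enough to enumerate. This is an added example, not code from curve25519-dalek: the Edwards curve x^2 + y^2 = 1 + 3x^2y^2 over GF(17) has 24 = 8 * 3 points, so 8 and 3 stand in for the cofactor and \(\ell\). The Point type, the constants and all method bodies are assumptions made for illustration; only the three cofactor method names mirror EdwardsPoint.

```rust
// Toy model, NOT curve25519-dalek code: x^2 + y^2 = 1 + D*x^2*y^2 over GF(17).
// The curve has 24 = 8 * 3 points; H and L stand in for the cofactor 8 and ell.
const P: i64 = 17;
const D: i64 = 3; // non-square mod 17, so the addition law is complete
const H: i64 = 8; // cofactor
const L: i64 = 3; // prime order of the large subgroup

// Fermat inversion a^(P-2) mod P (variable time; acceptable only in a toy).
fn inv(a: i64) -> i64 {
    (0..P - 2).fold(1, |acc, _| acc * a % P)
}

#[derive(Clone, Copy, PartialEq, Debug)]
pub struct Point { x: i64, y: i64 }

impl Point {
    pub const IDENTITY: Point = Point { x: 0, y: 1 };
    // Sole constructor from raw coordinates: off-curve input gives None.
    pub fn new(x: i64, y: i64) -> Option<Point> {
        if !((0..P).contains(&x) && (0..P).contains(&y)) { return None; }
        let (xx, yy) = (x * x % P, y * y % P);
        ((xx + yy) % P == (1 + D * xx % P * yy) % P).then(|| Point { x, y })
    }
    pub fn add(self, o: Point) -> Point {
        let t = D * self.x % P * o.x % P * self.y % P * o.y % P;
        let x = (self.x * o.y + self.y * o.x) % P * inv((1 + t) % P) % P;
        let y = (self.y * o.y + P * P - self.x * o.x) % P * inv((1 + P - t) % P) % P;
        Point { x, y }
    }
    // [k]P by repeated addition.
    pub fn mul(self, k: i64) -> Point {
        (0..k).fold(Point::IDENTITY, |acc, _| acc.add(self))
    }
    pub fn mul_by_cofactor(self) -> Point { self.mul(H) }
    pub fn is_small_order(self) -> bool { self.mul(H) == Point::IDENTITY }
    pub fn is_torsion_free(self) -> bool { self.mul(L) == Point::IDENTITY }
}

// Every point on the toy curve, found by exhaustive search.
pub fn all_points() -> Vec<Point> {
    (0..P).flat_map(|x| (0..P).filter_map(move |y| Point::new(x, y))).collect()
}

fn main() {
    let pts = all_points();
    let small = pts.iter().filter(|p| p.is_small_order()).count();
    let free = pts.iter().filter(|p| p.is_torsion_free()).count();
    println!("{} points, {} small-order, {} torsion-free", pts.len(), small, free);
}
```

Most points fall in neither class: they carry both a small-order and a prime-order component, and multiplying by the cofactor removes the small-order part.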
Scalars
Scalars are represented by the Scalar struct. To construct a scalar with a specific bit pattern, see Scalar::from_bits().
Scalar Multiplication
Scalar multiplication on Edwards points is provided by:

the * operator between a Scalar and an EdwardsPoint, which performs constant-time variable-base scalar multiplication;
the * operator between a Scalar and an EdwardsBasepointTable, which performs constant-time fixed-base scalar multiplication;
an implementation of the MultiscalarMul trait for constant-time variable-base multiscalar multiplication;
an implementation of the VartimeMultiscalarMul trait for variable-time variable-base multiscalar multiplication.
Implementation
The Edwards arithmetic is implemented using the “extended twisted coordinates” of Hisil, Wong, Carter, and Dawson, and the corresponding complete formulas. For more details, see the curve_models submodule of the internal documentation.
Validity Checking
There is no function for checking whether a point is valid. Instead, the EdwardsPoint struct is guaranteed to hold a valid point on the curve.
We use the Rust type system to make invalid points unrepresentable: EdwardsPoint objects can only be created via successful decompression of a compressed point, or else by operations on other (valid) EdwardsPoints.
Structs
In “Edwards y” / “Ed25519” format, the curve point \((x,y)\) is determined by the \(y\)-coordinate and the sign of \(x\).
A precomputed table of multiples of a basepoint, for accelerating fixed-base scalar multiplication. One table, for the Ed25519 basepoint, is provided in the constants module.
An EdwardsPoint represents a point on the Edwards form of Curve25519.
Precomputation for variable-time multiscalar multiplication with EdwardsPoints.