Module curve25519_dalek::edwards

Group operations for Curve25519, in Edwards form.

Encoding and Decoding

Encoding is done by converting to and from a CompressedEdwardsY struct, which is a typed wrapper around [u8; 32].

Equality Testing

The EdwardsPoint struct implements the subtle::ConstantTimeEq trait for constant-time equality checking, and the Rust Eq trait for variable-time equality checking.

Cofactor-related functions

The order of the group of points on the curve \(\mathcal E\) is \(|\mathcal E| = 8\ell \), so its structure is \( \mathcal E = \mathcal E[8] \times \mathcal E[\ell]\). The torsion subgroup \( \mathcal E[8] \) consists of eight points of small order. Technically, all of \(\mathcal E\) is torsion, but we use the word only to refer to the small \(\mathcal E[8]\) part, not the large prime-order \(\mathcal E[\ell]\) part.

To test if a point is in \( \mathcal E[8] \), use EdwardsPoint::is_small_order.

To test if a point is in \( \mathcal E[\ell] \), use EdwardsPoint::is_torsion_free.

To multiply by the cofactor, use EdwardsPoint::mul_by_cofactor.

To avoid dealing with cofactors entirely, consider using Ristretto.

Scalars

Scalars are represented by the Scalar struct. To construct a scalar with a specific bit pattern, see Scalar::from_bits.

Scalar Multiplication

Scalar multiplication on Edwards points is provided by:

• the * operator between a Scalar and a EdwardsPoint, which performs constant-time variable-base scalar multiplication;

• the * operator between a Scalar and a EdwardsBasepointTable, which performs constant-time fixed-base scalar multiplication;

• an implementation of the MultiscalarMul trait for constant-time variable-base multiscalar multiplication;

• an implementation of the VartimeMultiscalarMul trait for variable-time variable-base multiscalar multiplication;

Implementation

The Edwards arithmetic is implemented using the “extended twisted coordinates” of Hisil, Wong, Carter, and Dawson, and the corresponding complete formulas. For more details, see the curve_models submodule of the internal documentation.

Validity Checking

There is no function for checking whether a point is valid. Instead, the EdwardsPoint struct is guaranteed to hold a valid point on the curve.

We use the Rust type system to make invalid points unrepresentable: EdwardsPoint objects can only be created via successful decompression of a compressed point, or else by operations on other (valid) EdwardsPoints.

Structs

• CompressedEdwardsY
  In “Edwards y” / “Ed25519” format, the curve point \((x,y)\) is determined by the \(y\)-coordinate and the sign of \(x\).
• EdwardsBasepointTable
  A precomputed table of multiples of a basepoint, for accelerating fixed-base scalar multiplication. One table, for the Ed25519 basepoint, is provided in the constants module.
• EdwardsBasepointTableRadix32
  A precomputed table of multiples of a basepoint, for accelerating fixed-base scalar multiplication. One table, for the Ed25519 basepoint, is provided in the constants module.
• EdwardsBasepointTableRadix64
  A precomputed table of multiples of a basepoint, for accelerating fixed-base scalar multiplication. One table, for the Ed25519 basepoint, is provided in the constants module.
• EdwardsBasepointTableRadix128
  A precomputed table of multiples of a basepoint, for accelerating fixed-base scalar multiplication. One table, for the Ed25519 basepoint, is provided in the constants module.
• EdwardsBasepointTableRadix256
  A precomputed table of multiples of a basepoint, for accelerating fixed-base scalar multiplication. One table, for the Ed25519 basepoint, is provided in the constants module.
• EdwardsPoint
  An EdwardsPoint represents a point on the Edwards form of Curve25519.
• VartimeEdwardsPrecomputation
  Precomputation for variable-time multiscalar multiplication with EdwardsPoints.

Type Definitions

• EdwardsBasepointTableRadix16
  A type-alias for EdwardsBasepointTable because the latter is used as a constructor in the constants module.