Filippo Valsorda
6b0cdf071a
internal/radix51: define a mask64Bits constant
2019-01-28 10:53:34 -05:00
Filippo Valsorda
032d7f64e8
internal/group: set Z to 1, not 0 in FromAffine
2019-01-28 10:53:34 -05:00
Filippo Valsorda
6781d1fcec
internal/group: fix typo
2019-01-28 10:53:34 -05:00
Filippo Valsorda
b9aebb71e8
internal/group: derive twoD from D
2019-01-28 10:53:34 -05:00
George Tankersley
968377f9c5
ed25519: fix ScalarMult and improve test to catch the bug (#1)
2019-01-28 10:53:34 -05:00
Filippo Valsorda
982236110c
internal/radix51: add MinusOne
2019-01-28 10:53:34 -05:00
Filippo Valsorda
380ecb67b1
internal/group: make conversion APIs caller-allocated
2019-01-28 10:53:34 -05:00
Filippo Valsorda
79589420d8
internal/group: rewrite DoubleZ1 because stack is cheaper than mental state
2019-01-28 10:53:34 -05:00
Filippo Valsorda
2925e841f7
internal: make all APIs chainable
2019-01-28 10:53:34 -05:00
Filippo Valsorda
6c2fda803c
internal/radix51: make all APIs not consider the receiver an input
2019-01-28 10:53:34 -05:00
Filippo Valsorda
930ef44224
all: refactor field API to be methods based
2019-01-28 10:53:34 -05:00
Filippo Valsorda
b0a75c0ab7
Import gtank/ed25519#8 and refactor on top of it
2019-01-26 22:20:45 -05:00
Filippo Valsorda
a3540ec35a
Implement FromUniformBytes
2019-01-21 23:39:45 -05:00
Filippo Valsorda
dcc5867ec2
Update gtank/ed25519 code to fe6e0954e0
...
Our Ristretto-agnostic field operations are now upstreamed, so we can
drop the internal package.
2019-01-21 18:13:23 -05:00
Filippo Valsorda
fe6e0954e0
internal/radix51: add constant time field operations
2019-01-21 17:58:03 -05:00
Filippo Valsorda
7ec609da40
internal/radix51: remove FeEqual
...
It does not normalize the representative before comparing them so it
will have false negatives.
2019-01-21 17:58:03 -05:00
Filippo Valsorda
0e8b4dbb24
internal/radix51: remove FeCSwap
...
It's unused and it does not do what it says in the docs.
2019-01-21 17:58:03 -05:00
Filippo Valsorda
7522470fbc
Replace x/crypto/ed25519 code with github.com/gtank/ed25519
...
Code pulled from commit 0a030f62c0 with FeEqual and FeCSwap removed.
2019-01-21 17:43:47 -05:00
George Tankersley
2156d823cd
implement SQRT_RATIO_M1
2019-01-20 17:59:28 -05:00
Filippo Valsorda
6140fa2e7b
Refactor const.go
2019-01-20 17:36:31 -05:00
Filippo Valsorda
8264e09462
First ristretto255 function: EQUALS
2019-01-20 17:32:31 -05:00
Filippo Valsorda
268ae6be59
Selectively expose types and functions from the inner x/crypto implementation
2019-01-20 17:32:31 -05:00
George Tankersley
e93531adad
internal: initialize Ristretto constants
2019-01-20 16:53:02 -05:00
Filippo Valsorda
f963b4ec88
Add constant time field operations
2019-01-20 16:52:53 -05:00
Filippo Valsorda
f1ea30515a
Add FeEqual and feFromBig
2019-01-20 16:33:45 -05:00
George Tankersley
3db329037d
initial import from x/crypto ff983b9c42bc9fbf91556e191cc8efb585c16908
2019-01-20 15:44:03 -05:00
George Tankersley
0a030f62c0
make things more generally presentable
2017-07-25 16:24:16 -07:00
George Tankersley
08a76875a4
Cache the field representation of d
2017-07-25 16:23:20 -07:00
George Tankersley
ad98326f8c
Remove 32-bit code and update license.
...
The assembly is faster on target amd64 platforms.
2017-07-25 16:23:20 -07:00
George Tankersley
86c2863f5b
Add short randomized segment to TestScalarMult
2017-07-25 16:23:20 -07:00
George Tankersley
f8bd1037cf
Use Bits() for FeToBig.
...
This doesn't help quite as much as it does with FeFromBig, because
FeToBig runtime is dominated by the reduction step. Still helps though.
2017-07-25 16:23:19 -07:00
George Tankersley
0ba575b405
Implement ScalarMult using Montgomery pattern and dedicated
...
extended-coordinates doubling. This will be slow.
2017-07-25 16:23:19 -07:00
George Tankersley
ce27eaf07c
Explain Z1=1 again
2017-07-25 16:23:19 -07:00
George Tankersley
c9f6a1c183
use faster FeFromBig & a horrible assortment of other random changes
2017-07-25 16:23:19 -07:00
George Tankersley
4d11c7b5a6
group logic WIP
2017-07-25 16:23:19 -07:00
George Tankersley
7ae6271616
add equality for field elements
2017-07-25 16:23:19 -07:00
George Tankersley
ca2029ab22
Add radix51 FieldElement implementation
...
This contains both a pure Go and an amd64 assembly implementation of
operations over GF(2^255-19) using radix 2^51. This results in notable
speedups when using the assembly, but doesn't help much in pure Go -
most of the possible gains are lost to the lack of widening multiply for
64 bit integers.
2017-07-25 16:23:19 -07:00
George Tankersley
54cdb2aef0
Add documentation
2017-07-25 16:23:19 -07:00
George Tankersley
259e08bc29
Use mdbl-2008-bbjlp directly
...
Since we are always converting from affine, we know that Z1=1. This
formula is slightly faster and avoids converting through
CompletedGroupElement unnecessarily.
Assumptions: Z1=1.
Cost: 2M + 4S + 1*a + 7add + 1*2.
Source: 2008 Bernstein-Birkner-Joye-Lange-Peters,
https://eprint.iacr.org/2008/013,
plus Z1=1, plus standard simplification.
Explicit formulas:
B = (X1+Y1)^2
C = X1^2
D = Y1^2
E = a*C
F = E+D
X3 = (B-C-D)*(F-2)
Y3 = F*(E-D)
Z3 = F^2-2*F
https://hyperelliptic.org/EFD/g1p/auto-twisted-projective.html#doubling-mdbl-2008-bbjlp
2017-07-25 16:23:19 -07:00
George Tankersley
26b25b0ac0
Add LICENSE
2017-07-25 16:23:19 -07:00
George Tankersley
19d7f4d83d
Implement an elliptic.Curve for ed25519
2017-07-25 16:23:19 -07:00