CurveParams contains the parameters of an elliptic curve and also provides
a generic, non-constant time implementation of Curve.
// the constant of the curve equation
// the size of the underlying field
// (x,y) of the base point
// (x,y) of the base point
// the order of the base point
// the canonical name of the curve
// the order of the underlying field
(*T) Add(x1, y1, x2, y2 *big.Int) (*big.Int, *big.Int)(*T) Double(x1, y1 *big.Int) (*big.Int, *big.Int)(*T) IsOnCurve(x, y *big.Int) bool(*T) Params() *CurveParams(*T) ScalarBaseMult(k []byte) (*big.Int, *big.Int)(*T) ScalarMult(Bx, By *big.Int, k []byte) (*big.Int, *big.Int)
addJacobian takes two points in Jacobian coordinates, (x1, y1, z1) and
(x2, y2, z2) and returns their sum, also in Jacobian form.
affineFromJacobian reverses the Jacobian transform. See the comment at the
top of the file. If the point is ∞ it returns 0, 0.
doubleJacobian takes a point in Jacobian coordinates, (x, y, z), and
returns its double, also in Jacobian form.
polynomial returns x³ - 3x + b.
*T : Curve
func Curve.Params() *CurveParams
func (*CurveParams).Params() *CurveParams
var p384 *CurveParams
var p521 *CurveParams
CurveParams*CurveParams
// the constant of the curve equation
// the size of the underlying field
// (x,y) of the base point
// (x,y) of the base point
// the order of the base point
// the canonical name of the curve
// the order of the underlying field
bp224FieldElementgxp224FieldElementgyp224FieldElement( T) Add(bigX1, bigY1, bigX2, bigY2 *big.Int) (x, y *big.Int)( T) Double(bigX1, bigY1 *big.Int) (x, y *big.Int)( T) IsOnCurve(bigX, bigY *big.Int) bool( T) Params() *CurveParams( T) ScalarBaseMult(scalar []byte) (x, y *big.Int)( T) ScalarMult(bigX1, bigY1 *big.Int, scalar []byte) (x, y *big.Int)
addJacobian takes two points in Jacobian coordinates, (x1, y1, z1) and
(x2, y2, z2) and returns their sum, also in Jacobian form.
affineFromJacobian reverses the Jacobian transform. See the comment at the
top of the file. If the point is ∞ it returns 0, 0.
doubleJacobian takes a point in Jacobian coordinates, (x, y, z), and
returns its double, also in Jacobian form.
polynomial returns x³ - 3x + b.
T : Curve
var p224
Field element functions.
The field that we're dealing with is ℤ/pℤ where p = 2**224 - 2**96 + 1.
Field elements are represented by a FieldElement, which is a typedef to an
array of 8 uint32's. The value of a FieldElement, a, is:
a[0] + 2**28·a[1] + 2**56·a[1] + ... + 2**196·a[7]
Using 28-bit limbs means that there's only 4 bits of headroom, which is less
than we would really like. But it has the useful feature that we hit 2**224
exactly, making the reflections during a reduce much nicer.
func p224Add(out, a, b *p224FieldElement)
func p224AddJacobian(x3, y3, z3, x1, y1, z1, x2, y2, z2 *p224FieldElement)
func p224Contract(out, in *p224FieldElement)
func p224CopyConditional(out, in *p224FieldElement, control uint32)
func p224DoubleJacobian(x3, y3, z3, x1, y1, z1 *p224FieldElement)
func p224FromBig(out *p224FieldElement, in *big.Int)
func p224Invert(out, in *p224FieldElement)
func p224IsZero(a *p224FieldElement) uint32
func p224Mul(out, a, b *p224FieldElement, tmp *p224LargeFieldElement)
func p224Reduce(a *p224FieldElement)
func p224ReduceLarge(out *p224FieldElement, in *p224LargeFieldElement)
func p224ScalarMult(outX, outY, outZ, inX, inY, inZ *p224FieldElement, scalar []byte)
func p224Square(out, a *p224FieldElement, tmp *p224LargeFieldElement)
func p224Sub(out, a, b *p224FieldElement)
func p224ToAffine(x, y, z *p224FieldElement) (*big.Int, *big.Int)
func p224ToBig(in *p224FieldElement) *big.Int
LargeFieldElement also represents an element of the field. The limbs are
still spaced 28-bits apart and in little-endian order. So the limbs are at
0, 28, 56, ..., 392 bits, each 64-bits wide.
func p224Mul(out, a, b *p224FieldElement, tmp *p224LargeFieldElement)
func p224ReduceLarge(out *p224FieldElement, in *p224LargeFieldElement)
func p224Square(out, a *p224FieldElement, tmp *p224LargeFieldElement)
CurveParams*CurveParams
// the constant of the curve equation
// the size of the underlying field
// (x,y) of the base point
// (x,y) of the base point
// the order of the base point
// the canonical name of the curve
// the order of the underlying field
( T) Add(x1, y1, x2, y2 *big.Int) (*big.Int, *big.Int)( T) CombinedMult(bigX, bigY *big.Int, baseScalar, scalar []byte) (x, y *big.Int)( T) Double(x1, y1 *big.Int) (*big.Int, *big.Int)( T) Inverse(k *big.Int) *big.Int( T) IsOnCurve(x, y *big.Int) bool( T) Params() *CurveParams( T) ScalarBaseMult(scalar []byte) (x, y *big.Int)( T) ScalarMult(bigX, bigY *big.Int, scalar []byte) (x, y *big.Int)
addJacobian takes two points in Jacobian coordinates, (x1, y1, z1) and
(x2, y2, z2) and returns their sum, also in Jacobian form.
affineFromJacobian reverses the Jacobian transform. See the comment at the
top of the file. If the point is ∞ it returns 0, 0.
doubleJacobian takes a point in Jacobian coordinates, (x, y, z), and
returns its double, also in Jacobian form.
polynomial returns x³ - 3x + b.
T : Curve
T : crypto/ecdsa.combinedMult
T : crypto/ecdsa.invertible
var p256
Package-Level Functions (total 55, in which 9 are exported)
GenerateKey returns a public/private key pair. The private key is
generated using the given reader, which must return random data.
Marshal converts a point on the curve into the uncompressed form specified in
section 4.3.6 of ANSI X9.62.
MarshalCompressed converts a point on the curve into the compressed form
specified in section 4.3.6 of ANSI X9.62.
P224 returns a Curve which implements P-224 (see FIPS 186-3, section D.2.2).
The cryptographic operations are implemented using constant-time algorithms.
P256 returns a Curve which implements NIST P-256 (FIPS 186-3, section D.2.3),
also known as secp256r1 or prime256v1. The CurveParams.Name of this Curve is
"P-256".
Multiple invocations of this function will return the same value, so it can
be used for equality checks and switch statements.
The cryptographic operations are implemented using constant-time algorithms.
P384 returns a Curve which implements NIST P-384 (FIPS 186-3, section D.2.4),
also known as secp384r1. The CurveParams.Name of this Curve is "P-384".
Multiple invocations of this function will return the same value, so it can
be used for equality checks and switch statements.
The cryptographic operations do not use constant-time algorithms.
P521 returns a Curve which implements NIST P-521 (FIPS 186-3, section D.2.5),
also known as secp521r1. The CurveParams.Name of this Curve is "P-521".
Multiple invocations of this function will return the same value, so it can
be used for equality checks and switch statements.
The cryptographic operations do not use constant-time algorithms.
Unmarshal converts a point, serialized by Marshal, into an x, y pair.
It is an error if the point is not in uncompressed form or is not on the curve.
On error, x = nil.
UnmarshalCompressed converts a point, serialized by MarshalCompressed, into an x, y pair.
It is an error if the point is not in compressed form or is not on the curve.
On error, x = nil.
p224ToAffine converts from Jacobian to affine form.
p224ToBig returns in as a big.Int.
Endianness swap
Montgomery multiplication by 1
p256GetScalar endian-swaps the big-endian scalar value from in and writes it
to out. If the scalar is equal or greater than the order of the group, it's
reduced modulo that order.
Functions implemented in p256_asm_*64.s
Montgomery multiplication modulo P256
iff cond == 1 val <- -val
Montgomery multiplication modulo Ord(G)
Montgomery square modulo Ord(G), repeated n times
Point add with in2 being affine point
If sign == 1 -> in2 = -in2
If sel == 0 -> res = in1
if zero == 0 -> res = in2
Point add. Returns one if the two input points were equal and zero
otherwise. (Note that, due to the way that the equations work out, some
representations of ∞ are considered equal to everything by this function.)
Montgomery square modulo P256, repeated n times (n >= 1)
scalarIsZero returns 1 if scalar represents the zero value, and zero
otherwise.
uint64IsZero returns 1 if x is zero and zero otherwise.
zForAffine returns a Jacobian Z value for the affine point (x, y). If x and
y are zero, it assumes that they represent the point at infinity because (0,
0) is not on the any of the curves handled here.
Package-Level Variables (total 12, none are exported)
p224P is the order of the field, represented as a p224FieldElement.
p224ZeroModP31 is 0 mod p where bit 31 is set in all limbs so that we can
subtract smaller amounts without underflow. See the section "Subtraction" in
[1] for reasoning.
p224ZeroModP63 is 0 mod p where bit 63 is set in all limbs. See the section
"Subtraction" in [1] for why.
p256Mul operates in a Montgomery domain with R = 2^256 mod p, where p is the
underlying field of the curve. (See initP256 for the value.) Thus rr here is
R×R mod p. See comment in Inverse about how this is used.
Package-Level Constants (total 8, none are exported)
The pages are generated with Goldsv0.4.2. (GOOS=darwin GOARCH=amd64)
Golds is a Go 101 project developed by Tapir Liu.
PR and bug reports are welcome and can be submitted to the issue list.
Please follow @Go100and1 (reachable from the left QR code) to get the latest news of Golds.
