Crate ed448_goldilocks_plus

This crate provides a pure Rust implementation of Curve448, Edwards, Decaf, and Ristretto. It is intended to be portable, fast, and safe.

Usage

use ed448_goldilocks_plus::{EdwardsPoint, CompressedEdwardsY, Scalar, elliptic_curve::hash2curve::ExpandMsgXof, sha3::Shake256};
use rand_core::OsRng;

let secret_key = Scalar::TWO;
let public_key = EdwardsPoint::GENERATOR * &secret_key;

assert_eq!(public_key, EdwardsPoint::GENERATOR + EdwardsPoint::GENERATOR);

let secret_key = Scalar::random(&mut OsRng);
let public_key = EdwardsPoint::GENERATOR * &secret_key;
let compressed_public_key = public_key.compress();

assert_eq!(compressed_public_key.to_bytes().len(), 57);

let hashed_scalar = Scalar::hash::<ExpandMsgXof<Shake256>>(b"test", b"edwards448_XOF:SHAKE256_ELL2_RO_");
let input = hex_literal::hex!("c8c6c8f584e0c25efdb6af5ad234583c56dedd7c33e0c893468e96740fa0cf7f1a560667da40b7bde340a39252e89262fcf707d1180fd43400");
let expected_scalar = Scalar::from_canonical_bytes(&input.into()).unwrap();
assert_eq!(hashed_scalar, expected_scalar);

let hashed_point = EdwardsPoint::hash::<ExpandMsgXof<Shake256>>(b"test", b"edwards448_XOF:SHAKE256_ELL2_RO_");
let expected = hex_literal::hex!("d15c4427b5c5611a53593c2be611fd3635b90272d331c7e6721ad3735e95dd8b9821f8e4e27501ce01aa3c913114052dce2e91e8ca050f4980");
let expected_point = CompressedEdwardsY(expected).decompress().unwrap();
assert_eq!(hashed_point, expected_point);

let hashed_point = EdwardsPoint::hash_with_defaults(b"test");
assert_eq!(hashed_point, expected_point);

EdwardsPoint implements the [elliptic_curve::Group] and [elliptic_curve::group::GroupEncoding] and Scalar implements [elliptic_curve::Field] and [elliptic_curve::PrimeField] traits.

Re-exports

• pub use elliptic_curve;
• pub use rand_core;
• pub use sha3;
• pub use subtle;

Structs

• AffinePoint
• CompressedDecaf
  A compressed decaf point
• CompressedEdwardsY
  Represents a point on the Compressed Twisted Edwards Curve in little endian format where the most significant bit is the sign bit and the remaining 448 bits represent the y-coordinate
• CompressedRistretto
• DecafPoint
• EdwardsPoint
  Represent points on the (untwisted) edwards curve using Extended Homogenous Projective Co-ordinates (x, y) -> (X/Z, Y/Z, Z, T) a = 1, d = -39081 XXX: Make this more descriptive Should this be renamed to EdwardsPoint so that we are consistent with Dalek crypto? Necessary as ExtendedPoint is not regular lingo?
• MontgomeryPoint
• ProjectiveMontgomeryPoint
• RistrettoPoint
• Scalar
  This is the scalar field size = 4q = 2^446 - 0x8335dc163bb124b65129c96fde933d8d723a70aadc873d6d54a7bb0d We can therefore use 14 saturated 32-bit limbs

Type Aliases

• ScalarBytes
  The number of bytes needed to represent the scalar field
• WideScalarBytes
  The number of bytes needed to represent the safely create a scalar from a random bytes