Struct Level1 

pub struct Level1;

NIST Security Level I (128-bit post-quantum security).

Prime: p = 5 * 2^248 - 1, encoded in 32 bytes.

Trait Implementations

impl Clone for Level1

fn clone(&self) -> Level1

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for Level1

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Default for Level1

fn default() -> Level1

Returns the “default value” for a type.

impl FpBackend for Level1

fn set_zero(out: &mut Array<u64, Self::FpLimbs>)

out <- 0.

fn set_one(out: &mut Array<u64, Self::FpLimbs>)

out <- 1 in Montgomery form.

fn set_small(out: &mut Array<u64, Self::FpLimbs>, val: u64)

out <- val in Montgomery form, treating val as an unsigned integer that fits in the field.

fn is_equal( a: &Array<u64, Self::FpLimbs>, b: &Array<u64, Self::FpLimbs>, ) -> Choice

Constant-time equality test. Returns Choice(1) if a == b (after full reduction), Choice(0) otherwise.

fn is_zero(a: &Array<u64, Self::FpLimbs>) -> Choice

Constant-time zero test. Returns Choice(1) if a == 0 (after full reduction), Choice(0) otherwise.

fn copy(out: &mut Array<u64, Self::FpLimbs>, a: &Array<u64, Self::FpLimbs>)

out <- a (copy).

fn add( out: &mut Array<u64, Self::FpLimbs>, a: &Array<u64, Self::FpLimbs>, b: &Array<u64, Self::FpLimbs>, )

out <- a + b mod 2p.

fn sub( out: &mut Array<u64, Self::FpLimbs>, a: &Array<u64, Self::FpLimbs>, b: &Array<u64, Self::FpLimbs>, )

out <- a - b mod 2p.

fn neg(out: &mut Array<u64, Self::FpLimbs>, a: &Array<u64, Self::FpLimbs>)

out <- -a mod 2p.

fn mul( out: &mut Array<u64, Self::FpLimbs>, a: &Array<u64, Self::FpLimbs>, b: &Array<u64, Self::FpLimbs>, )

Montgomery multiplication: out ← a · b · R⁻¹ mod 2p.

fn sqr(out: &mut Array<u64, Self::FpLimbs>, a: &Array<u64, Self::FpLimbs>)

Specialized Montgomery squaring: out ← a² · R⁻¹ mod 2p.

fn inv(out: &mut Array<u64, Self::FpLimbs>, a: &Array<u64, Self::FpLimbs>)

out <- 1 / a mod p. If a == 0 the output is 0 (no panic).

fn sqrt(out: &mut Array<u64, Self::FpLimbs>, a: &Array<u64, Self::FpLimbs>)

out <- sqrt(a) mod p. The caller is responsible for ensuring a is a quadratic residue; on non-QR inputs the output is well-defined but is not a square root of a. The result is determined only up to sign.

fn is_square(a: &Array<u64, Self::FpLimbs>) -> Choice

Returns Choice(1) if a is a quadratic residue (or zero) in Fp, Choice(0) otherwise.

fn half(out: &mut Array<u64, Self::FpLimbs>, a: &Array<u64, Self::FpLimbs>)

out <- a / 2 mod p.

fn div3(out: &mut Array<u64, Self::FpLimbs>, a: &Array<u64, Self::FpLimbs>)

out <- a / 3 mod p.

fn exp3div4(out: &mut Array<u64, Self::FpLimbs>, a: &Array<u64, Self::FpLimbs>)

Square root progenitor: out <- a^((p-3)/4) mod p. Combined with one extra multiplication this yields sqrt(a) when p = 3 mod 4.

fn mul_small( out: &mut Array<u64, Self::FpLimbs>, a: &Array<u64, Self::FpLimbs>, val: u32, )

out <- a * val mod 2p for a small (32-bit) integer multiplier.

fn encode(out: &mut [u8], a: &Array<u64, Self::FpLimbs>)

Serialize a to its canonical little-endian byte form. Writes exactly Self::FpEncodedBytes::USIZE bytes.

fn decode(out: &mut Array<u64, Self::FpLimbs>, bytes: &[u8]) -> Choice

Deserialize an Fp element from Self::FpEncodedBytes::USIZE canonical little-endian bytes. Returns Choice(1) if the input represented an integer in [0, p), Choice(0) otherwise. On out-of-range input the output is zeroed.

fn decode_reduce(out: &mut Array<u64, Self::FpLimbs>, bytes: &[u8])

Decode a possibly-longer little-endian byte string with full modular reduction. Used to map a hash output uniformly into Fp.

fn cswap( a: &mut Array<u64, Self::FpLimbs>, b: &mut Array<u64, Self::FpLimbs>, ctl: Choice, )

Constant-time conditional swap: if ctl is set, swap a and b; otherwise leave them unchanged.

fn select( out: &mut Array<u64, Self::FpLimbs>, a0: &Array<u64, Self::FpLimbs>, a1: &Array<u64, Self::FpLimbs>, ctl: Choice, )

Constant-time conditional select: if ctl is clear, set out <- a0; if ctl is set, set out <- a1.

impl LevelPrecomp for Level1

fn basis_e0_px_bytes() -> &'static [u8]

Canonical 𝔽p²-encoded bytes for the x-coordinate of the first generator of the 2ᶠ-torsion basis on E0.

fn basis_e0_qx_bytes() -> &'static [u8]

Canonical 𝔽p²-encoded bytes for the x-coordinate of the second generator of the 2ᶠ-torsion basis on E0.

fn p_cofactor_for_2f() -> &'static [u64]

The odd cofactor (p+1) / 2ᶠ as 64-bit limbs (little-endian).

fn p_cofactor_for_2f_bitlength() -> u32

Bit-length of the odd cofactor.

fn torsion_even_power() -> u32

Exponent f such that the torsion subgroup is ℤ/2ᶠ × ℤ/2ᶠ.

fn splitting_transforms() -> &'static [[[u8; 4]; 4]; 10]

10 precomputed 4×4 basis change matrices for splitting transforms.

fn normalization_transforms() -> &'static [[[u8; 4]; 4]; 6]

6 precomputed 4×4 normalization matrices for splitting.

fn chi_eval() -> &'static [[i32; 4]; 4]

Character evaluation table for splitting.

fn even_index() -> &'static [[i32; 2]; 10]

Pairs of indices for the 10 possible zero-positions in splitting.

impl SecurityLevel for Level1

const LAMBDA: u32 = 128

128-bit post-quantum security.

const F_CHR: u32 = 248

p + 1 = 5 × 2^248, so the full 2^248-torsion is available.

const E_RSP: u32 = 126

Response isogeny has degree 2^126.

const E_CHL: u32 = 128

Challenge scalar is 128 bits (matching LAMBDA).

const HASH_ITERATIONS: u32 = 64

Up to 64 SHAKE256 squeeze attempts to find a valid challenge.

const NWORDS_ORDER: usize = 4

4 limbs × 64 = 256-bit scalar width.

const TORSION_EVEN_POWER: u32 = 248

v_2(p + 1) = 248.

const P_COFACTOR_FOR_2F_BITLENGTH: usize = 3

(p + 1) / 2^248 = 5, which is 3 bits.

const SQISIGN_RESPONSE_LENGTH: u32 = 126

Response isogeny length = 126 bits (same as E_RSP).

type FpLimbs = UInt<UInt<UInt<UTerm, B1>, B0>, B1>

5 limbs × 51-bit radix = 255 bits of storage for the 251-bit prime.

type MpLimbs = UInt<UInt<UInt<UTerm, B1>, B0>, B0>

4 limbs × 64 bits = 256-bit scalars for order arithmetic.

type FpEncodedBytes = UInt<UInt<UInt<UInt<UInt<UInt<UTerm, B1>, B0>, B0>, B0>, B0>, B0>

p fits in 32 bytes (251 bits).

type Fp2EncodedBytes = UInt<UInt<UInt<UInt<UInt<UInt<UInt<UTerm, B1>, B0>, B0>, B0>, B0>, B0>, B0>

Two Fp elements = 64 bytes.

type PkLen = UInt<UInt<UInt<UInt<UInt<UInt<UInt<UTerm, B1>, B0>, B0>, B0>, B0>, B0>, B1>

Public key: 1-byte header + 2 × 32 bytes for the Fp2 j-invariant.

type SigLen = UInt<UInt<UInt<UInt<UInt<UInt<UInt<UInt<UTerm, B1>, B0>, B0>, B1>, B0>, B1>, B0>, B0>

Standard signature (148 bytes).

type ExpandedSigLen = UInt<UInt<UInt<UInt<UInt<UInt<UInt<UInt<UTerm, B1>, B1>, B0>, B1>, B0>, B1>, B0>, B0>

Expanded signature (212 bytes).

type CompressedSigLen = UInt<UInt<UInt<UInt<UInt<UInt<UInt<UInt<UTerm, B1>, B0>, B0>, B0>, B0>, B0>, B0>, B1>

Compressed signature (129 bytes).

type SkLen = UInt<UInt<UInt<UInt<UInt<UInt<UInt<UInt<UInt<UTerm, B1>, B0>, B0>, B1>, B0>, B0>, B0>, B0>, B0>

Secret key: ideal norm + generator coords + basis-change matrix (288 bytes).

fn prime_le_bytes() -> &'static [u8]

The prime p as a static byte slice (little-endian canonical encoding, length FP_ENCODED_BYTES).