Struct Level3 

pub struct Level3;

NIST Security Level III (192-bit post-quantum security).

Prime: p = 65 * 2^376 - 1, encoded in 48 bytes.

Trait Implementations

impl Clone for Level3

fn clone(&self) -> Level3

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for Level3

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Default for Level3

fn default() -> Level3

Returns the “default value” for a type.

impl FpBackend for Level3

fn set_zero(out: &mut Array<u64, Self::FpLimbs>)

out <- 0.

fn set_one(out: &mut Array<u64, Self::FpLimbs>)

out <- 1 in Montgomery form.

fn set_small(out: &mut Array<u64, Self::FpLimbs>, val: u64)

out <- val in Montgomery form, treating val as an unsigned integer that fits in the field.

fn is_equal( a: &Array<u64, Self::FpLimbs>, b: &Array<u64, Self::FpLimbs>, ) -> Choice

Constant-time equality test. Returns Choice(1) if a == b (after full reduction), Choice(0) otherwise.

fn is_zero(a: &Array<u64, Self::FpLimbs>) -> Choice

Constant-time zero test. Returns Choice(1) if a == 0 (after full reduction), Choice(0) otherwise.

fn copy(out: &mut Array<u64, Self::FpLimbs>, a: &Array<u64, Self::FpLimbs>)

out <- a (copy).

fn add( out: &mut Array<u64, Self::FpLimbs>, a: &Array<u64, Self::FpLimbs>, b: &Array<u64, Self::FpLimbs>, )

out <- a + b mod 2p.

fn sub( out: &mut Array<u64, Self::FpLimbs>, a: &Array<u64, Self::FpLimbs>, b: &Array<u64, Self::FpLimbs>, )

out <- a - b mod 2p.

fn neg(out: &mut Array<u64, Self::FpLimbs>, a: &Array<u64, Self::FpLimbs>)

out <- -a mod 2p.

fn mul( out: &mut Array<u64, Self::FpLimbs>, a: &Array<u64, Self::FpLimbs>, b: &Array<u64, Self::FpLimbs>, )

Montgomery multiplication: out ← a · b · R⁻¹ mod 2p.

fn sqr(out: &mut Array<u64, Self::FpLimbs>, a: &Array<u64, Self::FpLimbs>)

Specialized Montgomery squaring: out ← a² · R⁻¹ mod 2p.

fn inv(out: &mut Array<u64, Self::FpLimbs>, a: &Array<u64, Self::FpLimbs>)

out <- 1 / a mod p. If a == 0 the output is 0 (no panic).

fn sqrt(out: &mut Array<u64, Self::FpLimbs>, a: &Array<u64, Self::FpLimbs>)

out <- sqrt(a) mod p. The caller is responsible for ensuring a is a quadratic residue; on non-QR inputs the output is well-defined but is not a square root of a. The result is determined only up to sign.

fn is_square(a: &Array<u64, Self::FpLimbs>) -> Choice

Returns Choice(1) if a is a quadratic residue (or zero) in Fp, Choice(0) otherwise.

fn half(out: &mut Array<u64, Self::FpLimbs>, a: &Array<u64, Self::FpLimbs>)

out <- a / 2 mod p.

fn div3(out: &mut Array<u64, Self::FpLimbs>, a: &Array<u64, Self::FpLimbs>)

out <- a / 3 mod p.

fn exp3div4(out: &mut Array<u64, Self::FpLimbs>, a: &Array<u64, Self::FpLimbs>)

Square root progenitor: out <- a^((p-3)/4) mod p. Combined with one extra multiplication this yields sqrt(a) when p = 3 mod 4.

fn mul_small( out: &mut Array<u64, Self::FpLimbs>, a: &Array<u64, Self::FpLimbs>, val: u32, )

out <- a * val mod 2p for a small (32-bit) integer multiplier.

fn encode(out: &mut [u8], a: &Array<u64, Self::FpLimbs>)

Serialize a to its canonical little-endian byte form. Writes exactly Self::FpEncodedBytes::USIZE bytes.

fn decode(out: &mut Array<u64, Self::FpLimbs>, bytes: &[u8]) -> Choice

Deserialize an Fp element from Self::FpEncodedBytes::USIZE canonical little-endian bytes. Returns Choice(1) if the input represented an integer in [0, p), Choice(0) otherwise. On out-of-range input the output is zeroed.

fn decode_reduce(out: &mut Array<u64, Self::FpLimbs>, bytes: &[u8])

Decode a possibly-longer little-endian byte string with full modular reduction. Used to map a hash output uniformly into Fp.

fn cswap( a: &mut Array<u64, Self::FpLimbs>, b: &mut Array<u64, Self::FpLimbs>, ctl: Choice, )

Constant-time conditional swap: if ctl is set, swap a and b; otherwise leave them unchanged.

fn select( out: &mut Array<u64, Self::FpLimbs>, a0: &Array<u64, Self::FpLimbs>, a1: &Array<u64, Self::FpLimbs>, ctl: Choice, )

Constant-time conditional select: if ctl is clear, set out <- a0; if ctl is set, set out <- a1.

impl LevelPrecomp for Level3

fn basis_e0_px_bytes() -> &'static [u8]

Canonical 𝔽p²-encoded bytes for the x-coordinate of the first generator of the 2ᶠ-torsion basis on E0.

fn basis_e0_qx_bytes() -> &'static [u8]

Canonical 𝔽p²-encoded bytes for the x-coordinate of the second generator of the 2ᶠ-torsion basis on E0.

fn p_cofactor_for_2f() -> &'static [u64]

The odd cofactor (p+1) / 2ᶠ as 64-bit limbs (little-endian).

fn p_cofactor_for_2f_bitlength() -> u32

Bit-length of the odd cofactor.

fn torsion_even_power() -> u32

Exponent f such that the torsion subgroup is ℤ/2ᶠ × ℤ/2ᶠ.

fn splitting_transforms() -> &'static [[[u8; 4]; 4]; 10]

10 precomputed 4×4 basis change matrices for splitting transforms.

fn normalization_transforms() -> &'static [[[u8; 4]; 4]; 6]

6 precomputed 4×4 normalization matrices for splitting.

fn chi_eval() -> &'static [[i32; 4]; 4]

Character evaluation table for splitting.

fn even_index() -> &'static [[i32; 2]; 10]

Pairs of indices for the 10 possible zero-positions in splitting.

impl SecurityLevel for Level3

const LAMBDA: u32 = 192

192-bit post-quantum security.

const F_CHR: u32 = 376

p + 1 = 65 × 2^376, so the full 2^376-torsion is available.

const E_RSP: u32 = 192

Response isogeny has degree 2^192.

const E_CHL: u32 = 192

Challenge scalar is 192 bits (matching LAMBDA).

const HASH_ITERATIONS: u32 = 256

Up to 256 SHAKE256 squeeze attempts to find a valid challenge.

const NWORDS_ORDER: usize = 6

6 limbs × 64 = 384-bit scalar width.

const TORSION_EVEN_POWER: u32 = 376

v_2(p + 1) = 376.

const P_COFACTOR_FOR_2F_BITLENGTH: usize = 7

(p + 1) / 2^376 = 65, which is 7 bits.

const SQISIGN_RESPONSE_LENGTH: u32 = 192

Response isogeny length = 192 bits (same as E_RSP).

type FpLimbs = UInt<UInt<UInt<UTerm, B1>, B1>, B1>

7 limbs × 55-bit radix = 385 bits of storage for the 383-bit prime.

type MpLimbs = UInt<UInt<UInt<UTerm, B1>, B1>, B0>

6 limbs × 64 bits = 384-bit scalars for order arithmetic.

type FpEncodedBytes = UInt<UInt<UInt<UInt<UInt<UInt<UTerm, B1>, B1>, B0>, B0>, B0>, B0>

p fits in 48 bytes (383 bits).

type Fp2EncodedBytes = UInt<UInt<UInt<UInt<UInt<UInt<UInt<UTerm, B1>, B1>, B0>, B0>, B0>, B0>, B0>

Two Fp elements = 96 bytes.

type PkLen = UInt<UInt<UInt<UInt<UInt<UInt<UInt<UTerm, B1>, B1>, B0>, B0>, B0>, B0>, B1>

Public key: 1-byte header + 2 × 48 bytes for the Fp2 j-invariant.

type SigLen = UInt<UInt<UInt<UInt<UInt<UInt<UInt<UInt<UTerm, B1>, B1>, B1>, B0>, B0>, B0>, B0>, B0>

Signature: compressed response isogeny encoding (224 bytes).

type ExpandedSigLen = UInt<UInt<UInt<UInt<UInt<UInt<UInt<UInt<UInt<UTerm, B1>, B0>, B0>, B1>, B1>, B1>, B1>, B0>, B0>

Expanded signature (316 bytes).

type CompressedSigLen = UInt<UInt<UInt<UInt<UInt<UInt<UInt<UInt<UTerm, B1>, B1>, B0>, B0>, B0>, B1>, B0>, B0>

Compressed signature (196 bytes).

type SkLen = UInt<UInt<UInt<UInt<UInt<UInt<UInt<UInt<UInt<UTerm, B1>, B1>, B0>, B1>, B1>, B0>, B0>, B0>, B0>

Secret key: ideal norm + generator coords + basis-change matrix (432 bytes).

fn prime_le_bytes() -> &'static [u8]

The prime p as a static byte slice (little-endian canonical encoding, length FP_ENCODED_BYTES).