Struct Level5 

pub struct Level5;

NIST Security Level V (256-bit post-quantum security).

Prime: p = 27 * 2^500 - 1, encoded in 64 bytes.

Trait Implementations

impl Clone for Level5

fn clone(&self) -> Level5

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for Level5

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Default for Level5

fn default() -> Level5

Returns the “default value” for a type.

impl FpBackend for Level5

fn set_zero(out: &mut Array<u64, Self::FpLimbs>)

out <- 0.

fn set_one(out: &mut Array<u64, Self::FpLimbs>)

out <- 1 in Montgomery form.

fn set_small(out: &mut Array<u64, Self::FpLimbs>, val: u64)

out <- val in Montgomery form, treating val as an unsigned integer that fits in the field.

fn is_equal( a: &Array<u64, Self::FpLimbs>, b: &Array<u64, Self::FpLimbs>, ) -> Choice

Constant-time equality test. Returns Choice(1) if a == b (after full reduction), Choice(0) otherwise.

fn is_zero(a: &Array<u64, Self::FpLimbs>) -> Choice

Constant-time zero test. Returns Choice(1) if a == 0 (after full reduction), Choice(0) otherwise.

fn copy(out: &mut Array<u64, Self::FpLimbs>, a: &Array<u64, Self::FpLimbs>)

out <- a (copy).

fn add( out: &mut Array<u64, Self::FpLimbs>, a: &Array<u64, Self::FpLimbs>, b: &Array<u64, Self::FpLimbs>, )

out <- a + b mod 2p.

fn sub( out: &mut Array<u64, Self::FpLimbs>, a: &Array<u64, Self::FpLimbs>, b: &Array<u64, Self::FpLimbs>, )

out <- a - b mod 2p.

fn neg(out: &mut Array<u64, Self::FpLimbs>, a: &Array<u64, Self::FpLimbs>)

out <- -a mod 2p.

fn mul( out: &mut Array<u64, Self::FpLimbs>, a: &Array<u64, Self::FpLimbs>, b: &Array<u64, Self::FpLimbs>, )

Montgomery multiplication: out ← a · b · R⁻¹ mod 2p.

fn sqr(out: &mut Array<u64, Self::FpLimbs>, a: &Array<u64, Self::FpLimbs>)

Specialized Montgomery squaring: out ← a² · R⁻¹ mod 2p.

fn inv(out: &mut Array<u64, Self::FpLimbs>, a: &Array<u64, Self::FpLimbs>)

out <- 1 / a mod p. If a == 0 the output is 0 (no panic).

fn sqrt(out: &mut Array<u64, Self::FpLimbs>, a: &Array<u64, Self::FpLimbs>)

out <- sqrt(a) mod p. The caller is responsible for ensuring a is a quadratic residue; on non-QR inputs the output is well-defined but is not a square root of a. The result is determined only up to sign.

fn is_square(a: &Array<u64, Self::FpLimbs>) -> Choice

Returns Choice(1) if a is a quadratic residue (or zero) in Fp, Choice(0) otherwise.

fn half(out: &mut Array<u64, Self::FpLimbs>, a: &Array<u64, Self::FpLimbs>)

out <- a / 2 mod p.

fn div3(out: &mut Array<u64, Self::FpLimbs>, a: &Array<u64, Self::FpLimbs>)

out <- a / 3 mod p.

fn exp3div4(out: &mut Array<u64, Self::FpLimbs>, a: &Array<u64, Self::FpLimbs>)

Square root progenitor: out <- a^((p-3)/4) mod p. Combined with one extra multiplication this yields sqrt(a) when p = 3 mod 4.

fn mul_small( out: &mut Array<u64, Self::FpLimbs>, a: &Array<u64, Self::FpLimbs>, val: u32, )

out <- a * val mod 2p for a small (32-bit) integer multiplier.

fn encode(out: &mut [u8], a: &Array<u64, Self::FpLimbs>)

Serialize a to its canonical little-endian byte form. Writes exactly Self::FpEncodedBytes::USIZE bytes.

fn decode(out: &mut Array<u64, Self::FpLimbs>, bytes: &[u8]) -> Choice

Deserialize an Fp element from Self::FpEncodedBytes::USIZE canonical little-endian bytes. Returns Choice(1) if the input represented an integer in [0, p), Choice(0) otherwise. On out-of-range input the output is zeroed.

fn decode_reduce(out: &mut Array<u64, Self::FpLimbs>, bytes: &[u8])

Decode a possibly-longer little-endian byte string with full modular reduction. Used to map a hash output uniformly into Fp.

fn cswap( a: &mut Array<u64, Self::FpLimbs>, b: &mut Array<u64, Self::FpLimbs>, ctl: Choice, )

Constant-time conditional swap: if ctl is set, swap a and b; otherwise leave them unchanged.

fn select( out: &mut Array<u64, Self::FpLimbs>, a0: &Array<u64, Self::FpLimbs>, a1: &Array<u64, Self::FpLimbs>, ctl: Choice, )

Constant-time conditional select: if ctl is clear, set out <- a0; if ctl is set, set out <- a1.

impl LevelPrecomp for Level5

fn basis_e0_px_bytes() -> &'static [u8]

Canonical 𝔽p²-encoded bytes for the x-coordinate of the first generator of the 2ᶠ-torsion basis on E0.

fn basis_e0_qx_bytes() -> &'static [u8]

Canonical 𝔽p²-encoded bytes for the x-coordinate of the second generator of the 2ᶠ-torsion basis on E0.

fn p_cofactor_for_2f() -> &'static [u64]

The odd cofactor (p+1) / 2ᶠ as 64-bit limbs (little-endian).

fn p_cofactor_for_2f_bitlength() -> u32

Bit-length of the odd cofactor.

fn torsion_even_power() -> u32

Exponent f such that the torsion subgroup is ℤ/2ᶠ × ℤ/2ᶠ.

fn splitting_transforms() -> &'static [[[u8; 4]; 4]; 10]

10 precomputed 4×4 basis change matrices for splitting transforms.

fn normalization_transforms() -> &'static [[[u8; 4]; 4]; 6]

6 precomputed 4×4 normalization matrices for splitting.

fn chi_eval() -> &'static [[i32; 4]; 4]

Character evaluation table for splitting.

fn even_index() -> &'static [[i32; 2]; 10]

Pairs of indices for the 10 possible zero-positions in splitting.

impl SecurityLevel for Level5

const LAMBDA: u32 = 256

256-bit post-quantum security.

const F_CHR: u32 = 500

p + 1 = 27 * 2^500, so the full 2^500-torsion is available.

const E_RSP: u32 = 253

Response isogeny has degree 2^253.

const E_CHL: u32 = 256

Challenge scalar is 256 bits (matching LAMBDA).

const HASH_ITERATIONS: u32 = 512

Up to 512 SHAKE256 squeeze attempts to find a valid challenge.

const NWORDS_ORDER: usize = 8

8 limbs × 64 = 512-bit scalar width.

const TORSION_EVEN_POWER: u32 = 500

v_2(p + 1) = 500.

const P_COFACTOR_FOR_2F_BITLENGTH: usize = 5

(p + 1) / 2^500 = 27 = 0b11011, which is 5 bits.

const SQISIGN_RESPONSE_LENGTH: u32 = 253

Response isogeny length = 253 bits (same as E_RSP).

type FpLimbs = UInt<UInt<UInt<UInt<UTerm, B1>, B0>, B0>, B1>

9 limbs × 57-bit radix = 513 bits of storage for the 505-bit prime.

type MpLimbs = UInt<UInt<UInt<UInt<UTerm, B1>, B0>, B0>, B0>

8 limbs × 64 bits = 512-bit scalars for order arithmetic.

type FpEncodedBytes = UInt<UInt<UInt<UInt<UInt<UInt<UInt<UTerm, B1>, B0>, B0>, B0>, B0>, B0>, B0>

p fits in 64 bytes (505 bits).

type Fp2EncodedBytes = UInt<UInt<UInt<UInt<UInt<UInt<UInt<UInt<UTerm, B1>, B0>, B0>, B0>, B0>, B0>, B0>, B0>

Two Fp elements = 128 bytes.

type PkLen = UInt<UInt<UInt<UInt<UInt<UInt<UInt<UInt<UTerm, B1>, B0>, B0>, B0>, B0>, B0>, B0>, B1>

Public key: 1-byte header + 2 × 64 bytes for the Fp2 j-invariant.

type SigLen = UInt<UInt<UInt<UInt<UInt<UInt<UInt<UInt<UInt<UTerm, B1>, B0>, B0>, B1>, B0>, B0>, B1>, B0>, B0>

Signature: compressed response isogeny encoding (292 bytes).

type ExpandedSigLen = UInt<UInt<UInt<UInt<UInt<UInt<UInt<UInt<UInt<UTerm, B1>, B1>, B0>, B1>, B0>, B0>, B1>, B0>, B0>

Expanded signature (420 bytes).

type CompressedSigLen = UInt<UInt<UInt<UInt<UInt<UInt<UInt<UInt<UInt<UTerm, B1>, B0>, B0>, B0>, B0>, B0>, B0>, B0>, B1>

Compressed signature (257 bytes).

type SkLen = UInt<UInt<UInt<UInt<UInt<UInt<UInt<UInt<UInt<UInt<UTerm, B1>, B0>, B0>, B1>, B0>, B0>, B0>, B0>, B0>, B0>

Secret key: ideal norm + generator coords + basis-change matrix. Actual content is 572 bytes; U576 is the next upstream hybrid-array size. The 4 trailing bytes are zero-padded.

fn prime_le_bytes() -> &'static [u8]

The prime p as a static byte slice (little-endian canonical encoding, length FP_ENCODED_BYTES).