CurveParams contains the parameters of an elliptic curve and also provides
a generic, non-constant time implementation of Curve.
// the constant of the curve equation
// the size of the underlying field
// (x,y) of the base point
// (x,y) of the base point
// the order of the base point
// the canonical name of the curve
// the order of the underlying field
(*CurveParams) Add(x1, y1, x2, y2 *big.Int) (*big.Int, *big.Int)(*CurveParams) Double(x1, y1 *big.Int) (*big.Int, *big.Int)(*CurveParams) IsOnCurve(x, y *big.Int) bool(*CurveParams) Params() *CurveParams(*CurveParams) ScalarBaseMult(k []byte) (*big.Int, *big.Int)(*CurveParams) ScalarMult(Bx, By *big.Int, k []byte) (*big.Int, *big.Int)
addJacobian takes two points in Jacobian coordinates, (x1, y1, z1) and
(x2, y2, z2) and returns their sum, also in Jacobian form.
affineFromJacobian reverses the Jacobian transform. See the comment at the
top of the file. If the point is ∞ it returns 0, 0.
doubleJacobian takes a point in Jacobian coordinates, (x, y, z), and
returns its double, also in Jacobian form.
polynomial returns x³ - 3x + b.
*CurveParams : Curve
func Curve.Params() *CurveParams
func (*CurveParams).Params() *CurveParams
func matchesSpecificCurve(params *CurveParams, available ...Curve) (Curve, bool)
p224Curve is a Curve implementation based on nistec.P224Point.
It's a wrapper that exposes the big.Int-based Curve interface and encodes the
legacy idiosyncrasies it requires, such as invalid and infinity point
handling.
To interact with the nistec package, points are encoded into and decoded from
properly formatted byte slices. All big.Int use is limited to this package.
Encoding and decoding is 1/1000th of the runtime of a scalar multiplication,
so the overhead is acceptable.
params*CurveParams( p224Curve) Add(x1, y1, x2, y2 *big.Int) (*big.Int, *big.Int)( p224Curve) Double(x1, y1 *big.Int) (*big.Int, *big.Int)( p224Curve) IsOnCurve(x, y *big.Int) bool( p224Curve) Params() *CurveParams( p224Curve) ScalarBaseMult(scalar []byte) (*big.Int, *big.Int)( p224Curve) ScalarMult(Bx, By *big.Int, scalar []byte) (*big.Int, *big.Int)
p224Curve : Curve
var p224
CurveParams*CurveParams
// the constant of the curve equation
// the size of the underlying field
// (x,y) of the base point
// (x,y) of the base point
// the order of the base point
// the canonical name of the curve
// the order of the underlying field
( p256Curve) Add(x1, y1, x2, y2 *big.Int) (*big.Int, *big.Int)( p256Curve) CombinedMult(bigX, bigY *big.Int, baseScalar, scalar []byte) (x, y *big.Int)( p256Curve) Double(x1, y1 *big.Int) (*big.Int, *big.Int)( p256Curve) Inverse(k *big.Int) *big.Int( p256Curve) IsOnCurve(x, y *big.Int) bool( p256Curve) Params() *CurveParams( p256Curve) ScalarBaseMult(scalar []byte) (x, y *big.Int)( p256Curve) ScalarMult(bigX, bigY *big.Int, scalar []byte) (x, y *big.Int)
addJacobian takes two points in Jacobian coordinates, (x1, y1, z1) and
(x2, y2, z2) and returns their sum, also in Jacobian form.
affineFromJacobian reverses the Jacobian transform. See the comment at the
top of the file. If the point is ∞ it returns 0, 0.
doubleJacobian takes a point in Jacobian coordinates, (x, y, z), and
returns its double, also in Jacobian form.
polynomial returns x³ - 3x + b.
p256Curve : Curve
p256Curve : crypto/ecdsa.combinedMult
p256Curve : crypto/ecdsa.invertible
var p256
p384Curve is a Curve implementation based on nistec.P384Point.
It's a wrapper that exposes the big.Int-based Curve interface and encodes the
legacy idiosyncrasies it requires, such as invalid and infinity point
handling.
To interact with the nistec package, points are encoded into and decoded from
properly formatted byte slices. All big.Int use is limited to this package.
Encoding and decoding is 1/1000th of the runtime of a scalar multiplication,
so the overhead is acceptable.
params*CurveParams( p384Curve) Add(x1, y1, x2, y2 *big.Int) (*big.Int, *big.Int)( p384Curve) Double(x1, y1 *big.Int) (*big.Int, *big.Int)( p384Curve) IsOnCurve(x, y *big.Int) bool( p384Curve) Params() *CurveParams( p384Curve) ScalarBaseMult(scalar []byte) (*big.Int, *big.Int)( p384Curve) ScalarMult(Bx, By *big.Int, scalar []byte) (*big.Int, *big.Int)
p384Curve : Curve
var p384
p521Curve is a Curve implementation based on nistec.P521Point.
It's a wrapper that exposes the big.Int-based Curve interface and encodes the
legacy idiosyncrasies it requires, such as invalid and infinity point
handling.
To interact with the nistec package, points are encoded into and decoded from
properly formatted byte slices. All big.Int use is limited to this package.
Encoding and decoding is 1/1000th of the runtime of a scalar multiplication,
so the overhead is acceptable.
params*CurveParams( p521Curve) Add(x1, y1, x2, y2 *big.Int) (*big.Int, *big.Int)( p521Curve) Double(x1, y1 *big.Int) (*big.Int, *big.Int)( p521Curve) IsOnCurve(x, y *big.Int) bool( p521Curve) Params() *CurveParams( p521Curve) ScalarBaseMult(scalar []byte) (*big.Int, *big.Int)( p521Curve) ScalarMult(Bx, By *big.Int, scalar []byte) (*big.Int, *big.Int)
p521Curve : Curve
var p521
Package-Level Functions (total 49, in which 9 are exported)
GenerateKey returns a public/private key pair. The private key is
generated using the given reader, which must return random data.
Marshal converts a point on the curve into the uncompressed form specified in
SEC 1, Version 2.0, Section 2.3.3. If the point is not on the curve (or is
the conventional point at infinity), the behavior is undefined.
MarshalCompressed converts a point on the curve into the compressed form
specified in SEC 1, Version 2.0, Section 2.3.3. If the point is not on the
curve (or is the conventional point at infinity), the behavior is undefined.
P224 returns a Curve which implements NIST P-224 (FIPS 186-3, section D.2.2),
also known as secp224r1. The CurveParams.Name of this Curve is "P-224".
Multiple invocations of this function will return the same value, so it can
be used for equality checks and switch statements.
The cryptographic operations are implemented using constant-time algorithms.
P256 returns a Curve which implements NIST P-256 (FIPS 186-3, section D.2.3),
also known as secp256r1 or prime256v1. The CurveParams.Name of this Curve is
"P-256".
Multiple invocations of this function will return the same value, so it can
be used for equality checks and switch statements.
ScalarMult and ScalarBaseMult are implemented using constant-time algorithms.
P384 returns a Curve which implements NIST P-384 (FIPS 186-3, section D.2.4),
also known as secp384r1. The CurveParams.Name of this Curve is "P-384".
Multiple invocations of this function will return the same value, so it can
be used for equality checks and switch statements.
The cryptographic operations are implemented using constant-time algorithms.
P521 returns a Curve which implements NIST P-521 (FIPS 186-3, section D.2.5),
also known as secp521r1. The CurveParams.Name of this Curve is "P-521".
Multiple invocations of this function will return the same value, so it can
be used for equality checks and switch statements.
The cryptographic operations are implemented using constant-time algorithms.
Unmarshal converts a point, serialized by Marshal, into an x, y pair. It is
an error if the point is not in uncompressed form, is not on the curve, or is
the point at infinity. On error, x = nil.
UnmarshalCompressed converts a point, serialized by MarshalCompressed, into
an x, y pair. It is an error if the point is not in compressed form, is not
on the curve, or is the point at infinity. On error, x = nil.
p224RandomPoint returns a random point on the curve. It's used when Add,
Double, or ScalarMult are fed a point not on the curve, which is undefined
behavior. Originally, we used to do the math on it anyway (which allows
invalid curve attacks) and relied on the caller and Unmarshal to avoid this
happening in the first place. Now, we just can't construct a nistec.P224Point
for an invalid pair of coordinates, because that API is safer. If we panic,
we risk introducing a DoS. If we return nil, we risk a panic. If we return
the input, ecdsa.Verify might fail open. The safest course seems to be to
return a valid, random point, which hopefully won't help the attacker.
Endianness swap
Montgomery multiplication by 1
p256GetScalar endian-swaps the big-endian scalar value from in and writes it
to out. If the scalar is equal or greater than the order of the group, it's
reduced modulo that order.
Functions implemented in p256_asm_*64.s
Montgomery multiplication modulo P256
iff cond == 1 val <- -val
Montgomery multiplication modulo Ord(G)
Montgomery square modulo Ord(G), repeated n times
Point add with in2 being affine point
If sign == 1 -> in2 = -in2
If sel == 0 -> res = in1
if zero == 0 -> res = in2
Point add. Returns one if the two input points were equal and zero
otherwise. (Note that, due to the way that the equations work out, some
representations of ∞ are considered equal to everything by this function.)
p384RandomPoint returns a random point on the curve. It's used when Add,
Double, or ScalarMult are fed a point not on the curve, which is undefined
behavior. Originally, we used to do the math on it anyway (which allows
invalid curve attacks) and relied on the caller and Unmarshal to avoid this
happening in the first place. Now, we just can't construct a nistec.P384Point
for an invalid pair of coordinates, because that API is safer. If we panic,
we risk introducing a DoS. If we return nil, we risk a panic. If we return
the input, ecdsa.Verify might fail open. The safest course seems to be to
return a valid, random point, which hopefully won't help the attacker.
p521RandomPoint returns a random point on the curve. It's used when Add,
Double, or ScalarMult are fed a point not on the curve, which is undefined
behavior. Originally, we used to do the math on it anyway (which allows
invalid curve attacks) and relied on the caller and Unmarshal to avoid this
happening in the first place. Now, we just can't construct a nistec.P521Point
for an invalid pair of coordinates, because that API is safer. If we panic,
we risk introducing a DoS. If we return nil, we risk a panic. If we return
the input, ecdsa.Verify might fail open. The safest course seems to be to
return a valid, random point, which hopefully won't help the attacker.
scalarIsZero returns 1 if scalar represents the zero value, and zero
otherwise.
uint64IsZero returns 1 if x is zero and zero otherwise.
zForAffine returns a Jacobian Z value for the affine point (x, y). If x and
y are zero, it assumes that they represent the point at infinity because (0,
0) is not on the any of the curves handled here.
Package-Level Variables (total 8, none are exported)
p256Mul operates in a Montgomery domain with R = 2^256 mod p, where p is the
underlying field of the curve. (See initP256 for the value.) Thus rr here is
R×R mod p. See comment in Inverse about how this is used.
The pages are generated with Goldsv0.4.9. (GOOS=linux GOARCH=amd64)