Struct curve25519_dalek::edwards::EdwardsBasepointTable
source · pub struct EdwardsBasepointTable(/* private fields */);
Expand description
A precomputed table of multiples of a basepoint, for accelerating
fixed-base scalar multiplication. One table, for the Ed25519
basepoint, is provided in the constants
module.
The basepoint tables are reasonably large, so they should probably be boxed.
The sizes for the tables and the number of additions required for one scalar multiplication are as follows:
EdwardsBasepointTableRadix16
: 30KB, 64A (this is the default size, and is used forconstants::ED25519_BASEPOINT_TABLE
)EdwardsBasepointTableRadix64
: 120KB, 43AEdwardsBasepointTableRadix128
: 240KB, 37AEdwardsBasepointTableRadix256
: 480KB, 33A
§Why 33 additions for radix-256?
Normally, the radix-256 tables would allow for only 32 additions per scalar
multiplication. However, due to the fact that standardised definitions of
legacy protocols—such as x25519—require allowing unreduced 255-bit scalars
invariants, when converting such an unreduced scalar’s representation to
radix-\(2^{8}\), we cannot guarantee the carry bit will fit in the last
coefficient (the coefficients are i8
s). When, \(w\), the power-of-2 of
the radix, is \(w < 8\), we can fold the final carry onto the last
coefficient, \(d\), because \(d < 2^{w/2}\), so
$$
d + carry \cdot 2^{w} = d + 1 \cdot 2^{w} < 2^{w+1} < 2^{8}
$$
When \(w = 8\), we can’t fit \(carry \cdot 2^{w}\) into an i8
, so we
add the carry bit onto an additional coefficient.
Trait Implementations§
source§impl BasepointTable for EdwardsBasepointTable
impl BasepointTable for EdwardsBasepointTable
source§fn create(basepoint: &EdwardsPoint) -> EdwardsBasepointTable
fn create(basepoint: &EdwardsPoint) -> EdwardsBasepointTable
Create a table of precomputed multiples of basepoint
.
source§fn basepoint(&self) -> EdwardsPoint
fn basepoint(&self) -> EdwardsPoint
Get the basepoint for this table as an EdwardsPoint
.
source§fn mul_base(&self, scalar: &Scalar) -> EdwardsPoint
fn mul_base(&self, scalar: &Scalar) -> EdwardsPoint
The computation uses Pippeneger’s algorithm, as described for the specific case of radix-16 on page 13 of the Ed25519 paper.
§Piggenger’s Algorithm Generalised
Write the scalar \(a\) in radix-\(w\), where \(w\) is a power of 2, with coefficients in \([\frac{-w}{2},\frac{w}{2})\), i.e., $$ a = a_0 + a_1 w^1 + \cdots + a_{x} w^{x}, $$ with $$ \begin{aligned} \frac{-w}{2} \leq a_i < \frac{w}{2} &&\cdots&& \frac{-w}{2} \leq a_{x} \leq \frac{w}{2} \end{aligned} $$ and the number of additions, \(x\), is given by \(x = \lceil \frac{256}{w} \rceil\). Then $$ a B = a_0 B + a_1 w^1 B + \cdots + a_{x-1} w^{x-1} B. $$ Grouping even and odd coefficients gives $$ \begin{aligned} a B = \quad a_0 w^0 B +& a_2 w^2 B + \cdots + a_{x-2} w^{x-2} B \\ + a_1 w^1 B +& a_3 w^3 B + \cdots + a_{x-1} w^{x-1} B \\ = \quad(a_0 w^0 B +& a_2 w^2 B + \cdots + a_{x-2} w^{x-2} B) \\ + w(a_1 w^0 B +& a_3 w^2 B + \cdots + a_{x-1} w^{x-2} B). \\ \end{aligned} $$ For each \(i = 0 \ldots 31\), we create a lookup table of $$ [w^{2i} B, \ldots, \frac{w}{2}\cdot w^{2i} B], $$ and use it to select \( y \cdot w^{2i} \cdot B \) in constant time.
The radix-\(w\) representation requires that the scalar is bounded by \(2^{255}\), which is always the case.
The above algorithm is trivially generalised to other powers-of-2 radices.
source§type Point = EdwardsPoint
type Point = EdwardsPoint
source§fn mul_base_clamped(&self, bytes: [u8; 32]) -> Self::Point
fn mul_base_clamped(&self, bytes: [u8; 32]) -> Self::Point
clamp_integer(bytes)
by this precomputed basepoint table, in constant time. For
a description of clamping, see clamp_integer
.source§impl Clone for EdwardsBasepointTable
impl Clone for EdwardsBasepointTable
source§fn clone(&self) -> EdwardsBasepointTable
fn clone(&self) -> EdwardsBasepointTable
1.0.0 · source§fn clone_from(&mut self, source: &Self)
fn clone_from(&mut self, source: &Self)
source
. Read moresource§impl Debug for EdwardsBasepointTable
impl Debug for EdwardsBasepointTable
source§impl<'a> From<&'a EdwardsBasepointTable> for EdwardsBasepointTableRadix128
impl<'a> From<&'a EdwardsBasepointTable> for EdwardsBasepointTableRadix128
source§fn from(
table: &'a EdwardsBasepointTableRadix16,
) -> EdwardsBasepointTableRadix128
fn from( table: &'a EdwardsBasepointTableRadix16, ) -> EdwardsBasepointTableRadix128
source§impl<'a> From<&'a EdwardsBasepointTable> for EdwardsBasepointTableRadix256
impl<'a> From<&'a EdwardsBasepointTable> for EdwardsBasepointTableRadix256
source§fn from(
table: &'a EdwardsBasepointTableRadix16,
) -> EdwardsBasepointTableRadix256
fn from( table: &'a EdwardsBasepointTableRadix16, ) -> EdwardsBasepointTableRadix256
source§impl<'a> From<&'a EdwardsBasepointTable> for EdwardsBasepointTableRadix32
impl<'a> From<&'a EdwardsBasepointTable> for EdwardsBasepointTableRadix32
source§fn from(table: &'a EdwardsBasepointTableRadix16) -> EdwardsBasepointTableRadix32
fn from(table: &'a EdwardsBasepointTableRadix16) -> EdwardsBasepointTableRadix32
source§impl<'a> From<&'a EdwardsBasepointTable> for EdwardsBasepointTableRadix64
impl<'a> From<&'a EdwardsBasepointTable> for EdwardsBasepointTableRadix64
source§fn from(table: &'a EdwardsBasepointTableRadix16) -> EdwardsBasepointTableRadix64
fn from(table: &'a EdwardsBasepointTableRadix16) -> EdwardsBasepointTableRadix64
source§impl<'a, 'b> Mul<&'a EdwardsBasepointTable> for &'b Scalar
impl<'a, 'b> Mul<&'a EdwardsBasepointTable> for &'b Scalar
source§fn mul(self, basepoint_table: &'a EdwardsBasepointTable) -> EdwardsPoint
fn mul(self, basepoint_table: &'a EdwardsBasepointTable) -> EdwardsPoint
Construct an EdwardsPoint
from a Scalar
\(a\) by
computing the multiple \(aB\) of this basepoint \(B\).
source§type Output = EdwardsPoint
type Output = EdwardsPoint
*
operator.source§impl<'a, 'b> Mul<&'b Scalar> for &'a EdwardsBasepointTable
impl<'a, 'b> Mul<&'b Scalar> for &'a EdwardsBasepointTable
source§fn mul(self, scalar: &'b Scalar) -> EdwardsPoint
fn mul(self, scalar: &'b Scalar) -> EdwardsPoint
Construct an EdwardsPoint
from a Scalar
\(a\) by
computing the multiple \(aB\) of this basepoint \(B\).
source§type Output = EdwardsPoint
type Output = EdwardsPoint
*
operator.Auto Trait Implementations§
impl Freeze for EdwardsBasepointTable
impl RefUnwindSafe for EdwardsBasepointTable
impl Send for EdwardsBasepointTable
impl Sync for EdwardsBasepointTable
impl Unpin for EdwardsBasepointTable
impl UnwindSafe for EdwardsBasepointTable
Blanket Implementations§
source§impl<T> BorrowMut<T> for Twhere
T: ?Sized,
impl<T> BorrowMut<T> for Twhere
T: ?Sized,
source§fn borrow_mut(&mut self) -> &mut T
fn borrow_mut(&mut self) -> &mut T
source§impl<T> CloneToUninit for Twhere
T: Clone,
impl<T> CloneToUninit for Twhere
T: Clone,
source§unsafe fn clone_to_uninit(&self, dst: *mut T)
unsafe fn clone_to_uninit(&self, dst: *mut T)
clone_to_uninit
)