From e89a42eede1d46bf7bbd9a5287754eba87790653 Mon Sep 17 00:00:00 2001 From: Daniel Bourdrez <3641580+bytemare@users.noreply.github.com> Date: Tue, 1 Oct 2024 20:08:38 +0200 Subject: [PATCH] Return groups for elements and scalars (#66) * Elements and Scalars can now return their group with the Group() method --------- Signed-off-by: bytemare <3641580+bytemare@users.noreply.github.com> --- .github/workflows/tests.yml | 2 +- element.go | 5 + go.mod | 6 +- go.sum | 12 +-- groups.go | 2 +- internal/edwards25519/element.go | 5 + internal/edwards25519/group.go | 3 + internal/edwards25519/scalar.go | 9 +- internal/element.go | 3 + internal/field/field.go | 28 +----- internal/nist/curve.go | 2 +- internal/nist/element.go | 19 +++- internal/nist/group.go | 18 +++- internal/nist/scalar.go | 31 +++--- internal/ristretto/element.go | 5 + internal/ristretto/ristretto.go | 3 + internal/ristretto/scalar.go | 5 + internal/scalar.go | 3 + internal/secp256k1/element.go | 5 + internal/secp256k1/group.go | 3 + internal/secp256k1/scalar.go | 5 + scalar.go | 5 + tests/element_test.go | 13 ++- tests/scalar_test.go | 13 ++- tests/table_test.go | 156 +++++++++++++++---------------- 25 files changed, 222 insertions(+), 139 deletions(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index b1d734d..b3917b6 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -15,7 +15,7 @@ jobs: strategy: fail-fast: false matrix: - go: [ '1.22', '1.21' ] + go: [ '1.23.2', '1.22.8', '1.21.13' ] uses: bytemare/workflows/.github/workflows/test-go.yml@f572ea606a74fe011e68a23c19f8d4f5daf58488 with: command: cd .github && make test diff --git a/element.go b/element.go index f7e1dea..7bf40d3 100644 --- a/element.go +++ b/element.go @@ -26,6 +26,11 @@ func newPoint(p internal.Element) *Element { return &Element{Element: p} } +// Group returns the group's Identifier. +func (e *Element) Group() Group { + return Group(e.Element.Group()) +} + // Base sets the element to the group's base point a.k.a. canonical generator. func (e *Element) Base() *Element { return &Element{Element: e.Element.Base()} diff --git a/go.mod b/go.mod index 212199b..d76314f 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/bytemare/crypto -go 1.22.2 +go 1.23.1 require ( filippo.io/edwards25519 v1.1.0 @@ -12,6 +12,6 @@ require ( require ( github.com/bytemare/hash v0.3.0 // indirect - golang.org/x/crypto v0.25.0 // indirect - golang.org/x/sys v0.22.0 // indirect + golang.org/x/crypto v0.27.0 // indirect + golang.org/x/sys v0.25.0 // indirect ) diff --git a/go.sum b/go.sum index 965b789..dce1810 100644 --- a/go.sum +++ b/go.sum @@ -10,11 +10,7 @@ github.com/bytemare/secp256k1 v0.1.4 h1:6F1yP6RiUiWwH7AsGHsHktmHm24QcetdDcc39roB github.com/bytemare/secp256k1 v0.1.4/go.mod h1:Pxb9miDs8PTt5mOktvvXiRflvLxI1wdxbXrc6IYsaho= github.com/gtank/ristretto255 v0.1.2 h1:JEqUCPA1NvLq5DwYtuzigd7ss8fwbYay9fi4/5uMzcc= github.com/gtank/ristretto255 v0.1.2/go.mod h1:Ph5OpO6c7xKUGROZfWVLiJf9icMDwUeIvY4OmlYW69o= -golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30= -golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M= -golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30= -golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M= -golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o= -golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI= -golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A= +golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70= +golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34= +golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= diff --git a/groups.go b/groups.go index fd91536..462f86e 100644 --- a/groups.go +++ b/groups.go @@ -47,7 +47,7 @@ const ( // Edwards25519Sha512 identifies the Edwards25519 group with SHA2-512 hash-to-group hashing. Edwards25519Sha512 - // Secp256k1 identifies the Secp256k1 group with SHA2-256 hash-to-group hashing. + // Secp256k1 identifies the SECp256k1 group with SHA2-256 hash-to-group hashing. Secp256k1 maxID diff --git a/internal/edwards25519/element.go b/internal/edwards25519/element.go index 938d8bc..a8c9822 100644 --- a/internal/edwards25519/element.go +++ b/internal/edwards25519/element.go @@ -35,6 +35,11 @@ func checkElement(element internal.Element) *Element { return ec } +// Group returns the group's Identifier. +func (e *Element) Group() byte { + return Identifier +} + // Base sets the element to the group's base point a.k.a. canonical generator. func (e *Element) Base() internal.Element { e.element.Set(ed.NewGeneratorPoint()) diff --git a/internal/edwards25519/group.go b/internal/edwards25519/group.go index 712a59d..51bb6ea 100644 --- a/internal/edwards25519/group.go +++ b/internal/edwards25519/group.go @@ -18,6 +18,9 @@ import ( ) const ( + // Identifier distinguishes this group from the others by a byte representation. + Identifier = byte(6) + canonicalEncodingLength = 32 orderPrime = "7237005577332262213973186563042994240857116359379907606001950938285454250989" ) diff --git a/internal/edwards25519/scalar.go b/internal/edwards25519/scalar.go index 6f35503..c6a3e41 100644 --- a/internal/edwards25519/scalar.go +++ b/internal/edwards25519/scalar.go @@ -19,9 +19,7 @@ import ( "github.com/bytemare/crypto/internal" ) -const ( - inputLength = 64 -) +const inputLength = 64 var ( scZero Scalar @@ -69,6 +67,11 @@ func (s *Scalar) set(scalar *ed.Scalar) { s.scalar = *scalar } +// Group returns the group's Identifier. +func (s *Scalar) Group() byte { + return Identifier +} + // Zero sets the scalar to 0, and returns it. func (s *Scalar) Zero() internal.Scalar { s.scalar = *ed.NewScalar() diff --git a/internal/element.go b/internal/element.go index 7c7f95f..afe4798 100644 --- a/internal/element.go +++ b/internal/element.go @@ -11,6 +11,9 @@ package internal // Element interface abstracts common operations on an Element in a prime-order Group. type Element interface { + // Group returns the group's Identifier. + Group() byte + // Base sets the element to the group's base point a.k.a. canonical generator. Base() Element diff --git a/internal/field/field.go b/internal/field/field.go index 2219940..74f596e 100644 --- a/internal/field/field.go +++ b/internal/field/field.go @@ -15,11 +15,6 @@ import ( "math/big" ) -var ( - zero = big.NewInt(0) - one = big.NewInt(1) -) - // String2Int returns a big.Int representation of the integer s. func String2Int(s string) big.Int { if p, _ := new(big.Int).SetString(s, 0); p != nil { @@ -35,6 +30,7 @@ type Field struct { pMinus1div2 *big.Int // used in IsSquare pMinus2 *big.Int // used for Field big.Int inversion exp *big.Int + byteLen int } // NewField returns a newly instantiated field for the given prime order. @@ -58,19 +54,10 @@ func NewField(prime *big.Int) Field { pMinus1div2: pMinus1div2, pMinus2: pMinus2, exp: exp, + byteLen: (prime.BitLen() + 7) / 8, } } -// Zero returns the zero big.Int of the finite Field. -func (f Field) Zero() *big.Int { - return zero -} - -// One returns one big.Int of the finite Field. -func (f Field) One() *big.Int { - return one -} - // Random sets res to a random big.Int in the Field. func (f Field) Random(res *big.Int) *big.Int { tmp, err := rand.Int(rand.Reader, f.order) @@ -89,14 +76,9 @@ func (f Field) Order() *big.Int { return f.order } -// BitLen of the order. -func (f Field) BitLen() int { - return f.order.BitLen() -} - -// AreEqual returns whether both elements are equal. -func (f Field) AreEqual(f1, f2 *big.Int) bool { - return f.IsZero(f.Sub(&big.Int{}, f1, f2)) +// ByteLen returns the length of the field order in bytes. +func (f Field) ByteLen() int { + return f.byteLen } // IsZero returns whether the big.Int is equivalent to zero. diff --git a/internal/nist/curve.go b/internal/nist/curve.go index ec77873..7655790 100644 --- a/internal/nist/curve.go +++ b/internal/nist/curve.go @@ -71,7 +71,7 @@ var ( func (c *curve[point]) affineToPoint(pxc, pyc *big.Int) point { var decompressed []byte - byteLen := (c.field.BitLen() + 7) / 8 + byteLen := c.field.ByteLen() switch byteLen { case 32: decompressed = decompressed256[:] diff --git a/internal/nist/element.go b/internal/nist/element.go index 3ff55f7..53a2d9f 100644 --- a/internal/nist/element.go +++ b/internal/nist/element.go @@ -12,6 +12,9 @@ import ( "crypto/subtle" "encoding/hex" "fmt" + "reflect" + + "filippo.io/nistec" "github.com/bytemare/crypto/internal" ) @@ -41,6 +44,20 @@ func checkElement[Point nistECPoint[Point]](element internal.Element) *Element[P return ec } +// Group returns the group's Identifier. +func (e *Element[Point]) Group() byte { + switch any(e.p).(type) { + case *nistec.P256Point: + return IdentifierP256 + case *nistec.P384Point: + return IdentifierP384 + case *nistec.P521Point: + return IdentifierP521 + } + + panic(fmt.Sprintf("invalid point type %v", reflect.TypeFor[Point]())) +} + // Base sets the element to the group's base point a.k.a. canonical generator. func (e *Element[Point]) Base() internal.Element { e.p.SetGenerator() @@ -67,7 +84,7 @@ func (e *Element[Point]) Double() internal.Element { return e } -// negateSmall returns the compressed byte encoding of the negated element e with 5 allocs in 13000 ns/op. +// negateSmall returns the compressed byte encoding of the negated element e with 5 allocations in 13000 ns/op. func (e *Element[Point]) negateSmall() []byte { enc := e.p.BytesCompressed() diff --git a/internal/nist/group.go b/internal/nist/group.go index de5a803..4f515b6 100644 --- a/internal/nist/group.go +++ b/internal/nist/group.go @@ -6,7 +6,8 @@ // LICENSE file in the root directory of this source tree or at // https://spdx.org/licenses/MIT.html -// Package nist allows simple and abstracted operations in the NIST P-256, P-384, and P-521 groups. +// Package nist allows simple and abstracted operations in the NIST P-256, P-384, and +// P-521 groups, wrapping filippo.io/nistec. package nist import ( @@ -39,6 +40,15 @@ const ( // E2CP521 represents the encode-to-curve string identifier for P521. E2CP521 = "P521_XMD:SHA-512_SSWU_NU_" + + // IdentifierP256 distinguishes this group from the others by a byte representation. + IdentifierP256 = byte(3) + + // IdentifierP384 distinguishes this group from the others by a byte representation. + IdentifierP384 = byte(4) + + // IdentifierP521 distinguishes this group from the others by a byte representation. + IdentifierP521 = byte(5) ) // P256 returns the single instantiation of the P256 Group. @@ -140,14 +150,12 @@ func (g Group[P]) Ciphersuite() string { // ScalarLength returns the byte size of an encoded element. func (g Group[P]) ScalarLength() int { - byteLen := (g.scalarField.BitLen() + 7) / 8 - return byteLen + return g.scalarField.ByteLen() } // ElementLength returns the byte size of an encoded element. func (g Group[P]) ElementLength() int { - byteLen := (g.curve.field.BitLen() + 7) / 8 - return 1 + byteLen + return 1 + g.scalarField.ByteLen() } // Order returns the order of the canonical group of scalars. diff --git a/internal/nist/scalar.go b/internal/nist/scalar.go index cd1f348..dc536a4 100644 --- a/internal/nist/scalar.go +++ b/internal/nist/scalar.go @@ -30,7 +30,6 @@ func newScalar(f *field.Field) *Scalar { field: f, scalar: big.Int{}, } - s.scalar.Set(s.field.Zero()) return s } @@ -48,15 +47,29 @@ func (s *Scalar) assert(scalar internal.Scalar) *Scalar { return _sc } +// Group returns the group's Identifier. +func (s *Scalar) Group() byte { + switch *s.field { + case p256.scalarField: + return IdentifierP256 + case p384.scalarField: + return IdentifierP384 + case p521.scalarField: + return IdentifierP521 + } + + panic(fmt.Sprintf("invalid field order for scalar %s", s.field.Order().String())) +} + // Zero sets s to 0, and returns it. func (s *Scalar) Zero() internal.Scalar { - s.scalar.Set(s.field.Zero()) + s.scalar.Set(big.NewInt(0)) return s } // One sets s to 1, and returns it. func (s *Scalar) One() internal.Scalar { - s.scalar.Set(s.field.One()) + s.scalar.Set(big.NewInt(1)) return s } @@ -168,7 +181,7 @@ func (s *Scalar) LessOrEqual(scalar internal.Scalar) int { // IsZero returns whether the scalar is 0. func (s *Scalar) IsZero() bool { - return s.field.AreEqual(&s.scalar, s.field.Zero()) + return s.field.IsZero(&s.scalar) } // Set sets the receiver to the value of the argument scalar, and returns the receiver. @@ -194,7 +207,7 @@ func (s *Scalar) SetUInt64(i uint64) internal.Scalar { func (s *Scalar) UInt64() (uint64, error) { b := s.Encode() overflows := byte(0) - scalarLength := (s.field.BitLen() + 7) / 8 + scalarLength := s.field.ByteLen() for _, bx := range b[:scalarLength-8] { overflows |= bx @@ -217,20 +230,16 @@ func (s *Scalar) Copy() internal.Scalar { // Encode returns the compressed byte encoding of the scalar. func (s *Scalar) Encode() []byte { - byteLen := (s.field.BitLen() + 7) / 8 - scalar := make([]byte, byteLen) - + scalar := make([]byte, s.field.ByteLen()) return s.scalar.FillBytes(scalar) } // Decode sets the receiver to a decoding of the input data, and returns an error on failure. func (s *Scalar) Decode(in []byte) error { - expectedLength := (s.field.BitLen() + 7) / 8 - switch len(in) { case 0: return internal.ErrParamNilScalar - case expectedLength: + case s.field.ByteLen(): break default: return internal.ErrParamScalarLength diff --git a/internal/ristretto/element.go b/internal/ristretto/element.go index 400bf72..d330aa4 100644 --- a/internal/ristretto/element.go +++ b/internal/ristretto/element.go @@ -36,6 +36,11 @@ func checkElement(element internal.Element) *Element { return ec } +// Group returns the group's Identifier. +func (e *Element) Group() byte { + return Identifier +} + // Base sets the element to the group's base point a.k.a. canonical generator. func (e *Element) Base() internal.Element { e.element.Base() diff --git a/internal/ristretto/ristretto.go b/internal/ristretto/ristretto.go index c1fdfeb..0955dd1 100644 --- a/internal/ristretto/ristretto.go +++ b/internal/ristretto/ristretto.go @@ -19,6 +19,9 @@ import ( ) const ( + // Identifier distinguishes this group from the others by a byte representation. + Identifier = byte(1) + inputLength = 64 // H2C represents the hash-to-curve string identifier. diff --git a/internal/ristretto/scalar.go b/internal/ristretto/scalar.go index 1f1821a..72fb629 100644 --- a/internal/ristretto/scalar.go +++ b/internal/ristretto/scalar.go @@ -60,6 +60,11 @@ func (s *Scalar) set(scalar *ristretto255.Scalar) { s.scalar = *ristretto255.NewScalar().Add(&scZero.scalar, scalar) } +// Group returns the group's Identifier. +func (s *Scalar) Group() byte { + return Identifier +} + // Zero sets the scalar to 0, and returns it. func (s *Scalar) Zero() internal.Scalar { s.scalar.Zero() diff --git a/internal/scalar.go b/internal/scalar.go index 0d14b9f..a345512 100644 --- a/internal/scalar.go +++ b/internal/scalar.go @@ -11,6 +11,9 @@ package internal // Scalar interface abstracts common operations on scalars in a prime-order Group. type Scalar interface { + // Group returns the group's Identifier. + Group() byte + // Zero sets the scalar to 0, and returns it. Zero() Scalar diff --git a/internal/secp256k1/element.go b/internal/secp256k1/element.go index 2f8a2d4..90ed786 100644 --- a/internal/secp256k1/element.go +++ b/internal/secp256k1/element.go @@ -40,6 +40,11 @@ func assertElement(element internal.Element) *Element { return ec } +// Group returns the group's Identifier. +func (e *Element) Group() byte { + return Identifier +} + // Base sets the element to the group's base point a.k.a. canonical generator. func (e *Element) Base() internal.Element { e.element.Base() diff --git a/internal/secp256k1/group.go b/internal/secp256k1/group.go index c9f52f8..081f51a 100644 --- a/internal/secp256k1/group.go +++ b/internal/secp256k1/group.go @@ -18,6 +18,9 @@ import ( ) const ( + // Identifier distinguishes this group from the others by a byte representation. + Identifier = byte(7) + // H2CSECP256K1 represents the hash-to-curve string identifier for Secp256k1. H2CSECP256K1 = "secp256k1_XMD:SHA-256_SSWU_RO_" diff --git a/internal/secp256k1/scalar.go b/internal/secp256k1/scalar.go index 8f2d17f..149c5d9 100644 --- a/internal/secp256k1/scalar.go +++ b/internal/secp256k1/scalar.go @@ -35,6 +35,11 @@ func assert(scalar internal.Scalar) *Scalar { return sc } +// Group returns the group's Identifier. +func (s *Scalar) Group() byte { + return Identifier +} + // Zero sets the scalar to 0, and returns it. func (s *Scalar) Zero() internal.Scalar { s.scalar.Zero() diff --git a/scalar.go b/scalar.go index 7c32465..f92b6f5 100644 --- a/scalar.go +++ b/scalar.go @@ -26,6 +26,11 @@ func newScalar(s internal.Scalar) *Scalar { return &Scalar{Scalar: s} } +// Group returns the group's Identifier. +func (s *Scalar) Group() Group { + return Group(s.Scalar.Group()) +} + // Zero sets the scalar to 0, and returns it. func (s *Scalar) Zero() *Scalar { s.Scalar.Zero() diff --git a/tests/element_test.go b/tests/element_test.go index 8d74789..2ffd116 100644 --- a/tests/element_test.go +++ b/tests/element_test.go @@ -54,7 +54,16 @@ func testElementCopySet(t *testing.T, element, other *crypto.Element) { } } -func TestElementCopy(t *testing.T) { +func TestElement_Group(t *testing.T) { + testAllGroups(t, func(group *testGroup) { + e := group.group.NewElement() + if e.Group() != group.group { + t.Fatal(errWrongGroup) + } + }) +} + +func TestElement_Copy(t *testing.T) { testAllGroups(t, func(group *testGroup) { base := group.group.Base() cpy := base.Copy() @@ -62,7 +71,7 @@ func TestElementCopy(t *testing.T) { }) } -func TestElementSet(t *testing.T) { +func TestElement_Set(t *testing.T) { testAllGroups(t, func(group *testGroup) { base := group.group.Base() other := group.group.NewElement() diff --git a/tests/scalar_test.go b/tests/scalar_test.go index 7508e60..872415d 100644 --- a/tests/scalar_test.go +++ b/tests/scalar_test.go @@ -22,6 +22,15 @@ import ( "github.com/bytemare/crypto/internal" ) +func TestScalar_Group(t *testing.T) { + testAllGroups(t, func(group *testGroup) { + s := group.group.NewScalar() + if s.Group() != group.group { + t.Fatal(errWrongGroup) + } + }) +} + func TestScalar_WrongInput(t *testing.T) { exec := func(f func(*crypto.Scalar) *crypto.Scalar, arg *crypto.Scalar) func() { return func() { @@ -99,7 +108,7 @@ func testScalarCopySet(t *testing.T, scalar, other *crypto.Scalar) { } } -func TestScalarCopy(t *testing.T) { +func TestScalar_Copy(t *testing.T) { testAllGroups(t, func(group *testGroup) { random := group.group.NewScalar().Random() cpy := random.Copy() @@ -107,7 +116,7 @@ func TestScalarCopy(t *testing.T) { }) } -func TestScalarSet(t *testing.T) { +func TestScalar_Set(t *testing.T) { testAllGroups(t, func(group *testGroup) { random := group.group.NewScalar().Random() other := group.group.NewScalar() diff --git a/tests/table_test.go b/tests/table_test.go index 3bb1252..f46f3d7 100644 --- a/tests/table_test.go +++ b/tests/table_test.go @@ -54,7 +54,7 @@ type testGroup struct { var testTable = []*testGroup{ { - [15]string{ + multBase: [15]string{ "e2f2ae0a6abc4e71a884a961c500515f58e30b6aa582dd8db6a65945e08d2d76", "6a493210f7499cd17fecb510ae0cea23a110e8d5b901f8acadd3095c73a3b919", "94741f5d5d52755ece4f23f044ee27d5d1ea1e2bd196b462166b16152a9d0259", @@ -71,26 +71,26 @@ var testTable = []*testGroup{ "46376b80f409b29dc2b5f6f0c52591990896e5716f41477cd30085ab7f10301e", "e0c418f7c8d9c4cdd7395b93ea124f3ad99021bb681dfc3302a9d99a2e53e64e", }, - "Ristretto255", - "ristretto255_XMD:SHA-512_R255MAP_RO_", - "ristretto255_XMD:SHA-512_R255MAP_RO_", - ristrettoBasePoint, - ristrettoBasePoint, - "0000000000000000000000000000000000000000000000000000000000000000", - "57896044618658097711785492504343953926634992332820282019728792003956564819949", - testHashToCurve{ + name: "Ristretto255", + h2c: "ristretto255_XMD:SHA-512_R255MAP_RO_", + e2c: "ristretto255_XMD:SHA-512_R255MAP_RO_", + basePoint: ristrettoBasePoint, + basePointX: ristrettoBasePoint, + identity: "0000000000000000000000000000000000000000000000000000000000000000", + fieldOrder: "57896044618658097711785492504343953926634992332820282019728792003956564819949", + hashToCurve: testHashToCurve{ input: testHashToGroupInput, dst: testHashToGroupDST, hashToScalar: "7cf9410111022202c71f9d317d6fcd711a84fee5a406063f8376379bbe8a3f03", hashToGroup: "d0f15a907366d66998784ff0148356bb0de24088680fb29d5fbe1a629d743b10", }, - 32, - 32, - 1, - crypto.SHA512, + elementLength: 32, + scalarLength: 32, + group: 1, + hash: crypto.SHA512, }, { - [15]string{ + multBase: [15]string{ "036b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296", "037cf27b188d034f7e8a52380304b51ac3c08969e277f21b35a60b48fc47669978", "025ecbe4d1a6330a44c8f7ef951d4bf165e6c6b721efada985fb41661bc6e7fd6c", @@ -107,26 +107,26 @@ var testTable = []*testGroup{ "0354e77a001c3862b97a76647f4336df3cf126acbe7a069c5e5709277324d2920b", "02f0454dc6971abae7adfb378999888265ae03af92de3a0ef163668c63e59b9d5f", }, - "P256", - "P256_XMD:SHA-256_SSWU_RO_", - "P256_XMD:SHA-256_SSWU_NU_", - "036b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296", - "6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296", - "000000000000000000000000000000000000000000000000000000000000000000", - "115792089210356248762697446949407573530086143415290314195533631308867097853951", - testHashToCurve{ + name: "P256", + h2c: "P256_XMD:SHA-256_SSWU_RO_", + e2c: "P256_XMD:SHA-256_SSWU_NU_", + basePoint: "036b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296", + basePointX: "6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296", + identity: "000000000000000000000000000000000000000000000000000000000000000000", + fieldOrder: "115792089210356248762697446949407573530086143415290314195533631308867097853951", + hashToCurve: testHashToCurve{ input: testHashToGroupInput, dst: testHashToGroupDST, hashToScalar: "4b51fd1148439c3a30539e87a2a75c63d72f71b74d108184beeb933d259456b9", hashToGroup: "03536d17bf54e34ebc3926d425e76502b54bc2c393369fc6df0c729a18df667f4c", }, - 33, - 32, - 3, - crypto.SHA256, + elementLength: 33, + scalarLength: 32, + group: 3, + hash: crypto.SHA256, }, { - [15]string{ + multBase: [15]string{ "03aa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7", "0208d999057ba3d2d969260045c55b97f089025959a6f434d651d207d19fb96e9e4fe0e86ebe0e64f85b96a9c75295df61", "03077a41d4606ffa1464793c7e5fdc7d98cb9d3910202dcd06bea4f240d3566da6b408bbae5026580d02d7e5c70500c831", @@ -143,26 +143,26 @@ var testTable = []*testGroup{ "02e8c8f94d44fbc2396bbeac481b89d2b0877b1dffd23e7dc95de541eb651cca2c41aba24dbc02de6637209accf0f59ea0", "02b3d13fc8b32b01058cc15c11d813525522a94156fff01c205b21f9f7da7c4e9ca849557a10b6383b4b88701a9606860b", }, - "P384", - "P384_XMD:SHA-384_SSWU_RO_", - "P384_XMD:SHA-384_SSWU_NU_", - "03aa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7", - "aa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7", - "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", - "39402006196394479212279040100143613805079739270465446667948293404245721771496870329047266088258938001861606973112319", - testHashToCurve{ + name: "P384", + h2c: "P384_XMD:SHA-384_SSWU_RO_", + e2c: "P384_XMD:SHA-384_SSWU_NU_", + basePoint: "03aa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7", + basePointX: "aa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7", + identity: "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + fieldOrder: "39402006196394479212279040100143613805079739270465446667948293404245721771496870329047266088258938001861606973112319", + hashToCurve: testHashToCurve{ input: testHashToGroupInput, dst: testHashToGroupDST, hashToScalar: "d22b5352caa675f8a2f385236b95cbc1f84b9e34540b3587d6d55bd5032bf51aeb54ccab701c6f05a489b82ec301012d", hashToGroup: "02777ff137e17b48ab4984de510461af79cf34609ac27f98eb2a4a553f94dbf31bf97b5cf7bac08f60bb8c7ee474a26202", }, - 49, - 48, - 4, - crypto.SHA384, + elementLength: 49, + scalarLength: 48, + group: 4, + hash: crypto.SHA384, }, { - [15]string{ + multBase: [15]string{ "0200c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66", "0200433c219024277e7e682fcb288148c282747403279b1ccc06352c6e5505d769be97b3b204da6ef55507aa104a3a35c5af41cf2fa364d60fd967f43e3933ba6d783d", "0301a73d352443de29195dd91d6a64b5959479b52a6e5b123d9ab9e5ad7a112d7a8dd1ad3f164a3a4832051da6bd16b59fe21baeb490862c32ea05a5919d2ede37ad7d", @@ -179,26 +179,26 @@ var testTable = []*testGroup{ "0201875bc7dc551b1b65a9e1b8ccfaaf84ded1958b401494116a2fd4fb0babe0b3199974fc06c8b897222d79df3e4b7bc744aa6767f6b812efbf5d2c9e682dd3432d74", "03006b6ad89abcb92465f041558fc546d4300fb8fbcc30b40a0852d697b532df128e11b91cce27dbd00ffe7875bd1c8fc0331d9b8d96981e3f92bde9afe337bcb8db55", }, - "P521", - "P521_XMD:SHA-512_SSWU_RO_", - "P521_XMD:SHA-512_SSWU_NU_", - "0200c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66", - "00c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66", - "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", - "6864797660130609714981900799081393217269435300143305409394463459185543183397656052122559640661454554977296311391480858037121987999716643812574028291115057151", - testHashToCurve{ + name: "P521", + h2c: "P521_XMD:SHA-512_SSWU_RO_", + e2c: "P521_XMD:SHA-512_SSWU_NU_", + basePoint: "0200c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66", + basePointX: "00c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66", + identity: "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + fieldOrder: "6864797660130609714981900799081393217269435300143305409394463459185543183397656052122559640661454554977296311391480858037121987999716643812574028291115057151", + hashToCurve: testHashToCurve{ input: testHashToGroupInput, dst: testHashToGroupDST, hashToScalar: "01f4e5806586dbebd01e85b17da1eb2df4ac678bc8683b9baa5dd5fba6a0f9d1ff5621ed342a90273150fd095c7abc07f97d202183ec804d063b9fcc0b95daec0614", hashToGroup: "0300d24ae26cefe28681d4cf35cf7bea7de3acd15f38ba0b835303c9cdc641d1912566041cb5f6939ad43f0b21e506cecc4a8124a0517dce94f2f1affa47f052f25bf0", }, - 67, - 66, - 5, - crypto.SHA512, + elementLength: 67, + scalarLength: 66, + group: 5, + hash: crypto.SHA512, }, { - [15]string{ + multBase: [15]string{ "5866666666666666666666666666666666666666666666666666666666666666", "c9a3f86aae465f0e56513864510f3997561fa2c9e85ea21dc2292309f3cd6022", "d4b4f5784868c3020403246717ec169ff79e26608ea126a1ab69ee77d1b16712", @@ -215,26 +215,26 @@ var testTable = []*testGroup{ "39289c8998fd69835c26b619e89848a7bf02b7cb7ad1ba1581cbc4506f2550ce", "df5c2eadc44c6d94a19a9aa118afe5ac3193d26401f76251f522ff042dfbcb92", }, - "Edwards25519", - "edwards25519_XMD:SHA-512_ELL2_RO_", - "edwards25519_XMD:SHA-512_ELL2_NU_", - "5866666666666666666666666666666666666666666666666666666666666666", - "0900000000000000000000000000000000000000000000000000000000000000", - "0100000000000000000000000000000000000000000000000000000000000000", - "57896044618658097711785492504343953926634992332820282019728792003956564819949", - testHashToCurve{ + name: "Edwards25519", + h2c: "edwards25519_XMD:SHA-512_ELL2_RO_", + e2c: "edwards25519_XMD:SHA-512_ELL2_NU_", + basePoint: "5866666666666666666666666666666666666666666666666666666666666666", + basePointX: "0900000000000000000000000000000000000000000000000000000000000000", + identity: "0100000000000000000000000000000000000000000000000000000000000000", + fieldOrder: "57896044618658097711785492504343953926634992332820282019728792003956564819949", + hashToCurve: testHashToCurve{ input: testHashToGroupInput, dst: testHashToGroupDST, hashToScalar: "90249f56fa61b29fc09b8787d9954a6beba6ca49e25c80f78560ca5458e5b807", hashToGroup: "a2ca6693cdda5b8d204a506fe873ce1d3e58d5b14d04635e13c10ba9d5637f8f", }, - 32, - 32, - 6, - crypto.SHA512, + elementLength: 32, + scalarLength: 32, + group: 6, + hash: crypto.SHA512, }, { - [15]string{ + multBase: [15]string{ "0279be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798", "02c6047f9441ed7d6d3045406e95c07cd85c778e4b8cef3ca7abac09b95c709ee5", "02f9308a019258c31049344f85f89d5229b531c845836f99b08601f113bce036f9", @@ -251,22 +251,22 @@ var testTable = []*testGroup{ "03499fdf9e895e719cfd64e67f07d38e3226aa7b63678949e6e49b241a60e823e4", "02d7924d4f7d43ea965a465ae3095ff41131e5946f3c85f79e44adbcf8e27e080e", }, - "Secp256k1", - "secp256k1_XMD:SHA-256_SSWU_RO_", - "secp256k1_XMD:SHA-256_SSWU_NU_", - "0279be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798", - "79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798", - "000000000000000000000000000000000000000000000000000000000000000000", - "115792089237316195423570985008687907853269984665640564039457584007908834671663", - testHashToCurve{ + name: "Secp256k1", + h2c: "secp256k1_XMD:SHA-256_SSWU_RO_", + e2c: "secp256k1_XMD:SHA-256_SSWU_NU_", + basePoint: "0279be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798", + basePointX: "79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798", + identity: "000000000000000000000000000000000000000000000000000000000000000000", + fieldOrder: "115792089237316195423570985008687907853269984665640564039457584007908834671663", + hashToCurve: testHashToCurve{ input: testHashToGroupInput, dst: testHashToGroupDST, hashToScalar: "782a63d48eace435ac06468208d9a62e3680e4ddc3977c4345b2c6de08258b69", hashToGroup: "0210dca4244e263298000ff1e9f0dfbf1c28333e1f0a252024e8b20b9921cdf3b2", }, - 33, - 32, - 7, - crypto.SHA256, + elementLength: 33, + scalarLength: 32, + group: 7, + hash: crypto.SHA256, }, }