Lib.rs

Cryptography
#decaf #ed448-goldilocks #crypto

ed448

A pure-Rust implementation of Ed448 and Curve448 and Decaf

by Kevaundray Wedderburn

4 releases (breaking)

0.4.0 May 4, 2020
0.3.0 May 4, 2020
0.2.0 May 4, 2020
0.1.0 May 4, 2020

#1425 in Cryptography

BSD-3-Clause

240KB
5K SLoC

Goldilocks

VERY BIG WIP

Field Choice

  • The field size is a Solinas trinomial prime 2^448 - 2^224 -1. This prime is called the Goldilocks prime.
  • We will denote the Goldilocks prime with the variable q.

Goldilocks Curve

The goldilocks curve is an untwisted edwards curve. x^2 + y^2 = 1 -39081x^2y^2.

N.B. The paper says "Ed448-Goldilocks" is the curve and Goldilocks is the prime subgroup, ie the group we get after applying the decaf strategy. This is different from the Goldilocks prime defined above as that is the prime the curve is defined over.

Twisted Curve

This library will also implement the Twisted variation by using a dual isogeny which is a variation of the affine doubling formula. This dual isogeny will effectively clear the cofactor for the computation on the Twisted curve, and it will allow us to use the faster twisted curve arithmetics. However, this strategy does not clear the cofactor entirely. If the point is of low order, then the Twisted curve arithmetic will produce the identity point, while the remaining untwisted curve arithmetic will produce a point in the small order subgroup.

Computing the dual isogeny to clear the cofactor has the same cost as clearing the cofactor through doubling. [Link paper]

Decaf/Ristretto

Due to the rationale in the Twisted Curve section, this library will also implement Decaf and Ristretto over the Twisted Edwards Curve.

Completed Point vs Extensible Point

Deviating from Curve25519-Dalek, this library will implement Extensible points instead of Completed Points. Due to the following observation:

  • There is a cost of 3/4 Field multiplications to switch from the CompletedPoint. SO if we were to perform repeated doubling, this would add an extra cost for each doubling.

Interesting Notes

Goldilocks is defined using an untwisted edwards curve, Curve25519 is defined using a Montgomery Curve. Both use an isogeny to compute the corresponding Twisted Edwards

Perhaps for interopability in naming:

  • CurveXXX = MontgomeryCurve

DONT FORGET CREDITS FOR DESIGN(DALEK) AND MOTGOMERY CODE AND MIKE AND GOLANG IMPLEMENTATION

Dependencies