f(x) = p(x)^k
. x
is the input sent to the second party by the first party after blinding it using a random invertible scalar r
, and k
is a secret key only known by the second party. p(x)
is a hash-to-curve function.crypto_core_ed25519_is_valid_point()
function checks that p
represents a point on the edwards25519 curve, in canonical form, on the main subgroup, and that the point doesn't have a small order.1
on success, and 0
if the checks didn't pass.p
with the representation of a random group element.crypto_core_ed25519_from_uniform()
function maps a 32 bytes vector r
to a point, and stores its compressed representation into p
.crypto_scalarmult_ed25519()
function multiplies a point p
by a scalar n
and puts the Y coordinate of the resulting point into q
.q
should not be used as a shared key prior to hashing.0
on success, or -1
if n
is 0
or if p
is not on the curve, not on the main subgroup, is a point of small order, or is not provided in canonical form.n
is "clamped" (the 3 low bits are cleared to make it a multiple of the cofactor, bit 254 is set and bit 255 is cleared to respect the original design).crypto_scalarmult_ed25519_base()
function multiplies the base point (x, 4/5)
by a scalar n
(clamped) and puts the Y coordinate of the resulting point into q
.-1
if n
is 0
, and 0
otherwise.scalarmult
functions above clear lower bits of the scalar. This may be indesirable to build protocols that requires n
to be invertible.noclamp
variants of these functions do not clear these bits, and do not set the high bit either. These variants expect a scalar in the ]0..L[
range.p
is on the prime-order subgroup before performing the multiplication, and return -1
if this is not the case or n
is 0
. It returns 0
on success.0
on success, or -1
if n
is 0
.crypto_core_ed25519_add()
function adds the point p
to the point q
and stores the resulting point into r
.0
on success, or -1
if p
and/or q
are not valid points.crypto_core_ed25519_sub()
function subtracts the point p
to the point q
and stores the resulting point into r
.0
on success, or -1
if p
and/or q
are not valid points.crypto_core_ed25519_scalar_*()
function set operates over scalars in the [0..L[
interval, L
being the order of the main subgroup (2^252 + 27742317777372353535851937790883648493).crypto_core_ed25519_scalar_random()
function introduced in libsodium 1.0.17:crypto_core_ed25519_scalar_random()
fills r
with a crypto_core_ed25519_SCALARBYTES
bytes representation of the scalar in the ]0..L[
interval.[0..L[
interval can also be obtained by reducing a possibly larger value:crypto_core_ed25519_scalar_reduce()
function reduces s
to s mod L
and puts the crypto_core_ed25519_SCALARBYTES
integer into r
.s
is much larger than r
(64 bytes vs 32 bytes). Bits of s
can be left to 0
, but the interval s
is sampled from should be at least 317 bits to ensure almost uniformity of r
over L
.crypto_core_ed25519_scalar_invert()
function computes the multiplicative inverse of s
over L
, and puts it into recip
.crypto_core_ed25519_scalar_negate()
function returns neg
so that s + neg = 0 (mod L)
.crypto_core_ed25519_scalar_complement()
function returns comp
so that s + comp = 1 (mod L)
.crypto_core_ed25519_scalar_add()
function stores x + y (mod L)
into z
.crypto_core_ed25519_scalar_sub()
function stores x - y (mod L)
into z
.crypto_core_ed25519_scalar_mul()
function stores x * y (mod L)
into z
.crypto_scalarmult_ed25519_BYTES
crypto_scalarmult_ed25519_SCALARBYTES
crypto_core_ed25519_BYTES
crypto_core_ed25519_UNIFORMBYTES
crypto_core_ed25519_SCALARBYTES
crypto_core_ed25519_NONREDUCEDSCALARBYTES
crypto_core_ed25519_from_uniform()
exposes the Elligator 2 map, using the high bit for the sign of the X coordinate.