package edwards25519

Import Path
	crypto/ed25519/internal/edwards25519 (on golang.org and go.dev)

Dependency Relation
	imports one package, and imported by one package

Involved Source Files

	      const.go
	      edwards25519.go
Package-Level Type Names (total 6, all are exported)

	/* sort exporteds by: alphabet | popularity */
	 type CachedGroupElement (struct)

		Fields (total 4, in which 2 are exported)
			T2d FieldElement
			Z FieldElement
			/* 2 unexporteds ... *//* 2 unexporteds: */
			yMinusX FieldElement
			yPlusX FieldElement
		As Inputs Of (at least 3, in which 1 are exported)
			func (*ExtendedGroupElement).ToCached(r *CachedGroupElement)
			/* 2+ unexporteds ... *//* 2+ unexporteds: */
			func geAdd(r *CompletedGroupElement, p *ExtendedGroupElement, q *CachedGroupElement)
			func geSub(r *CompletedGroupElement, p *ExtendedGroupElement, q *CachedGroupElement)

	 type CompletedGroupElement (struct)

		Fields (total 4, all are exported)
			T FieldElement
			X FieldElement
			Y FieldElement
			Z FieldElement
		Methods (total 2, both are exported)
			(*T) ToExtended(r *ExtendedGroupElement)
			(*T) ToProjective(r *ProjectiveGroupElement)
		As Inputs Of (at least 6, in which 2 are exported)
			func (*ExtendedGroupElement).Double(r *CompletedGroupElement)
			func (*ProjectiveGroupElement).Double(r *CompletedGroupElement)
			/* 4+ unexporteds ... *//* 4+ unexporteds: */
			func geAdd(r *CompletedGroupElement, p *ExtendedGroupElement, q *CachedGroupElement)
			func geMixedAdd(r *CompletedGroupElement, p *ExtendedGroupElement, q *PreComputedGroupElement)
			func geMixedSub(r *CompletedGroupElement, p *ExtendedGroupElement, q *PreComputedGroupElement)
			func geSub(r *CompletedGroupElement, p *ExtendedGroupElement, q *CachedGroupElement)

	 type ExtendedGroupElement (struct)

		Fields (total 4, all are exported)
			T FieldElement
			X FieldElement
			Y FieldElement
			Z FieldElement
		Methods (total 6, all are exported)
			(*T) Double(r *CompletedGroupElement)
			(*T) FromBytes(s *[32]byte) bool
			(*T) ToBytes(s *[32]byte)
			(*T) ToCached(r *CachedGroupElement)
			(*T) ToProjective(r *ProjectiveGroupElement)
			(*T) Zero()
		As Inputs Of (at least 7, in which 3 are exported)
			func GeDoubleScalarMultVartime(r *ProjectiveGroupElement, a *[32]byte, A *ExtendedGroupElement, b *[32]byte)
			func GeScalarMultBase(h *ExtendedGroupElement, a *[32]byte)
			func (*CompletedGroupElement).ToExtended(r *ExtendedGroupElement)
			/* 4+ unexporteds ... *//* 4+ unexporteds: */
			func geAdd(r *CompletedGroupElement, p *ExtendedGroupElement, q *CachedGroupElement)
			func geMixedAdd(r *CompletedGroupElement, p *ExtendedGroupElement, q *PreComputedGroupElement)
			func geMixedSub(r *CompletedGroupElement, p *ExtendedGroupElement, q *PreComputedGroupElement)
			func geSub(r *CompletedGroupElement, p *ExtendedGroupElement, q *CachedGroupElement)

	 type FieldElement ([...]T)
		FieldElement represents an element of the field GF(2^255 - 19).  An element
		t, entries t[0]...t[9], represents the integer t[0]+2^26 t[1]+2^51 t[2]+2^77
		t[3]+2^102 t[4]+...+2^230 t[9].  Bounds on each t[i] vary depending on
		context.

		As Inputs Of (at least 18, in which 16 are exported)
			func FeAdd(dst, a, b *FieldElement)
			func FeCMove(f, g *FieldElement, b int32)
			func FeCombine(h *FieldElement, h0, h1, h2, h3, h4, h5, h6, h7, h8, h9 int64)
			func FeCopy(dst, src *FieldElement)
			func FeFromBytes(dst *FieldElement, src *[32]byte)
			func FeInvert(out, z *FieldElement)
			func FeIsNegative(f *FieldElement) byte
			func FeIsNonZero(f *FieldElement) int32
			func FeMul(h, f, g *FieldElement)
			func FeNeg(h, f *FieldElement)
			func FeOne(fe *FieldElement)
			func FeSquare(h, f *FieldElement)
			func FeSquare2(h, f *FieldElement)
			func FeSub(dst, a, b *FieldElement)
			func FeToBytes(s *[32]byte, h *FieldElement)
			func FeZero(fe *FieldElement)
			/* 2+ unexporteds ... *//* 2+ unexporteds: */
			func fePow22523(out, z *FieldElement)
			func feSquare(f *FieldElement) (h0, h1, h2, h3, h4, h5, h6, h7, h8, h9 int64)
		As Types Of (total 5, in which 2 are exported)
			  var A
			  var SqrtM1
			/* 3 unexporteds ... *//* 3 unexporteds: */
			  var d
			  var d2
			  var zero

	 type PreComputedGroupElement (struct)

		Fields (total 3, none are exported)
			/* 3 unexporteds ... *//* 3 unexporteds: */
			xy2d FieldElement
			yMinusX FieldElement
			yPlusX FieldElement
		Methods (only one, which is exported)
			(*T) Zero()
		As Inputs Of (at least 4, in which 1 are exported)
			func PreComputedGroupElementCMove(t, u *PreComputedGroupElement, b int32)
			/* 3+ unexporteds ... *//* 3+ unexporteds: */
			func geMixedAdd(r *CompletedGroupElement, p *ExtendedGroupElement, q *PreComputedGroupElement)
			func geMixedSub(r *CompletedGroupElement, p *ExtendedGroupElement, q *PreComputedGroupElement)
			func selectPoint(t *PreComputedGroupElement, pos int32, b int32)

	 type ProjectiveGroupElement (struct)

		Fields (total 3, all are exported)
			X FieldElement
			Y FieldElement
			Z FieldElement
		Methods (total 3, all are exported)
			(*T) Double(r *CompletedGroupElement)
			(*T) ToBytes(s *[32]byte)
			(*T) Zero()
		As Inputs Of (at least 3, all are exported)
			func GeDoubleScalarMultVartime(r *ProjectiveGroupElement, a *[32]byte, A *ExtendedGroupElement, b *[32]byte)
			func (*CompletedGroupElement).ToProjective(r *ProjectiveGroupElement)
			func (*ExtendedGroupElement).ToProjective(r *ProjectiveGroupElement)


Package-Level Functions (total 34, in which 22 are exported)

	 func FeAdd(dst, a, b *FieldElement)
	 func FeCMove(f, g *FieldElement, b int32)
		Replace (f,g) with (g,g) if b == 1;
		replace (f,g) with (f,g) if b == 0.

		Preconditions: b in {0,1}.

	 func FeCombine(h *FieldElement, h0, h1, h2, h3, h4, h5, h6, h7, h8, h9 int64)
	 func FeCopy(dst, src *FieldElement)
	 func FeFromBytes(dst *FieldElement, src *[32]byte)
	 func FeInvert(out, z *FieldElement)
	 func FeIsNegative(f *FieldElement) byte
	 func FeIsNonZero(f *FieldElement) int32
	 func FeMul(h, f, g *FieldElement)
		FeMul calculates h = f * g
		Can overlap h with f or g.

		Preconditions:
		   |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
		   |g| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.

		Postconditions:
		   |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.

		Notes on implementation strategy:

		Using schoolbook multiplication.
		Karatsuba would save a little in some cost models.

		Most multiplications by 2 and 19 are 32-bit precomputations;
		cheaper than 64-bit postcomputations.

		There is one remaining multiplication by 19 in the carry chain;
		one *19 precomputation can be merged into this,
		but the resulting data flow is considerably less clean.

		There are 12 carries below.
		10 of them are 2-way parallelizable and vectorizable.
		Can get away with 11 carries, but then data flow is much deeper.

		With tighter constraints on inputs, can squeeze carries into int32.

	 func FeNeg(h, f *FieldElement)
		FeNeg sets h = -f

		Preconditions:
		   |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.

		Postconditions:
		   |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.

	 func FeOne(fe *FieldElement)
	 func FeSquare(h, f *FieldElement)
		FeSquare calculates h = f*f. Can overlap h with f.

		Preconditions:
		   |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.

		Postconditions:
		   |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.

	 func FeSquare2(h, f *FieldElement)
		FeSquare2 sets h = 2 * f * f

		Can overlap h with f.

		Preconditions:
		   |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.

		Postconditions:
		   |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
		See fe_mul.c for discussion of implementation strategy.

	 func FeSub(dst, a, b *FieldElement)
	 func FeToBytes(s *[32]byte, h *FieldElement)
		FeToBytes marshals h to s.
		Preconditions:
		  |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.

		Write p=2^255-19; q=floor(h/p).
		Basic claim: q = floor(2^(-255)(h + 19 2^(-25)h9 + 2^(-1))).

		Proof:
		  Have |h|<=p so |q|<=1 so |19^2 2^(-255) q|<1/4.
		  Also have |h-2^230 h9|<2^230 so |19 2^(-255)(h-2^230 h9)|<1/4.

		  Write y=2^(-1)-19^2 2^(-255)q-19 2^(-255)(h-2^230 h9).
		  Then 0<y<1.

		  Write r=h-pq.
		  Have 0<=r<=p-1=2^255-20.
		  Thus 0<=r+19(2^-255)r<r+19(2^-255)2^255<=2^255-1.

		  Write x=r+19(2^-255)r+y.
		  Then 0<x<2^255 so floor(2^(-255)x) = 0 so floor(q+2^(-255)x) = q.

		  Have q+2^(-255)x = 2^(-255)(h + 19 2^(-25) h9 + 2^(-1))
		  so floor(2^(-255)(h + 19 2^(-25) h9 + 2^(-1))) = q.

	 func FeZero(fe *FieldElement)
	 func GeDoubleScalarMultVartime(r *ProjectiveGroupElement, a *[32]byte, A *ExtendedGroupElement, b *[32]byte)
		GeDoubleScalarMultVartime sets r = a*A + b*B
		where a = a[0]+256*a[1]+...+256^31 a[31].
		and b = b[0]+256*b[1]+...+256^31 b[31].
		B is the Ed25519 base point (x,4/5) with x positive.

	 func GeScalarMultBase(h *ExtendedGroupElement, a *[32]byte)
		GeScalarMultBase computes h = a*B, where
		  a = a[0]+256*a[1]+...+256^31 a[31]
		  B is the Ed25519 base point (x,4/5) with x positive.

		Preconditions:
		  a[31] <= 127

	 func PreComputedGroupElementCMove(t, u *PreComputedGroupElement, b int32)
	 func ScMinimal(scalar *[32]byte) bool
		ScMinimal returns true if the given scalar is less than the order of the
		curve.

	 func ScMulAdd(s, a, b, c *[32]byte)
		Input:
		  a[0]+256*a[1]+...+256^31*a[31] = a
		  b[0]+256*b[1]+...+256^31*b[31] = b
		  c[0]+256*c[1]+...+256^31*c[31] = c

		Output:
		  s[0]+256*s[1]+...+256^31*s[31] = (ab+c) mod l
		  where l = 2^252 + 27742317777372353535851937790883648493.

	 func ScReduce(out *[32]byte, s *[64]byte)
		Input:
		  s[0]+256*s[1]+...+256^63*s[63] = s

		Output:
		  s[0]+256*s[1]+...+256^31*s[31] = s mod l
		  where l = 2^252 + 27742317777372353535851937790883648493.

	/* 12 unexporteds ... *//* 12 unexporteds: */
	 func equal(b, c int32) int32
		equal returns 1 if b == c and 0 otherwise, assuming that b and c are
		non-negative.

	 func fePow22523(out, z *FieldElement)
	 func feSquare(f *FieldElement) (h0, h1, h2, h3, h4, h5, h6, h7, h8, h9 int64)
	 func geAdd(r *CompletedGroupElement, p *ExtendedGroupElement, q *CachedGroupElement)
	 func geMixedAdd(r *CompletedGroupElement, p *ExtendedGroupElement, q *PreComputedGroupElement)
	 func geMixedSub(r *CompletedGroupElement, p *ExtendedGroupElement, q *PreComputedGroupElement)
	 func geSub(r *CompletedGroupElement, p *ExtendedGroupElement, q *CachedGroupElement)
	 func load3(in []byte) int64
	 func load4(in []byte) int64
	 func negative(b int32) int32
		negative returns 1 if b < 0 and 0 otherwise.

	 func selectPoint(t *PreComputedGroupElement, pos int32, b int32)
	 func slide(r *[256]int8, a *[32]byte)
Package-Level Variables (total 8, in which 2 are exported)

	  var A FieldElement
		A is a constant in the Montgomery-form of curve25519.

	  var SqrtM1 FieldElement
		SqrtM1 is the square-root of -1 in the field.

	/* 6 unexporteds ... *//* 6 unexporteds: */
	  var base [32][8]PreComputedGroupElement
		base contains precomputed multiples of the base-point. See the Ed25519 paper
		for a discussion about how these values are used.

	  var bi [8]PreComputedGroupElement
		bi contains precomputed multiples of the base-point. See the Ed25519 paper
		for a discussion about how these values are used.

	  var d FieldElement
		d is a constant in the Edwards curve equation.

	  var d2 FieldElement
		d2 is 2*d.

	  var order [4]uint64
		order is the order of Curve25519 in little-endian form.

	  var zero FieldElement

The pages are generated with Golds v0.3.2. (GOOS=linux GOARCH=amd64)
Golds is a Go 101 project developed by Tapir Liu.
PR and bug reports are welcome and can be submitted to the issue list.
Please follow @Go100and1 (reachable from the left QR code) to get the latest news of Golds.