Lib.rs

Cryptography
#ed448-goldilocks #decaf #x448 #ed448 #elliptic-curve

no-std cx448

A pure-Rust implementation of Ed448 and Curve448 and Decaf. This crate also includes signing and verifying of Ed448 signatures, and x448

Owned by Friedel Ziegelmayer.

2 releases

new 0.1.1 Apr 10, 2025
0.1.0 Apr 10, 2025

#840 in Cryptography

Download history 1026/week @ 2025-04-08

1,026 downloads per month

BSD-3-Clause

260KB
5.5K SLoC

cx448

Implementation of ed448, curve448 and x448.

Note This code is based on

ported to the current stable releases of the rustcrypto ecoysystem. Once upstream updates have landed it will be retired again.

THIS CODE HAS NOT BEEN AUDITED OR REVIEWED. USE AT YOUR OWN RISK.

Field Choice

The field size is a Solinas trinomial prime 2^448 - 2^224 -1. This prime is called the Goldilocks prime.

Curves

This repository implements three curves explicitly and another curve implicitly.

The three explicitly implemented curves are:

  • Ed448-Goldilocks
  • Curve448
  • Twisted-Goldilocks

lib.rs:

This crate provides a pure Rust implementation of Curve448, Edwards, Decaf, and Ristretto. It is intended to be portable, fast, and safe.

Usage

use cx448::{EdwardsPoint, CompressedEdwardsY, Scalar, elliptic_curve::hash2curve::ExpandMsgXof, sha3::Shake256};
use elliptic_curve::Field;
use rand_core::OsRng;

let secret_key = Scalar::TWO;
let public_key = EdwardsPoint::GENERATOR * &secret_key;

assert_eq!(public_key, EdwardsPoint::GENERATOR + EdwardsPoint::GENERATOR);

let secret_key = Scalar::random(&mut OsRng);
let public_key = EdwardsPoint::GENERATOR * &secret_key;
let compressed_public_key = public_key.compress();

assert_eq!(compressed_public_key.to_bytes().len(), 57);

let hashed_scalar = Scalar::hash::<ExpandMsgXof<Shake256>>(b"test", b"edwards448_XOF:SHAKE256_ELL2_RO_");
let input = hex_literal::hex!("c8c6c8f584e0c25efdb6af5ad234583c56dedd7c33e0c893468e96740fa0cf7f1a560667da40b7bde340a39252e89262fcf707d1180fd43400");
let expected_scalar = Scalar::from_canonical_bytes(&input.into()).unwrap();
assert_eq!(hashed_scalar, expected_scalar);

let hashed_point = EdwardsPoint::hash::<ExpandMsgXof<Shake256>>(b"test", b"edwards448_XOF:SHAKE256_ELL2_RO_");
let expected = hex_literal::hex!("d15c4427b5c5611a53593c2be611fd3635b90272d331c7e6721ad3735e95dd8b9821f8e4e27501ce01aa3c913114052dce2e91e8ca050f4980");
let expected_point = CompressedEdwardsY(expected).decompress().unwrap();
assert_eq!(hashed_point, expected_point);

let hashed_point = EdwardsPoint::hash_with_defaults(b"test");
assert_eq!(hashed_point, expected_point);

EdwardsPoint implements the elliptic_curve::Group and elliptic_curve::group::GroupEncoding and Scalar implements elliptic_curve::Field and elliptic_curve::PrimeField traits.

Dependencies

~5.5MB
~106K SLoC