The Edwards25519 curve has a mapping of \(−x^2 + y^2 = 1 − (121665/121666) \times x^2 \times y^2\). It has a base point of \(G\), and which is equal to \((x, 4/5)\). In a hexadecimal form, the base point is defined by 5866666666666666 ... 666666666666666666666666. In this case Alice creates \(A=aG\) and then hides this value using a secret value of \(b\), so that we get \(B=abG\). Bob then calculates \(b^{-1} \pmod n\) and can then determine \(Q=b^{-1} a b G = aG\). We define \(a\) and \(b\) as scalar values, while \(A\), \(B\) and \(Q\) are points on the elliptic curves. In this case we will use the Curve25519 Dalek library.
Inverse scalar with Ed25519 using Rust |
secp256k1
Alice wants to send Bob a secret value of \(aG \pmod p\). Alice initially create a secret value of \(b\), and then sends:
\(A= aG \)
Alice then takes the value of \(b\) creates:
\(B=baG\)
When Bob received this, he calculates \(b^{-1} \pmod n\) to give:
\(K_{inv}= b^{-1} baG = aG\)
Bob now knows \(aG\) and is a shared secret with Alice. So here is a basic Rust program to implement:
extern crate curve25519_dalek; extern crate rand_core; use crypto::sha2::Sha256; use curve25519_dalek::constants; use curve25519_dalek::ristretto::{RistrettoPoint, RistrettoBasepointTable}; use curve25519_dalek::scalar::Scalar; use curve25519_dalek::edwards; use std::env; use rand_core::OsRng; extern crate sha2; use sha2::Sha512; fn main() { // Base point let G = &constants::ED25519_BASEPOINT_POINT; let a = Scalar::random(&mut OsRng); let b = Scalar::random(&mut OsRng); let A=a*G; let B=b*A; let kinv=b.invert(); let Q=kinv*B; println!("--- Edwards Ed25519 Curve ---"); println!("G={:}",hex::encode(G.compress().to_bytes())); println!("a={:}",hex::encode(a.to_bytes())); println!("A=aG={:}",hex::encode(A.compress().to_bytes())); println!("\nb={:}",hex::encode(b.to_bytes())); println!("B=kA={:}",hex::encode(B.compress().to_bytes())); println!("\nk^(-1)={:}",hex::encode(kinv.to_bytes())); println!("\nQ=k^(-1)B={:}",hex::encode(Q.compress().to_bytes())); }
A sample run is:
--- Edwards Curve --- G=5866666666666666666666666666666666666666666666666666666666666666 a=23d535d788457dfd89061b12338928076e6f41acfc090190ba69b1069d65fa05 A=aG=f91c0d61ea5bba324496accf6a1c0534b5cfef7ade3b799ba5171942b248c187 b=8d6590c848d06dc90adc4907cb0a20a8bad0f6c70798dc627b155d7fc1fc7f0c B=kA=215d591b02645a1b35332603d27bf1cb953872df6f72bc9934331baac7b3e031 k^(-1)=dd1db84f16d764d0b647d12bb4c3075584422a6279cef47c10db701494c9ad03 Q=k^(-1)B=f91c0d61ea5bba324496accf6a1c0534b5cfef7ade3b799ba5171942b248c187