ed448_shake256

package
v0.1.5-alpha
Published: Dec 27, 2025 License: Apache-2.0 Imports: 7 Imported by: 0

Documentation

Overview

Package ed448_shake256 implements the FROST(Ed448, SHAKE256) ciphersuite.

This ciphersuite uses Ed448 for the prime-order group and SHAKE256 for all hash functions. It implements RFC 9591 Section 6.3.

Context string: "FROST-ED448-SHAKE256-v1"

CRITICAL DIFFERENCE from other ciphersuites: SHAKE256 is an extendable-output function (XOF), not a fixed-output hash. We use SHAKE256 to generate variable-length output as needed.

Per RFC 9591 Section 6.3, H2 uses the prefix "SigEd448" || 0x00 || 0x00 for compatibility with RFC 8032 Ed448 signatures. This differs from Ed25519, which uses no prefix at all.

The ciphersuite provides five domain-separated hash functions:

- H1: Used for binding factor computation (domain: "rho")
- H2: Used for challenge computation (prefix: "SigEd448" || 0x00 || 0x00)
- H3: Used for nonce generation (domain: "nonce")
- H4: Used for message hashing (domain: "msg")
- H5: Used for commitment list hashing (domain: "com")

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Ed448SHAKE256

type Ed448SHAKE256 struct {
	// contains filtered or unexported fields
}

Ed448SHAKE256 implements the FROST(Ed448, SHAKE256) ciphersuite.

func New

func New() *Ed448SHAKE256

New creates a new Ed448SHAKE256 ciphersuite instance.

func (*Ed448SHAKE256) ContextString

func (cs *Ed448SHAKE256) ContextString() string

ContextString returns the domain separation context string.

func (*Ed448SHAKE256) Group

func (cs *Ed448SHAKE256) Group() group.Group

Group returns the Ed448 group implementation.

func (*Ed448SHAKE256) H1

func (cs *Ed448SHAKE256) H1(data []byte) group.Scalar

H1 is a domain-separated hash-to-scalar function for binding factor computation. Implements: SHAKE256(contextString || "rho" || data) -> Scalar

func (*Ed448SHAKE256) H2

func (cs *Ed448SHAKE256) H2(data []byte) group.Scalar

H2 is a hash-to-scalar function for challenge computation. Per RFC 9591 Section 6.3, H2 uses the Ed448 signature prefix for RFC 8032 compatibility. Implements: SHAKE256("SigEd448" || 0x00 || 0x00 || data) -> Scalar

func (*Ed448SHAKE256) H3

func (cs *Ed448SHAKE256) H3(data []byte) group.Scalar

H3 is a domain-separated hash-to-scalar function for nonce generation. Implements: SHAKE256(contextString || "nonce" || data) -> Scalar

func (*Ed448SHAKE256) H4

func (cs *Ed448SHAKE256) H4(msg []byte) []byte

H4 is a domain-separated hash function for message hashing. Implements: SHAKE256(contextString || "msg" || msg) -> bytes

func (*Ed448SHAKE256) H5

func (cs *Ed448SHAKE256) H5(data []byte) []byte

H5 is a domain-separated hash function for commitment list hashing. Implements: SHAKE256(contextString || "com" || data) -> bytes

func (*Ed448SHAKE256) HDKG

func (cs *Ed448SHAKE256) HDKG(data []byte) group.Scalar

HDKG is a domain-separated hash-to-scalar function for DKG operations. Used for computing challenges in the Schnorr proof of knowledge during DKG. Implements: SHAKE256(contextString || "dkg" || data) -> Scalar

func (*Ed448SHAKE256) HID

func (cs *Ed448SHAKE256) HID(data []byte) group.Scalar

HID is a domain-separated hash-to-scalar function for identifier derivation. Used to derive participant identifiers from arbitrary byte strings. Implements: SHAKE256(contextString || "id" || data) -> Scalar

func (*Ed448SHAKE256) Hash

func (cs *Ed448SHAKE256) Hash(data []byte) []byte

Hash computes the SHAKE256 hash of the input data with a fixed output length. For general hashing, the output length is 114 bytes (2x the 57-byte scalar size, so that reduction modulo the group order is a wide, unbiased reduction).

func (*Ed448SHAKE256) HashToCurve

func (cs *Ed448SHAKE256) HashToCurve(data []byte) (group.Element, error)

HashToCurve maps arbitrary byte strings to group elements. It uses a hash-and-increment approach for edwards448: the input is hashed and the digest is decoded as a point; if decoding fails, a counter is incremented and the attempt is repeated until a valid point is found. Because the number of attempts depends on the input, this loop does not run in constant time.

func (*Ed448SHAKE256) ID

func (cs *Ed448SHAKE256) ID() string

ID returns the unique identifier for this ciphersuite.

func (*Ed448SHAKE256) Name

func (cs *Ed448SHAKE256) Name() string

Name returns a human-readable name for this ciphersuite.

func (*Ed448SHAKE256) VerifySignature

func (cs *Ed448SHAKE256) VerifySignature(message []byte, signature []byte, publicKey group.Element) error

VerifySignature verifies a FROST signature against a message and public key. Implements Schnorr signature verification for Ed448.

Signature format: R (57 bytes) || z (57 bytes)

Verification equation: z * G == R + c * PK, where c = H2(R || PK || msg)
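As an added reference (not the package's own Go code), the hash constructions H1 through H5 listed in the Overview and the challenge used by VerifySignature, written against Python's standard-library SHAKE256 so the outputs of a Go implementation can be cross-checked. It assumes the RFC 8032 little-endian reading of the 114-byte digest and the base-point order L from RFC 8032; is_canonical_scalar and parse_signature are illustrative helpers, not package API.

```python
import hashlib

CONTEXT_STRING = b"FROST-ED448-SHAKE256-v1"
# Prime order L of the Ed448 base point, from RFC 8032 Section 5.2 (assumed, not on this page).
L = 2**446 - 13818066809895115352007386748515426880336692474882178609894547503885
SCALAR_LEN = 57            # encoded scalar size used on this page (R and z are 57 bytes each)
WIDE_LEN = 2 * SCALAR_LEN  # 114-byte output used for wide reduction

def shake256(data: bytes, length: int = WIDE_LEN) -> bytes:
    """SHAKE256 is an XOF, so the caller must choose the output length."""
    return hashlib.shake_256(data).digest(length)

def hash_to_scalar(data: bytes) -> int:
    """114-byte digest, read little-endian (RFC 8032 convention), reduced mod L."""
    return int.from_bytes(shake256(data), "little") % L

def H1(data: bytes) -> int:    # binding factor ("rho")
    return hash_to_scalar(CONTEXT_STRING + b"rho" + data)

def H2(data: bytes) -> int:    # challenge; RFC 8032 Ed448 prefix, no context string
    return hash_to_scalar(b"SigEd448" + b"\x00\x00" + data)

def H3(data: bytes) -> int:    # nonce
    return hash_to_scalar(CONTEXT_STRING + b"nonce" + data)

def H4(msg: bytes) -> bytes:   # message hash, raw bytes
    return shake256(CONTEXT_STRING + b"msg" + msg)

def H5(data: bytes) -> bytes:  # commitment list hash, raw bytes
    return shake256(CONTEXT_STRING + b"com" + data)

def is_canonical_scalar(enc: bytes) -> bool:
    """True if the 57-byte little-endian encoding is already reduced (value < L)."""
    return len(enc) == SCALAR_LEN and int.from_bytes(enc, "little") < L

def parse_signature(sig: bytes) -> tuple[bytes, int]:
    """Split R (57 bytes) || z (57 bytes) and reject a non-canonical z, so a
    verifier never accepts two different encodings of the same signature."""
    if len(sig) != 2 * SCALAR_LEN:
        raise ValueError("signature must be 114 bytes")
    R, z_enc = sig[:SCALAR_LEN], sig[SCALAR_LEN:]
    if not is_canonical_scalar(z_enc):
        raise ValueError("non-canonical scalar z")
    return R, int.from_bytes(z_enc, "little")

def challenge(R: bytes, PK: bytes, msg: bytes) -> int:
    """c = H2(R || PK || msg), the challenge in z * G == R + c * PK."""
    return H2(R + PK + msg)
```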
