common

package
v3.0.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Apr 9, 2026 License: MIT Imports: 19 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source
var ErrGeneratorCancelled = fmt.Errorf("generator work cancelled")

ErrGeneratorCancelled is an error returned from GetRandomSafePrimesConcurrent when the work of the generator has been cancelled as a result of the context being done (cancellation or timeout).

View Source
var File_protob_signature_proto protoreflect.FileDescriptor
View Source
var Logger = log.Logger("tss-lib")

Functions

func AppendBigIntToBytesSlice

func AppendBigIntToBytesSlice(commonBytes []byte, appended *big.Int) []byte

func BigIntsToBytes

func BigIntsToBytes(bigInts []*big.Int) [][]byte

func ConstantTimeCompare

func ConstantTimeCompare(a, b *big.Int, padLen int) int

ConstantTimeCompare compares two big.Int values in constant time. Both values are padded to padLen bytes before comparison to avoid leaking relative magnitude. If padLen is 0, the maximum of the two byte lengths is used.

func DisableConstantTimeOps

func DisableConstantTimeOps()

DisableConstantTimeOps disables constant-time operations (default).

func EnableConstantTimeOps

func EnableConstantTimeOps()

EnableConstantTimeOps enables constant-time cryptographic operations. Call this at application startup if timing side-channel protection is required.

func GetRandomBytes

func GetRandomBytes(rand io.Reader, length int) ([]byte, error)

GetRandomBytes returns random bytes of length.

func GetRandomGeneratorOfTheQuadraticResidue

func GetRandomGeneratorOfTheQuadraticResidue(rand io.Reader, n *big.Int) *big.Int
Return a random generator of RQn with high probability.
THIS METHOD ONLY WORKS IF N IS THE PRODUCT OF TWO SAFE PRIMES!

https://github.com/didiercrunch/paillier/blob/d03e8850a8e4c53d04e8016a2ce8762af3278b71/utils.go#L39

func GetRandomPositiveInt

func GetRandomPositiveInt(rand io.Reader, lessThan *big.Int) *big.Int

func GetRandomPositiveRelativelyPrimeInt

func GetRandomPositiveRelativelyPrimeInt(rand io.Reader, n *big.Int) *big.Int

Generate a random element in the group of all the elements in Z/nZ that has a multiplicative inverse.

func GetRandomPrimeInt

func GetRandomPrimeInt(rand io.Reader, bits int) *big.Int

func GetRandomQuadraticNonResidue

func GetRandomQuadraticNonResidue(rand io.Reader, n *big.Int) *big.Int

GetRandomQuadraticNonResidue returns a quadratic non residue of odd n.

func IsConstantTimeEnabled

func IsConstantTimeEnabled() bool

IsConstantTimeEnabled returns true if constant-time operations are enabled.

func IsInInterval

func IsInInterval(b *big.Int, bound *big.Int) bool

func IsNumberInMultiplicativeGroup

func IsNumberInMultiplicativeGroup(n, v *big.Int) bool

func ModInt

func ModInt(mod *big.Int) *modInt

func MultiBytesToBigInts

func MultiBytesToBigInts(bytes [][]byte) []*big.Int

func MustGetRandomInt

func MustGetRandomInt(rand io.Reader, bits int) *big.Int

MustGetRandomInt panics if it is unable to gather entropy from `io.Reader` or when `bits` is <= 0

func NonEmptyBytes

func NonEmptyBytes(bz []byte) bool

Returns true when the byte slice is non-nil and non-empty

func NonEmptyMultiBytes

func NonEmptyMultiBytes(bzs [][]byte, expectLen ...int) bool

Returns true when all of the slices in the multi-dimensional byte slice are non-nil and non-empty

func PadToLengthBytesInPlace

func PadToLengthBytesInPlace(src []byte, length int) []byte

PadToLengthBytesInPlace pad {0, ...} to the front of src if len(src) < length output length is equal to the parameter length

func RejectionSample

func RejectionSample(q *big.Int, eHash *big.Int) *big.Int

RejectionSample implements the rejection sampling logic for converting a SHA512/256 hash to a value between 0-q

func SHA512_256

func SHA512_256(in ...[]byte) []byte

SHA-512/256 is protected against length extension attacks and is more performant than SHA-256 on 64-bit architectures. https://en.wikipedia.org/wiki/Template:Comparison_of_SHA_functions

func SHA512_256i

func SHA512_256i(in ...*big.Int) *big.Int

func SHA512_256iOne

func SHA512_256iOne(in *big.Int) *big.Int

func SHA512_256i_TAGGED

func SHA512_256i_TAGGED(tag []byte, in ...*big.Int) *big.Int

SHA512_256i_TAGGED tagged version of SHA512_256i

Types

type CTModInt

type CTModInt struct {
	// contains filtered or unexported fields
}

CTModInt provides constant-time modular arithmetic using filippo.io/bigmod. This is the recommended implementation as bigmod is: 1. Maintained by the Go crypto team lead (Filippo Valsorda) 2. The same code used internally by crypto/rsa and crypto/ecdsa 3. Highly optimized with architecture-specific assembly

func NewCTModInt

func NewCTModInt(mod *big.Int) *CTModInt

NewCTModInt creates a constant-time modular context using bigmod. Note: bigmod requires odd modulus for Exp operations.

func NewCTModIntWithPhi

func NewCTModIntWithPhi(mod, phiN *big.Int) *CTModInt

NewCTModIntWithPhi creates a constant-time modular context for composite moduli. This is required for correct ModInverse on composite moduli where phi(n) is known. For RSA-like moduli n = p*q, pass phiN = (p-1)*(q-1).

func (*CTModInt) ExpCT

func (ct *CTModInt) ExpCT(base, exp *big.Int) *big.Int

ExpCT performs constant-time modular exponentiation using bigmod. IMPORTANT: The modulus must be odd. Negative exponents are not supported and will panic.

func (*CTModInt) Mod

func (ct *CTModInt) Mod() *big.Int

Mod returns the modulus as a big.Int.

func (*CTModInt) ModInverseCT

func (ct *CTModInt) ModInverseCT(a *big.Int) *big.Int

ModInverseCT computes the modular inverse in constant time using Fermat's little theorem. For a prime modulus p: a^(-1) = a^(p-2) mod p For a non-prime modulus n with known phi(n): a^(-1) = a^(phi(n)-1) mod n SECURITY: This uses constant-time Exp, making the entire operation constant-time. Note: The modulus should be prime for this to work correctly. For composite moduli, use NewCTModIntWithPhi to provide phi(n).

func (*CTModInt) MulCT

func (ct *CTModInt) MulCT(x, y *big.Int) *big.Int

MulCT performs constant-time modular multiplication using bigmod.

type GermainSafePrime

type GermainSafePrime struct {
	// contains filtered or unexported fields
}

func GetRandomSafePrimesConcurrent

func GetRandomSafePrimesConcurrent(ctx context.Context, bitLen, numPrimes int, concurrency int, rand io.Reader) ([]*GermainSafePrime, error)

GetRandomSafePrimesConcurrent tries to find safe primes concurrently. The returned results are safe primes `p` and prime `q` such that `p=2q+1`. Concurrency level can be controlled with the `concurrencyLevel` parameter. If a safe prime could not be found before the context is done, the error is returned. Also, if at least one search process failed, error is returned as well.

How fast we generate a prime number is mostly a matter of luck and it depends on how lucky we are with drawing the first bytes. With today's multi-core processors, we can execute the process on multiple cores concurrently, accept the first valid result and cancel the rest of work. This way, with the same finding algorithm, we can get the result faster.

Concurrency level should be set depending on what `bitLen` of prime is expected. For example, as of today, on a typical workstation, for 512-bit safe prime, `concurrencyLevel` should be set to `1` as generating the prime of this length is a matter of milliseconds for a single core. For 1024-bit safe prime, `concurrencyLevel` should be usually set to at least `2` and for 2048-bit safe prime, `concurrencyLevel` must be set to at least `4` to get the result in a reasonable time.

This function generates safe primes of at least 6 `bitLen`. For every generated safe prime, the two most significant bits are always set to `1` - we don't want the generated number to be too small.

func (*GermainSafePrime) Prime

func (sgp *GermainSafePrime) Prime() *big.Int

func (*GermainSafePrime) SafePrime

func (sgp *GermainSafePrime) SafePrime() *big.Int

func (*GermainSafePrime) Validate

func (sgp *GermainSafePrime) Validate() bool

type SignatureData

type SignatureData struct {
	Signature []byte `protobuf:"bytes,1,opt,name=signature,proto3" json:"signature,omitempty"`
	// Ethereum-style recovery byte; only the first byte is relevant
	SignatureRecovery []byte `protobuf:"bytes,2,opt,name=signature_recovery,json=signatureRecovery,proto3" json:"signature_recovery,omitempty"`
	// Signature components R, S
	R []byte `protobuf:"bytes,3,opt,name=r,proto3" json:"r,omitempty"`
	S []byte `protobuf:"bytes,4,opt,name=s,proto3" json:"s,omitempty"`
	// M represents the original message digest that was signed M
	M []byte `protobuf:"bytes,5,opt,name=m,proto3" json:"m,omitempty"`
	// contains filtered or unexported fields
}

Container for output signatures, mostly used for marshalling this data structure to a mobile app

func (*SignatureData) Descriptor deprecated

func (*SignatureData) Descriptor() ([]byte, []int)

Deprecated: Use SignatureData.ProtoReflect.Descriptor instead.

func (*SignatureData) GetM

func (x *SignatureData) GetM() []byte

func (*SignatureData) GetR

func (x *SignatureData) GetR() []byte

func (*SignatureData) GetS

func (x *SignatureData) GetS() []byte

func (*SignatureData) GetSignature

func (x *SignatureData) GetSignature() []byte

func (*SignatureData) GetSignatureRecovery

func (x *SignatureData) GetSignatureRecovery() []byte

func (*SignatureData) ProtoMessage

func (*SignatureData) ProtoMessage()

func (*SignatureData) ProtoReflect

func (x *SignatureData) ProtoReflect() protoreflect.Message

func (*SignatureData) Reset

func (x *SignatureData) Reset()

func (*SignatureData) String

func (x *SignatureData) String() string

type TimingProtection

type TimingProtection struct {
	// contains filtered or unexported fields
}

TimingProtection provides response time normalization to prevent timing attacks.

func NewTimingProtection

func NewTimingProtection(targetDuration, jitterRange time.Duration) *TimingProtection

NewTimingProtection creates a TimingProtection with custom parameters. targetDuration is the minimum padded duration for every operation. jitterRange adds a random delay on top of targetDuration to prevent fingerprinting the fixed padding boundary.

func (*TimingProtection) ProtectBigInt

func (tp *TimingProtection) ProtectBigInt(fn func() (*big.Int, error)) (*big.Int, error)

ProtectBigInt wraps a function that returns *big.Int with timing normalization. The total execution time is always >= targetDuration + a random jitter, regardless of how long the actual operation takes.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL