(*****************************************************************************)
(*                                                                           *)
(* MIT License                                                               *)
(* Copyright (c) 2023 Nomadic Labs <contact@nomadic-labs.com>                *)
(*                                                                           *)
(* Permission is hereby granted, free of charge, to any person obtaining a   *)
(* copy of this software and associated documentation files (the "Software"),*)
(* to deal in the Software without restriction, including without limitation *)
(* the rights to use, copy, modify, merge, publish, distribute, sublicense,  *)
(* and/or sell copies of the Software, and to permit persons to whom the     *)
(* Software is furnished to do so, subject to the following conditions:      *)
(*                                                                           *)
(* The above copyright notice and this permission notice shall be included   *)
(* in all copies or substantial portions of the Software.                    *)
(*                                                                           *)
(* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR*)
(* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,  *)
(* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL   *)
(* THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER*)
(* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING   *)
(* FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER       *)
(* DEALINGS IN THE SOFTWARE.                                                 *)
(*                                                                           *)
(*****************************************************************************)

open Lang_core
open Lang_stdlib

module type S = sig
  module L : LIB

  open L

  (** Represents a point on the curve in affine coordinates *)
  type point = scalar * scalar

  (** Returns a Plompiler representation of a point *)
  val input_point : ?kind:input_kind -> S.t * S.t -> point repr t

  (** [is_on_curve p] checks whether a point [p] is on the curve *)
  val is_on_curve : point repr -> bool repr t

  (** [assert_is_on_curve p] asserts that a point [p] is on the curve *)
  val assert_is_on_curve : point repr -> unit repr t

  (** [from_coordinates x y] constructs a point [p = (x, y)] from coordinates
      [x] and [y]. The function also checks whether the point is on the curve
      (but not necessarily in the subgroup) *)
  val from_coordinates : scalar repr -> scalar repr -> point repr t

  (** [unsafe_from_coordinates x y] is similar to {!from_coordinates} but
      does not verify that the point is on the curve. It can be used to build
      a variable of type [point] without adding any constraint *)
  val unsafe_from_coordinates : scalar repr -> scalar repr -> point repr t

  (** [get_x_coordinate p] returns the first coordinate [x] of a point [p] *)
  val get_x_coordinate : point repr -> scalar repr

  (** [get_y_coordinate p] returns the second coordinate [y] of a point [p] *)
  val get_y_coordinate : point repr -> scalar repr

  (** [add p q] computes the point addition [p + q] *)
  val add : point repr -> point repr -> point repr t

  (** [double p] computes the point doubling [p + p] *)
  val double : point repr -> point repr t

  (** [scalar_mul s p] computes the multiplication of a point [p] by a
      scalar [s]. The scalar [s] is encoded in little-endian order *)
  val scalar_mul : bool list repr -> point repr -> point repr t

  (** Returns the order of the prime-order subgroup of the elliptic curve group *)
  val scalar_order : Z.t

  (** Returns the prime number defining the underlying field *)
  val base_order : Z.t
end

module type S_Edwards = sig
  include S

  open L

  (** Returns the point at infinity of the curve (additive identity) *)
  val id : S.t * S.t

  (** [cond_add p q b] returns [p + b * q], i.e., either the point addition
      of [p] and [q] or the point [p], depending on the value [b] *)
  val cond_add : point repr -> point repr -> bool repr -> point repr t

  (** [multi_scalar_mul ls lp] computes the multi-scalar multiplication
      [s₁·p₁ + s₂·p₂ + … + sₖ·pₖ] *)
  val multi_scalar_mul :
    bool list list repr -> point list repr -> point repr t
end

module type WEIERSTRASS = functor (L : LIB) -> S with module L = L

module type EDWARDS = functor (L : LIB) -> S_Edwards with module L = L
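
The doc comment on `from_coordinates` says the point is checked to be on the curve but not necessarily in the subgroup. The block below is an added example in plain Python, not part of this file or of the Plompiler code base, showing what that gap means on a toy Edwards curve with a little-endian `scalar_mul`. The curve parameters are constructed for illustration, and `to_bits_le`, `in_subgroup`, `clear_cofactor` and `from_coordinates_in_subgroup` are hypothetical helpers, not functions of the interface.

```python
# Toy Edwards curve x^2 + y^2 = 1 + D*x^2*y^2 over F_P (constructed parameters,
# far too small for real use). The group has 12 points: cofactor 4, prime order 3.
P, D = 13, 6
SCALAR_ORDER, COFACTOR = 3, 4
ID = (0, 1)  # additive identity, the role of `id` in S_Edwards

def is_on_curve(pt):
    x, y = pt
    return (x * x + y * y - 1 - D * x * x * y * y) % P == 0

def add(p, q):
    """Complete Edwards addition (D is a non-square mod P, so no zero divisor)."""
    (x1, y1), (x2, y2) = p, q
    t = D * x1 * x2 * y1 * y2 % P
    x3 = (x1 * y2 + y1 * x2) * pow(1 + t, -1, P) % P
    y3 = (y1 * y2 - x1 * x2) * pow(1 - t, -1, P) % P
    return (x3, y3)

def to_bits_le(n, width):
    """Little-endian bit list, the scalar encoding scalar_mul expects."""
    return [bool((n >> i) & 1) for i in range(width)]

def scalar_mul(bits_le, p):
    """Double-and-add over little-endian bits; each step is acc + b * base."""
    acc, base = ID, p
    for b in bits_le:
        acc = add(acc, base) if b else acc
        base = add(base, base)
    return acc

def in_subgroup(p):
    """A point is in the prime-order subgroup iff SCALAR_ORDER * p is the identity."""
    bits = to_bits_le(SCALAR_ORDER, SCALAR_ORDER.bit_length())
    return is_on_curve(p) and scalar_mul(bits, p) == ID

def clear_cofactor(p):
    """Multiplying by the cofactor maps any curve point into the subgroup."""
    return scalar_mul(to_bits_le(COFACTOR, COFACTOR.bit_length()), p)

def from_coordinates(x, y):
    """On-curve check only, mirroring the contract documented above."""
    if not is_on_curve((x, y)):
        raise ValueError("point is not on the curve")
    return (x, y)

def from_coordinates_in_subgroup(x, y):
    """Hypothetical stricter constructor: also rejects points outside the subgroup."""
    p = from_coordinates(x, y)
    if not in_subgroup(p):
        raise ValueError("point is not in the prime-order subgroup")
    return p
```

Here `(5, 2)` passes `from_coordinates` yet has order 12, so a protocol that needs subgroup membership has to add the order check or clear the cofactor itself.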