add two points together.

compute a*G + b*B.

addKeys3aAbB = a*A + b*B where a, b are scalars, A, B are curve pointsB must be input after applying "precomp".

addKeys3_3 this is similiar to addkeys3 except it allows for use of precomputed A,BaAbB = a*A + b*B where a, b are scalars, A, B are curve pointsA,B must be input after applying "precomp".

BuildMerkleTreeStore creates a merkle tree from a slice of transaction hashes or tips hashes, stores it using a linear array, and returns a slice of the backing array.

does output = s1*A + s2*B using precomputed tables for A and B providing scalars in wrong order will give wrong results bases are as they were provide in the order tables must have been prepared using GenDoublePrecompute.

does output = s1*A + s2*B using precomputed tables for A and B providing scalars in wrong order will give wrong results bases are as they were provide in the order tables must have been prepared using GenDoublePrecompute this multiplies 64 double scalars and is used for bulletproofs.

FeAdd sets out = a + b.

go:noescape FeMul calculates out = a * b.

FeNeg sets out = -a.

go:noescape FeSquare calculates out = a * a.

FeSquare2 calculates out = 2 * a * a.

FeSub sets out = a - b.

exported version for ringct.

sets r = a*A + b*B where Bi is the [8]CachedGroupElement consisting of B,3B,5B,7B,9B,11B,13B,15B.

sets r = a*A + b*B where Bi is the [8]CachedGroupElement consisting of B,3B,5B,7B,9B,11B,13B,15B.

sets r = a*A + b*G this is an optimised version, unoptimised version is 4 lines below.

r = 16 * t.

r = 8 * t.

this table can be used for double scalar, double base multiplication only if the bases are fixed and scalars change.

NewKeyImage creates a new KeyImage from the given public and private keys.

precompuate table of the form A,2A,4A,8A,16A.....2^255A se gemul8 pre compute table size in bytes 256 * 4 field elemets * 5 limbs * 8 bytes.

this generates a very large 32*256 cached elements table roughly 1.28 MB.

caches s into an array of CachedGroupElements for scalar multiplication later.

GeScalarMult computes h = a*A, where a = a[0]+256*a[1]+...+256^31 a[31] A is a point on the curve Preconditions: a[31] <= 127.

GeScalarMultBase computes h = a*B, where a = a[0]+256*a[1]+...+256^31 a[31] B is the Ed25519 base point (x,4/5) with x positive.

it finds the highest bit that is high remember the scalar is stored in little Endian.

convert a hash of hex form to binary form, returns a zero hash if any error TODO this should be in crypto.

HashMerkleBranches takes two hashes, treated as the left and right tree nodes, and returns the hash of their concatenation.

convert a hex string to a key.

quick keccak wrapper.

generate tables of the form, first element is identity 0,A,2A,3A........255A.

generate a new private-public key pair.

RandomPubKey takes a random scalar, interprets it as a point on the curve remember the low order bug and do more auditing of the entire thing.

this uses random number generator from the OS.

zero fill the key.

equivalent to sc_check.

multiply a scalar by H (second curve point of Pedersen Commitment).

does a * P where a is a scalar and P is an arbitrary point.

fastest Fixed based multiplicatipnn in 7.5 microseconds.

copied from above and modifiedInput: a[0]+256*a[1]+...+256^31*a[31] = a b[0]+256*b[1]+...+256^31*b[31] = b Output: s[0]+256*s[1]+...+256^31*s[31] = (ab) mod l where l = 2^252 + 27742317777372353535851937790883648493.

Input: a[0]+256*a[1]+...+256^31*a[31] = a b[0]+256*b[1]+...+256^31*b[31] = b c[0]+256*c[1]+...+256^31*c[31] = c Output: s[0]+256*s[1]+...+256^31*s[31] = (ab+c) mod l where l = 2^252 + 27742317777372353535851937790883648493.

Input: a[0]+256*a[1]+...+256^31*a[31] = a b[0]+256*b[1]+...+256^31*b[31] = b c[0]+256*c[1]+...+256^31*c[31] = c Output: s[0]+256*s[1]+...+256^31*s[31] = (c-ab) mod l where l = 2^252 + 27742317777372353535851937790883648493.

Input: s[0]+256*s[1]+...+256^63*s[63] = s Output: s[0]+256*s[1]+...+256^31*s[31] = s mod l where l = 2^252 + 27742317777372353535851937790883648493.

quick scrypt wrapper.

subtract two points A - B.

for addresses.

basepoint of curve basically Gvar GBASE = ScalarmultBase(*(d2h(1))).

filled in below.

The other basepoint for use in Pedersen Commitments, which is used for Confidential Transactions H = G.HashToEC(), where G is the basepoint basically H = toPoint(cn_fast_hash(G)).

this is the curve order of ed25519.

Zero, Identity and L.

FieldElement represents an element of the field GF(2^255-19).

FieldElement32 represents an element of the field GF(2^255 - 19).

FieldElement64 represents an element of the field GF(2^255-19).

Key can be a Scalar or a Point.

table types.