jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
195 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: 40b1f8b85e
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '40b1f8b85e'
${ noResults }
ed448goldilocks/aux/decaffeinate_curve25519.sage

129 lines
2.6 KiB
Raw Blame History 

  1. # This is as sketch of how to decaffeinate Curve25519

  2. 

  3. F = GF(2^255-19)

  4. d = -121665

  5. M = EllipticCurve(F,[0,2-4*d,0,1,0])

  6.     

  7. sqrtN1 = sqrt(F(-1))

  8.     

  9. def maybe(): return randint(0,1)

  10. 

  11. def qpositive(x):

  12.     return int(x) <= (2^255-19-1)/2

  13. 

  14. def M_to_E(P):

  15.     # P must be even

  16.     (x,y) = P.xy()

  17.     assert x.is_square()

  18.     

  19.     s = sqrt(x)

  20.     if s == 0: t = 1

  21.     else: t = y/s

  22.     

  23.     X,Y = 2*s / (1+s^2), (1-s^2) / t

  24.     if maybe(): X,Y = -X,-Y

  25.     if maybe(): X,Y = Y,-X

  26.     # OK, have point in ed

  27.     return X,Y

  28. 

  29. def decaf_encode_from_E(X,Y):

  30.     assert X^2 + Y^2 == 1 + d*X^2*Y^2

  31.     if not qpositive(X*Y): X,Y = Y,-X

  32.     assert qpositive(X*Y)

  33.     

  34.     assert (1-X^2).is_square()

  35.     sx = sqrt(1-X^2)

  36.     tos = -2*sx/X/Y

  37.     if not qpositive(tos): sx = -sx

  38.     s = (1 + sx) / X

  39.     if not qpositive(s): s = -s

  40.     

  41.     return s

  42. 

  43. def isqrt(x):

  44.     ops = [(1,2),(1,2),(3,1),(6,0),(1,2),(12,1),(25,1),(25,1),(50,0),(125,0),(2,2),(1,2)]

  45.     st = [x,x,x]

  46.     for i,(sh,add) in enumerate(ops):

  47.         od = i&1

  48.         st[od] = st[od^^1]^(2^sh)*st[add]

  49.     # assert st[2] == x^(2^252-3)

  50.     

  51.     assert st[1] == 1 or st[1] == -1

  52.     if st[1] == 1: return st[0]

  53.     else: return st[0] * sqrtN1

  54. 

  55. def decaf_encode_from_E_c(X,Y):

  56.     Z = F.random_element()

  57.     T = X*Y*Z

  58.     X = X*Z

  59.     Y = Y*Z

  60.     assert X^2 + Y^2 == Z^2 + d*T^2

  61.     

  62.     # Precompute

  63.     sd = sqrt(F(1-d))

  64.     

  65.     zx = Z^2-X^2

  66.     TZ = T*Z

  67.     assert zx.is_square

  68.     ooAll = isqrt(zx*TZ^2)

  69.     osx = ooAll * TZ

  70.     ooTZ = ooAll * zx * osx

  71.     

  72.     floop = qpositive(T^2 * ooTZ)

  73.     if floop:

  74.         frob = zx * ooTZ

  75.     else:

  76.         frob = sd

  77.         Y = -X

  78.         

  79.     osx *= frob

  80.     

  81.     if qpositive(-2*osx*Z) != floop: osx = -osx

  82.     s = Y*(ooTZ*Z + osx)

  83.     if not qpositive(s): s = -s

  84.     

  85.     return s

  86.     

  87. def is_rotation((X,Y),(x,y)):

  88.     return x*Y == X*y or x*X == -y*Y

  89.     

  90. def decaf_decode_to_E(s):

  91.     assert qpositive(s)

  92.     t = sqrt(s^4 + (2-4*d)*s^2 + 1)

  93.     if not qpositive(t/s): t = -t

  94.     X,Y = 2*s / (1+s^2), (1-s^2) / t

  95.     assert qpositive(X*Y)

  96.     return X,Y

  97.     

  98. def decaf_decode_to_E_c(s):

  99.     assert qpositive(s)

  100.     

  101.     s2 = s^2

  102.     s21 = 1+s2

  103.     t2 = s21^2 - 4*d*s2

  104.     

  105.     alt  = s21*s

  106.     the  = isqrt(t2*alt^2)

  107.     oot  = the * alt

  108.     the *= t2

  109.     tos  = the * s21

  110.     X = 2 * (tos-the) * oot

  111.     Y = (1-s2) * oot

  112.     

  113.     if not qpositive(tos): Y = -Y

  114.     assert qpositive(X*Y)

  115.     

  116.     return X,Y

  117. 

  118. def test():

  119.     P = 2*M.random_point()

  120.     X,Y = M_to_E(P)

  121.     s = decaf_encode_from_E(X,Y)

  122.     assert s == decaf_encode_from_E_c(X,Y)

  123.     XX,YY = decaf_decode_to_E(s)

  124.     XX2,YY2 = decaf_decode_to_E_c(s)

  125.     assert is_rotation((X,Y),(XX,YY))

  126.     assert is_rotation((X,Y),(XX2,YY2))

  127. 

  128. 

  129.