jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
453 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: b423ac359c
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'b423ac359c'
${ noResults }
ed448goldilocks/aux/decaffeinate_ed25519_too.sage

88 lines
2.5 KiB
Raw Blame History 

  1. F = GF(2^255-19)

  2. dM = F(-121665)

  3. d = F(-121665/121666)

  4. ii = sqrt(F(-1))

  5. def lobit(x): return int(x) & 1

  6. def hibit(x): return lobit(2*x)

  7. 

  8. magic = sqrt(F(-121666))

  9. if lobit(magic): magic = -magic

  10. 

  11. def eddsa_to_decaf(x,y):

  12.     """

  13.     Converts an EdDSA point to a Decaf representation, in a manner compatible

  14.     with libdecaf.

  15.     

  16.     The input point must be even.

  17.     

  18.     Note well!  Decaf does not represent the cofactor information of a point.

  19.     So e2d(d2e(s)) = s, but d2e(e2d(x,y)) might not be (x,y).

  20.     """

  21.     if x*y == 0: return 0 # This will happen anyway with straightforward square root trick

  22.     if not is_square((1-y)/(1+y)): raise Exception("Unimplemented: odd point in eddsa_to_decaf")

  23.     if hibit(magic/(x*y)): (x,y) = (ii*y,ii*x)

  24.     if hibit(2*magic/x): y = -y

  25.     s = sqrt((1-y)/(1+y))

  26.     if hibit(s): s = -s

  27.     return s

  28. 

  29. def isqrt_trick(to_isr,to_inv):

  30.     to_sqrt = to_isr*to_inv^2

  31.     if to_sqrt == 0: return 0,0 # This happens automatically in C; just to avoid problems in SAGE

  32.     if not is_square(to_sqrt): raise Exception("Not square in isqrt_trick!")

  33.     tmp = 1/sqrt(to_sqrt)

  34.     isr = tmp * to_inv

  35.     inv = tmp * isr * to_isr

  36.     assert isr^2 == 1/to_isr

  37.     assert inv == 1/to_inv

  38.     return isr, inv

  39.     

  40. 

  41. def eddsa_to_decaf_opt(x,y,z=None):

  42.     """

  43.     Optimized version of eddsa_to_decaf.

  44.     

  45.     Uses only one isqrt.

  46.     """

  47.     if z is None:

  48.         # Pretend that we're in projective

  49.         z = F.random_element()

  50.         x *= z

  51.         y *= z

  52.     

  53.     isr,inv = isqrt_trick(z^2-y^2,x*y)

  54.     inv *= magic

  55.     

  56.     rotate = hibit(inv*z^2)

  57.     if rotate:

  58.         isr *= (z^2-y^2)*inv

  59.         y = ii*x

  60.     

  61.     if hibit(2*inv*y*z) != rotate: y = -y

  62.     s = (z-y) * isr

  63.     

  64.     if hibit(s): s = -s

  65.     return s

  66. 

  67. print [eddsa_to_decaf_opt(x,y) == eddsa_to_decaf(x,y) for _,_,_,_,y1,y2 in points for x,y in [decode(y1,y2)]]

  68. 

  69. def decaf_to_eddsa(s):

  70.     """

  71.     Convert a Decaf representation to an EdDSA point, in a manner compatible

  72.     with libdecaf.

  73.     

  74.     Note well! The Decaf representation of a point is canonical, but the EdDSA one

  75.     is not, in that  

  76.     """

  77.     if s == 0: return (0,1)

  78.     if hibit(s): raise Exception("invalid: s has high bit")

  79.     if not is_square(s^4 + (2-4*dM)*s^2 + 1): raise Exception("invalid: not on curve")

  80.     

  81.     t = sqrt(s^4 + (2-4*dM)*s^2 + 1)/s

  82.     if hibit(t): t = -t

  83.     y = (1-s^2)/(1+s^2)

  84.     x = 2*magic/t

  85.     if y == 0 or lobit(t/y): raise Exception("invalid: t/y has high bit")

  86.     assert y^2 - x^2 == 1+d*x^2*y^2

  87.     return (x,y)