jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
559 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: da2f2f9b2a
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'da2f2f9b2a'
${ noResults }
ed448goldilocks/_aux/decaffeinate_curve25519.sage

140 lines
3.2 KiB
Raw Blame History 

  1. # This is as sketch of how to decaffeinate Curve25519

  2. 

  3. F = GF(2^255-19)

  4. 

  5. doPinkBikeShed = True

  6. 

  7. if doPinkBikeShed: d = -89747 # PinkBikeShed

  8. else: d = -121665 # Curve25519

  9. 

  10. M = EllipticCurve(F,[0,2-4*d,0,1,0])

  11.     

  12. sqrtN1 = sqrt(F(-1))

  13.     

  14. def maybe(): return randint(0,1)

  15. 

  16. def qpositive(x):

  17.     return int(x) <= (2^255-19-1)/2

  18. 

  19. def M_to_E(P):

  20.     # P must be even

  21.     (x,y) = P.xy()

  22.     assert x.is_square()

  23.     

  24.     s = sqrt(x)

  25.     if s == 0: t = 1

  26.     else: t = y/s

  27.     

  28.     X,Y = 2*s / (1+s^2), (1-s^2) / t

  29.     if maybe(): X,Y = -X,-Y

  30.     if maybe(): X,Y = Y,-X

  31.     # OK, have point in ed

  32.     return X,Y

  33. 

  34. def decaf_encode_from_E(X,Y):

  35.     assert X^2 + Y^2 == 1 + d*X^2*Y^2

  36.     if not (X==0 or Y==0 or qpositive(1/(X*Y)) or doPinkBikeShed): X,Y = Y,-X

  37.     assert X==0 or Y==0 or qpositive(1/(X*Y))

  38.     

  39.     assert (1-X^2).is_square()

  40.     sx = sqrt(1-X^2)

  41.     tos = -2*sx/X/Y

  42.     if not qpositive(tos): sx = -sx

  43.     s = (1 + sx) / X

  44.     if not qpositive(s): s = -s

  45.     

  46.     return s

  47. 

  48. def isqrt(x):

  49.     ops = [(1,2),(1,2),(3,1),(6,0),(1,2),(12,1),(25,1),(25,1),(50,0),(125,0),(2,2),(1,2)]

  50.     st = [x,x,x]

  51.     for i,(sh,add) in enumerate(ops):

  52.         od = i&1

  53.         st[od] = st[od^^1]^(2^sh)*st[add]

  54.     # assert st[2] == x^(2^252-3)

  55.     

  56.     assert st[1] == 1 or st[1] == -1

  57.     if st[1] == 1: return st[0]

  58.     else: return st[0] * sqrtN1

  59. 

  60. def decaf_encode_from_E_c(X,Y):

  61.     Z = F.random_element()

  62.     T = X*Y*Z

  63.     X = X*Z

  64.     Y = Y*Z

  65.     assert X^2 + Y^2 == Z^2 + d*T^2

  66.     

  67.     # Precompute

  68.     sd = sqrt(F(1-d))

  69.     

  70.     # comments in case of identity point

  71.     # (1,0) or (0,1)

  72.     zx = Z^2-X^2 # 0^2 or 1 * Z^2

  73.     TZ = T*Z # 0 * Z^2

  74.     assert zx.is_square

  75.     ooAll = isqrt(zx*TZ^2) # inf^2 or inf * 1/Z^3

  76.     osx = ooAll * TZ # inf or 1 * 1/Z

  77.     ooTZ = ooAll * zx * osx # inf * 1/Z^2

  78.     

  79.     floop = qpositive(Z^2 * ooTZ) or doPinkBikeShed # 0

  80.     if floop:

  81.         frob = zx * ooTZ # 0 or inf

  82.         # Y = 0 or 1

  83.     else:

  84.         frob = sd # sd

  85.         Y = -X # -1 or 0 * Z

  86.         

  87.     osx *= frob # 1 or inf * 1/Z || inf sd or sd * 1/Z

  88.     # y * osx = 0 or inf or -inf sd or 0 sd

  89.     # y * ootz * z = 1 or inf or inf sd or 0^2 sd

  90.     # s = 0 or 1 or inf sd or 

  91.     

  92.     if qpositive(-2*osx*Z) != floop: osx = -osx

  93.     s = Y*(ooTZ*Z + osx) # 

  94.     if not qpositive(s): s = -s

  95.     

  96.     return s

  97.     

  98. def is_rotation((X,Y),(x,y)):

  99.     return x*Y == X*y or x*X == -y*Y

  100.     

  101. def decaf_decode_to_E(s):

  102.     assert qpositive(s)

  103.     t = sqrt(s^4 + (2-4*d)*s^2 + 1)

  104.     if not qpositive(t/s): t = -t

  105.     X,Y = 2*s / (1+s^2), (1-s^2) / t

  106.     assert X==0 or Y==0 or qpositive(1/(X*Y)) or doPinkBikeShed

  107.     return X,Y

  108.     

  109. def decaf_decode_to_E_c(s):

  110.     assert qpositive(s)

  111.     

  112.     s2 = s^2

  113.     s21 = 1+s2

  114.     t2 = s21^2 - 4*d*s2

  115.     

  116.     alt  = s21*s

  117.     the  = isqrt(t2*alt^2)

  118.     oot  = the * alt

  119.     the *= t2

  120.     tos  = the * s21

  121.     X = 2 * (tos-the) * oot

  122.     Y = (1-s2) * oot

  123.     

  124.     if not qpositive(tos): Y = -Y

  125.     assert qpositive(X*Y) or doPinkBikeShed

  126.     

  127.     return X,Y

  128. 

  129. def test():

  130.     P = 2*M.random_point()

  131.     X,Y = M_to_E(P)

  132.     s = decaf_encode_from_E(X,Y)

  133.     assert s == decaf_encode_from_E_c(X,Y)

  134.     XX,YY = decaf_decode_to_E(s)

  135.     XX2,YY2 = decaf_decode_to_E_c(s)

  136.     assert is_rotation((X,Y),(XX,YY))

  137.     assert is_rotation((X,Y),(XX2,YY2))

  138. 

  139. 

  140.