From d95a1f229dfccf98b854b04af078bbab70de7a0d Mon Sep 17 00:00:00 2001
From: Michael Hamburg <mike@shiftleft.org>
Date: Thu, 18 Jun 2015 17:24:51 -0700
Subject: [PATCH] auxilliary sage scripts, working on
 decaffeinate_curve25519.sage"

---
 {test => aux}/curve.sage         |  0
 aux/decaffeinate_curve25519.sage | 61 ++++++++++++++++++++++++++++++++
 {test => aux}/idealized.sage     |  0
 3 files changed, 61 insertions(+)
 rename {test => aux}/curve.sage (100%)
 create mode 100644 aux/decaffeinate_curve25519.sage
 rename {test => aux}/idealized.sage (100%)

diff --git a/test/curve.sage b/aux/curve.sage
similarity index 100%
rename from test/curve.sage
rename to aux/curve.sage
diff --git a/aux/decaffeinate_curve25519.sage b/aux/decaffeinate_curve25519.sage
new file mode 100644
index 0000000..05594d1
--- /dev/null
+++ b/aux/decaffeinate_curve25519.sage
@@ -0,0 +1,61 @@
+# This is as sketch of how to decaffeinate Curve25519
+
+F = GF(2^255-19)
+d = -121665
+M = EllipticCurve(F,[0,2-4*d,0,1,0])
+
+def maybe(): return randint(0,1)
+
+def qpositive(x):
+    return int(x) <= (2^255-19-1)/2
+
+def M_to_E(P):
+    # P must be even
+    (x,y) = P.xy()
+    assert x.is_square()
+    
+    s = sqrt(x)
+    if s == 0: t = 1
+    else: t = y/s
+    
+    X,Y = 2*s / (1+s^2), (1-s^2) / t
+    if maybe(): X,Y = -X,-Y
+    if maybe(): X,Y = Y,-X
+    # OK, have point in ed
+    return X,Y
+    
+
+def decaf_encode_from_E(X,Y):
+    assert X^2 + Y^2 == 1 + d*X^2*Y^2
+    if not qpositive(X*Y): X,Y = Y,-X
+    assert qpositive(X*Y)
+    
+    assert (1-X^2).is_square()
+    sx = sqrt(1-X^2)
+    tos = -2*sx/X/Y
+    if not qpositive(tos): sx = -sx
+    s = (1 + sx) / X
+    if not qpositive(s): s = -s
+    
+    return s
+    
+def is_rotation((X,Y),(x,y)):
+    return x*Y == X*y or x*X == -y*Y
+    
+def decaf_decode_to_E(s):
+    assert qpositive(s)
+    t = sqrt(s^4 + (2-4*d)*s^2 + 1)
+    if not qpositive(t/s): t = -t
+    X,Y = 2*s / (1+s^2), (1-s^2) / t
+    assert qpositive(X*Y)
+    return X,Y
+
+def test():
+    P = 2*M.random_point()
+    X,Y = M_to_E(P)
+    s = decaf_encode_from_E(X,Y)
+    XX,YY = decaf_decode_to_E(s)
+    assert is_rotation((X,Y),(XX,YY))
+
+
+    
\ No newline at end of file
diff --git a/test/idealized.sage b/aux/idealized.sage
similarity index 100%
rename from test/idealized.sage
rename to aux/idealized.sage