jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
193 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: 6c81eec339
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '6c81eec339'
${ noResults }
ed448goldilocks/aux/decaffeinate_curve25519.sage

132 lines
2.7 KiB
Raw Blame History 

  1. # This is as sketch of how to decaffeinate Curve25519

  2. 

  3. F = GF(2^255-19)

  4. d = -121665

  5. M = EllipticCurve(F,[0,2-4*d,0,1,0])

  6. 

  7. def maybe(): return randint(0,1)

  8. 

  9. def qpositive(x):

  10.     return int(x) <= (2^255-19-1)/2

  11. 

  12. def M_to_E(P):

  13.     # P must be even

  14.     (x,y) = P.xy()

  15.     assert x.is_square()

  16.     

  17.     s = sqrt(x)

  18.     if s == 0: t = 1

  19.     else: t = y/s

  20.     

  21.     X,Y = 2*s / (1+s^2), (1-s^2) / t

  22.     if maybe(): X,Y = -X,-Y

  23.     if maybe(): X,Y = Y,-X

  24.     # OK, have point in ed

  25.     return X,Y

  26. 

  27. def decaf_encode_from_E(X,Y):

  28.     assert X^2 + Y^2 == 1 + d*X^2*Y^2

  29.     if not qpositive(X*Y): X,Y = Y,-X

  30.     assert qpositive(X*Y)

  31.     

  32.     assert (1-X^2).is_square()

  33.     sx = sqrt(1-X^2)

  34.     tos = -2*sx/X/Y

  35.     if not qpositive(tos): sx = -sx

  36.     s = (1 + sx) / X

  37.     if not qpositive(s): s = -s

  38.     

  39.     return s

  40. 

  41. def isqrt(x):

  42.     assert(x.is_square())

  43.     

  44.     def op(st,sh,add):

  45.         x,y,z = st

  46.         return x,st[1]^(2^sh)*st[add],y

  47.     

  48.     ops = [(1,0),(1,0),(3,1),(6,1),(1,0),(12,2),(25,1),(25,2),(50,2),(125,1),(2,0),(1,0)]

  49.     st = (x,x,x)

  50.     for sh,add in ops:

  51.         st = op(st,sh,add)

  52.     #assert st[2] == x^(2^252-3)

  53.     

  54.     i = sqrt(F(-1))

  55.     if st[1] == 1: return st[2]

  56.     else: return st[2] * i

  57. 

  58. def decaf_encode_from_E_c(X,Y):

  59.     Z = F.random_element()

  60.     T = X*Y*Z

  61.     X = X*Z

  62.     Y = Y*Z

  63.     assert X^2 + Y^2 == Z^2 + d*T^2

  64.     

  65.     # Precompute

  66.     sd = sqrt(F(1-d))

  67.     

  68.     zx = Z^2-X^2

  69.     TZ = T*Z

  70.     assert zx.is_square

  71.     ooAll = isqrt(zx*TZ^2)

  72.     osx = ooAll * TZ

  73.     ooTZ = ooAll * zx * osx

  74.     

  75.     floop = qpositive(T^2 * ooTZ)

  76.     if floop:

  77.         frob = zx * ooTZ

  78.     else:

  79.         frob = sd

  80.         Y = -X

  81.         

  82.     osx *= frob

  83.     

  84.     if qpositive(-2*osx*Z) != floop: osx = -osx

  85.     s = Y*(ooTZ*Z + osx)

  86.     if not qpositive(s): s = -s

  87.     

  88.     return s

  89.     

  90. def is_rotation((X,Y),(x,y)):

  91.     return x*Y == X*y or x*X == -y*Y

  92.     

  93. def decaf_decode_to_E(s):

  94.     assert qpositive(s)

  95.     t = sqrt(s^4 + (2-4*d)*s^2 + 1)

  96.     if not qpositive(t/s): t = -t

  97.     X,Y = 2*s / (1+s^2), (1-s^2) / t

  98.     assert qpositive(X*Y)

  99.     return X,Y

  100.     

  101. def decaf_decode_to_E_c(s):

  102.     assert qpositive(s)

  103.     

  104.     s2 = s^2

  105.     s21 = 1+s2

  106.     t2 = s21^2 - 4*d*s2

  107.     

  108.     alt  = s21*s

  109.     the  = isqrt(t2*alt^2)

  110.     oot  = the * alt

  111.     the *= t2

  112.     tos  = the * s21

  113.     X = 2 * (tos-the) * oot

  114.     Y = (1-s2) * oot

  115.     

  116.     if not qpositive(tos): Y = -Y

  117.     assert qpositive(X*Y)

  118.     

  119.     return X,Y

  120. 

  121. def test():

  122.     P = 2*M.random_point()

  123.     X,Y = M_to_E(P)

  124.     s = decaf_encode_from_E(X,Y)

  125.     assert s == decaf_encode_from_E_c(X,Y)

  126.     XX,YY = decaf_decode_to_E(s)

  127.     XX2,YY2 = decaf_decode_to_E_c(s)

  128.     assert is_rotation((X,Y),(XX,YY))

  129.     assert is_rotation((X,Y),(XX2,YY2))

  130. 

  131. 

  132.