[WIP] VXEdDSA #167

Open
wants to merge 6 commits into
base: master
Choose a base branch
from
Open
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
[WIP] hash_to_point works with test-vectors
liamsi committed Feb 5, 2017

commit b7df9e602ff6c357f829dab462cf1186884ba777
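--- a/crypto/internal/ed25519/edwards25519/edwards25519.go
+++ b/crypto/internal/ed25519/edwards25519/edwards25519.go
@@ -861,6 +861,22 @@ func FeSquare2(h, f *FieldElement) {
 h[9] = int32(h9)
 }
 
+func FeSqrt(out, a *FieldElement) {
+var exp, b, b2, bi, i FieldElement
+
+i = SqrtM1
+FePow22523(&exp, a) /* b = a^(q-5)/8 */
+FeMul(&b, a, &exp) /* b = a * a^(q-5)/8 */
+FeSquare(&b2, &b) /* b^2 = a * a^(q-1)/4 */
+
+/* note b^4 == a^2, so b^2 == a or -a
+* if b^2 != a, multiply it by sqrt(-1) */
+FeMul(&bi, &b, &i)
+FeCMove(&b, &bi, int32(1^FeIsequal(b2, *a)))
+
+FeCopy(out, &b)
+}
+
 func FeInvert(out, z *FieldElement) {
 var t0, t1, t2, t3 FieldElement
 var i int
@@ -2261,12 +2277,12 @@ func feIsNonzero(f FieldElement) int {
 var s [32]byte
 FeToBytes(&s, &f)
 var zero [32]byte
-d := byte(0)
+d := 0
 x := s
 y := zero
 
 for i := 0; i < 32; i++ {
-d |= x[i] ^ y[i]
+d |= int(x[i]) ^ int(y[i])
 }
-return int((1 & ((d - 1) >> 8)) - 1)
+return (1 & ((d - 1) >> 8)) - 1
 }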
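Review bot: FeSqrt gives the caller no way to learn that `a` was not a square: when no root exists, neither `b` nor `b*sqrt(-1)` squares to `a`, the `FeCMove` selector picks `b*sqrt(-1)`, and that value is returned as if it were a valid root. The exported function has no doc comment; I would add `// FeSqrt sets out to a square root of a. It assumes a is a quadratic residue mod p; for a non-residue the result is unspecified and no error is signalled.` The selector `int32(1^FeIsequal(b2, *a))` is only a valid cmove condition if FeIsequal returns exactly 0 or 1, while feIsNonzero in the second hunk now returns 0 or -1 in the ref10 convention, so a test pinning FeIsequal's range would keep the two conventions from being mixed. The copy `i = SqrtM1` exists only to take an address; if SqrtM1 is a package variable, `FeMul(&bi, &b, &SqrtM1)` does the same without the copy.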
32 changes: 22 additions & 10 deletions crypto/internal/ed25519/extra25519/extra25519.go
@@ -454,31 +454,43 @@ func HashToPoint(p *edwards25519.ExtendedGroupElement, in []byte) {
copy(hs[:], hash[:32])

edwards25519.FeFromBytes(&h, &hs)

Elligator(&u, h)
var p3 edwards25519.ExtendedGroupElement

var p3 edwards25519.ExtendedGroupElement
geMontXtoExtendedFieldElement(&p3, u, sign_bit)
// TODO compare with ge_scalarmult_cofactor ...
edwards25519.GeDouble(p, &p3)
edwards25519.GeDouble(p, &p3)

edwards25519.GeDouble(p, &p3)
edwards25519.GeDouble(p, p)
edwards25519.GeDouble(p, p)
}

/* sqrt(-(A+2)) */
var a_bytes = [32]byte{
0x06, 0x7e, 0x45, 0xff, 0xaa, 0x04, 0x6e, 0xcc,
0x82, 0x1a, 0x7d, 0x4b, 0xd1, 0xd3, 0xa1, 0xc5,
0x7e, 0x4f, 0xfc, 0x03, 0xdc, 0x08, 0x7b, 0xd2,
0xbb, 0x06, 0xa0, 0x60, 0xf4, 0xed, 0x26, 0x0f,
}

func geMontXtoExtendedFieldElement(p *edwards25519.ExtendedGroupElement, u edwards25519.FieldElement, edSignBit byte) {
var x, y, v, v2, iv, nx edwards25519.FieldElement
var x, y, v, A, v2, iv, nx edwards25519.FieldElement

edwards25519.FeFromBytes(&A, &a_bytes)

/* given u, recover edwards y */
/* given u, recover v */
/* given u and v, recover edwards x */

montgomeryXToEdwardsY(&y, &u) /* y = (u - 1) / (u + 1) */

FeMontRhs(&v2, &u) /* v^2 = u(u^2 + Au + 1) */
edwards25519.FeSquare(&v, &v2) /* v = sqrt(v^2) */
FeMontRhs(&v2, &u) /* v^2 = u(u^2 + Au + 1) */

edwards25519.FeSqrt(&v, &v2) /* v = sqrt(v^2) */

edwards25519.FeMul(&x, &u, &edwards25519.A) /* x = u * sqrt(-(A+2)) */
edwards25519.FeInvert(&iv, &v) /* 1/v */
edwards25519.FeMul(&x, &x, &iv) /* x = (u/v) * sqrt(-(A+2)) */
edwards25519.FeMul(&x, &u, &A) /* x = u * sqrt(-(A+2)) */
edwards25519.FeInvert(&iv, &v) /* 1/v */
edwards25519.FeMul(&x, &x, &iv) /* x = (u/v) * sqrt(-(A+2)) */

edwards25519.FeNeg(&nx, &x) /* negate x to match sign bit */
edwards25519.FeCMove(&x, &nx, int32(edwards25519.FeIsNegative(&x)^edSignBit))
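Review bot: `edwards25519.FeFromBytes(&A, &a_bytes)` re-decodes a fixed constant on every call of geMontXtoExtendedFieldElement, and nothing beyond the `/* sqrt(-(A+2)) */` tag says what the 32 bytes are supposed to satisfy; decoding once at package level gives the value a name and a single place to state the invariant (its square is -(486662+2) mod p). `FeSqrt(&v, &v2)` cannot report a non-residue, so `x` after `FeMul(&x, &x, &iv)` is silently wrong unless `u` is guaranteed to be an Elligator output, which the function should state as a precondition. `GeDouble(p, p)` in HashToPoint aliases input and output; that is safe only if GeDouble goes through an intermediate representation as ref10's ge_p3_dbl does, and since that implementation is outside this hunk a one-line comment would help. geMontXtoExtendedFieldElement continues past the end of the hunk.
```go
/* sqrt(-(A+2)) for A = 486662, decoded once; maps Montgomery (u,v) to Edwards x */
var sqrtMinusAPlus2 = func() edwards25519.FieldElement {
	var fe edwards25519.FieldElement
	edwards25519.FeFromBytes(&fe, &a_bytes)
	return fe
}()

func geMontXtoExtendedFieldElement(p *edwards25519.ExtendedGroupElement, u edwards25519.FieldElement, edSignBit byte) {
	// Precondition: u is an Elligator output, so FeMontRhs(u) is a square; FeSqrt does not check this.
	var x, y, v, v2, iv, nx edwards25519.FieldElement
	// … unchanged: y and v recovery …
	edwards25519.FeMul(&x, &u, &sqrtMinusAPlus2) /* x = u * sqrt(-(A+2)) */
	// … unchanged: inversion and sign fix-up …
```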
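--- a/crypto/internal/ed25519/extra25519/extra25519_test.go
+++ b/crypto/internal/ed25519/extra25519/extra25519_test.go
@@ -233,10 +233,9 @@ func TestElligatorFast(t *testing.T) {
 
 HashToPoint(&p3, htp[:])
 
-var htpb [32]byte
-p3.ToBytes(&htpb)
-if !bytes.Equal(htpb[:], hashtopoint_correct_output1[:]) {
-fmt.Println(hex.Dump(htpb[:]))
+p3.ToBytes(&htp)
+if !bytes.Equal(htp[:], hashtopoint_correct_output1[:]) {
+fmt.Println(hex.Dump(htp[:]))
 fmt.Println(hex.Dump(hashtopoint_correct_output1[:]))
 t.Fatal("hash_to_point #1 failed")
 }
@@ -248,7 +247,7 @@ func TestElligatorFast(t *testing.T) {
 HashToPoint(&p3, htp[:])
 p3.ToBytes(&htp)
 //TEST("hash_to_point #2", memcmp(htp, hashtopoint_correct_output2, 32) == 0);
-if !bytes.Equal(htpb[:], hashtopoint_correct_output2[:]) {
+if !bytes.Equal(htp[:], hashtopoint_correct_output2[:]) {
 fmt.Println(hex.Dump(htp[:]))
 fmt.Println(hex.Dump(hashtopoint_correct_output2[:]))
 t.Fatal("hash_to_point #2 failed")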
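Review bot: The two test vectors are the only thing guarding the new `a_bytes` constant in extra25519.go, and a wrong constant would fail them with no hint of where the error is; a direct test that decodes the bytes, squares them and compares against -(486662+2) mod p localises that failure. `p3.ToBytes(&htp)` now overwrites the input buffer of vector #1, so the lines between the two hunks (outside this view) must re-fill `htp` before the second `HashToPoint` call at the top of the second hunk. A smaller point of style: `fmt.Println(hex.Dump(...))` followed by `t.Fatal` is better written as `t.Fatalf("hash_to_point #1: got %x, want %x", htp, hashtopoint_correct_output1)`, which keeps the diagnostic attached to the failing test. TestElligatorFast starts before the first hunk.
```go
// TestSqrtMinusAPlus2 pins a_bytes: decoded and squared it must equal -(A+2) mod p, A = 486662.
func TestSqrtMinusAPlus2(t *testing.T) {
	var a, a2, c, want edwards25519.FieldElement
	edwards25519.FeFromBytes(&a, &a_bytes)
	edwards25519.FeSquare(&a2, &a)
	cb := [32]byte{0x08, 0x6d, 0x07} // 486664 = A + 2, little-endian
	edwards25519.FeFromBytes(&c, &cb)
	edwards25519.FeNeg(&want, &c)
	var got, exp [32]byte
	edwards25519.FeToBytes(&got, &a2)
	edwards25519.FeToBytes(&exp, &want)
	if !bytes.Equal(got[:], exp[:]) {
		t.Fatalf("a_bytes squared = %x, want -(A+2) = %x", got, exp)
	}
}
```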