2 ### -*- mode: python; coding: utf-8 -*-
4 ###--------------------------------------------------------------------------
5 ### Some general utilities.
8 return 0 + sum(ord(v[i]) << 8*i for i in xrange(len(v)))
11 return ''.join(chr((x >> 8*i)&0xff) for i in xrange(n))
13 def piece_widths_offsets(wd, n):
14 o = [ceil(wd*i/n) for i in xrange(n + 1)]
15 w = [o[i + 1] - o[i] for i in xrange(n)]
18 def pieces(x, wd, n, bias = 0):
20 ## Figure out widths and offsets.
21 w, o = piece_widths_offsets(wd, n)
23 ## First, normalize |n| < bias/2.
24 if bias and n >= bias/2: n -= bias
26 ## First, collect the bits.
28 for i in xrange(n - 1):
34 ## Now normalize them to the appropriate interval.
36 for i in xrange(n - 1):
45 def combine(v, wd, n):
46 w, o = piece_widths_offsets(wd, n)
47 return sum(v[i] << o[i] for i in xrange(n))
49 ###--------------------------------------------------------------------------
52 p = 2^255 - 19; k = GF(p)
53 A = k(486662); A0 = (A - 2)/4
54 E = EllipticCurve(k, [0, A, 0, 1, 0]); P = E.lift_x(9)
55 l = 2^252 + 27742317777372353535851937790883648493
58 assert (l*P).is_zero()
59 assert (p + 1 - 8*l)^2 <= 4*p
61 ###--------------------------------------------------------------------------
62 ### Example points from `Cryptography in NaCl'.
64 x = ld(map(chr, [0x70,0x07,0x6d,0x0a,0x73,0x18,0xa5,0x7d
65 ,0x3c,0x16,0xc1,0x72,0x51,0xb2,0x66,0x45
66 ,0xdf,0x4c,0x2f,0x87,0xeb,0xc0,0x99,0x2a
67 ,0xb1,0x77,0xfb,0xa5,0x1d,0xb9,0x2c,0x6a]))
68 y = ld(map(chr, [0x58,0xab,0x08,0x7e,0x62,0x4a,0x8a,0x4b
69 ,0x79,0xe1,0x7f,0x8b,0x83,0x80,0x0e,0xe6
70 ,0x6f,0x3b,0xb1,0x29,0x26,0x18,0xb6,0xfd
71 ,0x1c,0x2f,0x8b,0x27,0xff,0x88,0xe0,0x6b]))
77 ###--------------------------------------------------------------------------
78 ### Arithmetic implementation.
81 for i in xrange(n): x = x*x
87 t2 = sqrn(x, 1) # 1 | 2
88 u = sqrn(t2, 2) # 3 | 8
91 u = sqrn(t11, 1) # 6 | 22
92 t = u*t # 7 | 2^5 - 1 = 31
93 u = sqrn(t, 5) # 12 | 2^10 - 2^5
94 t2p10m1 = u*t # 13 | 2^10 - 1
95 u = sqrn(t2p10m1, 10) # 23 | 2^20 - 2^10
96 t = u*t2p10m1 # 24 | 2^20 - 1
97 u = sqrn(t, 20) # 44 | 2^40 - 2^20
98 t = u*t # 45 | 2^40 - 1
99 u = sqrn(t, 10) # 55 | 2^50 - 2^10
100 t2p50m1 = u*t2p10m1 # 56 | 2^50 - 1
101 u = sqrn(t2p50m1, 50) # 106 | 2^100 - 2^50
102 t = u*t2p50m1 # 107 | 2^100 - 1
103 u = sqrn(t, 100) # 207 | 2^200 - 2^100
104 t = u*t # 208 | 2^200 - 1
105 u = sqrn(t, 50) # 258 | 2^250 - 2^50
106 t = u*t2p50m1 # 259 | 2^250 - 1
107 u = sqrn(t, 5) # 264 | 2^255 - 2^5
108 t = u*t11 # 265 | 2^255 - 21
113 ## First, some preliminary values.
114 y2 = sqrn(y, 1) # 1 | 0, 2
116 xy3 = x*y3 # 3 | 1, 3
117 y4 = sqrn(y2, 1) # 4 | 0, 4
118 w = xy3*y4 # 5 | 1, 7
120 ## Now calculate w^(p - 5)/8. Notice that (p - 5)/8 =
121 ## (2^255 - 24)/8 = 2^252 - 3.
122 u = sqrn(w, 1) # 6 | 2
124 u = sqrn(t, 1) # 8 | 6
126 u = sqrn(t, 3) # 12 | 56
127 t = u*t # 13 | 63 = 2^6 - 1
128 u = sqrn(t, 6) # 19 | 2^12 - 2^6
129 t = u*t # 20 | 2^12 - 1
130 u = sqrn(t, 12) # 32 | 2^24 - 2^12
131 t = u*t # 33 | 2^24 - 1
132 u = sqrn(t, 1) # 34 | 2^25 - 2
133 t = u*w # 35 | 2^25 - 1
134 u = sqrn(t, 25) # 60 | 2^50 - 2^25
135 t2p50m1 = u*t # 61 | 2^50 - 1
136 u = sqrn(t2p50m1, 50) # 111 | 2^100 - 2^50
137 t = u*t2p50m1 # 112 | 2^100 - 1
138 u = sqrn(t, 100) # 212 | 2^200 - 2^100
139 t = u*t # 213 | 2^200 - 1
140 u = sqrn(t, 50) # 263 | 2^250 - 2^50
141 t = u*t2p50m1 # 264 | 2^250 - 1
142 u = sqrn(t, 2) # 266 | 2^252 - 4
143 t = u*w # 267 | 2^252 - 3
146 ## Now we have beta = (x y^3) (x y^7)^((p - 5)/8) =
147 ## x^((p + 3)/8) y^((7 p - 11)/8) = (x/y)^((p + 3)/8).
148 ## Suppose alpha^2 = x/y. Then beta^4 = (x/y)^((p + 3)/2) =
149 ## alpha^(p + 3) = alpha^4 = (x/y)^2, so beta^2 = ±x/y. If
150 ## y beta^2 = x then alpha = beta and we're done; if
151 ## y beta^2 = -x, then alpha = beta sqrt(-1); otherwise x/y
152 ## wasn't actually a square after all.
154 if t == x: return beta
155 elif t == -x: return beta*sqrtm1
156 else: raise ValueError, 'not a square'
158 assert inv(k(9))*9 == 1
159 assert 5*quosqrt(k(4), k(5))^2 == 4
161 ###--------------------------------------------------------------------------
162 ### The Montgomery ladder.
168 ## Let Q = (x_1 : y_1 : 1) be an input point. We calculate
169 ## n Q = (x_n : y_n : z_n), returning x_n/z_n (unless z_n = 0,
170 ## in which case we return zero).
172 ## We're given that n = 2^254 + n'_254, where 0 <= n'_254 < 2^254.
177 ## Initially, let i = 255.
178 for i in xrange(len(bb) - 1, -1, -1):
180 ## Split n = n_i 2^i + n'_i, where 0 <= n'_i < 2^i, so n_0 = n.
181 ## We have x, z = x_{n_{i+1}}, z_{n_{i+1}}, and
182 ## u, w = x_{n_{i+1}+1}, z_{n_{i+1}+1}.
183 ## Now either n_i = 2 n_{i+1} or n_i = 2 n_{i+1} + 1, depending
186 ## Swap (x : z) and (u : w) if bit i of n is set.
187 if bb[i]: x, z, u, w = u, w, x, z
189 ## Do the ladder step.
190 xmz, xpz = x - z, x + z
191 umw, upw = u - w, u + w
192 xmz2, xpz2 = xmz^2, xpz^2
193 xpz2mxmz2 = xpz2 - xmz2
194 xmzupw, xpzumw = xmz*upw, xpz*umw
195 x, z = xmz2*xpz2, xpz2mxmz2*(xpz2 + A0*xpz2mxmz2)
196 u, w = (xmzupw + xpzumw)^2, x1*(xmzupw - xpzumw)^2
199 if bb[i]: x, z, u, w = u, w, x, z
204 assert x25519(y, k(9)) == Y[0]
205 assert x25519(x, Y[0]) == x25519(y, X[0]) == Z[0]
207 ###----- That's all, folks --------------------------------------------------
~mdw / catacomb / blob