src/test/slow_ed25519.py

   1 # This is the ed25519 implementation from
   2 #     https://ed25519.cr.yp.to/python/ed25519.py .
   3 # It is in the public domain.
   4 #
   5 # It isn't constant-time.  Don't use it except for testing.  Also, see
   6 # warnings about how very slow it is.  Only use this for generating
   7 # test vectors, I'd suggest.
   8 #
   9 # Don't edit this file.  Mess with ed25519_ref.py
  10
  11 # Future imports for Python 2.7, mandatory in 3.0
  12 from __future__ import division
  13 from __future__ import print_function
  14 from __future__ import unicode_literals
  15
  16 import hashlib
  17
  18 b = 256
  19 q = 2**255 - 19
  20 l = 2**252 + 27742317777372353535851937790883648493
  21
  22 def H(m):
  23   return hashlib.sha512(m).digest()
  24
  25 def expmod(b,e,m):
  26   if e == 0: return 1
  27   t = expmod(b,e//2,m)**2 % m
  28   if e & 1: t = (t*b) % m
  29   return t
  30
  31 def inv(x):
  32   return expmod(x,q-2,q)
  33
  34 d = -121665 * inv(121666)
  35 I = expmod(2,(q-1)//4,q)
  36
  37 def xrecover(y):
  38   xx = (y*y-1) * inv(d*y*y+1)
  39   x = expmod(xx,(q+3)//8,q)
  40   if (x*x - xx) % q != 0: x = (x*I) % q
  41   if x % 2 != 0: x = q-x
  42   return x
  43
  44 By = 4 * inv(5)
  45 Bx = xrecover(By)
  46 B = [Bx % q,By % q]
  47
  48 def edwards(P,Q):
  49   x1 = P[0]
  50   y1 = P[1]
  51   x2 = Q[0]
  52   y2 = Q[1]
  53   x3 = (x1*y2+x2*y1) * inv(1+d*x1*x2*y1*y2)
  54   y3 = (y1*y2+x1*x2) * inv(1-d*x1*x2*y1*y2)
  55   return [x3 % q,y3 % q]
  56
  57 def scalarmult(P,e):
  58   if e == 0: return [0,1]
  59   Q = scalarmult(P,e//2)
  60   Q = edwards(Q,Q)
  61   if e & 1: Q = edwards(Q,P)
  62   return Q
  63
  64 def encodeint(y):
  65   bits = [(y >> i) & 1 for i in range(b)]
  66   return bytes(sum([bits[i * 8 + j] << j for j in range(8)]) for i in range(b//8))
  67
  68 def encodepoint(P):
  69   x = P[0]
  70   y = P[1]
  71   bits = [(y >> i) & 1 for i in range(b - 1)] + [x & 1]
  72   return bytes([(sum([bits[i * 8 + j] << j for j in range(8)])) for i in range(b//8)])
  73
  74 def bit(h,i):
  75   return (h[i//8] >> (i%8)) & 1
  76
  77 def publickey(sk):
  78   h = H(sk)
  79   a = 2**(b-2) + sum(2**i * bit(h,i) for i in range(3,b-2))
  80   A = scalarmult(B,a)
  81   return encodepoint(A)
  82
  83 def Hint(m):
  84   h = H(m)
  85   return sum(2**i * bit(h,i) for i in range(2*b))
  86
  87 def signature(m,sk,pk):
  88   h = H(sk)
  89   a = 2**(b-2) + sum(2**i * bit(h,i) for i in range(3,b-2))
  90   r = Hint(bytes([h[i] for i in range(b//8,b//4)]) + m)
  91   R = scalarmult(B,r)
  92   S = (r + Hint(encodepoint(R) + pk + m) * a) % l
  93   return encodepoint(R) + encodeint(S)
  94
  95 def isoncurve(P):
  96   x = P[0]
  97   y = P[1]
  98   return (-x*x + y*y - 1 - d*x*x*y*y) % q == 0
  99
 100 def decodeint(s):
 101   return sum(2**i * bit(s,i) for i in range(0,b))
 102
 103 def decodepoint(s):
 104   y = sum(2**i * bit(s,i) for i in range(0,b-1))
 105   x = xrecover(y)
 106   if x & 1 != bit(s,b-1): x = q-x
 107   P = [x,y]
 108   if not isoncurve(P): raise Exception("decoding point that is not on curve")
 109   return P
 110
 111 def checkvalid(s,m,pk):
 112   if len(s) != b//4: raise Exception("signature length is wrong")
 113   if len(pk) != b//8: raise Exception("public-key length is wrong")
 114   R = decodepoint(s[0:b//8])
 115   A = decodepoint(pk)
 116   S = decodeint(s[b//8:b//4])
 117   h = Hint(encodepoint(R) + pk + m)
 118   if scalarmult(B,S) != edwards(R,scalarmult(A,h)):
 119     raise Exception("signature does not pass verification")