Beispiel #1
0
// Compute the square root function,
// specified in section 5.5 of the Elligator paper.
func (el *el2param) sqrt(r, a *nist.Int) {
	var b, b2 nist.Int
	b.Exp(a, &el.pp3d8) // b = a^((p+3)/8); b in {a,-a}

	b2.Mul(&b, &b) // b^2 = a?
	if !b2.Equal(a) {
		b.Mul(&b, &el.sqrtm1) // b*sqrt(-1)
	}

	if b.V.Cmp(&el.pm1d2) > 0 { // |b|
		b.Neg(&b)
	}

	r.Set(&b)
}
Beispiel #2
0
// Elligator 2 forward-map from representative to Edwards curve point.
// Currently a straightforward, unoptimized implementation.
// See section 5.2 of the Elligator paper.
func (el *el2param) HideDecode(P point, rep []byte) {
	ec := el.ec
	var r, v, x, y, t1, edx, edy nist.Int

	l := ec.PointLen()
	if len(rep) != l {
		panic("el2Map: wrong representative length")
	}

	// Take the appropriate number of bits from the representative.
	buf := make([]byte, l)
	copy(buf, rep)
	buf[0] &^= el.padmask() // mask off the padding bits
	r.InitBytes(buf, &ec.P)

	// v = -A/(1+ur^2)
	v.Mul(&r, &r).Mul(&el.u, &v).Add(&ec.one, &v).Div(&el.negA, &v)

	// e = Chi(v^3+Av^2+Bv), where B=1 because of ed2mont equivalence
	t1.Add(&v, &el.A).Mul(&t1, &v).Add(&t1, &ec.one).Mul(&t1, &v)
	e := math.Jacobi(&t1.V, t1.M)

	// x = ev-(1-e)A/2
	if e == 1 {
		x.Set(&v)
	} else {
		x.Add(&v, &el.A).Neg(&x)
	}

	// y = -e sqrt(x^3+Ax^2+Bx), where B=1
	y.Add(&x, &el.A).Mul(&y, &x).Add(&y, &ec.one).Mul(&y, &x)
	el.sqrt(&y, &y)
	if e == 1 {
		y.Neg(&y) // -e factor
	}

	// Convert Montgomery to Edwards coordinates
	el.mont2ed(&edx, &edy, &x, &y)

	// Sanity-check
	if !ec.onCurve(&edx, &edy) {
		panic("elligator2 produced invalid point")
	}

	P.initXY(&edx.V, &edy.V, ec.self)
}