// Compute the square root function, // specified in section 5.5 of the Elligator paper. func (el *el2param) sqrt(r, a *nist.Int) { var b, b2 nist.Int b.Exp(a, &el.pp3d8) // b = a^((p+3)/8); b in {a,-a} b2.Mul(&b, &b) // b^2 = a? if !b2.Equal(a) { b.Mul(&b, &el.sqrtm1) // b*sqrt(-1) } if b.V.Cmp(&el.pm1d2) > 0 { // |b| b.Neg(&b) } r.Set(&b) }
// Elligator 2 forward-map from representative to Edwards curve point. // Currently a straightforward, unoptimized implementation. // See section 5.2 of the Elligator paper. func (el *el2param) HideDecode(P point, rep []byte) { ec := el.ec var r, v, x, y, t1, edx, edy nist.Int l := ec.PointLen() if len(rep) != l { panic("el2Map: wrong representative length") } // Take the appropriate number of bits from the representative. buf := make([]byte, l) copy(buf, rep) buf[0] &^= el.padmask() // mask off the padding bits r.InitBytes(buf, &ec.P) // v = -A/(1+ur^2) v.Mul(&r, &r).Mul(&el.u, &v).Add(&ec.one, &v).Div(&el.negA, &v) // e = Chi(v^3+Av^2+Bv), where B=1 because of ed2mont equivalence t1.Add(&v, &el.A).Mul(&t1, &v).Add(&t1, &ec.one).Mul(&t1, &v) e := math.Jacobi(&t1.V, t1.M) // x = ev-(1-e)A/2 if e == 1 { x.Set(&v) } else { x.Add(&v, &el.A).Neg(&x) } // y = -e sqrt(x^3+Ax^2+Bx), where B=1 y.Add(&x, &el.A).Mul(&y, &x).Add(&y, &ec.one).Mul(&y, &x) el.sqrt(&y, &y) if e == 1 { y.Neg(&y) // -e factor } // Convert Montgomery to Edwards coordinates el.mont2ed(&edx, &edy, &x, &y) // Sanity-check if !ec.onCurve(&edx, &edy) { panic("elligator2 produced invalid point") } P.initXY(&edx.V, &edy.V, ec.self) }