// Elligator 1 forward-map from representative to Edwards curve point.
// Currently a straightforward, unoptimized implementation.
// See section 3.2 of the Elligator paper.
func (el *el1param) HideDecode(P point, rep []byte) {
ec := el.ec
var t, u, u2, v, Chiv, X, Y, x, y, t1, t2 nist.Int
l := ec.PointLen()
if len(rep) != l {
panic("el1Map: wrong representative length")
}
// Take the appropriate number of bits from the representative.
b := make([]byte, l)
copy(b, rep)
b[0] &^= el.padmask() // mask off the padding bits
t.InitBytes(b, &ec.P)
// u = (1-t)/(1+t)
u.Div(t1.Sub(&ec.one, &t), t2.Add(&ec.one, &t))
// v = u^5 + (r^2-2)u^3 + u
u2.Mul(&u, &u) // u2 = u^2
v.Mul(&u2, &u2) // v = u^4
v.Add(&v, t1.Mul(&el.r2m2, &u2)) // v = u^4 + (r^2-2)u^2
v.Add(&v, &ec.one).Mul(&v, &u) // v = u^5 + (r^2-2)u^3 + u
// X = Chi(v)u
chi(&Chiv, &v)
X.Mul(&Chiv, &u)
// Y = (Chi(v)v)^((q+1)/4) Chi(v) Chi(u^2+1/c^2)
t1.Add(&u2, &el.invc2)
chi(&t1, &t1) // t1 = Chi(u^2+1/c^2)
Y.Mul(&Chiv, &v)
Y.Exp(&Y, &el.pp1d4).Mul(&Y, &Chiv).Mul(&Y, &t1)
// x = (c-1)sX(1+X)/Y
x.Add(&ec.one, &X).Mul(&X, &x).Mul(&el.cm1s, &x).Div(&x, &Y)
// y = (rX-(1+X)^2)/(rX+(1+X)^2)
t1.Mul(&el.r, &X) // t1 = rX
t2.Add(&ec.one, &X).Mul(&t2, &t2) // t2 = (1+X)^2
y.Div(u.Sub(&t1, &t2), v.Add(&t1, &t2))
// Sanity-check
if !ec.onCurve(&x, &y) {
panic("elligator1 produced invalid point")
}
P.initXY(&x.V, &y.V, ec.self)
}
// Elligator 2 forward-map from representative to Edwards curve point.
// Currently a straightforward, unoptimized implementation.
// See section 5.2 of the Elligator paper.
func (el *el2param) HideDecode(P point, rep []byte) {
ec := el.ec
var r, v, x, y, t1, edx, edy nist.Int
l := ec.PointLen()
if len(rep) != l {
panic("el2Map: wrong representative length")
}
// Take the appropriate number of bits from the representative.
buf := make([]byte, l)
copy(buf, rep)
buf[0] &^= el.padmask() // mask off the padding bits
r.InitBytes(buf, &ec.P)
// v = -A/(1+ur^2)
v.Mul(&r, &r).Mul(&el.u, &v).Add(&ec.one, &v).Div(&el.negA, &v)
// e = Chi(v^3+Av^2+Bv), where B=1 because of ed2mont equivalence
t1.Add(&v, &el.A).Mul(&t1, &v).Add(&t1, &ec.one).Mul(&t1, &v)
e := math.Jacobi(&t1.V, t1.M)
// x = ev-(1-e)A/2
if e == 1 {
x.Set(&v)
} else {
x.Add(&v, &el.A).Neg(&x)
}
// y = -e sqrt(x^3+Ax^2+Bx), where B=1
y.Add(&x, &el.A).Mul(&y, &x).Add(&y, &ec.one).Mul(&y, &x)
el.sqrt(&y, &y)
if e == 1 {
y.Neg(&y) // -e factor
}
// Convert Montgomery to Edwards coordinates
el.mont2ed(&edx, &edy, &x, &y)
// Sanity-check
if !ec.onCurve(&edx, &edy) {
panic("elligator2 produced invalid point")
}
P.initXY(&edx.V, &edy.V, ec.self)
}