From 9f4736407e97bd4f939961704e3e4c1c7efaa0cb Mon Sep 17 00:00:00 2001 From: Nicholas Dudfield Date: Wed, 20 Sep 2023 16:21:15 +0700 Subject: [PATCH] feat: impl Group for X in DecafPoint/RistrettoPoint --- src/ed25519.ts | 80 ++++++++++++++++++++++++-------------------------- 1 file changed, 39 insertions(+), 41 deletions(-) diff --git a/src/ed25519.ts b/src/ed25519.ts index 1dfe769..79340f8 100644 --- a/src/ed25519.ts +++ b/src/ed25519.ts @@ -176,7 +176,6 @@ export function edwardsToMontgomeryPub(edwardsPub: Hex): Uint8Array { const _1n = BigInt(1); return Fp.toBytes(Fp.create((_1n + y) * Fp.inv(_1n - y))); } - export const edwardsToMontgomery = edwardsToMontgomeryPub; // deprecated /** @@ -204,45 +203,45 @@ const ELL2_J = BigInt(486662); // prettier-ignore function map_to_curve_elligator2_curve25519(u: bigint) { - let tv1 = Fp.sqr(u); // 1. tv1 = u^2 - tv1 = Fp.mul(tv1, _2n); // 2. tv1 = 2 * tv1 - let xd = Fp.add(tv1, Fp.ONE); // 3. xd = tv1 + 1 # Nonzero: -1 is square (mod p), tv1 is not - let x1n = Fp.neg(ELL2_J); // 4. x1n = -J # x1 = x1n / xd = -J / (1 + 2 * u^2) - let tv2 = Fp.sqr(xd); // 5. tv2 = xd^2 - let gxd = Fp.mul(tv2, xd); // 6. gxd = tv2 * xd # gxd = xd^3 - let gx1 = Fp.mul(tv1, ELL2_J); // 7. gx1 = J * tv1 # x1n + J * xd - gx1 = Fp.mul(gx1, x1n); // 8. gx1 = gx1 * x1n # x1n^2 + J * x1n * xd - gx1 = Fp.add(gx1, tv2); // 9. gx1 = gx1 + tv2 # x1n^2 + J * x1n * xd + xd^2 - gx1 = Fp.mul(gx1, x1n); // 10. gx1 = gx1 * x1n # x1n^3 + J * x1n^2 * xd + x1n * xd^2 - let tv3 = Fp.sqr(gxd); // 11. tv3 = gxd^2 - tv2 = Fp.sqr(tv3); // 12. tv2 = tv3^2 # gxd^4 - tv3 = Fp.mul(tv3, gxd); // 13. tv3 = tv3 * gxd # gxd^3 - tv3 = Fp.mul(tv3, gx1); // 14. tv3 = tv3 * gx1 # gx1 * gxd^3 - tv2 = Fp.mul(tv2, tv3); // 15. tv2 = tv2 * tv3 # gx1 * gxd^7 - let y11 = Fp.pow(tv2, ELL2_C4); // 16. y11 = tv2^c4 # (gx1 * gxd^7)^((p - 5) / 8) - y11 = Fp.mul(y11, tv3); // 17. y11 = y11 * tv3 # gx1*gxd^3*(gx1*gxd^7)^((p-5)/8) - let y12 = Fp.mul(y11, ELL2_C3); // 18. y12 = y11 * c3 - tv2 = Fp.sqr(y11); // 19. tv2 = y11^2 - tv2 = Fp.mul(tv2, gxd); // 20. tv2 = tv2 * gxd - let e1 = Fp.eql(tv2, gx1); // 21. e1 = tv2 == gx1 - let y1 = Fp.cmov(y12, y11, e1); // 22. y1 = CMOV(y12, y11, e1) # If g(x1) is square, this is its sqrt - let x2n = Fp.mul(x1n, tv1); // 23. x2n = x1n * tv1 # x2 = x2n / xd = 2 * u^2 * x1n / xd - let y21 = Fp.mul(y11, u); // 24. y21 = y11 * u - y21 = Fp.mul(y21, ELL2_C2); // 25. y21 = y21 * c2 - let y22 = Fp.mul(y21, ELL2_C3); // 26. y22 = y21 * c3 - let gx2 = Fp.mul(gx1, tv1); // 27. gx2 = gx1 * tv1 # g(x2) = gx2 / gxd = 2 * u^2 * g(x1) - tv2 = Fp.sqr(y21); // 28. tv2 = y21^2 - tv2 = Fp.mul(tv2, gxd); // 29. tv2 = tv2 * gxd - let e2 = Fp.eql(tv2, gx2); // 30. e2 = tv2 == gx2 - let y2 = Fp.cmov(y22, y21, e2); // 31. y2 = CMOV(y22, y21, e2) # If g(x2) is square, this is its sqrt - tv2 = Fp.sqr(y1); // 32. tv2 = y1^2 - tv2 = Fp.mul(tv2, gxd); // 33. tv2 = tv2 * gxd - let e3 = Fp.eql(tv2, gx1); // 34. e3 = tv2 == gx1 - let xn = Fp.cmov(x2n, x1n, e3); // 35. xn = CMOV(x2n, x1n, e3) # If e3, x = x1, else x = x2 - let y = Fp.cmov(y2, y1, e3); // 36. y = CMOV(y2, y1, e3) # If e3, y = y1, else y = y2 - let e4 = Fp.isOdd(y); // 37. e4 = sgn0(y) == 1 # Fix sign of y - y = Fp.cmov(y, Fp.neg(y), e3 !== e4); // 38. y = CMOV(y, -y, e3 XOR e4) - return {xMn: xn, xMd: xd, yMn: y, yMd: _1n}; // 39. return (xn, xd, y, 1) + let tv1 = Fp.sqr(u); // 1. tv1 = u^2 + tv1 = Fp.mul(tv1, _2n); // 2. tv1 = 2 * tv1 + let xd = Fp.add(tv1, Fp.ONE); // 3. xd = tv1 + 1 # Nonzero: -1 is square (mod p), tv1 is not + let x1n = Fp.neg(ELL2_J); // 4. x1n = -J # x1 = x1n / xd = -J / (1 + 2 * u^2) + let tv2 = Fp.sqr(xd); // 5. tv2 = xd^2 + let gxd = Fp.mul(tv2, xd); // 6. gxd = tv2 * xd # gxd = xd^3 + let gx1 = Fp.mul(tv1, ELL2_J); // 7. gx1 = J * tv1 # x1n + J * xd + gx1 = Fp.mul(gx1, x1n); // 8. gx1 = gx1 * x1n # x1n^2 + J * x1n * xd + gx1 = Fp.add(gx1, tv2); // 9. gx1 = gx1 + tv2 # x1n^2 + J * x1n * xd + xd^2 + gx1 = Fp.mul(gx1, x1n); // 10. gx1 = gx1 * x1n # x1n^3 + J * x1n^2 * xd + x1n * xd^2 + let tv3 = Fp.sqr(gxd); // 11. tv3 = gxd^2 + tv2 = Fp.sqr(tv3); // 12. tv2 = tv3^2 # gxd^4 + tv3 = Fp.mul(tv3, gxd); // 13. tv3 = tv3 * gxd # gxd^3 + tv3 = Fp.mul(tv3, gx1); // 14. tv3 = tv3 * gx1 # gx1 * gxd^3 + tv2 = Fp.mul(tv2, tv3); // 15. tv2 = tv2 * tv3 # gx1 * gxd^7 + let y11 = Fp.pow(tv2, ELL2_C4); // 16. y11 = tv2^c4 # (gx1 * gxd^7)^((p - 5) / 8) + y11 = Fp.mul(y11, tv3); // 17. y11 = y11 * tv3 # gx1*gxd^3*(gx1*gxd^7)^((p-5)/8) + let y12 = Fp.mul(y11, ELL2_C3); // 18. y12 = y11 * c3 + tv2 = Fp.sqr(y11); // 19. tv2 = y11^2 + tv2 = Fp.mul(tv2, gxd); // 20. tv2 = tv2 * gxd + let e1 = Fp.eql(tv2, gx1); // 21. e1 = tv2 == gx1 + let y1 = Fp.cmov(y12, y11, e1); // 22. y1 = CMOV(y12, y11, e1) # If g(x1) is square, this is its sqrt + let x2n = Fp.mul(x1n, tv1); // 23. x2n = x1n * tv1 # x2 = x2n / xd = 2 * u^2 * x1n / xd + let y21 = Fp.mul(y11, u); // 24. y21 = y11 * u + y21 = Fp.mul(y21, ELL2_C2); // 25. y21 = y21 * c2 + let y22 = Fp.mul(y21, ELL2_C3); // 26. y22 = y21 * c3 + let gx2 = Fp.mul(gx1, tv1); // 27. gx2 = gx1 * tv1 # g(x2) = gx2 / gxd = 2 * u^2 * g(x1) + tv2 = Fp.sqr(y21); // 28. tv2 = y21^2 + tv2 = Fp.mul(tv2, gxd); // 29. tv2 = tv2 * gxd + let e2 = Fp.eql(tv2, gx2); // 30. e2 = tv2 == gx2 + let y2 = Fp.cmov(y22, y21, e2); // 31. y2 = CMOV(y22, y21, e2) # If g(x2) is square, this is its sqrt + tv2 = Fp.sqr(y1); // 32. tv2 = y1^2 + tv2 = Fp.mul(tv2, gxd); // 33. tv2 = tv2 * gxd + let e3 = Fp.eql(tv2, gx1); // 34. e3 = tv2 == gx1 + let xn = Fp.cmov(x2n, x1n, e3); // 35. xn = CMOV(x2n, x1n, e3) # If e3, x = x1, else x = x2 + let y = Fp.cmov(y2, y1, e3); // 36. y = CMOV(y2, y1, e3) # If e3, y = y1, else y = y2 + let e4 = Fp.isOdd(y); // 37. e4 = sgn0(y) == 1 # Fix sign of y + y = Fp.cmov(y, Fp.neg(y), e3 !== e4); // 38. y = CMOV(y, -y, e3 XOR e4) + return { xMn: xn, xMd: xd, yMn: y, yMd: _1n }; // 39. return (xn, xd, y, 1) } const ELL2_C1_EDWARDS = FpSqrtEven(Fp, Fp.neg(BigInt(486664))); // sgn0(c1) MUST equal 0 @@ -481,7 +480,6 @@ class RistPoint implements Group { return new RistPoint(this.ep.negate()); } } - export const RistrettoPoint = /* @__PURE__ */ (() => { if (!RistPoint.BASE) RistPoint.BASE = new RistPoint(ed25519.ExtendedPoint.BASE); if (!RistPoint.ZERO) RistPoint.ZERO = new RistPoint(ed25519.ExtendedPoint.ZERO);