def __init__(self, t1, t2, t3, t4, bx, bz): """ B = 2 * Q where X(B) = bx/bz X(Q) = (t3+t4)/(t3-t4) clobbers t1 and t2, preserves t3 and t4 :param t1: Long10 :param t2: Long10 :param t3: Long10 :param t4: Long10 :param bx: Long10 :param bz: Long10 """ #print("Mont_Dbl") if isinstance(t1, Long10) and isinstance(t2, Long10) and isinstance( t3, Long10) and isinstance(t4, Long10) and isinstance( bx, Long10) and isinstance(bz, Long10): sqr(t1, t3) sqr(t2, t4) mul(bx, t1, t2) sub(t2, t1, t2) mul_small(bz, t2, 121665) add(t1, t1, bz) mul(bz, t1, t2)
def __init__(self, t, y2, x): """ Y^2 = X^3 + 486662 X^2 + X t is a temporary :param t: Long10 :param y2: Long10 :param x: Long10 """ sqr(t, x) mul_small(y2, x, 486662) add(t, t, y2) #print("before",t._0) t._0 = t._0 + 1 #print("after",t._0) mul(y2, t, x)
def __init__(self, t1, t2, t3, t4, ax, az, dx): """ A = P + Q where X(A) = ax/az X(P) = (t1+t2)/(t1-t2) X(Q) = (t3+t4)/(t3-t4) X(P-Q) = dx clobbers t1 and t2, preserves t3 and t4 */ :param t1: Long10 :param t2: Long10 :param t3: Long10 :param t4: Long10 :param ax: Long10 :param az: Long10 :param dx: Long10 """ #print("Mont_Add") if isinstance(t1, Long10) and isinstance(t2, Long10) and isinstance( t3, Long10) and isinstance(t4, Long10) and isinstance( ax, Long10) and isinstance(az, Long10) and isinstance( dx, Long10): mul(ax, t2, t3) mul(az, t1, t4) add(t1, ax, az) sub(t2, ax, az) sqr(ax, t1) sqr(t1, t2) mul(az, t1, dx)
def __init__(self, x, u): """ a square root :param x: Long10 :param u: Long10 :return: """ v = Long10() t1 = Long10() t2 = Long10() add(t1, u, u) # t1 = 2u recip(v, t1, 1) # v = (2u)^((p-5)/8) sqr(x, v) # x = v^2 mul(t2, t1, x) # t2 = 2uv^2 print(t2.printAll()) t2._0 = t2._0 - 1 # t2 = 2uv^2-1 print(t2.printAll()) mul(t1, v, t2) # t1 = v(2uv^2-1) mul(x, u, t1) # x = uv(2uv^2-1)
def __init__(self,Y, v, h, P): """ :param Y: list[] :param v: list[] :param h: list[] :param P: list[] """ BASE_2Y = Long10(39999547, 18689728, 59995525, 1648697, 57546132,24010086, 19059592, 5425144, 63499247, 16420658) # Y = v abs(P) + h G d = [] * 32 p = Long10(Long10(), Long10()) s = Long10(Long10(), Long10()) yx = Long10(Long10(), Long10(), Long10()) yz = Long10(Long10(), Long10(), Long10()) t1 = Long10(Long10(), Long10(), Long10()) t2 = Long10(Long10(), Long10(), Long10()) vi = 0 hi = 0 di = 0 nvh= 0 i = None j = None k = None # set p[0] to G and p[1] to P set(p[0], 9) unpack(p[1], P) # set s[0] to P+G and s[1] to P-G # # s[0] = (Py^2 + Gy^2 - 2 Py Gy)/(Px - Gx)^2 - Px - Gx - 486662 # s[1] = (Py^2 + Gy^2 + 2 Py Gy)/(Px - Gx)^2 - Px - Gx - 486662 x_to_y2(t1[0], t2[0], p[1]) # t2[0] = Py^2 sqrt(t1[0], t2[0]) # t1[0] = Py or -Py j = is_negative(t1[0]) # ... check which t2[0]._0 += 39420360 # t2[0] = Py^2 + Gy^2 mul(t2[1], BASE_2Y, t1[0]) # t2[1] = 2 Py Gy or -2 Py Gy sub(t1[j], t2[0], t2[1]) # t1[0] = Py^2 + Gy^2 - 2 Py Gy add(t1[1-j], t2[0], t2[1]) # t1[1] = Py^2 + Gy^2 + 2 Py Gy cpy(t2[0], p[1]) # t2[0] = Px t2[0]._0 -= 9; # t2[0] = Px - Gx sqr(t2[1], t2[0]) # t2[1] = (Px - Gx)^2 recip(t2[0], t2[1], 0) # t2[0] = 1/(Px - Gx)^2 mul(s[0], t1[0], t2[0]) # s[0] = t1[0]/(Px - Gx)^2 sub(s[0], s[0], p[1]) # s[0] = t1[0]/(Px - Gx)^2 - Px s[0]._0 -= 9 + 486662 # s[0] = X(P+G) mul(s[1], t1[1], t2[0]) # s[1] = t1[1]/(Px - Gx)^2 sub(s[1], s[1], p[1]) # s[1] = t1[1]/(Px - Gx)^2 - Px s[1]._0 -= 9 + 486662 # s[1] = X(P-G) mul_small(s[0], s[0], 1) # reduce s[0] mul_small(s[1], s[1], 1) # reduce s[1] # prepare the chain # for i in range(32): vi = (vi >> 8) ^ (v[i] & 0xFF) ^ ((v[i] & 0xFF) << 1) hi = (hi >> 8) ^ (h[i] & 0xFF) ^ ((h[i] & 0xFF) << 1) nvh = ~(vi ^ hi) di = (nvh & (di & 0x80) >> 7) ^ vi di ^= nvh & (di & 0x01) << 1 di ^= nvh & (di & 0x02) << 1 di ^= nvh & (di & 0x04) << 1 di ^= nvh & (di & 0x08) << 1 di ^= nvh & (di & 0x10) << 1 di ^= nvh & (di & 0x20) << 1 di ^= nvh & (di & 0x40) << 1 #d[i] = (byte)di d[i] = packl_ctypes(di).value di = ((nvh & (di & 0x80) << 1) ^ vi) >> 8 # initialize state # set(yx[0], 1) cpy(yx[1], p[di]) cpy(yx[2], s[0]) set(yz[0], 0) set(yz[1], 1) set(yz[2], 1) """ y[0] is (even)P + (even)G y[1] is (even)P + (odd)G if current d-bit is 0 y[1] is (odd)P + (even)G if current d-bit is 1 y[2] is (odd)P + (odd)G """ vi = 0 hi = 0 # and go for it! # start last element of 32 list object backward and stop at 0 # for i in range(31, -1, -1): vi = (vi << 8) | (v[i] & 0xFF) hi = (hi << 8) | (h[i] & 0xFF) di = (di << 8) | (d[i] & 0xFF) for j in range(7,-1,-1): mont_prep(t1[0], t2[0], yx[0], yz[0]) mont_prep(t1[1], t2[1], yx[1], yz[1]) mont_prep(t1[2], t2[2], yx[2], yz[2]) k = ((vi ^ vi >> 1) >> j & 1) + ((hi ^ hi >> 1) >> j & 1) mont_dbl(yx[2], yz[2], t1[k], t2[k], yx[0], yz[0]) k = (di >> j & 2) ^ ((di >> j & 1) << 1) mont_add(t1[1], t2[1], t1[k], t2[k], yx[1], yz[1], p[di >> j & 1]) mont_add(t1[2], t2[2], t1[0], t2[0], yx[2], yz[2], s[((vi ^ hi) >> j & 2) >> 1]) k = (vi & 1) + (hi & 1) recip(t1[0], yz[k], 0) mul(t1[1], yx[k], t1[0]) pack(t1[1], Y)
def __init__(self, y, x, sqrtassist): """ Calculates a reciprocal. The output is in reduced form, the inputs need notbe. Simply calculates y = x^(p-2) so it's not too fast. When sqrtassist is true, it instead calculates y = x^((p-5)/8) :param y: Long10 :param x: Long10 :param sqrtassist: int """ #print("Recip") t0 = Long10() t1 = Long10() t2 = Long10() t3 = Long10() t4 = Long10() i = 0 """/ *the chain for x ^ (2 ^ 255 - 21) is straight from djb's implementation */ """ sqr(t1, x) # 2 == 2 * 1 sqr(t2, t1) # 4 == 2 * 2 sqr(t0, t2) # 8 == 2 * 4 mul(t2, t0, x) # 9 == 8 + 1 mul(t0, t2, t1) # 11 == 9 + 2 sqr(t1, t0) # 22 == 2 * 11 mul(t3, t1, t2) # 31 == 22 + 9 == 2 ^ 5 - 2 ^ 0 sqr(t1, t3) # 2 ^ 6 - 2 ^ 1 sqr(t2, t1) # 2 ^ 7 - 2 ^ 2 * / sqr(t1, t2) # 2 ^ 8 - 2 ^ 3 * / sqr(t2, t1) # 2 ^ 9 - 2 ^ 4 * / sqr(t1, t2) # 2 ^ 10 - 2 ^ 5 * / mul(t2, t1, t3) # 2 ^ 10 - 2 ^ 0 * / sqr(t1, t2) # 2 ^ 11 - 2 ^ 1 * / sqr(t3, t1) # 2 ^ 12 - 2 ^ 2 * / for i in range(1, 5, 1): sqr(t1, t3) sqr(t3, t1) # t3 * / / * 2 ^ 20 - 2 ^ 10 mul(t1, t3, t2) # 2 ^ 20 - 2 ^ 0 sqr(t3, t1) # 2 ^ 21 - 2 ^ 1 sqr(t4, t3) # 2 ^ 22 - 2 ^ 2 for i in range(1, 10, 1): sqr(t3, t4) sqr(t4, t3) # t4 * / / * 2 ^ 40 - 2 ^ 20 mul(t3, t4, t1) # 2 ^ 40 - 2 ^ 0 for i in range(0, 5, 1): sqr(t1, t3) sqr(t3, t1) # t3 * / / * 2 ^ 50 - 2 ^ 10 mul(t1, t3, t2) # 2 ^ 50 - 2 ^ 0 sqr(t2, t1) # 2 ^ 51 - 2 ^ 1 sqr(t3, t2) # 2 ^ 52 - 2 ^ 2 for i in range(1, 25, 1): sqr(t2, t3) sqr(t3, t2) # t3 * / / * 2 ^ 100 - 2 ^ 50 mul(t2, t3, t1) # 2 ^ 100 - 2 ^ 0 sqr(t3, t2) # 2 ^ 101 - 2 ^ 1 sqr(t4, t3) # 2 ^ 102 - 2 ^ 2 for i in range(1, 50, 1): sqr(t3, t4) sqr(t4, t3) # t4 * / / * 2 ^ 200 - 2 ^ 100 mul(t3, t4, t2) # 2 ^ 200 - 2 ^ 0 for i in range(0, 25, 1): sqr(t4, t3) sqr(t3, t4) # t3 * / / * 2 ^ 250 - 2 ^ 50 mul(t2, t3, t1) # 2 ^ 250 - 2 ^ 0 sqr(t1, t2) # 2 ^ 251 - 2 ^ 1 sqr(t2, t1) # 2 ^ 252 - 2 ^ 2 if (sqrtassist != 0): mul(y, x, t2) # 2 ^ 252 - 3 else: sqr(t1, t2) # 2 ^ 253 - 2 ^ 3 sqr(t2, t1) # 2 ^ 254 - 2 ^ 4 sqr(t1, t2) # 2 ^ 255 - 2 ^ 5 mul(y, t1, t0) # 2 ^ 255 - 21
def __init__(self, Px, s, k, Gx): """ :param Px: list[] :param s: list[] :param k: list[] :param Gx: list[] """ bit0 = None bit1 = None BASE_R2Y = Long10(5744, 8160848, 4790893, 13779497, 35730846, 12541209, 49101323, 30047407, 40071253, 6226132) ORDER_TIMES_8 = [] * 32 ORDER_TIMES_8.append(packl_ctypes(104).value) ORDER_TIMES_8.append(packl_ctypes(159).value) ORDER_TIMES_8.append(packl_ctypes(174).value) ORDER_TIMES_8.append(packl_ctypes(231).value) ORDER_TIMES_8.append(packl_ctypes(210).value) ORDER_TIMES_8.append(packl_ctypes(24).value) ORDER_TIMES_8.append(packl_ctypes(147).value) ORDER_TIMES_8.append(packl_ctypes(192).value) ORDER_TIMES_8.append(packl_ctypes(178).value) ORDER_TIMES_8.append(packl_ctypes(230).value) ORDER_TIMES_8.append(packl_ctypes(188).value) ORDER_TIMES_8.append(packl_ctypes(23).value) ORDER_TIMES_8.append(packl_ctypes(245).value) ORDER_TIMES_8.append(packl_ctypes(206).value) ORDER_TIMES_8.append(packl_ctypes(247).value) ORDER_TIMES_8.append(packl_ctypes(166).value) ORDER_TIMES_8.append(packl_ctypes(0).value) ORDER_TIMES_8.append(packl_ctypes(0).value) ORDER_TIMES_8.append(packl_ctypes(0).value) ORDER_TIMES_8.append(packl_ctypes(0).value) ORDER_TIMES_8.append(packl_ctypes(0).value) ORDER_TIMES_8.append(packl_ctypes(0).value) ORDER_TIMES_8.append(packl_ctypes(0).value) ORDER_TIMES_8.append(packl_ctypes(0).value) ORDER_TIMES_8.append(packl_ctypes(0).value) ORDER_TIMES_8.append(packl_ctypes(0).value) ORDER_TIMES_8.append(packl_ctypes(0).value) ORDER_TIMES_8.append(packl_ctypes(0).value) ORDER_TIMES_8.append(packl_ctypes(0).value) ORDER_TIMES_8.append(packl_ctypes(0).value) ORDER_TIMES_8.append(packl_ctypes(0).value) ORDER_TIMES_8.append(packl_ctypes(128).value) ORDER = [] * 32 ORDER.append(packl_ctypes(237).value) ORDER.append(packl_ctypes(211).value) ORDER.append(packl_ctypes(245).value) ORDER.append(packl_ctypes(92).value) ORDER.append(packl_ctypes(26).value) ORDER.append(packl_ctypes(99).value) ORDER.append(packl_ctypes(18).value) ORDER.append(packl_ctypes(88).value) ORDER.append(packl_ctypes(214).value) ORDER.append(packl_ctypes(156).value) ORDER.append(packl_ctypes(247).value) ORDER.append(packl_ctypes(162).value) ORDER.append(packl_ctypes(222).value) ORDER.append(packl_ctypes(249).value) ORDER.append(packl_ctypes(222).value) ORDER.append(packl_ctypes(20).value) ORDER.append(packl_ctypes(0).value) ORDER.append(packl_ctypes(0).value) ORDER.append(packl_ctypes(0).value) ORDER.append(packl_ctypes(0).value) ORDER.append(packl_ctypes(0).value) ORDER.append(packl_ctypes(0).value) ORDER.append(packl_ctypes(0).value) ORDER.append(packl_ctypes(0).value) ORDER.append(packl_ctypes(0).value) ORDER.append(packl_ctypes(0).value) ORDER.append(packl_ctypes(0).value) ORDER.append(packl_ctypes(0).value) ORDER.append(packl_ctypes(0).value) ORDER.append(packl_ctypes(0).value) ORDER.append(packl_ctypes(0).value) ORDER.append(packl_ctypes(16).value) #print("ORDER ", ToHexString(ORDER).getString()) dx = Long10() t1 = Long10() t2 = Long10() t3 = Long10() t4 = Long10() x = [Long10(), Long10()] z = [Long10(), Long10()] i = 32 j = 0 # unpack the base if (Gx != None): unpack(dx, Gx) else: mset(dx, 9) # 0G = point-at-infinity mset(x[0], 1) mset(z[0], 0) # 1G = G cpy(x[1], dx) mset(z[1], 1) #range(10, 0, -1) for i in range(31, -1, -1): if (i == 0): i = 0 for j in range(7, -1, -1): # swap arguments depending on bit * / bit1 = int((k[i] & 0xFF) >> j & 1) bit0 = int(~(k[i] & 0xFF) >> j & 1) ax = x[bit0] az = z[bit0] bx = x[bit1] bz = z[bit1] # a' = a + b */ # b' = 2 b */ mont_prep(t1, t2, ax, az) mont_prep(t3, t4, bx, bz) mont_add(t1, t2, t3, t4, ax, az, dx) mont_dbl(t1, t2, t3, t4, bx, bz) recip(t1, z[0], 0) mul(dx, x[0], t1) pack(dx, Px) if s is not None: x_to_y2(t2, t1, dx) # t1 = Py ^ 2 recip(t3, z[1], 0) # where Q=P+G... mul(t2, x[1], t3) # t2 = Qx add(t2, t2, dx) # t2 = Qx + Px t2._0 += 9 + 486662 # t2 = Qx + Px + Gx + 486662 dx._0 -= 9 # dx = Px - Gx sqr(t3, dx) # t3 = (Px - Gx) ^ 2 mul(dx, t2, t3) # dx = t2 (Px - Gx) ^ 2 sub(dx, dx, t1) # dx = t2 (Px - Gx) ^ 2 - Py ^ 2 dx._0 -= 39420360 # dx = t2 (Px - Gx) ^ 2 - Py ^ 2 - Gy ^ 2 mul(t1, dx, BASE_R2Y) # t1 = -Py if is_negative(t1).value != 0: # sign is 1, so just copy cpy32(s, k) else: # sign is -1, so negate * mula_small(s, ORDER_TIMES_8, 0, k, 32, -1) # reduce s mod q # ( is this needed? do it just in case, it's fast anyway) */ #// divmod((dstptr) t1, s, 32, order25519, 32); # take reciprocal of s mod q ## Ok dobbiamo modificarli in liste ## in quanto all'interno #temp1 = bytearray() #temp2 = bytearray() #temp3 = bytearray() temp1 = [0] * 32 temp2 = [0] * 64 temp3 = [0] * 64 #for i in range(32): # temp1.append(0x00) #for i in range(64): # temp2.append(0x00) # temp3.append(0x00) cpy32(temp1, ORDER) vediamo = egcd32(temp2, temp3, s, temp1).value cpy32(s, vediamo) if s[31] & 0x80 != 0: mula_small(s, s, 0, ORDER, 32, 1) else: print("CORE S --> IS NULL !!!!")