def test_mimc_eddsa(self):
    """Known-answer test: a fixed MiMC-EdDSA signature over [1, 2, 3] verifies."""
    public_key = Point(
        FQ(1301009284721359989986872336829887838687570550075011148323334415657243668534),
        FQ(6027072831423449649615427623935115177649426117898838224822914942466592945166),
    )
    commitment = Point(
        FQ(16697780772074863636681870538986108875460311579901354831891912949591301444465),
        FQ(4226867824412371436973606126220323912943722787513450804471487686191426145939),
    )
    response = 740212824778436527565151771778503009743408793780835234261147965780852431216
    message = [1, 2, 3]
    signature = (commitment, response)

    # NOTE(review): only the accepting path is pinned here; a companion case
    # with an altered message or scalar would also pin that verify() rejects.
    self.assertTrue(MiMCEdDSA.verify(public_key, signature, message))
def test_pure_eddsa(self):
    """Known-answer test for PureEdDSA over b'abcd'.

    Used to verify compatibility with test_jubjub_eddsa.cpp.
    """
    public_key = Point(
        FQ(333671881179914989291633188949569309119725676183802886621140166987382124337),
        FQ(4050436616325076046600891135828313078248584449767955905006778857958871314574),
    )
    commitment = Point(
        FQ(17815983127755465894346158776246779862712623073638768513395595796132990361464),
        FQ(947174453624106321442736396890323086851143728754269151257776508699019857364),
    )
    response = 13341814865473145800030207090487687417599620847405735706082771659861699337012
    message = b'abcd'
    signature = (commitment, response)

    self.assertTrue(PureEdDSA.verify(public_key, signature, message))
    # Variant separation: the same signature must not be accepted by the
    # other scheme for the same key and message.
    self.assertFalse(EdDSA.verify(public_key, signature, message))
def test_hash_eddsa(self):
    """Known-answer test for EdDSA over b'abc'.

    Used to verify compatibility with test_jubjub_eddsa.cpp.
    """
    public_key = Point(
        FQ(333671881179914989291633188949569309119725676183802886621140166987382124337),
        FQ(4050436616325076046600891135828313078248584449767955905006778857958871314574),
    )
    commitment = Point(
        FQ(21473010389772475573783051334263374448039981396476357164143587141689900886674),
        FQ(11330590229113935667895133446882512506792533479705847316689101265088791098646),
    )
    response = 21807294168737929637405719327036335125520717961882955117047593281820367379946
    message = b'abc'
    signature = (commitment, response)

    self.assertTrue(EdDSA.verify(public_key, signature, message))
    # Variant separation: a signature made for EdDSA must be rejected by
    # PureEdDSA for the same key and message.
    self.assertFalse(PureEdDSA.verify(public_key, signature, message))
def test_hash_bits_known(self):
    """Pin pedersen_hash_bits to a known output point for a fixed bit string."""
    # Input is given as a string of '0'/'1' characters, hashed under the
    # name 'EdDSA_Verify.RAM'.
    bit_string = '101100110011111001100100101100010100011010100100001011101001000100100000001111101101111001001010111011101101011010010101101101101000000010000000101010110100011110101110111100111100011110110011100101011000000000110101111001110000101011011110100100011110010000110111010011000001000100101100101111001100100010110101100010001000000101111011011010010011110001110111101011110001111111100010010000110101000001010111000111011110111010010010000101110000011001111000101010001101100000110111111110011001110101011000110010111111000101001100010001011011101010101011101010110000111100101000000110011000011001101000001010110110010000110101011111100010111011100110111101110111011001001110100100110010100111001000001010101010010100010100101101000010100010000111110101111000101110'
    digest = pedersen_hash_bits('EdDSA_Verify.RAM', bit_string)
    expected = Point(
        FQ(16391910732431349989910402670442677728780476741314399751389577385062806845560),
        FQ(9557600014660247419117975756584483223203707451467643504980876223495155042156),
    )
    self.assertEqual(digest, expected)
def test_hash_bytes_known(self):
    """Pin pedersen_hash_bytes to known output points for two byte strings."""
    # (input bytes, expected x, expected y); all hashed under the name b'test'.
    known_answers = (
        (b"abc",
         9869277320722751484529016080276887338184240285836102740267608137843906399765,
         19790690237145851554496394080496962351633528315779989340140084430077208474328),
        (b"abcdefghijklmnopqrstuvwx",
         3966548799068703226441887746390766667253943354008248106643296790753369303077,
         12849086395963202120677663823933219043387904870880733726805962981354278512988),
    )
    for data, want_x, want_y in known_answers:
        self.assertEqual(
            pedersen_hash_bytes(b'test', data),
            Point(FQ(want_x), FQ(want_y)))
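def sign(value, k):
    """Sign `value` with key `k` and return the signature pair (R, S).

    The message is the big-endian byte string of the integer obtained by
    parsing toBinaryString(value) as base 2. The base point is derived with
    Point.from_hash(b'eddsa_base').

    Args:
        value: object accepted by toBinaryString().
        k: signing key; coerced to FQ before use.

    Returns:
        (R, S) as returned by eddsa_sign().

    Raises:
        AssertionError: if the fresh signature does not pass eddsa_verify().
    """
    k = FQ(k)
    B = Point.from_hash(b'eddsa_base')

    # hex() yields an odd number of digits whenever the top nibble is the
    # only one in its byte (and for 0), which bytes.fromhex() rejects with
    # ValueError. Left-pad to a whole number of bytes; inputs that already
    # produced an even digit count give exactly the same bytes as before.
    digits = hex(int(toBinaryString(value), 2))[2:]
    if len(digits) % 2:
        digits = '0' + digits
    m = bytes.fromhex(digits)
    # NOTE(review): int(..., 2) discards leading zero bits, so bit strings
    # that differ only in leading zeros map to the same message and the same
    # signature. If toBinaryString() can return such strings for distinct
    # values, a fixed-width encoding is needed - confirm against callers.

    R, S, A = eddsa_sign(m, k, B)
    # Self-check written as an explicit raise so it is not stripped when
    # Python runs with -O; the exception type is unchanged.
    if not eddsa_verify(A, R, S, m, B):
        raise AssertionError('freshly produced signature failed verification')
    return R, S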
def test_signverify(self):
    """Round trip: a signature over a random 32-byte message verifies."""
    base = Point.from_hash(b'eddsa_base')
    secret = FQ.random(JUBJUB_L)
    public = base * secret
    message = urandom(32)

    commitment, response = eddsa_sign(message, secret, base, public)

    # NOTE(review): key and message are random per run and only acceptance
    # is asserted; a tampered-message case would pin the rejecting path too.
    self.assertTrue(
        eddsa_verify(public, commitment, response, message, base))
def test_hash_scalars_known(self):
    """Pin pedersen_hash_scalars to known output points for three scalars."""
    # (scalar, expected x, expected y); all hashed under the name b'test'.
    # NOTE(review): the last scalar appears to be one below the BN254
    # scalar-field modulus, i.e. the largest field element - TODO confirm.
    known_answers = (
        (267,
         6790798216812059804926342266703617627640027902964190490794793207272357201212,
         2522797517250455013248440571887865304858084343310097011302610004060289809689),
        (6453482891510615431577168724743356132495662554103773572771861111634748265227,
         6545697115159207040330446958704617656199928059562637738348733874272425400594,
         16414097465381367987194277536478439232201417933379523927469515207544654431390),
        (21888242871839275222246405745257275088548364400416034343698204186575808495616,
         16322787121012335146141962340685388833598805940095898416175167744309692564601,
         7671892447502767424995649701270280747270481283542925053047237428072257876309),
    )
    for scalar, want_x, want_y in known_answers:
        self.assertEqual(
            pedersen_hash_scalars(b'test', scalar),
            Point(FQ(want_x), FQ(want_y)))
def point_add(P1, P2):
    """Add two points with the explicit formulas, mirroring circuit constraints.

    The sum is computed twice: once with the Point `+` operator (reference)
    and once step by step from the coordinates. Each intermediate product is
    re-asserted as a constraint, both results are printed side by side, and
    the step-by-step result is returned as a new Point.

    NOTE(review): the inputs are not checked here for being on the curve, and
    the two divisions assume non-zero denominators - confirm the callers only
    pass valid curve points.
    """
    d = JUBJUB_D
    nega = -FQ(JUBJUB_A)

    x1, y1 = P1.x, P1.y
    x2, y2 = P2.x, P2.y

    # Reference result from the library's own addition.
    reference = P1 + P2

    # https://z.cash/technology/jubjub/
    # Variables
    beta = x1 * y2
    gamma = y1 * x2
    delta = y1 * y2
    epsilon = x1 * x2
    tau = delta * epsilon

    # Constants, calculated out of circuit
    x_numer = beta + gamma
    y_numer = delta + (nega * epsilon)
    X3 = x_numer / (1 + (d * tau))
    Y3 = y_numer / (1 - (d * tau))

    # 7 Constraints
    assert beta == x1 * y2
    assert gamma == y1 * x2
    assert delta == y1 * y2
    assert epsilon == x1 * x2
    assert tau == delta * epsilon
    assert X3 * (1 + (d * tau)) == (beta + gamma)
    assert Y3 * (1 - (d * tau)) == (delta + (nega * epsilon))

    # Side-by-side output of the computed and reference coordinates.
    print(X3, reference.x)
    print(Y3, reference.y)
    print()

    return Point(X3, Y3)
def test_hash_eddsa(self):
    """Known-answer test for eddsa_verify over b'abc' with an explicit base point.

    Used to verify compatibility with test_jubjub_eddsa.cpp.
    """
    base = Point(
        FQ(21609035313031231356478892405209584931807557563713540183143349090940105307553),
        FQ(845281570263603011277359323511710394920357596931617398831207691379369851278),
    )
    public_key = Point(
        FQ(5616630816018221659484394091994939318481030030481519242876140465113436048304),
        FQ(8476221375891900895034976644661703008703725320613595264559419965669922411183),
    )
    commitment = Point(
        FQ(17883110238616315155327756854433987355427639458557188556819876765548551765197),
        FQ(11833558192785987866925773659755699683735551950878443451361314529874236222818),
    )
    response = 9920504625278683304895036460477595239370241328717115039061027107077120437288
    message = b'abc'
    signature = (commitment, response)

    self.assertTrue(eddsa_verify(public_key, signature, message, base))
    # Variant separation: the pure verifier must reject this signature for
    # the same key, message and base point.
    self.assertFalse(pureeddsa_verify(public_key, signature, message, base))
def test_pure_eddsa(self):
    """Known-answer test for pureeddsa_verify over b'abcd' with an explicit base point.

    Used to verify compatibility with test_jubjub_eddsa.cpp.
    """
    base = Point(
        FQ(16117159321177103813813294286550615556837550473658220567209763364611339839115),
        FQ(11465736382824868633493204496205282307637286781164666440541087834417561817657),
    )
    public_key = Point(
        FQ(7232078318593313024960606529959628262327760580530543297615441605656275483008),
        FQ(13445187542498117393920468884784587115570437154948817232436446927611108297778),
    )
    commitment = Point(
        FQ(16748186150368319377210820880944935248945916993910817768852007732596413990860),
        FQ(4850962850934517657076914998696277193398065576910427229359881798401199408131),
    )
    response = 9530517511211249528464523051059372760063486304291273287859289432498093931519
    message = b'abcd'
    signature = (commitment, response)

    self.assertTrue(pureeddsa_verify(public_key, signature, message, base))
    # Variant separation: the hashed verifier must reject this signature for
    # the same key, message and base point.
    self.assertFalse(eddsa_verify(public_key, signature, message, base))
Z3 = (((Y1*c_Y2) + (c_aX2*X1)) * ((X1*c_X2plusY2) + (Y1*c_negX2plusY2) + (Y1*c_Y2) + (c_negX2 * X1))) """ # Conditional addition of the delta to get the result X4 = (X3 - X1) * bit_flag Y4 = (Y3 - Y1) * bit_flag T4 = (T3 - T1) * bit_flag Z4 = (Z3 - Z1) * bit_flag return ((X1 + X4), (Y1 + Y4), (T1 + T4), (Z1 + Z4)) if __name__ == "__main__": summed = (FQ(0), FQ(1), FQ(0), FQ(1)) base_start = Point.from_hash(urandom(32)) scalar = randint(1, JUBJUB_L-1) result = base_start * scalar while scalar != 0: base_powered = (base_start.x, base_start.y) summed = mixed_add(summed, base_powered, (scalar & 1)) base_start = base_start.double() scalar = scalar // 2 X3 = summed[0] / summed[3] Y3 = summed[1] / summed[3] assert X3 == result.x assert Y3 == result.y
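def verify(value, R, S, A):
    """Check the signature (R, S) on `value` against public key `A`.

    The message is the big-endian byte string of the integer obtained by
    parsing toBinaryString(value) as base 2. The base point is derived with
    Point.from_hash(b'eddsa_base').

    Args:
        value: object accepted by toBinaryString().
        R: indexable pair (x, y) of coordinates for the signature point.
        S: signature scalar, passed to eddsa_verify() unchanged.
        A: indexable pair (x, y) of coordinates for the public key point.

    Returns:
        Whatever eddsa_verify() returns for these inputs.
    """
    # NOTE(review): R and A arrive as raw coordinates from the caller.
    # Whether Point() or eddsa_verify() rejects off-curve or small-order
    # points is not visible here - confirm before exposing this to
    # untrusted signatures or keys.
    R = Point(FQ(R[0]), FQ(R[1]))
    A = Point(FQ(A[0]), FQ(A[1]))
    B = Point.from_hash(b'eddsa_base')

    # hex() yields an odd number of digits whenever the top nibble is the
    # only one in its byte (and for 0), which bytes.fromhex() rejects with
    # ValueError. Left-pad to a whole number of bytes; inputs that already
    # produced an even digit count give exactly the same bytes as before.
    digits = hex(int(toBinaryString(value), 2))[2:]
    if len(digits) % 2:
        digits = '0' + digits
    m = bytes.fromhex(digits)
    # NOTE(review): int(..., 2) discards leading zero bits, so bit strings
    # that differ only in leading zeros yield the same message and a
    # signature on one is accepted for the other. Confirm toBinaryString()
    # is fixed-width or otherwise unambiguous.

    return eddsa_verify(A, R, S, m, B)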
def keypair():
    """Create a fresh key pair and return it as (secret key, public key).

    The public key is the base point, derived with
    Point.from_hash(b'eddsa_base'), multiplied by the secret key.
    """
    base_point = Point.from_hash(b'eddsa_base')
    # NOTE(review): the secret key comes from FQ.random(); its randomness
    # source is not visible here. Confirm it is backed by a CSPRNG
    # (os.urandom / secrets) and that it cannot yield 0.
    secret_key = FQ.random(JUBJUB_L)
    public_key = base_point * secret_key
    return secret_key, public_key
def test_zcash(self):
    """Check the pedersen_hash_zcash_* helpers: validity, arity and known answers."""
    # Hashing one scalar and hashing the same scalar twice must give two
    # valid, distinct points.
    # NOTE(review): the scalar is drawn with randint() on every run, so a
    # failure here may not reproduce without knowing the drawn value.
    scalar = randint(1, 1024)
    single = pedersen_hash_zcash_scalars(b'test', scalar)
    doubled = pedersen_hash_zcash_scalars(b'test', scalar, scalar)
    self.assertTrue(single.valid)
    self.assertTrue(doubled.valid)
    self.assertNotEqual(single, doubled)

    # (scalar, expected x, expected y); all hashed under the name b'test'.
    # NOTE(review): the last scalar appears to be one below the BN254
    # scalar-field modulus, i.e. the largest field element - TODO confirm.
    scalar_answers = (
        (267,
         6790798216812059804926342266703617627640027902964190490794793207272357201212,
         2522797517250455013248440571887865304858084343310097011302610004060289809689),
        (6453482891510615431577168724743356132495662554103773572771861111634748265227,
         6545697115159207040330446958704617656199928059562637738348733874272425400594,
         16414097465381367987194277536478439232201417933379523927469515207544654431390),
        (21888242871839275222246405745257275088548364400416034343698204186575808495616,
         16322787121012335146141962340685388833598805940095898416175167744309692564601,
         7671892447502767424995649701270280747270481283542925053047237428072257876309),
    )
    for value, want_x, want_y in scalar_answers:
        self.assertEqual(
            pedersen_hash_zcash_scalars(b'test', value),
            Point(FQ(want_x), FQ(want_y)))

    # (input bytes, expected x, expected y); all hashed under the name b'test'.
    bytes_answers = (
        (b"abc",
         9869277320722751484529016080276887338184240285836102740267608137843906399765,
         19790690237145851554496394080496962351633528315779989340140084430077208474328),
        (b"abcdefghijklmnopqrstuvwx",
         3966548799068703226441887746390766667253943354008248106643296790753369303077,
         12849086395963202120677663823933219043387904870880733726805962981354278512988),
    )
    for data, want_x, want_y in bytes_answers:
        self.assertEqual(
            pedersen_hash_zcash_bytes(b'test', data),
            Point(FQ(want_x), FQ(want_y)))

    # Bit-string input, hashed under the name 'EdDSA_Verify.RAM'.
    bit_string = '101100110011111001100100101100010100011010100100001011101001000100100000001111101101111001001010111011101101011010010101101101101000000010000000101010110100011110101110111100111100011110110011100101011000000000110101111001110000101011011110100100011110010000110111010011000001000100101100101111001100100010110101100010001000000101111011011010010011110001110111101011110001111111100010010000110101000001010111000111011110111010010010000101110000011001111000101010001101100000110111111110011001110101011000110010111111000101001100010001011011101010101011101010110000111100101000000110011000011001101000001010110110010000110101011111100010111011100110111101110111011001001110100100110010100111001000001010101010010100010100101101000010100010000111110101111000101110'
    self.assertEqual(
        pedersen_hash_zcash_bits('EdDSA_Verify.RAM', bit_string),
        Point(
            FQ(16391910732431349989910402670442677728780476741314399751389577385062806845560),
            FQ(9557600014660247419117975756584483223203707451467643504980876223495155042156)))