tor

The Tor anonymity network
git clone https://git.dasho.dev/tor.git
Log | Files | Refs | README | LICENSE

slow_ed25519.py (2986B)

      1 # This is the ed25519 implementation from
      2 #     https://ed25519.cr.yp.to/python/ed25519.py .
      3 # It is in the public domain.
      4 #
      5 # It isn't constant-time.  Don't use it except for testing.  Also, see
      6 # warnings about how very slow it is.  Only use this for generating
      7 # test vectors, I'd suggest.
      8 #
      9 # Don't edit this file.  Mess with ed25519_ref.py
     10 
     11 # Future imports for Python 2.7, mandatory in 3.0
     12 from __future__ import division
     13 from __future__ import print_function
     14 from __future__ import unicode_literals
     15 
     16 import hashlib
     17 
     18 b = 256
     19 q = 2**255 - 19
     20 l = 2**252 + 27742317777372353535851937790883648493
     21 
     22 def H(m):
     23  return hashlib.sha512(m).digest()
     24 
     25 def expmod(b,e,m):
     26  if e == 0: return 1
     27  t = expmod(b,e//2,m)**2 % m
     28  if e & 1: t = (t*b) % m
     29  return t
     30 
     31 def inv(x):
     32  return expmod(x,q-2,q)
     33 
     34 d = -121665 * inv(121666)
     35 I = expmod(2,(q-1)//4,q)
     36 
     37 def xrecover(y):
     38  xx = (y*y-1) * inv(d*y*y+1)
     39  x = expmod(xx,(q+3)//8,q)
     40  if (x*x - xx) % q != 0: x = (x*I) % q
     41  if x % 2 != 0: x = q-x
     42  return x
     43 
     44 By = 4 * inv(5)
     45 Bx = xrecover(By)
     46 B = [Bx % q,By % q]
     47 
     48 def edwards(P,Q):
     49  x1 = P[0]
     50  y1 = P[1]
     51  x2 = Q[0]
     52  y2 = Q[1]
     53  x3 = (x1*y2+x2*y1) * inv(1+d*x1*x2*y1*y2)
     54  y3 = (y1*y2+x1*x2) * inv(1-d*x1*x2*y1*y2)
     55  return [x3 % q,y3 % q]
     56 
     57 def scalarmult(P,e):
     58  if e == 0: return [0,1]
     59  Q = scalarmult(P,e//2)
     60  Q = edwards(Q,Q)
     61  if e & 1: Q = edwards(Q,P)
     62  return Q
     63 
     64 def encodeint(y):
     65  bits = [(y >> i) & 1 for i in range(b)]
     66  return bytes(sum([bits[i * 8 + j] << j for j in range(8)]) for i in range(b//8))
     67 
     68 def encodepoint(P):
     69  x = P[0]
     70  y = P[1]
     71  bits = [(y >> i) & 1 for i in range(b - 1)] + [x & 1]
     72  return bytes([(sum([bits[i * 8 + j] << j for j in range(8)])) for i in range(b//8)])
     73 
     74 def bit(h,i):
     75  return (h[i//8] >> (i%8)) & 1
     76 
     77 def publickey(sk):
     78  h = H(sk)
     79  a = 2**(b-2) + sum(2**i * bit(h,i) for i in range(3,b-2))
     80  A = scalarmult(B,a)
     81  return encodepoint(A)
     82 
     83 def Hint(m):
     84  h = H(m)
     85  return sum(2**i * bit(h,i) for i in range(2*b))
     86 
     87 def signature(m,sk,pk):
     88  h = H(sk)
     89  a = 2**(b-2) + sum(2**i * bit(h,i) for i in range(3,b-2))
     90  r = Hint(bytes([h[i] for i in range(b//8,b//4)]) + m)
     91  R = scalarmult(B,r)
     92  S = (r + Hint(encodepoint(R) + pk + m) * a) % l
     93  return encodepoint(R) + encodeint(S)
     94 
     95 def isoncurve(P):
     96  x = P[0]
     97  y = P[1]
     98  return (-x*x + y*y - 1 - d*x*x*y*y) % q == 0
     99 
    100 def decodeint(s):
    101  return sum(2**i * bit(s,i) for i in range(0,b))
    102 
    103 def decodepoint(s):
    104  y = sum(2**i * bit(s,i) for i in range(0,b-1))
    105  x = xrecover(y)
    106  if x & 1 != bit(s,b-1): x = q-x
    107  P = [x,y]
    108  if not isoncurve(P): raise Exception("decoding point that is not on curve")
    109  return P
    110 
    111 def checkvalid(s,m,pk):
    112  if len(s) != b//4: raise Exception("signature length is wrong")
    113  if len(pk) != b//8: raise Exception("public-key length is wrong")
    114  R = decodepoint(s[0:b//8])
    115  A = decodepoint(pk)
    116  S = decodeint(s[b//8:b//4])
    117  h = Hint(encodepoint(R) + pk + m)
    118  if scalarmult(B,S) != edwards(R,scalarmult(A,h)):
    119    raise Exception("signature does not pass verification")