ristretto255: add uniform string->element map & fast equivalence check

author: Frank Denis <github@pureftpd.org> 2020-08-17 15:48:41 +0200
committer: Andrew Kelley <andrew@ziglang.org> 2020-08-18 00:31:02 -0400
commit: 8d6004769731deaabbed014c79b4066bd9e380e8 (patch)
tree: 0fd6b1abdb2572ca4423f3522f05fcbef636df32 /lib/std
parent: fa8935426b425110a89c6a2008013c500b7a3a79 (diff)
download: zig-8d6004769731deaabbed014c79b4066bd9e380e8.tar.gz
zig-8d6004769731deaabbed014c79b4066bd9e380e8.zip
2 files changed, 60 insertions, 15 deletions
diff --git a/lib/std/crypto/25519/field.zig b/lib/std/crypto/25519/field.zig
index 121d187e17..85b8c68315 100644
--- a/lib/std/crypto/25519/field.zig
+++ b/lib/std/crypto/25519/field.zig
@@ -21,6 +21,12 @@ pub const Fe = struct {
 
     pub const edwards25519sqrtamd = Fe{ .limbs = .{ 278908739862762, 821645201101625, 8113234426968, 1777959178193151, 2118520810568447 } }; // 1/sqrt(a-d)
 
+    pub const edwards25519eonemsqd = Fe{ .limbs = .{ 1136626929484150, 1998550399581263, 496427632559748, 118527312129759, 45110755273534 } }; // 1-d^2
+
+    pub const edwards25519sqdmone = Fe{ .limbs = .{ 1507062230895904, 1572317787530805, 683053064812840, 317374165784489, 1572899562415810 } }; // (d-1)^2
+
+    pub const edwards25519sqrtadm1 = Fe{ .limbs = .{ 2241493124984347, 425987919032274, 2207028919301688, 1220490630685848, 974799131293748 } };
+
     pub inline fn isZero(fe: Fe) bool {
         var reduced = fe;
         reduced.reduce();
diff --git a/lib/std/crypto/25519/ristretto255.zig b/lib/std/crypto/25519/ristretto255.zig
index bfdeb41f9d..a9636074a6 100644
--- a/lib/std/crypto/25519/ristretto255.zig
+++ b/lib/std/crypto/25519/ristretto255.zig
@@ -12,7 +12,7 @@ pub const Ristretto255 = struct {
 
     p: Curve,
 
-    fn sqrtRatioM1(u: Fe, v: Fe) !Fe {
+    fn sqrtRatioM1(u: Fe, v: Fe) struct { ratio_is_square: u32, root: Fe } {
         const v3 = v.sq().mul(v); // v^3
         var x = v3.sq().mul(u).mul(v).pow2523().mul(v3).mul(u); // uv^3(uv^7)^((q-5)/8)
         const vxx = x.sq().mul(v); // vx^2
@@ -24,11 +24,7 @@ pub const Ristretto255 = struct {
         const has_f_root = f_root_check.isZero();
         const x_sqrtm1 = x.mul(Fe.sqrtm1); // x*sqrt(-1)
         x.cMov(x_sqrtm1, @boolToInt(has_p_root) | @boolToInt(has_f_root));
-        const xa = x.abs();
-        if ((@boolToInt(has_m_root) | @boolToInt(has_p_root)) == 0) {
-            return error.NoRoot;
-        }
-        return xa;
+        return .{ .ratio_is_square = @boolToInt(has_m_root) | @boolToInt(has_p_root), .root = x.abs() };
     }
 
     fn rejectNonCanonical(s: [32]u8) !void {
@@ -57,15 +53,14 @@ pub const Ristretto255 = struct {
         const u2u2 = u2_.sq(); // (1+s^2)^2
         const v = Fe.edwards25519d.mul(u1u1).neg().sub(u2u2); // -(d*u1^2)-u2^2
         const v_u2u2 = v.mul(u2u2); // v*u2^2
-        const inv_sqrt = sqrtRatioM1(Fe.one, v_u2u2) catch |e| {
-            return error.InvalidEncoding;
-        };
-        var x = inv_sqrt.mul(u2_);
-        const y = inv_sqrt.mul(x).mul(v).mul(u1_);
+
+        const inv_sqrt = sqrtRatioM1(Fe.one, v_u2u2);
+        var x = inv_sqrt.root.mul(u2_);
+        const y = inv_sqrt.root.mul(x).mul(v).mul(u1_);
         x = x.mul(s_);
         x = x.add(x).abs();
         const t = x.mul(y);
-        if ((@boolToInt(t.isNegative()) | @boolToInt(y.isZero())) != 0) {
+        if ((1 - inv_sqrt.ratio_is_square) | @boolToInt(t.isNegative()) | @boolToInt(y.isZero()) != 0) {
             return error.InvalidEncoding;
         }
         const p: Curve = .{
@@ -85,9 +80,9 @@ pub const Ristretto255 = struct {
         u1_ = u1_.mul(zmy); // (Z+Y)*(Z-Y)
         const u2_ = p.x.mul(p.y); // X*Y
         const u1_u2u2 = u2_.sq().mul(u1_); // u1*u2^2
-        const inv_sqrt = sqrtRatioM1(Fe.one, u1_u2u2) catch unreachable;
-        const den1 = inv_sqrt.mul(u1_);
-        const den2 = inv_sqrt.mul(u2_);
+        const inv_sqrt = sqrtRatioM1(Fe.one, u1_u2u2);
+        const den1 = inv_sqrt.root.mul(u1_);
+        const den2 = inv_sqrt.root.mul(u2_);
         const z_inv = den1.mul(den2).mul(p.t); // den1*den2*T
         const ix = p.x.mul(Fe.sqrtm1); // X*sqrt(-1)
         const iy = p.y.mul(Fe.sqrtm1); // Y*sqrt(-1)
@@ -109,6 +104,35 @@ pub const Ristretto255 = struct {
         return p.z.sub(y).mul(den_inv).abs().toBytes();
     }
 
+    fn elligator(t: Fe) Curve {
+        const r = t.sq().mul(Fe.sqrtm1); // sqrt(-1)*t^2
+        const u = r.add(Fe.one).mul(Fe.edwards25519eonemsqd); // (r+1)*(1-d^2)
+        var c = comptime Fe.one.neg(); // -1
+        const v = c.sub(r.mul(Fe.edwards25519d)).mul(r.add(Fe.edwards25519d)); // (c-r*d)*(r+d)
+        const ratio_sqrt = sqrtRatioM1(u, v);
+        const wasnt_square = 1 - ratio_sqrt.ratio_is_square;
+        var s = ratio_sqrt.root;
+        const s_prime = s.mul(t).abs().neg(); // -|s*t|
+        s.cMov(s_prime, wasnt_square);
+        c.cMov(r, wasnt_square);
+
+        const n = r.sub(Fe.one).mul(c).mul(Fe.edwards25519sqdmone).sub(v); // c*(r-1)*(d-1)^2-v
+        const w0 = s.add(s).mul(v); // 2s*v
+        const w1 = n.mul(Fe.edwards25519sqrtadm1); // n*sqrt(ad-1)
+        const ss = s.sq(); // s^2
+        const w2 = Fe.one.sub(ss); // 1-s^2
+        const w3 = Fe.one.add(ss); // 1+s^2
+
+        return .{ .x = w0.mul(w3), .y = w2.mul(w1), .z = w1.mul(w3), .t = w0.mul(w2) };
+    }
+
+    /// Map a 64-bit string into a Ristretto255 group element
+    pub fn fromUniform(h: [64]u8) Ristretto255 {
+        const p0 = elligator(Fe.fromBytes(h[0..32].*));
+        const p1 = elligator(Fe.fromBytes(h[32..64].*));
+        return Ristretto255{ .p = p0.add(p1) };
+    }
+
     /// Double a Ristretto255 element.
     pub inline fn dbl(p: Ristretto255) Ristretto255 {
         return .{ .p = p.p.dbl() };
@@ -125,6 +149,15 @@ pub const Ristretto255 = struct {
     pub inline fn mul(p: Ristretto255, s: [32]u8) !Ristretto255 {
         return Ristretto255{ .p = try p.p.mul(s) };
     }
+
+    /// Return true if two Ristretto255 elements are equivalent
+    pub fn equivalent(p: Ristretto255, q: Ristretto255) bool {
+        const p_ = &p.p;
+        const q_ = &q.p;
+        const a = p_.x.mul(q_.y).equivalent(p_.y.mul(q_.x));
+        const b = p_.y.mul(q_.y).equivalent(p_.x.mul(q_.x));
+        return (@boolToInt(a) | @boolToInt(b)) != 0;
+    }
 };
 
 test "ristretto255" {
@@ -141,4 +174,10 @@ test "ristretto255" {
     const s = [_]u8{15} ++ [_]u8{0} ** 31;
     const w = try p.mul(s);
     std.testing.expectEqualStrings(try std.fmt.bufPrint(&buf, "{X}", .{w.toBytes()}), "E0C418F7C8D9C4CDD7395B93EA124F3AD99021BB681DFC3302A9D99A2E53E64E");
+
+    std.testing.expect(p.dbl().dbl().dbl().dbl().equivalent(w.add(p)));
+
+    const h = [_]u8{69} ** 32 ++ [_]u8{42} ** 32;
+    const ph = Ristretto255.fromUniform(h);
+    std.testing.expectEqualStrings(try std.fmt.bufPrint(&buf, "{X}", .{ph.toBytes()}), "DCCA54E037A4311EFBEEF413ACD21D35276518970B7A61DC88F8587B493D5E19");
 }
author	Frank Denis <github@pureftpd.org>	2020-08-17 15:48:41 +0200
committer	Andrew Kelley <andrew@ziglang.org>	2020-08-18 00:31:02 -0400
commit	8d6004769731deaabbed014c79b4066bd9e380e8 (patch)
tree	0fd6b1abdb2572ca4423f3522f05fcbef636df32 /lib/std
parent	fa8935426b425110a89c6a2008013c500b7a3a79 (diff)
download	zig-8d6004769731deaabbed014c79b4066bd9e380e8.tar.gz zig-8d6004769731deaabbed014c79b4066bd9e380e8.zip