/*
* return 1 if p is the neutral point
* return 0 otherwise
*/
public static int ge_isneutral(Ge_p3 p)
{
int[] zero = new int[10];
Fe_0.fe_0(zero);
/* Check if p == neutral element == (0, 1) */
return(Fe_isequal.fe_isequal(p.X, zero) & Fe_isequal.fe_isequal(p.Y, p.Z));
}
/*
* return 1 if f == g
* return 0 if f != g
*/
public static int ge_is_small_order(Ge_p3 p)
{
Ge_p1p1 p1p1 = new Ge_p1p1();
Ge_p2 p2 = new Ge_p2();
int[] zero = new int[10];
Ge_p3_dbl.ge_p3_dbl(p1p1, p);
Ge_p1p1_to_p2.ge_p1p1_to_p2(p2, p1p1);
Ge_p2_dbl.ge_p2_dbl(p1p1, p2);
Ge_p1p1_to_p2.ge_p1p1_to_p2(p2, p1p1);
Ge_p2_dbl.ge_p2_dbl(p1p1, p2);
Ge_p1p1_to_p2.ge_p1p1_to_p2(p2, p1p1);
Fe_0.fe_0(zero);
/* Check if 8*p == neutral element == (0, 1) */
return(Fe_isequal.fe_isequal(p2.X, zero) & Fe_isequal.fe_isequal(p2.Y, p2.Z));
}
/* Preconditions: a is square or zero */
public static void fe_sqrt(int[] iOut, int[] a)
{
int[] exp = new int[10];
int[] b = new int[10];
int[] b2 = new int[10];
int[] bi = new int[10];
int[] i = new int[10];
Fe_frombytes.fe_frombytes(i, i_bytes);
Fe_pow22523.fe_pow22523(exp, a); /* b = a^(q-5)/8 */
/* PRECONDITION: legendre symbol == 1 (square) or 0 (a == zero) */
//#ifndef NDEBUG
//fe legendre, zero, one;
//fe_sq(legendre, exp); /* in^((q-5)/4) */
//fe_sq(legendre, legendre); /* in^((q-5)/2) */
//fe_mul(legendre, legendre, a); /* in^((q-3)/2) */
//fe_mul(legendre, legendre, a); /* in^((q-1)/2) */
//fe_0(zero);
//fe_1(one);
//assert(fe_isequal(legendre, zero) || fe_isequal(legendre, one));
//#endif
Fe_mul.fe_mul(b, a, exp); /* b = a * a^(q-5)/8 */
Fe_sq.fe_sq(b2, b); /* b^2 = a * a^(q-1)/4 */
/* note b^4 == a^2, so b^2 == a or -a
* if b^2 != a, multiply it by sqrt(-1) */
Fe_mul.fe_mul(bi, b, i);
Fe_cmov.fe_cmov(b, bi, 1 ^ Fe_isequal.fe_isequal(b2, a));
Fe_copy.fe_copy(iOut, b);
/* PRECONDITION: out^2 == a */
//#ifndef NDEBUG
//fe_sq(b2, out);
//assert(fe_isequal(a, b2));
//#endif
}
public void elligator_fast_test()
{
byte[] elligator_correct_output = new byte[]
{
0x5f, 0x35, 0x20, 0x00, 0x1c, 0x6c, 0x99, 0x36,
0xa3, 0x12, 0x06, 0xaf, 0xe7, 0xc7, 0xac, 0x22,
0x4e, 0x88, 0x61, 0x61, 0x9b, 0xf9, 0x88, 0x72,
0x44, 0x49, 0x15, 0x89, 0x9d, 0x95, 0xf4, 0x6e
};
byte[] hashtopoint_correct_output1 = new byte[]
{
0xce, 0x89, 0x9f, 0xb2, 0x8f, 0xf7, 0x20, 0x91,
0x5e, 0x14, 0xf5, 0xb7, 0x99, 0x08, 0xab, 0x17,
0xaa, 0x2e, 0xe2, 0x45, 0xb4, 0xfc, 0x2b, 0xf6,
0x06, 0x36, 0x29, 0x40, 0xed, 0x7d, 0xe7, 0xed
};
byte[] hashtopoint_correct_output2 = new byte[]
{
0xa0, 0x35, 0xbb, 0xa9, 0x4d, 0x30, 0x55, 0x33,
0x0d, 0xce, 0xc2, 0x7f, 0x83, 0xde, 0x79, 0xd0,
0x89, 0x67, 0x72, 0x4c, 0x07, 0x8d, 0x68, 0x9d,
0x61, 0x52, 0x1d, 0xf9, 0x2c, 0x5c, 0xba, 0x77
};
byte[] calculatev_correct_output = new byte[]
{
0x1b, 0x77, 0xb5, 0xa0, 0x44, 0x84, 0x7e, 0xb9,
0x23, 0xd7, 0x93, 0x18, 0xce, 0xc2, 0xc5, 0xe2,
0x84, 0xd5, 0x79, 0x6f, 0x65, 0x63, 0x1b, 0x60,
0x9b, 0xf1, 0xf8, 0xce, 0x88, 0x0b, 0x50, 0x9c,
};
int count;
int[] iIn = new int[10];
int[] iOut = new int[10];
byte[] bytes = new byte[32];
Fe_0.fe_0(iIn);
Fe_0.fe_0(iOut);
for (count = 0; count < 32; count++)
{
bytes[count] = (byte)count;
}
Fe_frombytes.fe_frombytes(iIn, bytes);
Elligator.elligator(iOut, iIn);
Fe_tobytes.fe_tobytes(bytes, iOut);
CollectionAssert.AreEqual(elligator_correct_output, bytes, "Elligator vector");
/* Elligator(0) == 0 test */
Fe_0.fe_0(iIn);
Elligator.elligator(iOut, iIn);
CollectionAssert.AreEqual(iOut, iIn, "Elligator(0) == 0");
/* ge_montx_to_p3(0) -> order2 point test */
int[] one = new int[10];
int[] negone = new int[10];
int[] zero = new int[10];
Fe_1.fe_1(one);
Fe_0.fe_0(zero);
Fe_sub.fe_sub(negone, zero, one);
Ge_p3 p3 = new Ge_p3();
Ge_montx_to_p3.ge_montx_to_p3(p3, zero, 0);
Assert.IsTrue(Fe_isequal.fe_isequal(p3.X, zero) != 0 &&
Fe_isequal.fe_isequal(p3.Y, negone) != 0 &&
Fe_isequal.fe_isequal(p3.Z, one) != 0 &&
Fe_isequal.fe_isequal(p3.T, zero) != 0,
"ge_montx_to_p3(0) == order 2 point");
/* Hash to point vector test */
byte[] htp = new byte[32];
for (count = 0; count < 32; count++)
{
htp[count] = (byte)count;
}
ISha512 sha512provider = new BouncyCastleDotNETSha512Provider();
Elligator.hash_to_point(sha512provider, p3, htp, 32);
Ge_p3_tobytes.ge_p3_tobytes(htp, p3);
CollectionAssert.AreEqual(hashtopoint_correct_output1, htp, "hash_to_point #1");
for (count = 0; count < 32; count++)
{
htp[count] = (byte)(count + 1);
}
Elligator.hash_to_point(sha512provider, p3, htp, 32);
Ge_p3_tobytes.ge_p3_tobytes(htp, p3);
CollectionAssert.AreEqual(hashtopoint_correct_output2, htp, "hash_to_point #2");
/* calculate_U vector test */
Ge_p3 Bv = new Ge_p3();
byte[] V = new byte[32];
byte[] Vbuf = new byte[200];
byte[] a = new byte[32];
byte[] A = new byte[32];
byte[] Vmsg = new byte[3];
Vmsg[0] = 0;
Vmsg[1] = 1;
Vmsg[2] = 2;
for (count = 0; count < 32; count++)
{
a[count] = (byte)(8 + count);
A[count] = (byte)(9 + count);
}
Sc_clamp.sc_clamp(a);
Elligator.calculate_Bv_and_V(sha512provider, Bv, V, Vbuf, a, A, Vmsg, 3);
CollectionAssert.AreEqual(calculatev_correct_output, V, "calculate_Bv_and_V vector");
}
