//CONVERT #include "ge.h"
public static void ge_p3_tobytes(byte[] s, Ge_p3 h)
{
int[] recip = new int[10];
int[] x = new int[10];
int[] y = new int[10];
Fe_invert.fe_invert(recip, h.Z);
Fe_mul.fe_mul(x, h.X, recip);
Fe_mul.fe_mul(y, h.Y, recip);
Fe_tobytes.fe_tobytes(s, y);
s[31] ^= (byte)(Fe_isnegative.fe_isnegative(x) << 7);
}
public static bool fe_isreduced(byte[] curve25519_pubkey)
{
int[] fe = new int[10];
byte[] strict = new byte[32];
Fe_frombytes.fe_frombytes(fe, curve25519_pubkey);
Fe_tobytes.fe_tobytes(strict, fe);
if (Crypto_verify_32.crypto_verify_32(strict, curve25519_pubkey) != 0)
{
return(false);
}
return(true);
}
public static void curve25519_keygen(byte[] curve25519_pubkey_out, byte[] curve25519_privkey_in)
{
/* Perform a fixed-base multiplication of the Edwards base point,
* (which is efficient due to precalculated tables), then convert
* to the Curve25519 montgomery-format public key.
*
* NOTE: y=1 is converted to u=0 since fe_invert is mod-exp
*/
Ge_p3 ed = new Ge_p3(); /* Ed25519 pubkey point */
int[] u = new int[10];
Ge_scalarmult_base.ge_scalarmult_base(ed, curve25519_privkey_in);
Ge_p3_to_montx.ge_p3_to_montx(u, ed);
Fe_tobytes.fe_tobytes(curve25519_pubkey_out, u);
}
public void elligator_fast_test()
{
byte[] elligator_correct_output = new byte[]
{
0x5f, 0x35, 0x20, 0x00, 0x1c, 0x6c, 0x99, 0x36,
0xa3, 0x12, 0x06, 0xaf, 0xe7, 0xc7, 0xac, 0x22,
0x4e, 0x88, 0x61, 0x61, 0x9b, 0xf9, 0x88, 0x72,
0x44, 0x49, 0x15, 0x89, 0x9d, 0x95, 0xf4, 0x6e
};
byte[] hashtopoint_correct_output1 = new byte[]
{
0xce, 0x89, 0x9f, 0xb2, 0x8f, 0xf7, 0x20, 0x91,
0x5e, 0x14, 0xf5, 0xb7, 0x99, 0x08, 0xab, 0x17,
0xaa, 0x2e, 0xe2, 0x45, 0xb4, 0xfc, 0x2b, 0xf6,
0x06, 0x36, 0x29, 0x40, 0xed, 0x7d, 0xe7, 0xed
};
byte[] hashtopoint_correct_output2 = new byte[]
{
0xa0, 0x35, 0xbb, 0xa9, 0x4d, 0x30, 0x55, 0x33,
0x0d, 0xce, 0xc2, 0x7f, 0x83, 0xde, 0x79, 0xd0,
0x89, 0x67, 0x72, 0x4c, 0x07, 0x8d, 0x68, 0x9d,
0x61, 0x52, 0x1d, 0xf9, 0x2c, 0x5c, 0xba, 0x77
};
byte[] calculatev_correct_output = new byte[]
{
0x1b, 0x77, 0xb5, 0xa0, 0x44, 0x84, 0x7e, 0xb9,
0x23, 0xd7, 0x93, 0x18, 0xce, 0xc2, 0xc5, 0xe2,
0x84, 0xd5, 0x79, 0x6f, 0x65, 0x63, 0x1b, 0x60,
0x9b, 0xf1, 0xf8, 0xce, 0x88, 0x0b, 0x50, 0x9c,
};
int count;
int[] iIn = new int[10];
int[] iOut = new int[10];
byte[] bytes = new byte[32];
Fe_0.fe_0(iIn);
Fe_0.fe_0(iOut);
for (count = 0; count < 32; count++)
{
bytes[count] = (byte)count;
}
Fe_frombytes.fe_frombytes(iIn, bytes);
Elligator.elligator(iOut, iIn);
Fe_tobytes.fe_tobytes(bytes, iOut);
CollectionAssert.AreEqual(elligator_correct_output, bytes, "Elligator vector");
/* Elligator(0) == 0 test */
Fe_0.fe_0(iIn);
Elligator.elligator(iOut, iIn);
CollectionAssert.AreEqual(iOut, iIn, "Elligator(0) == 0");
/* ge_montx_to_p3(0) -> order2 point test */
int[] one = new int[10];
int[] negone = new int[10];
int[] zero = new int[10];
Fe_1.fe_1(one);
Fe_0.fe_0(zero);
Fe_sub.fe_sub(negone, zero, one);
Ge_p3 p3 = new Ge_p3();
Ge_montx_to_p3.ge_montx_to_p3(p3, zero, 0);
Assert.IsTrue(Fe_isequal.fe_isequal(p3.X, zero) != 0 &&
Fe_isequal.fe_isequal(p3.Y, negone) != 0 &&
Fe_isequal.fe_isequal(p3.Z, one) != 0 &&
Fe_isequal.fe_isequal(p3.T, zero) != 0,
"ge_montx_to_p3(0) == order 2 point");
/* Hash to point vector test */
byte[] htp = new byte[32];
for (count = 0; count < 32; count++)
{
htp[count] = (byte)count;
}
ISha512 sha512provider = new BouncyCastleDotNETSha512Provider();
Elligator.hash_to_point(sha512provider, p3, htp, 32);
Ge_p3_tobytes.ge_p3_tobytes(htp, p3);
CollectionAssert.AreEqual(hashtopoint_correct_output1, htp, "hash_to_point #1");
for (count = 0; count < 32; count++)
{
htp[count] = (byte)(count + 1);
}
Elligator.hash_to_point(sha512provider, p3, htp, 32);
Ge_p3_tobytes.ge_p3_tobytes(htp, p3);
CollectionAssert.AreEqual(hashtopoint_correct_output2, htp, "hash_to_point #2");
/* calculate_U vector test */
Ge_p3 Bv = new Ge_p3();
byte[] V = new byte[32];
byte[] Vbuf = new byte[200];
byte[] a = new byte[32];
byte[] A = new byte[32];
byte[] Vmsg = new byte[3];
Vmsg[0] = 0;
Vmsg[1] = 1;
Vmsg[2] = 2;
for (count = 0; count < 32; count++)
{
a[count] = (byte)(8 + count);
A[count] = (byte)(9 + count);
}
Sc_clamp.sc_clamp(a);
Elligator.calculate_Bv_and_V(sha512provider, Bv, V, Vbuf, a, A, Vmsg, 3);
CollectionAssert.AreEqual(calculatev_correct_output, V, "calculate_Bv_and_V vector");
}
public static int fe_isnonzero(int[] f)
{
byte[] s = new byte[32];
Fe_tobytes.fe_tobytes(s, f);
return(Crypto_verify_32.crypto_verify_32(s, zero));
}
//CONVERT #include "crypto_scalarmult.h"
//CONVERT #include "fe.h"
public static int crypto_scalarmult(byte[] q,
byte[] n,
byte[] p)
{
byte[] e = new byte[32];
int i;
int[] x1 = new int[10];
int[] x2 = new int[10];
int[] z2 = new int[10];
int[] x3 = new int[10];
int[] z3 = new int[10];
int[] tmp0 = new int[10];
int[] tmp1 = new int[10];
int pos;
int swap;
int b;
for (i = 0; i < 32; ++i)
{
e[i] = n[i];
}
// e[0] &= 248;
// e[31] &= 127;
// e[31] |= 64;
Fe_frombytes.fe_frombytes(x1, p);
Fe_1.fe_1(x2);
Fe_0.fe_0(z2);
Fe_copy.fe_copy(x3, x1);
Fe_1.fe_1(z3);
swap = 0;
for (pos = 254; pos >= 0; --pos)
{
b = (int)(((uint)e[pos / 8]) >> (pos & 7));
b &= 1;
swap ^= b;
Fe_cswap.fe_cswap(x2, x3, swap);
Fe_cswap.fe_cswap(z2, z3, swap);
swap = b;
//CONVERT #include "montgomery.h"
/* qhasm: fe X2 */
/* qhasm: fe Z2 */
/* qhasm: fe X3 */
/* qhasm: fe Z3 */
/* qhasm: fe X4 */
/* qhasm: fe Z4 */
/* qhasm: fe X5 */
/* qhasm: fe Z5 */
/* qhasm: fe A */
/* qhasm: fe B */
/* qhasm: fe C */
/* qhasm: fe D */
/* qhasm: fe E */
/* qhasm: fe AA */
/* qhasm: fe BB */
/* qhasm: fe DA */
/* qhasm: fe CB */
/* qhasm: fe t0 */
/* qhasm: fe t1 */
/* qhasm: fe t2 */
/* qhasm: fe t3 */
/* qhasm: fe t4 */
/* qhasm: enter ladder */
/* qhasm: D = X3-Z3 */
/* asm 1: fe_sub.fe_sub(>D=fe#5,<X3=fe#3,<Z3=fe#4); */
/* asm 2: fe_sub.fe_sub(>D=tmp0,<X3=x3,<Z3=z3); */
Fe_sub.fe_sub(tmp0, x3, z3);
/* qhasm: B = X2-Z2 */
/* asm 1: fe_sub.fe_sub(>B=fe#6,<X2=fe#1,<Z2=fe#2); */
/* asm 2: fe_sub.fe_sub(>B=tmp1,<X2=x2,<Z2=z2); */
Fe_sub.fe_sub(tmp1, x2, z2);
/* qhasm: A = X2+Z2 */
/* asm 1: fe_add.fe_add(>A=fe#1,<X2=fe#1,<Z2=fe#2); */
/* asm 2: fe_add.fe_add(>A=x2,<X2=x2,<Z2=z2); */
Fe_add.fe_add(x2, x2, z2);
/* qhasm: C = X3+Z3 */
/* asm 1: fe_add.fe_add(>C=fe#2,<X3=fe#3,<Z3=fe#4); */
/* asm 2: fe_add.fe_add(>C=z2,<X3=x3,<Z3=z3); */
Fe_add.fe_add(z2, x3, z3);
/* qhasm: DA = D*A */
/* asm 1: fe_mul.fe_mul(>DA=fe#4,<D=fe#5,<A=fe#1); */
/* asm 2: fe_mul.fe_mul(>DA=z3,<D=tmp0,<A=x2); */
Fe_mul.fe_mul(z3, tmp0, x2);
/* qhasm: CB = C*B */
/* asm 1: fe_mul.fe_mul(>CB=fe#2,<C=fe#2,<B=fe#6); */
/* asm 2: fe_mul.fe_mul(>CB=z2,<C=z2,<B=tmp1); */
Fe_mul.fe_mul(z2, z2, tmp1);
/* qhasm: BB = B^2 */
/* asm 1: fe_sq.fe_sq(>BB=fe#5,<B=fe#6); */
/* asm 2: fe_sq.fe_sq(>BB=tmp0,<B=tmp1); */
Fe_sq.fe_sq(tmp0, tmp1);
/* qhasm: AA = A^2 */
/* asm 1: fe_sq.fe_sq(>AA=fe#6,<A=fe#1); */
/* asm 2: fe_sq.fe_sq(>AA=tmp1,<A=x2); */
Fe_sq.fe_sq(tmp1, x2);
/* qhasm: t0 = DA+CB */
/* asm 1: fe_add.fe_add(>t0=fe#3,<DA=fe#4,<CB=fe#2); */
/* asm 2: fe_add.fe_add(>t0=x3,<DA=z3,<CB=z2); */
Fe_add.fe_add(x3, z3, z2);
/* qhasm: assign x3 to t0 */
/* qhasm: t1 = DA-CB */
/* asm 1: fe_sub.fe_sub(>t1=fe#2,<DA=fe#4,<CB=fe#2); */
/* asm 2: fe_sub.fe_sub(>t1=z2,<DA=z3,<CB=z2); */
Fe_sub.fe_sub(z2, z3, z2);
/* qhasm: X4 = AA*BB */
/* asm 1: fe_mul.fe_mul(>X4=fe#1,<AA=fe#6,<BB=fe#5); */
/* asm 2: fe_mul.fe_mul(>X4=x2,<AA=tmp1,<BB=tmp0); */
Fe_mul.fe_mul(x2, tmp1, tmp0);
/* qhasm: E = AA-BB */
/* asm 1: fe_sub.fe_sub(>E=fe#6,<AA=fe#6,<BB=fe#5); */
/* asm 2: fe_sub.fe_sub(>E=tmp1,<AA=tmp1,<BB=tmp0); */
Fe_sub.fe_sub(tmp1, tmp1, tmp0);
/* qhasm: t2 = t1^2 */
/* asm 1: fe_sq.fe_sq(>t2=fe#2,<t1=fe#2); */
/* asm 2: fe_sq.fe_sq(>t2=z2,<t1=z2); */
Fe_sq.fe_sq(z2, z2);
/* qhasm: t3 = a24*E */
/* asm 1: fe_mul121666(>t3=fe#4,<E=fe#6); */
/* asm 2: fe_mul121666(>t3=z3,<E=tmp1); */
Fe_mul121666.fe_mul121666(z3, tmp1);
/* qhasm: X5 = t0^2 */
/* asm 1: fe_sq.fe_sq(>X5=fe#3,<t0=fe#3); */
/* asm 2: fe_sq.fe_sq(>X5=x3,<t0=x3); */
Fe_sq.fe_sq(x3, x3);
/* qhasm: t4 = BB+t3 */
/* asm 1: fe_add.fe_add(>t4=fe#5,<BB=fe#5,<t3=fe#4); */
/* asm 2: fe_add.fe_add(>t4=tmp0,<BB=tmp0,<t3=z3); */
Fe_add.fe_add(tmp0, tmp0, z3);
/* qhasm: Z5 = X1*t2 */
/* asm 1: fe_mul.fe_mul(>Z5=fe#4,x1,<t2=fe#2); */
/* asm 2: fe_mul.fe_mul(>Z5=z3,x1,<t2=z2); */
Fe_mul.fe_mul(z3, x1, z2);
/* qhasm: Z4 = E*t4 */
/* asm 1: fe_mul.fe_mul(>Z4=fe#2,<E=fe#6,<t4=fe#5); */
/* asm 2: fe_mul.fe_mul(>Z4=z2,<E=tmp1,<t4=tmp0); */
Fe_mul.fe_mul(z2, tmp1, tmp0);
/* qhasm: return */
}
Fe_cswap.fe_cswap(x2, x3, swap);
Fe_cswap.fe_cswap(z2, z3, swap);
Fe_invert.fe_invert(z2, z2);
Fe_mul.fe_mul(x2, x2, z2);
Fe_tobytes.fe_tobytes(q, x2);
return(0);
}
//CONVERT #include "fe.h"
/*
* return 1 if f is in {1,3,5,...,q-2}
* return 0 if f is in {0,2,4,...,q-1}
*
* Preconditions:
|f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
*/
public static int fe_isnegative(int[] f)
{
byte[] s = new byte[32];
Fe_tobytes.fe_tobytes(s, f);
return(s[0] & 1);
}
