163 lines
4.6 KiB
Go
163 lines
4.6 KiB
Go
// Copyright (c) 2021 The Go Authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
package edwards25519
|
|
|
|
import (
|
|
"encoding/hex"
|
|
"testing"
|
|
"testing/quick"
|
|
)
|
|
|
|
// TestBytesMontgomery tests the SetBytesWithClamping+BytesMontgomery path
|
|
// equivalence to curve25519.X25519 for basepoint scalar multiplications.
|
|
//
|
|
// Note that you can't actually implement X25519 with this package because
|
|
// there is no SetBytesMontgomery, and it would not be possible to implement
|
|
// it properly: points on the twist would get rejected, and the Scalar returned
|
|
// by SetBytesWithClamping does not preserve its cofactor-clearing properties.
|
|
//
|
|
// Disabled to avoid the golang.org/x/crypto module dependency.
|
|
/* func TestBytesMontgomery(t *testing.T) {
|
|
f := func(scalar [32]byte) bool {
|
|
s := NewScalar().SetBytesWithClamping(scalar[:])
|
|
p := (&Point{}).ScalarBaseMult(s)
|
|
got := p.BytesMontgomery()
|
|
want, _ := curve25519.X25519(scalar[:], curve25519.Basepoint)
|
|
return bytes.Equal(got, want)
|
|
}
|
|
if err := quick.Check(f, nil); err != nil {
|
|
t.Error(err)
|
|
}
|
|
} */
|
|
|
|
func TestBytesMontgomerySodium(t *testing.T) {
|
|
// Generated with libsodium.js 1.0.18
|
|
// crypto_sign_keypair().publicKey
|
|
publicKey := "3bf918ffc2c955dc895bf145f566fb96623c1cadbe040091175764b5fde322c0"
|
|
p, err := (&Point{}).SetBytes(decodeHex(publicKey))
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
// crypto_sign_ed25519_pk_to_curve25519(publicKey)
|
|
want := "efc6c9d0738e9ea18d738ad4a2653631558931b0f1fde4dd58c436d19686dc28"
|
|
if got := hex.EncodeToString(p.BytesMontgomery()); got != want {
|
|
t.Errorf("got %q, want %q", got, want)
|
|
}
|
|
}
|
|
|
|
func TestBytesMontgomeryInfinity(t *testing.T) {
|
|
p := NewIdentityPoint()
|
|
want := "0000000000000000000000000000000000000000000000000000000000000000"
|
|
if got := hex.EncodeToString(p.BytesMontgomery()); got != want {
|
|
t.Errorf("got %q, want %q", got, want)
|
|
}
|
|
}
|
|
|
|
func TestMultByCofactor(t *testing.T) {
|
|
lowOrderBytes := "26e8958fc2b227b045c3f489f2ef98f0d5dfac05d3c63339b13802886d53fc85"
|
|
lowOrder, err := (&Point{}).SetBytes(decodeHex(lowOrderBytes))
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
if p := (&Point{}).MultByCofactor(lowOrder); p.Equal(NewIdentityPoint()) != 1 {
|
|
t.Errorf("expected low order point * cofactor to be the identity")
|
|
}
|
|
|
|
f := func(scalar [64]byte) bool {
|
|
s := NewScalar().SetUniformBytes(scalar[:])
|
|
p := (&Point{}).ScalarBaseMult(s)
|
|
p8 := (&Point{}).MultByCofactor(p)
|
|
checkOnCurve(t, p8)
|
|
|
|
// 8 * p == (8 * s) * B
|
|
s.Multiply(s, &Scalar{[32]byte{8}})
|
|
pp := (&Point{}).ScalarBaseMult(s)
|
|
if p8.Equal(pp) != 1 {
|
|
return false
|
|
}
|
|
|
|
// 8 * p == 8 * (lowOrder + p)
|
|
pp.Add(p, lowOrder)
|
|
pp.MultByCofactor(pp)
|
|
if p8.Equal(pp) != 1 {
|
|
return false
|
|
}
|
|
|
|
// 8 * p == p + p + p + p + p + p + p + p
|
|
pp.Set(NewIdentityPoint())
|
|
for i := 0; i < 8; i++ {
|
|
pp.Add(pp, p)
|
|
}
|
|
return p8.Equal(pp) == 1
|
|
}
|
|
if err := quick.Check(f, nil); err != nil {
|
|
t.Error(err)
|
|
}
|
|
}
|
|
|
|
func TestScalarInvert(t *testing.T) {
|
|
invertWorks := func(xInv Scalar, x notZeroScalar) bool {
|
|
xInv.Invert((*Scalar)(&x))
|
|
var check Scalar
|
|
check.Multiply((*Scalar)(&x), &xInv)
|
|
return check == scOne && isReduced(&xInv)
|
|
}
|
|
|
|
if err := quick.Check(invertWorks, quickCheckConfig32); err != nil {
|
|
t.Error(err)
|
|
}
|
|
}
|
|
|
|
func TestMultiScalarMultMatchesBaseMult(t *testing.T) {
|
|
multiScalarMultMatchesBaseMult := func(x, y, z Scalar) bool {
|
|
var p, q1, q2, q3, check Point
|
|
|
|
p.MultiScalarMult([]*Scalar{&x, &y, &z}, []*Point{B, B, B})
|
|
|
|
q1.ScalarBaseMult(&x)
|
|
q2.ScalarBaseMult(&y)
|
|
q3.ScalarBaseMult(&z)
|
|
check.Add(&q1, &q2).Add(&check, &q3)
|
|
|
|
checkOnCurve(t, &p, &check, &q1, &q2, &q3)
|
|
return p.Equal(&check) == 1
|
|
}
|
|
|
|
if err := quick.Check(multiScalarMultMatchesBaseMult, quickCheckConfig32); err != nil {
|
|
t.Error(err)
|
|
}
|
|
}
|
|
|
|
func TestVarTimeMultiScalarMultMatchesBaseMult(t *testing.T) {
|
|
varTimeMultiScalarMultMatchesBaseMult := func(x, y, z Scalar) bool {
|
|
var p, q1, q2, q3, check Point
|
|
|
|
p.VarTimeMultiScalarMult([]*Scalar{&x, &y, &z}, []*Point{B, B, B})
|
|
|
|
q1.ScalarBaseMult(&x)
|
|
q2.ScalarBaseMult(&y)
|
|
q3.ScalarBaseMult(&z)
|
|
check.Add(&q1, &q2).Add(&check, &q3)
|
|
|
|
checkOnCurve(t, &p, &check, &q1, &q2, &q3)
|
|
return p.Equal(&check) == 1
|
|
}
|
|
|
|
if err := quick.Check(varTimeMultiScalarMultMatchesBaseMult, quickCheckConfig32); err != nil {
|
|
t.Error(err)
|
|
}
|
|
}
|
|
|
|
func BenchmarkMultiScalarMultSize8(t *testing.B) {
|
|
var p Point
|
|
x := dalekScalar
|
|
|
|
for i := 0; i < t.N; i++ {
|
|
p.MultiScalarMult([]*Scalar{&x, &x, &x, &x, &x, &x, &x, &x},
|
|
[]*Point{B, B, B, B, B, B, B, B})
|
|
}
|
|
}
|