In [48]:
# Pure python transcription of some tweet-nacl functions
#
# Only for evaluation. Not for real-world crypto use!

def ByteArrayToInteger(k,numBytes=32):
    return sum((k[i] << (8 * i)) for i in range(len(k)))

def IntegerToByteArray(k,numBytes = 32):
    result = bytearray(numBytes);
    for i in range(numBytes):
        result[i] = (k >> (8 * i)) & 0xff;
    return result

def sel25519(p,q,b):
    c = (b-1)
    c &= 2**255 - 1
    t = c & (p ^ q)
    return (q^t, p^t)

def inv25519(i):
    pr = 2**255 - 19
    c = i
    for a in range(253, -1, -1):
        c = (c * c) % pr
        if ((a!=2) and (a!=4)):
            c = (c * i) % pr
    return c

def pow2523(i):
    pr = 2**255 - 19
    c = i
    for a in range(250, -1, -1):
        c = (c * c) % pr
        if (a != 1):
            c = (c * i) % pr
    return c

# The chi(x) function for elligator 2 calculates x^ ((prime - 1) / 2)
# in case of curve25519, it calculates x ^ (2^254 - 10)
def elligator2Chi(x):
    pr = 2**255 - 19
    r = pow2523(x) #2^252 -3
    r = (r * r) % pr #2^253 -6
    r = (r * x) % pr #2^253 - 5
    r = (r * r) % pr #2^254 - 10
    return r

def elligator2v(r):
    pr = 2**255 - 19
    A = 486662
    
    v = (r * r) % pr
    v = v + v + 1 % pr
    t0 = inv25519(v)
    v = (t0 * (-A)) % pr
    return v

def elligator2epsilon(v):
    pr = 2**255 - 19
    A = 486662
    v2 = (v * v) % pr
    v3 = (v2 * v) % pr
    av2 = (v2 * A) % pr
    t = (v3 + av2 + v) % pr 
    return elligator2Chi(t)

def crypto_elligator2(values,numBytes):
    pr = 2**255 - 19
    A = 486662
    Ad2 = 243331
    r = ByteArrayToInteger(values,numBytes) % pr
    v = elligator2v(r)
    x = elligator2epsilon(v)
    t1 = 1 - x
    t2 = v * x
    t3 = ((-Ad2) * t1) % pr
    result = (t3 + t2) % pr
    return IntegerToByteArray(result,32) 

def inverse_sc25519(i):
    pr = 2**252 + 27742317777372353535851937790883648493
    exponent = pr - 2
    c = 1
    for a in range(253, -1, -1):
        c = (c * c) % pr
        if (exponent & (1<<a)):
            c = (c * i) % pr
    return c
    
# all inputs to be given as byte array.
def Inverse_X25519(basepoint,scalar):
    scalarClamped = scalar
    scalarClamped[0] &= 248
    scalarClamped[31] &= 127
    scalarClamped[31] |= 64
    
    coFactor = 8
    inverse_scalar = inverse_sc25519(ByteArrayToInteger(scalarClamped) * coFactor)
    inverse_scalar_int = inverse_scalar * 8
    inverse_scalar = IntegerToByteArray(inverse_scalar_int)
    return X25519(basepoint,inverse_scalar,withClamping=0)

# all inputs to be given as byte array.
def X25519(p,n,withClamping=1):
    print ("Not constant time. Only for use as evaluation. Not for cryptography!")
    pr = 2**255 - 19

    x = ByteArrayToInteger(p)
    z = n

    if (withClamping):
        z[0] &= 248
        z[31] &= 127
        z[31] |= 64
        maxExponent = 254
    else:
        maxExponent = 255
        
    a = 1
    b = x
    c = 0
    d = 1
    
    for i in range(maxExponent, -1, -1):
        r = (z[i>>3]>>(i&7))&1
        (a,b) = sel25519(a,b,r)
        (c,d) = sel25519(c,d,r)
        e = (a + c) % pr
        a = (a - c) % pr
        c = (b + d) % pr
        b = (b - d) % pr
        d = (e * e) % pr
        f = (a * a) % pr
        a = (c * a) % pr
        c = (b * e) % pr
        e = (a + c) % pr
        a = (a - c) % pr
        b = (a * a) % pr
        c = (d - f) % pr
        a = (c * 121665) % pr
        a = (a + d) % pr
        c = (c * a) % pr
        a = (d * f) % pr
        d = (b * x) % pr
        b = (e * e) % pr
        (a,b) = sel25519(a,b,r)
        (c,d) = sel25519(c,d,r)
    cinv = inv25519(c)
    res = (a * cinv) % pr
    return IntegerToByteArray(res)


In [49]:
# 2.) Definitions for the X25519 test cases

class X25519_testCase:
    def __init__(self,u_in, s_in, u_out):
        self.u_in = u_in
        self.s_in = s_in
        self.u_out = u_out

    def runTest(self):
        us = IntegerToByteArray(self.u_in)
        ss = IntegerToByteArray(self.s_in)
        r  = IntegerToByteArray(self.u_out)
        u = X25519(us,ss)
        if (u != r):
            print ("Fail")
            print ("Input u :\n0x%032x\n" % self.u_in)
            print ("Input s :\n0x%032x\n" % self.s_in)
            print ("Correct Result :\n0x%032x\n" % self.u_out)
            print ("Actual Result :\n0x%032x\n" % ByteArrayToInteger(u))
            return False
        print ("Pass")
        return True
    
    def docOutput(self):
        print ("Test case for X25519:")
        print ("u:"),
        print ("0x%x" % (self.u_in))
        print ("s:"),
        print ("0x%x" % (self.s_in))
        print ("r:"),
        print ("0x%x" % (self.u_out))
        

testCases = []

tv = \
    X25519_testCase(0x4c1cabd0a603a9103b35b326ec2466727c5fb124a4c19435db3030586768dbe6,\
                    0xc49a44ba44226a50185afcc10a4c1462dd5e46824b15163b9d7c52f06be346a5,\
                    0x5285a2775507b454f7711c4903cfec324f088df24dea948e90c6e99d3755dac3)
testCases.append(tv)


tv = X25519_testCase(0x13a415c749d54cfc3e3cc06f10e7db312cae38059d95b7f4d3116878120f21e5,\
                     0xdba18799e16a42cd401eae021641bc1f56a7d959126d25a3c67b4d1d4e9664b,\
                    0x5779ac7a64f7f8e652a19f79685a598bf873b8b45ce4ad7a7d90e87694decb95)
testCases.append(tv)

tv = X25519_testCase(0,\
                     0xc49a44ba44226a50185afcc10a4c1462dd5e46824b15163b9d7c52f06be346a5,\
                     0)
testCases.append(tv)
    
weakp = []
weakp.append(0)
weakp.append(1)
weakp.append(325606250916557431795983626356110631294008115727848805560023387167927233504) #(which has order 8)
weakp.append(39382357235489614581723060781553021112529911719440698176882885853963445705823) #(which also has order 8)
weakp.append(2**255 - 19 - 1)
weakp.append(2**255 - 19)
weakp.append(2**255 - 19 + 1)
weakp.append(2**255 - 19 + 325606250916557431795983626356110631294008115727848805560023387167927233504)
weakp.append(2**255 - 19 + 39382357235489614581723060781553021112529911719440698176882885853963445705823)
weakp.append(2 * (2**255 - 19) - 1)
weakp.append(2 * (2**255 - 19))
weakp.append(2 * (2**255 - 19) + 1)

for x in weakp:
    tv = X25519_testCase (x,0xff9a44ba44226a50185afcc10a4c1462dd5e46824b15163b9d7c52f06be346af,0)
    testCases.append(tv)

for x in testCases:
    x.runTest()

for x in testCases:
    x.docOutput()


Not constant time. Only for use as evaluation. Not for cryptography!
Pass
Not constant time. Only for use as evaluation. Not for cryptography!
Pass
Not constant time. Only for use as evaluation. Not for cryptography!
Pass
Not constant time. Only for use as evaluation. Not for cryptography!
Pass
Not constant time. Only for use as evaluation. Not for cryptography!
Pass
Not constant time. Only for use as evaluation. Not for cryptography!
Pass
Not constant time. Only for use as evaluation. Not for cryptography!
Pass
Not constant time. Only for use as evaluation. Not for cryptography!
Pass
Not constant time. Only for use as evaluation. Not for cryptography!
Pass
Not constant time. Only for use as evaluation. Not for cryptography!
Pass
Not constant time. Only for use as evaluation. Not for cryptography!
Pass
Not constant time. Only for use as evaluation. Not for cryptography!
Pass
Not constant time. Only for use as evaluation. Not for cryptography!
Pass
Not constant time. Only for use as eva

In [50]:
# 4.) Definitions of the Elligator2 test cases
#
# Elligator 2 test cases
#
#
# Testvector from the NaCl M0 testsuite from E+H
#

etc1_in =  0x00c84eddfa9bcd7973d6021153cd965a8a2fd749135834eaaeb093d2469a14bc
etc1_out = 0x67d305efdb0a7c7f24ce1655ecc103126004ff23d32bfc032428cd75758fb666

etc2_in =  0x7563f23b0c0aa7bc27b2961a4711ba842ba303c57a9534164bf8d3b5d455cf89
etc2_out = 0x08a3bb40e5b594b192d0ee87b663d24e1bc76d2d41c9031962a7ec6cc863b11d

# as Byte arrays
etc1_in_ba = IntegerToByteArray(etc1_in)
etc1_out_ba = IntegerToByteArray(etc1_out)
etc2_in_ba = IntegerToByteArray(etc2_in)
etc2_out_ba = IntegerToByteArray(etc2_out)

ourResult1 = ByteArrayToInteger(crypto_elligator2(etc1_in_ba,32))
ourResult2 = ByteArrayToInteger(crypto_elligator2(etc2_in_ba,32))

if (ourResult1 != etc1_out):
    print ("Elligator test case #1 failed.")
else:
    print ("Elligator test case #1 pass.")

if (ourResult2 != etc2_out):
    print ("Elligator test case #2 failed.")
else:
    print ("Elligator test case #2 pass.")
    
print ("Elligator test case #1:")
print ("In:  0x%x" % etc1_in)
print ("Out: 0x%x" % etc1_out)

print ("Elligator test case #1:")
print ("In:  0x%x" % etc2_in)
print ("Out: 0x%x" % etc2_out)


Elligator test case #1 pass.
Elligator test case #2 pass.
Elligator test case #1:
In:  0xc84eddfa9bcd7973d6021153cd965a8a2fd749135834eaaeb093d2469a14bc
Out: 0x67d305efdb0a7c7f24ce1655ecc103126004ff23d32bfc032428cd75758fb666
Elligator test case #1:
In:  0x7563f23b0c0aa7bc27b2961a4711ba842ba303c57a9534164bf8d3b5d455cf89
Out: 0x8a3bb40e5b594b192d0ee87b663d24e1bc76d2d41c9031962a7ec6cc863b11d


In [51]:
# Tests for inverse_X25519
import hashlib

print ("\n\n\nRandom test vectors:")
        
inStr = "a"
for m in range(10):
    s = hashlib.sha512(inStr.encode()).digest()
    inStr += "x"
    s = bytearray(s [:32])

    T = X25519(B,s)
    print ("T : 0x%x" % ByteArrayToInteger(T))

    inStr += "x"

    r = hashlib.sha512(inStr.encode()).digest()
    r = bytearray(r [:32])
    print ("r : 0x%x" % ByteArrayToInteger(r))

    U = X25519(T,r)
    print ("U : 0x%x" % ByteArrayToInteger(U))

    IU = Inverse_X25519(U,r)
    #integerToLittleEndianString(Inverse_X25519(U,r))
    print ("IU : 0x%x" % ByteArrayToInteger(IU))
    error = ByteArrayToInteger(IU) - ByteArrayToInteger(T)
    if (error):
        print ("Error : 0x%x" % (error))

print ("End")




Random test vectors:
Not constant time. Only for use as evaluation. Not for cryptography!
T : 0x2d35dedf40001fbcdd2c937463f77d4afbcb9fa8e7b4437f16db639991e31d6f
r : 0x943f6e29367840ecf9035dfff06cbcda53c06ea13c6925ae17de6d1016b62bc0
Not constant time. Only for use as evaluation. Not for cryptography!
U : 0x54ff931740f15a8368673c1f40e09fc5cc48a50943d0d38e91e7def3f059429d
Not constant time. Only for use as evaluation. Not for cryptography!
IU : 0x2d35dedf40001fbcdd2c937463f77d4afbcb9fa8e7b4437f16db639991e31d6f
Not constant time. Only for use as evaluation. Not for cryptography!
T : 0xf2440139827808dde0453da516c0ddf4d8a640c1c2c7765d65f951d09f8934
r : 0xf45d4141eff12fd4e6c3d30ec89d250987cd848a44833fbe173898824e82a5b7
Not constant time. Only for use as evaluation. Not for cryptography!
U : 0x7a9807fc61652c0e3d647327211bdd3d2b66bbd98c9b8747fd342ea60eb69d9b
Not constant time. Only for use as evaluation. Not for cryptography!
IU : 0xf2440139827808dde0453da516c0ddf4d8a640c1c2c7765d65f951d09f8