In [20]:

def ByteArrayToInteger(k,numBytes=32):
    return sum((k[i] << (8 * i)) for i in range(len(k)))

def IntegerToByteArray(k,numBytes = 32):
    result = bytearray(numBytes);
    for i in range(numBytes):
        result[i] = (k >> (8 * i)) & 0xff;
    return result

def sel25519(p,q,b):
    c = (b-1)
    c &= 2**255 - 1
    t = c & (p ^ q)
    return (q^t, p^t)

def inv25519(i):
    pr = 2**255 - 19
    c = i
    for a in range(253, -1, -1):
        c = (c * c) % pr
        if ((a!=2) and (a!=4)):
            c = (c * i) % pr
    return c

def pow2523(i):
    pr = 2**255 - 19
    c = i
    for a in range(250, -1, -1):
        c = (c * c) % pr
        if (a != 1):
            c = (c * i) % pr
    return c

# The chi(x) function for elligator 2 calculates x^ ((prime - 1) / 2)
# in case of curve25519, it calculates x ^ (2^254 - 10)
def elligator2Chi(x):
    pr = 2**255 - 19
    r = pow2523(x) #2^252 -3
    r = (r * r) % pr #2^253 -6
    r = (r * x) % pr #2^253 - 5
    r = (r * r) % pr #2^254 - 10
    return r

def elligator2v(r):
    pr = 2**255 - 19
    A = 486662
    
    v = (r * r) % pr
    v = v + v + 1 % pr
    t0 = inv25519(v)
    v = (t0 * (-A)) % pr
    return v

def elligator2epsilon(v):
    pr = 2**255 - 19
    A = 486662
    v2 = (v * v) % pr
    v3 = (v2 * v) % pr
    av2 = (v2 * A) % pr
    t = (v3 + av2 + v) % pr 
    return elligator2Chi(t)

def crypto_elligator2(values,numBytes):
    pr = 2**255 - 19
    A = 486662
    Ad2 = A / 2
    r = ByteArrayToInteger(values,numBytes) % pr
    v = elligator2v(r)
    x = elligator2epsilon(v)
    t1 = 1 - x
    t2 = v * x
    t3 = ((-Ad2) * t1) % pr
    result = (t3 + t2) % pr
    return IntegerToByteArray(result,32) 
    
def inverse_sc25519(i):
    pr = 2**252 + 27742317777372353535851937790883648493
    exponent = OrderPrimeSubgroup - 1
    c = i % pr
    for a in range(253, -1, -1):
        c = (c * c) % pr
        if (exponent & (2**a)):
            c = (c * i) % pr
    return c

    
# all inputs to be given as byte array.
def Inverse_X25519(basepoint,scalar):
    OrderPrimeSubgroup = 2**252 + 27742317777372353535851937790883648493
    scalarClamped = scalar
    scalarClamped[0] &= 248
    scalarClamped[31] &= 127
    scalarClamped[31] |= 64
    
    coFactor = 8
    inverse_scalar = inverse_sc25519(ByteArrayToInteger(scalarClamped) * coFactor)
    inverse_scalar_int = inverse_scalar * 8
    inverse_scalar = IntegerToByteArray(inverse_scalar_int)
    return X25519(basepoint,inverse_scalar,withClamping=0)

# all inputs to be given as byte array.
def X25519(p,n,withClamping=1):
    pr = 2**255 - 19
    #  unpack25519(x,p);
    x = ByteArrayToInteger(p)
    z = n
    #  FOR(i,31) z[i]=n[i];
    #  z[31]=(n[31]&127)|64;
    #  z[0]&=248;
    #clamping of the scalar
    if (withClamping):
        z[0] &= 248
        z[31] &= 127
        z[31] |= 64
        maxExponent = 254
    else:
        maxExponent = 255
        
    #  FOR(i,16) {
    #    b[i]=x[i];
    #    d[i]=a[i]=c[i]=0;
    #  }
    #  a[0]=d[0]=1;
    a = 1
    b = x
    c = 0
    d = 1
    
    #  for(i=254;i>=0;--i) {
    for i in range(maxExponent, -1, -1):
        #    r=(z[i>>3]>>(i&7))&1;
        r = (z[i>>3]>>(i&7))&1
        #    sel25519(a,b,r);
        (a,b) = sel25519(a,b,r)
        #    sel25519(c,d,r);
        (c,d) = sel25519(c,d,r)
        #    A(e,a,c);
        e = (a + c) % pr
        #    Z(a,a,c);
        a = (a - c) % pr
        #    A(c,b,d);
        c = (b + d) % pr
        #    Z(b,b,d);
        b = (b - d) % pr
        #    S(d,e);
        d = (e * e) % pr
        #    S(f,a);
        f = (a * a) % pr
        #    M(a,c,a);
        a = (c * a) % pr
        #    M(c,b,e);
        c = (b * e) % pr
        #    A(e,a,c);
        e = (a + c) % pr
        #    Z(a,a,c);
        a = (a - c) % pr
        #    S(b,a);
        b = (a * a) % pr
        #    Z(c,d,f);
        c = (d - f) % pr
        #    M(a,c,_121665);
        a = (c * 121665) % pr
        #    A(a,a,d);
        a = (a + d) % pr
        #    M(c,c,a);
        c = (c * a) % pr
        #    M(a,d,f);
        a = (d * f) % pr
        #    M(d,b,x);
        d = (b * x) % pr
        #    S(b,e);
        b = (e * e) % pr
        #    sel25519(a,b,r);
        (a,b) = sel25519(a,b,r)
        #    sel25519(c,d,r);
        (c,d) = sel25519(c,d,r)
        #  }
    cinv = inv25519(c)
    res = (a * cinv) % pr
    return IntegerToByteArray(res)


In [22]:
# 2.) Definitions for the X25519 test cases

class X25519_testCase:
    def __init__(self,u_in, s_in, u_out):
        self.u_in = u_in
        self.s_in = s_in
        self.u_out = u_out

    def runTest(self):
        us = IntegerToByteArray(self.u_in)
        ss = IntegerToByteArray(self.s_in)
        r  = IntegerToByteArray(self.u_out)
        u = X25519(us,ss)
        if (u != r):
            print ("Fail")
            print ("Input u :\n0x%032x\n" % self.u_in)
            print ("Input s :\n0x%032x\n" % self.s_in)
            print ("Correct Result :\n0x%032x\n" % self.u_out)
            print ("Actual Result :\n0x%032x\n" % ByteArrayToInteger(u))
            return False
        print ("Pass")
        return True
    
    def docOutput(self):
        print ("Test case for X25519:")
        print ("u:"),
        print ("0x%x" % (self.u_in))
        print ("s:"),
        print ("0x%x" % (self.s_in))
        print ("r:"),
        print ("0x%x" % (self.u_out))
        

testCases = []

tv = \
    X25519_testCase(0x4c1cabd0a603a9103b35b326ec2466727c5fb124a4c19435db3030586768dbe6,\
                    0xc49a44ba44226a50185afcc10a4c1462dd5e46824b15163b9d7c52f06be346a5,\
                    0x5285a2775507b454f7711c4903cfec324f088df24dea948e90c6e99d3755dac3)
testCases.append(tv)


tv = X25519_testCase(0x13a415c749d54cfc3e3cc06f10e7db312cae38059d95b7f4d3116878120f21e5,\
                     0xdba18799e16a42cd401eae021641bc1f56a7d959126d25a3c67b4d1d4e9664b,\
                    0x5779ac7a64f7f8e652a19f79685a598bf873b8b45ce4ad7a7d90e87694decb95)
testCases.append(tv)

tv = X25519_testCase(0,\
                     0xc49a44ba44226a50185afcc10a4c1462dd5e46824b15163b9d7c52f06be346a5,\
                     0)
testCases.append(tv)
    
weakp = []
weakp.append(0)
weakp.append(1)
weakp.append(325606250916557431795983626356110631294008115727848805560023387167927233504) #(which has order 8)
weakp.append(39382357235489614581723060781553021112529911719440698176882885853963445705823) #(which also has order 8)
weakp.append(2**255 - 19 - 1)
weakp.append(2**255 - 19)
weakp.append(2**255 - 19 + 1)
weakp.append(2**255 - 19 + 325606250916557431795983626356110631294008115727848805560023387167927233504)
weakp.append(2**255 - 19 + 39382357235489614581723060781553021112529911719440698176882885853963445705823)
weakp.append(2 * (2**255 - 19) - 1)
weakp.append(2 * (2**255 - 19))
weakp.append(2 * (2**255 - 19) + 1)

for x in weakp:
    tv = X25519_testCase (x,0xff9a44ba44226a50185afcc10a4c1462dd5e46824b15163b9d7c52f06be346af,0)
    testCases.append(tv)

for x in testCases:
    x.runTest()

for x in testCases:
    x.docOutput()


Pass
Pass
Pass
Pass
Pass
Pass
Pass
Pass
Pass
Pass
Pass
Pass
Pass
Pass
Pass
Test case for X25519:
u:
0x4c1cabd0a603a9103b35b326ec2466727c5fb124a4c19435db3030586768dbe6
s:
0xc49a44ba44226a50185afcc10a4c1462dd5e46824b15163b9d7c52f06be346a5
r:
0x5285a2775507b454f7711c4903cfec324f088df24dea948e90c6e99d3755dac3
Test case for X25519:
u:
0x13a415c749d54cfc3e3cc06f10e7db312cae38059d95b7f4d3116878120f21e5
s:
0xdba18799e16a42cd401eae021641bc1f56a7d959126d25a3c67b4d1d4e9664b
r:
0x5779ac7a64f7f8e652a19f79685a598bf873b8b45ce4ad7a7d90e87694decb95
Test case for X25519:
u:
0x0
s:
0xc49a44ba44226a50185afcc10a4c1462dd5e46824b15163b9d7c52f06be346a5
r:
0x0
Test case for X25519:
u:
0x0
s:
0xff9a44ba44226a50185afcc10a4c1462dd5e46824b15163b9d7c52f06be346af
r:
0x0
Test case for X25519:
u:
0x1
s:
0xff9a44ba44226a50185afcc10a4c1462dd5e46824b15163b9d7c52f06be346af
r:
0x0
Test case for X25519:
u:
0xb8495f16056286fdb1329ceb8d09da6ac49ff1fae35616aeb8413b7c7aebe0
s:
0xff9a44ba44226a50185afcc10a4c1462dd5e46824b15163b9

57896044618658097711785492504343953926634992332820282019728792003956564819968