In [9]:
from sage import *
import hashlib

In [32]:
class TwistedEdwardsCurve:
    def __init__(self, curve_name):
        if curve_name == "edwards25519":
            self.E = EllipticCurve(GF(2**255 - 19), [0,486662,0,1,0])
            self.q = self.E.base_field().order()
        elif curve_name == "edwards448":
            self.curve = edwards448()
            self.q = self.curve.field_modulus()
        else:
            raise ValueError("Curva inválida: " + curve_name)
    def generator(self):
        # Lógica para encontrar as coordenadas do ponto gerador
        # Neste exemplo, estou utilizando as mesmas expressões usadas para criar self.generator

        # Parâmetros da curva Edwards25519
        p = 2**255 - 19
        a = -1
        d = 486662

        # Encontrando as coordenadas x e y do ponto gerador
        x = 4 * (d - 1) * inverse_mod(4 * a * (d - 1), p)  # coordenada x
        y_sd = x**3 + a * x**2 + x  # coordenada y
        y = Mod(y_sd,p).sqrt()

        return (x, y)
    
    def point_add(self, P, Q):
        x1, y1 = P
        x2, y2 = Q
        return (x1 * y2 + x2 * y1, y1 * y2 - x1 * x2)

    def point_double(self, P):
        x, y = P
        return (x * y, 2 * x * y)

    def point_scalar_mult(self, P, k):
        R = (0, 1)
        while k > 0:
            if k%2 == 1:
                R = self.point_add(R,P)
            P = self.point_double(P)
            k//=2
#        for i in range(k.bit_length() - 1, -1, -1):
 #           if (k >> 1) & 1:
  #              R = self.point_add(R, P)
   #         P = self.point_double(P)
        return R

    def point_to_bytes(self, P):
        x = P[0].lift()   # Converte o primeiro elemento para um inteiro
        x_digits = x.digits(base=256)
        x_bytes = bytes(x_digits)
        
        #x_bytes = int.to_bytes(x, (self.q.bit_length() + 7) // 8, byteorder="big")
        if x_bytes[0] & 0x80:
            x_bytes = b"\x00" + x_bytes
        return x_bytes

    def bytes_to_point(self, b):
        # Split the bytes into x and y components
        x_bytes = b[:32]
        y_bytes = b[32:]

        # Convert bytes to integers
        x = Integer(int.from_bytes(x_bytes, byteorder='big'))
        y = Integer(int.from_bytes(y_bytes, byteorder='big'))

        # Check if y is negative
        if (x * y) % self.q != 1:
            y = -y

        return (x, y)
    
        # Método para encontrar um ponto gerador para a curva Edwards25519
#        a = 486662  # Parâmetro 'a' da curva de Edwards25519
#        for x in range(2, self.q):  # Começa a partir de 2 para evitar o ponto de identidade
#            y_sqr = x**3 + a * x**2 + x  # Substituir na equação da curva para encontrar y^2
#            y = y_sqr.sqrt()  # Calcula a raiz quadrada modular
#        
#            if y is not None:  # Se a raiz quadrada existe (ou seja, y^2 é um quadrado)
#                if self.E.lift_x(x, extend=False):  # Verifica se x é uma coordenada x válida na curva
#                    return x, y[0]  # Retorna o primeiro ponto encontrado

        raise ValueError("Nenhum ponto gerador encontrado para a curva Edwards25519")
    
class EdDSA:
    def __init__(self, curve_name):
        self.curve = TwistedEdwardsCurve(curve_name)

    def generate_keypair(self):
        sk = randint(1, self.curve.q - 1)
        pk = self.curve.point_scalar_mult(self.curve.generator(), sk)
        return sk, self.curve.point_to_bytes(pk)

    def sign(self, sk, message):
        h = hashlib.sha512(message).digest()
        r = randint(1, self.curve.q - 1)
        R = self.curve.point_scalar_mult(self.curve.generator(), r)
        k = self.scalar_reduce(h + self.curve.point_to_bytes(R))
        S = (r + k * sk) % self.curve.q
        S_bytes = bytearray()
        while S:
            S_bytes.append(S & 0xff)
            S >>= 8
        S_bytes.reverse()  # Reverse the byte array to get the correct byte order
        S_bytes = bytes(S_bytes)

        return self.curve.point_to_bytes(R) + S_bytes
       # return self.curve.point_to_bytes(R) + S.to_bytes((self.curve.q.bit_length() + 7) // 8, byteorder="big")

    def verify(self, pk, message, signature):
        h = hashlib.sha512(message).digest()
        R_bytes = signature[:32]  # Extract R as bytes
        R = self.curve.bytes_to_point(R_bytes)  # Convert R to point
        S_bytes = signature[32:]  # Extract S as bytes
        S = Integer(int.from_bytes(S_bytes, byteorder='big'))  # Convert S to integer
        
        k = self.scalar_reduce(h + R_bytes)  # Use R as bytes for scalar reduction
        A = self.curve.point_scalar_mult(self.curve.generator(), k)
        B = self.curve.point_scalar_mult(R, S)
        return A == B
        
#    def verify(self, pk, message, signature):
#        h = hashlib.sha512(message).digest()
#        R = self.curve.bytes_to_point(signature[:32])
#        
#        S_bytes = signature[32:]
#        S = Integer(int.from_bytes(S_bytes, byteorder='big'))
#        
#        k = self.scalar_reduce(h + self.curve.point_to_bytes(R))
#        A = self.curve.point_scalar_mult(self.curve.generator(), k)
#        B = self.curve.point_scalar_mult(R, S)
#        return A == B

    def scalar_reduce(self, k):
        k = int.from_bytes(k, byteorder='big')
        return (k + (self.curve.q - 1) * (k >> (self.curve.q -1).bit_length())) % self.curve.q

In [33]:
curve_name = "edwards25519"

# Gerando par de chaves
sk, pk = EdDSA(curve_name).generate_keypair()
print("Chave Privada: ", sk)
print("Chave Pública: ", pk)


# Mensagem a ser assinada
message = b"Exemplo de mensagem para assinatura EdDSA"

signature = EdDSA(curve_name).sign(sk, message)  # Include the message argument here
print("Assinatura: ", signature)

verify_signature = EdDSA(curve_name).verify(pk, message, signature)
print(verify_signature)

Chave Privada:  30568692701566809308317253957149819384218591707455440818070277587197072459887
Chave Pública:  b'\x00\x86\xedy\x02\x08u\xd50\xb8\xd8a\xde0l\x90y\xf2\xbc\xbf\xcf\xac\x86\x83\x03G\xa5U\x11%\xd6\xffi'
Assinatura:  b'e\xcfI\xe0\xde\x88\x19+\xa5R\xbf\xc6\xd6\xee\xef8\xeaJ \x0f\x17\xae\xdeq\x17\r=\x8b\xe0\xbdPb\x12\xbc\xb7\x06m\x89\xee \x9f\xfa\xd5;;\x1c+\xdb\xfc\xe2p\x10\xf2z\xf6\xe7&\xfc\xc3I^\xd9\xe3\xff'
False
