Encoding and decoding byte byte representations of Edwards points

tomato42 · tomato42 · commit e37d06e4b88c · 2021-07-26T15:42:34.000+02:00
diff --git a/src/ecdsa/ellipticcurve.py b/src/ecdsa/ellipticcurve.py
@@ -49,7 +49,7 @@
 
 from six import python_2_unicode_compatible
 from . import numbertheory
-from ._compat import normalise_bytes
+from ._compat import normalise_bytes, int_to_bytes, bit_length, bytes_to_int
 from .errors import MalformedPointError
 from .util import orderlen, string_to_number, number_to_string
 
@@ -278,6 +278,41 @@ def _from_hybrid(cls, data, raw_encoding_length, validate_encoding):
 
         return x, y
 
+    @classmethod
+    def _from_edwards(cls, curve, data):
+        """Decode a point on an Edwards curve."""
+        data = bytearray(data)
+        p = curve.p()
+        # add 1 for the sign bit and then round up
+        exp_len = (bit_length(p) + 1 + 7) // 8
+        if len(data) != exp_len:
+            raise MalformedPointError("Point length doesn't match the curve.")
+        x_0 = (data[-1] & 0x80) >> 7
+
+        data[-1] &= 0x80 - 1
+
+        y = bytes_to_int(data, "little")
+        if GMPY:
+            y = mpz(y)
+
+        x2 = (
+            (y * y - 1)
+            * numbertheory.inverse_mod(curve.d() * y * y - curve.a(), p)
+            % p
+        )
+
+        try:
+            x = numbertheory.square_root_mod_prime(x2, p)
+        except numbertheory.SquareRootError as e:
+            raise MalformedPointError(
+                "Encoding does not correspond to a point on curve", e
+            )
+
+        if x % 2 != x_0:
+            x = -x % p
+
+        return x, y
+
     @classmethod
     def from_bytes(
         cls, curve, data, validate_encoding=True, valid_encodings=None
@@ -325,6 +360,10 @@ def from_bytes(
                 "supported."
             )
         data = normalise_bytes(data)
+
+        if isinstance(curve, CurveEdTw):
+            return cls._from_edwards(curve, data)
+
         key_len = len(data)
         raw_encoding_length = 2 * orderlen(curve.p())
         if key_len == raw_encoding_length and "raw" in valid_encodings:
@@ -381,6 +420,18 @@ def _hybrid_encode(self):
             return b"\x07" + raw_enc
         return b"\x06" + raw_enc
 
+    def _edwards_encode(self):
+        """Encode the point according to RFC8032 encoding."""
+        self.scale()
+        x, y, p = self.x(), self.y(), self.curve().p()
+
+        # add 1 for the sign bit and then round up
+        enc_len = (bit_length(p) + 1 + 7) // 8
+        y_str = int_to_bytes(y, enc_len, "little")
+        if x % 2:
+            y_str[-1] |= 0x80
+        return y_str
+
     def to_bytes(self, encoding="raw"):
         """
         Convert the point to a byte string.
@@ -389,11 +440,17 @@ def to_bytes(self, encoding="raw"):
         by `encoding="raw"`. It can also output points in :term:`uncompressed`,
         :term:`compressed`, and :term:`hybrid` formats.
 
+        For points on Edwards curves `encoding` is ignored and only the
+        encoding defined in RFC 8032 is supported.
+
         :return: :term:`raw encoding` of a public on the curve
         :rtype: bytes
         """
         assert encoding in ("raw", "uncompressed", "compressed", "hybrid")
-        if encoding == "raw":
+        curve = self.curve()
+        if isinstance(curve, CurveEdTw):
+            return self._edwards_encode()
+        elif encoding == "raw":
             return self._raw_encode()
         elif encoding == "uncompressed":
             return b"\x04" + self._raw_encode()
@@ -1219,6 +1276,48 @@ def __init__(self, curve, x, y, z, t, order=None):
             self.__coords = (x, y, z, t)
             self.__order = order
 
+    @classmethod
+    def from_bytes(
+        cls,
+        curve,
+        data,
+        validate_encoding=None,
+        valid_encodings=None,
+        order=None,
+        generator=False,
+    ):
+        """
+        Initialise the object from byte encoding of a point.
+
+        `validate_encoding` and `valid_encodings` are provided for
+        compatibility with Weierstrass curves, they are ignored for Edwards
+        points.
+
+        :param data: single point encoding of the public key
+        :type data: :term:`bytes-like object`
+        :param curve: the curve on which the public key is expected to lay
+        :type curve: ecdsa.ellipticcurve.CurveEdTw
+        :param None validate_encoding: Ignored, encoding is always validated
+        :param None valid_encodings: Ignored, there is just one encoding
+            supported
+        :param int order: the point order, must be non zero when using
+            generator=True
+        :param bool generator: Ignored, may be used in the future
+            to precompute point multiplication table.
+
+        :raises MalformedPointError: if the public point does not lay on the
+            curve or the encoding is invalid
+
+        :return: Initialised point on an Edwards curve
+        :rtype: PointEdwards
+        """
+        coord_x, coord_y = super(PointEdwards, cls).from_bytes(
+            curve, data, validate_encoding, valid_encodings
+        )
+        return PointEdwards(
+            curve, coord_x, coord_y, 1, coord_x * coord_y, order
+        )
+
     def x(self):
         """Return affine x coordinate."""
         X1, _, Z1, _ = self.__coords
diff --git a/src/ecdsa/test_eddsa.py b/src/ecdsa/test_eddsa.py
@@ -4,6 +4,8 @@
     import unittest2 as unittest
 except ImportError:
     import unittest
+from hypothesis import given, settings, example
+import hypothesis.strategies as st
 from .ellipticcurve import PointEdwards, INFINITY, CurveEdTw
 from .eddsa import (
     generator_ed25519,
@@ -12,6 +14,7 @@
     curve_ed448,
 )
 from .ecdsa import generator_256, curve_256
+from .errors import MalformedPointError
 
 
 def test_ed25519_curve_compare():
@@ -405,3 +408,104 @@ def test_ed448_add_and_mul_equivalence():
 
     assert g + g == g * 2
     assert g + g + g == g * 3
+
+
+def test_ed25519_encode():
+    g = generator_ed25519
+    g_bytes = g.to_bytes()
+    assert len(g_bytes) == 32
+    exp_bytes = (
+        b"\x58\x66\x66\x66\x66\x66\x66\x66\x66\x66\x66\x66\x66\x66\x66\x66"
+        b"\x66\x66\x66\x66\x66\x66\x66\x66\x66\x66\x66\x66\x66\x66\x66\x66"
+    )
+    assert g_bytes == exp_bytes
+
+
+def test_ed25519_decode():
+    exp_bytes = (
+        b"\x58\x66\x66\x66\x66\x66\x66\x66\x66\x66\x66\x66\x66\x66\x66\x66"
+        b"\x66\x66\x66\x66\x66\x66\x66\x66\x66\x66\x66\x66\x66\x66\x66\x66"
+    )
+    a = PointEdwards.from_bytes(curve_ed25519, exp_bytes)
+
+    assert a == generator_ed25519
+
+
+class TestEdwardsMalformed(unittest.TestCase):
+    def test_invalid_point(self):
+        exp_bytes = (
+            b"\x78\x66\x66\x66\x66\x66\x66\x66\x66\x66\x66\x66\x66\x66\x66\x66"
+            b"\x66\x66\x66\x66\x66\x66\x66\x66\x66\x66\x66\x66\x66\x66\x66\x66"
+        )
+        with self.assertRaises(MalformedPointError):
+            PointEdwards.from_bytes(curve_ed25519, exp_bytes)
+
+    def test_invalid_length(self):
+        exp_bytes = (
+            b"\x58\x66\x66\x66\x66\x66\x66\x66\x66\x66\x66\x66\x66\x66\x66\x66"
+            b"\x66\x66\x66\x66\x66\x66\x66\x66\x66\x66\x66\x66\x66\x66\x66\x66"
+            b"\x66"
+        )
+        with self.assertRaises(MalformedPointError) as e:
+            PointEdwards.from_bytes(curve_ed25519, exp_bytes)
+
+        self.assertIn("length", str(e.exception))
+
+    def test_ed448_invalid(self):
+        exp_bytes = b"\xff" * 57
+        with self.assertRaises(MalformedPointError):
+            PointEdwards.from_bytes(curve_ed448, exp_bytes)
+
+
+def test_ed448_encode():
+    g = generator_ed448
+    g_bytes = g.to_bytes()
+    assert len(g_bytes) == 57
+    exp_bytes = (
+        b"\x14\xfa\x30\xf2\x5b\x79\x08\x98\xad\xc8\xd7\x4e\x2c\x13\xbd"
+        b"\xfd\xc4\x39\x7c\xe6\x1c\xff\xd3\x3a\xd7\xc2\xa0\x05\x1e\x9c"
+        b"\x78\x87\x40\x98\xa3\x6c\x73\x73\xea\x4b\x62\xc7\xc9\x56\x37"
+        b"\x20\x76\x88\x24\xbc\xb6\x6e\x71\x46\x3f\x69\x00"
+    )
+    assert g_bytes == exp_bytes
+
+
+def test_ed448_decode():
+    exp_bytes = (
+        b"\x14\xfa\x30\xf2\x5b\x79\x08\x98\xad\xc8\xd7\x4e\x2c\x13\xbd"
+        b"\xfd\xc4\x39\x7c\xe6\x1c\xff\xd3\x3a\xd7\xc2\xa0\x05\x1e\x9c"
+        b"\x78\x87\x40\x98\xa3\x6c\x73\x73\xea\x4b\x62\xc7\xc9\x56\x37"
+        b"\x20\x76\x88\x24\xbc\xb6\x6e\x71\x46\x3f\x69\x00"
+    )
+
+    a = PointEdwards.from_bytes(curve_ed448, exp_bytes)
+
+    assert a == generator_ed448
+
+
+HYP_SETTINGS = dict()
+HYP_SETTINGS["max_examples"] = 10
+
+
+@settings(**HYP_SETTINGS)
+@example(1)
+@example(5)  # smallest multiple that requires changing sign of x
+@given(st.integers(min_value=1, max_value=int(generator_ed25519.order() - 1)))
+def test_ed25519_encode_decode(multiple):
+    a = generator_ed25519 * multiple
+
+    b = PointEdwards.from_bytes(curve_ed25519, a.to_bytes())
+
+    assert a == b
+
+
+@settings(**HYP_SETTINGS)
+@example(1)
+@example(2)  # smallest multiple that requires changing the sign of x
+@given(st.integers(min_value=1, max_value=int(generator_ed448.order() - 1)))
+def test_ed448_encode_decode(multiple):
+    a = generator_ed448 * multiple
+
+    b = PointEdwards.from_bytes(curve_ed448, a.to_bytes())
+
+    assert a == b
