commit 39b5dca7201bb3f30606be199f4d234c86fcaded Author: George Kadianakis desnacked@riseup.net Date: Mon Apr 24 16:22:02 2017 +0300

ed25519: Add python code to test our ed25519 validation.

See https://lists.torproject.org/pipermail/tor-dev/2017-April/012213.html . --- src/test/ed25519_exts_ref.py | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+)

diff --git a/src/test/ed25519_exts_ref.py b/src/test/ed25519_exts_ref.py index af50104..1898256 100644 --- a/src/test/ed25519_exts_ref.py +++ b/src/test/ed25519_exts_ref.py @@ -69,6 +69,11 @@ def signatureWithESK(m,h,pk): def newSK(): return os.urandom(32)

+def random_scalar(entropy_f): # 0..L-1 inclusive + # reduce the bias to a safe level by generating 256 extra bits + oversized = int(binascii.hexlify(entropy_f(32+32)), 16) + return oversized % ell + # ------------------------------------------------------------

MSG = "This is extremely silly. But it is also incredibly serious business!" @@ -126,6 +131,31 @@ class SelfTest(unittest.TestCase):

self._testSignatures(besk, bpk)

+ def testIdentity(self): + # Base point: + # B is the unique point (x, 4/5) \in E for which x is positive + By = 4 * inv(5) + Bx = xrecover(By) + B = [Bx % q,By % q] + + # Get identity E by doing: E = l*B, where l is the group order + identity = scalarmult(B, ell) + + # Get identity E by doing: E = l*A, where A is a random point + sk = newSK() + pk = decodepoint(publickey(sk)) + identity2 = scalarmult(pk, ell) + + # Check that identities match + assert(identity == identity2) + # Check that identity is the point (0,1) + assert(identity == [0L,1L]) + + # Check identity element: a*E = E, where a is a random scalar + scalar = random_scalar(os.urandom) + result = scalarmult(identity, scalar) + assert(result == identity == identity2) + # ------------------------------------------------------------

# From pprint.pprint([ binascii.b2a_hex(os.urandom(32)) for _ in xrange(8) ])