#! /usr/bin/env python
# -*- coding: utf-8 -*-
#
# Implementation of elliptic curves, for cryptographic applications.
#
# This module doesn't provide any way to choose a random elliptic
# curve, nor to verify that an elliptic curve was chosen randomly,
# because one can simply use NIST's standard curves.
#
# Notes from X9.62-1998 (draft):
# Nomenclature:
# - Q is a public key.
# The "Elliptic Curve Domain Parameters" include:
# - q is the "field size", which in our case equals p.
# - p is a big prime.
# - G is a point of prime order (5.1.1.1).
# - n is the order of G (5.1.1.1).
# Public-key validation (5.2.2):
# - Verify that Q is not the point at infinity.
# - Verify that X_Q and Y_Q are in [0,p-1].
# - Verify that Q is on the curve.
# - Verify that nQ is the point at infinity.
# Signature generation (5.3):
# - Pick random k from [1,n-1].
# Signature checking (5.4.2):
# - Verify that r and s are in [1,n-1].
#
# Version of 2008.11.25.
#
# Revision history:
# 2005.12.31 - Initial version.
# 2008.11.25 - Change CurveFp.is_on to contains_point.
#
# Written in 2005 by Peter Pearson and placed in the public domain.
from __future__ import division
try:
from gmpy2 import mpz
GMPY = True
except ImportError:
try:
from gmpy import mpz
GMPY = True
except ImportError:
GMPY = False
from six import python_2_unicode_compatible
from . import numbertheory
from ._rwlock import RWLock
@python_2_unicode_compatible
class CurveFp(object):
"""Elliptic Curve over the field of integers modulo a prime."""
if GMPY:
def __init__(self, p, a, b, h=None):
"""
The curve of points satisfying y^2 = x^3 + a*x + b (mod p).
h is an integer that is the cofactor of the elliptic curve domain
parameters; it is the number of points satisfying the elliptic
curve equation divided by the order of the base point. It is used
for selection of efficient algorithm for public point verification.
"""
self.__p = mpz(p)
self.__a = mpz(a)
self.__b = mpz(b)
# h is not used in calculations and it can be None, so don't use
# gmpy with it
self.__h = h
else:
def __init__(self, p, a, b, h=None):
"""
The curve of points satisfying y^2 = x^3 + a*x + b (mod p).
h is an integer that is the cofactor of the elliptic curve domain
parameters; it is the number of points satisfying the elliptic
curve equation divided by the order of the base point. It is used
for selection of efficient algorithm for public point verification.
"""
self.__p = p
self.__a = a
self.__b = b
self.__h = h
def __eq__(self, other):
if isinstance(other, CurveFp):
"""Return True if the curves are identical, False otherwise."""
return (
self.__p == other.__p
and self.__a == other.__a
and self.__b == other.__b
)
return NotImplemented
def __ne__(self, other):
return not (self == other)
def __hash__(self):
return hash((self.__p, self.__a, self.__b))
def p(self):
return self.__p
def a(self):
return self.__a
def b(self):
return self.__b
def cofactor(self):
return self.__h
def contains_point(self, x, y):
"""Is the point (x,y) on this curve?"""
return (y * y - ((x * x + self.__a) * x + self.__b)) % self.__p == 0
def __str__(self):
return "CurveFp(p=%d, a=%d, b=%d, h=%d)" % (
self.__p,
self.__a,
self.__b,
self.__h,
)
class PointJacobi(object):
"""
Point on an elliptic curve. Uses Jacobi coordinates.
In Jacobian coordinates, there are three parameters, X, Y and Z.
They correspond to affine parameters 'x' and 'y' like so:
x = X / Z²
y = Y / Z³
"""
def __init__(self, curve, x, y, z, order=None, generator=False):
"""
Initialise a point that uses Jacobi representation internally.
:param CurveFp curve: curve on which the point resides
:param int x: the X parameter of Jacobi representation (equal to x when
converting from affine coordinates
:param int y: the Y parameter of Jacobi representation (equal to y when
converting from affine coordinates
:param int z: the Z parameter of Jacobi representation (equal to 1 when
converting from affine coordinates
:param int order: the point order, must be non zero when using
generator=True
:param bool generator: the point provided is a curve generator, as
such, it will be commonly used with scalar multiplication. This will
cause to precompute multiplication table for it
"""
self.__curve = curve
# since it's generally better (faster) to use scaled points vs unscaled
# ones, use writer-biased RWLock for locking:
self._update_lock = RWLock()
if GMPY:
self.__x = mpz(x)
self.__y = mpz(y)
self.__z = mpz(z)
self.__order = order and mpz(order)
else:
self.__x = x
self.__y = y
self.__z = z
self.__order = order
self.__generator = generator
self.__precompute = []
def _maybe_precompute(self):
if self.__generator:
# since we lack promotion of read-locks to write-locks, we do a
# "acquire-read-lock, check, acquire-write-lock plus recheck" cycle
try:
self._update_lock.reader_acquire()
if self.__precompute:
return
finally:
self._update_lock.reader_release()
try:
self._update_lock.writer_acquire()
if self.__precompute:
return
order = self.__order
assert order
i = 1
order *= 2
doubler = PointJacobi(
self.__curve, self.__x, self.__y, self.__z, order
)
order *= 2
self.__precompute.append((doubler.x(), doubler.y()))
while i < order:
i *= 2
doubler = doubler.double().scale()
self.__precompute.append((doubler.x(), doubler.y()))
finally:
self._update_lock.writer_release()
def __getstate__(self):
try:
self._update_lock.reader_acquire()
state = self.__dict__.copy()
finally:
self._update_lock.reader_release()
del state["_update_lock"]
return state
def __setstate__(self, state):
self.__dict__.update(state)
self._update_lock = RWLock()
def __eq__(self, other):
"""Compare two points with each-other."""
try:
self._update_lock.reader_acquire()
if other is INFINITY:
return not self.__y or not self.__z
x1, y1, z1 = self.__x, self.__y, self.__z
finally:
self._update_lock.reader_release()
if isinstance(other, Point):
x2, y2, z2 = other.x(), other.y(), 1
elif isinstance(other, PointJacobi):
try:
other._update_lock.reader_acquire()
x2, y2, z2 = other.__x, other.__y, other.__z
finally:
other._update_lock.reader_release()
else:
return NotImplemented
if self.__curve != other.curve():
return False
p = self.__curve.p()
zz1 = z1 * z1 % p
zz2 = z2 * z2 % p
# compare the fractions by bringing them to the same denominator
# depend on short-circuit to save 4 multiplications in case of
# inequality
return (x1 * zz2 - x2 * zz1) % p == 0 and (
y1 * zz2 * z2 - y2 * zz1 * z1
) % p == 0
def order(self):
"""Return the order of the point.
None if it is undefined.
"""
return self.__order
def curve(self):
"""Return curve over which the point is defined."""
return self.__curve
def x(self):
"""
Return affine x coordinate.
This method should be used only when the 'y' coordinate is not needed.
It's computationally more efficient to use `to_affine()` and then
call x() and y() on the returned instance. Or call `scale()`
and then x() and y() on the returned instance.
"""
try:
self._update_lock.reader_acquire()
if self.__z == 1:
return self.__x
x = self.__x
z = self.__z
finally:
self._update_lock.reader_release()
p = self.__curve.p()
z = numbertheory.inverse_mod(z, p)
return x * z ** 2 % p
def y(self):
"""
Return affine y coordinate.
This method should be used only when the 'x' coordinate is not needed.
It's computationally more efficient to use `to_affine()` and then
call x() and y() on the returned instance. Or call `scale()`
and then x() and y() on the returned instance.
"""
try:
self._update_lock.reader_acquire()
if self.__z == 1:
return self.__y
y = self.__y
z = self.__z
finally:
self._update_lock.reader_release()
p = self.__curve.p()
z = numbertheory.inverse_mod(z, p)
return y * z ** 3 % p
def scale(self):
"""
Return point scaled so that z == 1.
Modifies point in place, returns self.
"""
try:
self._update_lock.reader_acquire()
if self.__z == 1:
return self
finally:
self._update_lock.reader_release()
try:
self._update_lock.writer_acquire()
# scaling already scaled point is safe (as inverse of 1 is 1) and
# quick so we don't need to optimise for the unlikely event when
# two threads hit the lock at the same time
p = self.__curve.p()
z_inv = numbertheory.inverse_mod(self.__z, p)
zz_inv = z_inv * z_inv % p
self.__x = self.__x * zz_inv % p
self.__y = self.__y * zz_inv * z_inv % p
# we are setting the z last so that the check above will return
# true only after all values were already updated
self.__z = 1
finally:
self._update_lock.writer_release()
return self
def to_affine(self):
"""Return point in affine form."""
if not self.__y or not self.__z:
return INFINITY
self.scale()
# after point is scaled, it's immutable, so no need to perform locking
return Point(self.__curve, self.__x, self.__y, self.__order)
@staticmethod
def from_affine(point, generator=False):
"""Create from an affine point.
:param bool generator: set to True to make the point to precalculate
multiplication table - useful for public point when verifying many
signatures (around 100 or so) or for generator points of a curve.
"""
return PointJacobi(
point.curve(), point.x(), point.y(), 1, point.order(), generator
)
# plese note that all the methods that use the equations from hyperelliptic
# are formatted in a way to maximise performance.
# Things that make code faster: multiplying instead of taking to the power
# (`xx = x * x; xxxx = xx * xx % p` is faster than `xxxx = x**4 % p` and
# `pow(x, 4, p)`),
# multiple assignments at the same time (`x1, x2 = self.x1, self.x2` is
# faster than `x1 = self.x1; x2 = self.x2`),
# similarly, sometimes the `% p` is skipped if it makes the calculation
# faster and the result of calculation is later reduced modulo `p`
def _double_with_z_1(self, X1, Y1, p, a):
"""Add a point to itself with z == 1."""
# after:
# http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian.html#doubling-mdbl-2007-bl
XX, YY = X1 * X1 % p, Y1 * Y1 % p
if not YY:
return 0, 0, 1
YYYY = YY * YY % p
S = 2 * ((X1 + YY) ** 2 - XX - YYYY) % p
M = 3 * XX + a
T = (M * M - 2 * S) % p
# X3 = T
Y3 = (M * (S - T) - 8 * YYYY) % p
Z3 = 2 * Y1 % p
return T, Y3, Z3
def _double(self, X1, Y1, Z1, p, a):
"""Add a point to itself, arbitrary z."""
if Z1 == 1:
return self._double_with_z_1(X1, Y1, p, a)
if not Z1:
return 0, 0, 1
# after:
# http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian.html#doubling-dbl-2007-bl
XX, YY = X1 * X1 % p, Y1 * Y1 % p
if not YY:
return 0, 0, 1
YYYY = YY * YY % p
ZZ = Z1 * Z1 % p
S = 2 * ((X1 + YY) ** 2 - XX - YYYY) % p
M = (3 * XX + a * ZZ * ZZ) % p
T = (M * M - 2 * S) % p
# X3 = T
Y3 = (M * (S - T) - 8 * YYYY) % p
Z3 = ((Y1 + Z1) ** 2 - YY - ZZ) % p
return T, Y3, Z3
def double(self):
"""Add a point to itself."""
if not self.__y:
return INFINITY
p, a = self.__curve.p(), self.__curve.a()
try:
self._update_lock.reader_acquire()
X1, Y1, Z1 = self.__x, self.__y, self.__z
finally:
self._update_lock.reader_release()
X3, Y3, Z3 = self._double(X1, Y1, Z1, p, a)
if not Y3 or not Z3:
return INFINITY
return PointJacobi(self.__curve, X3, Y3, Z3, self.__order)
def _add_with_z_1(self, X1, Y1, X2, Y2, p):
"""add points when both Z1 and Z2 equal 1"""
# after:
# http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian.html#addition-mmadd-2007-bl
H = X2 - X1
HH = H * H
I = 4 * HH % p
J = H * I
r = 2 * (Y2 - Y1)
if not H and not r:
return self._double_with_z_1(X1, Y1, p, self.__curve.a())
V = X1 * I
X3 = (r ** 2 - J - 2 * V) % p
Y3 = (r * (V - X3) - 2 * Y1 * J) % p
Z3 = 2 * H % p
return X3, Y3, Z3
def _add_with_z_eq(self, X1, Y1, Z1, X2, Y2, p):
"""add points when Z1 == Z2"""
# after:
# http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian.html#addition-zadd-2007-m
A = (X2 - X1) ** 2 % p
B = X1 * A % p
C = X2 * A
D = (Y2 - Y1) ** 2 % p
if not A and not D:
return self._double(X1, Y1, Z1, p, self.__curve.a())
X3 = (D - B - C) % p
Y3 = ((Y2 - Y1) * (B - X3) - Y1 * (C - B)) % p
Z3 = Z1 * (X2 - X1) % p
return X3, Y3, Z3
def _add_with_z2_1(self, X1, Y1, Z1, X2, Y2, p):
"""add points when Z2 == 1"""
# after:
# http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian.html#addition-madd-2007-bl
Z1Z1 = Z1 * Z1 % p
U2, S2 = X2 * Z1Z1 % p, Y2 * Z1 * Z1Z1 % p
H = (U2 - X1) % p
HH = H * H % p
I = 4 * HH % p
J = H * I
r = 2 * (S2 - Y1) % p
if not r and not H:
return self._double_with_z_1(X2, Y2, p, self.__curve.a())
V = X1 * I
X3 = (r * r - J - 2 * V) % p
Y3 = (r * (V - X3) - 2 * Y1 * J) % p
Z3 = ((Z1 + H) ** 2 - Z1Z1 - HH) % p
return X3, Y3, Z3
def _add_with_z_ne(self, X1, Y1, Z1, X2, Y2, Z2, p):
"""add points with arbitrary z"""
# after:
# http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian.html#addition-add-2007-bl
Z1Z1 = Z1 * Z1 % p
Z2Z2 = Z2 * Z2 % p
U1 = X1 * Z2Z2 % p
U2 = X2 * Z1Z1 % p
S1 = Y1 * Z2 * Z2Z2 % p
S2 = Y2 * Z1 * Z1Z1 % p
H = U2 - U1
I = 4 * H * H % p
J = H * I % p
r = 2 * (S2 - S1) % p
if not H and not r:
return self._double(X1, Y1, Z1, p, self.__curve.a())
V = U1 * I
X3 = (r * r - J - 2 * V) % p
Y3 = (r * (V - X3) - 2 * S1 * J) % p
Z3 = ((Z1 + Z2) ** 2 - Z1Z1 - Z2Z2) * H % p
return X3, Y3, Z3
def __radd__(self, other):
"""Add other to self."""
return self + other
def _add(self, X1, Y1, Z1, X2, Y2, Z2, p):
"""add two points, select fastest method."""
if not Y1 or not Z1:
return X2, Y2, Z2
if not Y2 or not Z2:
return X1, Y1, Z1
if Z1 == Z2:
if Z1 == 1:
return self._add_with_z_1(X1, Y1, X2, Y2, p)
return self._add_with_z_eq(X1, Y1, Z1, X2, Y2, p)
if Z1 == 1:
return self._add_with_z2_1(X2, Y2, Z2, X1, Y1, p)
if Z2 == 1:
return self._add_with_z2_1(X1, Y1, Z1, X2, Y2, p)
return self._add_with_z_ne(X1, Y1, Z1, X2, Y2, Z2, p)
def __add__(self, other):
"""Add two points on elliptic curve."""
if self == INFINITY:
return other
if other == INFINITY:
return self
if isinstance(other, Point):
other = PointJacobi.from_affine(other)
if self.__curve != other.__curve:
raise ValueError("The other point is on different curve")
p = self.__curve.p()
try:
self._update_lock.reader_acquire()
X1, Y1, Z1 = self.__x, self.__y, self.__z
finally:
self._update_lock.reader_release()
try:
other._update_lock.reader_acquire()
X2, Y2, Z2 = other.__x, other.__y, other.__z
finally:
other._update_lock.reader_release()
X3, Y3, Z3 = self._add(X1, Y1, Z1, X2, Y2, Z2, p)
if not Y3 or not Z3:
return INFINITY
return PointJacobi(self.__curve, X3, Y3, Z3, self.__order)
def __rmul__(self, other):
"""Multiply point by an integer."""
return self * other
def _mul_precompute(self, other):
"""Multiply point by integer with precomputation table."""
X3, Y3, Z3, p = 0, 0, 1, self.__curve.p()
_add = self._add
for X2, Y2 in self.__precompute:
if other % 2:
if other % 4 >= 2:
other = (other + 1) // 2
X3, Y3, Z3 = _add(X3, Y3, Z3, X2, -Y2, 1, p)
else:
other = (other - 1) // 2
X3, Y3, Z3 = _add(X3, Y3, Z3, X2, Y2, 1, p)
else:
other //= 2
if not Y3 or not Z3:
return INFINITY
return PointJacobi(self.__curve, X3, Y3, Z3, self.__order)
@staticmethod
def _naf(mult):
"""Calculate non-adjacent form of number."""
ret = []
while mult:
if mult % 2:
nd = mult % 4
if nd >= 2:
nd = nd - 4
ret += [nd]
mult -= nd
else:
ret += [0]
mult //= 2
return ret
def __mul__(self, other):
"""Multiply point by an integer."""
if not self.__y or not other:
return INFINITY
if other == 1:
return self
if self.__order:
# order*2 as a protection for Minerva
other = other % (self.__order * 2)
self._maybe_precompute()
if self.__precompute:
return self._mul_precompute(other)
self = self.scale()
# once scaled, point is immutable, not need to lock
X2, Y2 = self.__x, self.__y
X3, Y3, Z3 = 0, 0, 1
p, a = self.__curve.p(), self.__curve.a()
_double = self._double
_add = self._add
# since adding points when at least one of them is scaled
# is quicker, reverse the NAF order
for i in reversed(self._naf(other)):
X3, Y3, Z3 = _double(X3, Y3, Z3, p, a)
if i < 0:
X3, Y3, Z3 = _add(X3, Y3, Z3, X2, -Y2, 1, p)
elif i > 0:
X3, Y3, Z3 = _add(X3, Y3, Z3, X2, Y2, 1, p)
if not Y3 or not Z3:
return INFINITY
return PointJacobi(self.__curve, X3, Y3, Z3, self.__order)
@staticmethod
def _leftmost_bit(x):
"""Return integer with the same magnitude as x but only one bit set"""
assert x > 0
result = 1
while result <= x:
result = 2 * result
return result // 2
def mul_add(self, self_mul, other, other_mul):
"""
Do two multiplications at the same time, add results.
calculates self*self_mul + other*other_mul
"""
if other is INFINITY or other_mul == 0:
return self * self_mul
if self_mul == 0:
return other * other_mul
if not isinstance(other, PointJacobi):
other = PointJacobi.from_affine(other)
# when the points have precomputed answers, then multiplying them alone
# is faster (as it uses NAF)
self._maybe_precompute()
other._maybe_precompute()
if self.__precompute and other.__precompute:
return self * self_mul + other * other_mul
if self.__order:
self_mul = self_mul % self.__order
other_mul = other_mul % self.__order
i = self._leftmost_bit(max(self_mul, other_mul)) * 2
X3, Y3, Z3 = 0, 0, 1
p, a = self.__curve.p(), self.__curve.a()
self = self.scale()
# after scaling, point is immutable, no need for locking
X1, Y1 = self.__x, self.__y
other = other.scale()
X2, Y2 = other.__x, other.__y
both = self + other
if both is INFINITY:
X4, Y4 = 0, 0
else:
both.scale()
X4, Y4 = both.__x, both.__y
_double = self._double
_add = self._add
while i > 1:
X3, Y3, Z3 = _double(X3, Y3, Z3, p, a)
i = i // 2
if self_mul & i and other_mul & i:
X3, Y3, Z3 = _add(X3, Y3, Z3, X4, Y4, 1, p)
elif self_mul & i:
X3, Y3, Z3 = _add(X3, Y3, Z3, X1, Y1, 1, p)
elif other_mul & i:
X3, Y3, Z3 = _add(X3, Y3, Z3, X2, Y2, 1, p)
if not Y3 or not Z3:
return INFINITY
return PointJacobi(self.__curve, X3, Y3, Z3, self.__order)
def __neg__(self):
"""Return negated point."""
try:
self._update_lock.reader_acquire()
return PointJacobi(
self.__curve, self.__x, -self.__y, self.__z, self.__order
)
finally:
self._update_lock.reader_release()
class Point(object):
"""A point on an elliptic curve. Altering x and y is forbidding,
but they can be read by the x() and y() methods."""
def __init__(self, curve, x, y, order=None):
"""curve, x, y, order; order (optional) is the order of this point."""
self.__curve = curve
if GMPY:
self.__x = x and mpz(x)
self.__y = y and mpz(y)
self.__order = order and mpz(order)
else:
self.__x = x
self.__y = y
self.__order = order
# self.curve is allowed to be None only for INFINITY:
if self.__curve:
assert self.__curve.contains_point(x, y)
# for curves with cofactor 1, all points that are on the curve are
# scalar multiples of the base point, so performing multiplication is
# not necessary to verify that. See Section 3.2.2.1 of SEC 1 v2
if curve and curve.cofactor() != 1 and order:
assert self * order == INFINITY
def __eq__(self, other):
"""Return True if the points are identical, False otherwise."""
if isinstance(other, Point):
return (
self.__curve == other.__curve
and self.__x == other.__x
and self.__y == other.__y
)
return NotImplemented
def __neg__(self):
return Point(self.__curve, self.__x, self.__curve.p() - self.__y)
def __add__(self, other):
"""Add one point to another point."""
# X9.62 B.3:
if not isinstance(other, Point):
return NotImplemented
if other == INFINITY:
return self
if self == INFINITY:
return other
assert self.__curve == other.__curve
if self.__x == other.__x:
if (self.__y + other.__y) % self.__curve.p() == 0:
return INFINITY
else:
return self.double()
p = self.__curve.p()
l = (
(other.__y - self.__y)
* numbertheory.inverse_mod(other.__x - self.__x, p)
) % p
x3 = (l * l - self.__x - other.__x) % p
y3 = (l * (self.__x - x3) - self.__y) % p
return Point(self.__curve, x3, y3)
def __mul__(self, other):
"""Multiply a point by an integer."""
def leftmost_bit(x):
assert x > 0
result = 1
while result <= x:
result = 2 * result
return result // 2
e = other
if e == 0 or (self.__order and e % self.__order == 0):
return INFINITY
if self == INFINITY:
return INFINITY
if e < 0:
return (-self) * (-e)
# From X9.62 D.3.2:
e3 = 3 * e
negative_self = Point(self.__curve, self.__x, -self.__y, self.__order)
i = leftmost_bit(e3) // 2
result = self
# print_("Multiplying %s by %d (e3 = %d):" % (self, other, e3))
while i > 1:
result = result.double()
if (e3 & i) != 0 and (e & i) == 0:
result = result + self
if (e3 & i) == 0 and (e & i) != 0:
result = result + negative_self
# print_(". . . i = %d, result = %s" % ( i, result ))
i = i // 2
return result
def __rmul__(self, other):
"""Multiply a point by an integer."""
return self * other
def __str__(self):
if self == INFINITY:
return "infinity"
return "(%d,%d)" % (self.__x, self.__y)
def double(self):
"""Return a new point that is twice the old."""
if self == INFINITY:
return INFINITY
# X9.62 B.3:
p = self.__curve.p()
a = self.__curve.a()
l = (
(3 * self.__x * self.__x + a)
* numbertheory.inverse_mod(2 * self.__y, p)
) % p
x3 = (l * l - 2 * self.__x) % p
y3 = (l * (self.__x - x3) - self.__y) % p
return Point(self.__curve, x3, y3)
def x(self):
return self.__x
def y(self):
return self.__y
def curve(self):
return self.__curve
def order(self):
return self.__order
# This one point is the Point At Infinity for all purposes:
INFINITY = Point(None, None, None)