/** * h = a * B where a = a[0]+256*a[1]+...+256^31 a[31] and * B is this point. If its lookup table has not been precomputed, it * will be at the start of the method (and cached for later calls). * Constant time. * <p> * Preconditions: (TODO: Check this applies here) * a[31] <= 127 * @param a = a[0]+256*a[1]+...+256^31 a[31] * @return the GroupElement */ public GroupElement scalarMultiply(final byte[] a) { GroupElement t; int i; final byte[] e = toRadix16(a); GroupElement h = this.curve.getZero(Representation.P3); for (i = 1; i < 64; i += 2) { t = select(i/2, e[i]); h = h.madd(t).toP3(); } h = h.dbl().toP2().dbl().toP2().dbl().toP2().dbl().toP3(); for (i = 0; i < 64; i += 2) { t = select(i/2, e[i]); h = h.madd(t).toP3(); } return h; }
@Test public void dblReturnsExpectedResult() { for (int i=0; i<1000; i++) { // Arrange: final GroupElement g = MathUtils.getRandomGroupElement(); // Act: final GroupElement h1 = g.dbl(); final GroupElement h2 = MathUtils.doubleGroupElement(g); // Assert: Assert.assertThat(h2, IsEqual.equalTo(h1)); } }
/** * Test method for {@link GroupElement#dbl()}. */ @Test public void testDbl() { GroupElement B = ed25519.getB(); // 2 * B = B + B assertThat(B.dbl(), is(equalTo(B.add(B.toCached())))); }
/** * Test method for {@link GroupElement#scalarMultiply(byte[])}. * Test values generated with Python Ed25519 implementation. */ @Test public void testScalarMultiplyByteArray() { // Little-endian byte[] zero = Utils.hexToBytes("0000000000000000000000000000000000000000000000000000000000000000"); byte[] one = Utils.hexToBytes("0100000000000000000000000000000000000000000000000000000000000000"); byte[] two = Utils.hexToBytes("0200000000000000000000000000000000000000000000000000000000000000"); byte[] a = Utils.hexToBytes("d072f8dd9c07fa7bc8d22a4b325d26301ee9202f6db89aa7c3731529e37e437c"); GroupElement A = new GroupElement(curve, Utils.hexToBytes("d4cf8595571830644bd14af416954d09ab7159751ad9e0f7a6cbd92379e71a66")); assertThat("scalarMultiply(0) failed", ed25519.getB().scalarMultiply(zero), is(equalTo(curve.getZero(GroupElement.Representation.P3)))); assertThat("scalarMultiply(1) failed", ed25519.getB().scalarMultiply(one), is(equalTo(ed25519.getB()))); assertThat("scalarMultiply(2) failed", ed25519.getB().scalarMultiply(two), is(equalTo(ed25519.getB().dbl()))); assertThat("scalarMultiply(a) failed", ed25519.getB().scalarMultiply(a), is(equalTo(A))); }
GroupElement t = r.dbl();
/** * $h = a * B$ where $a = a[0]+256*a[1]+\dots+256^{31} a[31]$ and * $B$ is this point. If its lookup table has not been precomputed, it * will be at the start of the method (and cached for later calls). * Constant time. * <p> * Preconditions: (TODO: Check this applies here) * $a[31] \le 127$ * @param a $= a[0]+256*a[1]+\dots+256^{31} a[31]$ * @return the GroupElement */ public GroupElement scalarMultiply(final byte[] a) { GroupElement t; int i; final byte[] e = toRadix16(a); GroupElement h = this.curve.getZero(Representation.P3); for (i = 1; i < 64; i += 2) { t = select(i/2, e[i]); h = h.madd(t).toP3(); } h = h.dbl().toP2().dbl().toP2().dbl().toP2().dbl().toP3(); for (i = 0; i < 64; i += 2) { t = select(i/2, e[i]); h = h.madd(t).toP3(); } return h; }
GroupElement t = r.dbl();