Merge pull request #60 from HarryR/jubjub-eddsa-tests

Jubjub EdDSA + Tests + solidity cleanups

Author: HarryR

.gitignore

@@ -12,3 +12,5 @@ __pycache__
 .coverage.*
 /node_modules
 package-lock.json
+lextab.py
+yacctab.py

.solhint.json

@@ -0,0 +1,15 @@
+{
+	"extends": "default",
+	"rules": {
+		"indent": false,
+		"var-name-mixedcase": false,
+		"func-name-mixedcase": false,
+		"func-param-name-mixedcase": false,
+		"not-rely-on-time": false,
+		"bracket-align": false,
+		"expression-indent": false,
+		"max-line-length": false,
+		"two-lines-top-level-separator": false,
+		"separate-by-one-line-in-contract": false
+	}
+}

Makefile

@@ -105,7 +105,7 @@ coverage-html:
 #######################################################################
 
 
-lint: python-pyflakes python-pylint cxx-lint
+lint: python-pyflakes python-pylint cxx-lint solidity-lint
 
 python-pyflakes:
 	$(PYTHON) -mpyflakes $(NAME)
@@ -141,6 +141,13 @@ mac-dependencies:
 #######################################################################
 
 
+solidity-lint:
+	$(NPM) run lint
+
+
+#######################################################################
+
+
 nvm-install:
 	./utils/nvm-install
 	nvm install --lts

appendix/ejubjub.sage

@@ -1,19 +1,7 @@
-p = 21888242871839275222246405745257275088548364400416034343698204186575808495617
-Fp = GF(p)
-R.<a,d,x,y>=QQ[]
-A=2*(a+d)/(a-d)
-B=4/(a-d)
-S=R.quotient(a*x^2+y^2-(1+d*x^2*y^2))
-u=(1+y)/(1-y)
-v=(1+y)/((1-y)*x)
-0 == S((B*v^2-u^3-A*u^2-u).numerator())
-
-
 JUBJUB_C = 8		# Cofactor
 JUBJUB_A = 168700	# Coefficient A
 JUBJUB_D = 168696	# Coefficient D
 MONT_A = 168698
-
 p = 21888242871839275222246405745257275088548364400416034343698204186575808495617
 Fp = GF(p)
 E = EllipticCurve(Fp, [0, MONT_A, 0, 1, 0])
@@ -23,6 +11,18 @@ assert E.order() == 218882428718392752222464057452572750886145117772685380736017
 assert E.quadratic_twist().order() == 21888242871839275222246405745257275088482217023563530613794683085564038006908
 # factor(E.quadratic_twist().order()) == 2^2 * 5472060717959818805561601436314318772120554255890882653448670771391009501727
 
+assert E.trace_of_frobenius() not in [0, 1]
+
+twistCofactor = 4
+curveCofactor = 8
+
+curveOrder = E.order()
+
+twistOrder = 2 * (p+1) - curveOrder
+assert E.quadratic_twist().order() == twistOrder
+assert is_prime(twistOrder // twistCofactor)
+assert is_prime(E.order() // curveCofactor)
+
 jubjub_valid = lambda x, y: (JUBJUB_A * x^2 + y^2) == 1 + JUBJUB_D * x^2 * y^2
 mont_valid = lambda x, y: E.is_on_curve(x, y)
 mont_to_jubjub = lambda x, y: (x/y, (x-1)/(x+1))

contracts/EdDSA.sol

@@ -0,0 +1,41 @@
+// Copyright (c) 2018 @HarryR
+// License: LGPL-3.0+
+
+pragma solidity 0.4.24;
+
+import "./JubJub.sol";
+
+
+contract EdDSA
+{
+    function HashToInt( bytes data )
+        public pure returns (uint256)
+    {
+        uint256 hashed = uint256(sha256(data));
+
+        // (2<<249) - 1
+        uint256 mask = 1809251394333065553493296640760748560207343510400633813116524750123642650623;
+
+        return hashed & mask;
+    }
+
+    function Verify( uint256[2] pubkey, uint256 hashed_msg, uint256[2] R, uint256 s )
+        public view returns (bool)
+    {
+        uint256[2] memory B = JubJub.Generator();
+        uint256[2] memory lhs;
+        uint256[2] memory rhs;
+
+        (lhs[0], lhs[1]) = JubJub.scalarMult(B[0], B[1], s);
+
+        uint256 t = HashToInt(abi.encodePacked(
+            R[0], R[1],
+            pubkey[0], pubkey[1],
+            hashed_msg
+            ));
+
+        (rhs[0], rhs[1]) = JubJub.scalarMult(pubkey[0], pubkey[1], t);
+
+        return lhs[0] == rhs[0] && lhs[1] == rhs[1];
+    }
+}