Java VRF support

common/src/main/java/org/whispersystems/curve25519/BaseJavaCurve25519Provider.java

@@ -9,6 +9,7 @@
 import org.whispersystems.curve25519.java.Sha512;
 import org.whispersystems.curve25519.java.curve_sigs;
 import org.whispersystems.curve25519.java.scalarmult;
+import org.whispersystems.curve25519.java.ed25519.veddsa_sigs;
 
 abstract class BaseJavaCurve25519Provider implements Curve25519Provider {
 
@@ -69,18 +70,31 @@ public byte[] calculateSignature(byte[] random, byte[] privateKey, byte[] messag
     return result;
   }
 
-  public boolean verifySignature(byte[] publicKey, byte[] message, byte[] signature) {
+  public boolean verifySignature(byte[] publicKey, byte[] message, byte[] signature)
+  {
     return curve_sigs.curve25519_verify(sha512provider, signature, publicKey, message, message.length) == 0;
   }
 
   public byte[] calculateVrfSignature(byte[] random, byte[] privateKey, byte[] message) {
-    throw new AssertionError("NYI");
+    byte[] result = new byte[96];
+
+    if (veddsa_sigs.VRFsign(sha512provider, result, privateKey, message, message.length, random) != 0) {
+      throw new IllegalArgumentException("Message exceeds max length!");
+    }
+
+    return result;
   }
 
   public byte[] verifyVrfSignature(byte[] publicKey, byte[] message, byte[] signature)
       throws VrfSignatureVerificationFailedException
   {
-    throw new AssertionError("NYI");
+      byte[] result = new byte[32];
+
+      if (veddsa_sigs.VRFverify(sha512provider, result, signature, publicKey, message, message.length) != 0) {
+        throw new VrfSignatureVerificationFailedException();
+      }
+
+      return result;
   }
 
   public byte[] getRandom(int length) {

common/src/main/java/org/whispersystems/curve25519/java/ed25519/constants.java

@@ -0,0 +1,19 @@
+package org.whispersystems.curve25519.java.ed25519;
+
+public class constants {
+
+    static final int LABELSETMAXLEN = 512;
+    static final int LABELMAXLEN = 128;
+    static final int BUFLEN = 1024;
+    static final int BLOCKLEN = 128; /* SHA512 */
+    static final int HASHLEN = 64; /* SHA512 */
+    static final int POINTLEN = 32;
+    static final int SCALARLEN = 32;
+    static final int RANDLEN = 32;
+    static final int SIGNATURELEN = 64;
+    static final int VRFSIGNATURELEN = 96;
+    static final int VRFOUTPUTLEN = 32;
+    static final int MSTART = 2048;
+    static final int MSGMAXLEN = 1048576;
+
+}

common/src/main/java/org/whispersystems/curve25519/java/ed25519/elligator.java

@@ -0,0 +1,102 @@
+package org.whispersystems.curve25519.java.ed25519;
+
+import org.whispersystems.curve25519.java.Sha512;
+import org.whispersystems.curve25519.java.ge_p3;
+
+import static org.whispersystems.curve25519.java.fe_0.fe_0;
+import static org.whispersystems.curve25519.java.fe_1.fe_1;
+import static org.whispersystems.curve25519.java.fe_add.fe_add;
+import static org.whispersystems.curve25519.java.fe_cmov.fe_cmov;
+import static org.whispersystems.curve25519.java.fe_frombytes.fe_frombytes;
+import static org.whispersystems.curve25519.java.fe_invert.fe_invert;
+import static org.whispersystems.curve25519.java.fe_mul.fe_mul;
+import static org.whispersystems.curve25519.java.fe_neg.fe_neg;
+import static org.whispersystems.curve25519.java.fe_pow22523.fe_pow22523;
+import static org.whispersystems.curve25519.java.fe_sq.fe_sq;
+import static org.whispersystems.curve25519.java.fe_sq2.fe_sq2;
+import static org.whispersystems.curve25519.java.fe_tobytes.fe_tobytes;
+
+public class elligator {
+
+    /**
+     * @param in
+     * @return   1 -> square
+     *           0 -> 0
+     *          -1 -> nonsquare
+     */
+    static int legendre_is_nonsquare(int[] in)
+    {
+        int[] temp = new int[10];
+        byte[] bytes =  new byte[32];
+        fe_pow22523(temp, in);  /* temp = in^((q-5)/8) */
+        fe_sq(temp, temp);      /*        in^((q-5)/4) */
+        fe_sq(temp, temp);      /*        in^((q-5)/2) */
+        fe_mul(temp, temp, in); /*        in^((q-3)/2) */
+        fe_mul(temp, temp, in); /*        in^((q-1)/2) */
+
+        fe_tobytes(bytes, temp);
+        return 1 & bytes[31];
+    }
+
+    /**
+     * Elligator2 uniform random bit string
+     * @param u
+     * @param r
+     */
+
+    static void elligator(int[] u, int[] r)
+    {
+        int[] A = new int[10], one = new int[10], twor2 = new int[10], twor2plus1 = new int[10], twor2plus1inv = new int[10];
+        int[] x = new int[10], e = new int[10], Atemp = new int[10], uneg = new int[10];
+        int nonsquare;
+
+        fe_1(one);
+        fe_0(A);
+        A[0] = 486662;
+
+        fe_sq2(twor2, r);
+        fe_add(twor2plus1, twor2, one);
+        fe_invert(twor2plus1inv, twor2plus1);
+        fe_mul(x, twor2plus1inv, A);
+        fe_neg(x, x);
+
+        fe_mont_rhs.fe_mont_rhs(e, x);
+        nonsquare = legendre_is_nonsquare(e);
+
+        fe_0(Atemp);
+        fe_cmov(Atemp, A, nonsquare);
+        fe_add(u, x, Atemp);
+        fe_neg(uneg, u);
+        fe_cmov(u, uneg, nonsquare);
+    }
+
+    /**
+     * hash byte string to EC25519 Point
+     * @param p
+     * @param in
+     * @param in_len
+     * @param sha512provider
+     */
+    static int hash_to_point(ge_p3 p, byte[] in, long in_len, Sha512 sha512provider)
+    {
+        byte[] hash = new byte[64];
+        int[] h = new int[10], u = new int[10];
+        int sign_bit;
+        ge_p3 p3 = new ge_p3();
+
+        sha512provider.calculateDigest(hash, in, in_len);
+
+        /* take the high bit as Edwards sign bit */
+        sign_bit = (hash[31] & 0x80) >> 7;
+        hash[31] &= 0x7F;
+        fe_frombytes(h, hash);
+        elligator(u, h);
+
+        if (ge_montx_to_p3.ge_montx_to_p3(p3, u, sign_bit) !=0)
+            return -1;
+        ge_scalarmult_cofactor.ge_scalarmult_cofactor(p, p3);
+
+        return 0;
+    }
+
+}

common/src/main/java/org/whispersystems/curve25519/java/ed25519/fe_isequal.java

@@ -0,0 +1,22 @@
+package org.whispersystems.curve25519.java.ed25519;
+
+import static org.whispersystems.curve25519.java.fe_isnonzero.fe_isnonzero;
+import static org.whispersystems.curve25519.java.fe_sub.fe_sub;
+
+public class fe_isequal {
+
+    /**
+     *
+     * @param f
+     * @param g
+     * @return 1 if f==g
+     *         0 if f!= g
+     */
+
+    static int fe_isequal(int[] f, int[] g)
+    {
+        int[] h = new int[10];
+        fe_sub(h, f, g);
+        return (1 ^ (1 & (fe_isnonzero(h) >> 8)));
+    }
+}

common/src/main/java/org/whispersystems/curve25519/java/ed25519/fe_isreduced.java

@@ -0,0 +1,25 @@
+package org.whispersystems.curve25519.java.ed25519;
+
+import static org.whispersystems.curve25519.java.crypto_verify_32.crypto_verify_32;
+import static org.whispersystems.curve25519.java.fe_frombytes.fe_frombytes;
+import static org.whispersystems.curve25519.java.fe_tobytes.fe_tobytes;
+
+public class fe_isreduced {
+
+    /**
+     *
+     * @param s
+     * @return true if fe_isrecuded
+     *         false otherwise
+     */
+    static boolean fe_isreduced(byte[] s){
+        int[] f = new int[10];
+        byte[] strict = new byte[32];
+
+        fe_frombytes(f, s);
+        fe_tobytes(strict, f);
+        if (crypto_verify_32(strict, s) != 0)
+            return false;
+        return true;
+    }
+}

common/src/main/java/org/whispersystems/curve25519/java/ed25519/fe_mont_rhs.java

@@ -0,0 +1,26 @@
+package org.whispersystems.curve25519.java.ed25519;
+
+import static org.whispersystems.curve25519.java.fe_0.fe_0;
+import static org.whispersystems.curve25519.java.fe_1.fe_1;
+import static org.whispersystems.curve25519.java.fe_add.fe_add;
+import static org.whispersystems.curve25519.java.fe_mul.fe_mul;
+import static org.whispersystems.curve25519.java.fe_sq.fe_sq;
+
+public class fe_mont_rhs {
+
+    static void fe_mont_rhs(int[] v2, int[] u) {
+        int[] A = new int[10], one = new int[10];
+        int[] u2 = new int[10], Au = new int[10], inner = new int[10];
+
+        fe_1(one);
+        fe_0(A);
+        A[0] = 486662;
+
+        fe_sq(u2, u);
+        fe_mul(Au, A, u);
+        fe_add(inner, u2, Au);
+        fe_add(inner, inner, one);
+        fe_mul(v2, u, inner);
+    }
+
+}

common/src/main/java/org/whispersystems/curve25519/java/ed25519/fe_montx_to_edy.java

@@ -0,0 +1,28 @@
+package org.whispersystems.curve25519.java.ed25519;
+
+import static org.whispersystems.curve25519.java.fe_1.fe_1;
+import static org.whispersystems.curve25519.java.fe_add.fe_add;
+import static org.whispersystems.curve25519.java.fe_invert.fe_invert;
+import static org.whispersystems.curve25519.java.fe_mul.fe_mul;
+import static org.whispersystems.curve25519.java.fe_sub.fe_sub;
+
+public class fe_montx_to_edy {
+
+    /**
+     * y = (u - 1) / (u + 1)
+     * @param y
+     * @param u
+     */
+    static void fe_montx_to_edy(int[] y, int[] u)
+    {
+
+        int[] one = new int[10], um1 = new int[10], up1 = new int[10];
+
+        fe_1(one);
+        fe_sub(um1, u, one);
+        fe_add(up1, u, one);
+        fe_invert(up1, up1);
+        fe_mul(y, um1, up1);
+    }
+
+}

common/src/main/java/org/whispersystems/curve25519/java/ed25519/fe_sqrt.java

@@ -0,0 +1,66 @@
+package org.whispersystems.curve25519.java.ed25519;
+
+import static org.whispersystems.curve25519.java.fe_0.fe_0;
+import static org.whispersystems.curve25519.java.fe_1.fe_1;
+import static org.whispersystems.curve25519.java.fe_cmov.fe_cmov;
+import static org.whispersystems.curve25519.java.fe_copy.fe_copy;
+import static org.whispersystems.curve25519.java.fe_frombytes.fe_frombytes;
+import static org.whispersystems.curve25519.java.fe_mul.fe_mul;
+import static org.whispersystems.curve25519.java.fe_pow22523.fe_pow22523;
+import static org.whispersystems.curve25519.java.fe_sq.fe_sq;
+
+public class fe_sqrt {
+
+    // sqrt(-1)
+    static final byte[] i_bytes = {
+            (byte) 0xb0, (byte) 0xa0, (byte) 0x0e, (byte) 0x4a, (byte) 0x27, (byte) 0x1b, (byte) 0xee, (byte) 0xc4,
+            (byte) 0x78, (byte) 0xe4, (byte) 0x2f, (byte) 0xad, (byte) 0x06, (byte) 0x18, (byte) 0x43, (byte) 0x2f,
+            (byte) 0xa7, (byte) 0xd7, (byte) 0xfb, (byte) 0x3d, (byte) 0x99, (byte) 0x00, (byte) 0x4d, (byte) 0x2b,
+            (byte) 0x0b, (byte) 0xdf, (byte) 0xc1, (byte) 0x4f, (byte) 0x80, (byte) 0x24, (byte) 0x83, (byte) 0x2b
+    };
+
+
+    /**
+     * calc sqrt(a)
+     * @param out
+     * @param a
+     * @pre a is square or zero
+     * @post out^2 = a
+     * @return
+     */
+    static int fe_sqrt(int[] out, int[] a)
+    {
+        int[] exp = new int[10], b = new int[10], b2 = new int[10], bi = new int[10], i = new int[10];
+        int[] legendre = new int[10], zero = new int[10], one = new int[10];
+
+        fe_frombytes(i, i_bytes);
+        fe_pow22523(exp, a);
+
+        fe_sq(legendre, exp);
+        fe_sq(legendre, legendre);
+        fe_mul(legendre, legendre, a);
+        fe_mul(legendre, legendre, a);
+
+        fe_0(zero);
+        fe_1(one);
+        if (fe_isequal.fe_isequal(legendre, zero) == 0 && fe_isequal.fe_isequal(legendre, one) == 0)
+            return -1;
+
+        fe_mul(b, a, exp);
+        fe_sq(b2, b);
+
+        fe_mul(bi, b, i);
+        fe_cmov(b, bi, 1 ^ fe_isequal.fe_isequal(b2, a));
+        fe_copy(out, b);
+
+
+        fe_sq(b2, out);
+        if (fe_isequal.fe_isequal(a, b2) == 0)
+            return -1;
+
+        return 0;
+
+    }
+
+
+}

common/src/main/java/org/whispersystems/curve25519/java/ed25519/ge_isneutral.java

@@ -0,0 +1,22 @@
+package org.whispersystems.curve25519.java.ed25519;
+
+import org.whispersystems.curve25519.java.ge_p3;
+
+import static org.whispersystems.curve25519.java.fe_0.fe_0;
+
+public class ge_isneutral {
+
+    /**
+     * Check if p neutral point
+     * @param p
+     * @return  1 if p neutral point
+     *          0 otherwise
+     */
+    public static int ge_isneutral(ge_p3 p)
+    {
+        int[] zero = new int[10];
+        fe_0(zero);
+
+        return (fe_isequal.fe_isequal(p.X, zero) & fe_isequal.fe_isequal(p.Y, p.Z));
+    }
+}