ed25519: Add python code to test our ed25519 validation.

See
https://lists.torproject.org/pipermail/tor-dev/2017-April/012213.html .

diff --git a/src/test/ed25519_exts_ref.py b/src/test/ed25519_exts_ref.py
index af5010415e27567c9e68fb68979cd80ccf6f1abc..1898256540541d6b4d8d7c45cbb20113376b3dcb 100644 (file)
--- a/src/test/ed25519_exts_ref.py
+++ b/src/test/ed25519_exts_ref.py
@@ -69,6 +69,11 @@ def signatureWithESK(m,h,pk):
 def newSK():
     return os.urandom(32)
 
+def random_scalar(entropy_f): # 0..L-1 inclusive
+    # reduce the bias to a safe level by generating 256 extra bits
+    oversized = int(binascii.hexlify(entropy_f(32+32)), 16)
+    return oversized % ell
+
 # ------------------------------------------------------------
 
 MSG = "This is extremely silly. But it is also incredibly serious business!"
@@ -126,6 +131,31 @@ class SelfTest(unittest.TestCase):
 
         self._testSignatures(besk, bpk)
 
+    def testIdentity(self):
+        # Base point:
+        # B is the unique point (x, 4/5) \in E for which x is positive
+        By = 4 * inv(5)
+        Bx = xrecover(By)
+        B = [Bx % q,By % q]
+
+        # Get identity E by doing: E = l*B, where l is the group order
+        identity = scalarmult(B, ell)
+
+        # Get identity E by doing: E = l*A, where A is a random point
+        sk = newSK()
+        pk = decodepoint(publickey(sk))
+        identity2 = scalarmult(pk, ell)
+
+        # Check that identities match
+        assert(identity == identity2)
+        # Check that identity is the point (0,1)
+        assert(identity == [0L,1L])
+
+        # Check identity element: a*E = E, where a is a random scalar
+        scalar = random_scalar(os.urandom)
+        result = scalarmult(identity, scalar)
+        assert(result == identity == identity2)
+
 # ------------------------------------------------------------
 
 # From pprint.pprint([ binascii.b2a_hex(os.urandom(32)) for _ in xrange(8) ])