2 # this implements a variant of SPAKE2 Elligator edition described in:
3 # https://www.mail-archive.com/curves@moderncrypto.org/msg00412.html
6 # derive points PM or PN from a (password) hash
7 spake2ee_h2P(p,a,d, h, PX,PY,PZ,PT){
8 # find a small non-square for elligator
10 while(legendresymbol(n, p) != -1)
12 PX,PY,PZ,PT = elligator2(p,a,d, n, h%p);
15 # Ya = xa*G+PM, Yb = xb*G+PN
16 spake2ee_1(p,a,d, x, GX,GY, PX,PY,PZ,PT, y){
17 mod(p) X,Y,Z,T = edwards_scale(p,a,d, x, GX,GY,1,GX*GY);
18 X,Y,Z,T = edwards_add(p,a,d, X,Y,Z,T, PX,PY,PZ,PT);
19 y = decaf_encode(p,a,d, X,Y,Z,T);
28 spake2ee_2(p,a,d, PX,PY,PZ,PT, x, y, ok, z){
29 ok, X,Y,Z,T = decaf_decode(p,a,d, y);
31 mod(p) X,Y,Z,T = edwards_add(p,a,d, X,Y,Z,T, -PX,PY,PZ,-PT);
32 X,Y,Z,T = edwards_scale(p,a,d, x, X,Y,Z,T);
33 z = decaf_encode(p,a,d, X,Y,Z,T);