shrub/try/bin/ed.hoon

!:
::  /=try=/bin/ed/hoon
::
::  ed25519 as a toy in Hoon.
::
::  Needless to say, don't use this for anything real. Not only will it be
::  embarrassingly slow, but it'll probably mail your private key to the NSA.
::
=>  %=    .
        +
      =>  +
      =>  =+  b=256
          =+  q=(sub (bex 255) 19)
          =+  fq=~(. fo q)
          =+  ^=  l
            %+  add
              (bex 252)
            27.742.317.777.372.353.535.851.937.790.883.648.493
          =+  d=(dif.fq 0 (fra.fq 121.665 121.666))
          =+  ii=(exp.fq (div (dec q) 4) 2)
          |%
          ++  norm  |=(x=@ ?:(=(0 (mod x 2)) x (sub q x)))
          ++  xrec
            |=  y=@  ^-  @
            =+  ^=  xx
                %+  mul  (dif.fq (mul y y) 1)
                         (inv.fq +(:(mul d y y)))
            =+  x=(exp.fq (div (add 3 q) 8) xx)
            ?:  !=(0 (dif.fq (mul x x) (sit.fq xx)))
              (norm (pro.fq x ii))
            (norm x)
          --
      =+  ^=  bb
        =+  bby=(pro.fq 4 (inv.fq 5))
        [(xrec bby) bby]
      |%
      ++  ward
        |=  [pp=[@ @] qq=[@ @]]  ^-  [@ @]
        =+  dp=:(pro.fq d -.pp -.qq +.pp +.qq)
        =+  ^=  xt
            %+  pro.fq
              %+  sum.fq
                (pro.fq -.pp +.qq)
              (pro.fq -.qq +.pp)
            (inv.fq (sum.fq 1 dp))
        =+  ^=  yt
            %+  pro.fq
              %+  sum.fq
                (pro.fq +.pp +.qq)
              (pro.fq -.pp -.qq)
            (inv.fq (dif.fq 1 dp))
        [xt yt]
      ::
      ++  scam
        |=  [pp=[@ @] e=@]  ^-  [@ @]
        ?:  =(0 e)
          [0 1]
        =+  qq=$(e (div e 2))
        =>  .(qq (ward qq qq))
        ?:  =(1 (dis 1 e))
          (ward qq pp)
        qq
      ::
      ++  etch
        |=  pp=[@ @]  ^-  @
        (can 0 ~[[(sub b 1) +.pp] [1 (dis 1 -.pp)]])
      ::
      ++  puck
        |=  sk=@  ^-  @
        =+  h=(shal (rsh 0 3 b) sk)
        =+  ^=  a
            %+  add
              (bex (sub b 2))
            (lsh 0 3 (cut 0 [3 (sub b 5)] h))
        =+  aa=(scam bb a)
        (etch aa)
      ::
      ++  sign
        |=  [m=@ sk=@ pk=@]  ^-  @
        =+  h=(shal (rsh 0 3 b) sk)
        =+  ^=  a
            %+  add
              (bex (sub b 2))
            (lsh 0 3 (cut 0 [3 (sub b 5)] h))
        =+  ^=  r
            =+  hm=(cut 0 [b b] h)
            =+  ^=  i
                %+  can  0
                :~  [b hm]
                    [(met 0 m) m]
                ==
            (shaz i)
        =+  rr=(scam bb r)
        =+  ^=  ss
            =+  er=(etch rr)
            =+  ^=  ha
                %+  can  0
                :~  [b er]
                    [b pk]
                    [(met 0 m) m]
                ==
            (~(sit fo l) (add r (mul (shaz ha) a)))
        (can 0 ~[[b (etch rr)] [b ss]])
      ++  curv
        |=  [x=@ y=@]  ^-  ?
        .=  0
            %+  dif.fq
              %+  sum.fq
                (pro.fq (sub q (sit.fq x)) x)
              (pro.fq y y)
            (sum.fq 1 :(pro.fq d x x y y))
      ++  decp
        |=  s=@  ^-  (unit ,[@ @])
        =+  y=(cut 0 [0 (dec b)] s)
        =+  si=(cut 0 [(dec b) 1] s)
        =+  x=(xrec y)
        =>  .(x ?:(!=(si (dis 1 x)) (sub q x) x))
        =+  pp=[x y]
        ?.  (curv pp)
          ~
        [~ pp]
      ++  veri
        |=  [s=@ m=@ pk=@]  ^-  ?
        ?:  (gth (div b 4) (met 3 s))  |
        ?:  (gth (div b 8) (met 3 pk))  |
        =+  rr=(decp (cut 0 [0 b] s))
        ?~  rr  |
        =+  aa=(decp pk)
        ?~  aa  |
        =+  ss=(cut 0 [b b] s)
        =+  ha=(can 0 ~[[b (etch u.rr)] [b pk] [(met 0 m) m]])
        =+  h=(shaz ha)
        =((scam bb ss) (ward u.rr (scam u.aa h)))
      --
    ==
|=  [est=time eny=@uw]
|=  [sk=@ m=@ ~]
^-  bowl
=+  pk=(puck sk)
~&  [%pk `@ux`pk]
=+  si=(sign m sk pk)
~&  [%si `@ux`si]
:_  ~  :_  ~
:-  %$
!>
=+  ^=  sis
    ?:  (veri si m pk)
  'valid sig'
'invalid sig'
=+  ^=  fos
    ?.  (veri si +(m) pk)
  'detected forgery'
'undetected forgery'
[sis fos]
ed25519 toy in hoon 2014-01-23 08:40:43 +04:00			`!:`
			`:: /=try=/bin/ed/hoon`
			`::`
Add disclaimer 2014-01-24 00:31:12 +04:00			`:: ed25519 as a toy in Hoon.`
			`::`
			`:: Needless to say, don't use this for anything real. Not only will it be`
			`:: embarrassingly slow, but it'll probably mail your private key to the NSA.`
ed25519 toy in hoon 2014-01-23 08:40:43 +04:00			`::`
			`=> %= .`
			`+`
			`=> +`
Inner/outer core structure, more constants 2014-01-23 23:55:59 +04:00			`=> =+ b=256`
			`=+ q=(sub (bex 255) 19)`
			`=+ fq=~(. fo q)`
			`=+ ^= l`
			`%+ add`
			`(bex 252)`
			`27.742.317.777.372.353.535.851.937.790.883.648.493`
			`=+ d=(dif.fq 0 (fra.fq 121.665 121.666))`
			`=+ ii=(exp.fq (div (dec q) 4) 2)`
			`\|%`
			`++ norm \|=(x=@ ?:(=(0 (mod x 2)) x (sub q x)))`
			`++ xrec`
			`\|= y=@ ^- @`
			`=+ ^= xx`
			`%+ mul (dif.fq (mul y y) 1)`
			`(inv.fq +(:(mul d y y)))`
			`=+ x=(exp.fq (div (add 3 q) 8) xx)`
			`?: !=(0 (dif.fq (mul x x) (sit.fq xx)))`
			`(norm (pro.fq x ii))`
			`(norm x)`
			`--`
			`=+ ^= bb`
Indentation and unitization 2014-01-24 00:15:58 +04:00			`=+ bby=(pro.fq 4 (inv.fq 5))`
			`[(xrec bby) bby]`
Constant-ize constants and prime field 2014-01-23 23:44:20 +04:00			`\|%`
ed25519 toy in hoon 2014-01-23 08:40:43 +04:00			`++ ward`
			`\|= [pp=[@ @] qq=[@ @]] ^- [@ @]`
Constant-ize constants and prime field 2014-01-23 23:44:20 +04:00			`=+ dp=:(pro.fq d -.pp -.qq +.pp +.qq)`
ed25519 toy in hoon 2014-01-23 08:40:43 +04:00			`=+ ^= xt`
Constant-ize constants and prime field 2014-01-23 23:44:20 +04:00			`%+ pro.fq`
			`%+ sum.fq`
			`(pro.fq -.pp +.qq)`
			`(pro.fq -.qq +.pp)`
			`(inv.fq (sum.fq 1 dp))`
ed25519 toy in hoon 2014-01-23 08:40:43 +04:00			`=+ ^= yt`
Constant-ize constants and prime field 2014-01-23 23:44:20 +04:00			`%+ pro.fq`
			`%+ sum.fq`
			`(pro.fq +.pp +.qq)`
			`(pro.fq -.pp -.qq)`
			`(inv.fq (dif.fq 1 dp))`
ed25519 toy in hoon 2014-01-23 08:40:43 +04:00			`[xt yt]`
			`::`
			`++ scam`
			`\|= [pp=[@ @] e=@] ^- [@ @]`
			`?: =(0 e)`
			`[0 1]`
			`=+ qq=$(e (div e 2))`
			`=> .(qq (ward qq qq))`
			`?: =(1 (dis 1 e))`
			`(ward qq pp)`
			`qq`
			`::`
			`++ etch`
			`\|= pp=[@ @] ^- @`
			`(can 0 ~[[(sub b 1) +.pp] [1 (dis 1 -.pp)]])`
			`::`
			`++ puck`
			`\|= sk=@ ^- @`
Remove magic numbers 2014-01-23 23:23:28 +04:00			`=+ h=(shal (rsh 0 3 b) sk)`
ed25519 toy in hoon 2014-01-23 08:40:43 +04:00			`=+ ^= a`
			`%+ add`
			`(bex (sub b 2))`
			`(lsh 0 3 (cut 0 [3 (sub b 5)] h))`
			`=+ aa=(scam bb a)`
			`(etch aa)`
			`::`
			`++ sign`
			`\|= [m=@ sk=@ pk=@] ^- @`
Remove magic numbers 2014-01-23 23:23:28 +04:00			`=+ h=(shal (rsh 0 3 b) sk)`
ed25519 toy in hoon 2014-01-23 08:40:43 +04:00			`=+ ^= a`
			`%+ add`
			`(bex (sub b 2))`
			`(lsh 0 3 (cut 0 [3 (sub b 5)] h))`
			`=+ ^= r`
			`=+ hm=(cut 0 [b b] h)`
			`=+ ^= i`
			`%+ can 0`
			`:~ [b hm]`
			`[(met 0 m) m]`
			`==`
			`(shaz i)`
			`=+ rr=(scam bb r)`
			`=+ ^= ss`
			`=+ er=(etch rr)`
			`=+ ^= ha`
			`%+ can 0`
			`:~ [b er]`
			`[b pk]`
			`[(met 0 m) m]`
			`==`
			`(~(sit fo l) (add r (mul (shaz ha) a)))`
			`(can 0 ~[[b (etch rr)] [b ss]])`
			`++ curv`
			`\|= [x=@ y=@] ^- ?`
			`.= 0`
Constant-ize constants and prime field 2014-01-23 23:44:20 +04:00			`%+ dif.fq`
			`%+ sum.fq`
			`(pro.fq (sub q (sit.fq x)) x)`
			`(pro.fq y y)`
			`(sum.fq 1 :(pro.fq d x x y y))`
ed25519 toy in hoon 2014-01-23 08:40:43 +04:00			`++ decp`
Indentation and unitization 2014-01-24 00:15:58 +04:00			`\|= s=@ ^- (unit ,[@ @])`
ed25519 toy in hoon 2014-01-23 08:40:43 +04:00			`=+ y=(cut 0 [0 (dec b)] s)`
			`=+ si=(cut 0 [(dec b) 1] s)`
			`=+ x=(xrec y)`
			`=> .(x ?:(!=(si (dis 1 x)) (sub q x) x))`
			`=+ pp=[x y]`
Indentation and unitization 2014-01-24 00:15:58 +04:00			`?. (curv pp)`
			`~`
			`[~ pp]`
ed25519 toy in hoon 2014-01-23 08:40:43 +04:00			`++ veri`
			`\|= [s=@ m=@ pk=@] ^- ?`
Indentation and unitization 2014-01-24 00:15:58 +04:00			`?: (gth (div b 4) (met 3 s)) \|`
			`?: (gth (div b 8) (met 3 pk)) \|`
ed25519 toy in hoon 2014-01-23 08:40:43 +04:00			`=+ rr=(decp (cut 0 [0 b] s))`
Indentation and unitization 2014-01-24 00:15:58 +04:00			`?~ rr \|`
ed25519 toy in hoon 2014-01-23 08:40:43 +04:00			`=+ aa=(decp pk)`
Indentation and unitization 2014-01-24 00:15:58 +04:00			`?~ aa \|`
ed25519 toy in hoon 2014-01-23 08:40:43 +04:00			`=+ ss=(cut 0 [b b] s)`
Indentation and unitization 2014-01-24 00:15:58 +04:00			`=+ ha=(can 0 ~[[b (etch u.rr)] [b pk] [(met 0 m) m]])`
ed25519 toy in hoon 2014-01-23 08:40:43 +04:00			`=+ h=(shaz ha)`
Indentation and unitization 2014-01-24 00:15:58 +04:00			`=((scam bb ss) (ward u.rr (scam u.aa h)))`
ed25519 toy in hoon 2014-01-23 08:40:43 +04:00			`--`
			`==`
			`\|= [est=time eny=@uw]`
Make ed toy more interesting 2014-01-24 00:26:02 +04:00			`\|= [sk=@ m=@ ~]`
ed25519 toy in hoon 2014-01-23 08:40:43 +04:00			`^- bowl`
			`=+ pk=(puck sk)`
			~& [%pk `@ux`pk]
Make ed toy more interesting 2014-01-24 00:26:02 +04:00			`=+ si=(sign m sk pk)`
ed25519 toy in hoon 2014-01-23 08:40:43 +04:00			~& [%si `@ux`si]
			`:_ ~ :_ ~`
			`:- %$`
			`!>`
Check forged sigs as well 2014-01-23 23:22:41 +04:00			`=+ ^= sis`
Make ed toy more interesting 2014-01-24 00:26:02 +04:00			`?: (veri si m pk)`
ed25519 toy in hoon 2014-01-23 08:40:43 +04:00			`'valid sig'`
			`'invalid sig'`
Check forged sigs as well 2014-01-23 23:22:41 +04:00			`=+ ^= fos`
Make ed toy more interesting 2014-01-24 00:26:02 +04:00			`?. (veri si +(m) pk)`
Check forged sigs as well 2014-01-23 23:22:41 +04:00			`'detected forgery'`
			`'undetected forgery'`
			`[sis fos]`