
351 rinda
12 KiB

package ristretto255
import (
// The encoding of the canonical generator.
var compressedRistrettoBasepoint, _ = hex.DecodeString("e2f2ae0a6abc4e71a884a961c500515f58e30b6aa582dd8db6a65945e08d2d76")
func TestRistrettoBasepointRoundTrip(t *testing.T) {
decodedBasepoint := &Element{}
err := decodedBasepoint.Decode(compressedRistrettoBasepoint)
if err != nil {
ristrettoBasepoint := (&Element{}).Base()
if decodedBasepoint.Equal(ristrettoBasepoint) != 1 {
t.Error("decode succeeded, but got wrong point")
roundtripBasepoint := decodedBasepoint.Encode(nil)
if !bytes.Equal(compressedRistrettoBasepoint, roundtripBasepoint) {
t.Error("decode<>encode roundtrip produced different results")
encodedBasepoint := ristrettoBasepoint.Encode(nil)
if !bytes.Equal(compressedRistrettoBasepoint, encodedBasepoint) {
t.Error("point encode produced different results")
func TestRistrettoRandomRoundtrip(t *testing.T) {
// TODO quickcheck
func TestRistrettoSmallMultiplesTestVectors(t *testing.T) {
var testVectors = [16]string{
// This is the identity point
// This is the basepoint
// These are small multiples of the basepoint
basepointMultiple := (&Element{}).Zero()
ristrettoBasepoint := (&Element{}).Base()
for i := range testVectors {
// Grab the bytes of the encoding
encoding, err := hex.DecodeString(testVectors[i])
if err != nil {
t.Fatalf("#%d: bad hex encoding in test vector: %v", i, err)
// Decode the test vector to a ristretto255 element
decodedPoint := Element{}
err = decodedPoint.Decode(encoding)
if err != nil {
t.Fatalf("#%d: could not decode test vector: %v", i, err)
// Re-encode and check round trips
roundtripEncoding := decodedPoint.Encode(nil)
if !bytes.Equal(encoding, roundtripEncoding) {
t.Errorf("#%d: decode<>encode roundtrip failed", i)
// Check that the test vector encodes i * B
if basepointMultiple.Equal(&decodedPoint) != 1 {
t.Errorf("decoded small multiple %d * B is not %d * B", i, i)
computedEncoding := basepointMultiple.Encode(nil)
if !bytes.Equal(encoding, computedEncoding) {
t.Errorf("#%d: encoding computed value did not match", i)
// Ensure basepointMultiple = i * B in the next iteration
basepointMultiple.Add(basepointMultiple, ristrettoBasepoint)
func TestRistrettoBadEncodingsTestVectors(t *testing.T) {
var testVectors = []string{
// These are all bad because they're non-canonical field encodings.
// These are all bad because they're negative field elements.
// These are all bad because they give a nonsquare x^2.
// These are all bad because they give a negative xy value.
// This is s = -1, which causes y = 0.
basepointMultiple := Element{}
for i := range testVectors {
// Grab the bytes of the encoding
encoding, err := hex.DecodeString(testVectors[i])
if err != nil {
t.Fatalf("#%d: bad hex encoding in test vector: %v", i, err)
// Attempt decoding
decodedPoint := Element{}
err = decodedPoint.Decode(encoding)
if err == nil {
t.Fatalf("#%d: did not fail on bad encoding", i)
func TestRistrettoFromUniformBytesTestVectors(t *testing.T) {
inputs := []string{
"Ristretto is traditionally a short shot of espresso coffee",
"made with the normal amount of ground coffee but extracted with",
"about half the amount of water in the same amount of time",
"by using a finer grind.",
"This produces a concentrated shot of coffee per volume.",
"Just pulling a normal shot short will produce a weaker shot",
"and is not a Ristretto as some believe.",
elements := []string{
var element Element
for i, input := range inputs {
hash := sha512.Sum512([]byte(input))
if encoding := hex.EncodeToString(element.Encode(nil)); encoding != elements[i] {
t.Errorf("#%d: expected %q, got %q", i, elements[i], encoding)
func TestEquivalentFromUniformBytes(t *testing.T) {
inputs := []string{
"edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" +
"edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f" +
"0000000000000000000000000000000000000000000000000000000000000080" +
"0000000000000000000000000000000000000000000000000000000000000000" +
expected := "304282791023b73128d277bdcb5c7746ef2eac08dde9f2983379cb8e5ef0517f"
var element Element
for i, input := range inputs {
h, err := hex.DecodeString(input)
if err != nil {
t.Fatalf("#%d: bad hex encoding in test vector: %v", i, err)
if encoding := hex.EncodeToString(element.Encode(nil)); encoding != expected {
t.Errorf("#%d: expected %q, got %q", i, expected, encoding)
func TestMarshalScalar(t *testing.T) {
x := new(Scalar)
// generate an arbitrary scalar
xbytes := sha512.Sum512([]byte("Hello World"))
text, err := json.Marshal(x)
if err != nil {
t.Fatalf("Could not marshal json: %v", err)
t.Logf("json: %s", text)
y := new(Scalar)
err = json.Unmarshal(text, y)
if err != nil || y.Equal(x) == 0 {
t.Fatalf("Error unmarshaling scalar from json: %s %v", text, err)
func TestMarshalElement(t *testing.T) {
x := new(Element)
// generate an arbitrary element
xbytes := sha512.Sum512([]byte("Hello World"))
text, err := json.Marshal(x)
if err != nil {
t.Fatalf("Could not marshal json: %v", err)
t.Logf("json: %s", text)
y := new(Element)
err = json.Unmarshal(text, y)
if err != nil || y.Equal(x) == 0 {
t.Fatalf("Error unmarshaling element from json: %s %v", text, err)
func TestElementSet(t *testing.T) {
// Test this, because the internal point type being hard-copyable isn't part of the spec.
el1 := NewIdentityElement()
el2 := NewGeneratorElement()
if el1.Equal(el2) == 1 {
t.Error("shouldn't be the same")
// Check new value
if el1.Equal(el2) == 0 {
t.Error("failed to set the value")
// Mutate source var
el2.Add(el2, el2)
if el1.Equal(el2) == 1 {
t.Error("shouldn't have changed")
func TestScalarSet(t *testing.T) {
// Test this, because the internal scalar representation being hard-copyable isn't part of the spec.
// 32-byte little endian value of "1"
scOne := make([]byte, 32)
scOne[0] = 0x01
sc1, sc2 := NewScalar(), NewScalar()
// sc1 <- 1
// 1 != 0
if sc1.Equal(sc2) == 1 {
t.Error("shouldn't be the same")
// sc2 <- sc1
// 1 == 1
if sc1.Equal(sc2) == 0 {
t.Error("failed to set the value")
// sc1 <- 1 + 1
sc1.Add(sc1, sc1)
// 2 != 1
if sc1.Equal(sc2) == 1 {
t.Error("shouldn't have changed")
func TestConstants(t *testing.T) {
// From draft-hdevalence-cfrg-ristretto-01, Section 3.1.
t.Run("d", func(t *testing.T) {
testConstant(t, d,
t.Run("sqrtM1", func(t *testing.T) {
testConstant(t, sqrtM1,
t.Run("sqrtADMinusOne", func(t *testing.T) {
testConstant(t, sqrtADMinusOne,
t.Run("invSqrtAMinusD", func(t *testing.T) {
testConstant(t, invSqrtAMinusD,
t.Run("oneMinusDSQ", func(t *testing.T) {
testConstant(t, oneMinusDSQ,
t.Run("dMinusOneSQ", func(t *testing.T) {
testConstant(t, dMinusOneSQ,
func testConstant(t *testing.T, f *field.Element, decimal string) {
b, ok := new(big.Int).SetString(decimal, 10)
if !ok {
t.Fatal("invalid decimal")
buf := b.FillBytes(make([]byte, 32))
for i := 0; i < len(buf)/2; i++ {
buf[i], buf[len(buf)-i-1] = buf[len(buf)-i-1], buf[i]
if !bytes.Equal(f.Bytes(), buf) {
t.Errorf("expected %x", buf)