jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Browse Source

remove python dependency by checking in generated code

master
Michael Hamburg 9 years ago
parent
d1e2bbec15
commit
28086a96d1
48 changed files with 13463 additions and 31 deletions
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +34
    -31
      Makefile
  2. +234
    -0
      src/GENERATED/c/curve25519/crypto.c
  3. +1567
    -0
      src/GENERATED/c/curve25519/decaf.c
  4. +116
    -0
      src/GENERATED/c/curve25519/decaf_gen_tables.c
  5. +258
    -0
      src/GENERATED/c/curve25519/decaf_tables.c
  6. +267
    -0
      src/GENERATED/c/curve25519/eddsa.c
  7. +199
    -0
      src/GENERATED/c/curve25519/elligator.c
  8. +339
    -0
      src/GENERATED/c/curve25519/scalar.c
  9. +234
    -0
      src/GENERATED/c/ed448goldilocks/crypto.c
  10. +1567
    -0
      src/GENERATED/c/ed448goldilocks/decaf.c
  11. +116
    -0
      src/GENERATED/c/ed448goldilocks/decaf_gen_tables.c
  12. +354
    -0
      src/GENERATED/c/ed448goldilocks/decaf_tables.c
  13. +267
    -0
      src/GENERATED/c/ed448goldilocks/eddsa.c
  14. +199
    -0
      src/GENERATED/c/ed448goldilocks/elligator.c
  15. +339
    -0
      src/GENERATED/c/ed448goldilocks/scalar.c
  16. +108
    -0
      src/GENERATED/c/p25519/f_field.h
  17. +133
    -0
      src/GENERATED/c/p25519/f_generic.c
  18. +108
    -0
      src/GENERATED/c/p448/f_field.h
  19. +133
    -0
      src/GENERATED/c/p448/f_generic.c
  20. +32
    -0
      src/GENERATED/include/decaf.h
  21. +29
    -0
      src/GENERATED/include/decaf.hxx
  22. +111
    -0
      src/GENERATED/include/decaf/common.h
  23. +24
    -0
      src/GENERATED/include/decaf/crypto.h
  24. +24
    -0
      src/GENERATED/include/decaf/crypto.hxx
  25. +178
    -0
      src/GENERATED/include/decaf/crypto_255.h
  26. +216
    -0
      src/GENERATED/include/decaf/crypto_255.hxx
  27. +178
    -0
      src/GENERATED/include/decaf/crypto_448.h
  28. +216
    -0
      src/GENERATED/include/decaf/crypto_448.hxx
  29. +706
    -0
      src/GENERATED/include/decaf/decaf_255.h
  30. +714
    -0
      src/GENERATED/include/decaf/decaf_255.hxx
  31. +706
    -0
      src/GENERATED/include/decaf/decaf_448.h
  32. +714
    -0
      src/GENERATED/include/decaf/decaf_448.hxx
  33. +139
    -0
      src/GENERATED/include/decaf/ed255.h
  34. +458
    -0
      src/GENERATED/include/decaf/ed255.hxx
  35. +139
    -0
      src/GENERATED/include/decaf/ed448.h
  36. +460
    -0
      src/GENERATED/include/decaf/ed448.hxx
  37. +22
    -0
      src/GENERATED/include/decaf/eddsa.hxx
  38. +492
    -0
      src/GENERATED/include/decaf/secure_buffer.hxx
  39. +53
    -0
      src/GENERATED/include/decaf/sha512.h
  40. +103
    -0
      src/GENERATED/include/decaf/sha512.hxx
  41. +210
    -0
      src/GENERATED/include/decaf/shake.h
  42. +190
    -0
      src/GENERATED/include/decaf/shake.hxx
  43. +93
    -0
      src/GENERATED/include/decaf/spongerng.h
  44. +104
    -0
      src/GENERATED/include/decaf/spongerng.hxx
  45. +341
    -0
      src/GENERATED/include/decaf/strobe.h
  46. +239
    -0
      src/GENERATED/include/decaf/strobe.hxx
  47. +0
    -0
      src/generator/curve_data.py
  48. +0
    -0
      src/generator/template.py

+ 34
- 31
Makefile View File

@@ -9,11 +9,11 @@ MACHINE := $(shell uname -m)
# Many of them are mapped to build/obj right now, but could be split later.
# The non-build/obj directories are the public interface.
BUILD_OBJ = build/obj
BUILD_C = build/c
BUILD_H = build/c
BUILD_C = src/GENERATED/c
BUILD_H = src/GENERATED/c
BUILD_PY = build/obj
BUILD_LIB = build/lib
BUILD_INC = build/include
BUILD_INC = src/GENERATED/include
BUILD_BIN = build/bin
BUILD_IBIN = build/obj/bin
BATBASE=ed448goldilocks_decaf_bats_$(TODAY)
@@ -65,14 +65,14 @@ SAGE ?= sage
SAGES= $(shell ls test/*.sage)
BUILDPYS= $(SAGES:test/%.sage=$(BUILD_PY)/%.py)

.PHONY: clean all test test_ct bench todo doc lib bat sage sagetest gen_headers
.PHONY: clean all test test_ct bench todo doc lib bat sage sagetest gen_code
.PRECIOUS: $(BUILD_C)/*/%.c $(BUILD_H)/*/%.h $(BUILD_IBIN)/%

HEADER_SRCS= $(shell find src/public_include -name "*.h*")
GEN_HEADERS_0= $(HEADER_SRCS:src/public_include/%=$(BUILD_INC)/%)
GEN_HEADERS_1= $(GEN_HEADERS_0:%.tmpl.h=%.h)
GEN_HEADERS= $(GEN_HEADERS_1:%.tmpl.hxx=%.hxx)
HEADERS= Makefile $(shell find src test -name "*.h") $(BUILD_OBJ)/timestamp $(GEN_HEADERS)
GEN_CODE_0= $(HEADER_SRCS:src/public_include/%=$(BUILD_INC)/%)
GEN_CODE_1= $(GEN_CODE_0:%.tmpl.h=%.h)
GEN_CODE= $(GEN_CODE_1:%.tmpl.hxx=%.hxx)
HEADERS= Makefile $(shell find src test -name "*.h") $(BUILD_OBJ)/timestamp $(GEN_CODE)

# components needed by the lib
LIBCOMPONENTS = $(BUILD_OBJ)/utils.o $(BUILD_OBJ)/shake.o $(BUILD_OBJ)/sha512.o # and per-field components
@@ -117,16 +117,16 @@ $(BUILD_OBJ)/timestamp:
$(PER_OBJ_DIRS)
touch $@

gen_headers: $(GEN_HEADERS)
gen_code: $(GEN_CODE)

$(BUILD_INC)/%: src/public_include/% $(BUILD_OBJ)/timestamp
cp -f $< $@
$(BUILD_INC)/%.h: src/public_include/%.tmpl.h src/gen_headers/*
python -B src/gen_headers/template.py --per=global --guard=$(@:$(BUILD_INC)/%=%) -o $@ $<
$(BUILD_INC)/%.h: src/public_include/%.tmpl.h src/generator/*
python -B src/generator/template.py --per=global --guard=$(@:$(BUILD_INC)/%=%) -o $@ $<
$(BUILD_INC)/%.hxx: src/public_include/%.tmpl.hxx src/gen_headers/*
python -B src/gen_headers/template.py --per=global --guard=$(@:$(BUILD_INC)/%=%) -o $@ $<
$(BUILD_INC)/%.hxx: src/public_include/%.tmpl.hxx src/generator/*
python -B src/generator/template.py --per=global --guard=$(@:$(BUILD_INC)/%=%) -o $@ $<

################################################################
# Per-field code: call with field, arch
@@ -138,11 +138,11 @@ HEADERS_OF_$(1) = $(HEADERS) $$(BUILD_H)/$(1)/f_field.h
LIBCOMPONENTS += $$(COMPONENTS_OF_$(1))
PER_OBJ_DIRS += $$(BUILD_OBJ)/$(1)

$$(BUILD_C)/$(1)/%.c: src/per_field/%.tmpl.c src/gen_headers/* $(HEADERS)
python -B src/gen_headers/template.py --per=field --guard=$(1)/`basename $$@` --item=$(1) -o $$@ $$<
$$(BUILD_C)/$(1)/%.c: src/per_field/%.tmpl.c src/generator/* Makefile
python -B src/generator/template.py --per=field --guard=$(1)/`basename $$@` --item=$(1) -o $$@ $$<
$$(BUILD_H)/$(1)/%.h: src/per_field/%.tmpl.h src/gen_headers/* $(HEADERS)
python -B src/gen_headers/template.py --per=field --guard=$(1)/`basename $$@` --item=$(1) -o $$@ $$<
$$(BUILD_H)/$(1)/%.h: src/per_field/%.tmpl.h src/generator/* Makefile
python -B src/generator/template.py --per=field --guard=$(1)/`basename $$@` --item=$(1) -o $$@ $$<

$$(BUILD_OBJ)/$(1)/%.o: $$(BUILD_C)/$(1)/%.c $$(HEADERS_OF_$(1))
$$(CC) $$(CFLAGS) -I src/$(1) -I src/$(1)/$$(ARCH_FOR_$(1)) -I $(BUILD_H)/$(1) \
@@ -174,26 +174,26 @@ GLOBAL_HEADERS_OF_$(1) = $(BUILD_INC)/decaf/decaf_$(3).h $(BUILD_INC)/decaf/deca
HEADERS_OF_$(1) = $$(HEADERS_OF_$(2)) $$(GLOBAL_HEADERS_OF_$(1))
HEADERS += $$(GLOBAL_HEADERS_OF_$(1))

$$(BUILD_C)/$(1)/%.c: src/per_curve/%.tmpl.c src/gen_headers/* $$(HEADERS_OF_$(2))
python -B src/gen_headers/template.py --per=curve --item=$(1) --guard=$(1)/`basename $$@` -o $$@ $$<
$$(BUILD_C)/$(1)/%.c: src/per_curve/%.tmpl.c src/generator/* Makefile
python -B src/generator/template.py --per=curve --item=$(1) --guard=$(1)/`basename $$@` -o $$@ $$<
$$(BUILD_H)/$(1)/%.h: src/per_curve/%.tmpl.h src/gen_headers/* $$(HEADERS_OF_$(2))
python -B src/gen_headers/template.py --per=curve --item=$(1) --guard=$(1)/`basename $$@` -o $$@ $$<
$$(BUILD_H)/$(1)/%.h: src/per_curve/%.tmpl.h src/generator/* Makefile
python -B src/generator/template.py --per=curve --item=$(1) --guard=$(1)/`basename $$@` -o $$@ $$<
$$(BUILD_INC)/decaf/decaf_$(3).%: src/per_curve/decaf.tmpl.% src/gen_headers/* $$(HEADERS_OF_$(2))
python -B src/gen_headers/template.py --per=curve --item=$(1) --guard=$$(@:$(BUILD_INC)/%=%) -o $$@ $$<
$$(BUILD_INC)/decaf/decaf_$(3).%: src/per_curve/decaf.tmpl.% src/generator/* Makefile
python -B src/generator/template.py --per=curve --item=$(1) --guard=$$(@:$(BUILD_INC)/%=%) -o $$@ $$<
$$(BUILD_INC)/decaf/ed$(3).%: src/per_curve/eddsa.tmpl.% src/gen_headers/* $$(HEADERS_OF_$(2))
python -B src/gen_headers/template.py --per=curve --item=$(1) --guard=$$(@:$(BUILD_INC)/%=%) -o $$@ $$<
$$(BUILD_INC)/decaf/ed$(3).%: src/per_curve/eddsa.tmpl.% src/generator/* Makefile
python -B src/generator/template.py --per=curve --item=$(1) --guard=$$(@:$(BUILD_INC)/%=%) -o $$@ $$<
$$(BUILD_INC)/decaf/elligator_$(3).%: src/per_curve/elligator.tmpl.% src/gen_headers/* $$(HEADERS_OF_$(2))
python -B src/gen_headers/template.py --per=curve --item=$(1) --guard=$$(@:$(BUILD_INC)/%=%) -o $$@ $$<
$$(BUILD_INC)/decaf/elligator_$(3).%: src/per_curve/elligator.tmpl.% src/generator/* Makefile
python -B src/generator/template.py --per=curve --item=$(1) --guard=$$(@:$(BUILD_INC)/%=%) -o $$@ $$<
$$(BUILD_INC)/decaf/scalar_$(3).%: src/per_curve/scalar.tmpl.% src/gen_headers/* $$(HEADERS_OF_$(2))
python -B src/gen_headers/template.py --per=curve --item=$(1) --guard=$$(@:$(BUILD_INC)/%=%) -o $$@ $$<
$$(BUILD_INC)/decaf/scalar_$(3).%: src/per_curve/scalar.tmpl.% src/generator/* Makefile
python -B src/generator/template.py --per=curve --item=$(1) --guard=$$(@:$(BUILD_INC)/%=%) -o $$@ $$<
$$(BUILD_INC)/decaf/crypto_$(3).%: src/per_curve/crypto.tmpl.% src/gen_headers/* $$(HEADERS_OF_$(2))
python -B src/gen_headers/template.py --per=curve --item=$(1) --guard=$$(@:$(BUILD_INC)/%=%) -o $$@ $$<
$$(BUILD_INC)/decaf/crypto_$(3).%: src/per_curve/crypto.tmpl.% src/generator/* Makefile
python -B src/generator/template.py --per=curve --item=$(1) --guard=$$(@:$(BUILD_INC)/%=%) -o $$@ $$<

$$(BUILD_IBIN)/decaf_gen_tables_$(1): $$(BUILD_OBJ)/$(1)/decaf_gen_tables.o \
$$(BUILD_OBJ)/$(1)/decaf.o $$(BUILD_OBJ)/$(1)/scalar.o $$(BUILD_OBJ)/utils.o \
@@ -332,3 +332,6 @@ microbench: $(BUILD_IBIN)/bench

clean:
rm -fr build

clean_generated:
rm -fr $(BUILD_C)/* $(BUILD_H)/* $(BUILD_INC)/*

+ 234
- 0
src/GENERATED/c/curve25519/crypto.c View File

@@ -0,0 +1,234 @@
/**
* @file curve25519/crypto.c
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
* @cond internal
* @brief Example Decaf crypto routines
*
* @warning This file was automatically generated in Python.
* Please do not edit it.
*/
#include <decaf/crypto.h>
#include <string.h>

#define API_NAME "decaf_255"
#define API_NS(_id) decaf_255_##_id
#define SCALAR_BITS DECAF_255_SCALAR_BITS
#define SCALAR_BYTES ((SCALAR_BITS + 7)/8)
#define SER_BYTES DECAF_255_SER_BYTES

/* TODO: canonicalize and freeze the STROBE constants in this file
* (and STROBE itself for that matter)
*/
static const char *DERIVE_MAGIC = API_NAME"::derive_private_key";
static const char *SIGN_MAGIC = API_NAME"::sign";
static const char *SHARED_SECRET_MAGIC = API_NAME"::shared_secret";
static const uint16_t SHARED_SECRET_MAX_BLOCK_SIZE = 1<<12;
static const unsigned int SCALAR_OVERKILL_BYTES = SCALAR_BYTES + 8;

void API_NS(derive_private_key) (
API_NS(private_key_t) priv,
const API_NS(symmetric_key_t) proto
) {
uint8_t encoded_scalar[SCALAR_OVERKILL_BYTES];
API_NS(point_t) pub;
keccak_strobe_t strobe;
strobe_init(strobe, &STROBE_256, DERIVE_MAGIC, 0);
strobe_fixed_key(strobe, proto, sizeof(API_NS(symmetric_key_t)));
strobe_prng(strobe, encoded_scalar, sizeof(encoded_scalar));
strobe_destroy(strobe);
memcpy(priv->sym, proto, sizeof(API_NS(symmetric_key_t)));
API_NS(scalar_decode_long)(priv->secret_scalar, encoded_scalar, sizeof(encoded_scalar));
API_NS(precomputed_scalarmul)(pub, API_NS(precomputed_base), priv->secret_scalar);
API_NS(point_encode)(priv->pub, pub);
decaf_bzero(encoded_scalar, sizeof(encoded_scalar));
}

void
API_NS(destroy_private_key) (
API_NS(private_key_t) priv
) {
decaf_bzero((void*)priv, sizeof(API_NS(private_key_t)));
}

void API_NS(private_to_public) (
API_NS(public_key_t) pub,
const API_NS(private_key_t) priv
) {
memcpy(pub, priv->pub, sizeof(API_NS(public_key_t)));
}

/* Performance vs consttime tuning.
* Specifying true here might give better DOS resistance in certain corner
* cases. Specifying false gives a tighter result in test_ct.
*/
#ifndef DECAF_CRYPTO_SHARED_SECRET_SHORT_CIRUIT
#define DECAF_CRYPTO_SHARED_SECRET_SHORT_CIRUIT DECAF_FALSE
#endif

decaf_error_t
API_NS(shared_secret) (
uint8_t *shared,
size_t shared_bytes,
const API_NS(private_key_t) my_privkey,
const API_NS(public_key_t) your_pubkey,
int me_first
) {
keccak_strobe_t strobe;
strobe_init(strobe, &STROBE_256, SHARED_SECRET_MAGIC, 0);
uint8_t ss_ser[SER_BYTES];
if (me_first) {
strobe_ad(strobe,my_privkey->pub,sizeof(API_NS(public_key_t)));
strobe_ad(strobe,your_pubkey,sizeof(API_NS(public_key_t)));
} else {
strobe_ad(strobe,your_pubkey,sizeof(API_NS(public_key_t)));
strobe_ad(strobe,my_privkey->pub,sizeof(API_NS(public_key_t)));
}
decaf_error_t ret = API_NS(direct_scalarmul)(
ss_ser, your_pubkey, my_privkey->secret_scalar, DECAF_FALSE,
DECAF_CRYPTO_SHARED_SECRET_SHORT_CIRUIT
);
strobe_transact(strobe,NULL,ss_ser,sizeof(ss_ser),STROBE_CW_DH_KEY);
while (shared_bytes) {
uint16_t cando = (shared_bytes > SHARED_SECRET_MAX_BLOCK_SIZE)
? SHARED_SECRET_MAX_BLOCK_SIZE : shared_bytes;
strobe_prng(strobe,shared,cando);
shared_bytes -= cando;
shared += cando;
}

strobe_destroy(strobe);
decaf_bzero(ss_ser, sizeof(ss_ser));
return ret;
}

void
API_NS(sign_strobe) (
keccak_strobe_t strobe,
API_NS(signature_t) sig,
const API_NS(private_key_t) priv
) {
uint8_t overkill[SCALAR_OVERKILL_BYTES];
API_NS(point_t) point;
API_NS(scalar_t) nonce, challenge;
/* Stir pubkey */
strobe_transact(strobe,NULL,priv->pub,sizeof(API_NS(public_key_t)),STROBE_CW_SIG_PK);
/* Derive nonce */
keccak_strobe_t strobe2;
memcpy(strobe2,strobe,sizeof(strobe2));
strobe_fixed_key(strobe2,priv->sym,sizeof(API_NS(symmetric_key_t)));
strobe_prng(strobe2,overkill,sizeof(overkill));
strobe_destroy(strobe2);
API_NS(scalar_decode_long)(nonce, overkill, sizeof(overkill));
API_NS(precomputed_scalarmul)(point, API_NS(precomputed_base), nonce);
API_NS(point_encode)(sig, point);

/* Derive challenge */
strobe_transact(strobe,NULL,sig,SER_BYTES,STROBE_CW_SIG_EPH);
strobe_transact(strobe,overkill,NULL,sizeof(overkill),STROBE_CW_SIG_CHAL);
API_NS(scalar_decode_long)(challenge, overkill, sizeof(overkill));
/* Respond */
API_NS(scalar_mul)(challenge, challenge, priv->secret_scalar);
API_NS(scalar_sub)(nonce, nonce, challenge);
/* Save results */
API_NS(scalar_encode)(overkill, nonce);
strobe_transact(strobe,&sig[SER_BYTES],overkill,SCALAR_BYTES,STROBE_CW_SIG_RESP);
/* Clean up */
API_NS(scalar_destroy)(nonce);
API_NS(scalar_destroy)(challenge);
decaf_bzero(overkill,sizeof(overkill));
}

decaf_error_t
API_NS(verify_strobe) (
keccak_strobe_t strobe,
const API_NS(signature_t) sig,
const API_NS(public_key_t) pub
) {
decaf_bool_t ret;
uint8_t overkill[SCALAR_OVERKILL_BYTES];
API_NS(point_t) point, pubpoint;
API_NS(scalar_t) challenge, response;
/* Stir pubkey */
strobe_transact(strobe,NULL,pub,sizeof(API_NS(public_key_t)),STROBE_CW_SIG_PK);
/* Derive nonce */
strobe_transact(strobe,NULL,sig,SER_BYTES,STROBE_CW_SIG_EPH);
ret = decaf_successful( API_NS(point_decode)(point, sig, DECAF_TRUE) );
/* Derive challenge */
strobe_transact(strobe,overkill,NULL,sizeof(overkill),STROBE_CW_SIG_CHAL);
API_NS(scalar_decode_long)(challenge, overkill, sizeof(overkill));
/* Decode response */
strobe_transact(strobe,overkill,&sig[SER_BYTES],SCALAR_BYTES,STROBE_CW_SIG_RESP);
ret &= decaf_successful( API_NS(scalar_decode)(response, overkill) );
ret &= decaf_successful( API_NS(point_decode)(pubpoint, pub, DECAF_FALSE) );

API_NS(base_double_scalarmul_non_secret) (
pubpoint, response, pubpoint, challenge
);

ret &= API_NS(point_eq)(pubpoint, point);
/* Nothing here is secret, so don't do these things:
decaf_bzero(overkill,sizeof(overkill));
API_NS(point_destroy)(point);
API_NS(point_destroy)(pubpoint);
API_NS(scalar_destroy)(challenge);
API_NS(scalar_destroy)(response);
*/
return decaf_succeed_if(ret);
}

void
API_NS(sign) (
API_NS(signature_t) sig,
const API_NS(private_key_t) priv,
const unsigned char *message,
size_t message_len
) {
keccak_strobe_t ctx;
strobe_init(ctx,&STROBE_256,SIGN_MAGIC,0);
strobe_transact(ctx, NULL, message, message_len, STROBE_CW_STREAMING_PLAINTEXT);
API_NS(sign_strobe)(ctx, sig, priv);
strobe_destroy(ctx);
}

decaf_error_t
API_NS(verify) (
const API_NS(signature_t) sig,
const API_NS(public_key_t) pub,
const unsigned char *message,
size_t message_len
) {
keccak_strobe_t ctx;
strobe_init(ctx,&STROBE_256,SIGN_MAGIC,0);
strobe_transact(ctx, NULL, message, message_len, STROBE_CW_STREAMING_PLAINTEXT);
decaf_error_t ret = API_NS(verify_strobe)(ctx, sig, pub);
strobe_destroy(ctx);
return ret;
}

+ 1567
- 0
src/GENERATED/c/curve25519/decaf.c
File diff suppressed because it is too large
View File


+ 116
- 0
src/GENERATED/c/curve25519/decaf_gen_tables.c View File

@@ -0,0 +1,116 @@
/**
* @file curve25519/decaf_gen_tables.c
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
* @brief Decaf global constant table precomputation.
*
* @warning This file was automatically generated in Python.
* Please do not edit it.
*/
#define _XOPEN_SOURCE 600 /* for posix_memalign */
#include <stdio.h>
#include <stdlib.h>

#include "field.h"
#include "f_field.h"
#include "decaf.h"

#define API_NS(_id) decaf_255_##_id
static const unsigned char base_point_ser_for_pregen[SER_BYTES] = {
0x03
};

/* To satisfy linker. */
const gf API_NS(precomputed_base_as_fe)[1];
const API_NS(point_t) API_NS(point_base);

struct niels_s;
const gf_s *API_NS(precomputed_wnaf_as_fe);
extern const size_t API_NS(sizeof_precomputed_wnafs);

void API_NS(precompute_wnafs) (
struct niels_s *out,
const API_NS(point_t) base
);
static void field_print(const gf f) {
unsigned char ser[X_SER_BYTES];
gf_serialize(ser,f,1);
int b=0, i, comma=0;
unsigned long long limb = 0;
printf("{FIELD_LITERAL(");
for (i=0; i<X_SER_BYTES; i++) {
limb |= ((uint64_t)ser[i])<<b;
b += 8;
if (b >= GF_LIT_LIMB_BITS || i == SER_BYTES-1) {
limb &= (1ull<<GF_LIT_LIMB_BITS) -1;
b -= GF_LIT_LIMB_BITS;
if (comma) printf(",");
comma = 1;
printf("0x%016llx", limb);
limb = ((uint64_t)ser[i])>>(8-b);
}
}
printf(")}");
assert(b<8);
}

int main(int argc, char **argv) {
(void)argc; (void)argv;
API_NS(point_t) real_point_base;
int ret = API_NS(point_decode)(real_point_base,base_point_ser_for_pregen,0);
if (ret != DECAF_SUCCESS) return 1;
API_NS(precomputed_s) *pre;
ret = posix_memalign((void**)&pre, API_NS(alignof_precomputed_s), API_NS(sizeof_precomputed_s));
if (ret || !pre) return 1;
API_NS(precompute)(pre, real_point_base);
struct niels_s *pre_wnaf;
ret = posix_memalign((void**)&pre_wnaf, API_NS(alignof_precomputed_s), API_NS(sizeof_precomputed_wnafs));
if (ret || !pre_wnaf) return 1;
API_NS(precompute_wnafs)(pre_wnaf, real_point_base);

const gf_s *output;
unsigned i;
printf("/** @warning: this file was automatically generated. */\n");
printf("#include \"field.h\"\n\n");
printf("#include <decaf.h>\n\n");
printf("#define API_NS(_id) decaf_255_##_id\n");
output = (const gf_s *)real_point_base;
printf("const API_NS(point_t) API_NS(point_base) = {{\n");
for (i=0; i < sizeof(API_NS(point_t)); i+=sizeof(gf)) {
if (i) printf(",\n ");
field_print(output++);
}
printf("\n}};\n");
output = (const gf_s *)pre;
printf("const gf API_NS(precomputed_base_as_fe)[%d]\n",
(int)(API_NS(sizeof_precomputed_s) / sizeof(gf)));
printf("__attribute__((aligned(%d),visibility(\"hidden\"))) = {\n ", (int)API_NS(alignof_precomputed_s));
for (i=0; i < API_NS(sizeof_precomputed_s); i+=sizeof(gf)) {
if (i) printf(",\n ");
field_print(output++);
}
printf("\n};\n");
output = (const gf_s *)pre_wnaf;
printf("const gf API_NS(precomputed_wnaf_as_fe)[%d]\n",
(int)(API_NS(sizeof_precomputed_wnafs) / sizeof(gf)));
printf("__attribute__((aligned(%d),visibility(\"hidden\"))) = {\n ", (int)API_NS(alignof_precomputed_s));
for (i=0; i < API_NS(sizeof_precomputed_wnafs); i+=sizeof(gf)) {
if (i) printf(",\n ");
field_print(output++);
}
printf("\n};\n");
return 0;
}

+ 258
- 0
src/GENERATED/c/curve25519/decaf_tables.c View File

@@ -0,0 +1,258 @@
/** @warning: this file was automatically generated. */
#include "field.h"

#include <decaf.h>

#define API_NS(_id) decaf_255_##_id
const API_NS(point_t) API_NS(point_base) = {{
{FIELD_LITERAL(0x0004a2ebbc57c446,0x000501e3eb5a93b2,0x00079c37ac6e4a40,0x00052181e701cbb9,0x0000512db01de8b3)},
{FIELD_LITERAL(0x0005ef58002a189b,0x0000f03409118cd4,0x00033a3f7e448905,0x0006a725fcccd553,0x0000863a7a72a10d)},
{FIELD_LITERAL(0x000000000000000a,0x0000000000000000,0x0000000000000000,0x0000000000000000,0x0000000000000000)},
{FIELD_LITERAL(0x00064dd34108cd8b,0x00074d6a76c1aa17,0x0007ee5469f0a08a,0x0007eb4b28e92c93,0x00076326b6a09052)}
}};
const gf API_NS(precomputed_base_as_fe)[144]
__attribute__((aligned(32),visibility("hidden"))) = {
{FIELD_LITERAL(0x00074308734f7d55,0x000380ac08a23a96,0x00024b4b5cef028b,0x000632cbb8646ab5,0x00075516b5681530)},
{FIELD_LITERAL(0x0005729461e535df,0x0004a8e85565dffb,0x000246a85e49fde1,0x000285c20023113d,0x00028a44366a7a53)},
{FIELD_LITERAL(0x0007900f448afdf1,0x0003b19d978aa5b4,0x00001f24c6a6a64c,0x0002087f8eafcb75,0x0002908747e585e7)},
{FIELD_LITERAL(0x00076d889cad4165,0x00071362fbf32e38,0x000690aefb540c46,0x000621cc7bb1b618,0x000221025cc4baa9)},
{FIELD_LITERAL(0x0007bebe4b16496c,0x0002e7f9398fd049,0x0000e75000bce490,0x000524d09bad6a16,0x0006e0956a9e4b96)},
{FIELD_LITERAL(0x00011021995f4d69,0x000408ad873a4a85,0x0001eabfb56a654e,0x0000c9929a913e80,0x000089c71d2ad5fb)},
{FIELD_LITERAL(0x0001074205aa7651,0x00070175da77bb6c,0x0003aabc342a7247,0x00053b258c3bfab2,0x00026b1876e97291)},
{FIELD_LITERAL(0x00011e80f790420b,0x00005b106301a4b8,0x0003655366fb76bd,0x0000db29fd744fb9,0x000421bcf8c7f1c9)},
{FIELD_LITERAL(0x00046711fde8d258,0x000470e3497ac3e2,0x000194ae035752d1,0x0004ae895c0abf15,0x0005ddd80811ad26)},
{FIELD_LITERAL(0x0005b4e34964bdc6,0x0001e81fa96ce1f5,0x0007e2df72008566,0x000168443f698ebe,0x000152ac0b755c25)},
{FIELD_LITERAL(0x000290744e6e5635,0x0006c5bc38e03bc3,0x0006c96e2fbd1fda,0x00013f648afeb2d4,0x0007c62b7a2c6a06)},
{FIELD_LITERAL(0x000318c70c2f945b,0x0004239d8e807a94,0x0004188e8a39e6a0,0x00059e2ee0252e08,0x00040068a0c16600)},
{FIELD_LITERAL(0x0006e6b7abb10734,0x0006c794fd3e62f5,0x00020e578b02d4d6,0x00071c80374f0b04,0x00012c3bfb2d0371)},
{FIELD_LITERAL(0x00055466e28f151e,0x0006b7f47234ae9b,0x00000e13de9f7ae1,0x000397ae5535fd30,0x0003770095a7d1b6)},
{FIELD_LITERAL(0x0000bf2a1151e097,0x00034b6f37a26f1c,0x0006c920dc5af278,0x00036a5fdeecf456,0x0000274e3992daca)},
{FIELD_LITERAL(0x00059e4ca2f8886f,0x0006b4750e946c95,0x00059eec7f9ece40,0x00005a4cea7306d6,0x0002942643555c80)},
{FIELD_LITERAL(0x000032272e61054e,0x0002fd234cb15146,0x00023e3ee1ef8f01,0x0004cbc46f7dc7bd,0x00012823d598d1eb)},
{FIELD_LITERAL(0x00038ad274b8a817,0x0004fc82ef8b5d5c,0x00041bd3024f4574,0x00055d7231efff55,0x0000c5645a2c0dfe)},
{FIELD_LITERAL(0x00046d0660706b4f,0x00026639b32bc46a,0x00047778c8f868cf,0x00026f6f03de7b3f,0x000152449d80f37a)},
{FIELD_LITERAL(0x000775f7d7c489e4,0x000753ccdcef1f73,0x0000794b3d428f1b,0x00069f835109615b,0x0007c293b3c9fd03)},
{FIELD_LITERAL(0x00023ede6e1d8634,0x0000a56181b173a2,0x0004562f62daae1f,0x00052816d45aa833,0x0007ff582bb6653c)},
{FIELD_LITERAL(0x0002454ac31a713a,0x00046a1aff243be4,0x00061d4625463d74,0x0007381029e9febe,0x0000d36e87e5c9f8)},
{FIELD_LITERAL(0x0000366482a905cf,0x0006027364c80753,0x00047dbd74ea5f7d,0x0007370de9872204,0x0001d4b014ca1204)},
{FIELD_LITERAL(0x00053ea1c4c97833,0x0002df62d318036e,0x000288c25f0a8ee5,0x0007b269312b6991,0x000605703efca474)},
{FIELD_LITERAL(0x0005411db67012d5,0x0003839ba04d414e,0x000427bac114c00c,0x0006101f4dbbd8ba,0x0005d0d37579b501)},
{FIELD_LITERAL(0x0003f868cecaff25,0x00050633eeea03f4,0x0005b378fd40553d,0x00022b1fd96bba9c,0x00038e387b07f4b2)},
{FIELD_LITERAL(0x00068bb1688f018a,0x00059ca4f89e5af1,0x0006cdd39e07c0ff,0x0001c41c8682a8f3,0x0002501bad194816)},
{FIELD_LITERAL(0x00057a048831afd7,0x0001db1d8848cb7c,0x0001c19664abd34d,0x000263448bc1ac3d,0x0000a1eb87cc5550)},
{FIELD_LITERAL(0x00071d63dc03d8dd,0x00054edf28315a40,0x0005fe7a8b0c9d28,0x0006e8ba1d5c3992,0x000178b0808a422d)},
{FIELD_LITERAL(0x00042084b3f0d594,0x0004fd2f47147e58,0x00063d8e820cc500,0x00010c06f4c00216,0x0004bd7eea1193b9)},
{FIELD_LITERAL(0x0007b23a241e726b,0x000282c8eb1f96ae,0x000248d8ea07c098,0x0003da55bdb3a408,0x0005ecfe96ec945e)},
{FIELD_LITERAL(0x000149c42977f67f,0x00047674073754cb,0x000775f8ea834290,0x000433d0d9140645,0x0003e8d14fa401e1)},
{FIELD_LITERAL(0x000698be8aeb7d5b,0x000492c2fc1e06a3,0x0003613444b366db,0x0001fc87dfbe6c92,0x0002de2e337b3729)},
{FIELD_LITERAL(0x00056790106623d8,0x00055d885f4a0c01,0x00033933a8257fe2,0x0002f1c5bf947de4,0x0000ae7e40035af0)},
{FIELD_LITERAL(0x000508a1f1d4682b,0x0003b54ef307cd48,0x0000a5d58aa5768e,0x0004517d377be18f,0x000593760533c5ff)},
{FIELD_LITERAL(0x000763e76811d43a,0x0005d342e8bf6b90,0x0002e1707e229c60,0x0003bbdc425fceed,0x0005a2ab1a4a0de9)},
{FIELD_LITERAL(0x0006b384c7e1e2b9,0x000164f357c822fd,0x0000c4c2d68283dc,0x0007b356c6bbf73b,0x0004a57a4935fc97)},
{FIELD_LITERAL(0x0000e3b94bdc9773,0x0003c3d5d69b31dc,0x00069a7f6da96736,0x0002be940a2193d7,0x00032f05636602b8)},
{FIELD_LITERAL(0x00070b26342e2300,0x0007357ea5a05bad,0x0003f322f4d1d92d,0x000254cdfca21e23,0x0003c784682a918b)},
{FIELD_LITERAL(0x00036fe4c08fe3a9,0x0005d27b152b9afe,0x0006e4037781ebf5,0x000588f5fe18f990,0x0006c18726bb2385)},
{FIELD_LITERAL(0x0005d22a0a21bdd4,0x00069bb3d6587726,0x0001187048cafffe,0x00038b6bb210a404,0x0001f9644d68f257)},
{FIELD_LITERAL(0x0000ca52c758f28b,0x00003d3ffb8ca649,0x0002c133f22ac9b8,0x000705af85c4ecdf,0x00049d2f4f3a6e62)},
{FIELD_LITERAL(0x0007da0f4e1565e0,0x0006fa7a1e4779d2,0x00003c3ea7568e41,0x00011f89f112d22c,0x00036de81e03d02d)},
{FIELD_LITERAL(0x0004d13807f938ee,0x000701c7c55031ce,0x0001d7e07fd92939,0x0000a1f04baafe91,0x0006505e3a8412b4)},
{FIELD_LITERAL(0x0005383940f7159b,0x000331630c6fa442,0x0001100ad7ae8320,0x0002e381cf7e6260,0x000072201917150f)},
{FIELD_LITERAL(0x000683d5cfeca129,0x0004dbe0eef910b4,0x0005abce5d5576c5,0x000396e6a3a58311,0x000752c6080343f2)},
{FIELD_LITERAL(0x0002e1404ee6d107,0x0004064a3bd93e57,0x00078a011f16378f,0x00032f7253e4b397,0x0006a54ad677432e)},
{FIELD_LITERAL(0x000734b7d62b820c,0x0004ad861c234f0b,0x00078691d4e8036c,0x000708b8ec865a61,0x000334c73b5b80d2)},
{FIELD_LITERAL(0x00063d326152d536,0x0001f0f272df8e88,0x00020d57f1ef5f0b,0x000049ae733cd741,0x000789b0bd910484)},
{FIELD_LITERAL(0x00049e000de68a33,0x0002569532faf05e,0x0002c360e2577651,0x00023e58038a73d4,0x0005cfd1c66aa5db)},
{FIELD_LITERAL(0x0005219445517667,0x00052a931068f3ea,0x0006cc6f70494867,0x00050f70ab70bd44,0x0004939aea5e18ae)},
{FIELD_LITERAL(0x0002a678bc8c2008,0x0001fd399c8dcbff,0x0006dbf73cfc616e,0x00011a6e85d57176,0x00002f713757e057)},
{FIELD_LITERAL(0x0006d9cd93b1ccdc,0x00043d4ce72bf50a,0x0003e999e2d35c59,0x00001ae0db65d2ee,0x0007c4b601137e07)},
{FIELD_LITERAL(0x0004bc6553755ebf,0x00056e8f93c8dfe2,0x000323b34a8ed19f,0x000571befc514dab,0x00036f0d981e9dde)},
{FIELD_LITERAL(0x000787c0309c0a03,0x0003dd7fb3241327,0x000256b73edcaac5,0x00071a11d2f00b44,0x0000f142397f3232)},
{FIELD_LITERAL(0x0006a965074f090a,0x000042537473c8c0,0x000479b523a03430,0x000302e712f49521,0x0001608d67c58b1d)},
{FIELD_LITERAL(0x00069a9d867a02ee,0x0006aba7c3abe71e,0x00014af6344d6d32,0x00059cbf2b8ec118,0x00034973bd8f91f0)},
{FIELD_LITERAL(0x00023c42f4d253af,0x0000e5db7f886ed7,0x00027c0ff78b7ca6,0x00065a9e8c1c8eef,0x000272b266b7869e)},
{FIELD_LITERAL(0x00034f5086c55cc1,0x0007caffb3de4006,0x0007408da6d8ce8d,0x00034209d1a9cf67,0x0001e4cdc7d3366b)},
{FIELD_LITERAL(0x00077be63c353577,0x0002ccc681b95e39,0x00037f489ba0c067,0x000324b1d14b3c85,0x000487692b3a4f7b)},
{FIELD_LITERAL(0x0000bb6427577218,0x000642b8e158c2af,0x0005c99574a589e5,0x00044af83be01b53,0x000438f19801c19b)},
{FIELD_LITERAL(0x000791929d3da811,0x000083ba42ca3968,0x00004f2efc6d4e98,0x0004c09456e25204,0x00038d89c4798c48)},
{FIELD_LITERAL(0x000484ded8ea3977,0x0002573a2b0d164d,0x000057d1bd825e97,0x00045b7f03279e7c,0x00078c7feaa36f36)},
{FIELD_LITERAL(0x00073ebf8e0c1412,0x00044117b35ee64b,0x0005d7b30a79d11e,0x000295b447408ddb,0x0006440cb28f3f89)},
{FIELD_LITERAL(0x00050222af21bf22,0x0007518c1f3d1e61,0x00053599bee31ff1,0x00077afb3e70937a,0x00039b5cdbf90290)},
{FIELD_LITERAL(0x0001f6f60a0b2349,0x000196f840181d05,0x0000014882eba793,0x0000fb413162d41e,0x00065dc343d01a50)},
{FIELD_LITERAL(0x00007a9f75d85906,0x000639d779f83bb4,0x0000654c3abe3b7f,0x000566f9422b66d3,0x00044df9faded77a)},
{FIELD_LITERAL(0x0001961e7e467418,0x0000df3ccd0d527d,0x0003d517d7c96d95,0x000018e4481528a1,0x00028b40aabc5df2)},
{FIELD_LITERAL(0x0007c47eab16ee70,0x000586b5f9af963a,0x0007aba880ca31a5,0x0000a08bc2d694ce,0x00026acdd7701b42)},
{FIELD_LITERAL(0x0000ad2aa0b6b20e,0x000124f37a928d92,0x00036d109f019a42,0x0000c818e5146232,0x00075d7792dfd807)},
{FIELD_LITERAL(0x00030503c28b9e47,0x0003e896b791c6fd,0x0007fa59adcbdb16,0x0005bf8d8a47c99e,0x0006531a5de1683f)},
{FIELD_LITERAL(0x0006ab691a3a6569,0x0003dd814fc3084a,0x0005d5c02cae4dd1,0x0005a3c0be0f3dbe,0x0006a73f5ac0a573)},
{FIELD_LITERAL(0x0001d99e44acd55a,0x0004c2f954291163,0x0005206a8b10bb02,0x0006c1ca2d70d6a8,0x0007d8a804f96343)},
{FIELD_LITERAL(0x00015b9bba5048e7,0x000713d7a01a2316,0x000650d90c2f5162,0x0007a598761ff94a,0x0000b72e05f1e2dc)},
{FIELD_LITERAL(0x000646e1d2ecb410,0x000629a2ef1cd6b4,0x0006d447b257582a,0x00079356a5148d1e,0x00024a066d77bb54)},
{FIELD_LITERAL(0x0006acb33791298f,0x0000e9c707f60f66,0x000440c5ef5f2d41,0x0005ba193ad0b6c2,0x00051456d8b751b6)},
{FIELD_LITERAL(0x000181a243ee09be,0x000488c253812ccf,0x0003375475f6cdd3,0x000779a477aa7ab9,0x0003542890204f44)},
{FIELD_LITERAL(0x0006266b7ddc99d7,0x00026d7bf53a4cbc,0x0001c742ceb53e2b,0x0003e527df9f0ad1,0x0006913c1028a1c2)},
{FIELD_LITERAL(0x00068cca5da0b76b,0x000669472a2d88b9,0x00013e607a86ad68,0x0003cb25c977181a,0x0002485317d021fa)},
{FIELD_LITERAL(0x00059c009c26a476,0x00051d0584a31e4e,0x00015fab3a664bac,0x0003de72394f1d5e,0x000531b00982956a)},
{FIELD_LITERAL(0x0005deab8a4a8b2b,0x0004ac53cff731b6,0x0001e7ff38f7f8c4,0x00039937580b474f,0x0006fb0db141f6c6)},
{FIELD_LITERAL(0x000648f2a92a9bf5,0x000797a08ad37a50,0x00068f6a0d3b9279,0x00019e4b8669991a,0x0003c73b04a84d00)},
{FIELD_LITERAL(0x0005e149c917e591,0x00054dbbf21fe5c9,0x00018a9fd4f4f805,0x0007de6e8e13e528,0x00003981cea7113c)},
{FIELD_LITERAL(0x0003bb66e15aee68,0x00075ef7f4cc4a19,0x00046c1c0f36ba47,0x00069ac998e2c6a7,0x000244eef875e3b2)},
{FIELD_LITERAL(0x000711616dd6701c,0x0001248a7f1a41d9,0x0000819f6a28c01f,0x0007d816d71513a4,0x00043b075bc1ea59)},
{FIELD_LITERAL(0x00035818217c67b2,0x0007cc8b4ea58e8f,0x0003946011ab16f9,0x0002733a0aacf9e7,0x00028be99e739df3)},
{FIELD_LITERAL(0x00059ef24f4a8db9,0x000250f76f1b6eae,0x00064a73d931fa0f,0x0000512f6d7d827e,0x000607f19cbfb816)},
{FIELD_LITERAL(0x000488ecf6f587f3,0x0006aa5804295f5e,0x0004ab3fe7880735,0x000239212d39956a,0x0003a4314607db78)},
{FIELD_LITERAL(0x00056654a668e8cb,0x00029bc320312a6b,0x0000a956cfa8fca9,0x0002e676e4806a32,0x00002add96616e38)},
{FIELD_LITERAL(0x000161d6844f4257,0x0007a504e9fff45b,0x0003a0a148c809fc,0x00063db7d31212b6,0x00020a34989479bc)},
{FIELD_LITERAL(0x000236b2c0390d34,0x0001a74fdf496cd3,0x0002cc55b8b7552b,0x0005df9eee2aa485,0x0006874ffe3c2b7e)},
{FIELD_LITERAL(0x0000845574316356,0x0003780d650baa54,0x00017cc695e858de,0x0005aa11874d3917,0x0001c1af7e47f3fd)},
{FIELD_LITERAL(0x0003df29aea62b35,0x0007d406471a4638,0x000485f2756aae73,0x0002fb1784f47d7b,0x0006dd1a972e152c)},
{FIELD_LITERAL(0x00016f1207ab7497,0x0000062e50652318,0x0006f768bd372106,0x000728ab08217dc3,0x0005954a56084ae3)},
{FIELD_LITERAL(0x0002f4ca1559675c,0x00019c318724c743,0x0001919d4fc633f8,0x0002fdfded9749ff,0x000501068fe92e49)},
{FIELD_LITERAL(0x000730eea5126d0b,0x0006efb26cb70e2a,0x00009dbb5ce158ce,0x000454ca0f64796a,0x0007c0f65d024355)},
{FIELD_LITERAL(0x0003611cfe11ef4b,0x0005aaeedb6155f0,0x0003e540aeabe6ef,0x0000f78b74065192,0x00047523af6151bf)},
{FIELD_LITERAL(0x0004f249dafd1300,0x00032429e4917ad4,0x000362c1b7b7f817,0x00075447f1280d80,0x000365750a59552e)},
{FIELD_LITERAL(0x0005dcac2d7b940d,0x0002b8eb45461bf5,0x00005d0b65e115aa,0x0000e005552b4796,0x0002f003a12ebfda)},
{FIELD_LITERAL(0x0000177220975d5d,0x0005ba8842cd8e02,0x0003c7bf472059a8,0x00055517e31c386f,0x0002c71c74d6488c)},
{FIELD_LITERAL(0x00072b957911c56c,0x0001569c007a9a12,0x0005ba20cbbaf70c,0x0006c3e6bdbb6099,0x00064e44e81c075b)},
{FIELD_LITERAL(0x00038366b3594f1e,0x00037fe532f6ad56,0x00021d700e67c81f,0x0003c9049dc3bd30,0x0003d151eaf6dc0e)},
{FIELD_LITERAL(0x00050abcda5829d7,0x0004609b5e96f68e,0x00067415655ea15d,0x0004cfb4509cc3ae,0x0006b23addefb8d0)},
{FIELD_LITERAL(0x000076496e346e13,0x00036367cfa1ccd3,0x00017e199e301bc2,0x00070478ab91ceed,0x0003045d7df7782a)},
{FIELD_LITERAL(0x000137f233113b35,0x0004ede6c0ec12a5,0x0003701a6e67cd58,0x0005946348005a23,0x0001f7da36bbf369)},
{FIELD_LITERAL(0x0007cf2d2da25631,0x00050e34993e6b2b,0x00077f65d18600d6,0x0001ab10e8df75ce,0x0003fb8162c6e646)},
{FIELD_LITERAL(0x0002affd3fb0b8eb,0x00038c4c5d8116e4,0x0006c890b6236df5,0x0001b0ca04a3dcd6,0x0004ede9e2b2d222)},
{FIELD_LITERAL(0x00049a95a4b4b531,0x0003137d86fc92ec,0x0003709d8be07c1c,0x0004d5e3f04ed703,0x0006c754f433c0f2)},
{FIELD_LITERAL(0x0002af05aa5bd69d,0x000036c6c197970a,0x00061b671a06458f,0x0006890eb541c3d2,0x000030815bc65879)},
{FIELD_LITERAL(0x0007e783c8a57961,0x0003501cfd53edaf,0x00060073b435c42d,0x0003e7635150fbf5,0x0001d52ce3e84f55)},
{FIELD_LITERAL(0x00028af6d7e017e5,0x00008e6916baca87,0x0003ea1cb0f4aecd,0x00047a27b5ebc7a2,0x0003d356c5dd17f7)},
{FIELD_LITERAL(0x0003e38a232359fe,0x0001952a402660cf,0x00026bbebb34c830,0x0007dbc423d78448,0x0000b832acb82968)},
{FIELD_LITERAL(0x0004f57d66ed277b,0x0004b8c1d3ec59de,0x0001d02cac505cf0,0x00004d06f0ae5d7c,0x00029cf74d6d4371)},
{FIELD_LITERAL(0x0006882580653583,0x000665e9c061f2bd,0x00065db6cc599ff2,0x0006b8046bdafeb5,0x0002ee9e3c7d3000)},
{FIELD_LITERAL(0x000737e14efec8fe,0x00022e5c3897d2b6,0x00011a58c95c2457,0x000780be40dda04a,0x00038e16a91c29e1)},
{FIELD_LITERAL(0x00017a10c6c37301,0x0005132acffcccc4,0x000773611bf4757c,0x00041c2066f29f1b,0x00022ea8f6d1f387)},
{FIELD_LITERAL(0x000393bee768a8e8,0x0002ce4f84e15737,0x0001de0b0519be3c,0x00042c68b40c0028,0x000006fbc742b126)},
{FIELD_LITERAL(0x0002820400093c87,0x00070ed1de439605,0x0001017da80352a5,0x0001dce313d6f74f,0x00041a495460a316)},
{FIELD_LITERAL(0x0003390059914aa6,0x0001dd4c7bf04d23,0x0005a9c9d1189c6d,0x000662ee3486ad47,0x0001eb8a3c364730)},
{FIELD_LITERAL(0x0007df6dea788200,0x0002ae3f37f070c7,0x000116afc9f98bee,0x00050fbd7c48d713,0x0001f36282673be4)},
{FIELD_LITERAL(0x0002e8411e56df21,0x000107b90a9670e3,0x000240f904990e84,0x0004fa5270ab1af9,0x0007c2f807b6bb1f)},
{FIELD_LITERAL(0x00047b6982cdef22,0x0002aaf520c595ef,0x0004d6dc2206f24e,0x000380af64e1b48a,0x0005c9328edeb007)},
{FIELD_LITERAL(0x0003c2c334a7ef3e,0x000400e6655a38b7,0x000522be6814d5ae,0x0002f23e0bc9a362,0x000298daf954ed77)},
{FIELD_LITERAL(0x0005f84382ee84b4,0x0000b91f89349166,0x00072d88b99f2ff3,0x0005479f3f7706b4,0x000035116e7285f4)},
{FIELD_LITERAL(0x0006d23691a8a99d,0x00048f42ff923c83,0x0000e5129684bc58,0x000630f9bc1192fd,0x000401284677ede3)},
{FIELD_LITERAL(0x0000eff3b8714d04,0x000433498e2034dc,0x00070ca8b9771326,0x0000a264970345ad,0x0007b6e44cd2dd5a)},
{FIELD_LITERAL(0x000175bf84b82b29,0x00065e0ea17de536,0x0006b02a0010a208,0x0000bbfa9b7e8884,0x0003c21f98c815b6)},
{FIELD_LITERAL(0x000679b185adb791,0x0003ccd7cdbcb48b,0x0001e6934282172d,0x000112213a7ca210,0x00045089bd5cfb9c)},
{FIELD_LITERAL(0x0002877a97e6aec5,0x00050083ca5fa04a,0x0006a401497d8419,0x0003ce63a2c47d37,0x00014809d3f5339b)},
{FIELD_LITERAL(0x00026e50855da5de,0x00004d0fc457ea77,0x0001e1f5e1f41496,0x000175c0cd2b4571,0x0001722f7954d4e2)},
{FIELD_LITERAL(0x0007ac38211e7835,0x00063d213473cbbf,0x00005b9eada0052f,0x0003477219f26d7f,0x000453ce683f056f)},
{FIELD_LITERAL(0x000726f104629123,0x000482b184152205,0x00054242cd088a37,0x00032fb6be9f2837,0x000734ca9dc7f7c3)},
{FIELD_LITERAL(0x00062509dec41627,0x000072099496b712,0x0007712db0b3effb,0x0001e9c85c77fd36,0x0007f4ceff4f568c)},
{FIELD_LITERAL(0x0002b1990238e0e3,0x0006c1901505e91e,0x00019f32cc8628f9,0x00011218171b4b26,0x0006dbdb25ce79e2)},
{FIELD_LITERAL(0x0005370ef67b47ee,0x0001580466943896,0x0003297e2638eea5,0x000416db4e7a73ef,0x0004b3ce39e7ef57)},
{FIELD_LITERAL(0x00071cc5c1b2d84d,0x0003fa3f1fe5ba11,0x0004520e1812cf04,0x000612f4378d5d14,0x00019041e8a9771c)},
{FIELD_LITERAL(0x00037a9adac7f13d,0x0004513446d45ac8,0x0004862022a5e9c2,0x00046d1fee26d322,0x00050314790c0eb5)},
{FIELD_LITERAL(0x00009f958ec7782b,0x000532691db95f11,0x0000787b85edae84,0x0003347ccb5b1b48,0x00048f02d0fe2f5f)},
{FIELD_LITERAL(0x0001bd035445c3cb,0x00020697cdb801da,0x00027c9cd108f106,0x0007f03792eba8ff,0x000785b24c8954e8)},
{FIELD_LITERAL(0x0003d9815d5b1459,0x00079cc56b9e7bce,0x00072c9f1a31c024,0x00053d9b96409fbf,0x0003527718dcab2f)},
{FIELD_LITERAL(0x00003c0929520d8a,0x0005b4e8fb91f6d2,0x0003f2da27d5d5df,0x0001c4bb87d9118d,0x00026b9976202bed)},
{FIELD_LITERAL(0x000395fd8480a669,0x0001dc9000e23bd0,0x000065404c59dfc6,0x000125765d7383d3,0x0000c7ff2cbfdb58)},
{FIELD_LITERAL(0x00038f76c23acfef,0x0005a6ffbb722028,0x0000ce1434dbd9ba,0x000128b22b63ce7d,0x0007e28492f0e311)},
{FIELD_LITERAL(0x0004ef6dec07d978,0x0001814721d17298,0x0002f3010824e385,0x0004dec0df1030ea,0x000732ccad416ca1)}
};
const gf API_NS(precomputed_wnaf_as_fe)[96]
__attribute__((aligned(32),visibility("hidden"))) = {
{FIELD_LITERAL(0x000743d2369750f6,0x000698b734af8c74,0x0003c7e6ca7de989,0x0004137b677d5a14,0x000602a70a1dd604)},
{FIELD_LITERAL(0x000620e9c96ce4a2,0x000718e799056806,0x0003bdec5bbc2429,0x0003ca0864fd880d,0x00013df868873a16)},
{FIELD_LITERAL(0x0005ac6e48dfc457,0x0004b83cf2fa3b88,0x000036ccd665d9e2,0x0003eb7fcdb11759,0x0001b35e6ddb1020)},
{FIELD_LITERAL(0x0007ccb3f6a10981,0x0000da543ce37bbf,0x00050b9209636544,0x0000d2b0429e9ce7,0x00074186575eae41)},
{FIELD_LITERAL(0x0002504ab1b01a82,0x000740ed4b7cc499,0x0003069cb6ca6ba3,0x0003c80e50487d68,0x0003342b644eef24)},
{FIELD_LITERAL(0x00049584d605e6e0,0x00016cad8c3a0b14,0x0002bf8a350d0042,0x0006bd8f108a926f,0x0002cc1d5eef3036)},
{FIELD_LITERAL(0x000224075358ec99,0x000230ff1b8a53aa,0x000252117056a351,0x00060743c508fae8,0x0001c04f5d1353b7)},
{FIELD_LITERAL(0x00062b5e839935b4,0x0005b02eb7b4e0d0,0x0002afa8629ae76f,0x0003bce28577fcae,0x0006041f9433c6e5)},
{FIELD_LITERAL(0x0003aa8f4a1d8f00,0x0002a8c9cce67276,0x000035ddc332a503,0x00007963621fb93b,0x00016176cef7ee40)},
{FIELD_LITERAL(0x0007844f7ba1cba7,0x0004289c1bd2a22a,0x0001b82a79e54f30,0x0003f2eafdf66144,0x0007da88f52cff12)},
{FIELD_LITERAL(0x0001435ccbef7ad2,0x0002ea3968864b1a,0x00028ffbb295dfb3,0x00005cc6454e1a56,0x000118fec97e8196)},
{FIELD_LITERAL(0x000039800ab41821,0x0000256683f84cd6,0x0004a13569b54086,0x0000f91fd3009a54,0x000032dcb2da50c3)},
{FIELD_LITERAL(0x0007839c8a17923b,0x000289a30b913a2d,0x00053c030ee71ea6,0x00002e6800c51b3e,0x0002b490d56ed17c)},
{FIELD_LITERAL(0x0005994df663e026,0x000768669098c9f0,0x000162cd08abef32,0x0004e454dc2612eb,0x0000e67536846b6c)},
{FIELD_LITERAL(0x00038e9c32917745,0x00043ced54b6ba1e,0x0004fde18248c8a5,0x0002a04384c093f9,0x00058d130d26a4b1)},
{FIELD_LITERAL(0x0006b2bedf0160b4,0x0004c358673bc4df,0x00004b7cb73858dc,0x0003ce1efb2bb821,0x0004678c0b830186)},
{FIELD_LITERAL(0x0007ca530af5c4f0,0x00016b5286e93694,0x000659359b212d67,0x00049b8a75475c8d,0x00060315a6cbe365)},
{FIELD_LITERAL(0x0006e25ec0d1f161,0x00055570af71e028,0x0003ed583cc18071,0x0004af3d5eed4270,0x00046fc5b551e1ce)},
{FIELD_LITERAL(0x000109b61d35f784,0x00006f9c76807b2a,0x00016785e92d7d92,0x0001259af252e1fc,0x0001b26b4c137c2f)},
{FIELD_LITERAL(0x00044ca6598cc832,0x000665b54839a384,0x0001e6ac6ab983a7,0x0001fdd6b13cdb62,0x0007deb170a5cdd6)},
{FIELD_LITERAL(0x0007e80f449d9a39,0x0003484eb5cd07d7,0x00047caa9ec3f9f4,0x000500ef87bc5ada,0x000187a67cc2f430)},
{FIELD_LITERAL(0x0007c02cdacf8a52,0x00079d67ea5c92b3,0x0002f0a7f9d32d93,0x0006fab780441ed9,0x0003168c11a2dd70)},
{FIELD_LITERAL(0x0007b23805768cf7,0x0001b85ac1197abe,0x0000a84d11198b19,0x0001554cd3699a16,0x0000b2d83584a435)},
{FIELD_LITERAL(0x0000420968ce6088,0x0000cc5150df8ac3,0x000417109dda028d,0x00035a467ace9b33,0x00001f365e1c5d3f)},
{FIELD_LITERAL(0x0006a07632f786c1,0x00072b0af45dcdb7,0x00071e70402c687b,0x0005718eb4d6b056,0x00010d977fb49765)},
{FIELD_LITERAL(0x0005a3beb1d34a87,0x000179261d82fa41,0x00027ef49938fbd9,0x000393146b5d52b8,0x0003d532d9c7fd8b)},
{FIELD_LITERAL(0x00028db255727690,0x000723b04a325e5e,0x0002351555604a71,0x000533831cacd285,0x000073463e9558c6)},
{FIELD_LITERAL(0x00076ceb26b3c5d4,0x000118ee75e27eca,0x0006c8f5746eb4d9,0x000108f3ab526482,0x0007814bee3f31ea)},
{FIELD_LITERAL(0x0005469b27b0273f,0x000722c4740b42ed,0x00003774b73b1ec2,0x0006975e5845ba85,0x000279f0b9aef6d8)},
{FIELD_LITERAL(0x000086e7726efe30,0x00046f84a1d534a8,0x00070dfe952cd70e,0x0005a9c277bc3691,0x0004dab8837a8f79)},
{FIELD_LITERAL(0x00015857a17c5473,0x0006c6f1f9ecee05,0x000142ff5cfa92e9,0x0002fadbc290acba,0x0002afe96b249c8e)},
{FIELD_LITERAL(0x000534f64fe6546e,0x0007b9d6e279298a,0x00039d003aef00b2,0x00059f49b9a4852d,0x00014231773d812c)},
{FIELD_LITERAL(0x0002240be6516279,0x0003718ee020a890,0x0000af97358cd479,0x00011746695ab6ef,0x00008dd9f53c8e71)},
{FIELD_LITERAL(0x00056e798b523179,0x00061c15a11e6553,0x000127cdf4dba7fe,0x0004ec0a026fe93f,0x0006f81c908a88b8)},
{FIELD_LITERAL(0x000687514dfa3a3b,0x0003dede73973032,0x0006848771c31d8b,0x00035001bf224172,0x00045c2c0115e2a5)},
{FIELD_LITERAL(0x000273710ccec161,0x000301989216eaf3,0x00078ecdd4517c80,0x00038e65639bcbe8,0x00074c272578c47e)},
{FIELD_LITERAL(0x000697f25f2c6de4,0x0001c40484164b5a,0x0006e268824a8cdb,0x000189aeb1055818,0x00010d43bf6ed421)},
{FIELD_LITERAL(0x0001b2b89e1685bd,0x00037dc20eb9d1fc,0x0004dfeab3a62c72,0x000103f9cffa384a,0x00067a6fbbd0d79f)},
{FIELD_LITERAL(0x000277a74a9d1b19,0x0000558a9562cc3f,0x00072aea9d8917b7,0x0002cb9e55344e41,0x0007fc2fc3988035)},
{FIELD_LITERAL(0x000749bf55899998,0x00071fc079537515,0x000175bc8875f5ae,0x00028cd79c84d4ff,0x00060cff8d61fcb9)},
{FIELD_LITERAL(0x000619495eef1208,0x0003ae99098e8a9e,0x0003736d7378cdcd,0x0004c9c881e59d8d,0x00060f51372948ca)},
{FIELD_LITERAL(0x000653ad6e70b35f,0x0000f2e72673c00b,0x00041a8cd4eaac24,0x0000d20b9168b162,0x0006dd0479c03028)},
{FIELD_LITERAL(0x000224c166967a71,0x0003b68b7f69a426,0x0004e031ef85509f,0x0006eddf508d3143,0x00034644b2fded93)},
{FIELD_LITERAL(0x0007f8fa58983740,0x000591f53ca681ae,0x00018b202d61b69a,0x0004fc0280de98fe,0x0006785de5920076)},
{FIELD_LITERAL(0x00041699232389e1,0x0003822a5c348c53,0x0001e29ca07ec9da,0x000128910390a845,0x0002b213535bf600)},
{FIELD_LITERAL(0x000417bc4d41cf19,0x00031c294352e330,0x00020a94ff61c9d5,0x00031858c5974e19,0x00058517be5b44d0)},
{FIELD_LITERAL(0x00017d3e06b8a658,0x000143bb6ba1cf12,0x000719f71ff82335,0x0005940429c47d68,0x0003b60dd1548856)},
{FIELD_LITERAL(0x00004c2bddb8b3dc,0x0004a028442be56e,0x00047cec2a9828b9,0x0003b41d389be98c,0x0004304d1864f24b)},
{FIELD_LITERAL(0x000649f3323200e1,0x0007efe729c48cce,0x000786d72426898b,0x0001da85f6f36d7f,0x0007afaf872e143b)},
{FIELD_LITERAL(0x0000c5b03a9ad985,0x00001cb1fa90f4d4,0x0000dd387fb86459,0x00027a356d168448,0x00042ada3a8601d0)},
{FIELD_LITERAL(0x00032c3175e087f6,0x0004e9886f0f8a4e,0x00031943180b56fb,0x00032d332e84f78b,0x000022fe4c9f0a99)},
{FIELD_LITERAL(0x00004e12e08f3cf1,0x00059187b665bc45,0x0007256e995bdef2,0x0000262f4793b87f,0x000367324411af89)},
{FIELD_LITERAL(0x00010f9e0f6efa7b,0x00036f8f54758003,0x00013f525e654d31,0x0002192ebcf9f453,0x0002e0f80630b257)},
{FIELD_LITERAL(0x0001e68e538e7134,0x00053124b27c4383,0x0003afa7e55b7619,0x00077a5411f3b516,0x00048a1cfbcea526)},
{FIELD_LITERAL(0x0002d8e9a252d6bb,0x00027ad3c557244c,0x0005c8fd932f4ed4,0x0006fad7ca74e589,0x000423ad018bc13d)},
{FIELD_LITERAL(0x0000a1da6d58cf72,0x00025c445f860800,0x000698590629c3ab,0x0003c3a59208ffe8,0x000169000ba9197f)},
{FIELD_LITERAL(0x0005e5bcd4e61d7d,0x0001bb779e9dc08f,0x0003c7c5aff92ebf,0x0003d921c5764bbc,0x0006d695748c1b54)},
{FIELD_LITERAL(0x00020303a62cd160,0x000347eb92fc693a,0x0004850e9f667fcf,0x000208e2e66428a6,0x0006e21933165db3)},
{FIELD_LITERAL(0x000492a0691faaf3,0x000381f60373488c,0x0003d6f183197f09,0x00040163d988c397,0x0004e0d5bbeaa234)},
{FIELD_LITERAL(0x00015c50e219a243,0x000279df295b9db5,0x0001d3a06b1ce50c,0x0001a0d41ae8bef3,0x0001e12777751552)},
{FIELD_LITERAL(0x00073984cea05b9b,0x0000deff48eae16e,0x00040dd1d363093a,0x000125195e7f0589,0x00037a4d480f49a3)},
{FIELD_LITERAL(0x0004106c5e793fd3,0x000514a760ed60b3,0x00007a66701ef207,0x0002bea3ba33657f,0x0007af61727fd2d9)},
{FIELD_LITERAL(0x00043e7c7334b0e7,0x0003cc0e9c6c62d0,0x00043ba8761df2f1,0x000333e22830d325,0x00035c2e2471d04f)},
{FIELD_LITERAL(0x00013082646c1f9c,0x000362ef8568ffd2,0x00067b2ba55e12c3,0x0000a9825fde937b,0x0000c769bb66060c)},
{FIELD_LITERAL(0x0002367467a85096,0x0001133815110a70,0x0000ab74011fdc31,0x000100a78312f6df,0x00029c7cc3eb674b)},
{FIELD_LITERAL(0x00047e13df7b9ff7,0x0006fd78b662bee6,0x0000e0a5e1ed9a65,0x0000ee6133b13803,0x0001a49790841cb9)},
{FIELD_LITERAL(0x0003d887edc2ac17,0x00034ca9e5fb9a49,0x0006fa601857d317,0x00028c1c25f0a90f,0x000177f44e824cf9)},
{FIELD_LITERAL(0x0007c3e3a1f49841,0x0006ddd51697801e,0x0001b24bfd50f063,0x00013782899c047b,0x00056c54300ac2cf)},
{FIELD_LITERAL(0x0000756a8926c43e,0x00054d58198a5543,0x00008330139de7a0,0x0004f31feb6a6b14,0x00006525c89b0161)},
{FIELD_LITERAL(0x000650e695c5da40,0x0001033c791eabeb,0x00056f2360fb33b3,0x00047bdaa765f629,0x0006945f8a73a000)},
{FIELD_LITERAL(0x0002f9a99b7729ec,0x0003decb7e034d67,0x0005097cfcdc63d5,0x0001b9a8f6131bde,0x00056f1fdc6c596a)},
{FIELD_LITERAL(0x00070cee95c4544c,0x0007781e63838577,0x0001b1520dd885b0,0x0000265e72115db1,0x0005fb0324a91d4a)},
{FIELD_LITERAL(0x000650f5f8fbdd64,0x00031c2678c34c82,0x000065353f0cf936,0x0002491692e94e39,0x0006c3b66eb95cad)},
{FIELD_LITERAL(0x0007bb94b92d721a,0x000448c1a7a663f9,0x0005ec6c88be1b48,0x000683856f731a08,0x000411cf4c796636)},
{FIELD_LITERAL(0x000291a06b298f50,0x000745565bb5621a,0x000506925fdd5f18,0x0002dd0e5cefdf2b,0x00053a9ec799d04e)},
{FIELD_LITERAL(0x0005797b7369b0b2,0x000155565f699e37,0x0002b176d189610f,0x00058199f8d7fc6a,0x0007566e666e3a30)},
{FIELD_LITERAL(0x00073dda6e080b0a,0x00001193e044b254,0x00077e225d7670be,0x0000639a471cc676,0x0001261c25a7bd1c)},
{FIELD_LITERAL(0x0007024967ec86ea,0x000204ae4dc589af,0x000293680fe404f4,0x0005375c121f1939,0x000720010ab2b942)},
{FIELD_LITERAL(0x00007e6d310ec5dc,0x000047ac0cce852a,0x00043e23334c026a,0x0006ed366b38ee5a,0x0000d1458ba5a6df)},
{FIELD_LITERAL(0x00021b90f03cbf2d,0x0007977528da577d,0x000427536441d483,0x00029da71b8e79d3,0x00036ec244e19089)},
{FIELD_LITERAL(0x00019dbd0a87d8a2,0x000275ffe2770607,0x0004951784ea41c8,0x00069242bc5080c1,0x000631809b789f7a)},
{FIELD_LITERAL(0x000073405335f633,0x0006bc653424f657,0x0000f51782d233b8,0x00006bc1af07bb36,0x0002565b5c69b722)},
{FIELD_LITERAL(0x00017c7391d3e6b9,0x0005eddc736945f7,0x000368b0f32ec6dc,0x0005b00a58d2f62d,0x000262d4dc5fde05)},
{FIELD_LITERAL(0x0003effc881c81dc,0x000753b7016dba17,0x0007673af68eee2a,0x00073ce00df1f3ee,0x00032e60f04936ec)},
{FIELD_LITERAL(0x00016eb1e06b15da,0x00043a71fa2e28a9,0x00015971af1affe4,0x0003efc95563ffda,0x00000c34ebdda4e3)},
{FIELD_LITERAL(0x00019e3b9f82ba88,0x0002fa37a814d2a8,0x0006196e62b9f46b,0x0003e7590757040d,0x00001e1f5a5bed8e)},
{FIELD_LITERAL(0x00031322bd434d6b,0x000491460ddbbf29,0x0006a8c7420141a7,0x00002592832e7a12,0x0006eb32d11aebda)},
{FIELD_LITERAL(0x0000be17064868aa,0x0000e11f8e414f0c,0x0001d178e11b5113,0x0000d9c0407c52d7,0x00027cbd7ccc2804)},
{FIELD_LITERAL(0x0004f0667ec85b85,0x0002cd4060677445,0x0004234b38aba23a,0x00065332ae9516f1,0x00056dc729ea4b26)},
{FIELD_LITERAL(0x000119ab40400ee4,0x0001fe7cae43441d,0x0002869b20e7e0dd,0x0004c1f98c26304e,0x0001b1020675efbf)},
{FIELD_LITERAL(0x000369f957477df9,0x0004806fc3a6b4c4,0x0000682fc6009497,0x0000190600762d8c,0x0000105698d28452)},
{FIELD_LITERAL(0x0000db58e90b0258,0x0002faa725dd0cb8,0x0006bcd0fb7d7773,0x000025525eeafd1d,0x00032541b927bcd7)},
{FIELD_LITERAL(0x0004f1e166f0bd7e,0x00075f57198553f9,0x00022a3bd982e093,0x0002e4f143a9eb47,0x000735c8594a0a9c)},
{FIELD_LITERAL(0x00070ac72f9780aa,0x0003e873b4d59105,0x0007f6c02aa0281c,0x00024fa03888dad7,0x00009c751940b87e)},
{FIELD_LITERAL(0x000297476c6d9690,0x000689d5de7319f7,0x0002ba11aa2814f7,0x00003265301b3019,0x0003a1cc84857e0c)},
{FIELD_LITERAL(0x0003b824eb77c5ed,0x000533420322f935,0x0002d51e82c71d7b,0x000528ab31dfcc63,0x00069ca6b033d9fc)}
};

+ 267
- 0
src/GENERATED/c/curve25519/eddsa.c View File

@@ -0,0 +1,267 @@
/**
* @file curve25519/eddsa.c
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
* @cond internal
* @brief EdDSA routines.
*
* @warning This file was automatically generated in Python.
* Please do not edit it.
*/
#include "word.h"
#include <decaf/ed255.h>
#include <decaf/shake.h>
#include <decaf/sha512.h>
#include <string.h>

#define API_NAME "decaf_255"
#define API_NS(_id) decaf_255_##_id

#define hash_ctx_t decaf_sha512_ctx_t
#define hash_init decaf_sha512_init
#define hash_update decaf_sha512_update
#define hash_final decaf_sha512_final
#define hash_destroy decaf_sha512_destroy
#define hash_hash decaf_sha512_hash

#define SUPPORTS_CONTEXTS DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
#define EDDSA_USE_SIGMA_ISOGENY 1
#define COFACTOR 8

/* EDDSA_BASE_POINT_RATIO = 1 or 2
* Because EdDSA25519 is not on E_d but on the isogenous E_sigma_d,
* its base point is twice ours.
*/
#define EDDSA_BASE_POINT_RATIO (1+EDDSA_USE_SIGMA_ISOGENY)

static void clamp (
uint8_t secret_scalar_ser[DECAF_EDDSA_25519_PRIVATE_BYTES]
) {
/* Blarg */
secret_scalar_ser[0] &= -COFACTOR;
uint8_t hibit = (1<<7)>>1;
if (hibit == 0) {
secret_scalar_ser[DECAF_EDDSA_25519_PRIVATE_BYTES - 1] = 0;
secret_scalar_ser[DECAF_EDDSA_25519_PRIVATE_BYTES - 2] |= 0x80;
} else {
secret_scalar_ser[DECAF_EDDSA_25519_PRIVATE_BYTES - 1] &= hibit-1;
secret_scalar_ser[DECAF_EDDSA_25519_PRIVATE_BYTES - 1] |= hibit;
}
}

static void hash_init_with_dom(
hash_ctx_t hash,
uint8_t prehashed,
const uint8_t *context,
uint8_t context_len
) {
hash_init(hash);
#if SUPPORTS_CONTEXTS
const char *dom_s = "";
const uint8_t dom[2] = {1+word_is_zero(prehashed), context_len};
hash_update(hash,(const unsigned char *)dom_s, strlen(dom_s));
hash_update(hash,dom,2);
hash_update(hash,context,context_len);
#else
(void)prehashed;
(void)context;
assert(context==NULL);
(void)context_len;
assert(context_len == 0);
#endif
}

void decaf_ed25519_derive_public_key (
uint8_t pubkey[DECAF_EDDSA_25519_PUBLIC_BYTES],
const uint8_t privkey[DECAF_EDDSA_25519_PRIVATE_BYTES]
) {
/* only this much used for keygen */
uint8_t secret_scalar_ser[DECAF_EDDSA_25519_PRIVATE_BYTES];
hash_hash(
secret_scalar_ser,
sizeof(secret_scalar_ser),
privkey,
DECAF_EDDSA_25519_PRIVATE_BYTES
);
clamp(secret_scalar_ser);
API_NS(scalar_t) secret_scalar;
API_NS(scalar_decode_long)(secret_scalar, secret_scalar_ser, sizeof(secret_scalar_ser));
/* Since we are going to mul_by_cofactor during encoding, divide by it here.
* However, the EdDSA base point is not the same as the decaf base point if
* the sigma isogeny is in use: the EdDSA base point is on Etwist_d/(1-d) and
* the decaf base point is on Etwist_d, and when converted it effectively
* picks up a factor of 2 from the isogenies. So we might start at 2 instead of 1.
*/
for (unsigned int c = EDDSA_BASE_POINT_RATIO; c < COFACTOR; c <<= 1) {
API_NS(scalar_halve)(secret_scalar,secret_scalar);
}
API_NS(point_t) p;
API_NS(precomputed_scalarmul)(p,API_NS(precomputed_base),secret_scalar);
API_NS(point_mul_by_cofactor_and_encode_like_eddsa)(pubkey, p);
/* Cleanup */
API_NS(scalar_destroy)(secret_scalar);
API_NS(point_destroy)(p);
decaf_bzero(secret_scalar_ser, sizeof(secret_scalar_ser));
}

void decaf_ed25519_sign (
uint8_t signature[DECAF_EDDSA_25519_SIGNATURE_BYTES],
const uint8_t privkey[DECAF_EDDSA_25519_PRIVATE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_25519_PUBLIC_BYTES],
const uint8_t *message,
size_t message_len,
uint8_t prehashed
#if SUPPORTS_CONTEXTS
, const uint8_t *context,
uint8_t context_len
#endif
) {
#if !SUPPORTS_CONTEXTS
const uint8_t *const context = NULL;
const uint8_t context_len = 0;
#endif
API_NS(scalar_t) secret_scalar;
hash_ctx_t hash;
{
/* Schedule the secret key */
struct {
uint8_t secret_scalar_ser[DECAF_EDDSA_25519_PRIVATE_BYTES];
uint8_t seed[DECAF_EDDSA_25519_PRIVATE_BYTES];
} __attribute__((packed)) expanded;
hash_hash(
(uint8_t *)&expanded,
sizeof(expanded),
privkey,
DECAF_EDDSA_25519_PRIVATE_BYTES
);
clamp(expanded.secret_scalar_ser);
API_NS(scalar_decode_long)(secret_scalar, expanded.secret_scalar_ser, sizeof(expanded.secret_scalar_ser));
/* Hash to create the nonce */
hash_init_with_dom(hash,prehashed,context,context_len);
hash_update(hash,expanded.seed,sizeof(expanded.seed));
hash_update(hash,message,message_len);
decaf_bzero(&expanded, sizeof(expanded));
}
/* Decode the nonce */
API_NS(scalar_t) nonce_scalar;
{
uint8_t nonce[2*DECAF_EDDSA_25519_PRIVATE_BYTES];
hash_final(hash,nonce,sizeof(nonce));
API_NS(scalar_decode_long)(nonce_scalar, nonce, sizeof(nonce));
decaf_bzero(nonce, sizeof(nonce));
}
uint8_t nonce_point[DECAF_EDDSA_25519_PUBLIC_BYTES] = {0};
{
/* Scalarmul to create the nonce-point */
API_NS(scalar_t) nonce_scalar_2;
API_NS(scalar_halve)(nonce_scalar_2,nonce_scalar);
for (unsigned int c = 2*EDDSA_BASE_POINT_RATIO; c < COFACTOR; c <<= 1) {
API_NS(scalar_halve)(nonce_scalar_2,nonce_scalar_2);
}
API_NS(point_t) p;
API_NS(precomputed_scalarmul)(p,API_NS(precomputed_base),nonce_scalar_2);
API_NS(point_mul_by_cofactor_and_encode_like_eddsa)(nonce_point, p);
API_NS(point_destroy)(p);
API_NS(scalar_destroy)(nonce_scalar_2);
}
API_NS(scalar_t) challenge_scalar;
{
/* Compute the challenge */
hash_init_with_dom(hash,prehashed,context,context_len);
hash_update(hash,nonce_point,sizeof(nonce_point));
hash_update(hash,pubkey,DECAF_EDDSA_25519_PUBLIC_BYTES);
hash_update(hash,message,message_len);
uint8_t challenge[2*DECAF_EDDSA_25519_PRIVATE_BYTES];
hash_final(hash,challenge,sizeof(challenge));
hash_destroy(hash);
API_NS(scalar_decode_long)(challenge_scalar,challenge,sizeof(challenge));
decaf_bzero(challenge,sizeof(challenge));
}
API_NS(scalar_mul)(challenge_scalar,challenge_scalar,secret_scalar);
API_NS(scalar_add)(challenge_scalar,challenge_scalar,nonce_scalar);
decaf_bzero(signature,DECAF_EDDSA_25519_SIGNATURE_BYTES);
memcpy(signature,nonce_point,sizeof(nonce_point));
API_NS(scalar_encode)(&signature[DECAF_EDDSA_25519_PUBLIC_BYTES],challenge_scalar);
API_NS(scalar_destroy)(secret_scalar);
API_NS(scalar_destroy)(nonce_scalar);
API_NS(scalar_destroy)(challenge_scalar);
}


decaf_error_t decaf_ed25519_verify (
const uint8_t signature[DECAF_EDDSA_25519_SIGNATURE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_25519_PUBLIC_BYTES],
const uint8_t *message,
size_t message_len,
uint8_t prehashed
#if SUPPORTS_CONTEXTS
, const uint8_t *context,
uint8_t context_len
#endif
) {
#if !SUPPORTS_CONTEXTS
const uint8_t *const context = NULL;
const uint8_t context_len = 0;
#endif
API_NS(point_t) pk_point, r_point;
decaf_error_t error = API_NS(point_decode_like_eddsa_and_ignore_cofactor)(pk_point,pubkey);
if (DECAF_SUCCESS != error) { return error; }
error = API_NS(point_decode_like_eddsa_and_ignore_cofactor)(r_point,signature);
if (DECAF_SUCCESS != error) { return error; }
API_NS(scalar_t) challenge_scalar;
{
/* Compute the challenge */
hash_ctx_t hash;
hash_init_with_dom(hash,prehashed,context,context_len);
hash_update(hash,signature,DECAF_EDDSA_25519_PUBLIC_BYTES);
hash_update(hash,pubkey,DECAF_EDDSA_25519_PUBLIC_BYTES);
hash_update(hash,message,message_len);
uint8_t challenge[2*DECAF_EDDSA_25519_PRIVATE_BYTES];
hash_final(hash,challenge,sizeof(challenge));
hash_destroy(hash);
API_NS(scalar_decode_long)(challenge_scalar,challenge,sizeof(challenge));
decaf_bzero(challenge,sizeof(challenge));
}
API_NS(scalar_sub)(challenge_scalar, API_NS(scalar_zero), challenge_scalar);
API_NS(scalar_t) response_scalar;
API_NS(scalar_decode_long)(
response_scalar,
&signature[DECAF_EDDSA_25519_PUBLIC_BYTES],
DECAF_EDDSA_25519_PRIVATE_BYTES
);
#if EDDSA_BASE_POINT_RATIO == 2
API_NS(scalar_add)(response_scalar,response_scalar,response_scalar);
#endif
/* pk_point = -c(x(P)) + (cx + k)G = kG */
API_NS(base_double_scalarmul_non_secret)(
pk_point,
response_scalar,
pk_point,
challenge_scalar
);
return decaf_succeed_if(API_NS(point_eq(pk_point,r_point)));
}

+ 199
- 0
src/GENERATED/c/curve25519/elligator.c View File

@@ -0,0 +1,199 @@
/**
* @file curve25519/elligator.c
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
* @brief Elligator high-level functions.
*
* @warning This file was automatically generated in Python.
* Please do not edit it.
*/
#include "word.h"
#include "field.h"
#include <decaf.h>

/* Template stuff */
#define API_NS(_id) decaf_255_##_id
#define point_t API_NS(point_t)
#define IMAGINE_TWIST 1
#define COFACTOR 8
static const int EDWARDS_D = -121665;
/* End of template stuff */

extern void API_NS(deisogenize) (
gf_s *__restrict__ s,
gf_s *__restrict__ minus_t_over_s,
const point_t p,
mask_t toggle_hibit_s,
mask_t toggle_hibit_t_over_s,
mask_t toggle_rotation
);

void API_NS(point_from_hash_nonuniform) (
point_t p,
const unsigned char ser[SER_BYTES]
) {
gf r0,r,a,b,c,N,e;
ignore_result(gf_deserialize(r0,ser,0));
gf_strong_reduce(r0);
gf_sqr(a,r0);
gf_mul_qnr(r,a);

/* Compute D@c := (dr+a-d)(dr-ar-d) with a=1 */
gf_sub(a,r,ONE);
gf_mulw(b,a,EDWARDS_D); /* dr-d */
gf_add(a,b,ONE);
gf_sub(b,b,r);
gf_mul(c,a,b);
/* compute N := (r+1)(a-2d) */
gf_add(a,r,ONE);
gf_mulw(N,a,1-2*EDWARDS_D);
/* e = +-sqrt(1/ND) or +-r0 * sqrt(qnr/ND) */
gf_mul(a,c,N);
mask_t square = gf_isr(b,a);
gf_cond_sel(c,r0,ONE,square); /* r? = square ? 1 : r0 */
gf_mul(e,b,c);
/* s@a = +-|N.e| */
gf_mul(a,N,e);
gf_cond_neg(a,gf_hibit(a)^square); /* NB this is - what is listen in the paper */
/* t@b = -+ cN(r-1)((a-2d)e)^2 - 1 */
gf_mulw(c,e,1-2*EDWARDS_D); /* (a-2d)e */
gf_sqr(b,c);
gf_sub(e,r,ONE);
gf_mul(c,b,e);
gf_mul(b,c,N);
gf_cond_neg(b,square);
gf_sub(b,b,ONE);

/* isogenize */
#if IMAGINE_TWIST
gf_mul(c,a,SQRT_MINUS_ONE);
gf_copy(a,c);
#endif
gf_sqr(c,a); /* s^2 */
gf_add(a,a,a); /* 2s */
gf_add(e,c,ONE);
gf_mul(p->t,a,e); /* 2s(1+s^2) */
gf_mul(p->x,a,b); /* 2st */
gf_sub(a,ONE,c);
gf_mul(p->y,e,a); /* (1+s^2)(1-s^2) */
gf_mul(p->z,a,b); /* (1-s^2)t */
assert(API_NS(point_valid)(p));
}

void API_NS(point_from_hash_uniform) (
point_t pt,
const unsigned char hashed_data[2*SER_BYTES]
) {
point_t pt2;
API_NS(point_from_hash_nonuniform)(pt,hashed_data);
API_NS(point_from_hash_nonuniform)(pt2,&hashed_data[SER_BYTES]);
API_NS(point_add)(pt,pt,pt2);
}

/* Elligator_onto:
* Make elligator-inverse onto at the cost of roughly halving the success probability.
* Currently no effect for curves with field size 1 bit mod 8 (where the top bit
* is chopped off). FUTURE MAGIC: automatic at least for brainpool-style curves; support
* log p == 1 mod 8 brainpool curves maybe?
*/
#define MAX(A,B) (((A)>(B)) ? (A) : (B))
#define PKP_MASK ((1<<(MAX(8*SER_BYTES + 0 - 255,0)))-1)
#if PKP_MASK != 0
static UNUSED mask_t plus_k_p (
uint8_t x[SER_BYTES],
uint32_t factor_
) {
uint32_t carry = 0;
uint64_t factor = factor_;
const uint8_t p[SER_BYTES] = { 0xed, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f };
for (unsigned int i=0; i<SER_BYTES; i++) {
uint64_t tmp = carry + p[i] * factor + x[i];
/* tmp <= 2^32-1 + (2^32-1)*(2^8-1) + (2^8-1) = 2^40-1 */
x[i] = tmp; carry = tmp>>8;
}
return word_is_zero(carry);
}
#endif

decaf_error_t
API_NS(invert_elligator_nonuniform) (
unsigned char recovered_hash[SER_BYTES],
const point_t p,
uint32_t hint_
) {
mask_t hint = hint_;
mask_t sgn_s = -(hint & 1),
sgn_t_over_s = -(hint>>1 & 1),
sgn_r0 = -(hint>>2 & 1),
/* FUTURE MAGIC: eventually if there's a curve which needs sgn_ed_T but not sgn_r0,
* change this mask extraction.
*/
sgn_ed_T = -(hint>>3 & 1);
gf a, b, c, d;
API_NS(deisogenize)(a,c,p,sgn_s,sgn_t_over_s,sgn_ed_T);
#if 255 == 8*SER_BYTES + 1 /* p521. */
sgn_r0 = 0;
#endif
/* ok, a = s; c = -t/s */
gf_mul(b,c,a);
gf_sub(b,ONE,b); /* t+1 */
gf_sqr(c,a); /* s^2 */
mask_t is_identity = gf_eq(p->t,ZERO);

/* identity adjustments */
/* in case of identity, currently c=0, t=0, b=1, will encode to 1 */
/* if hint is 0, -> 0 */
/* if hint is to neg t/s, then go to infinity, effectively set s to 1 */
gf_cond_sel(c,c,ONE,is_identity & sgn_t_over_s);
gf_cond_sel(b,b,ZERO,is_identity & ~sgn_t_over_s & ~sgn_s);
gf_mulw(d,c,2*EDWARDS_D-1); /* $d = (2d-a)s^2 */
gf_add(a,b,d); /* num? */
gf_sub(d,d,b); /* den? */
gf_mul(b,a,d); /* n*d */
gf_cond_sel(a,d,a,sgn_s);
gf_mul_qnr(d,b);
mask_t succ = gf_isr(c,d)|gf_eq(d,ZERO);
gf_mul(b,a,c);
gf_cond_neg(b, sgn_r0^gf_hibit(b));
succ &= ~(gf_eq(b,ZERO) & sgn_r0);
#if COFACTOR == 8
succ &= ~(is_identity & sgn_ed_T); /* NB: there are no preimages of rotated identity. */
#endif
#if 255 == 8*SER_BYTES + 1 /* p521 */
gf_serialize(recovered_hash,b,0);
#else
gf_serialize(recovered_hash,b,1);
#if PKP_MASK != 0
/* Add a multiple of p to make the result either almost-onto or completely onto. */
succ &= plus_k_p(recovered_hash, (hint >> ((COFACTOR==8)?4:3)) & PKP_MASK);
#endif
#endif
return decaf_succeed_if(mask_to_bool(succ));
}

decaf_error_t
API_NS(invert_elligator_uniform) (
unsigned char partial_hash[2*SER_BYTES],
const point_t p,
uint32_t hint
) {
point_t pt2;
API_NS(point_from_hash_nonuniform)(pt2,&partial_hash[SER_BYTES]);
API_NS(point_sub)(pt2,p,pt2);
return API_NS(invert_elligator_nonuniform)(partial_hash,pt2,hint);
}

+ 339
- 0
src/GENERATED/c/curve25519/scalar.c View File

@@ -0,0 +1,339 @@
/**
* @file curve25519/scalar.c
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
* @brief Decaf high-level functions.
*
* @warning This file was automatically generated in Python.
* Please do not edit it.
*/
#include "word.h"
#include "constant_time.h"
#include <decaf.h>

/* Template stuff */
#define API_NS(_id) decaf_255_##_id
#define SCALAR_BITS DECAF_255_SCALAR_BITS
#define SCALAR_SER_BYTES DECAF_255_SCALAR_BYTES
#define SCALAR_LIMBS DECAF_255_SCALAR_LIMBS
#define scalar_t API_NS(scalar_t)

static const decaf_word_t MONTGOMERY_FACTOR = (decaf_word_t)0xd2b51da312547e1bull;
static const scalar_t sc_p = {{{
SC_LIMB(0x5812631a5cf5d3ed), SC_LIMB(0x14def9dea2f79cd6), SC_LIMB(0x0000000000000000), SC_LIMB(0x1000000000000000)
}}}, sc_r2 = {{{
SC_LIMB(0xa40611e3449c0f01), SC_LIMB(0xd00e1ba768859347), SC_LIMB(0xceec73d217f5be65), SC_LIMB(0x0399411b7c309a3d)
}}};
/* End of template stuff */

#define WBITS DECAF_WORD_BITS /* NB this may be different from ARCH_WORD_BITS */

const scalar_t API_NS(scalar_one) = {{{1}}}, API_NS(scalar_zero) = {{{0}}};

/** {extra,accum} - sub +? p
* Must have extra <= 1
*/
static NOINLINE void sc_subx(
scalar_t out,
const decaf_word_t accum[SCALAR_LIMBS],
const scalar_t sub,
const scalar_t p,
decaf_word_t extra
) {
decaf_dsword_t chain = 0;
unsigned int i;
for (i=0; i<SCALAR_LIMBS; i++) {
chain = (chain + accum[i]) - sub->limb[i];
out->limb[i] = chain;
chain >>= WBITS;
}
decaf_word_t borrow = chain+extra; /* = 0 or -1 */
chain = 0;
for (i=0; i<SCALAR_LIMBS; i++) {
chain = (chain + out->limb[i]) + (p->limb[i] & borrow);
out->limb[i] = chain;
chain >>= WBITS;
}
}

static NOINLINE void sc_montmul (
scalar_t out,
const scalar_t a,
const scalar_t b
) {
unsigned int i,j;
decaf_word_t accum[SCALAR_LIMBS+1] = {0};
decaf_word_t hi_carry = 0;
for (i=0; i<SCALAR_LIMBS; i++) {
decaf_word_t mand = a->limb[i];
const decaf_word_t *mier = b->limb;
decaf_dword_t chain = 0;
for (j=0; j<SCALAR_LIMBS; j++) {
chain += ((decaf_dword_t)mand)*mier[j] + accum[j];
accum[j] = chain;
chain >>= WBITS;
}
accum[j] = chain;
mand = accum[0] * MONTGOMERY_FACTOR;
chain = 0;
mier = sc_p->limb;
for (j=0; j<SCALAR_LIMBS; j++) {
chain += (decaf_dword_t)mand*mier[j] + accum[j];
if (j) accum[j-1] = chain;
chain >>= WBITS;
}
chain += accum[j];
chain += hi_carry;
accum[j-1] = chain;
hi_carry = chain >> WBITS;
}
sc_subx(out, accum, sc_p, sc_p, hi_carry);
}

void API_NS(scalar_mul) (
scalar_t out,
const scalar_t a,
const scalar_t b
) {
sc_montmul(out,a,b);
sc_montmul(out,out,sc_r2);
}

/* PERF: could implement this */
static INLINE void sc_montsqr (scalar_t out, const scalar_t a) {
sc_montmul(out,a,a);
}

decaf_error_t API_NS(scalar_invert) (
scalar_t out,
const scalar_t a
) {
/* Fermat's little theorem, sliding window.
* Sliding window is fine here because the modulus isn't secret.
*/
const int SCALAR_WINDOW_BITS = 3;
scalar_t precmp[1<<SCALAR_WINDOW_BITS];
const int LAST = (1<<SCALAR_WINDOW_BITS)-1;

/* Precompute precmp = [a^1,a^3,...] */
sc_montmul(precmp[0],a,sc_r2);
if (LAST > 0) sc_montmul(precmp[LAST],precmp[0],precmp[0]);

int i;
for (i=1; i<=LAST; i++) {
sc_montmul(precmp[i],precmp[i-1],precmp[LAST]);
}
/* Sliding window */
unsigned residue = 0, trailing = 0, started = 0;
for (i=SCALAR_BITS-1; i>=-SCALAR_WINDOW_BITS; i--) {
if (started) sc_montsqr(out,out);
decaf_word_t w = (i>=0) ? sc_p->limb[i/WBITS] : 0;
if (i >= 0 && i<WBITS) {
assert(w >= 2);
w-=2;
}
residue = (residue<<1) | ((w>>(i%WBITS))&1);
if (residue>>SCALAR_WINDOW_BITS != 0) {
assert(trailing == 0);
trailing = residue;
residue = 0;
}
if (trailing > 0 && (trailing & ((1<<SCALAR_WINDOW_BITS)-1)) == 0) {
if (started) {
sc_montmul(out,out,precmp[trailing>>(SCALAR_WINDOW_BITS+1)]);
} else {
API_NS(scalar_copy)(out,precmp[trailing>>(SCALAR_WINDOW_BITS+1)]);
started = 1;
}
trailing = 0;
}
trailing <<= 1;
}
assert(residue==0);
assert(trailing==0);
/* Demontgomerize */
sc_montmul(out,out,API_NS(scalar_one));
decaf_bzero(precmp, sizeof(precmp));
return decaf_succeed_if(~API_NS(scalar_eq)(out,API_NS(scalar_zero)));
}

void API_NS(scalar_sub) (
scalar_t out,
const scalar_t a,
const scalar_t b
) {
sc_subx(out, a->limb, b, sc_p, 0);
}

void API_NS(scalar_add) (
scalar_t out,
const scalar_t a,
const scalar_t b
) {
decaf_dword_t chain = 0;
unsigned int i;
for (i=0; i<SCALAR_LIMBS; i++) {
chain = (chain + a->limb[i]) + b->limb[i];
out->limb[i] = chain;
chain >>= WBITS;
}
sc_subx(out, out->limb, sc_p, sc_p, chain);
}

void
API_NS(scalar_set_unsigned) (
scalar_t out,
uint64_t w
) {
memset(out,0,sizeof(scalar_t));
unsigned int i = 0;
for (; i<sizeof(uint64_t)/sizeof(decaf_word_t); i++) {
out->limb[i] = w;
w >>= (sizeof(uint64_t) > sizeof(decaf_word_t)) ? 8*sizeof(decaf_word_t) : 0;
}
}

decaf_bool_t
API_NS(scalar_eq) (
const scalar_t a,
const scalar_t b
) {
decaf_word_t diff = 0;
unsigned int i;
for (i=0; i<SCALAR_LIMBS; i++) {
diff |= a->limb[i] ^ b->limb[i];
}
return mask_to_bool(word_is_zero(diff));
}

static INLINE void scalar_decode_short (
scalar_t s,
const unsigned char *ser,
unsigned int nbytes
) {
unsigned int i,j,k=0;
for (i=0; i<SCALAR_LIMBS; i++) {
decaf_word_t out = 0;
for (j=0; j<sizeof(decaf_word_t) && k<nbytes; j++,k++) {
out |= ((decaf_word_t)ser[k])<<(8*j);
}
s->limb[i] = out;
}
}

decaf_error_t API_NS(scalar_decode)(
scalar_t s,
const unsigned char ser[SCALAR_SER_BYTES]
) {
unsigned int i;
scalar_decode_short(s, ser, SCALAR_SER_BYTES);
decaf_dsword_t accum = 0;
for (i=0; i<SCALAR_LIMBS; i++) {
accum = (accum + s->limb[i] - sc_p->limb[i]) >> WBITS;
}
/* Here accum == 0 or -1 */
API_NS(scalar_mul)(s,s,API_NS(scalar_one)); /* ham-handed reduce */
return decaf_succeed_if(~word_is_zero(accum));
}

void API_NS(scalar_destroy) (
scalar_t scalar
) {
decaf_bzero(scalar, sizeof(scalar_t));
}

void API_NS(scalar_decode_long)(
scalar_t s,
const unsigned char *ser,
size_t ser_len
) {
if (ser_len == 0) {
API_NS(scalar_copy)(s, API_NS(scalar_zero));
return;
}
size_t i;
scalar_t t1, t2;

i = ser_len - (ser_len%SCALAR_SER_BYTES);
if (i==ser_len) i -= SCALAR_SER_BYTES;
scalar_decode_short(t1, &ser[i], ser_len-i);

if (ser_len == sizeof(scalar_t)) {
assert(i==0);
/* ham-handed reduce */
API_NS(scalar_mul)(s,t1,API_NS(scalar_one));
API_NS(scalar_destroy)(t1);
return;
}

while (i) {
i -= SCALAR_SER_BYTES;
sc_montmul(t1,t1,sc_r2);
ignore_result( API_NS(scalar_decode)(t2, ser+i) );
API_NS(scalar_add)(t1, t1, t2);
}

API_NS(scalar_copy)(s, t1);
API_NS(scalar_destroy)(t1);
API_NS(scalar_destroy)(t2);
}

void API_NS(scalar_encode)(
unsigned char ser[SCALAR_SER_BYTES],
const scalar_t s
) {
unsigned int i,j,k=0;
for (i=0; i<SCALAR_LIMBS; i++) {
for (j=0; j<sizeof(decaf_word_t); j++,k++) {
ser[k] = s->limb[i] >> (8*j);
}
}
}

void API_NS(scalar_cond_sel) (
scalar_t out,
const scalar_t a,
const scalar_t b,
decaf_bool_t pick_b
) {
constant_time_select(out,a,b,sizeof(scalar_t),bool_to_mask(pick_b),sizeof(out->limb[0]));
}

void API_NS(scalar_halve) (
scalar_t out,
const scalar_t a
) {
decaf_word_t mask = -(a->limb[0] & 1);
decaf_dword_t chain = 0;
unsigned int i;
for (i=0; i<SCALAR_LIMBS; i++) {
chain = (chain + a->limb[i]) + (sc_p->limb[i] & mask);
out->limb[i] = chain;
chain >>= DECAF_WORD_BITS;
}
for (i=0; i<SCALAR_LIMBS-1; i++) {
out->limb[i] = out->limb[i]>>1 | out->limb[i+1]<<(WBITS-1);
}
out->limb[i] = out->limb[i]>>1 | chain<<(WBITS-1);
}


+ 234
- 0
src/GENERATED/c/ed448goldilocks/crypto.c View File

@@ -0,0 +1,234 @@
/**
* @file ed448goldilocks/crypto.c
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
* @cond internal
* @brief Example Decaf crypto routines
*
* @warning This file was automatically generated in Python.
* Please do not edit it.
*/
#include <decaf/crypto.h>
#include <string.h>

#define API_NAME "decaf_448"
#define API_NS(_id) decaf_448_##_id
#define SCALAR_BITS DECAF_448_SCALAR_BITS
#define SCALAR_BYTES ((SCALAR_BITS + 7)/8)
#define SER_BYTES DECAF_448_SER_BYTES

/* TODO: canonicalize and freeze the STROBE constants in this file
* (and STROBE itself for that matter)
*/
static const char *DERIVE_MAGIC = API_NAME"::derive_private_key";
static const char *SIGN_MAGIC = API_NAME"::sign";
static const char *SHARED_SECRET_MAGIC = API_NAME"::shared_secret";
static const uint16_t SHARED_SECRET_MAX_BLOCK_SIZE = 1<<12;
static const unsigned int SCALAR_OVERKILL_BYTES = SCALAR_BYTES + 8;

void API_NS(derive_private_key) (
API_NS(private_key_t) priv,
const API_NS(symmetric_key_t) proto
) {
uint8_t encoded_scalar[SCALAR_OVERKILL_BYTES];
API_NS(point_t) pub;
keccak_strobe_t strobe;
strobe_init(strobe, &STROBE_256, DERIVE_MAGIC, 0);
strobe_fixed_key(strobe, proto, sizeof(API_NS(symmetric_key_t)));
strobe_prng(strobe, encoded_scalar, sizeof(encoded_scalar));
strobe_destroy(strobe);
memcpy(priv->sym, proto, sizeof(API_NS(symmetric_key_t)));
API_NS(scalar_decode_long)(priv->secret_scalar, encoded_scalar, sizeof(encoded_scalar));
API_NS(precomputed_scalarmul)(pub, API_NS(precomputed_base), priv->secret_scalar);
API_NS(point_encode)(priv->pub, pub);
decaf_bzero(encoded_scalar, sizeof(encoded_scalar));
}

void
API_NS(destroy_private_key) (
API_NS(private_key_t) priv
) {
decaf_bzero((void*)priv, sizeof(API_NS(private_key_t)));
}

void API_NS(private_to_public) (
API_NS(public_key_t) pub,
const API_NS(private_key_t) priv
) {
memcpy(pub, priv->pub, sizeof(API_NS(public_key_t)));
}

/* Performance vs consttime tuning.
* Specifying true here might give better DOS resistance in certain corner
* cases. Specifying false gives a tighter result in test_ct.
*/
#ifndef DECAF_CRYPTO_SHARED_SECRET_SHORT_CIRUIT
#define DECAF_CRYPTO_SHARED_SECRET_SHORT_CIRUIT DECAF_FALSE
#endif

decaf_error_t
API_NS(shared_secret) (
uint8_t *shared,
size_t shared_bytes,
const API_NS(private_key_t) my_privkey,
const API_NS(public_key_t) your_pubkey,
int me_first
) {
keccak_strobe_t strobe;
strobe_init(strobe, &STROBE_256, SHARED_SECRET_MAGIC, 0);
uint8_t ss_ser[SER_BYTES];
if (me_first) {
strobe_ad(strobe,my_privkey->pub,sizeof(API_NS(public_key_t)));
strobe_ad(strobe,your_pubkey,sizeof(API_NS(public_key_t)));
} else {
strobe_ad(strobe,your_pubkey,sizeof(API_NS(public_key_t)));
strobe_ad(strobe,my_privkey->pub,sizeof(API_NS(public_key_t)));
}
decaf_error_t ret = API_NS(direct_scalarmul)(
ss_ser, your_pubkey, my_privkey->secret_scalar, DECAF_FALSE,
DECAF_CRYPTO_SHARED_SECRET_SHORT_CIRUIT
);
strobe_transact(strobe,NULL,ss_ser,sizeof(ss_ser),STROBE_CW_DH_KEY);
while (shared_bytes) {
uint16_t cando = (shared_bytes > SHARED_SECRET_MAX_BLOCK_SIZE)
? SHARED_SECRET_MAX_BLOCK_SIZE : shared_bytes;
strobe_prng(strobe,shared,cando);
shared_bytes -= cando;
shared += cando;
}

strobe_destroy(strobe);
decaf_bzero(ss_ser, sizeof(ss_ser));
return ret;
}

void
API_NS(sign_strobe) (
keccak_strobe_t strobe,
API_NS(signature_t) sig,
const API_NS(private_key_t) priv
) {
uint8_t overkill[SCALAR_OVERKILL_BYTES];
API_NS(point_t) point;
API_NS(scalar_t) nonce, challenge;
/* Stir pubkey */
strobe_transact(strobe,NULL,priv->pub,sizeof(API_NS(public_key_t)),STROBE_CW_SIG_PK);
/* Derive nonce */
keccak_strobe_t strobe2;
memcpy(strobe2,strobe,sizeof(strobe2));
strobe_fixed_key(strobe2,priv->sym,sizeof(API_NS(symmetric_key_t)));
strobe_prng(strobe2,overkill,sizeof(overkill));
strobe_destroy(strobe2);
API_NS(scalar_decode_long)(nonce, overkill, sizeof(overkill));
API_NS(precomputed_scalarmul)(point, API_NS(precomputed_base), nonce);
API_NS(point_encode)(sig, point);

/* Derive challenge */
strobe_transact(strobe,NULL,sig,SER_BYTES,STROBE_CW_SIG_EPH);
strobe_transact(strobe,overkill,NULL,sizeof(overkill),STROBE_CW_SIG_CHAL);
API_NS(scalar_decode_long)(challenge, overkill, sizeof(overkill));
/* Respond */
API_NS(scalar_mul)(challenge, challenge, priv->secret_scalar);
API_NS(scalar_sub)(nonce, nonce, challenge);
/* Save results */
API_NS(scalar_encode)(overkill, nonce);
strobe_transact(strobe,&sig[SER_BYTES],overkill,SCALAR_BYTES,STROBE_CW_SIG_RESP);
/* Clean up */
API_NS(scalar_destroy)(nonce);
API_NS(scalar_destroy)(challenge);
decaf_bzero(overkill,sizeof(overkill));
}

decaf_error_t
API_NS(verify_strobe) (
keccak_strobe_t strobe,
const API_NS(signature_t) sig,
const API_NS(public_key_t) pub
) {
decaf_bool_t ret;
uint8_t overkill[SCALAR_OVERKILL_BYTES];
API_NS(point_t) point, pubpoint;
API_NS(scalar_t) challenge, response;
/* Stir pubkey */
strobe_transact(strobe,NULL,pub,sizeof(API_NS(public_key_t)),STROBE_CW_SIG_PK);
/* Derive nonce */
strobe_transact(strobe,NULL,sig,SER_BYTES,STROBE_CW_SIG_EPH);
ret = decaf_successful( API_NS(point_decode)(point, sig, DECAF_TRUE) );
/* Derive challenge */
strobe_transact(strobe,overkill,NULL,sizeof(overkill),STROBE_CW_SIG_CHAL);
API_NS(scalar_decode_long)(challenge, overkill, sizeof(overkill));
/* Decode response */
strobe_transact(strobe,overkill,&sig[SER_BYTES],SCALAR_BYTES,STROBE_CW_SIG_RESP);
ret &= decaf_successful( API_NS(scalar_decode)(response, overkill) );
ret &= decaf_successful( API_NS(point_decode)(pubpoint, pub, DECAF_FALSE) );

API_NS(base_double_scalarmul_non_secret) (
pubpoint, response, pubpoint, challenge
);

ret &= API_NS(point_eq)(pubpoint, point);
/* Nothing here is secret, so don't do these things:
decaf_bzero(overkill,sizeof(overkill));
API_NS(point_destroy)(point);
API_NS(point_destroy)(pubpoint);
API_NS(scalar_destroy)(challenge);
API_NS(scalar_destroy)(response);
*/
return decaf_succeed_if(ret);
}

void
API_NS(sign) (
API_NS(signature_t) sig,
const API_NS(private_key_t) priv,
const unsigned char *message,
size_t message_len
) {
keccak_strobe_t ctx;
strobe_init(ctx,&STROBE_256,SIGN_MAGIC,0);
strobe_transact(ctx, NULL, message, message_len, STROBE_CW_STREAMING_PLAINTEXT);
API_NS(sign_strobe)(ctx, sig, priv);
strobe_destroy(ctx);
}

decaf_error_t
API_NS(verify) (
const API_NS(signature_t) sig,
const API_NS(public_key_t) pub,
const unsigned char *message,
size_t message_len
) {
keccak_strobe_t ctx;
strobe_init(ctx,&STROBE_256,SIGN_MAGIC,0);
strobe_transact(ctx, NULL, message, message_len, STROBE_CW_STREAMING_PLAINTEXT);
decaf_error_t ret = API_NS(verify_strobe)(ctx, sig, pub);
strobe_destroy(ctx);
return ret;
}

+ 1567
- 0
src/GENERATED/c/ed448goldilocks/decaf.c
File diff suppressed because it is too large
View File


+ 116
- 0
src/GENERATED/c/ed448goldilocks/decaf_gen_tables.c View File

@@ -0,0 +1,116 @@
/**
* @file ed448goldilocks/decaf_gen_tables.c
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
* @brief Decaf global constant table precomputation.
*
* @warning This file was automatically generated in Python.
* Please do not edit it.
*/
#define _XOPEN_SOURCE 600 /* for posix_memalign */
#include <stdio.h>
#include <stdlib.h>

#include "field.h"
#include "f_field.h"
#include "decaf.h"

#define API_NS(_id) decaf_448_##_id
static const unsigned char base_point_ser_for_pregen[SER_BYTES] = {
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01
};

/* To satisfy linker. */
const gf API_NS(precomputed_base_as_fe)[1];
const API_NS(point_t) API_NS(point_base);

struct niels_s;
const gf_s *API_NS(precomputed_wnaf_as_fe);
extern const size_t API_NS(sizeof_precomputed_wnafs);

void API_NS(precompute_wnafs) (
struct niels_s *out,
const API_NS(point_t) base
);
static void field_print(const gf f) {
unsigned char ser[X_SER_BYTES];
gf_serialize(ser,f,1);
int b=0, i, comma=0;
unsigned long long limb = 0;
printf("{FIELD_LITERAL(");
for (i=0; i<X_SER_BYTES; i++) {
limb |= ((uint64_t)ser[i])<<b;
b += 8;
if (b >= GF_LIT_LIMB_BITS || i == SER_BYTES-1) {
limb &= (1ull<<GF_LIT_LIMB_BITS) -1;
b -= GF_LIT_LIMB_BITS;
if (comma) printf(",");
comma = 1;
printf("0x%016llx", limb);
limb = ((uint64_t)ser[i])>>(8-b);
}
}
printf(")}");
assert(b<8);
}

int main(int argc, char **argv) {
(void)argc; (void)argv;
API_NS(point_t) real_point_base;
int ret = API_NS(point_decode)(real_point_base,base_point_ser_for_pregen,0);
if (ret != DECAF_SUCCESS) return 1;
API_NS(precomputed_s) *pre;
ret = posix_memalign((void**)&pre, API_NS(alignof_precomputed_s), API_NS(sizeof_precomputed_s));
if (ret || !pre) return 1;
API_NS(precompute)(pre, real_point_base);
struct niels_s *pre_wnaf;
ret = posix_memalign((void**)&pre_wnaf, API_NS(alignof_precomputed_s), API_NS(sizeof_precomputed_wnafs));
if (ret || !pre_wnaf) return 1;
API_NS(precompute_wnafs)(pre_wnaf, real_point_base);

const gf_s *output;
unsigned i;
printf("/** @warning: this file was automatically generated. */\n");
printf("#include \"field.h\"\n\n");
printf("#include <decaf.h>\n\n");
printf("#define API_NS(_id) decaf_448_##_id\n");
output = (const gf_s *)real_point_base;
printf("const API_NS(point_t) API_NS(point_base) = {{\n");
for (i=0; i < sizeof(API_NS(point_t)); i+=sizeof(gf)) {
if (i) printf(",\n ");
field_print(output++);
}
printf("\n}};\n");
output = (const gf_s *)pre;
printf("const gf API_NS(precomputed_base_as_fe)[%d]\n",
(int)(API_NS(sizeof_precomputed_s) / sizeof(gf)));
printf("__attribute__((aligned(%d),visibility(\"hidden\"))) = {\n ", (int)API_NS(alignof_precomputed_s));
for (i=0; i < API_NS(sizeof_precomputed_s); i+=sizeof(gf)) {
if (i) printf(",\n ");
field_print(output++);
}
printf("\n};\n");
output = (const gf_s *)pre_wnaf;
printf("const gf API_NS(precomputed_wnaf_as_fe)[%d]\n",
(int)(API_NS(sizeof_precomputed_wnafs) / sizeof(gf)));
printf("__attribute__((aligned(%d),visibility(\"hidden\"))) = {\n ", (int)API_NS(alignof_precomputed_s));
for (i=0; i < API_NS(sizeof_precomputed_wnafs); i+=sizeof(gf)) {
if (i) printf(",\n ");
field_print(output++);
}
printf("\n};\n");
return 0;
}

+ 354
- 0
src/GENERATED/c/ed448goldilocks/decaf_tables.c View File

@@ -0,0 +1,354 @@
/** @warning: this file was automatically generated. */
#include "field.h"

#include <decaf.h>

#define API_NS(_id) decaf_448_##_id
const API_NS(point_t) API_NS(point_base) = {{
{FIELD_LITERAL(0x00fffffffffffffe,0x00ffffffffffffff,0x00ffffffffffffff,0x00ffffffffffffff,0x0000000000000003,0x0000000000000000,0x0000000000000000,0x0000000000000000)},
{FIELD_LITERAL(0x0081e6d37f752992,0x003078ead1c28721,0x00135cfd2394666c,0x0041149c50506061,0x0031d30e4f5490b3,0x00902014990dc141,0x0052341b04c1e328,0x0014237853c10a1b)},
{FIELD_LITERAL(0x00fffffffffffffb,0x00ffffffffffffff,0x00ffffffffffffff,0x00ffffffffffffff,0x00fffffffffffffe,0x00ffffffffffffff,0x00ffffffffffffff,0x00ffffffffffffff)},
{FIELD_LITERAL(0x008f205b70660415,0x00881c60cfd3824f,0x00377a638d08500d,0x008c66d5d4672615,0x00e52fa558e08e13,0x0087770ae1b6983d,0x004388f55a0aa7ff,0x00b4d9a785cf1a91)}
}};
const gf API_NS(precomputed_base_as_fe)[240]
__attribute__((aligned(32),visibility("hidden"))) = {
{FIELD_LITERAL(0x00e614a9f7278dc5,0x002e454ad04c5124,0x00d8f58cee1436f3,0x00c83ed46e4180ec,0x00a41e93274a38fa,0x00c1e7e53257771e,0x0043e0ff03c0392f,0x002c7c6405ce61df)},
{FIELD_LITERAL(0x0033c4f9dc990b33,0x00c291cb1ceb55c3,0x002ae3f58ade88b2,0x006b1f9f11395474,0x002ded6e4b27ff7c,0x0041012ed4aa10e1,0x003c22d20a36bae7,0x001f584eed472b19)},
{FIELD_LITERAL(0x00c3514779ee6f60,0x001574c873b20c2b,0x004cd6a46a5a5e65,0x0059a068aeb4204a,0x004c610458bc354d,0x00e94567479d02d2,0x00feaf77ed118e28,0x00f58a8bf115eeb5)},
{FIELD_LITERAL(0x0046110878fcb20f,0x00df43db21cc6f32,0x00ffdde9f4516644,0x00519917791686b9,0x00b72b441fd34473,0x008d45684cb1c72b,0x0015181370fc17a5,0x00a456d1307f74d3)},
{FIELD_LITERAL(0x001430f149b607dc,0x00e992ccd16715fc,0x00a62209b0a32a09,0x00b889cedc26b8e4,0x0059bf9a3ac109cf,0x006871bb3b7feac2,0x00f4a4d5fd9a0e6b,0x00b95db460cd69a5)},
{FIELD_LITERAL(0x0036304418bda702,0x007bc56861561558,0x00f344bc8e30416f,0x00a64537080f59d7,0x00b4c20077d00ace,0x00ee79620b26f8cc,0x00a6a558e0b5403d,0x008f1d2c766f3d19)},
{FIELD_LITERAL(0x00ef21c0297d3112,0x0073f89bd27c35b1,0x00ec44f9b1ff5e33,0x006bee51d878f1ee,0x001571a4b2aceddb,0x00cd0182d55131d1,0x0026761dbc1844be,0x00f01865af716474)},
{FIELD_LITERAL(0x0021dfef3f5fe8cc,0x0038c659ed1dbd68,0x0058ded9bcebe283,0x00077bbb094983ee,0x00b7b484e913d70c,0x0063e477a9506397,0x0000b996a6e01629,0x00ab68b41f75cd37)},
{FIELD_LITERAL(0x00a1fbd946403a4e,0x00be5a4e2d611b05,0x00ea4f210888bc6e,0x0043e9b0e0ae50fe,0x002abc4f6bd86845,0x00c3ed649c67f663,0x00d4eeb391a520e7,0x004b19cf1bfe7584)},
{FIELD_LITERAL(0x0099a75e6f22999e,0x001f16454c79f659,0x00d776a37fddc812,0x0095fdd63b6b0a78,0x00d232169366e947,0x002ea77dd21e9de7,0x00e8c46e85f97a90,0x00358758651f8cd9)},
{FIELD_LITERAL(0x002b6f5036a07bdf,0x004f6940af3e2646,0x00866028f8986799,0x00838b26ccb50415,0x0010557417f00b11,0x008a3b6bc447e96b,0x003de3d035e9e0c9,0x00188fca2b6d4011)},
{FIELD_LITERAL(0x001ca4038635312b,0x0078dc75c1e01c44,0x004340f00b3100a4,0x005e63e36bf6646e,0x008e1efd4b624688,0x00a61c2ffb1525e1,0x0072587505a75b81,0x00a8637140d96e78)},
{FIELD_LITERAL(0x004a7c41ffac8a41,0x005bf37075b1c20b,0x00c053b570a42408,0x002bb7e278d328e7,0x00b2378b63245100,0x003318bf2a1a368a,0x00f4e3e0bdbe02de,0x0058921e4b1e32f8)},
{FIELD_LITERAL(0x005e93d6fa1118a0,0x0062b43515d381e2,0x002c42864052e620,0x00af258bae6ccbd3,0x00954247094d654d,0x005db01f5b010810,0x009c8cf25efa8204,0x005f73ced3714ef7)},
{FIELD_LITERAL(0x0085f89aff2cf49d,0x00f591ee8480f6f0,0x00378ed518114265,0x00f04293e2a09008,0x00c58688db9140ed,0x00e9912696399ff1,0x0055bd1b96367413,0x0023a70cf830f999)},
{FIELD_LITERAL(0x001c83772944584e,0x00c1ba881e472bcc,0x00af2715a0aef13f,0x00bd0360d25610a6,0x00c42f8b3eebebde,0x00a9e474849788b1,0x00dcd1a1a2efec5c,0x009480d34c2818c0)},
{FIELD_LITERAL(0x00b4b6e09a565d74,0x0095efcf6175aa48,0x00498defe7ae7810,0x00309b684ed26470,0x007a8873a91d4e44,0x00ea4b3f857eb27a,0x00979b8619d25a9e,0x00721a2770eeb6e9)},
{FIELD_LITERAL(0x00b422f0f4be195f,0x00e88cfa83bfa2db,0x009fd60666ea4268,0x0095a458f5e801d0,0x00b9eee6882081f6,0x00b27edb37604948,0x00a7f67c4d44d8db,0x00df840ccf290c01)},
{FIELD_LITERAL(0x00c9fed0d47c9103,0x00ba73ed9294a043,0x005cbbc928e652e1,0x0068419e98ee8215,0x00f63de63786300b,0x009aa9bb6c19f8aa,0x0066c536b573213f,0x00d2b77a5b2f2450)},
{FIELD_LITERAL(0x00810236c68d5b74,0x00d0a1af1872a011,0x007f23ee29e3801a,0x009a55a678f8dba4,0x0065445dcff9be40,0x00f3978789a9abc5,0x00001f010d23f5e8,0x00ff80042934b0c5)},
{FIELD_LITERAL(0x00a6749f4b3f9745,0x003ab85f4180e502,0x006a7de9b530ed50,0x0050b5353b0441bf,0x00a093583ac6ede4,0x00c4918ad1406299,0x000f75cf2a353a2b,0x001c6644a0683a56)},
{FIELD_LITERAL(0x00e8694156c09bfe,0x00f6f3a5bd17ad96,0x0098dbed45edad12,0x00edfe2b84921821,0x0097884330199b67,0x004aab02685b3e9e,0x0068ac0bd2453c30,0x00167c1c1c87d8f5)},
{FIELD_LITERAL(0x008bba5fbf63f599,0x0059a3c960c7d63f,0x00ce2db75b08b7d9,0x0097e80cb2104171,0x009b68be26a140d0,0x002b9b9954e94c68,0x00023ca8fc411beb,0x00cbc4bcccbada07)},
{FIELD_LITERAL(0x0053c100e77b678d,0x000f115c400fa96f,0x005928d3de22afa2,0x00e47cd9bdbdbe96,0x00597ecfe84abf19,0x0058bb428e4c7a32,0x00dd582f76ecf584,0x00b1211365eccb79)},
{FIELD_LITERAL(0x00dbfb9a00a58e68,0x004468189350d82f,0x00b4b12407ee92c6,0x00e27a7908f73455,0x00f071170071b5ae,0x00221a5e6ba229dd,0x001903e3f6a81f83,0x00be36325402775f)},
{FIELD_LITERAL(0x004d298d6e691756,0x00775644dfce310b,0x00a861887823ea98,0x00cf0b6014fa6e6f,0x005f4e296380826f,0x00bf423392627f90,0x002893bfc8122f6a,0x00440dbc89bea228)},
{FIELD_LITERAL(0x00acbb4f40a4ab73,0x00d6a82f48fa3366,0x000a7958fc6faac2,0x008a4cdd60a7c33c,0x005e5587dd8b6f1a,0x00e40f63086a88e8,0x0030940cbbcda0ad,0x009a42e3dc35c130)},
{FIELD_LITERAL(0x00d37716cad825f1,0x00883870cba9552a,0x008ef785f5c762e3,0x006cb253e0469242,0x007b8f17fee9d967,0x00a43de6932b52b6,0x001aca9fe2af783c,0x008967778ff0b680)},
{FIELD_LITERAL(0x006400c4cdc6c9c3,0x001e8c978691083f,0x00ad74f01f68e0c5,0x00f7feb0372b5f6a,0x002f60d175ade13a,0x0098ec54a221a678,0x00fcfea8a71f244e,0x00dea6660e45ded2)},
{FIELD_LITERAL(0x002585b4aa8d6752,0x00e62da7615a2089,0x0010c1c741f39b68,0x00569bb1eced9f65,0x00ba6d09e4daa724,0x007d3e20aef281b9,0x00bd7f65aca3ffdc,0x00dea434a50288a8)},
{FIELD_LITERAL(0x007ba92a2489170f,0x00cd356354d31e9c,0x00a60d47406e5430,0x009c3d5fde8ed877,0x00079eaa50dd08d1,0x0024674d593ffa5f,0x005391be9596c53b,0x00856ca8d50acdd9)},
{FIELD_LITERAL(0x00d4620aa5e5bdec,0x002303c4b9b5d941,0x003b061f857ebb2a,0x00371f9e856d49fd,0x0071c36c5335051e,0x0040e4346a4d359f,0x00b31dbd959ec40c,0x00d99353a71bf6de)},
{FIELD_LITERAL(0x0078898adf0f21dd,0x006e09bfedd8604a,0x00efaf0e0f9bb666,0x00b0f685db8852c3,0x0094c86ec566b841,0x00e5c2879ba50dbe,0x00a87cd444cff758,0x00d3e26fd47f23df)},
{FIELD_LITERAL(0x00b82c07fb1854f8,0x0057f654a06fad9f,0x004c00383250cf92,0x008b91713d291af6,0x002f2521777859b9,0x00533111421f22c8,0x00643da86fab9794,0x00dc7fb0680e3d40)},
{FIELD_LITERAL(0x00e59ffd40e87788,0x006431e9755a50af,0x00a03ce700fb580a,0x00ad7e70aa3c9b9e,0x0078970a2b4db503,0x00c800451849637a,0x00e7e6a5b49e123f,0x00e1ed15f77bcb4d)},
{FIELD_LITERAL(0x00bc1d1d1af47f28,0x00ebc5501bbd81f0,0x00aa6b5513547aa4,0x0074ed33551343fe,0x00d2114f6ef7d43b,0x006335b41d518aeb,0x00ebd46919692fb8,0x0052d5d4e3fada95)},
{FIELD_LITERAL(0x00ebfc9f489799a4,0x00497535b6980688,0x00fef76499e6a51b,0x00018eedde7a18da,0x00f435d9e72b69c7,0x005ab0faa8281675,0x003232d06e290be8,0x005473ec8be0286c)},
{FIELD_LITERAL(0x00c6eb0d0ebb4874,0x00856a2274119097,0x00380bc7b29e3719,0x00b1ae149f0e424d,0x0009b41855b9de26,0x0098684013d0f53f,0x0082e8554c38a6ff,0x00e76c18c353743a)},
{FIELD_LITERAL(0x008da1194e1ab61f,0x008edb5f89688805,0x00f4970252f851bd,0x007a46f632b6ad20,0x006d2d1c37e9f90a,0x0060dd09353f665f,0x000a625a80d86657,0x000f93f6fedd0888)},
{FIELD_LITERAL(0x003b019b31992fb4,0x004f6a2ad1f64c28,0x008a744134e5c571,0x000ca33172f9af3f,0x00d478755a67bb8b,0x009d1f5c48abb223,0x004da4d6f12ee901,0x0084f09541f4140d)},
{FIELD_LITERAL(0x0031f412f5cacd43,0x00e5afb75dd20e94,0x001ce24b3452740e,0x00176d6dedf30ff1,0x0082e22e564fffca,0x001d56fbe007097f,0x0095b37c851a6918,0x008ec50ef97f8f4c)},
{FIELD_LITERAL(0x007e2b1c52251f57,0x00cbef37c9380033,0x0037ed652761bceb,0x00f1c2a5dc6dd232,0x0026e1b90d63ce0b,0x00938d732173a6b8,0x00d439aa45da993f,0x00d356b8deaccef7)},
{FIELD_LITERAL(0x00ed32377f56c67d,0x00c3b6a4de32e4a7,0x00481a36c0dd5d91,0x00bb557d20466ba7,0x00645f6d3200163e,0x005eb4c54df7c48c,0x00fd8e3d08f1e3b4,0x001156353f099147)},
{FIELD_LITERAL(0x00ae1b4c089b2756,0x00e686d2b916fb5f,0x007ac43ec2437dd8,0x00f7bfdf7e860ed2,0x0097dbcb8b786dc9,0x00ec7a90401c8b2f,0x00425ed017989bdb,0x00444bc9ca6d914d)},
{FIELD_LITERAL(0x00e5e7b83b53ab7f,0x004e4bed6ca44fc5,0x0008bd7a67c40d4d,0x009dbec74a4a2f0e,0x0077df3f4fc2c73f,0x0046b1af5e73ea8d,0x009f096cb7be8670,0x003ad0a29929141d)},
{FIELD_LITERAL(0x00991a1222e9b2e1,0x00be7583901d7dc7,0x00fd1d0c8169d3da,0x000fe0a94a68acf9,0x00b77bd05afc78a2,0x00a84f1697f87ebc,0x000097cfdb0c2ecb,0x007d51d70352ed1b)},
{FIELD_LITERAL(0x0025dc2a60643159,0x001f0d8ff85f95b4,0x00ed74a4bc598a73,0x00f30afe6f0574a9,0x0003788545d4d28c,0x009dc410ad120ac0,0x001950947e69961d,0x001ceb23cb0355b0)},
{FIELD_LITERAL(0x00ee2202ded9f1bd,0x002fa4fce658976d,0x00e7c15bc9716470,0x004f7ea99d500369,0x004b995a18318376,0x00246c4f8af91911,0x00cc77a07d09dbfe,0x007906f6f1364be6)},
{FIELD_LITERAL(0x003c97e6384da36e,0x00423d53eac81a09,0x00b70d68f3cdce35,0x00ee7959b354b92c,0x00f4e9718819c8ca,0x009349f12acbffe9,0x005aee7b62cb7da6,0x00d97764154ffc86)},
{FIELD_LITERAL(0x00d95d1c5fcb435a,0x0016d1ed6b5086f9,0x00792aa0b7e54d71,0x0067b65715f1925d,0x00a219755ec6176b,0x00bc3f026b12c28f,0x00700c897ffeb93e,0x0089b83f6ec50b46)},
{FIELD_LITERAL(0x00ad9cdb4544b923,0x00d11664c7284061,0x00815ae86b8f910b,0x005414fb2591c3c6,0x0094ba83e2d7ef9e,0x0001dbc16599386c,0x00c8721f0493911b,0x00c1be6b463c346c)},
{FIELD_LITERAL(0x0079680ce111ed3b,0x001a1ed82806122c,0x000c2e7466d15df3,0x002c407f6f7150fd,0x00c5e7c96b1b0ce3,0x009aa44626863ff9,0x00887b8b5b80be42,0x00b6023cec964825)},
{FIELD_LITERAL(0x00fed3cd80ca2292,0x0015b043a73ca613,0x000a9fd7bf9be227,0x003b5e03de2db983,0x005af72d46904ef7,0x00c0f1b5c49faa99,0x00dc86fc3bd305e1,0x00c92f08c1cb1797)},
{FIELD_LITERAL(0x001b571efb768f37,0x009d778487cf5cfd,0x00430e37327ebfd4,0x00a92447e5970a41,0x00eb13127c0edbac,0x00ec61e5aefeaf20,0x00447eebf57d2e5c,0x00f01433e550e558)},
{FIELD_LITERAL(0x0039dd7ce7fc6860,0x00d64f6425653da1,0x003e037c7f57d0af,0x0063477a06e2bcf2,0x001727dbb7ac67e6,0x0049589f5efafe2e,0x00fc0fef2e813d54,0x008baa5d087fb50d)},
{FIELD_LITERAL(0x00a7527958238159,0x0013ec9537a84cd6,0x001d7fee7d562525,0x00b9eefa6191d5e5,0x00dbc97db70bcb8a,0x00481affc7a4d395,0x006f73d3e70c31bb,0x00183f324ed96a61)},
{FIELD_LITERAL(0x00db04a6264ba838,0x00582b1f9fddc1b3,0x003ee72e4aaa027f,0x007d1de938cd0dd5,0x0032d5d66cf76afa,0x00c9c717c95c1ec2,0x00f27aa11764b8d6,0x00713a482b7ef36e)},
{FIELD_LITERAL(0x00ece96f95f2b66f,0x00ece7952813a27b,0x0026fc36592e489e,0x007157d1a2de0f66,0x00759dc111d86ddf,0x0012881e5780bb0f,0x00c8ccc83ad29496,0x0012b9bd1929eb71)},
{FIELD_LITERAL(0x001bf51f7d65cdfd,0x00d14cdafa16a97d,0x002c38e60fcd10e7,0x00a27446e393efbd,0x000b5d8946a71fdd,0x0063df2cde128f2f,0x006c8679569b1888,0x0059ffc4925d732d)},
{FIELD_LITERAL(0x00f05ea5df25a20f,0x00cb6224e5b932ce,0x00d3aed52e2718d9,0x00fb89ee0996ce72,0x006197045a6e1e80,0x00bcdf20057fc6f9,0x0059bf78b6ae5c2c,0x0049cacb87455db0)},
{FIELD_LITERAL(0x006a15bb20f75c0c,0x0079a144027a5d0c,0x00d19116ce0b4d70,0x0059b83bcb0b268e,0x005f58f63f16c127,0x0079958318ee2c37,0x00defbb063d07f82,0x00f1f0b931d2d446)},
{FIELD_LITERAL(0x009696510000d333,0x00ec2f788bc04826,0x000e4d02b1f67ba5,0x00659aa8dace08b6,0x00d7a38a3a3ae533,0x008856defa8c746b,0x004d7a4402d3da1a,0x00ea82e06229260f)},
{FIELD_LITERAL(0x0034a1b3c3ca2bdd,0x0072077a35bca880,0x0005af4e935c1b8e,0x00a5f1a71e8b7737,0x004d3133292cb2e5,0x000fe2a2dca1c916,0x0024d181b41935bb,0x00d9f54880ca0332)},
{FIELD_LITERAL(0x009ffd90abfeae96,0x00cba3c2b624a516,0x005ef08bcee46c91,0x00e6fde30afb6185,0x00f0b4db4f818ce4,0x006c54f45d2127f5,0x00040125035854c7,0x00372658a3287e13)},
{FIELD_LITERAL(0x006f6fd9baac61d5,0x002a7710a020a895,0x009de0db7fc03d4d,0x00cdedcb1875f40b,0x00050caf9b6b1e22,0x005e3a6654456ab0,0x00775fdf8c4423d4,0x0028701ea5738b5d)},
{FIELD_LITERAL(0x0028f8f04e414d54,0x0087037ba56c7694,0x00976b5b4d0ddb59,0x00a4227e6d462421,0x004c77c678b4c560,0x0006c9e74fb485a8,0x00c1c138a02d3981,0x0040a19403d6b6b5)},
{FIELD_LITERAL(0x0045e8dda9400888,0x002ff12e5fc05db7,0x00a7098d54afe69c,0x00cdbe846a500585,0x00879c1593ca1882,0x003f7a7fea76c8b0,0x002cd73dd0c8e0a1,0x00645d6ce96f51fe)},
{FIELD_LITERAL(0x00f19224ebba2aa5,0x0074f89d358e694d,0x00eea486597135ad,0x0081579a4555c7e1,0x0010b9b872930a9d,0x00f002e87a30ecc0,0x009b9d66b6de56e2,0x00a3c4f45e8004eb)},
{FIELD_LITERAL(0x00d4817c1edc2929,0x00c67cb908be637f,0x00bd6dd1aa6bfe9c,0x00a1803a9fe7795c,0x001770d311e2cefb,0x0018054eca0d1c88,0x004fa667b240f212,0x00f631f7f055a447)},
{FIELD_LITERAL(0x00f89335c2a59286,0x00a0f5c905d55141,0x00b41fb836ee9382,0x00e235d51730ca43,0x00a5cb37b5c0a69a,0x009b966ffe136c45,0x00cb2ea10bf80ed1,0x00fb2b370b40dc35)},
{FIELD_LITERAL(0x0085e78af7758979,0x00275a4ee1631a3a,0x00d26bc0ed78b683,0x004f8355ea21064f,0x00d618e1a32696e5,0x008d8d7b150e5680,0x00a74cd854b278d2,0x001dd62702203ea0)},
{FIELD_LITERAL(0x0029782e92b11745,0x008eadf422f96200,0x00217a39f2cdcaa2,0x00782d1ca9aefd0b,0x00321c6e47203654,0x001e72961020101a,0x00b562fa6e6ab16e,0x0005c92274af111a)},
{FIELD_LITERAL(0x006bc3d53011f470,0x00032d6e692b83e8,0x00059722f497cd0b,0x0009b4e6f0c497cc,0x0058a804b7cce6c0,0x002b71d3302bbd5d,0x00e2f82a36765fce,0x008dded99524c703)},
{FIELD_LITERAL(0x002e788749a865f7,0x006e4dc3116861ea,0x009f1428c37276e6,0x00e7d2e0fc1e1226,0x003aeebc6b6c45f6,0x0071a8073bf500c9,0x004b22ad986b530c,0x00f439e63c0d79d4)},
{FIELD_LITERAL(0x00b2fa76ac8b829b,0x008fe6bf01865590,0x0059df538e389f40,0x006acd49eeea748a,0x00ab81280b990cfe,0x00c34a54ac57bfe5,0x003889ce9731cedf,0x0081b71cc1b4654d)},
{FIELD_LITERAL(0x002f194eaafa46dc,0x008e38f57fe87613,0x00dc8e5ae25f4ab2,0x000a17809575e6bd,0x00d3ec7923ba366a,0x003a7e72e0ad75e3,0x0010024b88436e0a,0x00ed3c5444b64051)},
{FIELD_LITERAL(0x001b2fc57bf3c738,0x006a3f918993fb80,0x0026f7a14fdec288,0x0075a2cdccef08db,0x00d3ecbc9eecdbf1,0x0048c40f06e5bf7f,0x00d63e423009896b,0x000598bc99c056a8)},
{FIELD_LITERAL(0x007ce03ecbf50cbd,0x00369ba996b992ca,0x00896d4b33a5f7f0,0x00602b5b8536da60,0x00e1122082ba6d73,0x00c3fbb903ba0d74,0x00d3f8ec55c1daf8,0x006a8f96ca0f0be1)},
{FIELD_LITERAL(0x001fb73475c45509,0x00d2b2e5ea43345a,0x00cb3c3842077bd1,0x0029f90ad820946e,0x007c11b2380778aa,0x009e54ece62c1704,0x004bc60c41ca01c3,0x004525679a5a0b03)},
{FIELD_LITERAL(0x00766ae4190ec6d8,0x0065768cabc71380,0x00b902598416cdc2,0x00380021ad38df52,0x008f0b89d6551134,0x004254d4cc62c5a5,0x000d79f4484b9b94,0x00b516732ae3c50e)},
{FIELD_LITERAL(0x0039b0422412784c,0x00bf9fe2ee8ce055,0x0063ddb8a4906298,0x00db48625178a0ea,0x009e9012c0fd3c4e,0x00ff30c60950d2c4,0x003b9453f5565977,0x0054dc1d7ff25dfb)},
{FIELD_LITERAL(0x0017085f4a346148,0x00c7cf7a37f62272,0x001776e129bc5c30,0x009955134c9eef2a,0x001ba5bdf1df07be,0x00ec39497103a55c,0x006578354fda6cfb,0x005f02719d4f15ee)},
{FIELD_LITERAL(0x000b3a37617632b0,0x00597199fe1cfb6c,0x0042a7ccdfeafdd6,0x004cc9f15ebcea17,0x00f436e596a6b4a4,0x00168861142df0d8,0x000753edfec26af5,0x000c495d7e388116)},
{FIELD_LITERAL(0x00ad46264a269aa2,0x002b13845e4b9e3c,0x0006a20b68b0d7f4,0x00c271a35ee514ae,0x002b67e14a58f4d8,0x00f5065b099a60d6,0x00ba6737b90514bc,0x00b6265e7c5b898f)},
{FIELD_LITERAL(0x00b60167d9e7d065,0x00e60ba0d07381e8,0x003a4f17b725c2d4,0x006c19fe176b64fa,0x003b57b31af86ccb,0x0021047c286180fd,0x00bdc8fb00c6dbb6,0x00fe4a9f4bab4f3f)},
{FIELD_LITERAL(0x000a72d23dcb3f1f,0x00a3737f84011727,0x00f870c0fbbf4a47,0x00a7aadd04b5c9ca,0x000c7715c67bd072,0x00015a136afcd74e,0x0080d5caea499634,0x0026b448ec7514b7)},
{FIELD_LITERAL(0x0077003c5e9eee08,0x006eaa1bdba2f437,0x007ae297ddfa8d2a,0x00aa8531e1aeb2d6,0x00ce283cc626efdc,0x00efe2f51d153115,0x00db954c07c84995,0x002ade92c7e00acf)},
{FIELD_LITERAL(0x00a6295218dc136a,0x00563b3af0e9c012,0x00d3753b0145db1b,0x004550389c043dc1,0x00ea94ae27401bdf,0x002b0b949f2b7956,0x00c63f780ad8e23c,0x00e591c47d6bab15)},
{FIELD_LITERAL(0x0057e7ea35f36dae,0x00f47d7ad15de22e,0x00d757ea4b105115,0x008311457d579d7e,0x00b49b75b1edd4eb,0x0081c7ff742fd63a,0x00ddda3187433df6,0x00475727d55f9c66)},
{FIELD_LITERAL(0x00be93a7d4fa7149,0x00bef825a4d3396a,0x004c32daa951139b,0x003f4be7d981a85e,0x00e866d6ca8642d0,0x00b912bba6f1b2f8,0x00e28ba64c9cf5e1,0x0039504574996955)},
{FIELD_LITERAL(0x002419222c607674,0x00a7f23af89188b3,0x00ad127284e73d1c,0x008bba582fae1c51,0x00fc6aa7ca9ecab1,0x003df5319eb6c2ba,0x002a05af8a8b199a,0x004bf8354558407c)},
{FIELD_LITERAL(0x008d6009b26da3f8,0x00898e88ca06b1ca,0x00edb22b2ed7fe62,0x00fbc93516aabe80,0x008b4b470c42ce0d,0x00e0032ba7d0dcbb,0x00d76da3a956ecc8,0x007f20fe74e3852a)},
{FIELD_LITERAL(0x003182b5cf0f0340,0x002fd3d8d9d60fc2,0x00b73ffe08bff43d,0x00d3dec97fee6a72,0x00675aafc6e16949,0x00d27f499c6f0c86,0x00e0578789f3387a,0x00e52031ab49ec2a)},
{FIELD_LITERAL(0x006b7a0674f9f8de,0x00a742414e5c7cff,0x0041cbf3c6e13221,0x00e3a64fd207af24,0x0087c05f15fbe8d1,0x004c50936d9e8a33,0x001306ec21042b6d,0x00a4f4137d1141c2)},
{FIELD_LITERAL(0x001ed4dc71fa2523,0x005d0bff19bf9b5c,0x00c3801cee065a64,0x001ed0b504323fbf,0x0003ab9fdcbbc593,0x00df82070178b8d2,0x00a2bcaa9c251f85,0x00c628a3674bd02e)},
{FIELD_LITERAL(0x00f619046dea974f,0x004c39fedfde6ee7,0x00d593cb9f22afc5,0x00624e10ee9ab4ab,0x009c1b40f41869fd,0x0098f2cb44da6d46,0x002311d093becf31,0x004d97d1771880ab)},
{FIELD_LITERAL(0x00ddbe0750dd1add,0x004b3c7b885844b8,0x00363e7ecf12f1ae,0x0062e953e6438f9d,0x0023cc73b076afe9,0x00b09fa083b4da32,0x00c7c3d2456c541d,0x005b591ec6b694d4)},
{FIELD_LITERAL(0x000d5b4b3da135ab,0x00838f3e5064d81d,0x00d44eb50f6d94ed,0x0008931ab502ac6d,0x00debe01ca3d3586,0x0025c206775f0641,0x005ad4b6ae912763,0x007e2c318ad8f247)},
{FIELD_LITERAL(0x00d79a91e629d030,0x00ad5b50fc20eb72,0x00edd89a222eb1bd,0x000ddad6fb098ea8,0x00b8be69a49c90c4,0x009bbe2d69ecd346,0x00a1def906a95a48,0x00db8fd6a6d2cca3)},
{FIELD_LITERAL(0x00c41d1f9c1f1ac1,0x007b2df4e9f19146,0x00b469355fd5ba7a,0x00b5e1965afc852a,0x00388d5f1e2d8217,0x0022079e4c09ae93,0x0014268acd4ef518,0x00c1dd8d9640464c)},
{FIELD_LITERAL(0x003fe038eb92f894,0x000e6da1b72e8e32,0x003a1411bfcbe0fa,0x00b55d473164a9e4,0x00b9a775ac2df48d,0x0002ddf350659e21,0x00a279a69eb19cb3,0x00f844eab25cba44)},
{FIELD_LITERAL(0x00c7ad952112f3aa,0x00229739f81c017a,0x0008b9222b75a2a8,0x00bd0d6ad469c483,0x00e344297892a13c,0x00a1cbeb8f435a3d,0x0078e2be1f7a0bec,0x001ac54f670ba8cd)},
{FIELD_LITERAL(0x00adb2c1566e8b8f,0x0096c68a35771a9a,0x00869933356f334a,0x00ba9c93459f5962,0x009ec73fb6e8ca4b,0x003c3802c27202e1,0x0031f5b733e0c008,0x00f9058c19611fa9)},
{FIELD_LITERAL(0x004d51124797c831,0x008f5ae3750347ad,0x0070ced94c1a0c8e,0x00f6db2043898e64,0x000d00c9a5750cd0,0x000741ec59bad712,0x003c9d11aab37b7f,0x00a67ba169807714)},
{FIELD_LITERAL(0x00dc70fe7eb5cbde,0x003cda5bb49331d7,0x00dec9068514f18c,0x00f3537d975b501d,0x00dd02de725b8e4b,0x0062327200072106,0x0034607e7e266644,0x00ebc51a91215cb6)},
{FIELD_LITERAL(0x00a5187e6ee7341b,0x00e6d52e82d83b6e,0x00df3c41323094a7,0x00b3324f444e9de9,0x00689eb21a35bfe5,0x00f16363becd548d,0x00e187cc98e7f60f,0x00127d9062f0ccab)},
{FIELD_LITERAL(0x0000623bf87622c5,0x00a1966fdd069496,0x00c315b7b812f9fc,0x00bdf5efcd128b97,0x001d464f532e3e16,0x003cd94f081bfd7e,0x00ed9dae12ce4009,0x002756f5736eee70)},
{FIELD_LITERAL(0x00b528e4ce3d61bf,0x005a03531ed051d6,0x00bbda4aa68d7f12,0x001810a28e93ccb9,0x00ef4ac525bef536,0x006dcefdd9f9f364,0x006e3d9ed78d6381,0x00774bd6ff0713c4)},
{FIELD_LITERAL(0x00c13c5aae3ae341,0x009c6c9ed98373e7,0x00098f26864577a8,0x0015b886e9488b45,0x0037692c42aadba5,0x00b83170b8e7791c,0x001670952ece1b44,0x00fd932a39276da2)},
{FIELD_LITERAL(0x00f1e26e9762d4a8,0x00d9d74082183414,0x00ffec9bd57a0282,0x000919e128fd497a,0x00ab7ae7d00fe5f8,0x0054dc442851ff68,0x00c9ebeb3b861687,0x00507f7cab8b698f)},
{FIELD_LITERAL(0x007e5cda6410cc67,0x00ab7f000be9ef84,0x0031b09f82de4167,0x00c003f7b4be2064,0x00bc2f44effafd2d,0x0013ca0a8a45cd9e,0x0035e70988cff10c,0x001744f57d827ab7)},
{FIELD_LITERAL(0x009ae3b93a56c404,0x004a410b7a456699,0x00023a619355e6b2,0x009cdc7297387257,0x0055b94d4ae70d04,0x002cbd607f65b005,0x003208b489697166,0x00ea2aa058867370)},
{FIELD_LITERAL(0x00df76b3328ada72,0x002e20621604a7c2,0x00f910638a105b09,0x00ef4724d96ef2cd,0x00377d83d6b8a2f7,0x00b4f48805ade324,0x001cd5da8b152018,0x0045af671a20ca7f)},
{FIELD_LITERAL(0x000d62da6711c0cd,0x004b53ac7a27d523,0x0089cc150fb20e64,0x0055d2c2883154fe,0x00b5dcfd03448874,0x006d80dda2a505cb,0x00b57162afb80dc8,0x007ddb5162431acf)},
{FIELD_LITERAL(0x00c845923c084294,0x00072419a201bc25,0x0045f408b5f8e669,0x00e9d6a186b74dfe,0x00e19108c68fa075,0x0017b91d874177b7,0x002f0ca2c7912c5a,0x009400aa385a90a2)},
{FIELD_LITERAL(0x001cf640859b02f8,0x00758d1d5d5ce427,0x00763c784ef4604c,0x005fa81aee205270,0x00ac537bfdfc44cb,0x004b919bd342d670,0x00238508d9bf4b7a,0x00154888795644f3)},
{FIELD_LITERAL(0x008eeef4feb7de7b,0x003012ffbb0d4107,0x00cb0d6fe30b99d1,0x00c4b51d598067cb,0x003356469016b7ee,0x00addaf85188542f,0x004538bdd8de18c1,0x00999dd4f0c59d4f)},
{FIELD_LITERAL(0x0026ef1614e160af,0x00c023f9edfc9c76,0x00cff090da5f57ba,0x0076db7a66643ae9,0x0019462f8c646999,0x008fec00b3854b22,0x00d55041692a0a1c,0x0065db894215ca00)},
{FIELD_LITERAL(0x00f8ac5cf4705b6a,0x00867d82dcb457e3,0x007e13ab2ccc2ce9,0x009ee9a018d3930e,0x008370f8ecb42df8,0x002d9f019add263e,0x003302385b92d196,0x00a15654536e2c0c)},
{FIELD_LITERAL(0x0056dafc91f5bae3,0x00d5fc6f3c94933e,0x000d8fdf26f76b0b,0x00726f2ad342c280,0x001e2fec8c6d0c46,0x000fe83ea74ae570,0x00353cec2c128243,0x0046657e1c14bd2c)},
{FIELD_LITERAL(0x008cc9cd236315c0,0x0031d9c5b39fda54,0x00a5713ef37e1171,0x00293d5ae2886325,0x00c4aba3e05015e1,0x0003f35ef78e4fc6,0x0039d6bd3ac1527b,0x0019d7c3afb77106)},
{FIELD_LITERAL(0x00b54850275fe626,0x0053a3fd1ec71140,0x00e3d2d7dbe096fa,0x00e4ac7b595cce4c,0x0077bad449c0a494,0x00b7c98814afd5b3,0x0057226f58486cf9,0x00b1557154f0cc57)},
{FIELD_LITERAL(0x0084e9d6ce567a50,0x0052bf5d1f2558ec,0x00920d83bff60ee7,0x00afc160b1d17413,0x008ae58837d3e7d1,0x00fd676c8896dba4,0x00004e170540611a,0x00f7ccb8f91f6541)},
{FIELD_LITERAL(0x004246bfcecc627a,0x004ba431246c03a4,0x00bd1d101872d497,0x003b73d3f185ee16,0x001feb2e2678c0e3,0x00ff13c5a89dec76,0x00ed06042e771d8f,0x00a4fd2a897a83dd)},
{FIELD_LITERAL(0x00dbca4e98a7dcd9,0x00ee29cfc78bde99,0x00e4a3b6995f52e9,0x0045d70189ae8096,0x00fd2a8a3b9b0d1b,0x00af1793b107d8e1,0x00dbf92cbe4afa20,0x00da60f798e3681d)},
{FIELD_LITERAL(0x0065b5c41af29a68,0x0021ce9a03a5ef69,0x00b0c0a91cba4f38,0x0008408de2a54743,0x00bcec1b84f673ae,0x001b382a3f1e5244,0x00d1c1c24c9afae1,0x005b7f3d32956904)},
{FIELD_LITERAL(0x004ede34af2813f3,0x00d4a8e11c9e8216,0x004796d5041de8a5,0x00c4c6b4d21cc987,0x00e8a433ee07fa1e,0x0055720b5abcc5a1,0x008873ea9c74b080,0x005b3fec1ab65d48)},
{FIELD_LITERAL(0x00417fa30a7119ed,0x00af257758419751,0x00d358a487b463d4,0x0089703cc720b00d,0x00ce56314ff7f271,0x0064db171ade62c1,0x00640b36d4a22fed,0x00424eb88696d23f)},
{FIELD_LITERAL(0x00b81ad88248f13a,0x00f5f69399248294,0x004be9b33e8cfea6,0x00b56087c018df01,0x0057e8846bbb6242,0x006a5db00b65a660,0x00963e3a87daf343,0x00badfe6dec2140b)},
{FIELD_LITERAL(0x001bd59c09e982ea,0x00f72daeb937b289,0x0018b76dca908e0e,0x00edb498512384ad,0x00ce0243b6cc9538,0x00f96ff690cb4e70,0x007c77bf9f673c8d,0x005bf704c088a528)},
{FIELD_LITERAL(0x0021ce99e09ebda3,0x00fcbd9f91875ad0,0x009bbf6b7b7a0b5f,0x00388886a69b1940,0x00926a56d0f81f12,0x00e12903c3358d46,0x005dfce4e8e1ce9d,0x0044cfa94e2f7e23)},
{FIELD_LITERAL(0x006c2b9d7234cc41,0x006ad9c2ae2bda7d,0x00b64cdddba701f9,0x00180318c49ac580,0x00c35d14319f4c95,0x003a21dc65cd415b,0x009c474c28e04940,0x00c65114875e57c6)},
{FIELD_LITERAL(0x00fb22bb5fd3ce50,0x0017b48aada7ae54,0x00fd5c44ad19a536,0x000ccc4e4e55e45c,0x00fd637d45b4c3f5,0x0038914e023c37cf,0x00ac1881d6a8d898,0x00611ed8d3d943a8)},
{FIELD_LITERAL(0x007dc52da400336c,0x001fded1e15b9457,0x00902e00f5568e3a,0x00219bef40456d2d,0x005684161fb3dbc9,0x004a4e9be49a76ea,0x006e685ae88b78ff,0x0021c42f13042d3c)},
{FIELD_LITERAL(0x00a91dda62eec2d4,0x00a6b7e64d7b13e9,0x00384086b44c9969,0x008de118af683239,0x0008e416fb85d76c,0x0020945ebda9b120,0x0096a7f485e7b172,0x000fa91c7035f011)},
{FIELD_LITERAL(0x005e8694077a1535,0x008bef75f71c8f1d,0x000a7c1316423511,0x00906e1d70604320,0x003fc46c1a2ffbd6,0x00d1d5022e68f360,0x002515fba37bbf46,0x00ca16234e023b44)},
{FIELD_LITERAL(0x009df98566a18c6d,0x00cf3a200968f219,0x0044ba60da6d9086,0x00dbc9c0e344da03,0x000f9401c4466855,0x00d46a57c5b0a8d1,0x00875a635d7ac7c6,0x00ef4a933b7e0ae6)},
{FIELD_LITERAL(0x00878366a9e0b96f,0x0057a8573ea9e0d8,0x005ef206ddc3f601,0x0046756a9d1c4eab,0x00bccf478bb3c12c,0x001f97ed7f813a3b,0x001b309582460e1c,0x0026a4f760ecd5cb)},
{FIELD_LITERAL(0x00139078397030bd,0x000e3c447e859a00,0x0064a5b334c82393,0x00b8aabeb7358093,0x00020778bb9ae73b,0x0032ee94c7892a18,0x008215253cb41bda,0x005e2797593517ae)},
{FIELD_LITERAL(0x002922b39ca33eec,0x0090d12a5f3ab194,0x00ab60c02fb5f8ed,0x00188d292abba1cf,0x00e10edec9698f6e,0x0069a4d9934133c8,0x0024aac40e6d3d06,0x001702c2177661b0)},
{FIELD_LITERAL(0x007c89a5a07aa2b5,0x00ae492ecae4711d,0x00ee921ab74f0844,0x007842778fc5005f,0x006a4d33cb28022c,0x007b327e4ac0f437,0x007a9d0366acaf12,0x005c6544e6c9ae1c)},
{FIELD_LITERAL(0x0091868594265aa2,0x00797accae98ca6d,0x0008d8c5f0f8a184,0x00d1f4f1c2b2fe6e,0x0036783dfb48a006,0x008c165120503527,0x0025fd780058ce9b,0x0068beb007be7d27)},
{FIELD_LITERAL(0x0019e23f0474b114,0x00eb94c2ad3b437e,0x006ddb34683b75ac,0x00391f9209b564c6,0x00083b3bb3bff7aa,0x00eedcd0f6dceefc,0x00b50817f794fe01,0x0036474deaaa75c9)},
{FIELD_LITERAL(0x002f007755836f3d,0x004d39f2530acc6b,0x006b58d7b2699929,0x004126fdd3185e62,0x003aeaac0f32897c,0x003c0478f4edb66d,0x0072f43ac66a9364,0x0003730da744777a)},
{FIELD_LITERAL(0x0045fdc16487cda3,0x00b2d8e844cf2ed7,0x00612c50e88c1607,0x00a08aabc66c1672,0x006031fdcbb24d97,0x001b639525744b93,0x004409d62639ab17,0x00a1853d0347ab1d)},
{FIELD_LITERAL(0x003667bf998406f8,0x0000115c43a12975,0x001e662f3b20e8fd,0x0019ffa534cb24eb,0x00016be0dc8efb45,0x00ff76a8b26243f5,0x00ae20d241a541e3,0x0069bd6af13cd430)},
{FIELD_LITERAL(0x008a5e5a9140a3de,0x005c18d41653ac12,0x0010321e9d6e8f3d,0x00fbdda016e10aca,0x0077fb6038c20257,0x00b5438b7a81ed77,0x00db1dbcb9a8ce83,0x0026734c2c1aabc3)},
{FIELD_LITERAL(0x007e32c049b5c477,0x009d2bfdbd9bcfd8,0x00636e93045938c6,0x007fde4af7687298,0x0046a5184fafa5d3,0x0079b1e7f13a359b,0x00875adf1fb927d6,0x00333e21c61bcad2)},
{FIELD_LITERAL(0x00b4b53eab6bdb19,0x009b22d8b43711d0,0x00d948b9d961785d,0x00cb167b6f279ead,0x00191de3a678e1c9,0x00d9dd9511095c2e,0x00f284324cd43067,0x00ed74fa535151dd)},
{FIELD_LITERAL(0x00fb7feb08c27472,0x008a97b55f699c77,0x006d41820f923b83,0x006831432f0aa975,0x00a58ffb263b3955,0x004f13449a66db38,0x0026fccd22b6d583,0x00a803eb20eeb6c2)},
{FIELD_LITERAL(0x007df6cbb926830b,0x00d336058ae37865,0x007af47dac696423,0x0048d3011ec64ac8,0x006b87666e40049f,0x0036a2e0e51303d7,0x00ba319bd79dbc55,0x003e2737ecc94f53)},
{FIELD_LITERAL(0x0008ed8ea0ad95be,0x0041d324b9709645,0x00e25412257a19b4,0x0058df9f3423d8d2,0x00a9ab20def71304,0x009ae0dbf8ac4a81,0x00c9565977e4392a,0x003c9269444baf55)},
{FIELD_LITERAL(0x002d69008d9d8d26,0x00092f686d7030a8,0x001f19e95aa28fec,0x002150bab1261538,0x008c5a941210b26c,0x009330209036d1e6,0x0062e11ec8e58de7,0x0011c3d11bb9d27f)},
{FIELD_LITERAL(0x008132ae5c5d8cd1,0x00121d68324a1d9f,0x00d6be9dafcb8c76,0x00684d9070edf745,0x00519fbc96d7448e,0x00388182fdc1f27e,0x000235baed41f158,0x00bf6cf6f1a1796a)},
{FIELD_LITERAL(0x00437bce9bccdf9d,0x00e0c8e2f85dc0a3,0x00c91a7073995a19,0x00856ec9fe294559,0x009e4b33394b156e,0x00e245b0dc497e5c,0x006a54e687eeaeff,0x00f1cd1cd00fdb7c)},
{FIELD_LITERAL(0x00d523b4b2eb7de6,0x00cf7b525f2c56f5,0x00b9217554f0d1b1,0x00bad2cbd5984a02,0x002b4af0fe2b21dd,0x002492603f310486,0x0073e7b3795b9d32,0x001e837c89b2bd25)},
{FIELD_LITERAL(0x00ce382dc7993d92,0x00021153e938b4c8,0x00096f7567f48f51,0x0058f81ddfe4b0d5,0x00cc379a56b355c7,0x002c760770d3e819,0x00ee22d1d26e5a40,0x00de6d93d5b082d7)},
{FIELD_LITERAL(0x007b2743b9a1e01a,0x007847ffd42688c4,0x006c7844d610a316,0x00f0cb8b250aa4b0,0x00a19060143b3ae6,0x0014eb10b77cfd80,0x000170905729dd06,0x00063b5b9cd72477)},
{FIELD_LITERAL(0x00f56e5bd3ad1fa9,0x00e7a09488031815,0x00f7fc3ae69d094a,0x00ddad7a7d45a9c2,0x00bc07fbf167a928,0x007a5d6137e0479f,0x00a0659eeab60a00,0x003e068b1342b4f9)},
{FIELD_LITERAL(0x00ffc5c89d2b0cba,0x00d363d42e3e6fc3,0x0019a1a0118e2e8a,0x00f7baeff48882e1,0x001bd5af28c6b514,0x0055476ca2253cb2,0x00d8eb1977e2ddf3,0x00b173b1adb228a1)},
{FIELD_LITERAL(0x005b64c6fd65ec97,0x00c1fdd7f877bc7f,0x000d9cc6c89f841c,0x005c97b7f1aff9ad,0x0075e3c61475d47e,0x001ecb1ba8153011,0x00fe7f1c8d71d40d,0x003fa9757a229832)},
{FIELD_LITERAL(0x000d346622f528f8,0x001e1f7497a62227,0x00fff70d2f9af433,0x002812c6d079ea3c,0x006898af56b25d7f,0x00c17c44f1349645,0x00207172ea3eb539,0x000608e8bd6a263d)},
{FIELD_LITERAL(0x002389319450f9ba,0x003677f31aa1250a,0x0092c3db642f38cb,0x00f8b64c0dfc9773,0x00cd49fe3505b795,0x0068105a4090a510,0x00df0ba2072a8bb6,0x00eb396143afd8be)},
{FIELD_LITERAL(0x00f11cc8e0e70bcb,0x00e5dc689974e7dd,0x0014e409f9ee5870,0x00826e6689acbd63,0x008a6f4e3d895d88,0x00b26a8da41fd4ad,0x000fb7723f83efd7,0x009c749db0a5f6c3)},
{FIELD_LITERAL(0x005f2b1304db3200,0x0022507ff7459b86,0x000f4c1c92b4f0bb,0x00c8cb42c50e0eb9,0x004781d1038aad80,0x002dcf20aa2254af,0x00d9ecda851a93e2,0x0043f6b92eca6cb2)},
{FIELD_LITERAL(0x0067f8f0c4fe26c9,0x0079c4a3cc8f67b9,0x0082b1e62f23550d,0x00f2d409caefd7f5,0x0080e67dcdb26e81,0x0087ae993ea1f98a,0x00aa108becf61d03,0x001acf11efb608a3)},
{FIELD_LITERAL(0x00468711bd994651,0x0033108fa67561bf,0x0089d760192a54b4,0x00adc433de9f1871,0x000467d05f36e050,0x007847e0f0579f7f,0x00a2314ad320052d,0x00b3a93649f0b243)},
{FIELD_LITERAL(0x007dda014454af26,0x000c49fa1b22df7c,0x005cd4d7e761dc2d,0x002af81a1a14b368,0x00a5e57b1cfd7ddf,0x00f90ab3e3a0f738,0x005cb83734d7bc0f,0x00f608c16abb405a)},
{FIELD_LITERAL(0x00e828333c297f8b,0x009ef3cf8c3f7e1f,0x00ab45f8fff31cb9,0x00c8b4178cb0b013,0x00d0c50dd3260a3f,0x0097126ac257f5bc,0x0042376cc90c705a,0x001d96fdb4a1071e)},
{FIELD_LITERAL(0x006c59c9ae744185,0x009fc32f1b4282cd,0x004d6348ca59b1ac,0x00105376881be067,0x00af4096013147dc,0x004abfb5a5cb3124,0x000d2a7f8626c354,0x009c6ed568e07431)},
{FIELD_LITERAL(0x00abd2bb27611e57,0x00cf99bd1fbbd267,0x006f7ac78d478cc7,0x00dc9d340dd23fbb,0x00d3ddd520099c46,0x009836dbb6a03486,0x00f19de267c36883,0x0020885613349904)},
{FIELD_LITERAL(0x00832d02369b482c,0x00cba52ff0d93450,0x003fa9c908d554db,0x008d1e357b54122f,0x00abd91c2dc950c6,0x007eff1df4c0ec69,0x003f6aeb13fb2d31,0x00002d6179fc5b2c)},
{FIELD_LITERAL(0x002809e4bbf1814a,0x00b9e854f9fafb32,0x00d35e67c10f7a67,0x008f1bcb76e748cf,0x004224d9515687d2,0x005ba0b774e620c4,0x00b5e57db5d54119,0x00e15babe5683282)},
{FIELD_LITERAL(0x00b9361257e36376,0x0049f348e3709d03,0x00dd0a597c455aa7,0x00078ce603320668,0x00635f64ae3195dc,0x00a4ed450b508288,0x0075b9adb5e1cc1d,0x00fca588167741f2)},
{FIELD_LITERAL(0x00a9e7730a819691,0x00d9cc73c4992b70,0x00e299bde067de5a,0x008c314eb705192a,0x00e7226f17e8a3cc,0x0029dfd956e65a47,0x0053a8e839073b12,0x006f942b2ab1597e)},
{FIELD_LITERAL(0x00a7efe46a7dbe2f,0x002f66fd55014fe7,0x006a428afa1ff026,0x0056caaa9604ab72,0x0033f3bcd7fac8ae,0x00ccb1aa01c86764,0x00158d1edf13bf40,0x009848ee76fcf3b4)},
{FIELD_LITERAL(0x00e3c287f132a1c6,0x006b0db804233a01,0x002a387902ad889b,0x00490b258b0f24d5,0x007f0e0745232a02,0x000c95c8c52d1dc4,0x0007fb060bcbc40d,0x002e50bf139dc67d)},
{FIELD_LITERAL(0x0039343746531ebe,0x00c8509d835d429d,0x00e79eceff6b0018,0x004abfd31e8efce5,0x007bbfaaa1e20210,0x00e3be89c193e179,0x001c420f4c31d585,0x00f414a315bef5ae)},
{FIELD_LITERAL(0x0082aeace5f1b144,0x00f68b3108cf4dd3,0x00634af01dde3020,0x000beab5df5c2355,0x00e8b790d1b49b0b,0x00e48d15854e36f4,0x0040ab2d95f3db9f,0x002711c4ed9e899a)},
{FIELD_LITERAL(0x0083d695db66f207,0x002a2f8ada58aa77,0x002271eec16b4818,0x008443a70141f337,0x00d60ae50640352b,0x00816cee1385490c,0x006577b21e989cbc,0x00af2a0d2317b416)},
{FIELD_LITERAL(0x0098cddc8b39549a,0x006da37e3b05d22c,0x00ce633cfd4eb3cb,0x00fda288ef526acd,0x0025338878c5d30a,0x00f34438c4e5a1b4,0x00584efea7c310f1,0x0041a551f1b660ad)},
{FIELD_LITERAL(0x005fa020cca2450a,0x00491c29db6416d8,0x0037cefe3f9f9a85,0x003d405230647066,0x0049e835f0fdbe89,0x00feb78ac1a0815c,0x00828e4b32dc9724,0x00db84f2dc8d6fd4)},
{FIELD_LITERAL(0x002808570429bc85,0x009d78dbec40c8ac,0x0052b4434bc3a7b4,0x00801b6419fe281c,0x008839a68764540a,0x0014ba034f958be4,0x00a31dbb6ec068f7,0x0077bd9bfe8c9cd9)},
{FIELD_LITERAL(0x00a0b68ec1eb72d2,0x002c03235c0d45a0,0x00553627323fe8c5,0x006186e94b17af94,0x00a9906196e29f14,0x0025b3aee6567733,0x007e0dd840080517,0x0018eb5801a4ba93)},
{FIELD_LITERAL(0x007bf562ca768d7c,0x006c1f3a174e387c,0x00f024b447fee939,0x007e7af75f01143f,0x003adb70b4eed89d,0x00e43544021ad79a,0x0091f7f7042011f6,0x0093c1a1ee3a0ddc)},
{FIELD_LITERAL(0x0028018fe84095bf,0x0091c0f9db41f3bd,0x0000445dfaca7dba,0x000603d307e6bdc6,0x00726c4c840ea4b0,0x009220d1c741716a,0x00d4918640a03006,0x0054caa25bda1d21)},
{FIELD_LITERAL(0x003973d8938971d6,0x002aca26fa80c1f5,0x00108af1faa6b513,0x00daae275d7924e6,0x0053634ced721308,0x00d2355fe0bbd443,0x00357612b2d22095,0x00f9bb9dd4136cf3)},
{FIELD_LITERAL(0x00938f97e20be973,0x0099141a36aaf306,0x0057b0ca29e545a1,0x0085db571f9fbc13,0x008b333c554b4693,0x0043ab6ef3e241cb,0x0054fb20aa1e5c70,0x00be0ff852760adf)},
{FIELD_LITERAL(0x00d400ed30a1fc5a,0x00e424e0575e6307,0x0036e3986c07b2c6,0x0007960e4d145650,0x00a643ab823cdc93,0x0026e9ee292c7976,0x001f9d2555d3fdeb,0x0012c3fb833d437d)},
{FIELD_LITERAL(0x0062dd0fb31be374,0x00fcc96b84c8e727,0x003f64f1375e6ae3,0x0057d9b6dd1af004,0x00d6a167b1103c7b,0x00dd28f3180fb537,0x004ff27ad7167128,0x008934c33461f2ac)},
{FIELD_LITERAL(0x000050d70c32b31a,0x001939d576d437b3,0x00d709e598bf9fe6,0x00a885b34bd2ee9e,0x00dd4b5c08ab1a50,0x0091bebd50b55639,0x00cf79ff64acdbc6,0x006067a39d826336)},
{FIELD_LITERAL(0x009a4b8d486fffbc,0x00458102d00ef9b4,0x00f498293b3cfdf0,0x00ed2d7b960b1b92,0x00ce3cd6c68fc137,0x004b60f431eccf99,0x00081efbe9e7e2b8,0x00a36f0ae7981133)},
{FIELD_LITERAL(0x0006918f5dfce6dc,0x00d4bf1c793c57fb,0x0069a3f649435364,0x00e89a50e5b0cd6e,0x00b9f6a237e973af,0x006d4ed8b104e41d,0x00498946a3924cd2,0x00c136ec5ac9d4f7)},
{FIELD_LITERAL(0x0051207abd179101,0x00fc2a5c20d9c5da,0x00fb9d5f2701b6df,0x002dd040fdea82b8,0x00f163b0738442ff,0x00d9736bd68855b8,0x00e0d8e93005e61c,0x00df5a40b3988570)},
{FIELD_LITERAL(0x00ee563d6f53acc9,0x00d465d2b5959acc,0x006575973bba26c8,0x00c9e4d84f81a1a3,0x00c3fbc4e8aa468a,0x0048149930eeaa11,0x008850a6f611000d,0x006709f6788337f9)},
{FIELD_LITERAL(0x00b373076597455f,0x00e83f1af53ac0f5,0x0041f63c01dc6840,0x0097dea19b0c6f4b,0x007f9d63b4c1572c,0x00e692d492d0f5f0,0x00cbcb392e83b4ad,0x0069c0f39ed9b1a8)},
{FIELD_LITERAL(0x00ab13af436bf8f4,0x000bcf0a0dac8574,0x00d50c864f705045,0x00c40e611debc842,0x0085010489bd5caa,0x007c5050acec026f,0x00f67d943c8da6d1,0x00de1da0278074c6)},
{FIELD_LITERAL(0x0079efcffed8f836,0x00604423802b5504,0x0070a6e294aab7dd,0x0020f75be15e7521,0x0062827c19bd5414,0x006738e425c48700,0x00dd37618fde0ffa,0x00bb2d65c01e1c3b)},
{FIELD_LITERAL(0x00c903ee6d825540,0x00add6c4cf98473e,0x007636efed4227f1,0x00905124ae55e772,0x00e6b38fab12ed53,0x0045e132b863fe55,0x003974662edb366a,0x00b1787052be8208)},
{FIELD_LITERAL(0x00e748cd7b5c52f2,0x00ea9df883f89cc3,0x0018970df156b6c7,0x00c5a46c2a33a847,0x00cbde395e32aa09,0x0072474ebb423140,0x00fb00053086a23d,0x001dafcfe22d4e1f)},
{FIELD_LITERAL(0x0059eb4ff288a383,0x00283876be3388ab,0x00bdd22974a2543b,0x0059eef0fe982d74,0x0097a5cf63dad778,0x004bc6002aebc99f,0x00c9a91d6118c690,0x0038364612a527ab)},
{FIELD_LITERAL(0x00006e34a35d9fbc,0x00eee4e48b2f019a,0x006b344743003a5f,0x00541d514f04a7e3,0x00e81f9ee7647455,0x005e2b916c438f81,0x00116f8137b7eff0,0x009bd3decc7039d1)},
{FIELD_LITERAL(0x0040f7e7c5b37bf2,0x0064e4dc81181bba,0x00a8767ae2a366b6,0x001496b4f90546f2,0x002a28493f860441,0x0021f59513049a3a,0x00852d369a8b7ee3,0x00dd2e7d8b7d30a9)},
{FIELD_LITERAL(0x00fa2dd90bcbeef2,0x00507d774710de2a,0x00b585ad10e7e373,0x0041f487e4b4f921,0x00191c9d8212f81d,0x001bc55cbdd8d474,0x0017954bdba8827b,0x0004d6d3a991ca44)},
{FIELD_LITERAL(0x00e38abece3c82ab,0x005a51f18a2c7a86,0x009dafa2e86d592e,0x00495a62eb688678,0x00b79df74c0eb212,0x0023e8cc78b75982,0x005998cb91075e13,0x00735aa9ba61bc76)},
{FIELD_LITERAL(0x00334f5303ea1222,0x00dfb3dbeb0a5d3e,0x002940d9592335c1,0x00706a7a63e8938a,0x005a533558bc4caf,0x00558e33192022a9,0x00970d9faf74c133,0x002979fcb63493ca)},
{FIELD_LITERAL(0x00260857d22419d7,0x005e0387d77651f0,0x008e0025ed2eb499,0x00c830b135804c2a,0x0037f43dbd3a77f6,0x008a4073d2f7379c,0x0072be0ce503ad58,0x00e6869d130c78be)},
{FIELD_LITERAL(0x00bfc5fa1e4ea21f,0x00c21d7b6bb892e6,0x00cf043f3acf0291,0x00c13f2f849b3c90,0x00d1a97ebef10891,0x0061e130a445e7fe,0x0019513fdedbf22b,0x001d60c813bff841)},
{FIELD_LITERAL(0x006e9f475cccf2ee,0x00454b9cd506430c,0x00224a4fb79ee479,0x0062e3347ef0b5e2,0x0034fd2a3512232a,0x00b8b3cb0f457046,0x00eb20165daa38ec,0x00128eebc2d9c0f7)},
{FIELD_LITERAL(0x00e6a9e38030fdec,0x001c23597bc14288,0x0097156a46356df1,0x00642048f0daca6a,0x003970a6e7955fd4,0x00a511e335e3cfc6,0x0054865756c85e31,0x00465f1ab66a6190)},
{FIELD_LITERAL(0x003e4964fa8a8fc8,0x00f6a1cdbcf41689,0x00943cb18fe7fda7,0x00606dafbf34440a,0x005d37a86399c789,0x00e79a2a69417403,0x00fe34f7e68b8866,0x0011f448ed2df10e)},
{FIELD_LITERAL(0x00c79e0b6d97dfbd,0x00917c71fd2bc6e8,0x00db7529ccfb63d8,0x00be5be957f17866,0x00a9e11fdc2cdac1,0x007b91a8e1f44443,0x00a3065e4057d80f,0x004825f5b8d5f6d4)},
{FIELD_LITERAL(0x000e0a81033e033b,0x00aec986ee821eab,0x00d1a4a48379273c,0x00609b79a9e06304,0x00e9618b4fe8f307,0x006ffdfa50b50969,0x009530224887ac0c,0x0020e7b36f0cef97)},
{FIELD_LITERAL(0x00fd579ffb691713,0x00b76af4f81c412d,0x00f239de96110f82,0x00e965fb437f0306,0x00ca7e9436900921,0x00e487f1325fa24a,0x00633907de476380,0x00721c62ac5b8ea0)},
{FIELD_LITERAL(0x00b37396c3320791,0x00fc7b67175c5783,0x00c36d2cd73ecc38,0x0080ebcc0b328fc5,0x0043a5b22b35d35d,0x00466c9f1713c9da,0x0026ad346dcaa8da,0x007c684e701183a6)},
{FIELD_LITERAL(0x003f2ab1abd14b06,0x00b129a8e8e37230,0x0048bc5b083d5c64,0x0002606c12933a98,0x00cf8051ceec1a73,0x00a755a8836c3ce6,0x002dabaa90ca4cb9,0x00b6e5525ddfc0f2)},
{FIELD_LITERAL(0x00c4a1fb48635413,0x00b5dd54423ad59f,0x009ff5d53fd24a88,0x003c98d267fc06a7,0x002db7cb20013641,0x00bd1d6716e191f2,0x006dbc8b29094241,0x0044bbf233dafa2c)},
{FIELD_LITERAL(0x00dff3103786ff34,0x000144553b1f20c3,0x0095613baeb930e4,0x00098058275ea5d4,0x007cd1402b046756,0x0074d74e4d58aee3,0x005f93fc343ff69b,0x00873df17296b3b0)},
{FIELD_LITERAL(0x00aa7c72be0ace19,0x004095d22fc37e4d,0x00a7d85f9e3b7c61,0x00ff21d344c9553c,0x00d105d6268e8b86,0x000616d733758845,0x003ecb4ba7210610,0x006a75e7dddc03b7)},
{FIELD_LITERAL(0x007860d99db787cf,0x00fda8983018f4a8,0x008c8866bac4743c,0x00ef471f84c82a3f,0x00abea5976d3b8e7,0x00714882896cd015,0x00b49fae584ddac5,0x008e33a1a0b69c81)},
{FIELD_LITERAL(0x000a9ee23c06881f,0x002c727d3d871945,0x00f47d971512d24a,0x00671e816f9ef31a,0x00883af2cfaad673,0x00601f98583d6c9a,0x00b435f5adc79655,0x00ad87b71c04bff2)},
{FIELD_LITERAL(0x0084911d36175613,0x00dbaa24427629dd,0x009b6f30b1554fc7,0x0026da093cf7ea9e,0x00eac4cfb8218c7c,0x00c4bde074231490,0x0089e5b5afb62587,0x0067fcb73adfdbcc)},
{FIELD_LITERAL(0x00eebfd4e2312cc3,0x00474b2564e4fc8c,0x003303ef14b1da9b,0x003c93e0e66beb1d,0x0013619b0566925a,0x008817c24d901bf3,0x00b62bd8898d218b,0x0075a7716f1e88a2)},
{FIELD_LITERAL(0x007f8a43da97dd5c,0x00058539c800fc7b,0x0040f3cf5a28414a,0x00d68dd0d95283d6,0x004adce9da90146e,0x00befa41c7d4f908,0x007603bc2e3c3060,0x00bdf360ab3545db)},
{FIELD_LITERAL(0x00f6de725e1976f0,0x00d96f80a02fda8a,0x00b25412a0e629fa,0x00c540e7e78fdb62,0x004ad02fb7336d3a,0x004922ae1bea5a3a,0x0026147d42d4bfeb,0x00d379a5bc4b94bc)},
{FIELD_LITERAL(0x00c338b915d8fef0,0x00a893292045c39a,0x0028ab4f2eba6887,0x0060743cb519fd61,0x0006213964093ac0,0x007c0b7a43f6266d,0x008e3557c4fa5bda,0x002da976de7b8d9d)},
{FIELD_LITERAL(0x0070047189452f4c,0x00f7ad12e1ce78d5,0x00af1ba51ec44a8b,0x005f39f63e667cd6,0x00058eac4648425e,0x00d7fdab42bea03b,0x0028576a5688de15,0x00af973209e77c10)},
{FIELD_LITERAL(0x00b78d6075749232,0x0001dc47a33b2cdc,0x0018c7b2e91b24f1,0x00b5bdc68f9876bd,0x0013f489ccba2b44,0x003b8846066128de,0x003d6252c8884dcf,0x00e3ae84b9908209)},
{FIELD_LITERAL(0x00aa2261022d883f,0x00ebcca4548010ac,0x002528512e28a437,0x0070ca7676b66082,0x0084bda170f7c6d3,0x00581b4747c9b8bb,0x005c96a01061c7e2,0x00fb7c4a362b5273)},
{FIELD_LITERAL(0x006366c380f7b574,0x001c7d1f09ff0438,0x003e20a7301f5b22,0x00d3efb1916d28f6,0x0049f4f81060ce83,0x00c69d91ea43ced1,0x002b6f3e5cd269ed,0x005b0fb22ce9ec65)},
{FIELD_LITERAL(0x003cffdf14aed2fd,0x009f0d77d7c5b2d9,0x004812ec41321d9f,0x008a1448bddf0916,0x008fef86030175df,0x00e3d703200a76c7,0x00d1babb470b2094,0x009f3a43b0e5828c)},
{FIELD_LITERAL(0x00a94700032a093f,0x0076e96c225216e7,0x00a63a4316e45f91,0x007d8bbb4645d3b2,0x00340a6ff22793eb,0x006f935d4572aeb7,0x00b1fb69f00afa28,0x009e8f3423161ed3)},
{FIELD_LITERAL(0x00ae307cf069f701,0x005859f222dd618b,0x00212d6c46ec0b0d,0x00a0fe4642afb62d,0x00420d8e4a0a8903,0x00a80ff639bdf7b0,0x0019bee1490b5d8e,0x007439e4b9c27a86)},
{FIELD_LITERAL(0x00610b6394a312e8,0x005aaa19d96160f5,0x008190e286138c4a,0x006538796a5cd53b,0x00fe28804432a97c,0x007315e011f55112,0x000bd4157d5acb9d,0x00d1b95469350336)},
{FIELD_LITERAL(0x0060db815bc4786c,0x006fab25beedc434,0x00c610d06084797c,0x000c48f08537bec0,0x0031aba51c5b93da,0x007968fa6e01f347,0x0030070da52840c6,0x00c043c225a4837f)},
{FIELD_LITERAL(0x0051cfcc5885377a,0x00dce566cb1803ca,0x00430c7643f2c7d4,0x00dce1a1337bdcc0,0x0010d5bd7283c128,0x003b1b547f9b46fe,0x000f245e37e770ab,0x007b72511f022b37)},
{FIELD_LITERAL(0x00e4302ff9b6116c,0x0092314b81d5f02a,0x000d31425f30702f,0x004946262e04213c,0x007ead9d19b6f9ed,0x001080a31ce8989f,0x001b632f36672a74,0x00a03933d9645a83)},
{FIELD_LITERAL(0x004a2902926f8d3f,0x00ad79b42637ab75,0x0088f60b90f2d4e8,0x0030f54ef0e398c4,0x00021dc9bf99681e,0x007ebf66fde74ee3,0x004ade654386e9a4,0x00e7485066be4c27)},
{FIELD_LITERAL(0x008940211aa0d633,0x00addae28136571d,0x00d68fdbba20d673,0x003bc6129bc9e21a,0x000346cf184ebe9a,0x0068774d741ebc7f,0x0019d5e9e6966557,0x0003cbd7f981b651)},
{FIELD_LITERAL(0x00bba0ed9c67c41f,0x00b30c8e225ba195,0x008bb5762a5cef18,0x00e0df31b06fb7cc,0x0018b912141991d5,0x00f6ed54e093eac2,0x0009e288264dbbb3,0x00feb663299b89ef)}
};
const gf API_NS(precomputed_wnaf_as_fe)[96]
__attribute__((aligned(32),visibility("hidden"))) = {
{FIELD_LITERAL(0x00cfc32590115acd,0x0079f0e2a5c7af1b,0x00dd94605b8d7332,0x0097dd6c75f5f3f3,0x00d9c59e36156de9,0x00edfbfd6cde47d7,0x0095b97c9f67c39a,0x007d7b90f587debc)},
{FIELD_LITERAL(0x00cfc32590115acd,0x0079f0e2a5c7af1b,0x00dd94605b8d7332,0x0017dd6c75f5f3f3,0x00d9c59e36156de8,0x00edfbfd6cde47d7,0x0095b97c9f67c39a,0x00fd7b90f587debc)},
{FIELD_LITERAL(0x001071dd4d8ae672,0x004f14ebe5f4f174,0x00e0987625c34c73,0x0092d00712c6f8c1,0x009ef424965e980b,0x00a8e0cf9369764b,0x000aa81907b4d207,0x00d5002c74d37924)},
{FIELD_LITERAL(0x00f3c4efe62b8b17,0x001e6acc1b6add7b,0x003367ef45836df5,0x000efc2d87a6ba53,0x00405a96933964ca,0x00572c2ae16357c6,0x00a9dc34ba6a7946,0x00151831e32ad161)},
{FIELD_LITERAL(0x00315f0372d1774a,0x007de9ed2960e79d,0x008b3d7c4c198add,0x00a5e6a45fa57892,0x00f32201aa80115a,0x007fb9386a433a1a,0x00abf6960b291ee6,0x002d8069294ebc2a)},
{FIELD_LITERAL(0x00fa5e878ae22827,0x00d33c7bb3963bd0,0x0053401a101efac6,0x0063df0bcbce59a5,0x007bca269c8b584b,0x00611a8a9978842c,0x00bb96e8da12b8a8,0x00e17844d01d394d)},
{FIELD_LITERAL(0x00c107c50e9b4d0d,0x00f6b65a5fada2f2,0x000bb67e79353fae,0x0018853f610ed92d,0x008c51f4d36d6915,0x00e3e9c096dd1c12,0x009d6b9ea6cde415,0x00304864dd66f4c6)},
{FIELD_LITERAL(0x00f3123b214085fb,0x00d005bafffb8f53,0x00d1606987dfe6ea,0x00e825edf73b018d,0x0082aa733829a933,0x00c857d8d7830d76,0x00ebdb8d2cbbe7e6,0x0063de0e9930722e)},
{FIELD_LITERAL(0x004ffebce35619ab,0x00d281a1543365c5,0x00ad17eeb3d098b8,0x008653b06bb7806d,0x0040026e64a28b62,0x00d9e06d52ea19df,0x008e7c684856876a,0x003ebbc191443f3b)},
{FIELD_LITERAL(0x00c0a062813b8884,0x0054d18cc36e636b,0x00e4493fcadba51a,0x005cda5b6577c9cf,0x00cc165615c315cf,0x001bbd5e155f17bb,0x004dee92a4f18e47,0x003e95412929bfb8)},
{FIELD_LITERAL(0x0015326f3e1f5fb6,0x0076886ca4eb6041,0x00fb34645ee36c23,0x006042a4cb8f7bb2,0x00b43e736403dd2f,0x00a8986566e7c60c,0x0010ea48904bf6d1,0x008b5ae8c5ddafbe)},
{FIELD_LITERAL(0x003a9f4a12faee9a,0x00e6ba523a29af6b,0x001dde79a8ef06ef,0x0033ed4361647314,0x00b0556ae76eb1c9,0x00e8b892762bd092,0x004709c83705e374,0x0077382d86f79b47)},
{FIELD_LITERAL(0x006638c5cee4113d,0x005c100c7276ed52,0x00d10562e281768d,0x0008e851e1eb2ed9,0x00d7cc086a7af373,0x00993ed528eb7942,0x0051677625b7df14,0x0029fbbcf6aaa3f7)},
{FIELD_LITERAL(0x001081503e396419,0x007a2c7aa8870415,0x00d372a4baf3490a,0x00b18821a1e18013,0x00b83fa876c54211,0x00e4bcf47a2ae1e9,0x0069a384ba9bf3c3,0x00b784d44ee9d468)},
{FIELD_LITERAL(0x00b4e3ad7c2ea1be,0x009962715cf7008a,0x00fbc6fdcc089d5e,0x001e29847c349313,0x00c1145569b3874d,0x0094f50069a1499b,0x004cec2bb8f423c8,0x0077eb0034c34627)},
{FIELD_LITERAL(0x008f00d279b21a44,0x00a5c81149c8116a,0x00cc8be3da721e9f,0x001935a34e6770b9,0x00e315426d5db99d,0x00cf6a842aff01bf,0x00e3cc9d5016ed3a,0x00ae78776098742d)},
{FIELD_LITERAL(0x0068db473197248f,0x0089874a12ff90c2,0x00420b4763f5428c,0x00d668b71fb38392,0x0022279b6d3c3687,0x003a5801405cf566,0x00127b8ea4b4fd44,0x00ce6a975208fb79)},
{FIELD_LITERAL(0x00797ca039d44238,0x0063cae935b6ef5e,0x006a938e072ff87c,0x006a3870309cdca0,0x0003800945fa3ddc,0x0032274c0728b5ad,0x0053a51e9217da91,0x00162b41712b79db)},
{FIELD_LITERAL(0x000911f06768bdc6,0x00bd27650f82c5b0,0x007b948017bcb94a,0x0095de039572c65e,0x0053743dabe00d25,0x0092b1d5888cd8cd,0x0065c6496b33c0d0,0x007a3f55d5bfb370)},
{FIELD_LITERAL(0x003f31eebfa20d27,0x00b1c0c84d6c2849,0x00dbefe8d1e53924,0x00472400b407ebc2,0x00c584bf62a91498,0x00c1f095f2010650,0x007e3b1b2c9ba41e,0x003189f894ed89dc)},
{FIELD_LITERAL(0x004d9eefe5de7ab7,0x003e35169bdbd884,0x0079625f58822d97,0x0043f4f607137c15,0x0029efd80717d455,0x0055b37a66623198,0x00153cecd460c01e,0x000464f30e396a2d)},
{FIELD_LITERAL(0x0057b28375dc4b6e,0x00771e6557974d80,0x00fa6792bc187316,0x000d7fed0f9f92d7,0x00e821281efdb64b,0x00a12bf7b4dc5064,0x00464f56bfa9bb8d,0x00526fa933114e0b)},
{FIELD_LITERAL(0x00bcf86d6aaed0f2,0x00b95ff679e8a71f,0x00c11d7bd57f8c87,0x00cb3362ed671b05,0x0068bb14b2ce4c10,0x00505313699af32f,0x005376e4cec89e51,0x00179b292d918f75)},
{FIELD_LITERAL(0x00246e4ca8018aa1,0x005e55abb4eaca63,0x0050b6ce5fe6aa8b,0x008979edb01ee510,0x002e152c38461080,0x00550a03a7f073ea,0x0018d841eb811e13,0x00c39e3e1ea88479)},
{FIELD_LITERAL(0x007f1264364f8cc7,0x000315388ba2d9ad,0x007562aa0a0d3396,0x0069318d20cfe53a,0x000acdcd1868b277,0x008e8d738518c6b8,0x006faf89fda8f887,0x00347e30277c4e4d)},
{FIELD_LITERAL(0x0062c03567cddf30,0x0032ee53437ac23b,0x00e8a6fbf62d80e2,0x002de89967f7d7fd,0x0005fedae4d7c736,0x0022d685f264ae39,0x0028936d3fba7df5,0x00acb4383b936fcc)},
{FIELD_LITERAL(0x00afee55215c8c25,0x00c57a8713769fcb,0x000df59aca05928e,0x00aead2ce1a57830,0x00d453e3719735cd,0x004f1cdc24b3ec7e,0x000e2a69482a51da,0x00151ba7f6834b1f)},
{FIELD_LITERAL(0x003eaec329954173,0x00fec61feee76bb2,0x009b544347f7f444,0x004c4f7dfdb8cebd,0x0039d610da25dbfb,0x000f513ccef26480,0x00af4ddd8b8d2732,0x00093756dd2be04b)},
{FIELD_LITERAL(0x006df537f064f2de,0x0007f0808cbfedb9,0x00792c87b64aa829,0x00fd42b4ce848ad1,0x004d9b9c66c5bd43,0x00df8fbdd58c4ed6,0x00cbe5355fc7f34c,0x00abe6eb22995e4d)},
{FIELD_LITERAL(0x00ef8a330d9484e0,0x0044944dece8fbcc,0x0016b6e52d9d2586,0x00610b0b72d2c7b3,0x00766d88f8990f61,0x00ea7bc69494eefe,0x0050c07989360110,0x00db9fc3bfd96ee7)},
{FIELD_LITERAL(0x0069991db096c6b8,0x0008ebceed962ba0,0x00ef0053e2f37ae3,0x009917f3c8c9cb68,0x000e0b52fef39f4e,0x00ea378bf7b8f008,0x009ae2a16388995b,0x007ec77e628ee921)},
{FIELD_LITERAL(0x0062284cece6ad83,0x00e18536b7278c56,0x0005ab4b910698c5,0x009910472a4fd019,0x008ab4e2c6d75150,0x00fbd9d538d59094,0x0086482b65914fd9,0x00ced958acabfefd)},
{FIELD_LITERAL(0x00c6cb4ee3a8dac4,0x0010cf7120de0b91,0x001ab166385e9e67,0x007f2a8eca89b19c,0x008ae3d846b943da,0x0022c7631b161ed6,0x005e5d402e327b23,0x00d0518c1aeb64cd)},
{FIELD_LITERAL(0x000d45c95be55ebb,0x005f3dd26b911e70,0x00755171065eb066,0x00110b2864e644c9,0x00718a31c2d84e02,0x0059a255fc4d65d8,0x0026337c97b14eba,0x0061e127f33d128b)},
{FIELD_LITERAL(0x006ee9a82004b322,0x003eff4833aac2f9,0x00bb62f8a13b9833,0x008f9deff439b18f,0x00bc30790842de17,0x000bfe23b4868215,0x00addb504d09d19a,0x002e121c04a5bd41)},
{FIELD_LITERAL(0x004126ac2e668677,0x0046c12e8a5dbed7,0x0078e3a69c049c9a,0x0035d20dffeb5878,0x000a263e2f4cbcdc,0x00090a6bd7e724f5,0x00b33f6e0b6366f9,0x00175e7759f40060)},
{FIELD_LITERAL(0x0083b4b835838c18,0x00ac69ddefc68cb4,0x00749b220f1ba281,0x004052a50d7a193d,0x007138ee3a4e5e56,0x003099ccfedc8067,0x006e811c0e9aaed9,0x00bead0cc8101227)},
{FIELD_LITERAL(0x00cd3889dfcd0517,0x001bf78dcd1f43de,0x000898cbb491727a,0x00440c964893d55d,0x0075e0b9391ea8f2,0x00ec9732687fc960,0x008ca65c62f86bcf,0x00fc9b9aed6debcb)},
{FIELD_LITERAL(0x00f8381236cfa255,0x00f5999b0d8c8fe3,0x000918786a1dff4e,0x00a2fa46132db8c1,0x00eb0a0e8379a878,0x003802d2e990566a,0x00b6c65d27147f1f,0x00ddbb45f6bd3e66)},
{FIELD_LITERAL(0x000f68a71ee1c67a,0x00e96102429b052c,0x0017776482925329,0x00ca322a71577df6,0x004325b8a79280b5,0x00c322234d786f77,0x00e9258fe7816ab4,0x006aa915d16d5532)},
{FIELD_LITERAL(0x00cde18980fd9d30,0x00d1a82889350971,0x0040d36b7eb0fbc8,0x003cc6e695329dd0,0x00e24b3318e1d88e,0x00e212a22459111d,0x00879f754eaab372,0x00f9801f5489c9a4)},
{FIELD_LITERAL(0x007354e942e00768,0x004c7668d3208ac0,0x0015712e1b92023f,0x00b018106b3a760b,0x00d4751647fa130b,0x00da3f7276d78b5a,0x00dc6c71672bb3b3,0x0008a6ecb3540963)},
{FIELD_LITERAL(0x00e13a624c26a6f1,0x00e161c0e3c0e7d2,0x00ba563c13d354eb,0x00f7e67a8d51498c,0x0088c48bf9742e97,0x00edaca155c6abcb,0x00bb24561c4448b5,0x00d045b2c38b42f1)},
{FIELD_LITERAL(0x0093d57b9871b4c4,0x0085e6b5532e7970,0x0012fdda50bdb89e,0x0025f590d6c39b47,0x00ef9d53a39585e6,0x00cf0a88a575110b,0x00fd53552894850f,0x00bef47029c5a860)},
{FIELD_LITERAL(0x00bd40f701996dd3,0x00cce747044b6173,0x0028a6b9ffb55eb3,0x0009fea794bd40e3,0x0038b30e26ed0198,0x005434c968b4cf52,0x00814878df362d47,0x0060ab54842b207a)},
{FIELD_LITERAL(0x00bd19d97479e8ae,0x00f722fb96aff3e9,0x004ae4a83cc75c02,0x0033bb6827a30094,0x00d0ec294a83cb5a,0x007c9ad150cfeefa,0x0033cbbd6b336c57,0x009f0b2fd7ef1d8f)},
{FIELD_LITERAL(0x00246036b708c7d9,0x000574c8b9127116,0x00ecd349a550414d,0x003c900c0186da47,0x007c82512cac2d00,0x001399e41f99830b,0x00a414712d16fdfb,0x0028822961a9b698)},
{FIELD_LITERAL(0x00576abc9c32ae74,0x0052e8eedb433484,0x009a0b95b52551ff,0x00e4e5a4d5691aff,0x00bc01db07dccd79,0x00996692751e0d3c,0x003acf0cd9be9606,0x003f06d2f83095a8)},
{FIELD_LITERAL(0x0028c4051a1ff7bb,0x0040ba689904a0ad,0x009e4b0a5acec321,0x00bc6d2b3c46aaeb,0x00f2caae4ef88adb,0x00ff6677bf11a28e,0x0092191cbfbb7484,0x00dae55afb78a291)},
{FIELD_LITERAL(0x00c95aa397ea26bc,0x007372e21066c24c,0x00d1f1e17008ce70,0x00277c5b46d24ff5,0x00d0a187e51cc6f8,0x00e58d524dca3f92,0x000d1a618c916355,0x00e5b4a71cfce6eb)},
{FIELD_LITERAL(0x00c40cbcbd853cbd,0x00523f5879bd473a,0x00fc476ce8a57ceb,0x009e5cb521a8fc43,0x0015c157448e29cc,0x0041f2065e0e673d,0x00b9227183e9ca04,0x000eadc022da2a1a)},
{FIELD_LITERAL(0x00d6313aad8c08f2,0x008fbb11d8a39cbf,0x00bf09c856cfea1d,0x00cc7448724a5516,0x00eb6e4d59ecdeb7,0x005eda293019421c,0x00a0853a9e457996,0x00e2a1515c045530)},
{FIELD_LITERAL(0x009cc09c03622bf9,0x0018ec007f1fb5bc,0x009f39168f0d29de,0x005a83280f20e76e,0x000dbf95aaf9af43,0x004f9bd6f102397b,0x00e154febb2e86e9,0x0032ea079c3d6c54)},
{FIELD_LITERAL(0x00fab169ca1c41ce,0x00f1bc0ce1d78d41,0x002fa4e361cc67be,0x009053af427e0267,0x0032387ad15144f5,0x00b00ae64f9e66e4,0x006f6617ef82b37a,0x00d8c1db3c95b59e)},
{FIELD_LITERAL(0x0035175500c7799c,0x00a167c5ca225e38,0x00854efcf271c80b,0x001b76bf0a2fcd01,0x0095c90610cf4ccd,0x0064190fc6a738a8,0x0079dce31456ebff,0x00742f0847dc1855)},
{FIELD_LITERAL(0x00f8f4bbbe10d3b9,0x00105a4fd7fe5ef6,0x0040f473c119b520,0x0075981f4cbad167,0x00e6e94e0d05858a,0x00287e587009323c,0x00797d31a81a36e6,0x0033eef622def25c)},
{FIELD_LITERAL(0x003077e1410a5ba5,0x00b14158718390d3,0x006f256df630d95f,0x0021d4d1b388a47b,0x008e29fce3c3ea50,0x002616d810e8828f,0x0076b1173dc76902,0x001c4c4bfe1be552)},
{FIELD_LITERAL(0x00a2657cac024d24,0x00aa33dfb739670f,0x00093b53769a8de7,0x00adafcb28c0514d,0x00bca8890425c381,0x008f15acedcdc343,0x0085efa2bb2f9604,0x0092437292387955)},
{FIELD_LITERAL(0x00dfb010d979be8f,0x007e6d963a211f07,0x00404b8ec1368699,0x00d9cc6590cb2087,0x00e0d919b389e23c,0x001001c50cec349f,0x001e848fec709fe4,0x000e91e3326121a1)},
{FIELD_LITERAL(0x00e8300e632c6b13,0x00010847ef6dda78,0x0019b7c68f200ab7,0x00220c952978bd9b,0x0019e887adc0331c,0x006c5993f36c4db5,0x0002c98eeb248079,0x0089ad282231d922)},
{FIELD_LITERAL(0x0059811830606614,0x00a8ec4d8a0d0097,0x000e2ac957beaec2,0x007dc4a64fdb8ed1,0x0063b9462f2c7312,0x00324ea6a55d282b,0x007c8a4cbdc26507,0x00f54f4ae9268708)},
{FIELD_LITERAL(0x0026d312845ed7bc,0x0051563888e17918,0x00b99c696ccab084,0x0059d7244957f3b8,0x00c5f4faf8c8d6ab,0x00bdeeec54ba3f26,0x001aba0f7c9d5485,0x00d731f784b29269)},
{FIELD_LITERAL(0x00bd7234c3aef4f0,0x00a7a9f815db44b1,0x00c8c940e9fc9785,0x003b81a973b01c38,0x00c32ffd7d7b79f9,0x00bc5b783c46e6c6,0x00b003fb1ef6a5f9,0x005b36765c2b46e7)},
{FIELD_LITERAL(0x0030b09f9659a719,0x00ac35ad7a6bc959,0x009b466b281c1ee8,0x0034b96465f80acb,0x00304970c66162b7,0x000f2347253e3918,0x000d54980ac74c5a,0x00aaabb0e875468a)},
{FIELD_LITERAL(0x00578872f1bd6085,0x00b3fd4fa6efa597,0x00e99ac49f625c00,0x002aef842e5ed2d8,0x004b8f706588e353,0x00449c499dfcc096,0x008d0cdddbf18dea,0x00e6bba4a6396ddd)},
{FIELD_LITERAL(0x0066485d97a2ac73,0x001d0e768483ffe7,0x00c5253731b7251c,0x00f76d892a3af3f3,0x00e8d035f85298e7,0x0034e58d0abf961a,0x00b11bd0eccaba4c,0x0087a079aec9d0e9)},
{FIELD_LITERAL(0x00d38488bd2e2026,0x00d35414e79dc3fe,0x00faa0a1c1fbbbb9,0x0093df0c4b10ab45,0x0039ffebe1394c9f,0x00cab0bc80e5cd5c,0x00453b9db5cadf06,0x003b7c08cb56f96e)},
{FIELD_LITERAL(0x00b63453c7af61ee,0x00eadcbafa2bd320,0x0086b04f4a7bf0e3,0x00b69bc8cbbfba5a,0x00ce4926bb1b064e,0x004df8ce753e0a27,0x00ff37bf2580a3a2,0x00ad90c8c5a377eb)},
{FIELD_LITERAL(0x00ac58c82bdd6e72,0x0008035e278a79da,0x003c9fcc92524fb3,0x000c71c26ea75e47,0x009631c4be717b38,0x00a2e968135e9152,0x00074295ca131ec2,0x00877a203d4a5015)},
{FIELD_LITERAL(0x00a49896f002be26,0x00ad6b0d720ae906,0x005786d8dbed0346,0x00f6749d6592e372,0x000542c37faf79a4,0x003281a4f5c7863a,0x00eacdc7def0cbdc,0x00ca8353efe160bd)},
{FIELD_LITERAL(0x003c9e851d9f8893,0x004df23c1696dd28,0x005e587fddb98f95,0x00359afa5adbfdbb,0x00ddb949d26e687c,0x00ebc6efd285564c,0x001750eec619bdd3,0x0037772e4ad0d4fa)},
{FIELD_LITERAL(0x0076e84babbbb048,0x000a6db83681bbe4,0x0059dff597eaead2,0x00f65bdd79fe2dab,0x00e3fc9faa642c8a,0x008a9cc9dfc634c9,0x00428a4b728b1cd4,0x00e80aea53cb6617)},
{FIELD_LITERAL(0x002ab17fdf7d2bd3,0x005aa55f23183393,0x009b88469f8c0eb9,0x007d101b314bca6b,0x0056dd4345fd97b9,0x00880e62e548ae7d,0x003d44d8c87b91a6,0x00fb2811386e22cc)},
{FIELD_LITERAL(0x00eacd58001be3a5,0x0014e1231ca72940,0x0022453384987584,0x0075848f0c37be5c,0x000e6dc40d82c0b2,0x00f4d8ec1270878c,0x00550981d6fb86fd,0x00bb66b58f4c6892)},
{FIELD_LITERAL(0x00bba772e57e297f,0x004f56f68df71b07,0x00ded9facaf23a81,0x00d78e832d78eedc,0x0004f7c3eff02685,0x00ba5fa931f9c020,0x005a29fb4b2295be,0x00e2543f745b1dc9)},
{FIELD_LITERAL(0x00712177652580f9,0x00e9ee16e21d1eca,0x0002465ba75b8e46,0x00a9cb7b1fc8ef2e,0x00ce337e6da1cf8e,0x009d3684c507fffa,0x00058cc115d71214,0x0017dba81e144377)},
{FIELD_LITERAL(0x003b778e67285805,0x00dbb06704ba87b5,0x00ba6ee1ea5ea2fe,0x00e2cdc2c8b3f699,0x006983c6eae69a9c,0x00c6c8c542d0c398,0x00f2d3a9ebcedbdc,0x00be30ddeabbd31c)},
{FIELD_LITERAL(0x0095f20a016490a6,0x005f2b00b9fbf26d,0x00b583124906cdaf,0x002e2077aa473ca8,0x0018c5b9f7902fa6,0x00b704f5229201a6,0x00e1fc5d70e4b1c2,0x00578e366ccf7289)},
{FIELD_LITERAL(0x00932127be1d579d,0x00e6729f50f54904,0x00e70f6247f618af,0x00b1953989fe9d9c,0x0015032e9df69633,0x00d3687b35cb6e82,0x00ab0fff86869218,0x0026054a3a68ddfb)},
{FIELD_LITERAL(0x00cf244d2e899137,0x00a793f52ec7aaa1,0x002e5cb0616e3883,0x009cbf752f176feb,0x0029edce4fa090a3,0x00f6540a960a0275,0x00513985eef0e3bc,0x00ce2e586f6c7228)},
{FIELD_LITERAL(0x00b42f011dbc757c,0x004a8e19d4f07c42,0x00a6d7828318b7ff,0x0004c9ce49ba3c0f,0x005fe71688087b6a,0x006e1d8f9a3d84ed,0x0089693e7e8e9a1f,0x0073bf4183ba45c5)},
{FIELD_LITERAL(0x0029e8ce35530d30,0x00d20f389f61fe3a,0x00cf9e8ddf74e1d4,0x004bec01b04d4979,0x007d92c9f6fd5ddd,0x00c072fa91981808,0x009afda4fe8a1676,0x00c96522ee879a14)},
{FIELD_LITERAL(0x005f0cd9cd83497b,0x00e382f098d97f00,0x0073e37e004eed2e,0x000707fe98b12237,0x0016d92a2b73d561,0x00a42926ab390165,0x00b394db4b1cc8fc,0x002fa14a3f6efa33)},
{FIELD_LITERAL(0x0055076a513d05ee,0x00f076d43cec14ad,0x00a4e386b252faf4,0x00c0713b79b313eb,0x00507efa72f46f19,0x00141bc1e7c66844,0x005629ef060c19ea,0x0085327113d1772c)},
{FIELD_LITERAL(0x00ed490108514e35,0x006bed897e6b4958,0x0000f2cae0dc546c,0x008175eb3e5008e4,0x0093e3fe8f3aed42,0x00e9dbc15fd54d1a,0x00844979a4cfc0c1,0x00ea3194d64ea60b)},
{FIELD_LITERAL(0x00b64d054ec7ed5c,0x007b924cd329fbce,0x00fe8805a8737293,0x00fb82f1d52b43ae,0x004ea745c72e1a76,0x0095ba2552861c0c,0x00f66846c3547784,0x003b815bd05dc23c)},
{FIELD_LITERAL(0x00669e32fd197ef7,0x001dfca2c5e2f7c9,0x00a2ae0964a1e5e2,0x00b4334b15c91232,0x0096419585110d96,0x009c0b2262172a58,0x009d7c87cf6d35ca,0x008a5ce50d3cabf6)},
{FIELD_LITERAL(0x00888b9c1cf73530,0x00375346c6afecd2,0x00142240b35b74d3,0x00d952835f86a5f5,0x000665c2658eaf9a,0x00f29f43062b2033,0x00a19a58c5bc85f9,0x00e62ac95724a937)},
{FIELD_LITERAL(0x003bedc9ae9d1730,0x00fedd7c04cbc775,0x00c19abc4540c61d,0x00115294c57fb687,0x00663fceb174cd8f,0x001671f572b885b0,0x002d14694ed85978,0x00127282078a8e44)},
{FIELD_LITERAL(0x00e6d2822aa72eca,0x00d832957cdc0058,0x00dc60e5bed23e18,0x00b94b4c418b03a3,0x00df3b85d410a430,0x0055e81b70bc79d4,0x00081d9369cbd1a0,0x00f7fee3acf0c656)},
{FIELD_LITERAL(0x003baba41b5abffb,0x00661ee09fca8193,0x00e0c6c92e6aea59,0x00886c207bcbe591,0x00aef9e7798e8004,0x00164f599f4d707a,0x00bb1597a76d21f2,0x00fda82d5e025626)},
{FIELD_LITERAL(0x00552b53a9640f0e,0x005985236f4d88bf,0x00b7aaec965a8ae5,0x00cedada7b5ccf95,0x007b1ea2088f1902,0x0028445e38b4a7fa,0x0057f10ddc50efed,0x007637a3147bc5cb)},
{FIELD_LITERAL(0x008174fe4db53757,0x00930c4f4a35ecc8,0x000e9f82c1c95a8f,0x00c6480547d66e5e,0x00dce888f9a7bf39,0x006671a5022cb906,0x004823c19b5337a0,0x00455338b7fec529)},
{FIELD_LITERAL(0x005ac123fdc45964,0x00395057c2221d17,0x003c09c74cf84eb1,0x00b5ca859bbebf9d,0x001b26b274a7d235,0x00e8c63508e96a48,0x00edbce4d51d721e,0x00c49436797d6f83)},
{FIELD_LITERAL(0x0071595be88a7f40,0x00a05e6ac1c0fc87,0x00a01bf6538b29eb,0x00badcd80b881fb8,0x005bfe7af8049f8b,0x0084918e6ae35537,0x00ed4bd54759316e,0x007f135988d6b548)},
{FIELD_LITERAL(0x0075656c41e06629,0x0086059d83396637,0x004f304ecb457b37,0x00e3b4887db6be65,0x0020b54c263bb0be,0x0060a69193e561c3,0x00e6863f20dc8ce9,0x00afe16ac56e6478)}
};

+ 267
- 0
src/GENERATED/c/ed448goldilocks/eddsa.c View File

@@ -0,0 +1,267 @@
/**
* @file ed448goldilocks/eddsa.c
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
* @cond internal
* @brief EdDSA routines.
*
* @warning This file was automatically generated in Python.
* Please do not edit it.
*/
#include "word.h"
#include <decaf/ed448.h>
#include <decaf/shake.h>
#include <decaf/sha512.h>
#include <string.h>

#define API_NAME "decaf_448"
#define API_NS(_id) decaf_448_##_id

#define hash_ctx_t decaf_shake256_ctx_t
#define hash_init decaf_shake256_init
#define hash_update decaf_shake256_update
#define hash_final decaf_shake256_final
#define hash_destroy decaf_shake256_destroy
#define hash_hash decaf_shake256_hash

#define SUPPORTS_CONTEXTS DECAF_EDDSA_448_SUPPORTS_CONTEXTS
#define EDDSA_USE_SIGMA_ISOGENY 0
#define COFACTOR 4

/* EDDSA_BASE_POINT_RATIO = 1 or 2
* Because EdDSA25519 is not on E_d but on the isogenous E_sigma_d,
* its base point is twice ours.
*/
#define EDDSA_BASE_POINT_RATIO (1+EDDSA_USE_SIGMA_ISOGENY)

static void clamp (
uint8_t secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES]
) {
/* Blarg */
secret_scalar_ser[0] &= -COFACTOR;
uint8_t hibit = (1<<0)>>1;
if (hibit == 0) {
secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 1] = 0;
secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 2] |= 0x80;
} else {
secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 1] &= hibit-1;
secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 1] |= hibit;
}
}

static void hash_init_with_dom(
hash_ctx_t hash,
uint8_t prehashed,
const uint8_t *context,
uint8_t context_len
) {
hash_init(hash);
#if SUPPORTS_CONTEXTS
const char *dom_s = "SigEd448";
const uint8_t dom[2] = {1+word_is_zero(prehashed), context_len};
hash_update(hash,(const unsigned char *)dom_s, strlen(dom_s));
hash_update(hash,dom,2);
hash_update(hash,context,context_len);
#else
(void)prehashed;
(void)context;
assert(context==NULL);
(void)context_len;
assert(context_len == 0);
#endif
}

void decaf_ed448_derive_public_key (
uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES]
) {
/* only this much used for keygen */
uint8_t secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES];
hash_hash(
secret_scalar_ser,
sizeof(secret_scalar_ser),
privkey,
DECAF_EDDSA_448_PRIVATE_BYTES
);
clamp(secret_scalar_ser);
API_NS(scalar_t) secret_scalar;
API_NS(scalar_decode_long)(secret_scalar, secret_scalar_ser, sizeof(secret_scalar_ser));
/* Since we are going to mul_by_cofactor during encoding, divide by it here.
* However, the EdDSA base point is not the same as the decaf base point if
* the sigma isogeny is in use: the EdDSA base point is on Etwist_d/(1-d) and
* the decaf base point is on Etwist_d, and when converted it effectively
* picks up a factor of 2 from the isogenies. So we might start at 2 instead of 1.
*/
for (unsigned int c = EDDSA_BASE_POINT_RATIO; c < COFACTOR; c <<= 1) {
API_NS(scalar_halve)(secret_scalar,secret_scalar);
}
API_NS(point_t) p;
API_NS(precomputed_scalarmul)(p,API_NS(precomputed_base),secret_scalar);
API_NS(point_mul_by_cofactor_and_encode_like_eddsa)(pubkey, p);
/* Cleanup */
API_NS(scalar_destroy)(secret_scalar);
API_NS(point_destroy)(p);
decaf_bzero(secret_scalar_ser, sizeof(secret_scalar_ser));
}

void decaf_ed448_sign (
uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
const uint8_t *message,
size_t message_len,
uint8_t prehashed
#if SUPPORTS_CONTEXTS
, const uint8_t *context,
uint8_t context_len
#endif
) {
#if !SUPPORTS_CONTEXTS
const uint8_t *const context = NULL;
const uint8_t context_len = 0;
#endif
API_NS(scalar_t) secret_scalar;
hash_ctx_t hash;
{
/* Schedule the secret key */
struct {
uint8_t secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES];
uint8_t seed[DECAF_EDDSA_448_PRIVATE_BYTES];
} __attribute__((packed)) expanded;
hash_hash(
(uint8_t *)&expanded,
sizeof(expanded),
privkey,
DECAF_EDDSA_448_PRIVATE_BYTES
);
clamp(expanded.secret_scalar_ser);
API_NS(scalar_decode_long)(secret_scalar, expanded.secret_scalar_ser, sizeof(expanded.secret_scalar_ser));
/* Hash to create the nonce */
hash_init_with_dom(hash,prehashed,context,context_len);
hash_update(hash,expanded.seed,sizeof(expanded.seed));
hash_update(hash,message,message_len);
decaf_bzero(&expanded, sizeof(expanded));
}
/* Decode the nonce */
API_NS(scalar_t) nonce_scalar;
{
uint8_t nonce[2*DECAF_EDDSA_448_PRIVATE_BYTES];
hash_final(hash,nonce,sizeof(nonce));
API_NS(scalar_decode_long)(nonce_scalar, nonce, sizeof(nonce));
decaf_bzero(nonce, sizeof(nonce));
}
uint8_t nonce_point[DECAF_EDDSA_448_PUBLIC_BYTES] = {0};
{
/* Scalarmul to create the nonce-point */
API_NS(scalar_t) nonce_scalar_2;
API_NS(scalar_halve)(nonce_scalar_2,nonce_scalar);
for (unsigned int c = 2*EDDSA_BASE_POINT_RATIO; c < COFACTOR; c <<= 1) {
API_NS(scalar_halve)(nonce_scalar_2,nonce_scalar_2);
}
API_NS(point_t) p;
API_NS(precomputed_scalarmul)(p,API_NS(precomputed_base),nonce_scalar_2);
API_NS(point_mul_by_cofactor_and_encode_like_eddsa)(nonce_point, p);
API_NS(point_destroy)(p);
API_NS(scalar_destroy)(nonce_scalar_2);
}
API_NS(scalar_t) challenge_scalar;
{
/* Compute the challenge */
hash_init_with_dom(hash,prehashed,context,context_len);
hash_update(hash,nonce_point,sizeof(nonce_point));
hash_update(hash,pubkey,DECAF_EDDSA_448_PUBLIC_BYTES);
hash_update(hash,message,message_len);
uint8_t challenge[2*DECAF_EDDSA_448_PRIVATE_BYTES];
hash_final(hash,challenge,sizeof(challenge));
hash_destroy(hash);
API_NS(scalar_decode_long)(challenge_scalar,challenge,sizeof(challenge));
decaf_bzero(challenge,sizeof(challenge));
}
API_NS(scalar_mul)(challenge_scalar,challenge_scalar,secret_scalar);
API_NS(scalar_add)(challenge_scalar,challenge_scalar,nonce_scalar);
decaf_bzero(signature,DECAF_EDDSA_448_SIGNATURE_BYTES);
memcpy(signature,nonce_point,sizeof(nonce_point));
API_NS(scalar_encode)(&signature[DECAF_EDDSA_448_PUBLIC_BYTES],challenge_scalar);
API_NS(scalar_destroy)(secret_scalar);
API_NS(scalar_destroy)(nonce_scalar);
API_NS(scalar_destroy)(challenge_scalar);
}


decaf_error_t decaf_ed448_verify (
const uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
const uint8_t *message,
size_t message_len,
uint8_t prehashed
#if SUPPORTS_CONTEXTS
, const uint8_t *context,
uint8_t context_len
#endif
) {
#if !SUPPORTS_CONTEXTS
const uint8_t *const context = NULL;
const uint8_t context_len = 0;
#endif
API_NS(point_t) pk_point, r_point;
decaf_error_t error = API_NS(point_decode_like_eddsa_and_ignore_cofactor)(pk_point,pubkey);
if (DECAF_SUCCESS != error) { return error; }
error = API_NS(point_decode_like_eddsa_and_ignore_cofactor)(r_point,signature);
if (DECAF_SUCCESS != error) { return error; }
API_NS(scalar_t) challenge_scalar;
{
/* Compute the challenge */
hash_ctx_t hash;
hash_init_with_dom(hash,prehashed,context,context_len);
hash_update(hash,signature,DECAF_EDDSA_448_PUBLIC_BYTES);
hash_update(hash,pubkey,DECAF_EDDSA_448_PUBLIC_BYTES);
hash_update(hash,message,message_len);
uint8_t challenge[2*DECAF_EDDSA_448_PRIVATE_BYTES];
hash_final(hash,challenge,sizeof(challenge));
hash_destroy(hash);
API_NS(scalar_decode_long)(challenge_scalar,challenge,sizeof(challenge));
decaf_bzero(challenge,sizeof(challenge));
}
API_NS(scalar_sub)(challenge_scalar, API_NS(scalar_zero), challenge_scalar);
API_NS(scalar_t) response_scalar;
API_NS(scalar_decode_long)(
response_scalar,
&signature[DECAF_EDDSA_448_PUBLIC_BYTES],
DECAF_EDDSA_448_PRIVATE_BYTES
);
#if EDDSA_BASE_POINT_RATIO == 2
API_NS(scalar_add)(response_scalar,response_scalar,response_scalar);
#endif
/* pk_point = -c(x(P)) + (cx + k)G = kG */
API_NS(base_double_scalarmul_non_secret)(
pk_point,
response_scalar,
pk_point,
challenge_scalar
);
return decaf_succeed_if(API_NS(point_eq(pk_point,r_point)));
}

+ 199
- 0
src/GENERATED/c/ed448goldilocks/elligator.c View File

@@ -0,0 +1,199 @@
/**
* @file ed448goldilocks/elligator.c
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
* @brief Elligator high-level functions.
*
* @warning This file was automatically generated in Python.
* Please do not edit it.
*/
#include "word.h"
#include "field.h"
#include <decaf.h>

/* Template stuff */
#define API_NS(_id) decaf_448_##_id
#define point_t API_NS(point_t)
#define IMAGINE_TWIST 0
#define COFACTOR 4
static const int EDWARDS_D = -39081;
/* End of template stuff */

extern void API_NS(deisogenize) (
gf_s *__restrict__ s,
gf_s *__restrict__ minus_t_over_s,
const point_t p,
mask_t toggle_hibit_s,
mask_t toggle_hibit_t_over_s,
mask_t toggle_rotation
);

void API_NS(point_from_hash_nonuniform) (
point_t p,
const unsigned char ser[SER_BYTES]
) {
gf r0,r,a,b,c,N,e;
ignore_result(gf_deserialize(r0,ser,0));
gf_strong_reduce(r0);
gf_sqr(a,r0);
gf_mul_qnr(r,a);

/* Compute D@c := (dr+a-d)(dr-ar-d) with a=1 */
gf_sub(a,r,ONE);
gf_mulw(b,a,EDWARDS_D); /* dr-d */
gf_add(a,b,ONE);
gf_sub(b,b,r);
gf_mul(c,a,b);
/* compute N := (r+1)(a-2d) */
gf_add(a,r,ONE);
gf_mulw(N,a,1-2*EDWARDS_D);
/* e = +-sqrt(1/ND) or +-r0 * sqrt(qnr/ND) */
gf_mul(a,c,N);
mask_t square = gf_isr(b,a);
gf_cond_sel(c,r0,ONE,square); /* r? = square ? 1 : r0 */
gf_mul(e,b,c);
/* s@a = +-|N.e| */
gf_mul(a,N,e);
gf_cond_neg(a,gf_hibit(a)^square); /* NB this is - what is listen in the paper */
/* t@b = -+ cN(r-1)((a-2d)e)^2 - 1 */
gf_mulw(c,e,1-2*EDWARDS_D); /* (a-2d)e */
gf_sqr(b,c);
gf_sub(e,r,ONE);
gf_mul(c,b,e);
gf_mul(b,c,N);
gf_cond_neg(b,square);
gf_sub(b,b,ONE);

/* isogenize */
#if IMAGINE_TWIST
gf_mul(c,a,SQRT_MINUS_ONE);
gf_copy(a,c);
#endif
gf_sqr(c,a); /* s^2 */
gf_add(a,a,a); /* 2s */
gf_add(e,c,ONE);
gf_mul(p->t,a,e); /* 2s(1+s^2) */
gf_mul(p->x,a,b); /* 2st */
gf_sub(a,ONE,c);
gf_mul(p->y,e,a); /* (1+s^2)(1-s^2) */
gf_mul(p->z,a,b); /* (1-s^2)t */
assert(API_NS(point_valid)(p));
}

void API_NS(point_from_hash_uniform) (
point_t pt,
const unsigned char hashed_data[2*SER_BYTES]
) {
point_t pt2;
API_NS(point_from_hash_nonuniform)(pt,hashed_data);
API_NS(point_from_hash_nonuniform)(pt2,&hashed_data[SER_BYTES]);
API_NS(point_add)(pt,pt,pt2);
}

/* Elligator_onto:
* Make elligator-inverse onto at the cost of roughly halving the success probability.
* Currently no effect for curves with field size 1 bit mod 8 (where the top bit
* is chopped off). FUTURE MAGIC: automatic at least for brainpool-style curves; support
* log p == 1 mod 8 brainpool curves maybe?
*/
#define MAX(A,B) (((A)>(B)) ? (A) : (B))
#define PKP_MASK ((1<<(MAX(8*SER_BYTES + 0 - 448,0)))-1)
#if PKP_MASK != 0
static UNUSED mask_t plus_k_p (
uint8_t x[SER_BYTES],
uint32_t factor_
) {
uint32_t carry = 0;
uint64_t factor = factor_;
const uint8_t p[SER_BYTES] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
for (unsigned int i=0; i<SER_BYTES; i++) {
uint64_t tmp = carry + p[i] * factor + x[i];
/* tmp <= 2^32-1 + (2^32-1)*(2^8-1) + (2^8-1) = 2^40-1 */
x[i] = tmp; carry = tmp>>8;
}
return word_is_zero(carry);
}
#endif

decaf_error_t
API_NS(invert_elligator_nonuniform) (
unsigned char recovered_hash[SER_BYTES],
const point_t p,
uint32_t hint_
) {
mask_t hint = hint_;
mask_t sgn_s = -(hint & 1),
sgn_t_over_s = -(hint>>1 & 1),
sgn_r0 = -(hint>>2 & 1),
/* FUTURE MAGIC: eventually if there's a curve which needs sgn_ed_T but not sgn_r0,
* change this mask extraction.
*/
sgn_ed_T = -(hint>>3 & 1);
gf a, b, c, d;
API_NS(deisogenize)(a,c,p,sgn_s,sgn_t_over_s,sgn_ed_T);
#if 448 == 8*SER_BYTES + 1 /* p521. */
sgn_r0 = 0;
#endif
/* ok, a = s; c = -t/s */
gf_mul(b,c,a);
gf_sub(b,ONE,b); /* t+1 */
gf_sqr(c,a); /* s^2 */
mask_t is_identity = gf_eq(p->t,ZERO);

/* identity adjustments */
/* in case of identity, currently c=0, t=0, b=1, will encode to 1 */
/* if hint is 0, -> 0 */
/* if hint is to neg t/s, then go to infinity, effectively set s to 1 */
gf_cond_sel(c,c,ONE,is_identity & sgn_t_over_s);
gf_cond_sel(b,b,ZERO,is_identity & ~sgn_t_over_s & ~sgn_s);
gf_mulw(d,c,2*EDWARDS_D-1); /* $d = (2d-a)s^2 */
gf_add(a,b,d); /* num? */
gf_sub(d,d,b); /* den? */
gf_mul(b,a,d); /* n*d */
gf_cond_sel(a,d,a,sgn_s);
gf_mul_qnr(d,b);
mask_t succ = gf_isr(c,d)|gf_eq(d,ZERO);
gf_mul(b,a,c);
gf_cond_neg(b, sgn_r0^gf_hibit(b));
succ &= ~(gf_eq(b,ZERO) & sgn_r0);
#if COFACTOR == 8
succ &= ~(is_identity & sgn_ed_T); /* NB: there are no preimages of rotated identity. */
#endif
#if 448 == 8*SER_BYTES + 1 /* p521 */
gf_serialize(recovered_hash,b,0);
#else
gf_serialize(recovered_hash,b,1);
#if PKP_MASK != 0
/* Add a multiple of p to make the result either almost-onto or completely onto. */
succ &= plus_k_p(recovered_hash, (hint >> ((COFACTOR==8)?4:3)) & PKP_MASK);
#endif
#endif
return decaf_succeed_if(mask_to_bool(succ));
}

decaf_error_t
API_NS(invert_elligator_uniform) (
unsigned char partial_hash[2*SER_BYTES],
const point_t p,
uint32_t hint
) {
point_t pt2;
API_NS(point_from_hash_nonuniform)(pt2,&partial_hash[SER_BYTES]);
API_NS(point_sub)(pt2,p,pt2);
return API_NS(invert_elligator_nonuniform)(partial_hash,pt2,hint);
}

+ 339
- 0
src/GENERATED/c/ed448goldilocks/scalar.c View File

@@ -0,0 +1,339 @@
/**
* @file ed448goldilocks/scalar.c
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
* @brief Decaf high-level functions.
*
* @warning This file was automatically generated in Python.
* Please do not edit it.
*/
#include "word.h"
#include "constant_time.h"
#include <decaf.h>

/* Template stuff */
#define API_NS(_id) decaf_448_##_id
#define SCALAR_BITS DECAF_448_SCALAR_BITS
#define SCALAR_SER_BYTES DECAF_448_SCALAR_BYTES
#define SCALAR_LIMBS DECAF_448_SCALAR_LIMBS
#define scalar_t API_NS(scalar_t)

static const decaf_word_t MONTGOMERY_FACTOR = (decaf_word_t)0x3bd440fae918bc5ull;
static const scalar_t sc_p = {{{
SC_LIMB(0x2378c292ab5844f3), SC_LIMB(0x216cc2728dc58f55), SC_LIMB(0xc44edb49aed63690), SC_LIMB(0xffffffff7cca23e9), SC_LIMB(0xffffffffffffffff), SC_LIMB(0xffffffffffffffff), SC_LIMB(0x3fffffffffffffff)
}}}, sc_r2 = {{{
SC_LIMB(0xe3539257049b9b60), SC_LIMB(0x7af32c4bc1b195d9), SC_LIMB(0x0d66de2388ea1859), SC_LIMB(0xae17cf725ee4d838), SC_LIMB(0x1a9cc14ba3c47c44), SC_LIMB(0x2052bcb7e4d070af), SC_LIMB(0x3402a939f823b729)
}}};
/* End of template stuff */

#define WBITS DECAF_WORD_BITS /* NB this may be different from ARCH_WORD_BITS */

const scalar_t API_NS(scalar_one) = {{{1}}}, API_NS(scalar_zero) = {{{0}}};

/** {extra,accum} - sub +? p
* Must have extra <= 1
*/
static NOINLINE void sc_subx(
scalar_t out,
const decaf_word_t accum[SCALAR_LIMBS],
const scalar_t sub,
const scalar_t p,
decaf_word_t extra
) {
decaf_dsword_t chain = 0;
unsigned int i;
for (i=0; i<SCALAR_LIMBS; i++) {
chain = (chain + accum[i]) - sub->limb[i];
out->limb[i] = chain;
chain >>= WBITS;
}
decaf_word_t borrow = chain+extra; /* = 0 or -1 */
chain = 0;
for (i=0; i<SCALAR_LIMBS; i++) {
chain = (chain + out->limb[i]) + (p->limb[i] & borrow);
out->limb[i] = chain;
chain >>= WBITS;
}
}

static NOINLINE void sc_montmul (
scalar_t out,
const scalar_t a,
const scalar_t b
) {
unsigned int i,j;
decaf_word_t accum[SCALAR_LIMBS+1] = {0};
decaf_word_t hi_carry = 0;
for (i=0; i<SCALAR_LIMBS; i++) {
decaf_word_t mand = a->limb[i];
const decaf_word_t *mier = b->limb;
decaf_dword_t chain = 0;
for (j=0; j<SCALAR_LIMBS; j++) {
chain += ((decaf_dword_t)mand)*mier[j] + accum[j];
accum[j] = chain;
chain >>= WBITS;
}
accum[j] = chain;
mand = accum[0] * MONTGOMERY_FACTOR;
chain = 0;
mier = sc_p->limb;
for (j=0; j<SCALAR_LIMBS; j++) {
chain += (decaf_dword_t)mand*mier[j] + accum[j];
if (j) accum[j-1] = chain;
chain >>= WBITS;
}
chain += accum[j];
chain += hi_carry;
accum[j-1] = chain;
hi_carry = chain >> WBITS;
}
sc_subx(out, accum, sc_p, sc_p, hi_carry);
}

void API_NS(scalar_mul) (
scalar_t out,
const scalar_t a,
const scalar_t b
) {
sc_montmul(out,a,b);
sc_montmul(out,out,sc_r2);
}

/* PERF: could implement this */
static INLINE void sc_montsqr (scalar_t out, const scalar_t a) {
sc_montmul(out,a,a);
}

decaf_error_t API_NS(scalar_invert) (
scalar_t out,
const scalar_t a
) {
/* Fermat's little theorem, sliding window.
* Sliding window is fine here because the modulus isn't secret.
*/
const int SCALAR_WINDOW_BITS = 3;
scalar_t precmp[1<<SCALAR_WINDOW_BITS];
const int LAST = (1<<SCALAR_WINDOW_BITS)-1;

/* Precompute precmp = [a^1,a^3,...] */
sc_montmul(precmp[0],a,sc_r2);
if (LAST > 0) sc_montmul(precmp[LAST],precmp[0],precmp[0]);

int i;
for (i=1; i<=LAST; i++) {
sc_montmul(precmp[i],precmp[i-1],precmp[LAST]);
}
/* Sliding window */
unsigned residue = 0, trailing = 0, started = 0;
for (i=SCALAR_BITS-1; i>=-SCALAR_WINDOW_BITS; i--) {
if (started) sc_montsqr(out,out);
decaf_word_t w = (i>=0) ? sc_p->limb[i/WBITS] : 0;
if (i >= 0 && i<WBITS) {
assert(w >= 2);
w-=2;
}
residue = (residue<<1) | ((w>>(i%WBITS))&1);
if (residue>>SCALAR_WINDOW_BITS != 0) {
assert(trailing == 0);
trailing = residue;
residue = 0;
}
if (trailing > 0 && (trailing & ((1<<SCALAR_WINDOW_BITS)-1)) == 0) {
if (started) {
sc_montmul(out,out,precmp[trailing>>(SCALAR_WINDOW_BITS+1)]);
} else {
API_NS(scalar_copy)(out,precmp[trailing>>(SCALAR_WINDOW_BITS+1)]);
started = 1;
}
trailing = 0;
}
trailing <<= 1;
}
assert(residue==0);
assert(trailing==0);
/* Demontgomerize */
sc_montmul(out,out,API_NS(scalar_one));
decaf_bzero(precmp, sizeof(precmp));
return decaf_succeed_if(~API_NS(scalar_eq)(out,API_NS(scalar_zero)));
}

void API_NS(scalar_sub) (
scalar_t out,
const scalar_t a,
const scalar_t b
) {
sc_subx(out, a->limb, b, sc_p, 0);
}

void API_NS(scalar_add) (
scalar_t out,
const scalar_t a,
const scalar_t b
) {
decaf_dword_t chain = 0;
unsigned int i;
for (i=0; i<SCALAR_LIMBS; i++) {
chain = (chain + a->limb[i]) + b->limb[i];
out->limb[i] = chain;
chain >>= WBITS;
}
sc_subx(out, out->limb, sc_p, sc_p, chain);
}

void
API_NS(scalar_set_unsigned) (
scalar_t out,
uint64_t w
) {
memset(out,0,sizeof(scalar_t));
unsigned int i = 0;
for (; i<sizeof(uint64_t)/sizeof(decaf_word_t); i++) {
out->limb[i] = w;
w >>= (sizeof(uint64_t) > sizeof(decaf_word_t)) ? 8*sizeof(decaf_word_t) : 0;
}
}

decaf_bool_t
API_NS(scalar_eq) (
const scalar_t a,
const scalar_t b
) {
decaf_word_t diff = 0;
unsigned int i;
for (i=0; i<SCALAR_LIMBS; i++) {
diff |= a->limb[i] ^ b->limb[i];
}
return mask_to_bool(word_is_zero(diff));
}

static INLINE void scalar_decode_short (
scalar_t s,
const unsigned char *ser,
unsigned int nbytes
) {
unsigned int i,j,k=0;
for (i=0; i<SCALAR_LIMBS; i++) {
decaf_word_t out = 0;
for (j=0; j<sizeof(decaf_word_t) && k<nbytes; j++,k++) {
out |= ((decaf_word_t)ser[k])<<(8*j);
}
s->limb[i] = out;
}
}

decaf_error_t API_NS(scalar_decode)(
scalar_t s,
const unsigned char ser[SCALAR_SER_BYTES]
) {
unsigned int i;
scalar_decode_short(s, ser, SCALAR_SER_BYTES);
decaf_dsword_t accum = 0;
for (i=0; i<SCALAR_LIMBS; i++) {
accum = (accum + s->limb[i] - sc_p->limb[i]) >> WBITS;
}
/* Here accum == 0 or -1 */
API_NS(scalar_mul)(s,s,API_NS(scalar_one)); /* ham-handed reduce */
return decaf_succeed_if(~word_is_zero(accum));
}

void API_NS(scalar_destroy) (
scalar_t scalar
) {
decaf_bzero(scalar, sizeof(scalar_t));
}

void API_NS(scalar_decode_long)(
scalar_t s,
const unsigned char *ser,
size_t ser_len
) {
if (ser_len == 0) {
API_NS(scalar_copy)(s, API_NS(scalar_zero));
return;
}
size_t i;
scalar_t t1, t2;

i = ser_len - (ser_len%SCALAR_SER_BYTES);
if (i==ser_len) i -= SCALAR_SER_BYTES;
scalar_decode_short(t1, &ser[i], ser_len-i);

if (ser_len == sizeof(scalar_t)) {
assert(i==0);
/* ham-handed reduce */
API_NS(scalar_mul)(s,t1,API_NS(scalar_one));
API_NS(scalar_destroy)(t1);
return;
}

while (i) {
i -= SCALAR_SER_BYTES;
sc_montmul(t1,t1,sc_r2);
ignore_result( API_NS(scalar_decode)(t2, ser+i) );
API_NS(scalar_add)(t1, t1, t2);
}

API_NS(scalar_copy)(s, t1);
API_NS(scalar_destroy)(t1);
API_NS(scalar_destroy)(t2);
}

void API_NS(scalar_encode)(
unsigned char ser[SCALAR_SER_BYTES],
const scalar_t s
) {
unsigned int i,j,k=0;
for (i=0; i<SCALAR_LIMBS; i++) {
for (j=0; j<sizeof(decaf_word_t); j++,k++) {
ser[k] = s->limb[i] >> (8*j);
}
}
}

void API_NS(scalar_cond_sel) (
scalar_t out,
const scalar_t a,
const scalar_t b,
decaf_bool_t pick_b
) {
constant_time_select(out,a,b,sizeof(scalar_t),bool_to_mask(pick_b),sizeof(out->limb[0]));
}

void API_NS(scalar_halve) (
scalar_t out,
const scalar_t a
) {
decaf_word_t mask = -(a->limb[0] & 1);
decaf_dword_t chain = 0;
unsigned int i;
for (i=0; i<SCALAR_LIMBS; i++) {
chain = (chain + a->limb[i]) + (sc_p->limb[i] & mask);
out->limb[i] = chain;
chain >>= DECAF_WORD_BITS;
}
for (i=0; i<SCALAR_LIMBS-1; i++) {
out->limb[i] = out->limb[i]>>1 | out->limb[i+1]<<(WBITS-1);
}
out->limb[i] = out->limb[i]>>1 | chain<<(WBITS-1);
}


+ 108
- 0
src/GENERATED/c/p25519/f_field.h View File

@@ -0,0 +1,108 @@
/**
* @file p25519/f_field.h
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
* @brief Field-specific code for 2^255 - 19.
*
* @warning This file was automatically generated in Python.
* Please do not edit it.
*/

#ifndef __P25519_F_FIELD_H__
#define __P25519_F_FIELD_H__ 1

#include "constant_time.h"
#include <string.h>
#include <assert.h>

#include "word.h"

#define __DECAF_25519_GF_DEFINED__ 1
#define NLIMBS (40/sizeof(word_t))
#define X_SER_BYTES 32
#define SER_BYTES 32
typedef struct gf_25519_s {
word_t limb[NLIMBS];
} __attribute__((aligned(32))) gf_25519_s, gf_25519_t[1];

#define GF_LIT_LIMB_BITS 51
#define GF_BITS 255
#define ZERO gf_25519_ZERO
#define ONE gf_25519_ONE
#define MODULUS gf_25519_MODULUS
#define gf gf_25519_t
#define gf_s gf_25519_s
#define gf_eq gf_25519_eq
#define gf_hibit gf_25519_hibit
#define gf_copy gf_25519_copy
#define gf_add gf_25519_add
#define gf_sub gf_25519_sub
#define gf_add_RAW gf_25519_add_RAW
#define gf_sub_RAW gf_25519_sub_RAW
#define gf_bias gf_25519_bias
#define gf_weak_reduce gf_25519_weak_reduce
#define gf_strong_reduce gf_25519_strong_reduce
#define gf_mul gf_25519_mul
#define gf_sqr gf_25519_sqr
#define gf_mulw_unsigned gf_25519_mulw_unsigned
#define gf_isr gf_25519_isr
#define gf_serialize gf_25519_serialize
#define gf_deserialize gf_25519_deserialize

/* RFC 7748 support */
#define X_PUBLIC_BYTES X_SER_BYTES
#define X_PRIVATE_BYTES X_PUBLIC_BYTES
#define X_PRIVATE_BITS 255

#define SQRT_MINUS_ONE P25519_SQRT_MINUS_ONE /* might not be defined */

#define INLINE_UNUSED __inline__ __attribute__((unused,always_inline))

#ifdef __cplusplus
extern "C" {
#endif

/* Defined below in f_impl.h */
static INLINE_UNUSED void gf_copy (gf out, const gf a) { *out = *a; }
static INLINE_UNUSED void gf_add_RAW (gf out, const gf a, const gf b);
static INLINE_UNUSED void gf_sub_RAW (gf out, const gf a, const gf b);
static INLINE_UNUSED void gf_bias (gf inout, int amount);
static INLINE_UNUSED void gf_weak_reduce (gf inout);

void gf_strong_reduce (gf inout);
void gf_add (gf out, const gf a, const gf b);
void gf_sub (gf out, const gf a, const gf b);
void gf_mul (gf_s *__restrict__ out, const gf a, const gf b);
void gf_mulw_unsigned (gf_s *__restrict__ out, const gf a, uint32_t b);
void gf_sqr (gf_s *__restrict__ out, const gf a);
mask_t gf_isr(gf a, const gf x); /** a^2 x = 1, QNR, or 0 if x=0. Return true if successful */
mask_t gf_eq (const gf x, const gf y);
mask_t gf_hibit (const gf x);

void gf_serialize (uint8_t *serial, const gf x,int with_highbit);
mask_t gf_deserialize (gf x, const uint8_t serial[SER_BYTES],int with_highbit);


#ifdef __cplusplus
} /* extern "C" */
#endif

#include "f_impl.h" /* Bring in the inline implementations */

#define P_MOD_8 5
#if P_MOD_8 == 5
extern const gf SQRT_MINUS_ONE;
#endif

#ifndef LIMBPERM
#define LIMBPERM(i) (i)
#endif
#define LIMB_MASK(i) (((1ull)<<LIMB_PLACE_VALUE(i))-1)

static const gf ZERO = {{{0}}}, ONE = {{{ [LIMBPERM(0)] = 1 }}};

#endif /* __P25519_F_FIELD_H__ */

+ 133
- 0
src/GENERATED/c/p25519/f_generic.c View File

@@ -0,0 +1,133 @@
/**
* @file p25519/f_generic.c
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
* @brief Generic arithmetic which has to be compiled per field.
*
* @warning This file was automatically generated in Python.
* Please do not edit it.
*/
#include "field.h"

static const gf MODULUS = {FIELD_LITERAL(
0x7ffffffffffed, 0x7ffffffffffff, 0x7ffffffffffff, 0x7ffffffffffff, 0x7ffffffffffff
)};
#if P_MOD_8 == 5
const gf SQRT_MINUS_ONE = {FIELD_LITERAL(
0x61b274a0ea0b0, 0x0d5a5fc8f189d, 0x7ef5e9cbd0c60, 0x78595a6804c9e, 0x2b8324804fc1d
)};
#endif

/** Serialize to wire format. */
void gf_serialize (uint8_t serial[SER_BYTES], const gf x, int with_hibit) {
gf red;
gf_copy(red, x);
gf_strong_reduce(red);
if (!with_hibit) { assert(gf_hibit(red) == 0); }
unsigned int j=0, fill=0;
dword_t buffer = 0;
UNROLL for (unsigned int i=0; i<(with_hibit ? X_SER_BYTES : SER_BYTES); i++) {
if (fill < 8 && j < NLIMBS) {
buffer |= ((dword_t)red->limb[LIMBPERM(j)]) << fill;
fill += LIMB_PLACE_VALUE(LIMBPERM(j));
j++;
}
serial[i] = buffer;
fill -= 8;
buffer >>= 8;
}
}

/** Return high bit of x = low bit of 2x mod p */
mask_t gf_hibit(const gf x) {
gf y;
gf_add(y,x,x);
gf_strong_reduce(y);
return -(y->limb[0]&1);
}

/** Deserialize from wire format; return -1 on success and 0 on failure. */
mask_t gf_deserialize (gf x, const uint8_t serial[SER_BYTES], int with_hibit) {
unsigned int j=0, fill=0;
dword_t buffer = 0;
dsword_t scarry = 0;
UNROLL for (unsigned int i=0; i<NLIMBS; i++) {
UNROLL while (fill < LIMB_PLACE_VALUE(LIMBPERM(i)) && j < (with_hibit ? X_SER_BYTES : SER_BYTES)) {
buffer |= ((dword_t)serial[j]) << fill;
fill += 8;
j++;
}
x->limb[LIMBPERM(i)] = (i<NLIMBS-1) ? buffer & LIMB_MASK(LIMBPERM(i)) : buffer;
fill -= LIMB_PLACE_VALUE(LIMBPERM(i));
buffer >>= LIMB_PLACE_VALUE(LIMBPERM(i));
scarry = (scarry + x->limb[LIMBPERM(i)] - MODULUS->limb[LIMBPERM(i)]) >> (8*sizeof(word_t));
}
mask_t succ = with_hibit ? -(mask_t)1 : ~gf_hibit(x);
return succ & word_is_zero(buffer) & ~word_is_zero(scarry);
}

/** Reduce to canonical form. */
void gf_strong_reduce (gf a) {
/* first, clear high */
gf_weak_reduce(a); /* Determined to have negligible perf impact. */

/* now the total is less than 2p */

/* compute total_value - p. No need to reduce mod p. */
dsword_t scarry = 0;
for (unsigned int i=0; i<NLIMBS; i++) {
scarry = scarry + a->limb[LIMBPERM(i)] - MODULUS->limb[LIMBPERM(i)];
a->limb[LIMBPERM(i)] = scarry & LIMB_MASK(LIMBPERM(i));
scarry >>= LIMB_PLACE_VALUE(LIMBPERM(i));
}

/* uncommon case: it was >= p, so now scarry = 0 and this = x
* common case: it was < p, so now scarry = -1 and this = x - p + 2^255
* so let's add back in p. will carry back off the top for 2^255.
*/
assert(word_is_zero(scarry) | word_is_zero(scarry+1));

word_t scarry_0 = scarry;
dword_t carry = 0;

/* add it back */
for (unsigned int i=0; i<NLIMBS; i++) {
carry = carry + a->limb[LIMBPERM(i)] + (scarry_0 & MODULUS->limb[LIMBPERM(i)]);
a->limb[LIMBPERM(i)] = carry & LIMB_MASK(LIMBPERM(i));
carry >>= LIMB_PLACE_VALUE(LIMBPERM(i));
}

assert(word_is_zero(carry + scarry_0));
}

/** Add two gf elements */
void gf_sub (gf d, const gf a, const gf b) {
gf_sub_RAW ( d, a, b );
gf_bias( d, 2 );
gf_weak_reduce ( d );
}

/** Subtract d = a-b */
void gf_add (gf d, const gf a, const gf b) {
gf_add_RAW ( d, a, b );
gf_weak_reduce ( d );
}

/** Compare a==b */
mask_t gf_eq(const gf a, const gf b) {
gf c;
gf_sub(c,a,b);
gf_strong_reduce(c);
mask_t ret=0;
for (unsigned int i=0; i<NLIMBS; i++) {
ret |= c->limb[LIMBPERM(i)];
}

return word_is_zero(ret);
}

+ 108
- 0
src/GENERATED/c/p448/f_field.h View File

@@ -0,0 +1,108 @@
/**
* @file p448/f_field.h
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
* @brief Field-specific code for 2^448 - 2^224 - 1.
*
* @warning This file was automatically generated in Python.
* Please do not edit it.
*/

#ifndef __P448_F_FIELD_H__
#define __P448_F_FIELD_H__ 1

#include "constant_time.h"
#include <string.h>
#include <assert.h>

#include "word.h"

#define __DECAF_448_GF_DEFINED__ 1
#define NLIMBS (64/sizeof(word_t))
#define X_SER_BYTES 56
#define SER_BYTES 56
typedef struct gf_448_s {
word_t limb[NLIMBS];
} __attribute__((aligned(32))) gf_448_s, gf_448_t[1];

#define GF_LIT_LIMB_BITS 56
#define GF_BITS 448
#define ZERO gf_448_ZERO
#define ONE gf_448_ONE
#define MODULUS gf_448_MODULUS
#define gf gf_448_t
#define gf_s gf_448_s
#define gf_eq gf_448_eq
#define gf_hibit gf_448_hibit
#define gf_copy gf_448_copy
#define gf_add gf_448_add
#define gf_sub gf_448_sub
#define gf_add_RAW gf_448_add_RAW
#define gf_sub_RAW gf_448_sub_RAW
#define gf_bias gf_448_bias
#define gf_weak_reduce gf_448_weak_reduce
#define gf_strong_reduce gf_448_strong_reduce
#define gf_mul gf_448_mul
#define gf_sqr gf_448_sqr
#define gf_mulw_unsigned gf_448_mulw_unsigned
#define gf_isr gf_448_isr
#define gf_serialize gf_448_serialize
#define gf_deserialize gf_448_deserialize

/* RFC 7748 support */
#define X_PUBLIC_BYTES X_SER_BYTES
#define X_PRIVATE_BYTES X_PUBLIC_BYTES
#define X_PRIVATE_BITS 448

#define SQRT_MINUS_ONE P448_SQRT_MINUS_ONE /* might not be defined */

#define INLINE_UNUSED __inline__ __attribute__((unused,always_inline))

#ifdef __cplusplus
extern "C" {
#endif

/* Defined below in f_impl.h */
static INLINE_UNUSED void gf_copy (gf out, const gf a) { *out = *a; }
static INLINE_UNUSED void gf_add_RAW (gf out, const gf a, const gf b);
static INLINE_UNUSED void gf_sub_RAW (gf out, const gf a, const gf b);
static INLINE_UNUSED void gf_bias (gf inout, int amount);
static INLINE_UNUSED void gf_weak_reduce (gf inout);

void gf_strong_reduce (gf inout);
void gf_add (gf out, const gf a, const gf b);
void gf_sub (gf out, const gf a, const gf b);
void gf_mul (gf_s *__restrict__ out, const gf a, const gf b);
void gf_mulw_unsigned (gf_s *__restrict__ out, const gf a, uint32_t b);
void gf_sqr (gf_s *__restrict__ out, const gf a);
mask_t gf_isr(gf a, const gf x); /** a^2 x = 1, QNR, or 0 if x=0. Return true if successful */
mask_t gf_eq (const gf x, const gf y);
mask_t gf_hibit (const gf x);

void gf_serialize (uint8_t *serial, const gf x,int with_highbit);
mask_t gf_deserialize (gf x, const uint8_t serial[SER_BYTES],int with_highbit);


#ifdef __cplusplus
} /* extern "C" */
#endif

#include "f_impl.h" /* Bring in the inline implementations */

#define P_MOD_8 7
#if P_MOD_8 == 5
extern const gf SQRT_MINUS_ONE;
#endif

#ifndef LIMBPERM
#define LIMBPERM(i) (i)
#endif
#define LIMB_MASK(i) (((1ull)<<LIMB_PLACE_VALUE(i))-1)

static const gf ZERO = {{{0}}}, ONE = {{{ [LIMBPERM(0)] = 1 }}};

#endif /* __P448_F_FIELD_H__ */

+ 133
- 0
src/GENERATED/c/p448/f_generic.c View File

@@ -0,0 +1,133 @@
/**
* @file p448/f_generic.c
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
* @brief Generic arithmetic which has to be compiled per field.
*
* @warning This file was automatically generated in Python.
* Please do not edit it.
*/
#include "field.h"

static const gf MODULUS = {FIELD_LITERAL(
0xffffffffffffff, 0xffffffffffffff, 0xffffffffffffff, 0xffffffffffffff, 0xfffffffffffffe, 0xffffffffffffff, 0xffffffffffffff, 0xffffffffffffff
)};
#if P_MOD_8 == 5
const gf SQRT_MINUS_ONE = {FIELD_LITERAL(
/* NOPE */
)};
#endif

/** Serialize to wire format. */
void gf_serialize (uint8_t serial[SER_BYTES], const gf x, int with_hibit) {
gf red;
gf_copy(red, x);
gf_strong_reduce(red);
if (!with_hibit) { assert(gf_hibit(red) == 0); }
unsigned int j=0, fill=0;
dword_t buffer = 0;
UNROLL for (unsigned int i=0; i<(with_hibit ? X_SER_BYTES : SER_BYTES); i++) {
if (fill < 8 && j < NLIMBS) {
buffer |= ((dword_t)red->limb[LIMBPERM(j)]) << fill;
fill += LIMB_PLACE_VALUE(LIMBPERM(j));
j++;
}
serial[i] = buffer;
fill -= 8;
buffer >>= 8;
}
}

/** Return high bit of x = low bit of 2x mod p */
mask_t gf_hibit(const gf x) {
gf y;
gf_add(y,x,x);
gf_strong_reduce(y);
return -(y->limb[0]&1);
}

/** Deserialize from wire format; return -1 on success and 0 on failure. */
mask_t gf_deserialize (gf x, const uint8_t serial[SER_BYTES], int with_hibit) {
unsigned int j=0, fill=0;
dword_t buffer = 0;
dsword_t scarry = 0;
UNROLL for (unsigned int i=0; i<NLIMBS; i++) {
UNROLL while (fill < LIMB_PLACE_VALUE(LIMBPERM(i)) && j < (with_hibit ? X_SER_BYTES : SER_BYTES)) {
buffer |= ((dword_t)serial[j]) << fill;
fill += 8;
j++;
}
x->limb[LIMBPERM(i)] = (i<NLIMBS-1) ? buffer & LIMB_MASK(LIMBPERM(i)) : buffer;
fill -= LIMB_PLACE_VALUE(LIMBPERM(i));
buffer >>= LIMB_PLACE_VALUE(LIMBPERM(i));
scarry = (scarry + x->limb[LIMBPERM(i)] - MODULUS->limb[LIMBPERM(i)]) >> (8*sizeof(word_t));
}
mask_t succ = with_hibit ? -(mask_t)1 : ~gf_hibit(x);
return succ & word_is_zero(buffer) & ~word_is_zero(scarry);
}

/** Reduce to canonical form. */
void gf_strong_reduce (gf a) {
/* first, clear high */
gf_weak_reduce(a); /* Determined to have negligible perf impact. */

/* now the total is less than 2p */

/* compute total_value - p. No need to reduce mod p. */
dsword_t scarry = 0;
for (unsigned int i=0; i<NLIMBS; i++) {
scarry = scarry + a->limb[LIMBPERM(i)] - MODULUS->limb[LIMBPERM(i)];
a->limb[LIMBPERM(i)] = scarry & LIMB_MASK(LIMBPERM(i));
scarry >>= LIMB_PLACE_VALUE(LIMBPERM(i));
}

/* uncommon case: it was >= p, so now scarry = 0 and this = x
* common case: it was < p, so now scarry = -1 and this = x - p + 2^255
* so let's add back in p. will carry back off the top for 2^255.
*/
assert(word_is_zero(scarry) | word_is_zero(scarry+1));

word_t scarry_0 = scarry;
dword_t carry = 0;

/* add it back */
for (unsigned int i=0; i<NLIMBS; i++) {
carry = carry + a->limb[LIMBPERM(i)] + (scarry_0 & MODULUS->limb[LIMBPERM(i)]);
a->limb[LIMBPERM(i)] = carry & LIMB_MASK(LIMBPERM(i));
carry >>= LIMB_PLACE_VALUE(LIMBPERM(i));
}

assert(word_is_zero(carry + scarry_0));
}

/** Add two gf elements */
void gf_sub (gf d, const gf a, const gf b) {
gf_sub_RAW ( d, a, b );
gf_bias( d, 2 );
gf_weak_reduce ( d );
}

/** Subtract d = a-b */
void gf_add (gf d, const gf a, const gf b) {
gf_add_RAW ( d, a, b );
gf_weak_reduce ( d );
}

/** Compare a==b */
mask_t gf_eq(const gf a, const gf b) {
gf c;
gf_sub(c,a,b);
gf_strong_reduce(c);
mask_t ret=0;
for (unsigned int i=0; i<NLIMBS; i++) {
ret |= c->limb[LIMBPERM(i)];
}

return word_is_zero(ret);
}

+ 32
- 0
src/GENERATED/include/decaf.h View File

@@ -0,0 +1,32 @@
/**
* @file decaf.h
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
* Master header for Decaf library.
*
* The Decaf library implements cryptographic operations on a elliptic curve
* groups of prime order p. It accomplishes this by using a twisted Edwards
* curve (isogenous to Ed448-Goldilocks or Ed25519) and wiping out the cofactor.
*
* The formulas are all complete and have no special cases. However, some
* functions can fail. For example, decoding functions can fail because not
* every string is the encoding of a valid group element.
*
* The formulas contain no data-dependent branches, timing or memory accesses,
* except for decaf_XXX_base_double_scalarmul_non_secret.
*
* @warning This file was automatically generated in Python.
* Please do not edit it.
*/

#ifndef __DECAF_H__
#define __DECAF_H__ 1

#include <decaf/decaf_255.h>
#include <decaf/decaf_448.h>

#endif /* __DECAF_H__ */

+ 29
- 0
src/GENERATED/include/decaf.hxx View File

@@ -0,0 +1,29 @@
/**
* @file decaf.hxx
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
* Master header for Decaf library, C++ version.
*
* @warning This file was automatically generated in Python.
* Please do not edit it.
*/

#ifndef __DECAF_HXX__
#define __DECAF_HXX__ 1

#include <decaf/decaf_255.hxx>
#include <decaf/decaf_448.hxx>

namespace decaf {
template <template<typename Group> class Run>
void run_for_all_curves() {
Run<IsoEd25519>::run();
Run<Ed448Goldilocks>::run();
}
}

#endif /* __DECAF_HXX__ */

+ 111
- 0
src/GENERATED/include/decaf/common.h View File

@@ -0,0 +1,111 @@
/**
* @file decaf/common.h
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
* @brief Common utility headers for Decaf library.
*/

#ifndef __DECAF_COMMON_H__
#define __DECAF_COMMON_H__ 1

#include <stdint.h>
#include <sys/types.h>

#ifdef __cplusplus
extern "C" {
#endif

/* Goldilocks' build flags default to hidden and stripping executables. */
/** @cond internal */
#if defined(DOXYGEN) && !defined(__attribute__)
#define __attribute__((x))
#endif
#define API_VIS __attribute__((visibility("default")))
#define NOINLINE __attribute__((noinline))
#define WARN_UNUSED __attribute__((warn_unused_result))
#define NONNULL __attribute__((nonnull))
#define INLINE inline __attribute__((always_inline))
#define UNUSED __attribute__((unused))
/** @endcond */

/* Internal word types.
*
* Somewhat tricky. This could be decided separately per platform. However,
* the structs do need to be all the same size and alignment on a given
* platform to support dynamic linking, since even if you header was built
* with eg arch_neon, you might end up linking a library built with arch_arm32.
*/
#ifndef DECAF_WORD_BITS
#if (defined(__ILP64__) || defined(__amd64__) || defined(__x86_64__) || (((__UINT_FAST32_MAX__)>>30)>>30))
#define DECAF_WORD_BITS 64 /**< The number of bits in a word */
#else
#define DECAF_WORD_BITS 32 /**< The number of bits in a word */
#endif
#endif
#if DECAF_WORD_BITS == 64
typedef uint64_t decaf_word_t; /**< Word size for internal computations */
typedef int64_t decaf_sword_t; /**< Signed word size for internal computations */
typedef uint64_t decaf_bool_t; /**< "Boolean" type, will be set to all-zero or all-one (i.e. -1u) */
typedef __uint128_t decaf_dword_t; /**< Double-word size for internal computations */
typedef __int128_t decaf_dsword_t; /**< Signed double-word size for internal computations */
#elif DECAF_WORD_BITS == 32 /**< The number of bits in a word */
typedef uint32_t decaf_word_t; /**< Word size for internal computations */
typedef int32_t decaf_sword_t; /**< Signed word size for internal computations */
typedef uint32_t decaf_bool_t; /**< "Boolean" type, will be set to all-zero or all-one (i.e. -1u) */
typedef uint64_t decaf_dword_t; /**< Double-word size for internal computations */
typedef int64_t decaf_dsword_t; /**< Signed double-word size for internal computations */
#else
#error "Only supporting DECAF_WORD_BITS = 32 or 64 for now"
#endif
/** DECAF_TRUE = -1 so that DECAF_TRUE & x = x */
static const decaf_bool_t DECAF_TRUE = -(decaf_bool_t)1;

/** DECAF_FALSE = 0 so that DECAF_FALSE & x = 0 */
static const decaf_bool_t DECAF_FALSE = 0;

/** Another boolean type used to indicate success or failure. */
typedef enum {
DECAF_SUCCESS = -1, /**< The operation succeeded. */
DECAF_FAILURE = 0 /**< The operation failed. */
} decaf_error_t;


/** Return success if x is true */
static __inline__ __attribute__((unused,always_inline))
decaf_error_t
decaf_succeed_if(decaf_bool_t x) {
return (decaf_error_t)x;
}

/** Return DECAF_TRUE iff x == DECAF_SUCCESS */
static __inline__ __attribute__((unused,always_inline))
decaf_bool_t
decaf_successful(decaf_error_t e) {
decaf_dword_t w = ((decaf_word_t)e) ^ ((decaf_word_t)DECAF_SUCCESS);
return (w-1)>>DECAF_WORD_BITS;
}
/** Overwrite data with zeros. Uses memset_s if available. */
void decaf_bzero (
void *data,
size_t size
) NONNULL API_VIS;

/** Compare two buffers, returning DECAF_TRUE if they are equal. */
decaf_bool_t decaf_memeq (
const void *data1,
const void *data2,
size_t size
) NONNULL WARN_UNUSED API_VIS;
#ifdef __cplusplus
} /* extern "C" */
#endif
#endif /* __DECAF_COMMON_H__ */

+ 24
- 0
src/GENERATED/include/decaf/crypto.h View File

@@ -0,0 +1,24 @@
/**
* @file decaf/crypto.h
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
* Example Decaf crypto routines, metaheader.
* @warning These are merely examples, though they ought to be secure. But real
* protocols will decide differently on magic numbers, formats, which items to
* hash, etc.
*
* @warning This file was automatically generated in Python.
* Please do not edit it.
*/

#ifndef __DECAF_CRYPTO_H__
#define __DECAF_CRYPTO_H__ 1

#include <decaf/crypto_255.h>
#include <decaf/crypto_448.h>

#endif /* __DECAF_CRYPTO_H__ */

+ 24
- 0
src/GENERATED/include/decaf/crypto.hxx View File

@@ -0,0 +1,24 @@
/**
* @file decaf/crypto.hxx
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
* Example Decaf crypto routines, C++ metaheader.
* @warning These are merely examples, though they ought to be secure. But real
* protocols will decide differently on magic numbers, formats, which items to
* hash, etc.
*
* @warning This file was automatically generated in Python.
* Please do not edit it.
*/

#ifndef __DECAF_CRYPTO_HXX__
#define __DECAF_CRYPTO_HXX__ 1

#include <decaf/crypto_255.hxx>
#include <decaf/crypto_448.hxx>

#endif /* __DECAF_CRYPTO_HXX__ */

+ 178
- 0
src/GENERATED/include/decaf/crypto_255.h View File

@@ -0,0 +1,178 @@
/**
* @file decaf/crypto_255.h
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
* Example Decaf crypto routines.
* @warning These are merely examples, though they ought to be secure. But real
* protocols will decide differently on magic numbers, formats, which items to
* hash, etc.
* @warning Experimental! The names, parameter orders etc are likely to change.
*
* @warning This file was automatically generated in Python.
* Please do not edit it.
*/

#ifndef __DECAF_CRYPTO_255_H__
#define __DECAF_CRYPTO_255_H__ 1

#include <decaf/decaf_255.h>
#include <decaf/strobe.h>

#ifdef __cplusplus
extern "C" {
#endif

/** Number of bytes for a symmetric key (expanded to full key) */
#define DECAF_255_SYMMETRIC_KEY_BYTES 32

/** A symmetric key, the compressed point of a private key. */
typedef unsigned char decaf_255_symmetric_key_t[DECAF_255_SYMMETRIC_KEY_BYTES];

/** An encoded public key. */
typedef unsigned char decaf_255_public_key_t[DECAF_255_SER_BYTES];

/** A signature. */
typedef unsigned char decaf_255_signature_t[DECAF_255_SER_BYTES + DECAF_255_SCALAR_BYTES];

typedef struct {
/** @cond internal */
/** The symmetric key from which everything is expanded */
decaf_255_symmetric_key_t sym;
/** The scalar x */
decaf_255_scalar_t secret_scalar;
/** x*Base */
decaf_255_public_key_t pub;
/** @endcond */
} /** Private key structure for pointers. */
decaf_255_private_key_s,
/** A private key (gmp array[1] style). */
decaf_255_private_key_t[1];
/**
* Derive a key from its compressed form.
* @param [out] priv The derived private key.
* @param [in] proto The compressed or proto-key, which must be 32 random bytes.
*/
void decaf_255_derive_private_key (
decaf_255_private_key_t priv,
const decaf_255_symmetric_key_t proto
) NONNULL API_VIS;

/**
* Destroy a private key.
*/
void decaf_255_destroy_private_key (
decaf_255_private_key_t priv
) NONNULL API_VIS;

/**
* Convert a private key to a public one.
* @param [out] pub The extracted private key.
* @param [in] priv The private key.
*/
void decaf_255_private_to_public (
decaf_255_public_key_t pub,
const decaf_255_private_key_t priv
) NONNULL API_VIS;
/**
* Compute a Diffie-Hellman shared secret.
*
* This is an example routine; real protocols would use something
* protocol-specific.
*
* @param [out] shared A buffer to store the shared secret.
* @param [in] shared_bytes The size of the buffer.
* @param [in] my_privkey My private key.
* @param [in] your_pubkey Your public key.
* @param [in] me_first Direction flag to break symmetry.
*
* @retval DECAF_SUCCESS Key exchange was successful.
* @retval DECAF_FAILURE Key exchange failed.
*/
decaf_error_t
decaf_255_shared_secret (
uint8_t *shared,
size_t shared_bytes,
const decaf_255_private_key_t my_privkey,
const decaf_255_public_key_t your_pubkey,
int me_first
) NONNULL WARN_UNUSED API_VIS;
/**
* Sign a message from a STROBE context.
*
* @param [out] sig The signature.
* @param [in] priv Your private key.
* @param [in] strobe A STROBE context with the message.
*/
void
decaf_255_sign_strobe (
keccak_strobe_t strobe,
decaf_255_signature_t sig,
const decaf_255_private_key_t priv
) NONNULL API_VIS;

/**
* Sign a message.
*
* @param [out] sig The signature.
* @param [in] priv Your private key.
* @param [in] message The message.
* @param [in] message_len The message's length.
*/
void
decaf_255_sign (
decaf_255_signature_t sig,
const decaf_255_private_key_t priv,
const unsigned char *message,
size_t message_len
) NONNULL API_VIS;

/**
* Verify a signed message from its STROBE context.
*
* @param [in] sig The signature.
* @param [in] pub The public key.
* @param [in] strobe A STROBE context with the message.
*
* @return DECAF_SUCCESS The signature verified successfully.
* @return DECAF_FAILURE The signature did not verify successfully.
*/
decaf_error_t
decaf_255_verify_strobe (
keccak_strobe_t strobe,
const decaf_255_signature_t sig,
const decaf_255_public_key_t pub
) NONNULL API_VIS WARN_UNUSED;

/**
* Verify a signed message.
*
* @param [in] sig The signature.
* @param [in] pub The public key.
* @param [in] message The message.
* @param [in] message_len The message's length.
*
* @return DECAF_SUCCESS The signature verified successfully.
* @return DECAF_FAILURE The signature did not verify successfully.
*/
decaf_error_t
decaf_255_verify (
const decaf_255_signature_t sig,
const decaf_255_public_key_t pub,
const unsigned char *message,
size_t message_len
) NONNULL API_VIS WARN_UNUSED;

#ifdef __cplusplus
} /* extern "C" */
#endif

#endif /* __DECAF_CRYPTO_255_H__ */

+ 216
- 0
src/GENERATED/include/decaf/crypto_255.hxx View File

@@ -0,0 +1,216 @@
/**
* @file decaf/crypto_255.hxx
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
*
*
* @warning This file was automatically generated in Python.
* Please do not edit it.
*/

#ifndef __DECAF_CRYPTO_255_HXX__
#define __DECAF_CRYPTO_255_HXX__ 1
/*
* Example Decaf cyrpto routines, C++ wrapper.
* @warning These are merely examples, though they ought to be secure. But real
* protocols will decide differently on magic numbers, formats, which items to
* hash, etc.
* @warning Experimental! The names, parameter orders etc are likely to change.
*/

#include <decaf/decaf_255.hxx>
#include <decaf/shake.hxx>
#include <decaf/strobe.hxx>

/** @cond internal */
#if __cplusplus >= 201103L
#define NOEXCEPT noexcept
#else
#define NOEXCEPT throw()
#endif
/** @endcond */

namespace decaf {

/** A public key for crypto over some Group */
template <typename Group> class PublicKey;

/** A private key for crypto over some Group */
template <typename Group> class PrivateKey;

/** A public key for crypto over Iso-Ed25519 */
template<> class PublicKey<IsoEd25519>
: public Serializable< PublicKey<IsoEd25519> > {
private:
/** @cond internal */
typedef decaf_255_public_key_t Wrapped;
Wrapped wrapped;
template<class Group> friend class PrivateKey;
/** @endcond */
public:
/** Underlying group */
typedef IsoEd25519 Group;
/** Signature size. */
static const size_t SIG_BYTES = sizeof(decaf_255_signature_t);
/** Serialization size. */
static const size_t SER_BYTES = sizeof(Wrapped);
/** Read a private key from a string*/
inline explicit PublicKey(const FixedBlock<SER_BYTES> &b) NOEXCEPT {
memcpy(wrapped,b.data(),sizeof(wrapped));
}
/** Read a private key from a string*/
inline explicit PublicKey(const PrivateKey<IsoEd25519> &b) NOEXCEPT;
/** Create but don't initialize */
inline explicit PublicKey(const NOINIT&) NOEXCEPT { }
/** Serialize into a buffer. */
inline void serialize_into(unsigned char *x) const NOEXCEPT {
memcpy(x,wrapped,sizeof(wrapped));
}
/** Serialization size. */
inline size_t ser_size() const NOEXCEPT { return SER_BYTES; }
/** Verify a message */
inline void verify(
const Block &message,
const FixedBlock<SIG_BYTES> &sig
) const throw(CryptoException) {
if (DECAF_SUCCESS != decaf_255_verify(sig.data(),wrapped,message.data(),message.size())) {
throw(CryptoException());
}
}
/** Verify a message */
inline void verify(
Strobe &context,
const FixedBlock<SIG_BYTES> &sig
) const throw(CryptoException) {
if (DECAF_SUCCESS != decaf_255_verify_strobe(context.wrapped,sig.data(),wrapped)) {
throw(CryptoException());
}
}
};

/** A private key for crypto over Iso-Ed25519 */
template<> class PrivateKey<IsoEd25519>
: public Serializable< PrivateKey<IsoEd25519> > {
private:
/** @cond internal */
typedef decaf_255_private_key_t Wrapped;
Wrapped wrapped;
template<class Group> friend class PublicKey;
/** @endcond */
public:
/** Underlying group */
typedef IsoEd25519 Group;
/** Signature size. */
static const size_t SIG_BYTES = sizeof(decaf_255_signature_t);
/** Serialization size. */
static const size_t SER_BYTES = sizeof(Wrapped);
/** Compressed size. */
static const size_t SYM_BYTES = DECAF_255_SYMMETRIC_KEY_BYTES;
/** Create but don't initialize */
inline explicit PrivateKey(const NOINIT&) NOEXCEPT { }
/** Read a private key from a string*/
inline explicit PrivateKey(const FixedBlock<SER_BYTES> &b) NOEXCEPT {
memcpy(wrapped,b.data(),sizeof(wrapped));
}
/** Read a private key from a string*/
inline explicit PrivateKey(const FixedBlock<SYM_BYTES> &b) NOEXCEPT {
decaf_255_derive_private_key(wrapped, b.data());
}
/** Create at random */
inline explicit PrivateKey(Rng &r) NOEXCEPT {
FixedArrayBuffer<SYM_BYTES> tmp(r);
decaf_255_derive_private_key(wrapped, tmp.data());
}
/** Secure destructor */
inline ~PrivateKey() NOEXCEPT {
decaf_255_destroy_private_key(wrapped);
}
/** Serialization size. */
inline size_t ser_size() const NOEXCEPT { return SER_BYTES; }
/** Serialize into a buffer. */
inline void serialize_into(unsigned char *x) const NOEXCEPT {
memcpy(x,wrapped,sizeof(wrapped));
}
/** Compressed serialize. */
inline SecureBuffer compress() const throw(std::bad_alloc) {
SecureBuffer ret(sizeof(wrapped->sym));
memcpy(ret.data(),wrapped->sym,sizeof(wrapped->sym));
return ret;
}
/** Get the public key */
inline PublicKey<IsoEd25519> pub() const NOEXCEPT {
PublicKey<IsoEd25519> ret(*this); return ret;
}
/** Derive a shared secret */
inline SecureBuffer shared_secret(
const PublicKey<IsoEd25519> &pub,
size_t bytes,
bool me_first
) const throw(CryptoException,std::bad_alloc) {
SecureBuffer ret(bytes);
if (DECAF_SUCCESS != decaf_255_shared_secret(ret.data(),bytes,wrapped,pub.wrapped,me_first)) {
throw(CryptoException());
}
return ret;
}
/** Derive a shared secret */
inline decaf_error_t __attribute__((warn_unused_result))
shared_secret_noexcept(
Buffer ret,
const PublicKey<IsoEd25519> &pub,
bool me_first
) const NOEXCEPT {
return decaf_255_shared_secret(ret.data(),ret.size(),wrapped,pub.wrapped,me_first);
}

/** Sign a message. */
inline SecureBuffer sign(const Block &message) const {
SecureBuffer sig(SIG_BYTES);
decaf_255_sign(sig.data(), wrapped, message.data(), message.size());
return sig;
}

/** Sign a message. */
inline SecureBuffer verify(Strobe &context) const {
SecureBuffer sig(SIG_BYTES);
decaf_255_sign_strobe(context.wrapped, sig.data(), wrapped);
return sig;
}
};

/** @cond internal */
PublicKey<IsoEd25519>::PublicKey(const PrivateKey<IsoEd25519> &b) NOEXCEPT {
decaf_255_private_to_public(wrapped,b.wrapped);
}
/** @endcond */

#undef NOEXCEPT
} /* namespace decaf */
#endif /* __DECAF_CRYPTO_255_HXX__ */

+ 178
- 0
src/GENERATED/include/decaf/crypto_448.h View File

@@ -0,0 +1,178 @@
/**
* @file decaf/crypto_448.h
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
* Example Decaf crypto routines.
* @warning These are merely examples, though they ought to be secure. But real
* protocols will decide differently on magic numbers, formats, which items to
* hash, etc.
* @warning Experimental! The names, parameter orders etc are likely to change.
*
* @warning This file was automatically generated in Python.
* Please do not edit it.
*/

#ifndef __DECAF_CRYPTO_448_H__
#define __DECAF_CRYPTO_448_H__ 1

#include <decaf/decaf_448.h>
#include <decaf/strobe.h>

#ifdef __cplusplus
extern "C" {
#endif

/** Number of bytes for a symmetric key (expanded to full key) */
#define DECAF_448_SYMMETRIC_KEY_BYTES 32

/** A symmetric key, the compressed point of a private key. */
typedef unsigned char decaf_448_symmetric_key_t[DECAF_448_SYMMETRIC_KEY_BYTES];

/** An encoded public key. */
typedef unsigned char decaf_448_public_key_t[DECAF_448_SER_BYTES];

/** A signature. */
typedef unsigned char decaf_448_signature_t[DECAF_448_SER_BYTES + DECAF_448_SCALAR_BYTES];

typedef struct {
/** @cond internal */
/** The symmetric key from which everything is expanded */
decaf_448_symmetric_key_t sym;
/** The scalar x */
decaf_448_scalar_t secret_scalar;
/** x*Base */
decaf_448_public_key_t pub;
/** @endcond */
} /** Private key structure for pointers. */
decaf_448_private_key_s,
/** A private key (gmp array[1] style). */
decaf_448_private_key_t[1];
/**
* Derive a key from its compressed form.
* @param [out] priv The derived private key.
* @param [in] proto The compressed or proto-key, which must be 32 random bytes.
*/
void decaf_448_derive_private_key (
decaf_448_private_key_t priv,
const decaf_448_symmetric_key_t proto
) NONNULL API_VIS;

/**
* Destroy a private key.
*/
void decaf_448_destroy_private_key (
decaf_448_private_key_t priv
) NONNULL API_VIS;

/**
* Convert a private key to a public one.
* @param [out] pub The extracted private key.
* @param [in] priv The private key.
*/
void decaf_448_private_to_public (
decaf_448_public_key_t pub,
const decaf_448_private_key_t priv
) NONNULL API_VIS;
/**
* Compute a Diffie-Hellman shared secret.
*
* This is an example routine; real protocols would use something
* protocol-specific.
*
* @param [out] shared A buffer to store the shared secret.
* @param [in] shared_bytes The size of the buffer.
* @param [in] my_privkey My private key.
* @param [in] your_pubkey Your public key.
* @param [in] me_first Direction flag to break symmetry.
*
* @retval DECAF_SUCCESS Key exchange was successful.
* @retval DECAF_FAILURE Key exchange failed.
*/
decaf_error_t
decaf_448_shared_secret (
uint8_t *shared,
size_t shared_bytes,
const decaf_448_private_key_t my_privkey,
const decaf_448_public_key_t your_pubkey,
int me_first
) NONNULL WARN_UNUSED API_VIS;
/**
* Sign a message from a STROBE context.
*
* @param [out] sig The signature.
* @param [in] priv Your private key.
* @param [in] strobe A STROBE context with the message.
*/
void
decaf_448_sign_strobe (
keccak_strobe_t strobe,
decaf_448_signature_t sig,
const decaf_448_private_key_t priv
) NONNULL API_VIS;

/**
* Sign a message.
*
* @param [out] sig The signature.
* @param [in] priv Your private key.
* @param [in] message The message.
* @param [in] message_len The message's length.
*/
void
decaf_448_sign (
decaf_448_signature_t sig,
const decaf_448_private_key_t priv,
const unsigned char *message,
size_t message_len
) NONNULL API_VIS;

/**
* Verify a signed message from its STROBE context.
*
* @param [in] sig The signature.
* @param [in] pub The public key.
* @param [in] strobe A STROBE context with the message.
*
* @return DECAF_SUCCESS The signature verified successfully.
* @return DECAF_FAILURE The signature did not verify successfully.
*/
decaf_error_t
decaf_448_verify_strobe (
keccak_strobe_t strobe,
const decaf_448_signature_t sig,
const decaf_448_public_key_t pub
) NONNULL API_VIS WARN_UNUSED;

/**
* Verify a signed message.
*
* @param [in] sig The signature.
* @param [in] pub The public key.
* @param [in] message The message.
* @param [in] message_len The message's length.
*
* @return DECAF_SUCCESS The signature verified successfully.
* @return DECAF_FAILURE The signature did not verify successfully.
*/
decaf_error_t
decaf_448_verify (
const decaf_448_signature_t sig,
const decaf_448_public_key_t pub,
const unsigned char *message,
size_t message_len
) NONNULL API_VIS WARN_UNUSED;

#ifdef __cplusplus
} /* extern "C" */
#endif

#endif /* __DECAF_CRYPTO_448_H__ */

+ 216
- 0
src/GENERATED/include/decaf/crypto_448.hxx View File

@@ -0,0 +1,216 @@
/**
* @file decaf/crypto_448.hxx
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
*
*
* @warning This file was automatically generated in Python.
* Please do not edit it.
*/

#ifndef __DECAF_CRYPTO_448_HXX__
#define __DECAF_CRYPTO_448_HXX__ 1
/*
* Example Decaf cyrpto routines, C++ wrapper.
* @warning These are merely examples, though they ought to be secure. But real
* protocols will decide differently on magic numbers, formats, which items to
* hash, etc.
* @warning Experimental! The names, parameter orders etc are likely to change.
*/

#include <decaf/decaf_448.hxx>
#include <decaf/shake.hxx>
#include <decaf/strobe.hxx>

/** @cond internal */
#if __cplusplus >= 201103L
#define NOEXCEPT noexcept
#else
#define NOEXCEPT throw()
#endif
/** @endcond */

namespace decaf {

/** A public key for crypto over some Group */
template <typename Group> class PublicKey;

/** A private key for crypto over some Group */
template <typename Group> class PrivateKey;

/** A public key for crypto over Ed448-Goldilocks */
template<> class PublicKey<Ed448Goldilocks>
: public Serializable< PublicKey<Ed448Goldilocks> > {
private:
/** @cond internal */
typedef decaf_448_public_key_t Wrapped;
Wrapped wrapped;
template<class Group> friend class PrivateKey;
/** @endcond */
public:
/** Underlying group */
typedef Ed448Goldilocks Group;
/** Signature size. */
static const size_t SIG_BYTES = sizeof(decaf_448_signature_t);
/** Serialization size. */
static const size_t SER_BYTES = sizeof(Wrapped);
/** Read a private key from a string*/
inline explicit PublicKey(const FixedBlock<SER_BYTES> &b) NOEXCEPT {
memcpy(wrapped,b.data(),sizeof(wrapped));
}
/** Read a private key from a string*/
inline explicit PublicKey(const PrivateKey<Ed448Goldilocks> &b) NOEXCEPT;
/** Create but don't initialize */
inline explicit PublicKey(const NOINIT&) NOEXCEPT { }
/** Serialize into a buffer. */
inline void serialize_into(unsigned char *x) const NOEXCEPT {
memcpy(x,wrapped,sizeof(wrapped));
}
/** Serialization size. */
inline size_t ser_size() const NOEXCEPT { return SER_BYTES; }
/** Verify a message */
inline void verify(
const Block &message,
const FixedBlock<SIG_BYTES> &sig
) const throw(CryptoException) {
if (DECAF_SUCCESS != decaf_448_verify(sig.data(),wrapped,message.data(),message.size())) {
throw(CryptoException());
}
}
/** Verify a message */
inline void verify(
Strobe &context,
const FixedBlock<SIG_BYTES> &sig
) const throw(CryptoException) {
if (DECAF_SUCCESS != decaf_448_verify_strobe(context.wrapped,sig.data(),wrapped)) {
throw(CryptoException());
}
}
};

/** A private key for crypto over Ed448-Goldilocks */
template<> class PrivateKey<Ed448Goldilocks>
: public Serializable< PrivateKey<Ed448Goldilocks> > {
private:
/** @cond internal */
typedef decaf_448_private_key_t Wrapped;
Wrapped wrapped;
template<class Group> friend class PublicKey;
/** @endcond */
public:
/** Underlying group */
typedef Ed448Goldilocks Group;
/** Signature size. */
static const size_t SIG_BYTES = sizeof(decaf_448_signature_t);
/** Serialization size. */
static const size_t SER_BYTES = sizeof(Wrapped);
/** Compressed size. */
static const size_t SYM_BYTES = DECAF_448_SYMMETRIC_KEY_BYTES;
/** Create but don't initialize */
inline explicit PrivateKey(const NOINIT&) NOEXCEPT { }
/** Read a private key from a string*/
inline explicit PrivateKey(const FixedBlock<SER_BYTES> &b) NOEXCEPT {
memcpy(wrapped,b.data(),sizeof(wrapped));
}
/** Read a private key from a string*/
inline explicit PrivateKey(const FixedBlock<SYM_BYTES> &b) NOEXCEPT {
decaf_448_derive_private_key(wrapped, b.data());
}
/** Create at random */
inline explicit PrivateKey(Rng &r) NOEXCEPT {
FixedArrayBuffer<SYM_BYTES> tmp(r);
decaf_448_derive_private_key(wrapped, tmp.data());
}
/** Secure destructor */
inline ~PrivateKey() NOEXCEPT {
decaf_448_destroy_private_key(wrapped);
}
/** Serialization size. */
inline size_t ser_size() const NOEXCEPT { return SER_BYTES; }
/** Serialize into a buffer. */
inline void serialize_into(unsigned char *x) const NOEXCEPT {
memcpy(x,wrapped,sizeof(wrapped));
}
/** Compressed serialize. */
inline SecureBuffer compress() const throw(std::bad_alloc) {
SecureBuffer ret(sizeof(wrapped->sym));
memcpy(ret.data(),wrapped->sym,sizeof(wrapped->sym));
return ret;
}
/** Get the public key */
inline PublicKey<Ed448Goldilocks> pub() const NOEXCEPT {
PublicKey<Ed448Goldilocks> ret(*this); return ret;
}
/** Derive a shared secret */
inline SecureBuffer shared_secret(
const PublicKey<Ed448Goldilocks> &pub,
size_t bytes,
bool me_first
) const throw(CryptoException,std::bad_alloc) {
SecureBuffer ret(bytes);
if (DECAF_SUCCESS != decaf_448_shared_secret(ret.data(),bytes,wrapped,pub.wrapped,me_first)) {
throw(CryptoException());
}
return ret;
}
/** Derive a shared secret */
inline decaf_error_t __attribute__((warn_unused_result))
shared_secret_noexcept(
Buffer ret,
const PublicKey<Ed448Goldilocks> &pub,
bool me_first
) const NOEXCEPT {
return decaf_448_shared_secret(ret.data(),ret.size(),wrapped,pub.wrapped,me_first);
}

/** Sign a message. */
inline SecureBuffer sign(const Block &message) const {
SecureBuffer sig(SIG_BYTES);
decaf_448_sign(sig.data(), wrapped, message.data(), message.size());
return sig;
}

/** Sign a message. */
inline SecureBuffer verify(Strobe &context) const {
SecureBuffer sig(SIG_BYTES);
decaf_448_sign_strobe(context.wrapped, sig.data(), wrapped);
return sig;
}
};

/** @cond internal */
PublicKey<Ed448Goldilocks>::PublicKey(const PrivateKey<Ed448Goldilocks> &b) NOEXCEPT {
decaf_448_private_to_public(wrapped,b.wrapped);
}
/** @endcond */

#undef NOEXCEPT
} /* namespace decaf */
#endif /* __DECAF_CRYPTO_448_HXX__ */

+ 706
- 0
src/GENERATED/include/decaf/decaf_255.h View File

@@ -0,0 +1,706 @@
/**
* @file decaf/decaf_255.h
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
* @brief A group of prime order p, based on Curve25519.
*
* @warning This file was automatically generated in Python.
* Please do not edit it.
*/

#ifndef __DECAF_DECAF_255_H__
#define __DECAF_DECAF_255_H__ 1

#include <decaf/common.h>

#ifdef __cplusplus
extern "C" {
#endif

/** @cond internal */
#define DECAF_255_SCALAR_LIMBS ((253-1)/DECAF_WORD_BITS+1)
/** @endcond */

/** The number of bits in a scalar */
#define DECAF_255_SCALAR_BITS 253

/** @cond internal */
#ifndef __DECAF_25519_GF_DEFINED__
#define __DECAF_25519_GF_DEFINED__ 1
/** @brief Galois field element internal structure */
typedef struct gf_25519_s {
decaf_word_t limb[320/DECAF_WORD_BITS];
} __attribute__((aligned(32))) gf_25519_s, gf_25519_t[1];
#endif /* __DECAF_25519_GF_DEFINED__ */
/** @endcond */

/** Number of bytes in a serialized point. */
#define DECAF_255_SER_BYTES 32

/** Number of bytes in an elligated point. For now set the same as SER_BYTES
* but could be different for other curves.
*/
#define DECAF_255_HASH_BYTES 32

/** Number of bytes in a serialized scalar. */
#define DECAF_255_SCALAR_BYTES 32

/** Number of bits in the "which" field of an elligator inverse */
#define DECAF_255_INVERT_ELLIGATOR_WHICH_BITS 5

/** Number of bytes in an x25519 public key */
#define DECAF_X25519_PUBLIC_BYTES 32

/** Number of bytes in an x25519 private key */
#define DECAF_X25519_PRIVATE_BYTES 32

/** Twisted Edwards extended homogeneous coordinates */
typedef struct decaf_255_point_s {
/** @cond internal */
gf_25519_t x,y,z,t;
/** @endcond */
} decaf_255_point_t[1];

/** Precomputed table based on a point. Can be trivial implementation. */
struct decaf_255_precomputed_s;

/** Precomputed table based on a point. Can be trivial implementation. */
typedef struct decaf_255_precomputed_s decaf_255_precomputed_s;

/** Size and alignment of precomputed point tables. */
extern const size_t decaf_255_sizeof_precomputed_s API_VIS, decaf_255_alignof_precomputed_s API_VIS;

/** Scalar is stored packed, because we don't need the speed. */
typedef struct decaf_255_scalar_s {
/** @cond internal */
decaf_word_t limb[DECAF_255_SCALAR_LIMBS];
/** @endcond */
} decaf_255_scalar_t[1];

/** A scalar equal to 1. */
extern const decaf_255_scalar_t decaf_255_scalar_one API_VIS;

/** A scalar equal to 0. */
extern const decaf_255_scalar_t decaf_255_scalar_zero API_VIS;

/** The identity point on the curve. */
extern const decaf_255_point_t decaf_255_point_identity API_VIS;

/** An arbitrarily chosen base point on the curve. */
extern const decaf_255_point_t decaf_255_point_base API_VIS;

/** Precomputed table for the base point on the curve. */
extern const struct decaf_255_precomputed_s *decaf_255_precomputed_base API_VIS;

/**
* @brief Read a scalar from wire format or from bytes.
*
* @param [in] ser Serialized form of a scalar.
* @param [out] out Deserialized form.
*
* @retval DECAF_SUCCESS The scalar was correctly encoded.
* @retval DECAF_FAILURE The scalar was greater than the modulus,
* and has been reduced modulo that modulus.
*/
decaf_error_t decaf_255_scalar_decode (
decaf_255_scalar_t out,
const unsigned char ser[DECAF_255_SCALAR_BYTES]
) API_VIS WARN_UNUSED NONNULL NOINLINE;

/**
* @brief Read a scalar from wire format or from bytes. Reduces mod
* scalar prime.
*
* @param [in] ser Serialized form of a scalar.
* @param [in] ser_len Length of serialized form.
* @param [out] out Deserialized form.
*/
void decaf_255_scalar_decode_long (
decaf_255_scalar_t out,
const unsigned char *ser,
size_t ser_len
) API_VIS NONNULL NOINLINE;
/**
* @brief Serialize a scalar to wire format.
*
* @param [out] ser Serialized form of a scalar.
* @param [in] s Deserialized scalar.
*/
void decaf_255_scalar_encode (
unsigned char ser[DECAF_255_SCALAR_BYTES],
const decaf_255_scalar_t s
) API_VIS NONNULL NOINLINE NOINLINE;
/**
* @brief Add two scalars. The scalars may use the same memory.
* @param [in] a One scalar.
* @param [in] b Another scalar.
* @param [out] out a+b.
*/
void decaf_255_scalar_add (
decaf_255_scalar_t out,
const decaf_255_scalar_t a,
const decaf_255_scalar_t b
) API_VIS NONNULL NOINLINE;

/**
* @brief Compare two scalars.
* @param [in] a One scalar.
* @param [in] b Another scalar.
* @retval DECAF_TRUE The scalars are equal.
* @retval DECAF_FALSE The scalars are not equal.
*/
decaf_bool_t decaf_255_scalar_eq (
const decaf_255_scalar_t a,
const decaf_255_scalar_t b
) API_VIS WARN_UNUSED NONNULL NOINLINE;

/**
* @brief Subtract two scalars. The scalars may use the same memory.
* @param [in] a One scalar.
* @param [in] b Another scalar.
* @param [out] out a-b.
*/
void decaf_255_scalar_sub (
decaf_255_scalar_t out,
const decaf_255_scalar_t a,
const decaf_255_scalar_t b
) API_VIS NONNULL NOINLINE;

/**
* @brief Multiply two scalars. The scalars may use the same memory.
* @param [in] a One scalar.
* @param [in] b Another scalar.
* @param [out] out a*b.
*/
void decaf_255_scalar_mul (
decaf_255_scalar_t out,
const decaf_255_scalar_t a,
const decaf_255_scalar_t b
) API_VIS NONNULL NOINLINE;
/**
* @brief Halve a scalar. The scalars may use the same memory.
* @param [in] a A scalar.
* @param [out] out a/2.
*/
void decaf_255_scalar_halve (
decaf_255_scalar_t out,
const decaf_255_scalar_t a
) API_VIS NONNULL NOINLINE;

/**
* @brief Invert a scalar. When passed zero, return 0. The input and output may alias.
* @param [in] a A scalar.
* @param [out] out 1/a.
* @return DECAF_SUCCESS The input is nonzero.
*/
decaf_error_t decaf_255_scalar_invert (
decaf_255_scalar_t out,
const decaf_255_scalar_t a
) API_VIS WARN_UNUSED NONNULL NOINLINE;

/**
* @brief Copy a scalar. The scalars may use the same memory, in which
* case this function does nothing.
* @param [in] a A scalar.
* @param [out] out Will become a copy of a.
*/
static inline void NONNULL decaf_255_scalar_copy (
decaf_255_scalar_t out,
const decaf_255_scalar_t a
) {
*out = *a;
}

/**
* @brief Set a scalar to an unsigned 64-bit integer.
* @param [in] a An integer.
* @param [out] out Will become equal to a.
*/
void decaf_255_scalar_set_unsigned (
decaf_255_scalar_t out,
uint64_t a
) API_VIS NONNULL;

/**
* @brief Encode a point as a sequence of bytes.
*
* @param [out] ser The byte representation of the point.
* @param [in] pt The point to encode.
*/
void decaf_255_point_encode (
uint8_t ser[DECAF_255_SER_BYTES],
const decaf_255_point_t pt
) API_VIS NONNULL NOINLINE;

/**
* @brief Decode a point from a sequence of bytes.
*
* Every point has a unique encoding, so not every
* sequence of bytes is a valid encoding. If an invalid
* encoding is given, the output is undefined.
*
* @param [out] pt The decoded point.
* @param [in] ser The serialized version of the point.
* @param [in] allow_identity DECAF_TRUE if the identity is a legal input.
* @retval DECAF_SUCCESS The decoding succeeded.
* @retval DECAF_FAILURE The decoding didn't succeed, because
* ser does not represent a point.
*/
decaf_error_t decaf_255_point_decode (
decaf_255_point_t pt,
const uint8_t ser[DECAF_255_SER_BYTES],
decaf_bool_t allow_identity
) API_VIS WARN_UNUSED NONNULL NOINLINE;

/**
* @brief Copy a point. The input and output may alias,
* in which case this function does nothing.
*
* @param [out] a A copy of the point.
* @param [in] b Any point.
*/
static inline void NONNULL decaf_255_point_copy (
decaf_255_point_t a,
const decaf_255_point_t b
) {
*a=*b;
}

/**
* @brief Test whether two points are equal. If yes, return
* DECAF_TRUE, else return DECAF_FALSE.
*
* @param [in] a A point.
* @param [in] b Another point.
* @retval DECAF_TRUE The points are equal.
* @retval DECAF_FALSE The points are not equal.
*/
decaf_bool_t decaf_255_point_eq (
const decaf_255_point_t a,
const decaf_255_point_t b
) API_VIS WARN_UNUSED NONNULL NOINLINE;

/**
* @brief Add two points to produce a third point. The
* input points and output point can be pointers to the same
* memory.
*
* @param [out] sum The sum a+b.
* @param [in] a An addend.
* @param [in] b An addend.
*/
void decaf_255_point_add (
decaf_255_point_t sum,
const decaf_255_point_t a,
const decaf_255_point_t b
) API_VIS NONNULL;

/**
* @brief Double a point. Equivalent to
* decaf_255_point_add(two_a,a,a), but potentially faster.
*
* @param [out] two_a The sum a+a.
* @param [in] a A point.
*/
void decaf_255_point_double (
decaf_255_point_t two_a,
const decaf_255_point_t a
) API_VIS NONNULL;

/**
* @brief Subtract two points to produce a third point. The
* input points and output point can be pointers to the same
* memory.
*
* @param [out] diff The difference a-b.
* @param [in] a The minuend.
* @param [in] b The subtrahend.
*/
void decaf_255_point_sub (
decaf_255_point_t diff,
const decaf_255_point_t a,
const decaf_255_point_t b
) API_VIS NONNULL;
/**
* @brief Negate a point to produce another point. The input
* and output points can use the same memory.
*
* @param [out] nega The negated input point
* @param [in] a The input point.
*/
void decaf_255_point_negate (
decaf_255_point_t nega,
const decaf_255_point_t a
) API_VIS NONNULL;

/**
* @brief Multiply a base point by a scalar: scaled = scalar*base.
*
* @param [out] scaled The scaled point base*scalar
* @param [in] base The point to be scaled.
* @param [in] scalar The scalar to multiply by.
*/
void decaf_255_point_scalarmul (
decaf_255_point_t scaled,
const decaf_255_point_t base,
const decaf_255_scalar_t scalar
) API_VIS NONNULL NOINLINE;

/**
* @brief Multiply a base point by a scalar: scaled = scalar*base.
* This function operates directly on serialized forms.
*
* @warning This function is experimental. It may not be supported
* long-term.
*
* @param [out] scaled The scaled point base*scalar
* @param [in] base The point to be scaled.
* @param [in] scalar The scalar to multiply by.
* @param [in] allow_identity Allow the input to be the identity.
* @param [in] short_circuit Allow a fast return if the input is illegal.
*
* @retval DECAF_SUCCESS The scalarmul succeeded.
* @retval DECAF_FAILURE The scalarmul didn't succeed, because
* base does not represent a point.
*/
decaf_error_t decaf_255_direct_scalarmul (
uint8_t scaled[DECAF_255_SER_BYTES],
const uint8_t base[DECAF_255_SER_BYTES],
const decaf_255_scalar_t scalar,
decaf_bool_t allow_identity,
decaf_bool_t short_circuit
) API_VIS NONNULL WARN_UNUSED NOINLINE;

/**
* @brief RFC 7748 Diffie-Hellman scalarmul. This function uses a different
* (non-Decaf) encoding.
*
* @param [out] scaled The scaled point base*scalar
* @param [in] base The point to be scaled.
* @param [in] scalar The scalar to multiply by.
*
* @retval DECAF_SUCCESS The scalarmul succeeded.
* @retval DECAF_FAILURE The scalarmul didn't succeed, because the base
* point is in a small subgroup.
*/
decaf_error_t decaf_x25519 (
uint8_t out[DECAF_X25519_PUBLIC_BYTES],
const uint8_t base[DECAF_X25519_PUBLIC_BYTES],
const uint8_t scalar[DECAF_X25519_PRIVATE_BYTES]
) API_VIS NONNULL WARN_UNUSED NOINLINE;

/** The base point for X25519 Diffie-Hellman */
extern const uint8_t decaf_x25519_base_point[DECAF_X25519_PUBLIC_BYTES] API_VIS;

/**
* @brief RFC 7748 Diffie-Hellman base point scalarmul. This function uses
* a different (non-Decaf) encoding.
*
* @param [out] scaled The scaled point base*scalar
* @param [in] scalar The scalar to multiply by.
*/
void decaf_x25519_generate_key (
uint8_t out[DECAF_X25519_PUBLIC_BYTES],
const uint8_t scalar[DECAF_X25519_PRIVATE_BYTES]
) API_VIS NONNULL NOINLINE;

/* FUTURE: uint8_t decaf_255_encode_like_curve25519) */

/**
* @brief Precompute a table for fast scalar multiplication.
* Some implementations do not include precomputed points; for
* those implementations, this implementation simply copies the
* point.
*
* @param [out] a A precomputed table of multiples of the point.
* @param [in] b Any point.
*/
void decaf_255_precompute (
decaf_255_precomputed_s *a,
const decaf_255_point_t b
) API_VIS NONNULL NOINLINE;

/**
* @brief Multiply a precomputed base point by a scalar:
* scaled = scalar*base.
* Some implementations do not include precomputed points; for
* those implementations, this function is the same as
* decaf_255_point_scalarmul
*
* @param [out] scaled The scaled point base*scalar
* @param [in] base The point to be scaled.
* @param [in] scalar The scalar to multiply by.
*/
void decaf_255_precomputed_scalarmul (
decaf_255_point_t scaled,
const decaf_255_precomputed_s *base,
const decaf_255_scalar_t scalar
) API_VIS NONNULL NOINLINE;

/**
* @brief Multiply two base points by two scalars:
* scaled = scalar1*base1 + scalar2*base2.
*
* Equivalent to two calls to decaf_255_point_scalarmul, but may be
* faster.
*
* @param [out] combo The linear combination scalar1*base1 + scalar2*base2.
* @param [in] base1 A first point to be scaled.
* @param [in] scalar1 A first scalar to multiply by.
* @param [in] base2 A second point to be scaled.
* @param [in] scalar2 A second scalar to multiply by.
*/
void decaf_255_point_double_scalarmul (
decaf_255_point_t combo,
const decaf_255_point_t base1,
const decaf_255_scalar_t scalar1,
const decaf_255_point_t base2,
const decaf_255_scalar_t scalar2
) API_VIS NONNULL NOINLINE;
/**
* Multiply one base point by two scalars:
*
* a1 = scalar1 * base
* a2 = scalar2 * base
*
* Equivalent to two calls to decaf_255_point_scalarmul, but may be
* faster.
*
* @param [out] a1 The first multiple. It may be the same as the input point.
* @param [out] a2 The second multiple. It may be the same as the input point.
* @param [in] base1 A point to be scaled.
* @param [in] scalar1 A first scalar to multiply by.
* @param [in] scalar2 A second scalar to multiply by.
*/
void decaf_255_point_dual_scalarmul (
decaf_255_point_t a1,
decaf_255_point_t a2,
const decaf_255_point_t base1,
const decaf_255_scalar_t scalar1,
const decaf_255_scalar_t scalar2
) API_VIS NONNULL NOINLINE;

/**
* @brief Multiply two base points by two scalars:
* scaled = scalar1*decaf_255_point_base + scalar2*base2.
*
* Otherwise equivalent to decaf_255_point_double_scalarmul, but may be
* faster at the expense of being variable time.
*
* @param [out] combo The linear combination scalar1*base + scalar2*base2.
* @param [in] scalar1 A first scalar to multiply by.
* @param [in] base2 A second point to be scaled.
* @param [in] scalar2 A second scalar to multiply by.
*
* @warning: This function takes variable time, and may leak the scalars
* used. It is designed for signature verification.
*/
void decaf_255_base_double_scalarmul_non_secret (
decaf_255_point_t combo,
const decaf_255_scalar_t scalar1,
const decaf_255_point_t base2,
const decaf_255_scalar_t scalar2
) API_VIS NONNULL NOINLINE;

/**
* @brief Constant-time decision between two points. If pick_b
* is zero, out = a; else out = b.
*
* @param [out] out The output. It may be the same as either input.
* @param [in] a Any point.
* @param [in] b Any point.
* @param [in] pick_b If nonzero, choose point b.
*/
void decaf_255_point_cond_sel (
decaf_255_point_t out,
const decaf_255_point_t a,
const decaf_255_point_t b,
decaf_word_t pick_b
) API_VIS NONNULL NOINLINE;

/**
* @brief Constant-time decision between two scalars. If pick_b
* is zero, out = a; else out = b.
*
* @param [out] out The output. It may be the same as either input.
* @param [in] a Any scalar.
* @param [in] b Any scalar.
* @param [in] pick_b If nonzero, choose scalar b.
*/
void decaf_255_scalar_cond_sel (
decaf_255_scalar_t out,
const decaf_255_scalar_t a,
const decaf_255_scalar_t b,
decaf_word_t pick_b
) API_VIS NONNULL NOINLINE;

/**
* @brief Test that a point is valid, for debugging purposes.
*
* @param [in] to_test The point to test.
* @retval DECAF_TRUE The point is valid.
* @retval DECAF_FALSE The point is invalid.
*/
decaf_bool_t decaf_255_point_valid (
const decaf_255_point_t to_test
) API_VIS WARN_UNUSED NONNULL NOINLINE;

/**
* @brief Torque a point, for debugging purposes. The output
* will be equal to the input.
*
* @param [out] q The point to torque.
* @param [in] p The point to torque.
*/
void decaf_255_point_debugging_torque (
decaf_255_point_t q,
const decaf_255_point_t p
) API_VIS NONNULL NOINLINE;

/**
* @brief Projectively scale a point, for debugging purposes.
* The output will be equal to the input, and will be valid
* even if the factor is zero.
*
* @param [out] q The point to scale.
* @param [in] p The point to scale.
* @param [in] factor Serialized GF factor to scale.
*/
void decaf_255_point_debugging_pscale (
decaf_255_point_t q,
const decaf_255_point_t p,
const unsigned char factor[DECAF_255_SER_BYTES]
) API_VIS NONNULL NOINLINE;

/**
* @brief Almost-Elligator-like hash to curve.
*
* Call this function with the output of a hash to make a hash to the curve.
*
* This function runs Elligator2 on the decaf_255 Jacobi quartic model. It then
* uses the isogeny to put the result in twisted Edwards form. As a result,
* it is safe (cannot produce points of order 4), and would be compatible with
* hypothetical other implementations of Decaf using a Montgomery or untwisted
* Edwards model.
*
* Unlike Elligator, this function may be up to 4:1 on [0,(p-1)/2]:
* A factor of 2 due to the isogeny.
* A factor of 2 because we quotient out the 2-torsion.
*
* This makes it about 8:1 overall, or 16:1 overall on curves with cofactor 8.
*
* Negating the input (mod q) results in the same point. Inverting the input
* (mod q) results in the negative point. This is the same as Elligator.
*
* This function isn't quite indifferentiable from a random oracle.
* However, it is suitable for many protocols, including SPEKE and SPAKE2 EE.
* Furthermore, calling it twice with independent seeds and adding the results
* is indifferentiable from a random oracle.
*
* @param [in] hashed_data Output of some hash function.
* @param [out] pt The data hashed to the curve.
*/
void
decaf_255_point_from_hash_nonuniform (
decaf_255_point_t pt,
const unsigned char hashed_data[DECAF_255_HASH_BYTES]
) API_VIS NONNULL NOINLINE;

/**
* @brief Indifferentiable hash function encoding to curve.
*
* Equivalent to calling decaf_255_point_from_hash_nonuniform twice and adding.
*
* @param [in] hashed_data Output of some hash function.
* @param [out] pt The data hashed to the curve.
*/
void decaf_255_point_from_hash_uniform (
decaf_255_point_t pt,
const unsigned char hashed_data[2*DECAF_255_HASH_BYTES]
) API_VIS NONNULL NOINLINE;

/**
* @brief Inverse of elligator-like hash to curve.
*
* This function writes to the buffer, to make it so that
* decaf_255_point_from_hash_nonuniform(buffer) = pt if
* possible. Since there may be multiple preimages, the
* "which" parameter chooses between them. To ensure uniform
* inverse sampling, this function succeeds or fails
* independently for different "which" values.
*
* @param [out] recovered_hash Encoded data.
* @param [in] pt The point to encode.
* @param [in] which A value determining which inverse point
* to return.
*
* @retval DECAF_SUCCESS The inverse succeeded.
* @retval DECAF_FAILURE The inverse failed.
*/
decaf_error_t
decaf_255_invert_elligator_nonuniform (
unsigned char recovered_hash[DECAF_255_HASH_BYTES],
const decaf_255_point_t pt,
uint32_t which
) API_VIS NONNULL NOINLINE WARN_UNUSED;

/**
* @brief Inverse of elligator-like hash to curve.
*
* This function writes to the buffer, to make it so that
* decaf_255_point_from_hash_uniform(buffer) = pt if
* possible. Since there may be multiple preimages, the
* "which" parameter chooses between them. To ensure uniform
* inverse sampling, this function succeeds or fails
* independently for different "which" values.
*
* @param [out] recovered_hash Encoded data.
* @param [in] pt The point to encode.
* @param [in] which A value determining which inverse point
* to return.
*
* @retval DECAF_SUCCESS The inverse succeeded.
* @retval DECAF_FAILURE The inverse failed.
*/
decaf_error_t
decaf_255_invert_elligator_uniform (
unsigned char recovered_hash[2*DECAF_255_HASH_BYTES],
const decaf_255_point_t pt,
uint32_t which
) API_VIS NONNULL NOINLINE WARN_UNUSED;

/**
* @brief Overwrite scalar with zeros.
*/
void decaf_255_scalar_destroy (
decaf_255_scalar_t scalar
) NONNULL API_VIS;

/**
* @brief Overwrite point with zeros.
*/
void decaf_255_point_destroy (
decaf_255_point_t point
) NONNULL API_VIS;

/**
* @brief Overwrite precomputed table with zeros.
*/
void decaf_255_precomputed_destroy (
decaf_255_precomputed_s *pre
) NONNULL API_VIS;

#ifdef __cplusplus
} /* extern "C" */
#endif

#endif /* __DECAF_DECAF_255_H__ */

+ 714
- 0
src/GENERATED/include/decaf/decaf_255.hxx View File

@@ -0,0 +1,714 @@
/**
* @file decaf/decaf_255.hxx
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
* A group of prime order p, C++ wrapper.
*
* The Decaf library implements cryptographic operations on a an elliptic curve
* group of prime order p. It accomplishes this by using a twisted Edwards
* curve (isogenous to Curve25519) and wiping out the cofactor.
*
* The formulas are all complete and have no special cases, except that
* decaf_255_decode can fail because not every sequence of bytes is a valid group
* element.
*
* The formulas contain no data-dependent branches, timing or memory accesses,
* except for decaf_255_base_double_scalarmul_non_secret.
*
* @warning This file was automatically generated in Python.
* Please do not edit it.
*/

#ifndef __DECAF_DECAF_255_HXX__
#define __DECAF_DECAF_255_HXX__ 1

/** This code uses posix_memalign. */
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 600
#endif
#include <stdlib.h>
#include <string.h> /* for memcpy */

#include <decaf/decaf_255.h>
#include <decaf/ed255.h>
#include <decaf/secure_buffer.hxx>
#include <string>
#include <sys/types.h>
#include <limits.h>

/** @cond internal */
#if __cplusplus >= 201103L
#define NOEXCEPT noexcept
#else
#define NOEXCEPT throw()
#endif
/** @endcond */

namespace decaf {

/**
* Curve25519/Decaf instantiation of group.
*/
struct IsoEd25519 {

/** The name of the curve */
static inline const char *name() { return "Iso-Ed25519"; }

/** The curve's cofactor (removed, but useful for testing) */
static const int REMOVED_COFACTOR = 8;

/** Residue class of field modulus: p == this mod 2*(this-1) */
static const int FIELD_MODULUS_TYPE = 5;

/** @cond internal */
class Point;
class Precomputed;
/** @endcond */

/**
* A scalar modulo the curve order.
* Supports the usual arithmetic operations, all in constant time.
*/
class Scalar : public Serializable<Scalar> {
public:
/** wrapped C type */
typedef decaf_255_scalar_t Wrapped;
/** Size of a serialized element */
static const size_t SER_BYTES = DECAF_255_SCALAR_BYTES;

/** access to the underlying scalar object */
Wrapped s;

/** @cond internal */
/** Don't initialize. */
inline Scalar(const NOINIT &) NOEXCEPT {}
/** @endcond */

/** Set to an unsigned word */
inline Scalar(uint64_t w) NOEXCEPT { *this = w; }

/** Set to a signed word */
inline Scalar(int64_t w) NOEXCEPT { *this = w; }

/** Set to an unsigned word */
inline Scalar(unsigned int w) NOEXCEPT { *this = w; }

/** Set to a signed word */
inline Scalar(int w) NOEXCEPT { *this = w; }

/** Construct from RNG */
inline explicit Scalar(Rng &rng) NOEXCEPT {
FixedArrayBuffer<SER_BYTES + 16> sb(rng);
*this = sb;
}

/** Construct from decaf_scalar_t object. */
inline Scalar(const Wrapped &t = decaf_255_scalar_zero) NOEXCEPT { decaf_255_scalar_copy(s,t); }

/** Copy constructor. */
inline Scalar(const Scalar &x) NOEXCEPT { *this = x; }

/** Construct from arbitrary-length little-endian byte sequence. */
inline Scalar(const Block &buffer) NOEXCEPT { *this = buffer; }

/** Serializable instance */
inline size_t ser_size() const NOEXCEPT { return SER_BYTES; }

/** Serializable instance */
inline void serialize_into(unsigned char *buffer) const NOEXCEPT {
decaf_255_scalar_encode(buffer, s);
}

/** Assignment. */
inline Scalar& operator=(const Scalar &x) NOEXCEPT { decaf_255_scalar_copy(s,x.s); return *this; }

/** Assign from unsigned 64-bit integer. */
inline Scalar& operator=(uint64_t w) NOEXCEPT { decaf_255_scalar_set_unsigned(s,w); return *this; }


/** Assign from signed int. */
inline Scalar& operator=(int64_t w) NOEXCEPT {
Scalar t(-(uint64_t)INT_MIN);
decaf_255_scalar_set_unsigned(s,(uint64_t)w - (uint64_t)INT_MIN);
*this -= t;
return *this;
}

/** Assign from unsigned int. */
inline Scalar& operator=(unsigned int w) NOEXCEPT { return *this = (uint64_t)w; }

/** Assign from signed int. */
inline Scalar& operator=(int w) NOEXCEPT { return *this = (int64_t)w; }

/** Destructor securely zeorizes the scalar. */
inline ~Scalar() NOEXCEPT { decaf_255_scalar_destroy(s); }

/** Assign from arbitrary-length little-endian byte sequence in a Block. */
inline Scalar &operator=(const Block &bl) NOEXCEPT {
decaf_255_scalar_decode_long(s,bl.data(),bl.size()); return *this;
}

/**
* Decode from correct-length little-endian byte sequence.
* @return DECAF_FAILURE if the scalar is greater than or equal to the group order q.
*/
static inline decaf_error_t WARN_UNUSED decode (
Scalar &sc, const FixedBlock<SER_BYTES> buffer
) NOEXCEPT {
return decaf_255_scalar_decode(sc.s,buffer.data());
}

/** Add. */
inline Scalar operator+ (const Scalar &q) const NOEXCEPT { Scalar r((NOINIT())); decaf_255_scalar_add(r.s,s,q.s); return r; }

/** Add to this. */
inline Scalar &operator+=(const Scalar &q) NOEXCEPT { decaf_255_scalar_add(s,s,q.s); return *this; }

/** Subtract. */
inline Scalar operator- (const Scalar &q) const NOEXCEPT { Scalar r((NOINIT())); decaf_255_scalar_sub(r.s,s,q.s); return r; }

/** Subtract from this. */
inline Scalar &operator-=(const Scalar &q) NOEXCEPT { decaf_255_scalar_sub(s,s,q.s); return *this; }

/** Multiply */
inline Scalar operator* (const Scalar &q) const NOEXCEPT { Scalar r((NOINIT())); decaf_255_scalar_mul(r.s,s,q.s); return r; }

/** Multiply into this. */
inline Scalar &operator*=(const Scalar &q) NOEXCEPT { decaf_255_scalar_mul(s,s,q.s); return *this; }

/** Negate */
inline Scalar operator- () const NOEXCEPT { Scalar r((NOINIT())); decaf_255_scalar_sub(r.s,decaf_255_scalar_zero,s); return r; }

/** Invert with Fermat's Little Theorem (slow!). If *this == 0,
* throw CryptoException. */
inline Scalar inverse() const throw(CryptoException) {
Scalar r;
if (DECAF_SUCCESS != decaf_255_scalar_invert(r.s,s)) {
throw CryptoException();
}
return r;
}

/** Invert with Fermat's Little Theorem (slow!). If *this == 0, set r=0
* and return DECAF_FAILURE. */
inline decaf_error_t WARN_UNUSED
inverse_noexcept(Scalar &r) const NOEXCEPT {
return decaf_255_scalar_invert(r.s,s);
}

/** Divide by inverting q. If q == 0, return 0. */
inline Scalar operator/ (const Scalar &q) const throw(CryptoException) { return *this * q.inverse(); }

/** Divide by inverting q. If q == 0, return 0. */
inline Scalar &operator/=(const Scalar &q) throw(CryptoException) { return *this *= q.inverse(); }

/** Return half this scalar. Much faster than /2. */
inline Scalar half() const { Scalar out; decaf_255_scalar_halve(out.s,s); return out; }

/** Compare in constant time */
inline bool operator!=(const Scalar &q) const NOEXCEPT { return !(*this == q); }

/** Compare in constant time */
inline bool operator==(const Scalar &q) const NOEXCEPT { return !!decaf_255_scalar_eq(s,q.s); }

/** Scalarmul with scalar on left. */
inline Point operator* (const Point &q) const NOEXCEPT { return q * (*this); }

/** Scalarmul-precomputed with scalar on left. */
inline Point operator* (const Precomputed &q) const NOEXCEPT { return q * (*this); }

/** Direct scalar multiplication. */
inline SecureBuffer direct_scalarmul(
const Block &in,
decaf_bool_t allow_identity=DECAF_FALSE,
decaf_bool_t short_circuit=DECAF_TRUE
) const throw(CryptoException);
};

/**
* Element of prime-order group.
*/
class Point : public Serializable<Point> {
public:
/** wrapped C type */
typedef decaf_255_point_t Wrapped;
/** Size of a serialized element */
static const size_t SER_BYTES = DECAF_255_SER_BYTES;

/** Bytes required for hash */
static const size_t HASH_BYTES = DECAF_255_HASH_BYTES;

/**
* Size of a stegged element.
*
* FUTURE: You can use HASH_BYTES * 3/2 (or more likely much less, eg HASH_BYTES + 8)
* with a random oracle hash function, by hash-expanding everything past the first
* HASH_BYTES of the element. However, since the internal C invert_elligator is not
* tied to a hash function, I didn't want to tie the C++ wrapper to a hash function
* either. But it might be a good idea to do this in the future, either with STROBE
* or something else.
*
* Then again, calling invert_elligator at all is super niche, so maybe who cares?
*/
static const size_t STEG_BYTES = HASH_BYTES * 2;
/** Number of bits in invert_elligator which are actually used. */
static const unsigned int INVERT_ELLIGATOR_WHICH_BITS = DECAF_255_INVERT_ELLIGATOR_WHICH_BITS;

/** The c-level object. */
Wrapped p;

/** @cond internal */
/** Don't initialize. */
inline Point(const NOINIT &) NOEXCEPT {}
/** @endcond */

/** Constructor sets to identity by default. */
inline Point(const Wrapped &q = decaf_255_point_identity) NOEXCEPT { decaf_255_point_copy(p,q); }

/** Copy constructor. */
inline Point(const Point &q) NOEXCEPT { *this = q; }

/** Assignment. */
inline Point& operator=(const Point &q) NOEXCEPT { decaf_255_point_copy(p,q.p); return *this; }

/** Destructor securely zeorizes the point. */
inline ~Point() NOEXCEPT { decaf_255_point_destroy(p); }

/** Construct from RNG */
inline explicit Point(Rng &rng, bool uniform = true) NOEXCEPT {
if (uniform) {
FixedArrayBuffer<2*HASH_BYTES> b(rng);
set_to_hash(b);
} else {
FixedArrayBuffer<HASH_BYTES> b(rng);
set_to_hash(b);
}
}

/**
* Initialize from a fixed-length byte string.
* The all-zero string maps to the identity.
*
* @throw CryptoException the string was the wrong length, or wasn't the encoding of a point,
* or was the identity and allow_identity was DECAF_FALSE.
*/
inline explicit Point(const FixedBlock<SER_BYTES> &buffer, decaf_bool_t allow_identity=DECAF_TRUE)
throw(CryptoException) {
if (DECAF_SUCCESS != decode(buffer,allow_identity)) {
throw CryptoException();
}
}

/**
* Initialize from C++ fixed-length byte string.
* The all-zero string maps to the identity.
*
* @retval DECAF_SUCCESS the string was successfully decoded.
* @return DECAF_FAILURE the string was the wrong length, or wasn't the encoding of a point,
* or was the identity and allow_identity was DECAF_FALSE. Contents of the buffer are undefined.
*/
inline decaf_error_t WARN_UNUSED decode (
const FixedBlock<SER_BYTES> &buffer, decaf_bool_t allow_identity=DECAF_TRUE
) NOEXCEPT {
return decaf_255_point_decode(p,buffer.data(),allow_identity);
}

/**
* Initialize from C++ fixed-length byte string, like EdDSA.
* The all-zero string maps to the identity.
*
* @retval DECAF_SUCCESS the string was successfully decoded.
* @return DECAF_FAILURE the string was the wrong length, or wasn't the encoding of a point.
* Contents of the point are undefined.
*/
inline decaf_error_t WARN_UNUSED decode_like_eddsa_and_ignore_cofactor_noexcept (
const FixedBlock<DECAF_EDDSA_25519_PUBLIC_BYTES> &buffer
) NOEXCEPT {
return decaf_255_point_decode_like_eddsa_and_ignore_cofactor(p,buffer.data());
}

inline void decode_like_eddsa_and_ignore_cofactor (
const FixedBlock<DECAF_EDDSA_25519_PUBLIC_BYTES> &buffer
) throw(CryptoException) {
if (DECAF_SUCCESS != decode_like_eddsa_and_ignore_cofactor_noexcept(buffer)) throw(CryptoException());
}

/** Multiply out cofactor and encode like EdDSA. */
inline SecureBuffer mul_by_cofactor_and_encode_like_eddsa() const {
SecureBuffer ret(DECAF_EDDSA_25519_PUBLIC_BYTES);
decaf_255_point_mul_by_cofactor_and_encode_like_eddsa(ret.data(),p);
return ret;
}

/**
* Map uniformly to the curve from a hash buffer.
* The empty or all-zero string maps to the identity, as does the string "\\x01".
* If the buffer is shorter than 2*HASH_BYTES, well, it won't be as uniform,
* but the buffer will be zero-padded on the right.
*/
static inline Point from_hash ( const Block &s ) NOEXCEPT {
Point p((NOINIT())); p.set_to_hash(s); return p;
}

/**
* Map to the curve from a hash buffer.
* The empty or all-zero string maps to the identity, as does the string "\\x01".
* If the buffer is shorter than 2*HASH_BYTES, well, it won't be as uniform,
* but the buffer will be zero-padded on the right.
*/
inline void set_to_hash( const Block &s ) NOEXCEPT {
if (s.size() < HASH_BYTES) {
SecureBuffer b(HASH_BYTES);
memcpy(b.data(), s.data(), s.size());
decaf_255_point_from_hash_nonuniform(p,b.data());
} else if (s.size() == HASH_BYTES) {
decaf_255_point_from_hash_nonuniform(p,s.data());
} else if (s.size() < 2*HASH_BYTES) {
SecureBuffer b(2*HASH_BYTES);
memcpy(b.data(), s.data(), s.size());
decaf_255_point_from_hash_uniform(p,b.data());
} else {
decaf_255_point_from_hash_uniform(p,s.data());
}
}

/**
* Encode to string. The identity encodes to the all-zero string.
*/
inline operator SecureBuffer() const {
SecureBuffer buffer(SER_BYTES);
decaf_255_point_encode(buffer.data(), p);
return buffer;
}

/** Serializable instance */
inline size_t ser_size() const NOEXCEPT { return SER_BYTES; }

/** Serializable instance */
inline void serialize_into(unsigned char *buffer) const NOEXCEPT {
decaf_255_point_encode(buffer, p);
}

/** Point add. */
inline Point operator+ (const Point &q) const NOEXCEPT { Point r((NOINIT())); decaf_255_point_add(r.p,p,q.p); return r; }

/** Point add. */
inline Point &operator+=(const Point &q) NOEXCEPT { decaf_255_point_add(p,p,q.p); return *this; }

/** Point subtract. */
inline Point operator- (const Point &q) const NOEXCEPT { Point r((NOINIT())); decaf_255_point_sub(r.p,p,q.p); return r; }

/** Point subtract. */
inline Point &operator-=(const Point &q) NOEXCEPT { decaf_255_point_sub(p,p,q.p); return *this; }

/** Point negate. */
inline Point operator- () const NOEXCEPT { Point r((NOINIT())); decaf_255_point_negate(r.p,p); return r; }

/** Double the point out of place. */
inline Point times_two () const NOEXCEPT { Point r((NOINIT())); decaf_255_point_double(r.p,p); return r; }

/** Double the point in place. */
inline Point &double_in_place() NOEXCEPT { decaf_255_point_double(p,p); return *this; }

/** Constant-time compare. */
inline bool operator!=(const Point &q) const NOEXCEPT { return ! decaf_255_point_eq(p,q.p); }

/** Constant-time compare. */
inline bool operator==(const Point &q) const NOEXCEPT { return !!decaf_255_point_eq(p,q.p); }

/** Scalar multiply. */
inline Point operator* (const Scalar &s) const NOEXCEPT { Point r((NOINIT())); decaf_255_point_scalarmul(r.p,p,s.s); return r; }

/** Scalar multiply in place. */
inline Point &operator*=(const Scalar &s) NOEXCEPT { decaf_255_point_scalarmul(p,p,s.s); return *this; }

/** Multiply by s.inverse(). If s=0, maps to the identity. */
inline Point operator/ (const Scalar &s) const throw(CryptoException) { return (*this) * s.inverse(); }

/** Multiply by s.inverse(). If s=0, maps to the identity. */
inline Point &operator/=(const Scalar &s) throw(CryptoException) { return (*this) *= s.inverse(); }

/** Validate / sanity check */
inline bool validate() const NOEXCEPT { return decaf_255_point_valid(p); }

/** Double-scalar multiply, equivalent to q*qs + r*rs but faster. */
static inline Point double_scalarmul (
const Point &q, const Scalar &qs, const Point &r, const Scalar &rs
) NOEXCEPT {
Point p((NOINIT())); decaf_255_point_double_scalarmul(p.p,q.p,qs.s,r.p,rs.s); return p;
}

/** Dual-scalar multiply, equivalent to this*r1, this*r2 but faster. */
inline void dual_scalarmul (
Point &q1, Point &q2, const Scalar &r1, const Scalar &r2
) const NOEXCEPT {
decaf_255_point_dual_scalarmul(q1.p,q2.p,p,r1.s,r2.s);
}

/**
* Double-scalar multiply, equivalent to q*qs + r*rs but faster.
* For those who like their scalars before the point.
*/
static inline Point double_scalarmul (
const Scalar &qs, const Point &q, const Scalar &rs, const Point &r
) NOEXCEPT {
return double_scalarmul(q,qs,r,rs);
}

/**
* Double-scalar multiply: this point by the first scalar and base by the second scalar.
* @warning This function takes variable time, and may leak the scalars (or points, but currently
* it doesn't).
*/
inline Point non_secret_combo_with_base(const Scalar &s, const Scalar &s_base) NOEXCEPT {
Point r((NOINIT())); decaf_255_base_double_scalarmul_non_secret(r.p,s_base.s,p,s.s); return r;
}

/** Return a point equal to *this, whose internal data is rotated by a torsion element. */
inline Point debugging_torque() const NOEXCEPT {
Point q;
decaf_255_point_debugging_torque(q.p,p);
return q;
}

/** Return a point equal to *this, whose internal data has a modified representation. */
inline Point debugging_pscale(const FixedBlock<SER_BYTES> factor) const NOEXCEPT {
Point q;
decaf_255_point_debugging_pscale(q.p,p,factor.data());
return q;
}

/** Return a point equal to *this, whose internal data has a randomized representation. */
inline Point debugging_pscale(Rng &r) const NOEXCEPT {
FixedArrayBuffer<SER_BYTES> sb(r);
return debugging_pscale(sb);
}

/**
* Modify buffer so that Point::from_hash(Buffer) == *this, and return DECAF_SUCCESS;
* or leave buf unmodified and return DECAF_FAILURE.
*/
inline decaf_error_t invert_elligator (
Buffer buf, uint32_t hint
) const NOEXCEPT {
unsigned char buf2[2*HASH_BYTES];
memset(buf2,0,sizeof(buf2));
memcpy(buf2,buf.data(),(buf.size() > 2*HASH_BYTES) ? 2*HASH_BYTES : buf.size());
decaf_bool_t ret;
if (buf.size() > HASH_BYTES) {
ret = decaf_successful(decaf_255_invert_elligator_uniform(buf2, p, hint));
} else {
ret = decaf_successful(decaf_255_invert_elligator_nonuniform(buf2, p, hint));
}
if (buf.size() < HASH_BYTES) {
ret &= decaf_memeq(&buf2[buf.size()], &buf2[HASH_BYTES], HASH_BYTES - buf.size());
}
for (size_t i=0; i<buf.size() && i<HASH_BYTES; i++) {
buf[i] = (buf[i] & ~ret) | (buf2[i] &ret);
}
decaf_bzero(buf2,sizeof(buf2));
return decaf_succeed_if(ret);
}

/** Steganographically encode this */
inline SecureBuffer steg_encode(Rng &rng, size_t size=STEG_BYTES) const throw(std::bad_alloc, LengthException) {
if (size <= HASH_BYTES + 4 || size > 2*HASH_BYTES) throw LengthException();
SecureBuffer out(STEG_BYTES);
decaf_error_t done;
do {
rng.read(Buffer(out).slice(HASH_BYTES-4,STEG_BYTES-HASH_BYTES+1));
uint32_t hint = 0;
for (int i=0; i<4; i++) { hint |= uint32_t(out[HASH_BYTES-4+i])<<(8*i); }
done = invert_elligator(out, hint);
} while (!decaf_successful(done));
return out;
}

/** Return the base point */
static inline const Point base() NOEXCEPT { return Point(decaf_255_point_base); }

/** Return the identity point */
static inline const Point identity() NOEXCEPT { return Point(decaf_255_point_identity); }
};

/**
* Precomputed table of points.
* Minor difficulties arise here because the decaf API doesn't expose, as a constant, how big such an object is.
* Therefore we have to call malloc() or friends, but that's probably for the best, because you don't want to
* stack-allocate a 15kiB object anyway.
*/

/** @cond internal */
typedef decaf_255_precomputed_s Precomputed_U;
/** @endcond */
class Precomputed
/** @cond internal */
: protected OwnedOrUnowned<Precomputed,Precomputed_U>
/** @endcond */
{
public:

/** Destructor securely zeorizes the memory. */
inline ~Precomputed() NOEXCEPT { clear(); }

/**
* Initialize from underlying type, declared as a reference to prevent
* it from being called with 0, thereby breaking override.
*
* The underlying object must remain valid throughout the lifetime of this one.
*
* By default, initializes to the table for the base point.
*
* @warning The empty initializer makes this equal to base, unlike the empty
* initializer for points which makes this equal to the identity.
*/
inline Precomputed (
const Precomputed_U &yours = *default_value()
) NOEXCEPT : OwnedOrUnowned<Precomputed,Precomputed_U>(yours) {}


#if __cplusplus >= 201103L
/** Move-assign operator */
inline Precomputed &operator=(Precomputed &&it) NOEXCEPT {
OwnedOrUnowned<Precomputed,Precomputed_U>::operator= (it);
return *this;
}

/** Move constructor */
inline Precomputed(Precomputed &&it) NOEXCEPT : OwnedOrUnowned<Precomputed,Precomputed_U>() {
*this = it;
}

/** Undelete copy operator */
inline Precomputed &operator=(const Precomputed &it) NOEXCEPT {
OwnedOrUnowned<Precomputed,Precomputed_U>::operator= (it);
return *this;
}
#endif

/**
* Initilaize from point. Must allocate memory, and may throw.
*/
inline Precomputed &operator=(const Point &it) throw(std::bad_alloc) {
alloc();
decaf_255_precompute(ours.mine,it.p);
return *this;
}

/**
* Copy constructor.
*/
inline Precomputed(const Precomputed &it) throw(std::bad_alloc)
: OwnedOrUnowned<Precomputed,Precomputed_U>() { *this = it; }

/**
* Constructor which initializes from point.
*/
inline explicit Precomputed(const Point &it) throw(std::bad_alloc)
: OwnedOrUnowned<Precomputed,Precomputed_U>() { *this = it; }

/** Fixed base scalarmul. */
inline Point operator* (const Scalar &s) const NOEXCEPT { Point r; decaf_255_precomputed_scalarmul(r.p,get(),s.s); return r; }

/** Multiply by s.inverse(). If s=0, maps to the identity. */
inline Point operator/ (const Scalar &s) const throw(CryptoException) { return (*this) * s.inverse(); }

/** Return the table for the base point. */
static inline const Precomputed base() NOEXCEPT { return Precomputed(); }

public:
/** @cond internal */
friend class OwnedOrUnowned<Precomputed,Precomputed_U>;
static inline size_t size() NOEXCEPT { return decaf_255_sizeof_precomputed_s; }
static inline size_t alignment() NOEXCEPT { return decaf_255_alignof_precomputed_s; }
static inline const Precomputed_U * default_value() NOEXCEPT { return decaf_255_precomputed_base; }
/** @endcond */
};

struct DhLadder {
public:
/** Bytes in an X25519 public key. */
static const size_t PUBLIC_BYTES = DECAF_X25519_PUBLIC_BYTES;

/** Bytes in an X25519 private key. */
static const size_t PRIVATE_BYTES = DECAF_X25519_PRIVATE_BYTES;

/** Base point for a scalar multiplication. */
static const FixedBlock<PUBLIC_BYTES> base_point() NOEXCEPT {
return FixedBlock<PUBLIC_BYTES>(decaf_x25519_base_point);
}

/** Generate and return a shared secret with public key. */
static inline SecureBuffer shared_secret(
const FixedBlock<PUBLIC_BYTES> &pk,
const FixedBlock<PRIVATE_BYTES> &scalar
) throw(std::bad_alloc,CryptoException) {
SecureBuffer out(PUBLIC_BYTES);
if (DECAF_SUCCESS != decaf_x25519(out.data(), pk.data(), scalar.data())) {
throw CryptoException();
}
return out;
}

/** Generate and return a shared secret with public key, noexcept version. */
static inline decaf_error_t WARN_UNUSED
shared_secret_noexcept (
FixedBuffer<PUBLIC_BYTES> &out,
const FixedBlock<PUBLIC_BYTES> &pk,
const FixedBlock<PRIVATE_BYTES> &scalar
) NOEXCEPT {
return decaf_x25519(out.data(), pk.data(), scalar.data());
}

/** Generate and return a public key; equivalent to shared_secret(base_point(),scalar)
* but possibly faster.
*/
static inline SecureBuffer generate_key(
const FixedBlock<PRIVATE_BYTES> &scalar
) throw(std::bad_alloc) {
SecureBuffer out(PUBLIC_BYTES);
decaf_x25519_generate_key(out.data(), scalar.data());
return out;
}

/** Generate and return a public key into a fixed buffer;
* equivalent to shared_secret(base_point(),scalar) but possibly faster.
*/
static inline void
generate_key_noexcept (
FixedBuffer<PUBLIC_BYTES> &out,
const FixedBlock<PRIVATE_BYTES> &scalar
) NOEXCEPT {
decaf_x25519_generate_key(out.data(), scalar.data());
}
};

}; /* struct IsoEd25519 */

/** @cond internal */
inline SecureBuffer IsoEd25519::Scalar::direct_scalarmul (
const Block &in,
decaf_bool_t allow_identity,
decaf_bool_t short_circuit
) const throw(CryptoException) {
SecureBuffer out(IsoEd25519::Point::SER_BYTES);
if (DECAF_SUCCESS !=
decaf_255_direct_scalarmul(out.data(), in.data(), s, allow_identity, short_circuit)
) {
throw CryptoException();
}
return out;
}
/** @endcond */

#undef NOEXCEPT
} /* namespace decaf */

#endif /* __DECAF_DECAF_255_HXX__ */

+ 706
- 0
src/GENERATED/include/decaf/decaf_448.h View File

@@ -0,0 +1,706 @@
/**
* @file decaf/decaf_448.h
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
* @brief A group of prime order p, based on Ed448-Goldilocks.
*
* @warning This file was automatically generated in Python.
* Please do not edit it.
*/

#ifndef __DECAF_DECAF_448_H__
#define __DECAF_DECAF_448_H__ 1

#include <decaf/common.h>

#ifdef __cplusplus
extern "C" {
#endif

/** @cond internal */
#define DECAF_448_SCALAR_LIMBS ((446-1)/DECAF_WORD_BITS+1)
/** @endcond */

/** The number of bits in a scalar */
#define DECAF_448_SCALAR_BITS 446

/** @cond internal */
#ifndef __DECAF_448_GF_DEFINED__
#define __DECAF_448_GF_DEFINED__ 1
/** @brief Galois field element internal structure */
typedef struct gf_448_s {
decaf_word_t limb[512/DECAF_WORD_BITS];
} __attribute__((aligned(32))) gf_448_s, gf_448_t[1];
#endif /* __DECAF_448_GF_DEFINED__ */
/** @endcond */

/** Number of bytes in a serialized point. */
#define DECAF_448_SER_BYTES 56

/** Number of bytes in an elligated point. For now set the same as SER_BYTES
* but could be different for other curves.
*/
#define DECAF_448_HASH_BYTES 56

/** Number of bytes in a serialized scalar. */
#define DECAF_448_SCALAR_BYTES 56

/** Number of bits in the "which" field of an elligator inverse */
#define DECAF_448_INVERT_ELLIGATOR_WHICH_BITS 3

/** Number of bytes in an x448 public key */
#define DECAF_X448_PUBLIC_BYTES 56

/** Number of bytes in an x448 private key */
#define DECAF_X448_PRIVATE_BYTES 56

/** Twisted Edwards extended homogeneous coordinates */
typedef struct decaf_448_point_s {
/** @cond internal */
gf_448_t x,y,z,t;
/** @endcond */
} decaf_448_point_t[1];

/** Precomputed table based on a point. Can be trivial implementation. */
struct decaf_448_precomputed_s;

/** Precomputed table based on a point. Can be trivial implementation. */
typedef struct decaf_448_precomputed_s decaf_448_precomputed_s;

/** Size and alignment of precomputed point tables. */
extern const size_t decaf_448_sizeof_precomputed_s API_VIS, decaf_448_alignof_precomputed_s API_VIS;

/** Scalar is stored packed, because we don't need the speed. */
typedef struct decaf_448_scalar_s {
/** @cond internal */
decaf_word_t limb[DECAF_448_SCALAR_LIMBS];
/** @endcond */
} decaf_448_scalar_t[1];

/** A scalar equal to 1. */
extern const decaf_448_scalar_t decaf_448_scalar_one API_VIS;

/** A scalar equal to 0. */
extern const decaf_448_scalar_t decaf_448_scalar_zero API_VIS;

/** The identity point on the curve. */
extern const decaf_448_point_t decaf_448_point_identity API_VIS;

/** An arbitrarily chosen base point on the curve. */
extern const decaf_448_point_t decaf_448_point_base API_VIS;

/** Precomputed table for the base point on the curve. */
extern const struct decaf_448_precomputed_s *decaf_448_precomputed_base API_VIS;

/**
* @brief Read a scalar from wire format or from bytes.
*
* @param [in] ser Serialized form of a scalar.
* @param [out] out Deserialized form.
*
* @retval DECAF_SUCCESS The scalar was correctly encoded.
* @retval DECAF_FAILURE The scalar was greater than the modulus,
* and has been reduced modulo that modulus.
*/
decaf_error_t decaf_448_scalar_decode (
decaf_448_scalar_t out,
const unsigned char ser[DECAF_448_SCALAR_BYTES]
) API_VIS WARN_UNUSED NONNULL NOINLINE;

/**
* @brief Read a scalar from wire format or from bytes. Reduces mod
* scalar prime.
*
* @param [in] ser Serialized form of a scalar.
* @param [in] ser_len Length of serialized form.
* @param [out] out Deserialized form.
*/
void decaf_448_scalar_decode_long (
decaf_448_scalar_t out,
const unsigned char *ser,
size_t ser_len
) API_VIS NONNULL NOINLINE;
/**
* @brief Serialize a scalar to wire format.
*
* @param [out] ser Serialized form of a scalar.
* @param [in] s Deserialized scalar.
*/
void decaf_448_scalar_encode (
unsigned char ser[DECAF_448_SCALAR_BYTES],
const decaf_448_scalar_t s
) API_VIS NONNULL NOINLINE NOINLINE;
/**
* @brief Add two scalars. The scalars may use the same memory.
* @param [in] a One scalar.
* @param [in] b Another scalar.
* @param [out] out a+b.
*/
void decaf_448_scalar_add (
decaf_448_scalar_t out,
const decaf_448_scalar_t a,
const decaf_448_scalar_t b
) API_VIS NONNULL NOINLINE;

/**
* @brief Compare two scalars.
* @param [in] a One scalar.
* @param [in] b Another scalar.
* @retval DECAF_TRUE The scalars are equal.
* @retval DECAF_FALSE The scalars are not equal.
*/
decaf_bool_t decaf_448_scalar_eq (
const decaf_448_scalar_t a,
const decaf_448_scalar_t b
) API_VIS WARN_UNUSED NONNULL NOINLINE;

/**
* @brief Subtract two scalars. The scalars may use the same memory.
* @param [in] a One scalar.
* @param [in] b Another scalar.
* @param [out] out a-b.
*/
void decaf_448_scalar_sub (
decaf_448_scalar_t out,
const decaf_448_scalar_t a,
const decaf_448_scalar_t b
) API_VIS NONNULL NOINLINE;

/**
* @brief Multiply two scalars. The scalars may use the same memory.
* @param [in] a One scalar.
* @param [in] b Another scalar.
* @param [out] out a*b.
*/
void decaf_448_scalar_mul (
decaf_448_scalar_t out,
const decaf_448_scalar_t a,
const decaf_448_scalar_t b
) API_VIS NONNULL NOINLINE;
/**
* @brief Halve a scalar. The scalars may use the same memory.
* @param [in] a A scalar.
* @param [out] out a/2.
*/
void decaf_448_scalar_halve (
decaf_448_scalar_t out,
const decaf_448_scalar_t a
) API_VIS NONNULL NOINLINE;

/**
* @brief Invert a scalar. When passed zero, return 0. The input and output may alias.
* @param [in] a A scalar.
* @param [out] out 1/a.
* @return DECAF_SUCCESS The input is nonzero.
*/
decaf_error_t decaf_448_scalar_invert (
decaf_448_scalar_t out,
const decaf_448_scalar_t a
) API_VIS WARN_UNUSED NONNULL NOINLINE;

/**
* @brief Copy a scalar. The scalars may use the same memory, in which
* case this function does nothing.
* @param [in] a A scalar.
* @param [out] out Will become a copy of a.
*/
static inline void NONNULL decaf_448_scalar_copy (
decaf_448_scalar_t out,
const decaf_448_scalar_t a
) {
*out = *a;
}

/**
* @brief Set a scalar to an unsigned 64-bit integer.
* @param [in] a An integer.
* @param [out] out Will become equal to a.
*/
void decaf_448_scalar_set_unsigned (
decaf_448_scalar_t out,
uint64_t a
) API_VIS NONNULL;

/**
* @brief Encode a point as a sequence of bytes.
*
* @param [out] ser The byte representation of the point.
* @param [in] pt The point to encode.
*/
void decaf_448_point_encode (
uint8_t ser[DECAF_448_SER_BYTES],
const decaf_448_point_t pt
) API_VIS NONNULL NOINLINE;

/**
* @brief Decode a point from a sequence of bytes.
*
* Every point has a unique encoding, so not every
* sequence of bytes is a valid encoding. If an invalid
* encoding is given, the output is undefined.
*
* @param [out] pt The decoded point.
* @param [in] ser The serialized version of the point.
* @param [in] allow_identity DECAF_TRUE if the identity is a legal input.
* @retval DECAF_SUCCESS The decoding succeeded.
* @retval DECAF_FAILURE The decoding didn't succeed, because
* ser does not represent a point.
*/
decaf_error_t decaf_448_point_decode (
decaf_448_point_t pt,
const uint8_t ser[DECAF_448_SER_BYTES],
decaf_bool_t allow_identity
) API_VIS WARN_UNUSED NONNULL NOINLINE;

/**
* @brief Copy a point. The input and output may alias,
* in which case this function does nothing.
*
* @param [out] a A copy of the point.
* @param [in] b Any point.
*/
static inline void NONNULL decaf_448_point_copy (
decaf_448_point_t a,
const decaf_448_point_t b
) {
*a=*b;
}

/**
* @brief Test whether two points are equal. If yes, return
* DECAF_TRUE, else return DECAF_FALSE.
*
* @param [in] a A point.
* @param [in] b Another point.
* @retval DECAF_TRUE The points are equal.
* @retval DECAF_FALSE The points are not equal.
*/
decaf_bool_t decaf_448_point_eq (
const decaf_448_point_t a,
const decaf_448_point_t b
) API_VIS WARN_UNUSED NONNULL NOINLINE;

/**
* @brief Add two points to produce a third point. The
* input points and output point can be pointers to the same
* memory.
*
* @param [out] sum The sum a+b.
* @param [in] a An addend.
* @param [in] b An addend.
*/
void decaf_448_point_add (
decaf_448_point_t sum,
const decaf_448_point_t a,
const decaf_448_point_t b
) API_VIS NONNULL;

/**
* @brief Double a point. Equivalent to
* decaf_448_point_add(two_a,a,a), but potentially faster.
*
* @param [out] two_a The sum a+a.
* @param [in] a A point.
*/
void decaf_448_point_double (
decaf_448_point_t two_a,
const decaf_448_point_t a
) API_VIS NONNULL;

/**
* @brief Subtract two points to produce a third point. The
* input points and output point can be pointers to the same
* memory.
*
* @param [out] diff The difference a-b.
* @param [in] a The minuend.
* @param [in] b The subtrahend.
*/
void decaf_448_point_sub (
decaf_448_point_t diff,
const decaf_448_point_t a,
const decaf_448_point_t b
) API_VIS NONNULL;
/**
* @brief Negate a point to produce another point. The input
* and output points can use the same memory.
*
* @param [out] nega The negated input point
* @param [in] a The input point.
*/
void decaf_448_point_negate (
decaf_448_point_t nega,
const decaf_448_point_t a
) API_VIS NONNULL;

/**
* @brief Multiply a base point by a scalar: scaled = scalar*base.
*
* @param [out] scaled The scaled point base*scalar
* @param [in] base The point to be scaled.
* @param [in] scalar The scalar to multiply by.
*/
void decaf_448_point_scalarmul (
decaf_448_point_t scaled,
const decaf_448_point_t base,
const decaf_448_scalar_t scalar
) API_VIS NONNULL NOINLINE;

/**
* @brief Multiply a base point by a scalar: scaled = scalar*base.
* This function operates directly on serialized forms.
*
* @warning This function is experimental. It may not be supported
* long-term.
*
* @param [out] scaled The scaled point base*scalar
* @param [in] base The point to be scaled.
* @param [in] scalar The scalar to multiply by.
* @param [in] allow_identity Allow the input to be the identity.
* @param [in] short_circuit Allow a fast return if the input is illegal.
*
* @retval DECAF_SUCCESS The scalarmul succeeded.
* @retval DECAF_FAILURE The scalarmul didn't succeed, because
* base does not represent a point.
*/
decaf_error_t decaf_448_direct_scalarmul (
uint8_t scaled[DECAF_448_SER_BYTES],
const uint8_t base[DECAF_448_SER_BYTES],
const decaf_448_scalar_t scalar,
decaf_bool_t allow_identity,
decaf_bool_t short_circuit
) API_VIS NONNULL WARN_UNUSED NOINLINE;

/**
* @brief RFC 7748 Diffie-Hellman scalarmul. This function uses a different
* (non-Decaf) encoding.
*
* @param [out] scaled The scaled point base*scalar
* @param [in] base The point to be scaled.
* @param [in] scalar The scalar to multiply by.
*
* @retval DECAF_SUCCESS The scalarmul succeeded.
* @retval DECAF_FAILURE The scalarmul didn't succeed, because the base
* point is in a small subgroup.
*/
decaf_error_t decaf_x448 (
uint8_t out[DECAF_X448_PUBLIC_BYTES],
const uint8_t base[DECAF_X448_PUBLIC_BYTES],
const uint8_t scalar[DECAF_X448_PRIVATE_BYTES]
) API_VIS NONNULL WARN_UNUSED NOINLINE;

/** The base point for X448 Diffie-Hellman */
extern const uint8_t decaf_x448_base_point[DECAF_X448_PUBLIC_BYTES] API_VIS;

/**
* @brief RFC 7748 Diffie-Hellman base point scalarmul. This function uses
* a different (non-Decaf) encoding.
*
* @param [out] scaled The scaled point base*scalar
* @param [in] scalar The scalar to multiply by.
*/
void decaf_x448_generate_key (
uint8_t out[DECAF_X448_PUBLIC_BYTES],
const uint8_t scalar[DECAF_X448_PRIVATE_BYTES]
) API_VIS NONNULL NOINLINE;

/* FUTURE: uint8_t decaf_448_encode_like_curve448) */

/**
* @brief Precompute a table for fast scalar multiplication.
* Some implementations do not include precomputed points; for
* those implementations, this implementation simply copies the
* point.
*
* @param [out] a A precomputed table of multiples of the point.
* @param [in] b Any point.
*/
void decaf_448_precompute (
decaf_448_precomputed_s *a,
const decaf_448_point_t b
) API_VIS NONNULL NOINLINE;

/**
* @brief Multiply a precomputed base point by a scalar:
* scaled = scalar*base.
* Some implementations do not include precomputed points; for
* those implementations, this function is the same as
* decaf_448_point_scalarmul
*
* @param [out] scaled The scaled point base*scalar
* @param [in] base The point to be scaled.
* @param [in] scalar The scalar to multiply by.
*/
void decaf_448_precomputed_scalarmul (
decaf_448_point_t scaled,
const decaf_448_precomputed_s *base,
const decaf_448_scalar_t scalar
) API_VIS NONNULL NOINLINE;

/**
* @brief Multiply two base points by two scalars:
* scaled = scalar1*base1 + scalar2*base2.
*
* Equivalent to two calls to decaf_448_point_scalarmul, but may be
* faster.
*
* @param [out] combo The linear combination scalar1*base1 + scalar2*base2.
* @param [in] base1 A first point to be scaled.
* @param [in] scalar1 A first scalar to multiply by.
* @param [in] base2 A second point to be scaled.
* @param [in] scalar2 A second scalar to multiply by.
*/
void decaf_448_point_double_scalarmul (
decaf_448_point_t combo,
const decaf_448_point_t base1,
const decaf_448_scalar_t scalar1,
const decaf_448_point_t base2,
const decaf_448_scalar_t scalar2
) API_VIS NONNULL NOINLINE;
/**
* Multiply one base point by two scalars:
*
* a1 = scalar1 * base
* a2 = scalar2 * base
*
* Equivalent to two calls to decaf_448_point_scalarmul, but may be
* faster.
*
* @param [out] a1 The first multiple. It may be the same as the input point.
* @param [out] a2 The second multiple. It may be the same as the input point.
* @param [in] base1 A point to be scaled.
* @param [in] scalar1 A first scalar to multiply by.
* @param [in] scalar2 A second scalar to multiply by.
*/
void decaf_448_point_dual_scalarmul (
decaf_448_point_t a1,
decaf_448_point_t a2,
const decaf_448_point_t base1,
const decaf_448_scalar_t scalar1,
const decaf_448_scalar_t scalar2
) API_VIS NONNULL NOINLINE;

/**
* @brief Multiply two base points by two scalars:
* scaled = scalar1*decaf_448_point_base + scalar2*base2.
*
* Otherwise equivalent to decaf_448_point_double_scalarmul, but may be
* faster at the expense of being variable time.
*
* @param [out] combo The linear combination scalar1*base + scalar2*base2.
* @param [in] scalar1 A first scalar to multiply by.
* @param [in] base2 A second point to be scaled.
* @param [in] scalar2 A second scalar to multiply by.
*
* @warning: This function takes variable time, and may leak the scalars
* used. It is designed for signature verification.
*/
void decaf_448_base_double_scalarmul_non_secret (
decaf_448_point_t combo,
const decaf_448_scalar_t scalar1,
const decaf_448_point_t base2,
const decaf_448_scalar_t scalar2
) API_VIS NONNULL NOINLINE;

/**
* @brief Constant-time decision between two points. If pick_b
* is zero, out = a; else out = b.
*
* @param [out] out The output. It may be the same as either input.
* @param [in] a Any point.
* @param [in] b Any point.
* @param [in] pick_b If nonzero, choose point b.
*/
void decaf_448_point_cond_sel (
decaf_448_point_t out,
const decaf_448_point_t a,
const decaf_448_point_t b,
decaf_word_t pick_b
) API_VIS NONNULL NOINLINE;

/**
* @brief Constant-time decision between two scalars. If pick_b
* is zero, out = a; else out = b.
*
* @param [out] out The output. It may be the same as either input.
* @param [in] a Any scalar.
* @param [in] b Any scalar.
* @param [in] pick_b If nonzero, choose scalar b.
*/
void decaf_448_scalar_cond_sel (
decaf_448_scalar_t out,
const decaf_448_scalar_t a,
const decaf_448_scalar_t b,
decaf_word_t pick_b
) API_VIS NONNULL NOINLINE;

/**
* @brief Test that a point is valid, for debugging purposes.
*
* @param [in] to_test The point to test.
* @retval DECAF_TRUE The point is valid.
* @retval DECAF_FALSE The point is invalid.
*/
decaf_bool_t decaf_448_point_valid (
const decaf_448_point_t to_test
) API_VIS WARN_UNUSED NONNULL NOINLINE;

/**
* @brief Torque a point, for debugging purposes. The output
* will be equal to the input.
*
* @param [out] q The point to torque.
* @param [in] p The point to torque.
*/
void decaf_448_point_debugging_torque (
decaf_448_point_t q,
const decaf_448_point_t p
) API_VIS NONNULL NOINLINE;

/**
* @brief Projectively scale a point, for debugging purposes.
* The output will be equal to the input, and will be valid
* even if the factor is zero.
*
* @param [out] q The point to scale.
* @param [in] p The point to scale.
* @param [in] factor Serialized GF factor to scale.
*/
void decaf_448_point_debugging_pscale (
decaf_448_point_t q,
const decaf_448_point_t p,
const unsigned char factor[DECAF_448_SER_BYTES]
) API_VIS NONNULL NOINLINE;

/**
* @brief Almost-Elligator-like hash to curve.
*
* Call this function with the output of a hash to make a hash to the curve.
*
* This function runs Elligator2 on the decaf_448 Jacobi quartic model. It then
* uses the isogeny to put the result in twisted Edwards form. As a result,
* it is safe (cannot produce points of order 4), and would be compatible with
* hypothetical other implementations of Decaf using a Montgomery or untwisted
* Edwards model.
*
* Unlike Elligator, this function may be up to 4:1 on [0,(p-1)/2]:
* A factor of 2 due to the isogeny.
* A factor of 2 because we quotient out the 2-torsion.
*
* This makes it about 8:1 overall, or 16:1 overall on curves with cofactor 8.
*
* Negating the input (mod q) results in the same point. Inverting the input
* (mod q) results in the negative point. This is the same as Elligator.
*
* This function isn't quite indifferentiable from a random oracle.
* However, it is suitable for many protocols, including SPEKE and SPAKE2 EE.
* Furthermore, calling it twice with independent seeds and adding the results
* is indifferentiable from a random oracle.
*
* @param [in] hashed_data Output of some hash function.
* @param [out] pt The data hashed to the curve.
*/
void
decaf_448_point_from_hash_nonuniform (
decaf_448_point_t pt,
const unsigned char hashed_data[DECAF_448_HASH_BYTES]
) API_VIS NONNULL NOINLINE;

/**
* @brief Indifferentiable hash function encoding to curve.
*
* Equivalent to calling decaf_448_point_from_hash_nonuniform twice and adding.
*
* @param [in] hashed_data Output of some hash function.
* @param [out] pt The data hashed to the curve.
*/
void decaf_448_point_from_hash_uniform (
decaf_448_point_t pt,
const unsigned char hashed_data[2*DECAF_448_HASH_BYTES]
) API_VIS NONNULL NOINLINE;

/**
* @brief Inverse of elligator-like hash to curve.
*
* This function writes to the buffer, to make it so that
* decaf_448_point_from_hash_nonuniform(buffer) = pt if
* possible. Since there may be multiple preimages, the
* "which" parameter chooses between them. To ensure uniform
* inverse sampling, this function succeeds or fails
* independently for different "which" values.
*
* @param [out] recovered_hash Encoded data.
* @param [in] pt The point to encode.
* @param [in] which A value determining which inverse point
* to return.
*
* @retval DECAF_SUCCESS The inverse succeeded.
* @retval DECAF_FAILURE The inverse failed.
*/
decaf_error_t
decaf_448_invert_elligator_nonuniform (
unsigned char recovered_hash[DECAF_448_HASH_BYTES],
const decaf_448_point_t pt,
uint32_t which
) API_VIS NONNULL NOINLINE WARN_UNUSED;

/**
* @brief Inverse of elligator-like hash to curve.
*
* This function writes to the buffer, to make it so that
* decaf_448_point_from_hash_uniform(buffer) = pt if
* possible. Since there may be multiple preimages, the
* "which" parameter chooses between them. To ensure uniform
* inverse sampling, this function succeeds or fails
* independently for different "which" values.
*
* @param [out] recovered_hash Encoded data.
* @param [in] pt The point to encode.
* @param [in] which A value determining which inverse point
* to return.
*
* @retval DECAF_SUCCESS The inverse succeeded.
* @retval DECAF_FAILURE The inverse failed.
*/
decaf_error_t
decaf_448_invert_elligator_uniform (
unsigned char recovered_hash[2*DECAF_448_HASH_BYTES],
const decaf_448_point_t pt,
uint32_t which
) API_VIS NONNULL NOINLINE WARN_UNUSED;

/**
* @brief Overwrite scalar with zeros.
*/
void decaf_448_scalar_destroy (
decaf_448_scalar_t scalar
) NONNULL API_VIS;

/**
* @brief Overwrite point with zeros.
*/
void decaf_448_point_destroy (
decaf_448_point_t point
) NONNULL API_VIS;

/**
* @brief Overwrite precomputed table with zeros.
*/
void decaf_448_precomputed_destroy (
decaf_448_precomputed_s *pre
) NONNULL API_VIS;

#ifdef __cplusplus
} /* extern "C" */
#endif

#endif /* __DECAF_DECAF_448_H__ */

+ 714
- 0
src/GENERATED/include/decaf/decaf_448.hxx View File

@@ -0,0 +1,714 @@
/**
* @file decaf/decaf_448.hxx
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
* A group of prime order p, C++ wrapper.
*
* The Decaf library implements cryptographic operations on a an elliptic curve
* group of prime order p. It accomplishes this by using a twisted Edwards
* curve (isogenous to Ed448-Goldilocks) and wiping out the cofactor.
*
* The formulas are all complete and have no special cases, except that
* decaf_448_decode can fail because not every sequence of bytes is a valid group
* element.
*
* The formulas contain no data-dependent branches, timing or memory accesses,
* except for decaf_448_base_double_scalarmul_non_secret.
*
* @warning This file was automatically generated in Python.
* Please do not edit it.
*/

#ifndef __DECAF_DECAF_448_HXX__
#define __DECAF_DECAF_448_HXX__ 1

/** This code uses posix_memalign. */
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 600
#endif
#include <stdlib.h>
#include <string.h> /* for memcpy */

#include <decaf/decaf_448.h>
#include <decaf/ed448.h>
#include <decaf/secure_buffer.hxx>
#include <string>
#include <sys/types.h>
#include <limits.h>

/** @cond internal */
#if __cplusplus >= 201103L
#define NOEXCEPT noexcept
#else
#define NOEXCEPT throw()
#endif
/** @endcond */

namespace decaf {

/**
* Ed448-Goldilocks/Decaf instantiation of group.
*/
struct Ed448Goldilocks {

/** The name of the curve */
static inline const char *name() { return "Ed448-Goldilocks"; }

/** The curve's cofactor (removed, but useful for testing) */
static const int REMOVED_COFACTOR = 4;

/** Residue class of field modulus: p == this mod 2*(this-1) */
static const int FIELD_MODULUS_TYPE = 3;

/** @cond internal */
class Point;
class Precomputed;
/** @endcond */

/**
* A scalar modulo the curve order.
* Supports the usual arithmetic operations, all in constant time.
*/
class Scalar : public Serializable<Scalar> {
public:
/** wrapped C type */
typedef decaf_448_scalar_t Wrapped;
/** Size of a serialized element */
static const size_t SER_BYTES = DECAF_448_SCALAR_BYTES;

/** access to the underlying scalar object */
Wrapped s;

/** @cond internal */
/** Don't initialize. */
inline Scalar(const NOINIT &) NOEXCEPT {}
/** @endcond */

/** Set to an unsigned word */
inline Scalar(uint64_t w) NOEXCEPT { *this = w; }

/** Set to a signed word */
inline Scalar(int64_t w) NOEXCEPT { *this = w; }

/** Set to an unsigned word */
inline Scalar(unsigned int w) NOEXCEPT { *this = w; }

/** Set to a signed word */
inline Scalar(int w) NOEXCEPT { *this = w; }

/** Construct from RNG */
inline explicit Scalar(Rng &rng) NOEXCEPT {
FixedArrayBuffer<SER_BYTES + 16> sb(rng);
*this = sb;
}

/** Construct from decaf_scalar_t object. */
inline Scalar(const Wrapped &t = decaf_448_scalar_zero) NOEXCEPT { decaf_448_scalar_copy(s,t); }

/** Copy constructor. */
inline Scalar(const Scalar &x) NOEXCEPT { *this = x; }

/** Construct from arbitrary-length little-endian byte sequence. */
inline Scalar(const Block &buffer) NOEXCEPT { *this = buffer; }

/** Serializable instance */
inline size_t ser_size() const NOEXCEPT { return SER_BYTES; }

/** Serializable instance */
inline void serialize_into(unsigned char *buffer) const NOEXCEPT {
decaf_448_scalar_encode(buffer, s);
}

/** Assignment. */
inline Scalar& operator=(const Scalar &x) NOEXCEPT { decaf_448_scalar_copy(s,x.s); return *this; }

/** Assign from unsigned 64-bit integer. */
inline Scalar& operator=(uint64_t w) NOEXCEPT { decaf_448_scalar_set_unsigned(s,w); return *this; }


/** Assign from signed int. */
inline Scalar& operator=(int64_t w) NOEXCEPT {
Scalar t(-(uint64_t)INT_MIN);
decaf_448_scalar_set_unsigned(s,(uint64_t)w - (uint64_t)INT_MIN);
*this -= t;
return *this;
}

/** Assign from unsigned int. */
inline Scalar& operator=(unsigned int w) NOEXCEPT { return *this = (uint64_t)w; }

/** Assign from signed int. */
inline Scalar& operator=(int w) NOEXCEPT { return *this = (int64_t)w; }

/** Destructor securely zeorizes the scalar. */
inline ~Scalar() NOEXCEPT { decaf_448_scalar_destroy(s); }

/** Assign from arbitrary-length little-endian byte sequence in a Block. */
inline Scalar &operator=(const Block &bl) NOEXCEPT {
decaf_448_scalar_decode_long(s,bl.data(),bl.size()); return *this;
}

/**
* Decode from correct-length little-endian byte sequence.
* @return DECAF_FAILURE if the scalar is greater than or equal to the group order q.
*/
static inline decaf_error_t WARN_UNUSED decode (
Scalar &sc, const FixedBlock<SER_BYTES> buffer
) NOEXCEPT {
return decaf_448_scalar_decode(sc.s,buffer.data());
}

/** Add. */
inline Scalar operator+ (const Scalar &q) const NOEXCEPT { Scalar r((NOINIT())); decaf_448_scalar_add(r.s,s,q.s); return r; }

/** Add to this. */
inline Scalar &operator+=(const Scalar &q) NOEXCEPT { decaf_448_scalar_add(s,s,q.s); return *this; }

/** Subtract. */
inline Scalar operator- (const Scalar &q) const NOEXCEPT { Scalar r((NOINIT())); decaf_448_scalar_sub(r.s,s,q.s); return r; }

/** Subtract from this. */
inline Scalar &operator-=(const Scalar &q) NOEXCEPT { decaf_448_scalar_sub(s,s,q.s); return *this; }

/** Multiply */
inline Scalar operator* (const Scalar &q) const NOEXCEPT { Scalar r((NOINIT())); decaf_448_scalar_mul(r.s,s,q.s); return r; }

/** Multiply into this. */
inline Scalar &operator*=(const Scalar &q) NOEXCEPT { decaf_448_scalar_mul(s,s,q.s); return *this; }

/** Negate */
inline Scalar operator- () const NOEXCEPT { Scalar r((NOINIT())); decaf_448_scalar_sub(r.s,decaf_448_scalar_zero,s); return r; }

/** Invert with Fermat's Little Theorem (slow!). If *this == 0,
* throw CryptoException. */
inline Scalar inverse() const throw(CryptoException) {
Scalar r;
if (DECAF_SUCCESS != decaf_448_scalar_invert(r.s,s)) {
throw CryptoException();
}
return r;
}

/** Invert with Fermat's Little Theorem (slow!). If *this == 0, set r=0
* and return DECAF_FAILURE. */
inline decaf_error_t WARN_UNUSED
inverse_noexcept(Scalar &r) const NOEXCEPT {
return decaf_448_scalar_invert(r.s,s);
}

/** Divide by inverting q. If q == 0, return 0. */
inline Scalar operator/ (const Scalar &q) const throw(CryptoException) { return *this * q.inverse(); }

/** Divide by inverting q. If q == 0, return 0. */
inline Scalar &operator/=(const Scalar &q) throw(CryptoException) { return *this *= q.inverse(); }

/** Return half this scalar. Much faster than /2. */
inline Scalar half() const { Scalar out; decaf_448_scalar_halve(out.s,s); return out; }

/** Compare in constant time */
inline bool operator!=(const Scalar &q) const NOEXCEPT { return !(*this == q); }

/** Compare in constant time */
inline bool operator==(const Scalar &q) const NOEXCEPT { return !!decaf_448_scalar_eq(s,q.s); }

/** Scalarmul with scalar on left. */
inline Point operator* (const Point &q) const NOEXCEPT { return q * (*this); }

/** Scalarmul-precomputed with scalar on left. */
inline Point operator* (const Precomputed &q) const NOEXCEPT { return q * (*this); }

/** Direct scalar multiplication. */
inline SecureBuffer direct_scalarmul(
const Block &in,
decaf_bool_t allow_identity=DECAF_FALSE,
decaf_bool_t short_circuit=DECAF_TRUE
) const throw(CryptoException);
};

/**
* Element of prime-order group.
*/
class Point : public Serializable<Point> {
public:
/** wrapped C type */
typedef decaf_448_point_t Wrapped;
/** Size of a serialized element */
static const size_t SER_BYTES = DECAF_448_SER_BYTES;

/** Bytes required for hash */
static const size_t HASH_BYTES = DECAF_448_HASH_BYTES;

/**
* Size of a stegged element.
*
* FUTURE: You can use HASH_BYTES * 3/2 (or more likely much less, eg HASH_BYTES + 8)
* with a random oracle hash function, by hash-expanding everything past the first
* HASH_BYTES of the element. However, since the internal C invert_elligator is not
* tied to a hash function, I didn't want to tie the C++ wrapper to a hash function
* either. But it might be a good idea to do this in the future, either with STROBE
* or something else.
*
* Then again, calling invert_elligator at all is super niche, so maybe who cares?
*/
static const size_t STEG_BYTES = HASH_BYTES * 2;
/** Number of bits in invert_elligator which are actually used. */
static const unsigned int INVERT_ELLIGATOR_WHICH_BITS = DECAF_448_INVERT_ELLIGATOR_WHICH_BITS;

/** The c-level object. */
Wrapped p;

/** @cond internal */
/** Don't initialize. */
inline Point(const NOINIT &) NOEXCEPT {}
/** @endcond */

/** Constructor sets to identity by default. */
inline Point(const Wrapped &q = decaf_448_point_identity) NOEXCEPT { decaf_448_point_copy(p,q); }

/** Copy constructor. */
inline Point(const Point &q) NOEXCEPT { *this = q; }

/** Assignment. */
inline Point& operator=(const Point &q) NOEXCEPT { decaf_448_point_copy(p,q.p); return *this; }

/** Destructor securely zeorizes the point. */
inline ~Point() NOEXCEPT { decaf_448_point_destroy(p); }

/** Construct from RNG */
inline explicit Point(Rng &rng, bool uniform = true) NOEXCEPT {
if (uniform) {
FixedArrayBuffer<2*HASH_BYTES> b(rng);
set_to_hash(b);
} else {
FixedArrayBuffer<HASH_BYTES> b(rng);
set_to_hash(b);
}
}

/**
* Initialize from a fixed-length byte string.
* The all-zero string maps to the identity.
*
* @throw CryptoException the string was the wrong length, or wasn't the encoding of a point,
* or was the identity and allow_identity was DECAF_FALSE.
*/
inline explicit Point(const FixedBlock<SER_BYTES> &buffer, decaf_bool_t allow_identity=DECAF_TRUE)
throw(CryptoException) {
if (DECAF_SUCCESS != decode(buffer,allow_identity)) {
throw CryptoException();
}
}

/**
* Initialize from C++ fixed-length byte string.
* The all-zero string maps to the identity.
*
* @retval DECAF_SUCCESS the string was successfully decoded.
* @return DECAF_FAILURE the string was the wrong length, or wasn't the encoding of a point,
* or was the identity and allow_identity was DECAF_FALSE. Contents of the buffer are undefined.
*/
inline decaf_error_t WARN_UNUSED decode (
const FixedBlock<SER_BYTES> &buffer, decaf_bool_t allow_identity=DECAF_TRUE
) NOEXCEPT {
return decaf_448_point_decode(p,buffer.data(),allow_identity);
}

/**
* Initialize from C++ fixed-length byte string, like EdDSA.
* The all-zero string maps to the identity.
*
* @retval DECAF_SUCCESS the string was successfully decoded.
* @return DECAF_FAILURE the string was the wrong length, or wasn't the encoding of a point.
* Contents of the point are undefined.
*/
inline decaf_error_t WARN_UNUSED decode_like_eddsa_and_ignore_cofactor_noexcept (
const FixedBlock<DECAF_EDDSA_448_PUBLIC_BYTES> &buffer
) NOEXCEPT {
return decaf_448_point_decode_like_eddsa_and_ignore_cofactor(p,buffer.data());
}

inline void decode_like_eddsa_and_ignore_cofactor (
const FixedBlock<DECAF_EDDSA_448_PUBLIC_BYTES> &buffer
) throw(CryptoException) {
if (DECAF_SUCCESS != decode_like_eddsa_and_ignore_cofactor_noexcept(buffer)) throw(CryptoException());
}

/** Multiply out cofactor and encode like EdDSA. */
inline SecureBuffer mul_by_cofactor_and_encode_like_eddsa() const {
SecureBuffer ret(DECAF_EDDSA_448_PUBLIC_BYTES);
decaf_448_point_mul_by_cofactor_and_encode_like_eddsa(ret.data(),p);
return ret;
}

/**
* Map uniformly to the curve from a hash buffer.
* The empty or all-zero string maps to the identity, as does the string "\\x01".
* If the buffer is shorter than 2*HASH_BYTES, well, it won't be as uniform,
* but the buffer will be zero-padded on the right.
*/
static inline Point from_hash ( const Block &s ) NOEXCEPT {
Point p((NOINIT())); p.set_to_hash(s); return p;
}

/**
* Map to the curve from a hash buffer.
* The empty or all-zero string maps to the identity, as does the string "\\x01".
* If the buffer is shorter than 2*HASH_BYTES, well, it won't be as uniform,
* but the buffer will be zero-padded on the right.
*/
inline void set_to_hash( const Block &s ) NOEXCEPT {
if (s.size() < HASH_BYTES) {
SecureBuffer b(HASH_BYTES);
memcpy(b.data(), s.data(), s.size());
decaf_448_point_from_hash_nonuniform(p,b.data());
} else if (s.size() == HASH_BYTES) {
decaf_448_point_from_hash_nonuniform(p,s.data());
} else if (s.size() < 2*HASH_BYTES) {
SecureBuffer b(2*HASH_BYTES);
memcpy(b.data(), s.data(), s.size());
decaf_448_point_from_hash_uniform(p,b.data());
} else {
decaf_448_point_from_hash_uniform(p,s.data());
}
}

/**
* Encode to string. The identity encodes to the all-zero string.
*/
inline operator SecureBuffer() const {
SecureBuffer buffer(SER_BYTES);
decaf_448_point_encode(buffer.data(), p);
return buffer;
}

/** Serializable instance */
inline size_t ser_size() const NOEXCEPT { return SER_BYTES; }

/** Serializable instance */
inline void serialize_into(unsigned char *buffer) const NOEXCEPT {
decaf_448_point_encode(buffer, p);
}

/** Point add. */
inline Point operator+ (const Point &q) const NOEXCEPT { Point r((NOINIT())); decaf_448_point_add(r.p,p,q.p); return r; }

/** Point add. */
inline Point &operator+=(const Point &q) NOEXCEPT { decaf_448_point_add(p,p,q.p); return *this; }

/** Point subtract. */
inline Point operator- (const Point &q) const NOEXCEPT { Point r((NOINIT())); decaf_448_point_sub(r.p,p,q.p); return r; }

/** Point subtract. */
inline Point &operator-=(const Point &q) NOEXCEPT { decaf_448_point_sub(p,p,q.p); return *this; }

/** Point negate. */
inline Point operator- () const NOEXCEPT { Point r((NOINIT())); decaf_448_point_negate(r.p,p); return r; }

/** Double the point out of place. */
inline Point times_two () const NOEXCEPT { Point r((NOINIT())); decaf_448_point_double(r.p,p); return r; }

/** Double the point in place. */
inline Point &double_in_place() NOEXCEPT { decaf_448_point_double(p,p); return *this; }

/** Constant-time compare. */
inline bool operator!=(const Point &q) const NOEXCEPT { return ! decaf_448_point_eq(p,q.p); }

/** Constant-time compare. */
inline bool operator==(const Point &q) const NOEXCEPT { return !!decaf_448_point_eq(p,q.p); }

/** Scalar multiply. */
inline Point operator* (const Scalar &s) const NOEXCEPT { Point r((NOINIT())); decaf_448_point_scalarmul(r.p,p,s.s); return r; }

/** Scalar multiply in place. */
inline Point &operator*=(const Scalar &s) NOEXCEPT { decaf_448_point_scalarmul(p,p,s.s); return *this; }

/** Multiply by s.inverse(). If s=0, maps to the identity. */
inline Point operator/ (const Scalar &s) const throw(CryptoException) { return (*this) * s.inverse(); }

/** Multiply by s.inverse(). If s=0, maps to the identity. */
inline Point &operator/=(const Scalar &s) throw(CryptoException) { return (*this) *= s.inverse(); }

/** Validate / sanity check */
inline bool validate() const NOEXCEPT { return decaf_448_point_valid(p); }

/** Double-scalar multiply, equivalent to q*qs + r*rs but faster. */
static inline Point double_scalarmul (
const Point &q, const Scalar &qs, const Point &r, const Scalar &rs
) NOEXCEPT {
Point p((NOINIT())); decaf_448_point_double_scalarmul(p.p,q.p,qs.s,r.p,rs.s); return p;
}

/** Dual-scalar multiply, equivalent to this*r1, this*r2 but faster. */
inline void dual_scalarmul (
Point &q1, Point &q2, const Scalar &r1, const Scalar &r2
) const NOEXCEPT {
decaf_448_point_dual_scalarmul(q1.p,q2.p,p,r1.s,r2.s);
}

/**
* Double-scalar multiply, equivalent to q*qs + r*rs but faster.
* For those who like their scalars before the point.
*/
static inline Point double_scalarmul (
const Scalar &qs, const Point &q, const Scalar &rs, const Point &r
) NOEXCEPT {
return double_scalarmul(q,qs,r,rs);
}

/**
* Double-scalar multiply: this point by the first scalar and base by the second scalar.
* @warning This function takes variable time, and may leak the scalars (or points, but currently
* it doesn't).
*/
inline Point non_secret_combo_with_base(const Scalar &s, const Scalar &s_base) NOEXCEPT {
Point r((NOINIT())); decaf_448_base_double_scalarmul_non_secret(r.p,s_base.s,p,s.s); return r;
}

/** Return a point equal to *this, whose internal data is rotated by a torsion element. */
inline Point debugging_torque() const NOEXCEPT {
Point q;
decaf_448_point_debugging_torque(q.p,p);
return q;
}

/** Return a point equal to *this, whose internal data has a modified representation. */
inline Point debugging_pscale(const FixedBlock<SER_BYTES> factor) const NOEXCEPT {
Point q;
decaf_448_point_debugging_pscale(q.p,p,factor.data());
return q;
}

/** Return a point equal to *this, whose internal data has a randomized representation. */
inline Point debugging_pscale(Rng &r) const NOEXCEPT {
FixedArrayBuffer<SER_BYTES> sb(r);
return debugging_pscale(sb);
}

/**
* Modify buffer so that Point::from_hash(Buffer) == *this, and return DECAF_SUCCESS;
* or leave buf unmodified and return DECAF_FAILURE.
*/
inline decaf_error_t invert_elligator (
Buffer buf, uint32_t hint
) const NOEXCEPT {
unsigned char buf2[2*HASH_BYTES];
memset(buf2,0,sizeof(buf2));
memcpy(buf2,buf.data(),(buf.size() > 2*HASH_BYTES) ? 2*HASH_BYTES : buf.size());
decaf_bool_t ret;
if (buf.size() > HASH_BYTES) {
ret = decaf_successful(decaf_448_invert_elligator_uniform(buf2, p, hint));
} else {
ret = decaf_successful(decaf_448_invert_elligator_nonuniform(buf2, p, hint));
}
if (buf.size() < HASH_BYTES) {
ret &= decaf_memeq(&buf2[buf.size()], &buf2[HASH_BYTES], HASH_BYTES - buf.size());
}
for (size_t i=0; i<buf.size() && i<HASH_BYTES; i++) {
buf[i] = (buf[i] & ~ret) | (buf2[i] &ret);
}
decaf_bzero(buf2,sizeof(buf2));
return decaf_succeed_if(ret);
}

/** Steganographically encode this */
inline SecureBuffer steg_encode(Rng &rng, size_t size=STEG_BYTES) const throw(std::bad_alloc, LengthException) {
if (size <= HASH_BYTES + 4 || size > 2*HASH_BYTES) throw LengthException();
SecureBuffer out(STEG_BYTES);
decaf_error_t done;
do {
rng.read(Buffer(out).slice(HASH_BYTES-4,STEG_BYTES-HASH_BYTES+1));
uint32_t hint = 0;
for (int i=0; i<4; i++) { hint |= uint32_t(out[HASH_BYTES-4+i])<<(8*i); }
done = invert_elligator(out, hint);
} while (!decaf_successful(done));
return out;
}

/** Return the base point */
static inline const Point base() NOEXCEPT { return Point(decaf_448_point_base); }

/** Return the identity point */
static inline const Point identity() NOEXCEPT { return Point(decaf_448_point_identity); }
};

/**
* Precomputed table of points.
* Minor difficulties arise here because the decaf API doesn't expose, as a constant, how big such an object is.
* Therefore we have to call malloc() or friends, but that's probably for the best, because you don't want to
* stack-allocate a 15kiB object anyway.
*/

/** @cond internal */
typedef decaf_448_precomputed_s Precomputed_U;
/** @endcond */
class Precomputed
/** @cond internal */
: protected OwnedOrUnowned<Precomputed,Precomputed_U>
/** @endcond */
{
public:

/** Destructor securely zeorizes the memory. */
inline ~Precomputed() NOEXCEPT { clear(); }

/**
* Initialize from underlying type, declared as a reference to prevent
* it from being called with 0, thereby breaking override.
*
* The underlying object must remain valid throughout the lifetime of this one.
*
* By default, initializes to the table for the base point.
*
* @warning The empty initializer makes this equal to base, unlike the empty
* initializer for points which makes this equal to the identity.
*/
inline Precomputed (
const Precomputed_U &yours = *default_value()
) NOEXCEPT : OwnedOrUnowned<Precomputed,Precomputed_U>(yours) {}


#if __cplusplus >= 201103L
/** Move-assign operator */
inline Precomputed &operator=(Precomputed &&it) NOEXCEPT {
OwnedOrUnowned<Precomputed,Precomputed_U>::operator= (it);
return *this;
}

/** Move constructor */
inline Precomputed(Precomputed &&it) NOEXCEPT : OwnedOrUnowned<Precomputed,Precomputed_U>() {
*this = it;
}

/** Undelete copy operator */
inline Precomputed &operator=(const Precomputed &it) NOEXCEPT {
OwnedOrUnowned<Precomputed,Precomputed_U>::operator= (it);
return *this;
}
#endif

/**
* Initilaize from point. Must allocate memory, and may throw.
*/
inline Precomputed &operator=(const Point &it) throw(std::bad_alloc) {
alloc();
decaf_448_precompute(ours.mine,it.p);
return *this;
}

/**
* Copy constructor.
*/
inline Precomputed(const Precomputed &it) throw(std::bad_alloc)
: OwnedOrUnowned<Precomputed,Precomputed_U>() { *this = it; }

/**
* Constructor which initializes from point.
*/
inline explicit Precomputed(const Point &it) throw(std::bad_alloc)
: OwnedOrUnowned<Precomputed,Precomputed_U>() { *this = it; }

/** Fixed base scalarmul. */
inline Point operator* (const Scalar &s) const NOEXCEPT { Point r; decaf_448_precomputed_scalarmul(r.p,get(),s.s); return r; }

/** Multiply by s.inverse(). If s=0, maps to the identity. */
inline Point operator/ (const Scalar &s) const throw(CryptoException) { return (*this) * s.inverse(); }

/** Return the table for the base point. */
static inline const Precomputed base() NOEXCEPT { return Precomputed(); }

public:
/** @cond internal */
friend class OwnedOrUnowned<Precomputed,Precomputed_U>;
static inline size_t size() NOEXCEPT { return decaf_448_sizeof_precomputed_s; }
static inline size_t alignment() NOEXCEPT { return decaf_448_alignof_precomputed_s; }
static inline const Precomputed_U * default_value() NOEXCEPT { return decaf_448_precomputed_base; }
/** @endcond */
};

struct DhLadder {
public:
/** Bytes in an X448 public key. */
static const size_t PUBLIC_BYTES = DECAF_X448_PUBLIC_BYTES;

/** Bytes in an X448 private key. */
static const size_t PRIVATE_BYTES = DECAF_X448_PRIVATE_BYTES;

/** Base point for a scalar multiplication. */
static const FixedBlock<PUBLIC_BYTES> base_point() NOEXCEPT {
return FixedBlock<PUBLIC_BYTES>(decaf_x448_base_point);
}

/** Generate and return a shared secret with public key. */
static inline SecureBuffer shared_secret(
const FixedBlock<PUBLIC_BYTES> &pk,
const FixedBlock<PRIVATE_BYTES> &scalar
) throw(std::bad_alloc,CryptoException) {
SecureBuffer out(PUBLIC_BYTES);
if (DECAF_SUCCESS != decaf_x448(out.data(), pk.data(), scalar.data())) {
throw CryptoException();
}
return out;
}

/** Generate and return a shared secret with public key, noexcept version. */
static inline decaf_error_t WARN_UNUSED
shared_secret_noexcept (
FixedBuffer<PUBLIC_BYTES> &out,
const FixedBlock<PUBLIC_BYTES> &pk,
const FixedBlock<PRIVATE_BYTES> &scalar
) NOEXCEPT {
return decaf_x448(out.data(), pk.data(), scalar.data());
}

/** Generate and return a public key; equivalent to shared_secret(base_point(),scalar)
* but possibly faster.
*/
static inline SecureBuffer generate_key(
const FixedBlock<PRIVATE_BYTES> &scalar
) throw(std::bad_alloc) {
SecureBuffer out(PUBLIC_BYTES);
decaf_x448_generate_key(out.data(), scalar.data());
return out;
}

/** Generate and return a public key into a fixed buffer;
* equivalent to shared_secret(base_point(),scalar) but possibly faster.
*/
static inline void
generate_key_noexcept (
FixedBuffer<PUBLIC_BYTES> &out,
const FixedBlock<PRIVATE_BYTES> &scalar
) NOEXCEPT {
decaf_x448_generate_key(out.data(), scalar.data());
}
};

}; /* struct Ed448Goldilocks */

/** @cond internal */
inline SecureBuffer Ed448Goldilocks::Scalar::direct_scalarmul (
const Block &in,
decaf_bool_t allow_identity,
decaf_bool_t short_circuit
) const throw(CryptoException) {
SecureBuffer out(Ed448Goldilocks::Point::SER_BYTES);
if (DECAF_SUCCESS !=
decaf_448_direct_scalarmul(out.data(), in.data(), s, allow_identity, short_circuit)
) {
throw CryptoException();
}
return out;
}
/** @endcond */

#undef NOEXCEPT
} /* namespace decaf */

#endif /* __DECAF_DECAF_448_HXX__ */

+ 139
- 0
src/GENERATED/include/decaf/ed255.h View File

@@ -0,0 +1,139 @@
/**
* @file decaf/ed255.h
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
* @brief A group of prime order p, based on Curve25519.
*
* @warning This file was automatically generated in Python.
* Please do not edit it.
*/

#ifndef __DECAF_ED255_H__
#define __DECAF_ED255_H__ 1

#include <decaf/decaf_255.h>

#ifdef __cplusplus
extern "C" {
#endif

/** Number of bytes in an EdDSA public key. */
#define DECAF_EDDSA_25519_PUBLIC_BYTES 32

/** Number of bytes in an EdDSA private key. */
#define DECAF_EDDSA_25519_PRIVATE_BYTES DECAF_EDDSA_25519_PUBLIC_BYTES

/** Number of bytes in an EdDSA private key. */
#define DECAF_EDDSA_25519_SIGNATURE_BYTES (DECAF_EDDSA_25519_PUBLIC_BYTES + DECAF_EDDSA_25519_PRIVATE_BYTES)

/** Does EdDSA support contexts? */
#define DECAF_EDDSA_25519_SUPPORTS_CONTEXTS 0

/**
* @brief EdDSA key generation. This function uses a different (non-Decaf)
* encoding.
*
* @param [out] pubkey The public key.
* @param [in] privkey The private key.
*/
void decaf_ed25519_derive_public_key (
uint8_t pubkey[DECAF_EDDSA_25519_PUBLIC_BYTES],
const uint8_t privkey[DECAF_EDDSA_25519_PRIVATE_BYTES]
) API_VIS NONNULL NOINLINE;

/**
* @brief EdDSA signing.
*
* @param [out] signature The signature.
* @param [in] privkey The private key.
* @param [in] pubkey The public key.
* @param [in] context A "context" for this signature of up to 255 bytes.
* @param [in] context_len Length of the context.
* @param [in] message The message to sign.
* @param [in] message_len The length of the message.
* @param [in] prehashed Nonzero if the message is actually the hash of something you want to sign.
*
* @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed
* messages, at least without some very careful protocol-level disambiguation. For Ed448 it is
* safe. The C++ wrapper is designed to make it harder to screw this up, but this C code gives
* you no seat belt.
*/
void decaf_ed25519_sign (
uint8_t signature[DECAF_EDDSA_25519_SIGNATURE_BYTES],
const uint8_t privkey[DECAF_EDDSA_25519_PRIVATE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_25519_PUBLIC_BYTES],
const uint8_t *message,
size_t message_len,
uint8_t prehashed
#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
, const uint8_t *context,
uint8_t context_len
#endif
) API_VIS __attribute__((nonnull(1,2,3))) NOINLINE;

/**
* @brief EdDSA signature verification.
*
* Uses the standard (i.e. less-strict) verification formula.
*
* @param [in] signature The signature.
* @param [in] pubkey The public key.
* @param [in] context A "context" for this signature of up to 255 bytes.
* @param [in] context_len Length of the context.
* @param [in] message The message to verify.
* @param [in] message_len The length of the message.
* @param [in] prehashed Nonzero if the message is actually the hash of something you want to verify.
*
* @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed
* messages, at least without some very careful protocol-level disambiguation. For Ed448 it is
* safe. The C++ wrapper is designed to make it harder to screw this up, but this C code gives
* you no seat belt.
*/
decaf_error_t decaf_ed25519_verify (
const uint8_t signature[DECAF_EDDSA_25519_SIGNATURE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_25519_PUBLIC_BYTES],
const uint8_t *message,
size_t message_len,
uint8_t prehashed
#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
, const uint8_t *context,
uint8_t context_len
#endif
) API_VIS __attribute__((nonnull(1,2))) NOINLINE;



/**
* @brief EdDSA point encoding. Used internally, exposed externally.
* Multiplies the point by the current cofactor first.
*
* @param [out] enc The encoded point.
* @param [in] p The point.
*/
void decaf_255_point_mul_by_cofactor_and_encode_like_eddsa (
uint8_t enc[DECAF_EDDSA_25519_PUBLIC_BYTES],
const decaf_255_point_t p
) API_VIS NONNULL NOINLINE;

/**
* @brief EdDSA point decoding. Remember that while points on the
* EdDSA curves have cofactor information, Decaf ignores (quotients
* out) all cofactor information.
*
* @param [out] enc The encoded point.
* @param [in] p The point.
*/
decaf_error_t decaf_255_point_decode_like_eddsa_and_ignore_cofactor (
decaf_255_point_t p,
const uint8_t enc[DECAF_EDDSA_25519_PUBLIC_BYTES]
) API_VIS NONNULL NOINLINE;

#ifdef __cplusplus
} /* extern "C" */
#endif

#endif /* __DECAF_ED255_H__ */

+ 458
- 0
src/GENERATED/include/decaf/ed255.hxx View File

@@ -0,0 +1,458 @@
/**
* @file decaf/ed255.hxx
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
*
*
* @warning This file was automatically generated in Python.
* Please do not edit it.
*/

#ifndef __DECAF_ED255_HXX__
#define __DECAF_ED255_HXX__ 1

/*
* Example Decaf cyrpto routines, C++ wrapper.
* @warning These are merely examples, though they ought to be secure. But real
* protocols will decide differently on magic numbers, formats, which items to
* hash, etc.
* @warning Experimental! The names, parameter orders etc are likely to change.
*/

#include <decaf/eddsa.hxx>
#include <decaf/decaf_255.hxx>
#include <decaf/ed255.h>

#include <decaf/shake.hxx>
#include <decaf/sha512.hxx>

/** @cond internal */
#if __cplusplus >= 201103L
#define NOEXCEPT noexcept
#else
#define NOEXCEPT throw()
#endif
/** @endcond */

namespace decaf {

/** A public key for crypto over some Group */
template <typename Group> struct EdDSA;

/** A public key for crypto over Iso-Ed25519 */
template<> struct EdDSA<IsoEd25519> {

/** @cond internal */
template<class CRTP, Prehashed> class Signing;
template<class CRTP, Prehashed> class Verification;

template<Prehashed=PURE> class PublicKeyBase;
template<Prehashed=PURE> class PrivateKeyBase;
typedef class PublicKeyBase<PURE> PublicKey, PublicKeyPure;
typedef class PublicKeyBase<PREHASHED> PublicKeyPh;
typedef class PrivateKeyBase<PURE> PrivateKey, PrivateKeyPure;
typedef class PrivateKeyBase<PREHASHED> PrivateKeyPh;

/** @endcond */

/** Prehash context for EdDSA. */
class Prehash : public SHA512 {
public:
/** Do we support contexts for signatures? If not, they must always be NULL */
static const bool SUPPORTS_CONTEXTS = DECAF_EDDSA_25519_SUPPORTS_CONTEXTS;
private:
typedef SHA512 Super;
SecureBuffer context_;
template<class T, Prehashed Ph> friend class Signing;
template<class T, Prehashed Ph> friend class Verification;
void init() throw(LengthException) {
Super::reset();
if (context_.size() > 255
|| (context_.size() != 0 && !SUPPORTS_CONTEXTS)
) {
throw LengthException();
}
if (SUPPORTS_CONTEXTS) {
const char pfx[] = "";
uint8_t dom[2] = {2, (uint8_t)context_.size() };
update((const unsigned char*)pfx,strlen(pfx));
update(dom,2);
update(context_);
}
}
public:
/** Number of output bytes in prehash */
static const size_t OUTPUT_BYTES = Super::DEFAULT_OUTPUT_BYTES;
/** Create the prehash */
Prehash(Block context = Block(NULL,0)) throw(LengthException) {
context_ = context;
init();
}

/** Reset this hash */
void reset() NOEXCEPT { init(); }
/** Output from this hash */
SecureBuffer final() throw(std::bad_alloc) {
SecureBuffer ret = Super::final(OUTPUT_BYTES);
reset();
return ret;
}
/** Output from this hash */
void final(Buffer &b) throw(LengthException) {
if (b.size() != OUTPUT_BYTES) throw LengthException();
Super::final(b);
reset();
}
};

template<class CRTP, Prehashed ph> class Signing;

template<class CRTP> class Signing<CRTP,PREHASHED> {
public:
/* Sign a prehash context, and reset the context */
inline SecureBuffer sign_prehashed ( Prehash &ph ) const /*throw(std::bad_alloc)*/ {
SecureBuffer out(CRTP::SIG_BYTES);
FixedArrayBuffer<Prehash::OUTPUT_BYTES> tmp;
ph.final(tmp);
decaf_ed25519_sign (
out.data(),
((const CRTP*)this)->priv_.data(),
((const CRTP*)this)->pub_.data(),
tmp.data(),
tmp.size(),
1
#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
, ph.context_.data(),
ph.context_.size()
#endif
);
return out;
}
/* Sign a message using the prehasher */
inline SecureBuffer sign_with_prehash (
const Block &message,
const Block &context = Block(NULL,0)
) const /*throw(LengthException,CryptoException)*/ {
Prehash ph(context);
ph += message;
return sign_prehashed(ph);
}
};

template<class CRTP> class Signing<CRTP,PURE> {
public:
/**
* Sign a message.
* @param [in] message The message to be signed.
* @param [in] context A context for the signature; must be at most 255 bytes;
* must be absent if SUPPORTS_CONTEXTS == false.
*
* @warning It is generally unsafe to use Ed25519 with both prehashed and non-prehashed messages.
*/
inline SecureBuffer sign (
const Block &message,
const Block &context = Block(NULL,0)
) const /* TODO: this exn spec tickles a Clang bug?
* throw(LengthException, std::bad_alloc)
*/ {
if (context.size() > 255
|| (context.size() != 0 && !CRTP::SUPPORTS_CONTEXTS)
) {
throw LengthException();
}
SecureBuffer out(CRTP::SIG_BYTES);
decaf_ed25519_sign (
out.data(),
((const CRTP*)this)->priv_.data(),
((const CRTP*)this)->pub_.data(),
message.data(),
message.size(),
0
#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
, context.data(),
context.size()
#endif
);
return out;
}
};


template<Prehashed ph> class PrivateKeyBase
: public Serializable<PrivateKeyBase<ph> >
, public Signing<PrivateKeyBase<ph>,ph> {
public:
typedef class PublicKeyBase<ph> MyPublicKey;
private:
/** @cond internal */
friend class PublicKeyBase<ph>;
friend class Signing<PrivateKeyBase<ph>, ph>;
/** @endcond */

/** The pre-expansion form of the signing key. */
FixedArrayBuffer<DECAF_EDDSA_25519_PRIVATE_BYTES> priv_;
/** The post-expansion public key. */
FixedArrayBuffer<DECAF_EDDSA_25519_PUBLIC_BYTES> pub_;
public:
/** Underlying group */
typedef IsoEd25519 Group;
/** Signature size. */
static const size_t SIG_BYTES = DECAF_EDDSA_25519_SIGNATURE_BYTES;
/** Serialization size. */
static const size_t SER_BYTES = DECAF_EDDSA_25519_PRIVATE_BYTES;
/** Do we support contexts for signatures? If not, they must always be NULL */
static const bool SUPPORTS_CONTEXTS = DECAF_EDDSA_25519_SUPPORTS_CONTEXTS;
/** Create but don't initialize */
inline explicit PrivateKeyBase(const NOINIT&) NOEXCEPT : priv_((NOINIT())), pub_((NOINIT())) { }
/** Read a private key from a string */
inline explicit PrivateKeyBase(const FixedBlock<SER_BYTES> &b) NOEXCEPT { *this = b; }
/** Copy constructor */
inline PrivateKeyBase(const PrivateKey &k) NOEXCEPT { *this = k; }
/** Create at random */
inline explicit PrivateKeyBase(Rng &r) NOEXCEPT : priv_(r) {
decaf_ed25519_derive_public_key(pub_.data(), priv_.data());
}
/** Assignment from string */
inline PrivateKeyBase &operator=(const FixedBlock<SER_BYTES> &b) NOEXCEPT {
memcpy(priv_.data(),b.data(),b.size());
decaf_ed25519_derive_public_key(pub_.data(), priv_.data());
return *this;
}
/** Copy assignment */
inline PrivateKeyBase &operator=(const PrivateKey &k) NOEXCEPT {
memcpy(priv_.data(),k.priv_.data(), priv_.size());
memcpy(pub_.data(),k.pub_.data(), pub_.size());
return *this;
}
/** Serialization size. */
inline size_t ser_size() const NOEXCEPT { return SER_BYTES; }
/** Serialize into a buffer. */
inline void serialize_into(unsigned char *x) const NOEXCEPT {
memcpy(x,priv_.data(), priv_.size());
}
/** Return the corresponding public key */
inline MyPublicKey pub() const NOEXCEPT {
MyPublicKey pub(*this);
return pub;
}
}; /* class PrivateKey */



template<class CRTP> class Verification<CRTP,PURE> {
public:
/** Verify a signature, returning DECAF_FAILURE if verification fails */
inline decaf_error_t WARN_UNUSED verify_noexcept (
const FixedBlock<DECAF_EDDSA_25519_SIGNATURE_BYTES> &sig,
const Block &message,
const Block &context = Block(NULL,0)
) const /*NOEXCEPT*/ {
if (context.size() > 255
|| (context.size() != 0 && !CRTP::SUPPORTS_CONTEXTS)
) {
return DECAF_FAILURE;
}
return decaf_ed25519_verify (
sig.data(),
((const CRTP*)this)->pub_.data(),
message.data(),
message.size(),
0
#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
, context.data(),
context.size()
#endif
);
}
/** Verify a signature, throwing an exception if verification fails
* @param [in] sig The signature.
* @param [in] message The signed message.
* @param [in] context A context for the signature; must be at most 255 bytes;
* must be absent if SUPPORTS_CONTEXTS == false.
*
* @warning It is generally unsafe to use Ed25519 with both prehashed and non-prehashed messages.
*/
inline void verify (
const FixedBlock<DECAF_EDDSA_25519_SIGNATURE_BYTES> &sig,
const Block &message,
const Block &context = Block(NULL,0)
) const /*throw(LengthException,CryptoException)*/ {
if (context.size() > 255
|| (context.size() != 0 && !CRTP::SUPPORTS_CONTEXTS)
) {
throw LengthException();
}
if (DECAF_SUCCESS != verify_noexcept( sig, message, context )) {
throw CryptoException();
}
}
};


template<class CRTP> class Verification<CRTP,PREHASHED> {
public:
/* Verify a prehash context, and reset the context */
inline decaf_error_t WARN_UNUSED verify_prehashed_noexcept (
const FixedBlock<DECAF_EDDSA_25519_SIGNATURE_BYTES> &sig,
Prehash &ph
) const /*NOEXCEPT*/ {
FixedArrayBuffer<Prehash::OUTPUT_BYTES> m;
ph.final(m);
return decaf_ed25519_verify (
sig.data(),
((const CRTP*)this)->pub_.data(),
m.data(),
m.size(),
1
#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
, ph.context_.data(),
ph.context_.size()
#endif
);
}
/* Verify a prehash context, and reset the context */
inline void verify_prehashed (
const FixedBlock<DECAF_EDDSA_25519_SIGNATURE_BYTES> &sig,
Prehash &ph
) const /*throw(CryptoException)*/ {
FixedArrayBuffer<Prehash::OUTPUT_BYTES> m;
ph.final(m);
if (DECAF_SUCCESS != decaf_ed25519_verify (
sig.data(),
((const CRTP*)this)->pub_.data(),
m.data(),
m.size(),
1
#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
, ph.context_.data(),
ph.context_.size()
#endif
)) {
throw CryptoException();
}
}
/* Verify a message using the prehasher */
inline void verify_with_prehash (
const FixedBlock<DECAF_EDDSA_25519_SIGNATURE_BYTES> &sig,
const Block &message,
const Block &context = Block(NULL,0)
) const /*throw(LengthException,CryptoException)*/ {
Prehash ph(context);
ph += message;
verify_prehashed(sig,ph);
}
};



template<Prehashed ph> class PublicKeyBase
: public Serializable<PublicKeyBase<ph> >
, public Verification<PublicKeyBase<ph>,ph> {
public:
typedef class PrivateKeyBase<ph> MyPrivateKey;
private:
/** @cond internal */
friend class PrivateKeyBase<ph>;
friend class Verification<PublicKeyBase<ph>, ph>;
/** @endcond */


private:
/** The pre-expansion form of the signature */
FixedArrayBuffer<DECAF_EDDSA_25519_PUBLIC_BYTES> pub_;
public:
/* PERF FUTURE: Pre-cached decoding? Precomputed table?? */
/** Underlying group */
typedef IsoEd25519 Group;
/** Signature size. */
static const size_t SIG_BYTES = DECAF_EDDSA_25519_SIGNATURE_BYTES;
/** Serialization size. */
static const size_t SER_BYTES = DECAF_EDDSA_25519_PRIVATE_BYTES;
/** Do we support contexts for signatures? If not, they must always be NULL */
static const bool SUPPORTS_CONTEXTS = DECAF_EDDSA_25519_SUPPORTS_CONTEXTS;
/** Create but don't initialize */
inline explicit PublicKeyBase(const NOINIT&) NOEXCEPT : pub_((NOINIT())) { }
/** Read a private key from a string */
inline explicit PublicKeyBase(const FixedBlock<SER_BYTES> &b) NOEXCEPT { *this = b; }
/** Copy constructor */
inline PublicKeyBase(const PublicKeyBase &k) NOEXCEPT { *this = k; }
/** Copy constructor */
inline explicit PublicKeyBase(const MyPrivateKey &k) NOEXCEPT { *this = k; }

/** Assignment from string */
inline PublicKey &operator=(const FixedBlock<SER_BYTES> &b) NOEXCEPT {
memcpy(pub_.data(),b.data(),b.size());
return *this;
}

/** Assignment from private key */
inline PublicKey &operator=(const PublicKey &p) NOEXCEPT {
return *this = p.pub_;
}

/** Assignment from private key */
inline PublicKey &operator=(const MyPrivateKey &p) NOEXCEPT {
return *this = p.pub_;
}

/** Serialization size. */
inline size_t ser_size() const NOEXCEPT { return SER_BYTES; }
/** Serialize into a buffer. */
inline void serialize_into(unsigned char *x) const NOEXCEPT {
memcpy(x,pub_.data(), pub_.size());
}
}; /* class PublicKey */

}; /* template<> struct EdDSA<IsoEd25519> */

#undef NOEXCEPT
} /* namespace decaf */

#endif /* __DECAF_ED255_HXX__ */

+ 139
- 0
src/GENERATED/include/decaf/ed448.h View File

@@ -0,0 +1,139 @@
/**
* @file decaf/ed448.h
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
* @brief A group of prime order p, based on Ed448-Goldilocks.
*
* @warning This file was automatically generated in Python.
* Please do not edit it.
*/

#ifndef __DECAF_ED448_H__
#define __DECAF_ED448_H__ 1

#include <decaf/decaf_448.h>

#ifdef __cplusplus
extern "C" {
#endif

/** Number of bytes in an EdDSA public key. */
#define DECAF_EDDSA_448_PUBLIC_BYTES 57

/** Number of bytes in an EdDSA private key. */
#define DECAF_EDDSA_448_PRIVATE_BYTES DECAF_EDDSA_448_PUBLIC_BYTES

/** Number of bytes in an EdDSA private key. */
#define DECAF_EDDSA_448_SIGNATURE_BYTES (DECAF_EDDSA_448_PUBLIC_BYTES + DECAF_EDDSA_448_PRIVATE_BYTES)

/** Does EdDSA support contexts? */
#define DECAF_EDDSA_448_SUPPORTS_CONTEXTS 1

/**
* @brief EdDSA key generation. This function uses a different (non-Decaf)
* encoding.
*
* @param [out] pubkey The public key.
* @param [in] privkey The private key.
*/
void decaf_ed448_derive_public_key (
uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES]
) API_VIS NONNULL NOINLINE;

/**
* @brief EdDSA signing.
*
* @param [out] signature The signature.
* @param [in] privkey The private key.
* @param [in] pubkey The public key.
* @param [in] context A "context" for this signature of up to 255 bytes.
* @param [in] context_len Length of the context.
* @param [in] message The message to sign.
* @param [in] message_len The length of the message.
* @param [in] prehashed Nonzero if the message is actually the hash of something you want to sign.
*
* @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed
* messages, at least without some very careful protocol-level disambiguation. For Ed448 it is
* safe. The C++ wrapper is designed to make it harder to screw this up, but this C code gives
* you no seat belt.
*/
void decaf_ed448_sign (
uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
const uint8_t *message,
size_t message_len,
uint8_t prehashed
#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
, const uint8_t *context,
uint8_t context_len
#endif
) API_VIS __attribute__((nonnull(1,2,3))) NOINLINE;

/**
* @brief EdDSA signature verification.
*
* Uses the standard (i.e. less-strict) verification formula.
*
* @param [in] signature The signature.
* @param [in] pubkey The public key.
* @param [in] context A "context" for this signature of up to 255 bytes.
* @param [in] context_len Length of the context.
* @param [in] message The message to verify.
* @param [in] message_len The length of the message.
* @param [in] prehashed Nonzero if the message is actually the hash of something you want to verify.
*
* @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed
* messages, at least without some very careful protocol-level disambiguation. For Ed448 it is
* safe. The C++ wrapper is designed to make it harder to screw this up, but this C code gives
* you no seat belt.
*/
decaf_error_t decaf_ed448_verify (
const uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
const uint8_t *message,
size_t message_len,
uint8_t prehashed
#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
, const uint8_t *context,
uint8_t context_len
#endif
) API_VIS __attribute__((nonnull(1,2))) NOINLINE;



/**
* @brief EdDSA point encoding. Used internally, exposed externally.
* Multiplies the point by the current cofactor first.
*
* @param [out] enc The encoded point.
* @param [in] p The point.
*/
void decaf_448_point_mul_by_cofactor_and_encode_like_eddsa (
uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES],
const decaf_448_point_t p
) API_VIS NONNULL NOINLINE;

/**
* @brief EdDSA point decoding. Remember that while points on the
* EdDSA curves have cofactor information, Decaf ignores (quotients
* out) all cofactor information.
*
* @param [out] enc The encoded point.
* @param [in] p The point.
*/
decaf_error_t decaf_448_point_decode_like_eddsa_and_ignore_cofactor (
decaf_448_point_t p,
const uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES]
) API_VIS NONNULL NOINLINE;

#ifdef __cplusplus
} /* extern "C" */
#endif

#endif /* __DECAF_ED448_H__ */

+ 460
- 0
src/GENERATED/include/decaf/ed448.hxx View File

@@ -0,0 +1,460 @@
/**
* @file decaf/ed448.hxx
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
*
*
* @warning This file was automatically generated in Python.
* Please do not edit it.
*/

#ifndef __DECAF_ED448_HXX__
#define __DECAF_ED448_HXX__ 1

/*
* Example Decaf cyrpto routines, C++ wrapper.
* @warning These are merely examples, though they ought to be secure. But real
* protocols will decide differently on magic numbers, formats, which items to
* hash, etc.
* @warning Experimental! The names, parameter orders etc are likely to change.
*/

#include <decaf/eddsa.hxx>
#include <decaf/decaf_448.hxx>
#include <decaf/ed448.h>

#include <decaf/shake.hxx>
#include <decaf/sha512.hxx>

/** @cond internal */
#if __cplusplus >= 201103L
#define NOEXCEPT noexcept
#else
#define NOEXCEPT throw()
#endif
/** @endcond */

namespace decaf {

/** A public key for crypto over some Group */
template <typename Group> struct EdDSA;

/** A public key for crypto over Ed448-Goldilocks */
template<> struct EdDSA<Ed448Goldilocks> {

/** @cond internal */
template<class CRTP, Prehashed> class Signing;
template<class CRTP, Prehashed> class Verification;

class PublicKeyBase;
class PrivateKeyBase;
typedef class PrivateKeyBase PrivateKey, PrivateKeyPure, PrivateKeyPh;
typedef class PublicKeyBase PublicKey, PublicKeyPure, PublicKeyPh;
/** @endcond */

/** Prehash context for EdDSA. */
class Prehash : public SHAKE<256> {
public:
/** Do we support contexts for signatures? If not, they must always be NULL */
static const bool SUPPORTS_CONTEXTS = DECAF_EDDSA_448_SUPPORTS_CONTEXTS;
private:
typedef SHAKE<256> Super;
SecureBuffer context_;
template<class T, Prehashed Ph> friend class Signing;
template<class T, Prehashed Ph> friend class Verification;
void init() throw(LengthException) {
Super::reset();
if (context_.size() > 255
|| (context_.size() != 0 && !SUPPORTS_CONTEXTS)
) {
throw LengthException();
}
if (SUPPORTS_CONTEXTS) {
const char pfx[] = "SigEd448";
uint8_t dom[2] = {2, (uint8_t)context_.size() };
update((const unsigned char*)pfx,strlen(pfx));
update(dom,2);
update(context_);
}
}
public:
/** Number of output bytes in prehash */
static const size_t OUTPUT_BYTES = Super::DEFAULT_OUTPUT_BYTES;
/** Create the prehash */
Prehash(Block context = Block(NULL,0)) throw(LengthException) {
context_ = context;
init();
}

/** Reset this hash */
void reset() NOEXCEPT { init(); }
/** Output from this hash */
SecureBuffer final() throw(std::bad_alloc) {
SecureBuffer ret = Super::final(OUTPUT_BYTES);
reset();
return ret;
}
/** Output from this hash */
void final(Buffer &b) throw(LengthException) {
if (b.size() != OUTPUT_BYTES) throw LengthException();
Super::final(b);
reset();
}
};

template<class CRTP, Prehashed ph> class Signing;

template<class CRTP> class Signing<CRTP,PREHASHED> {
public:
/* Sign a prehash context, and reset the context */
inline SecureBuffer sign_prehashed ( Prehash &ph ) const /*throw(std::bad_alloc)*/ {
SecureBuffer out(CRTP::SIG_BYTES);
FixedArrayBuffer<Prehash::OUTPUT_BYTES> tmp;
ph.final(tmp);
decaf_ed448_sign (
out.data(),
((const CRTP*)this)->priv_.data(),
((const CRTP*)this)->pub_.data(),
tmp.data(),
tmp.size(),
1
#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
, ph.context_.data(),
ph.context_.size()
#endif
);
return out;
}
/* Sign a message using the prehasher */
inline SecureBuffer sign_with_prehash (
const Block &message,
const Block &context = Block(NULL,0)
) const /*throw(LengthException,CryptoException)*/ {
Prehash ph(context);
ph += message;
return sign_prehashed(ph);
}
};

template<class CRTP> class Signing<CRTP,PURE> {
public:
/**
* Sign a message.
* @param [in] message The message to be signed.
* @param [in] context A context for the signature; must be at most 255 bytes;
* must be absent if SUPPORTS_CONTEXTS == false.
*
* @warning It is generally unsafe to use Ed25519 with both prehashed and non-prehashed messages.
*/
inline SecureBuffer sign (
const Block &message,
const Block &context = Block(NULL,0)
) const /* TODO: this exn spec tickles a Clang bug?
* throw(LengthException, std::bad_alloc)
*/ {
if (context.size() > 255
|| (context.size() != 0 && !CRTP::SUPPORTS_CONTEXTS)
) {
throw LengthException();
}
SecureBuffer out(CRTP::SIG_BYTES);
decaf_ed448_sign (
out.data(),
((const CRTP*)this)->priv_.data(),
((const CRTP*)this)->pub_.data(),
message.data(),
message.size(),
0
#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
, context.data(),
context.size()
#endif
);
return out;
}
};


class PrivateKeyBase
: public Serializable<PrivateKeyBase>
, public Signing<PrivateKeyBase,PURE>
, public Signing<PrivateKeyBase,PREHASHED> {
public:
typedef class PublicKeyBase MyPublicKey;
private:
/** @cond internal */
friend class PublicKeyBase;
friend class Signing<PrivateKey,PURE>;
friend class Signing<PrivateKey,PREHASHED>;
/** @endcond */

/** The pre-expansion form of the signing key. */
FixedArrayBuffer<DECAF_EDDSA_448_PRIVATE_BYTES> priv_;
/** The post-expansion public key. */
FixedArrayBuffer<DECAF_EDDSA_448_PUBLIC_BYTES> pub_;
public:
/** Underlying group */
typedef Ed448Goldilocks Group;
/** Signature size. */
static const size_t SIG_BYTES = DECAF_EDDSA_448_SIGNATURE_BYTES;
/** Serialization size. */
static const size_t SER_BYTES = DECAF_EDDSA_448_PRIVATE_BYTES;
/** Do we support contexts for signatures? If not, they must always be NULL */
static const bool SUPPORTS_CONTEXTS = DECAF_EDDSA_448_SUPPORTS_CONTEXTS;
/** Create but don't initialize */
inline explicit PrivateKeyBase(const NOINIT&) NOEXCEPT : priv_((NOINIT())), pub_((NOINIT())) { }
/** Read a private key from a string */
inline explicit PrivateKeyBase(const FixedBlock<SER_BYTES> &b) NOEXCEPT { *this = b; }
/** Copy constructor */
inline PrivateKeyBase(const PrivateKey &k) NOEXCEPT { *this = k; }
/** Create at random */
inline explicit PrivateKeyBase(Rng &r) NOEXCEPT : priv_(r) {
decaf_ed448_derive_public_key(pub_.data(), priv_.data());
}
/** Assignment from string */
inline PrivateKeyBase &operator=(const FixedBlock<SER_BYTES> &b) NOEXCEPT {
memcpy(priv_.data(),b.data(),b.size());
decaf_ed448_derive_public_key(pub_.data(), priv_.data());
return *this;
}
/** Copy assignment */
inline PrivateKeyBase &operator=(const PrivateKey &k) NOEXCEPT {
memcpy(priv_.data(),k.priv_.data(), priv_.size());
memcpy(pub_.data(),k.pub_.data(), pub_.size());
return *this;
}
/** Serialization size. */
inline size_t ser_size() const NOEXCEPT { return SER_BYTES; }
/** Serialize into a buffer. */
inline void serialize_into(unsigned char *x) const NOEXCEPT {
memcpy(x,priv_.data(), priv_.size());
}
/** Return the corresponding public key */
inline MyPublicKey pub() const NOEXCEPT {
MyPublicKey pub(*this);
return pub;
}
}; /* class PrivateKey */



template<class CRTP> class Verification<CRTP,PURE> {
public:
/** Verify a signature, returning DECAF_FAILURE if verification fails */
inline decaf_error_t WARN_UNUSED verify_noexcept (
const FixedBlock<DECAF_EDDSA_448_SIGNATURE_BYTES> &sig,
const Block &message,
const Block &context = Block(NULL,0)
) const /*NOEXCEPT*/ {
if (context.size() > 255
|| (context.size() != 0 && !CRTP::SUPPORTS_CONTEXTS)
) {
return DECAF_FAILURE;
}
return decaf_ed448_verify (
sig.data(),
((const CRTP*)this)->pub_.data(),
message.data(),
message.size(),
0
#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
, context.data(),
context.size()
#endif
);
}
/** Verify a signature, throwing an exception if verification fails
* @param [in] sig The signature.
* @param [in] message The signed message.
* @param [in] context A context for the signature; must be at most 255 bytes;
* must be absent if SUPPORTS_CONTEXTS == false.
*
* @warning It is generally unsafe to use Ed25519 with both prehashed and non-prehashed messages.
*/
inline void verify (
const FixedBlock<DECAF_EDDSA_448_SIGNATURE_BYTES> &sig,
const Block &message,
const Block &context = Block(NULL,0)
) const /*throw(LengthException,CryptoException)*/ {
if (context.size() > 255
|| (context.size() != 0 && !CRTP::SUPPORTS_CONTEXTS)
) {
throw LengthException();
}
if (DECAF_SUCCESS != verify_noexcept( sig, message, context )) {
throw CryptoException();
}
}
};


template<class CRTP> class Verification<CRTP,PREHASHED> {
public:
/* Verify a prehash context, and reset the context */
inline decaf_error_t WARN_UNUSED verify_prehashed_noexcept (
const FixedBlock<DECAF_EDDSA_448_SIGNATURE_BYTES> &sig,
Prehash &ph
) const /*NOEXCEPT*/ {
FixedArrayBuffer<Prehash::OUTPUT_BYTES> m;
ph.final(m);
return decaf_ed448_verify (
sig.data(),
((const CRTP*)this)->pub_.data(),
m.data(),
m.size(),
1
#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
, ph.context_.data(),
ph.context_.size()
#endif
);
}
/* Verify a prehash context, and reset the context */
inline void verify_prehashed (
const FixedBlock<DECAF_EDDSA_448_SIGNATURE_BYTES> &sig,
Prehash &ph
) const /*throw(CryptoException)*/ {
FixedArrayBuffer<Prehash::OUTPUT_BYTES> m;
ph.final(m);
if (DECAF_SUCCESS != decaf_ed448_verify (
sig.data(),
((const CRTP*)this)->pub_.data(),
m.data(),
m.size(),
1
#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
, ph.context_.data(),
ph.context_.size()
#endif
)) {
throw CryptoException();
}
}
/* Verify a message using the prehasher */
inline void verify_with_prehash (
const FixedBlock<DECAF_EDDSA_448_SIGNATURE_BYTES> &sig,
const Block &message,
const Block &context = Block(NULL,0)
) const /*throw(LengthException,CryptoException)*/ {
Prehash ph(context);
ph += message;
verify_prehashed(sig,ph);
}
};



class PublicKeyBase
: public Serializable<PublicKeyBase>
, public Verification<PublicKeyBase,PURE>
, public Verification<PublicKeyBase,PREHASHED> {
public:
typedef class PrivateKeyBase MyPrivateKey;
private:
/** @cond internal */
friend class PrivateKeyBase;
friend class Verification<PublicKey,PURE>;
friend class Verification<PublicKey,PREHASHED>;
/** @endcond */


private:
/** The pre-expansion form of the signature */
FixedArrayBuffer<DECAF_EDDSA_448_PUBLIC_BYTES> pub_;
public:
/* PERF FUTURE: Pre-cached decoding? Precomputed table?? */
/** Underlying group */
typedef Ed448Goldilocks Group;
/** Signature size. */
static const size_t SIG_BYTES = DECAF_EDDSA_448_SIGNATURE_BYTES;
/** Serialization size. */
static const size_t SER_BYTES = DECAF_EDDSA_448_PRIVATE_BYTES;
/** Do we support contexts for signatures? If not, they must always be NULL */
static const bool SUPPORTS_CONTEXTS = DECAF_EDDSA_448_SUPPORTS_CONTEXTS;
/** Create but don't initialize */
inline explicit PublicKeyBase(const NOINIT&) NOEXCEPT : pub_((NOINIT())) { }
/** Read a private key from a string */
inline explicit PublicKeyBase(const FixedBlock<SER_BYTES> &b) NOEXCEPT { *this = b; }
/** Copy constructor */
inline PublicKeyBase(const PublicKeyBase &k) NOEXCEPT { *this = k; }
/** Copy constructor */
inline explicit PublicKeyBase(const MyPrivateKey &k) NOEXCEPT { *this = k; }

/** Assignment from string */
inline PublicKey &operator=(const FixedBlock<SER_BYTES> &b) NOEXCEPT {
memcpy(pub_.data(),b.data(),b.size());
return *this;
}

/** Assignment from private key */
inline PublicKey &operator=(const PublicKey &p) NOEXCEPT {
return *this = p.pub_;
}

/** Assignment from private key */
inline PublicKey &operator=(const MyPrivateKey &p) NOEXCEPT {
return *this = p.pub_;
}

/** Serialization size. */
inline size_t ser_size() const NOEXCEPT { return SER_BYTES; }
/** Serialize into a buffer. */
inline void serialize_into(unsigned char *x) const NOEXCEPT {
memcpy(x,pub_.data(), pub_.size());
}
}; /* class PublicKey */

}; /* template<> struct EdDSA<Ed448Goldilocks> */

#undef NOEXCEPT
} /* namespace decaf */

#endif /* __DECAF_ED448_HXX__ */

+ 22
- 0
src/GENERATED/include/decaf/eddsa.hxx View File

@@ -0,0 +1,22 @@
/**
* @file decaf/eddsa.hxx
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
* EdDSA crypto routines, metaheader.
*
* @warning This file was automatically generated in Python.
* Please do not edit it.
*/

#ifndef __DECAF_EDDSA_HXX__
#define __DECAF_EDDSA_HXX__ 1

namespace decaf { enum Prehashed { PURE, PREHASHED }; }
#include <decaf/ed255.hxx>
#include <decaf/ed448.hxx>

#endif /* __DECAF_EDDSA_HXX__ */

+ 492
- 0
src/GENERATED/include/decaf/secure_buffer.hxx View File

@@ -0,0 +1,492 @@
/**
* @file decaf/secure_buffer.hxx
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
* @brief C++ self-zeroizing buffer.
*/
#ifndef __DECAF_SECURE_BUFFER_HXX__
#define __DECAF_SECURE_BUFFER_HXX__ 1

#include <string>
#include <sys/types.h>
#include <stdio.h>
#include <vector>
#include <stdexcept>
#include <cstddef>
#include <limits>

/** @cond internal */
#if __cplusplus >= 201103L
#define NOEXCEPT noexcept
#define DELETE = delete
#else
#define NOEXCEPT throw()
#define DELETE
#endif
/** @endcond */

namespace decaf {

/**
* Securely zeroize contents of memory.
*/
static inline void really_bzero(void *data, size_t size) { decaf_bzero(data,size); }

/** @brief An allocator which zeros its memory on free */
template<typename T, size_t alignment = 0> class SanitizingAllocator {
/** @cond internal */
/* Based on http://www.codeproject.com/Articles/4795/C-Standard-Allocator-An-Introduction-and-Implement */
public:
typedef T value_type;
typedef T* pointer;
typedef const T* const_pointer;
typedef T& reference;
typedef const T& const_reference;
typedef size_t size_type;
typedef std::ptrdiff_t difference_type;
template<typename U> struct rebind { typedef SanitizingAllocator<U> other; };
inline SanitizingAllocator() NOEXCEPT {}
inline ~SanitizingAllocator() NOEXCEPT {}
inline SanitizingAllocator(const SanitizingAllocator &) NOEXCEPT {}
template<typename U, size_t a> inline SanitizingAllocator(const SanitizingAllocator<U, a> &) NOEXCEPT {}
inline T* address(T& r) const NOEXCEPT { return &r; }
inline const T* address(const T& r) const NOEXCEPT { return &r; }
inline T* allocate (
size_type cnt,
typename std::allocator<void>::const_pointer = 0
) throw(std::bad_alloc);
inline void deallocate(T* p, size_t size) NOEXCEPT;
inline size_t max_size() const NOEXCEPT { return std::numeric_limits<size_t>::max() / sizeof(T); }
inline void construct(T* p, const T& t) { new(p) T(t); }
inline void destroy(T* p) { p->~T(); }
inline bool operator==(SanitizingAllocator const&) const NOEXCEPT { return true; }
inline bool operator!=(SanitizingAllocator const&) const NOEXCEPT { return false; }
/** @endcond */
};

/** A variant of std::vector which securely zerozes its state when destructed. */
typedef std::vector<unsigned char, SanitizingAllocator<unsigned char, 0> > SecureBuffer;

/** Constant-time compare two buffers */
template<class T,class U, class V, class W>
inline bool memeq(const std::vector<T,U> &a, const std::vector<V,W> &b) {
if (a.size() != b.size()) return false;
return decaf_memeq(a.data(),b.data(),a.size());
}

/** Base class of objects which support serialization */
template<class Base> class Serializable {
public:
/** @brief Return the number of bytes needed to serialize this object */
inline size_t ser_size() const NOEXCEPT { return static_cast<const Base*>(this)->ser_size(); }
/** @brief Serialize this object into a buffer */
inline void serialize_into(unsigned char *buf) const NOEXCEPT {
static_cast<const Base*>(this)->serialize_into(buf);
}
/** @brief Serialize this object into a SecureBuffer and return it */
inline SecureBuffer serialize() const throw(std::bad_alloc) {
SecureBuffer out(ser_size());
serialize_into(out.data());
return out;
}
/** Cast operator */
#if __cplusplus >= 201103L
explicit inline operator SecureBuffer() const throw(std::bad_alloc) {
return serialize();
}
#endif
};

/**@cond internal*/
class Buffer;
/**@endcond*/
/** @brief An exception for when crypto (ie point decode) has failed. */
class CryptoException : public std::exception {
public:
/** @return "CryptoException" */
virtual const char * what() const NOEXCEPT { return "CryptoException"; }
};

/** @brief An exception for when crypto (ie point decode) has failed. */
class LengthException : public std::exception {
public:
/** @return "CryptoException" */
virtual const char * what() const NOEXCEPT { return "LengthException"; }
};

/** @brief Passed to constructors to avoid (conservative) initialization */
struct NOINIT {};

/** @brief Prototype of a random number generator.
* FUTURE: Are the noexcept methods really noexcept? What about self-reseeding RNGs?
*/
class Rng {
protected:
/** Empty initializer */
Rng() {}
/** Not copyable */
Rng(const Rng &) DELETE;
/** Not copyable */
Rng &operator=(const Rng &) DELETE;
public:
/** @brief Read into a Buffer */
virtual void read(Buffer buffer) NOEXCEPT = 0;

/** @brief Read into a SecureBuffer. */
inline SecureBuffer read(size_t length) throw(std::bad_alloc);
};


/** A reference to a block of data, which (when accessed through this base class) is const. */
class Block {
protected:
/** @cond internal */
unsigned char *data_;
size_t size_;
const bool zero_on_destroy_;
/** @endcond */

public:
/** Null initialization */
inline Block() : data_(NULL), size_(0), zero_on_destroy_(false) {}
/** Init from C string */
inline Block(const char *data) NOEXCEPT : data_((unsigned char *)data),
size_(strlen(data)), zero_on_destroy_(false) {}

/** Unowned init */
inline Block(const unsigned char *data, size_t size, bool zero_on_destroy=false) NOEXCEPT : data_((unsigned char *)data),
size_(size), zero_on_destroy_(zero_on_destroy) {}
/** Block from std::string */
inline Block(const std::string &s) : data_(
#if __cplusplus >= 201103L
((unsigned char *)&(s)[0])
#else
((unsigned char *)(s.data()))
#endif
), size_(s.size()), zero_on_destroy_(false) {}
/** Block from std::vector */
template<class alloc> inline Block(const std::vector<unsigned char,alloc> &s)
: data_(((unsigned char *)&(s)[0])), size_(s.size()), zero_on_destroy_(false) {}

/** Get const data */
inline const unsigned char *data() const NOEXCEPT { return data_; }
/** Subscript */
inline const unsigned char &operator[](size_t off) const throw(std::out_of_range) {
if (off >= size()) throw(std::out_of_range("decaf::Block"));
return data_[off];
}

/** Get the size */
inline size_t size() const NOEXCEPT { return size_; }

/** Convert to C++ string */
inline std::string get_string() const {
return std::string((const char *)data_,size_);
}

/** Slice the buffer*/
inline Block slice(size_t off, size_t length) const throw(LengthException) {
if (off > size() || length > size() - off) throw LengthException();
return Block(data()+off, length);
}
/** Content-wise comparison; constant-time if they are the same length. */
inline decaf_bool_t contents_equal(const Block &b) const NOEXCEPT {
if (b.size() != size()) return false;
return decaf_memeq(b.data(),data(),size());
}
/** Create new block from this */
inline operator SecureBuffer() const throw(std::bad_alloc) {
return SecureBuffer(data_,data_+size_);
}

/** Securely set the buffer to 0. */
inline void zeroize() NOEXCEPT { really_bzero(data_,size()); }
/** Debugging print in hex */
inline void debug_print_hex(const char *name = NULL) {
if (name) printf("%s = ", name);
for (size_t s = 0; s < size(); s++) printf("%02x", data_[s]);
printf("\n");
}
private:
/** @cond internal */
inline decaf_bool_t operator>=(const Block &b) const NOEXCEPT DELETE;
inline decaf_bool_t operator<=(const Block &b) const NOEXCEPT DELETE;
inline decaf_bool_t operator> (const Block &b) const NOEXCEPT DELETE;
inline decaf_bool_t operator< (const Block &b) const NOEXCEPT DELETE;
inline void operator= (const Block &b) const NOEXCEPT DELETE;
/** @endcond */
};

/** A fixed-size block */
template<size_t Size> class FixedBlock : public Block {
public:
/** Check a block's length. */
inline FixedBlock(const Block &b) throw(LengthException) : Block(b.data(),Size) {
if (Size != b.size()) throw LengthException();
}
/** Block from std::vector */
template<class alloc> inline FixedBlock(const std::vector<unsigned char,alloc> &s) : Block(s) {
if (Size != s.size()) throw LengthException();
}
/** Explicitly pass a C buffer. */
inline explicit FixedBlock(const uint8_t data[Size]) NOEXCEPT : Block(data,Size) {}
};

/** A reference to a writable block of data */
class Buffer : public Block {
public:
/** Null init */
inline Buffer() NOEXCEPT : Block() {}

/** Unowned init */
inline Buffer(unsigned char *data, size_t size, bool zero_on_destroy=false) NOEXCEPT : Block(data,size,zero_on_destroy) {}
/** Block from std::vector */
template<class alloc> inline Buffer(std::vector<unsigned char,alloc> &s) : Block(s) {}

/** Get const data */
inline const unsigned char *data() const NOEXCEPT { return data_; }

/** Cast to unsigned char */
inline unsigned char* data() NOEXCEPT { return data_; }

/** Slice the buffer*/
inline Buffer slice(size_t off, size_t length) throw(LengthException);
/** Subscript */
inline unsigned char &operator[](size_t off) throw(std::out_of_range) {
if (off >= size()) throw(std::out_of_range("decaf::Buffer"));
return data_[off];
}
/** Copy from another block */
inline void assign(const Block b) throw(LengthException) {
if (b.size() != size()) throw LengthException();
memmove(data(),b.data(),size());
}
private:
/** @cond internal */
inline void operator= (const Block &b) const NOEXCEPT DELETE;
/** @endcond */
};


/** A fixed-size block */
template<size_t Size> class FixedBuffer : public Buffer {
public:
/** Check a block's length. */
inline FixedBuffer(Buffer b) throw(LengthException) : Buffer(b) {
if (Size != b.size()) throw LengthException();
}
/** Check a block's length. */
inline FixedBuffer(SecureBuffer &b) throw(LengthException) : Buffer(b) {
if (Size != b.size()) throw LengthException();
}
/** Explicitly pass a C buffer. */
inline explicit FixedBuffer(uint8_t dat[Size],bool zero_on_destroy = false) NOEXCEPT : Buffer(dat,Size,zero_on_destroy) {}
/** Cast to a FixedBlock. */
inline operator FixedBlock<Size>() const NOEXCEPT {
return FixedBlock<Size>(data());
}
private:
/** @cond internal */
inline void operator= (const Block &b) const NOEXCEPT DELETE;
/** @endcond */
};

/** A fixed-size stack-allocated buffer (for NOEXCEPT semantics) */
template<size_t Size> class FixedArrayBuffer : public FixedBuffer<Size> {
private:
uint8_t storage[Size];
public:
using Buffer::zeroize;
/** New buffer initialized to zero. */
inline explicit FixedArrayBuffer() NOEXCEPT : FixedBuffer<Size>(storage,true) { memset(storage,0,Size); }

/** New uninitialized buffer. */
inline explicit FixedArrayBuffer(const NOINIT &) NOEXCEPT : FixedBuffer<Size>(storage,true) { }
/** New random buffer */
inline explicit FixedArrayBuffer(Rng &r) NOEXCEPT : FixedBuffer<Size>(storage,true) { r.read(*this); }
/** Copy constructor */
inline explicit FixedArrayBuffer(const FixedBlock<Size> &b) NOEXCEPT : FixedBuffer<Size>(storage,true) {
memcpy(storage,b.data(),Size);
}
/** Copy operator */
inline FixedArrayBuffer& operator=(const FixedBlock<Size> &b) NOEXCEPT {
memcpy(storage,b.data(),Size); return *this;
}
/** Copy operator */
inline FixedArrayBuffer& operator=(const FixedArrayBuffer<Size> &b) NOEXCEPT {
memcpy(storage,b.data(),Size); return *this;
}
/** Copy operator */
inline FixedArrayBuffer& operator=(const Block &b) throw(LengthException) {
*this = FixedBlock<Size>(b);
}
/** Copy constructor */
inline explicit FixedArrayBuffer(const Block &b) throw(LengthException) : FixedBuffer<Size>(storage,true) {
if (b.size() != Size) throw LengthException();
memcpy(storage,b.data(),Size);
}
/** Copy constructor */
inline explicit FixedArrayBuffer(const FixedArrayBuffer<Size> &b) NOEXCEPT : FixedBuffer<Size>(storage,true) {
memcpy(storage,b.data(),Size);
}
/** Destroy the buffer */
~FixedArrayBuffer() NOEXCEPT { zeroize(); }
};

/** @cond internal */
Buffer Buffer::slice(size_t off, size_t length) throw(LengthException) {
if (off > size() || length > size() - off) throw LengthException();
return Buffer(data()+off, length);
}

inline SecureBuffer Rng::read(size_t length) throw(std::bad_alloc) {
SecureBuffer out(length); read(out); return out;
}
/** @endcond */

/** @cond internal */
/** A secure buffer which stores an owned or unowned underlying value.
* If it is owned, it will be securely zeroed.
*/
template <class T, class Wrapped>
class OwnedOrUnowned {
protected:
union {
Wrapped *mine;
const Wrapped *yours;
} ours;
bool is_mine;

inline void clear() NOEXCEPT {
if (is_mine) {
really_bzero(ours.mine, T::size());
free(ours.mine);
ours.yours = T::default_value();
is_mine = false;
}
}
inline void alloc() throw(std::bad_alloc) {
if (is_mine) return;
int ret = posix_memalign((void**)&ours.mine, T::alignment(), T::size());
if (ret || !ours.mine) {
is_mine = false;
throw std::bad_alloc();
}
is_mine = true;
}
inline const Wrapped *get() const NOEXCEPT { return is_mine ? ours.mine : ours.yours; }

inline OwnedOrUnowned(
const Wrapped &yours = *T::default_value()
) NOEXCEPT {
ours.yours = &yours;
is_mine = false;
}

/**
* @brief Assign. This may require an allocation and memcpy.
*/
inline T &operator=(const OwnedOrUnowned &it) throw(std::bad_alloc) {
if (this == &it) return *(T*)this;
if (it.is_mine) {
alloc();
memcpy(ours.mine,it.ours.mine,T::size());
} else {
clear();
ours.yours = it.ours.yours;
}
is_mine = it.is_mine;
return *(T*)this;
}

#if __cplusplus >= 201103L
inline T &operator=(OwnedOrUnowned &&it) NOEXCEPT {
if (this == &it) return *(T*)this;
clear();
ours = it.ours;
is_mine = it.is_mine;
it.is_mine = false;
it.ours.yours = T::default_value;
return *this;
}
#endif
};
/** @endcond */

/*******************************************/
/* Inline implementations below this point */
/*******************************************/

/** @cond internal */
template<typename T, size_t alignment>
T* SanitizingAllocator<T,alignment>::allocate (
size_type cnt,
typename std::allocator<void>::const_pointer
) throw(std::bad_alloc) {
void *v;
int ret = 0;
if (alignment) ret = posix_memalign(&v, alignment, cnt * sizeof(T));
else v = malloc(cnt * sizeof(T));
if (ret || v==NULL) throw(std::bad_alloc());
return reinterpret_cast<T*>(v);
}

template<typename T, size_t alignment>
void SanitizingAllocator<T,alignment>::deallocate(T* p, size_t size) NOEXCEPT {
if (p==NULL) return;
really_bzero(reinterpret_cast<void*>(p), size);
free(reinterpret_cast<void*>(p));
}

/** @endcond */

} /* namespace decaf */


#undef NOEXCEPT
#undef DELETE

#endif /* __DECAF_SECURE_BUFFER_HXX__ */

+ 53
- 0
src/GENERATED/include/decaf/sha512.h View File

@@ -0,0 +1,53 @@
/**
* @file decaf/shake.h
* @copyright Public domain.
* @author Mike Hamburg
* @brief SHA2-512
*/

#ifndef __SHA512_H__
#define __SHA512_H__

#include <stdint.h>
#include <sys/types.h>
#include <stdlib.h> /* for NULL */

#include <decaf/common.h>

#ifdef __cplusplus
extern "C" {
#endif

typedef struct decaf_sha512_ctx_s {
uint64_t state[8];
uint8_t block[128];
uint64_t bytes_processed;
} decaf_sha512_ctx_s, decaf_sha512_ctx_t[1];

void decaf_sha512_init(decaf_sha512_ctx_t ctx) NONNULL API_VIS;
void decaf_sha512_update(decaf_sha512_ctx_t ctx, const uint8_t *message, size_t length) NONNULL API_VIS;
void decaf_sha512_final(decaf_sha512_ctx_t ctx, uint8_t *out, size_t length) NONNULL API_VIS;

static inline void decaf_sha512_destroy(decaf_sha512_ctx_t ctx) {
decaf_bzero(ctx,sizeof(*ctx));
}

static inline void decaf_sha512_hash(
uint8_t *output,
size_t output_len,
const uint8_t *message,
size_t message_len
) {
decaf_sha512_ctx_t ctx;
decaf_sha512_init(ctx);
decaf_sha512_update(ctx,message,message_len);
decaf_sha512_final(ctx,output,output_len);
decaf_sha512_destroy(ctx);
}

#ifdef __cplusplus
} /* extern "C" */
#endif
#endif /* __SHA512_H__ */

+ 103
- 0
src/GENERATED/include/decaf/sha512.hxx View File

@@ -0,0 +1,103 @@
/**
* @file decaf/sha512.hxx
* @copyright
* Based on public domain code by Dan Bernstein \n
* Copyright (c) 2015 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
* @author Mike Hamburg
* @brief SHA512 instance, C++ wrapper.
*/

#ifndef __DECAF_SHA512_HXX__
#define __DECAF_SHA512_HXX__

#include <decaf/secure_buffer.hxx>
#include <decaf/sha512.h>
#include <sys/types.h>

/** @cond internal */
#if __cplusplus >= 201103L
#define NOEXCEPT noexcept
#else
#define NOEXCEPT throw()
#endif
/** @endcond */

namespace decaf {
/** SHA512 wrapper function */
class SHA512 {
protected:
/** @cond internal */
/** The C-wrapper sponge state */
decaf_sha512_ctx_t sha;

public:
/** Number of bytes ouf output */
static const size_t OUTPUT_BYTES = 64;
/** Number of bytes of output */
static const size_t MAX_OUTPUT_BYTES = OUTPUT_BYTES;
/** Default number of bytes to output */
static const size_t DEFAULT_OUTPUT_BYTES = OUTPUT_BYTES;
/** Constructor */
inline SHA512() NOEXCEPT { decaf_sha512_init(sha); }
/** Add more data to running hash */
inline void update(const uint8_t *__restrict__ in, size_t len) NOEXCEPT { decaf_sha512_update(sha,in,len); }

/** Add more data to running hash, C++ version. */
inline void update(const Block &s) NOEXCEPT { update(s.data(),s.size()); }

/** Add more data, stream version. */
inline SHA512 &operator<<(const Block &s) { update(s); return *this; }

/** Same as <<. */
inline SHA512 &operator+=(const Block &s) { return *this << s; }
/** @brief Output bytes from the SHA context, and resets it. */
inline void final(Buffer b) throw(LengthException) {
if (b.size() > OUTPUT_BYTES) throw LengthException();
decaf_sha512_final(sha,b.data(),b.size());
}
/** Resets the SHA context */
inline void reset() NOEXCEPT { decaf_sha512_init(sha); }

/** @brief Output bytes from the sponge. */
inline SecureBuffer final(size_t len = OUTPUT_BYTES) throw(LengthException) {
if (len > OUTPUT_BYTES) throw LengthException();
SecureBuffer buffer(len);
decaf_sha512_final(sha,buffer.data(),len);
return buffer;
}

/** @brief Return the sponge's default output size. */
inline size_t default_output_size() const NOEXCEPT { return OUTPUT_BYTES; }

/** @brief Return the sponge's maximum output size. */
inline size_t max_output_size() const NOEXCEPT { return MAX_OUTPUT_BYTES; }

/** @brief Hash a message in one pass */
static inline SecureBuffer hash (
const Block &message,
size_t outlen = OUTPUT_BYTES
) throw(LengthException, std::bad_alloc) {
if (outlen > OUTPUT_BYTES) throw LengthException();
SecureBuffer buffer(outlen);
decaf_sha512_hash(buffer.data(),outlen,message.data(),message.size());
return buffer;
}

/** Destructor zeroizes state */
inline ~SHA512() NOEXCEPT { decaf_sha512_destroy(sha); }
};
} /* namespace decaf */

#undef NOEXCEPT

#endif /* __DECAF_SHA512_HXX__ */

+ 210
- 0
src/GENERATED/include/decaf/shake.h View File

@@ -0,0 +1,210 @@
/**
* @file decaf/shake.h
* @copyright
* Based on CC0 code by David Leon Gil, 2015 \n
* Copyright (c) 2015 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
* @author Mike Hamburg
* @brief SHA-3-n and DECAF_SHAKE-n instances.
*/

#ifndef __DECAF_SHAKE_H__
#define __DECAF_SHAKE_H__

#include <stdint.h>
#include <sys/types.h>
#include <stdlib.h> /* for NULL */

#include <decaf/common.h>

#ifdef __cplusplus
extern "C" {
#endif

#ifndef INTERNAL_SPONGE_STRUCT
/** Sponge container object for the various primitives. */
typedef struct decaf_keccak_sponge_s {
/** @cond internal */
uint64_t opaque[26];
/** @endcond */
} decaf_keccak_sponge_s;

/** Convenience GMP-style one-element array version */
typedef struct decaf_keccak_sponge_s decaf_keccak_sponge_t[1];

/** Parameters for sponge construction, distinguishing DECAF_SHA3 and
* DECAF_SHAKE instances.
*/
struct decaf_kparams_s;
#endif

/**
* @brief Initialize a sponge context object.
* @param [out] sponge The object to initialize.
* @param [in] params The sponge's parameter description.
*/
void decaf_sponge_init (
decaf_keccak_sponge_t sponge,
const struct decaf_kparams_s *params
) API_VIS;

/**
* @brief Absorb data into a DECAF_SHA3 or DECAF_SHAKE hash context.
* @param [inout] sponge The context.
* @param [in] in The input data.
* @param [in] len The input data's length in bytes.
*/
void decaf_sha3_update (
struct decaf_keccak_sponge_s * __restrict__ sponge,
const uint8_t *in,
size_t len
) API_VIS;

/**
* @brief Squeeze output data from a DECAF_SHA3 or DECAF_SHAKE hash context.
* This does not destroy or re-initialize the hash context, and
* decaf_sha3 output can be called more times.
*
* @param [inout] sponge The context.
* @param [out] out The output data.
* @param [in] len The requested output data length in bytes.
* @return DECAF_FAILURE if the sponge has exhausted its output capacity.
* @return DECAF_SUCCESS otherwise.
*/
decaf_error_t decaf_sha3_output (
decaf_keccak_sponge_t sponge,
uint8_t * __restrict__ out,
size_t len
) API_VIS;

/**
* @brief Squeeze output data from a DECAF_SHA3 or DECAF_SHAKE hash context.
* This re-initializes the context to its starting parameters.
*
* @param [inout] sponge The context.
* @param [out] out The output data.
* @param [in] len The requested output data length in bytes.
*/
decaf_error_t decaf_sha3_final (
decaf_keccak_sponge_t sponge,
uint8_t * __restrict__ out,
size_t len
) API_VIS;

/**
* @brief Reset the sponge to the empty string.
*
* @param [inout] sponge The context.
*/
void decaf_sha3_reset (
decaf_keccak_sponge_t sponge
) API_VIS;

/**
* @brief Return the default output length of the sponge construction,
* for the purpose of C++ default operators.
*
* Returns n/8 for DECAF_SHA3-n and 2n/8 for DECAF_SHAKE-n.
*/
size_t decaf_sponge_default_output_bytes (
const decaf_keccak_sponge_t sponge /**< [inout] The context. */
) API_VIS;

/**
* @brief Return the default output length of the sponge construction,
* for the purpose of C++ default operators.
*
* Returns n/8 for DECAF_SHA3-n and SIZE_MAX for DECAF_SHAKE-n.
*/
size_t decaf_sponge_max_output_bytes (
const decaf_keccak_sponge_t sponge /**< [inout] The context. */
) API_VIS;

/**
* @brief Destroy a DECAF_SHA3 or DECAF_SHAKE sponge context by overwriting it with 0.
* @param [out] sponge The context.
*/
void decaf_sponge_destroy (
decaf_keccak_sponge_t sponge
) API_VIS;

/**
* @brief Hash (in) to (out)
* @param [in] in The input data.
* @param [in] inlen The length of the input data.
* @param [out] out A buffer for the output data.
* @param [in] outlen The length of the output data.
* @param [in] params The parameters of the sponge hash.
*/
void decaf_sponge_hash (
const uint8_t *in,
size_t inlen,
uint8_t *out,
size_t outlen,
const struct decaf_kparams_s *params
) API_VIS;

/* FUTURE: expand/doxygenate individual DECAF_SHAKE/DECAF_SHA3 instances? */

/** @cond internal */
#define DEC_SHAKE(n) \
extern const struct decaf_kparams_s DECAF_SHAKE##n##_params_s API_VIS; \
typedef struct decaf_shake##n##_ctx_s { decaf_keccak_sponge_t s; } decaf_shake##n##_ctx_t[1]; \
static inline void NONNULL decaf_shake##n##_init(decaf_shake##n##_ctx_t sponge) { \
decaf_sponge_init(sponge->s, &DECAF_SHAKE##n##_params_s); \
} \
static inline void NONNULL decaf_shake##n##_gen_init(decaf_keccak_sponge_t sponge) { \
decaf_sponge_init(sponge, &DECAF_SHAKE##n##_params_s); \
} \
static inline void NONNULL decaf_shake##n##_update(decaf_shake##n##_ctx_t sponge, const uint8_t *in, size_t inlen ) { \
decaf_sha3_update(sponge->s, in, inlen); \
} \
static inline void NONNULL decaf_shake##n##_final(decaf_shake##n##_ctx_t sponge, uint8_t *out, size_t outlen ) { \
decaf_sha3_output(sponge->s, out, outlen); \
decaf_sponge_init(sponge->s, &DECAF_SHAKE##n##_params_s); \
} \
static inline void NONNULL decaf_shake##n##_hash(uint8_t *out, size_t outlen, const uint8_t *in, size_t inlen) { \
decaf_sponge_hash(in,inlen,out,outlen,&DECAF_SHAKE##n##_params_s); \
} \
static inline void NONNULL decaf_shake##n##_destroy( decaf_shake##n##_ctx_t sponge ) { \
decaf_sponge_destroy(sponge->s); \
}

#define DEC_SHA3(n) \
extern const struct decaf_kparams_s DECAF_SHA3_##n##_params_s API_VIS; \
typedef struct decaf_sha3_##n##_ctx_s { decaf_keccak_sponge_t s; } decaf_sha3_##n##_ctx_t[1]; \
static inline void NONNULL decaf_sha3_##n##_init(decaf_sha3_##n##_ctx_t sponge) { \
decaf_sponge_init(sponge->s, &DECAF_SHA3_##n##_params_s); \
} \
static inline void NONNULL decaf_sha3_##n##_gen_init(decaf_keccak_sponge_t sponge) { \
decaf_sponge_init(sponge, &DECAF_SHA3_##n##_params_s); \
} \
static inline void NONNULL decaf_sha3_##n##_update(decaf_sha3_##n##_ctx_t sponge, const uint8_t *in, size_t inlen ) { \
decaf_sha3_update(sponge->s, in, inlen); \
} \
static inline void NONNULL decaf_sha3_##n##_final(decaf_sha3_##n##_ctx_t sponge, uint8_t *out, size_t outlen ) { \
decaf_sha3_output(sponge->s, out, outlen); \
decaf_sponge_init(sponge->s, &DECAF_SHA3_##n##_params_s); \
} \
static inline void NONNULL decaf_sha3_##n##_hash(uint8_t *out, size_t outlen, const uint8_t *in, size_t inlen) { \
decaf_sponge_hash(in,inlen,out,outlen,&DECAF_SHA3_##n##_params_s); \
} \
static inline void NONNULL decaf_sha3_##n##_destroy(decaf_sha3_##n##_ctx_t sponge) { \
decaf_sponge_destroy(sponge->s); \
}
/** @endcond */

DEC_SHAKE(128)
DEC_SHAKE(256)
DEC_SHA3(224)
DEC_SHA3(256)
DEC_SHA3(384)
DEC_SHA3(512)
#undef DEC_SHAKE
#undef DEC_SHA3

#ifdef __cplusplus
} /* extern "C" */
#endif
#endif /* __DECAF_SHAKE_H__ */

+ 190
- 0
src/GENERATED/include/decaf/shake.hxx View File

@@ -0,0 +1,190 @@
/**
* @file decaf/shake.hxx
* @copyright
* Based on CC0 code by David Leon Gil, 2015 \n
* Copyright (c) 2015 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
* @author Mike Hamburg
* @brief SHA-3-n and SHAKE-n instances, C++ wrapper.
*/

#ifndef __DECAF_SHAKE_HXX__
#define __DECAF_SHAKE_HXX__

#include <decaf/shake.h>
#include <decaf/secure_buffer.hxx>
#include <sys/types.h>

/** @cond internal */
#if __cplusplus >= 201103L
#define NOEXCEPT noexcept
#define DELETE = delete
#else
#define NOEXCEPT throw()
#define DELETE
#endif
/** @endcond */

namespace decaf {

/**
* Hash function derived from Keccak
* FUTURE: throw ProtocolException when hash is misused by calling update() after output().
*/
class KeccakHash {
protected:
/** @cond internal */
/** The C-wrapper sponge state */
decaf_keccak_sponge_t sp;
/** Initialize from parameters */
inline KeccakHash(const decaf_kparams_s *params) NOEXCEPT { decaf_sponge_init(sp, params); }
/** @endcond */
public:
/** Add more data to running hash */
inline void update(const uint8_t *__restrict__ in, size_t len) NOEXCEPT { decaf_sha3_update(sp,in,len); }

/** Add more data to running hash, C++ version. */
inline void update(const Block &s) NOEXCEPT { decaf_sha3_update(sp,s.data(),s.size()); }
/** Add more data, stream version. */
inline KeccakHash &operator<<(const Block &s) NOEXCEPT { update(s); return *this; }
/** Same as <<. */
inline KeccakHash &operator+=(const Block &s) NOEXCEPT { return *this << s; }
/** @brief Output bytes from the sponge. */
inline SecureBuffer output(size_t len) throw(std::bad_alloc, LengthException) {
if (len > max_output_size()) throw LengthException();
SecureBuffer buffer(len);
if (DECAF_SUCCESS != decaf_sha3_output(sp,buffer.data(),len)) {
throw LengthException();
}
return buffer;
}
/** @brief Output bytes from the sponge. */
inline SecureBuffer final(size_t len) throw(std::bad_alloc, LengthException) {
if (len > max_output_size()) throw LengthException();
SecureBuffer buffer(len);
if (DECAF_SUCCESS != decaf_sha3_final(sp,buffer.data(),len)) {
throw LengthException();
}
return buffer;
}

/** @brief Output bytes from the sponge. Throw LengthException if you've
* output too many bytes from a SHA-3 instance.
*/
inline void output(Buffer b) throw(LengthException) {
if (DECAF_SUCCESS != decaf_sha3_output(sp,b.data(),b.size())) {
throw LengthException();
}
}
/** @brief Output bytes from the sponge and reinitialize it. Throw
* LengthException if you've output too many bytes from a SHA3 instance.
*/
inline void final(Buffer b) throw(LengthException) {
if (DECAF_SUCCESS != decaf_sha3_final(sp,b.data(),b.size())) {
throw LengthException();
}
}
/** @brief Return the sponge's default output size. */
inline size_t default_output_size() const NOEXCEPT {
return decaf_sponge_default_output_bytes(sp);
}
/** @brief Return the sponge's maximum output size. */
inline size_t max_output_size() const NOEXCEPT {
return decaf_sponge_max_output_bytes(sp);
}
/** Output the default number of bytes. */
inline SecureBuffer output() throw(std::bad_alloc,LengthException) {
return output(default_output_size());
}
/** Output the default number of bytes, and reset hash. */
inline SecureBuffer final() throw(std::bad_alloc,LengthException) {
return final(default_output_size());
}

/** Reset the hash to the empty string */
inline void reset() NOEXCEPT { decaf_sha3_reset(sp); }
/** Destructor zeroizes state */
inline ~KeccakHash() NOEXCEPT { decaf_sponge_destroy(sp); }
};

/** Fixed-output-length SHA3 */
template<int bits> class SHA3 : public KeccakHash {
private:
/** Get the parameter template block for this hash */
static inline const struct decaf_kparams_s *get_params();
public:
/** Number of bytes of output */
static const size_t MAX_OUTPUT_BYTES = bits/8;
/** Number of bytes of output */
static const size_t DEFAULT_OUTPUT_BYTES = bits/8;
/** Initializer */
inline SHA3() NOEXCEPT : KeccakHash(get_params()) {}

/** Hash bytes with this SHA3 instance.
* @throw LengthException if nbytes > MAX_OUTPUT_BYTES
*/
static inline SecureBuffer hash(const Block &b, size_t nbytes = MAX_OUTPUT_BYTES) throw(std::bad_alloc, LengthException) {
if (nbytes > MAX_OUTPUT_BYTES) {
throw LengthException();
}
SHA3 s; s += b; return s.output(nbytes);
}
};

/** Variable-output-length SHAKE */
template<int bits>
class SHAKE : public KeccakHash {
private:
/** Get the parameter template block for this hash */
static inline const struct decaf_kparams_s *get_params();
public:
/** Number of bytes of output */
#if __cplusplus >= 201103L
static const size_t MAX_OUTPUT_BYTES = SIZE_MAX;
#else
static const size_t MAX_OUTPUT_BYTES = (size_t)-1;
#endif

/** Default number of bytes to output */
static const size_t DEFAULT_OUTPUT_BYTES = bits/4;
/** Initializer */
inline SHAKE() NOEXCEPT : KeccakHash(get_params()) {}
/** Hash bytes with this SHAKE instance */
static inline SecureBuffer hash(const Block &b, size_t outlen) throw(std::bad_alloc) {
SHAKE s; s += b; return s.output(outlen);
}
};

/** @cond internal */
template<> inline const struct decaf_kparams_s *SHAKE<128>::get_params() { return &DECAF_SHAKE128_params_s; }
template<> inline const struct decaf_kparams_s *SHAKE<256>::get_params() { return &DECAF_SHAKE256_params_s; }
template<> inline const struct decaf_kparams_s *SHA3<224>::get_params() { return &DECAF_SHA3_224_params_s; }
template<> inline const struct decaf_kparams_s *SHA3<256>::get_params() { return &DECAF_SHA3_256_params_s; }
template<> inline const struct decaf_kparams_s *SHA3<384>::get_params() { return &DECAF_SHA3_384_params_s; }
template<> inline const struct decaf_kparams_s *SHA3<512>::get_params() { return &DECAF_SHA3_512_params_s; }
/** @endcond */
} /* namespace decaf */

#undef NOEXCEPT
#undef DELETE

#endif /* __DECAF_SHAKE_HXX__ */

+ 93
- 0
src/GENERATED/include/decaf/spongerng.h View File

@@ -0,0 +1,93 @@
/**
* @file decaf/spongerng.h
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
* @author Mike Hamburg
* @brief Sponge-based RNGs.
* @warning This construction isn't final. In particular,
* the outputs of deterministic RNGs from this mechanism might change in future versions.
*/

#ifndef __DECAF_SPONGERNG_H__
#define __DECAF_SPONGERNG_H__

#include <decaf/shake.h>

#ifdef __cplusplus
extern "C" {
#endif
/** Keccak CSPRNG structure as struct. */
typedef struct {
decaf_keccak_sponge_t sponge; /**< Internal sponge object. */
} decaf_keccak_prng_s;
/** Keccak CSPRNG structure as one-element array */
typedef decaf_keccak_prng_s decaf_keccak_prng_t[1];
/** Initialize a sponge-based CSPRNG from a buffer. */
void decaf_spongerng_init_from_buffer (
decaf_keccak_prng_t prng, /**< [out] The PRNG object. */
const uint8_t *__restrict__ in, /**< [in] The initialization data. */
size_t len, /**< [in] The length of the initialization data. */
int deterministic /**< [in] If zero, allow RNG to stir in nondeterministic data from RDRAND or RDTSC.*/
) NONNULL API_VIS;
/**
* @brief Initialize a sponge-based CSPRNG from a file.
* @retval DECAF_SUCCESS success.
* @retval DECAF_FAILURE failure.
* @note On failure, errno can be used to determine the cause.
*/
decaf_error_t decaf_spongerng_init_from_file (
decaf_keccak_prng_t prng, /**< [out] The PRNG object. */
const char *file, /**< [in] A name of a file containing initial data. */
size_t len, /**< [in] The length of the initial data. Must be positive. */
int deterministic /**< [in] If zero, allow RNG to stir in nondeterministic data from RDRAND or RDTSC. */
) NONNULL API_VIS WARN_UNUSED;

/**
* @brief Initialize a nondeterministic sponge-based CSPRNG from /dev/urandom.
* @retval DECAF_SUCCESS success.
* @retval DECAF_FAILURE failure.
* @note On failure, errno can be used to determine the cause.
*/
decaf_error_t decaf_spongerng_init_from_dev_urandom (
decaf_keccak_prng_t prng /**< [out] sponge The sponge object. */
) API_VIS WARN_UNUSED;

/** Output bytes from a sponge-based CSPRNG. */
void decaf_spongerng_next (
decaf_keccak_prng_t prng, /**< [inout] The PRNG object. */
uint8_t * __restrict__ out, /**< [out] Output buffer. */
size_t len /**< [in] Number of bytes to output. */
) API_VIS;

/** Stir entropy data into a sponge-based CSPRNG from a buffer. */
void decaf_spongerng_stir (
decaf_keccak_prng_t prng, /**< [out] The PRNG object. */
const uint8_t * __restrict__ in, /**< [in] The entropy data. */
size_t len /**< [in] The length of the initial data. */
) NONNULL API_VIS;
/** Securely destroy a sponge RNG object by overwriting it. */
static INLINE UNUSED void
decaf_spongerng_destroy (
decaf_keccak_prng_t doomed /**< [in] The object to destroy. */
);

/** @cond internal */
/***************************************/
/* Implementations of inline functions */
/***************************************/
void decaf_spongerng_destroy (decaf_keccak_prng_t doomed) {
decaf_sponge_destroy(doomed->sponge);
}
/** @endcond */ /* internal */

#ifdef __cplusplus
} /* extern "C" */
#endif

#endif /* __DECAF_SPONGERNG_H__ */

+ 104
- 0
src/GENERATED/include/decaf/spongerng.hxx View File

@@ -0,0 +1,104 @@


/**
* @file decaf/strobe.hxx
* @copyright
* Based on CC0 code by David Leon Gil, 2015 \n
* Copyright (c) 2015 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
* @author Mike Hamburg
* @brief Sponge RNG instances, C++ wrapper.
* @warning The guts of this are subject to change. Please don't implement
* anything that depends on the deterministic RNG being stable across versions
* of this library.
*/

#ifndef __DECAF_SPONGERNG_HXX__
#define __DECAF_SPONGERNG_HXX__

#include <decaf/spongerng.h>

#include <string>
#include <sys/types.h>
#include <errno.h>

/** @cond internal */
#if __cplusplus >= 201103L
#define NOEXCEPT noexcept
#define DELETE = delete
#else
#define NOEXCEPT throw()
#define DELETE
#endif
/** @endcond */

namespace decaf {

/** Sponge-based random-number generator */
class SpongeRng : public Rng {
private:
/** C wrapped object */
decaf_keccak_prng_t sp;
public:
/** Deterministic flag.
* The idea is that DETERMINISTIC is used for testing or for lockstep computations,
* and NONDETERMINISTIC is used in production.
*/
enum Deterministic { RANDOM = 0, DETERMINISTIC = 1 };
/** Exception thrown when The RNG fails (to seed itself) */
class RngException : public std::exception {
private:
/** @cond internal */
const char *const what_;
/** @endcond */
public:
const int err_code; /**< errno that caused the reseed to fail. */
const char *what() const NOEXCEPT { return what_; } /**< Description of exception. */
RngException(int err_code, const char *what_) NOEXCEPT : what_(what_), err_code(err_code) {} /**< Construct */
};
/** Initialize, deterministically by default, from block */
inline SpongeRng( const Block &in, Deterministic det ) {
decaf_spongerng_init_from_buffer(sp,in.data(),in.size(),(int)det);
}
/** Initialize, non-deterministically by default, from C/C++ filename */
inline SpongeRng( const std::string &in = "/dev/urandom", size_t len = 32, Deterministic det = RANDOM )
throw(RngException) {
decaf_error_t ret = decaf_spongerng_init_from_file(sp,in.c_str(),len,det);
if (!decaf_successful(ret)) {
throw RngException(errno, "Couldn't load from file");
}
}
/** Stir in new data */
inline void stir( const Block &data ) NOEXCEPT {
decaf_spongerng_stir(sp,data.data(),data.size());
}
/** Securely destroy by overwriting state. */
inline ~SpongeRng() NOEXCEPT { decaf_spongerng_destroy(sp); }
using Rng::read;
/** Read data to a buffer. */
virtual inline void read(Buffer buffer) NOEXCEPT
#if __cplusplus >= 201103L
final
#endif
{ decaf_spongerng_next(sp,buffer.data(),buffer.size()); }
private:
SpongeRng(const SpongeRng &) DELETE;
SpongeRng &operator=(const SpongeRng &) DELETE;
};
/**@endcond*/
} /* namespace decaf */

#undef NOEXCEPT
#undef DELETE

#endif /* __DECAF_SPONGERNG_HXX__ */

+ 341
- 0
src/GENERATED/include/decaf/strobe.h View File

@@ -0,0 +1,341 @@
/**
* @file decaf/strobe.h
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
* @author Mike Hamburg
* @brief STROBE experimental protocol framework.
* @warning EXPERIMENTAL! The names, parameter orders etc are likely to change.
*/

#ifndef __DECAF_STROBE_H__
#define __DECAF_STROBE_H__

#include <decaf/shake.h>

#ifdef __cplusplus
extern "C" {
#endif
/** Keccak STROBE structure as struct. */
typedef struct {
decaf_keccak_sponge_t sponge; /**< Internal sponge object. */
} keccak_strobe_s;
/** Keccak STROBE structure as one-element array */
typedef keccak_strobe_s keccak_strobe_t[1];

/** STROBE parameters, 128-bit estimated security for hashing and encryption */
extern const struct decaf_kparams_s STROBE_128 API_VIS;

/** STROBE parameters, 256-bit estimated security for hashing and encryption */
extern const struct decaf_kparams_s STROBE_256 API_VIS;

/** STROBE parameters, 128-bit estimated security for encryption only (not hashing) */
extern const struct decaf_kparams_s STROBE_KEYED_128 API_VIS;

/** STROBE parameters, 256-bit estimated security for encryption only (not hashing) */
extern const struct decaf_kparams_s STROBE_KEYED_256 API_VIS;


/** Initialize Strobe protocol context. */
void strobe_init (
keccak_strobe_t strobe, /**< [out] The uninitialized strobe object. */
const struct decaf_kparams_s *params, /**< [in] Parameter set descriptor. */
const char *proto, /**< [in] Unique identifier for the protocol. TODO: define namespaces for this */
uint8_t am_client /**< [in] Nonzero if this party. */
) NONNULL API_VIS;

/** Run a transaction against a STROBE state. */
void strobe_transact (
keccak_strobe_t strobe, /**< [inout] The initialized STROBE object. */
unsigned char *out, /**< [out] The output. */
const unsigned char *in, /**< [in] The input. */
size_t len, /**< [in] The length of the input/output. */
uint32_t cw_flags /**< [in] The control word with flags. */
) __attribute__((nonnull(1))) API_VIS;

/** Record a message sent in plaintext */
static INLINE UNUSED NONNULL void strobe_plaintext (
keccak_strobe_t strobe, /**< [inout] The STROBE object */
const unsigned char *in, /**< [in] The message. */
uint16_t len, /**< [in] The length of the message. */
uint8_t iSent /**< [in] If nonzero, I sent the message. */
);

/** Report authenticated data in strobe context. */
static INLINE UNUSED NONNULL void
strobe_ad (
keccak_strobe_t strobe, /**< [inout] The strobe object. */
const unsigned char *in, /**< [in] The plaintext. */
size_t len /**< [in] The length of the ad. */
);

/** Set nonce in strobe context. */
static INLINE UNUSED NONNULL void
strobe_nonce (
keccak_strobe_t strobe, /**< [inout] The initialized strobe object. */
const unsigned char *in, /**< [in] The nonce. */
uint16_t len /**< [in] The length of the nonce. */
);

/** Set fixed key in strobe context. */
static INLINE UNUSED NONNULL void
strobe_fixed_key (
keccak_strobe_t strobe, /**< [inout] The initialized strobe object. */
const unsigned char *in, /**< [in] The key. */
uint16_t len /**< [in] The length of the key. */
);

/** Set Diffie-Hellman key in strobe context. */
static INLINE UNUSED NONNULL void
strobe_dh_key (
keccak_strobe_t strobe, /**< [inout] The initialized strobe object. */
const unsigned char *in, /**< [in] The key. */
uint16_t len /**< [in] The length of the key. */
);

/** The maximum number of bytes that strobe_produce_auth can spit out. */
#define STROBE_MAX_AUTH_BYTES 32
/** Produce an authenticator. */
static INLINE UNUSED NONNULL void
strobe_produce_auth (
keccak_strobe_t strobe, /**< [inout] The Strobe protocol context. */
unsigned char *out, /**< [out] The authenticator. */
uint16_t len /**< [in] The length, at most STROBE_MAX_AUTH_BYTES. */
);

/**
* @brief Verify an authenticator.
* @retval DECAF_SUCCESS The operation applied successfully.
* @retval DECAF_FAILURE The operation failed because of a
* bad validator (or because you aren't keyed)
*/
decaf_error_t strobe_verify_auth (
keccak_strobe_t strobe, /**< [inout] The Strobe protocol context */
const unsigned char *in, /**< [in] The authenticator */
uint16_t len /**< [in] The length, at most STROBE_MAX_AUTH_BYTES. */
) WARN_UNUSED NONNULL API_VIS;

/**
* @brief Encrypt bytes from in to out.
* @warning Doesn't produce an auth tag.
*/
static INLINE UNUSED NONNULL void
strobe_encrypt (
keccak_strobe_t strobe, /**< [inout] strobe The Strobe protocol context. */
unsigned char *out, /**< [out] The ciphertext. */
const unsigned char *in, /**< [in] The plaintext. */
uint16_t len /**< [in] The length of plaintext and ciphertext. */
);

/**
* Decrypt bytes from in to out.
* @warning Doesn't check an auth tag.
*/
static INLINE UNUSED NONNULL void
strobe_decrypt (
keccak_strobe_t strobe, /**< [inout] The Strobe protocol context. */
unsigned char *out, /**< [out] The plaintext. */
const unsigned char *in, /**< [in] The ciphertext. */
uint16_t len /**< [in] The length of plaintext and ciphertext. */
);

/**
* @brief Produce a session-bound pseudorandom value.
*
* @warning This "prng" value is NOT suitable for
* refreshing forward secrecy! It's to replace things
* like TCP session hash.
*/
static inline void NONNULL strobe_prng (
keccak_strobe_t strobe, /**< [inout] The Strobe protocol context */
unsigned char *out, /**< [out] The output random data. */
uint16_t len /**< The length. */
);

/** Respecify Strobe protocol object's crypto. */
void strobe_respec (
keccak_strobe_t strobe, /**< [inout] The initialized strobe context. */
const struct decaf_kparams_s *params /**< [in] Strobe parameter descriptor. */
) NONNULL API_VIS;

/** Securely destroy a STROBE object by overwriting it. */
static INLINE UNUSED NONNULL void
strobe_destroy (
keccak_strobe_t doomed /**< [in] The object to destroy. */
);

/** @cond internal */

/************************************************************************/
/* Declarations of various constants and operating modes, for extension */
/************************************************************************/

/** STROBE modes of operation */
typedef enum {
STROBE_MODE_ABSORB = 0,
STROBE_MODE_DUPLEX = 1,
STROBE_MODE_ABSORB_R = 2,
STROBE_MODE_DUPLEX_R = 3,
/* FIXME: no bits allocated in .py version */
STROBE_MODE_PLAINTEXT = 4,
STROBE_MODE_SQUEEZE = 5,
STROBE_MODE_FORGET = 6,
STROBE_MODE_SQUEEZE_R = 7
} strobe_mode_t;

#define STROBE_FLAG_CLIENT_SENT (1<<8) /**< Set if the client this message. */
#define STROBE_FLAG_IMPLICIT (1<<9) /**< Set if nobody set this message. */
#define STROBE_FLAG_FORGET (1<<12) /**< After this operation, destroy bytes to prevent rollback. */
/* TODO: maybe just make STROBE heavy non-invertible? */
#define STROBE_FLAG_NO_LENGTH (1<<15) /**< This operation has an unknown length (for streaming). */

/* After 1<<16, flags don't go to the sponge anymore, they just affect the handling */
#define STROBE_FLAG_RECV (1<<16) /**< I received this packet, so reverse directions. */
#define STROBE_FLAG_RUN_F (1<<17) /**< Must run F between control word and data. */
#define STROBE_FLAG_MORE (1<<18) /**< Set for all operations in an unknown-length streaming operation after the first */
#define STROBE_FLAG_LENGTH_64 (1<<19) /**< Length is a 64-bit word instead of a 16-bit one. */
#define STROBE_FLAG_NONDIR (STROBE_FLAG_IMPLICIT)

/** Automatic flags implied by the mode */
/* NB: SQUEEZE_R is treated as directional because its' MAC.
* can of course override by orring in IMPLICIT|NONDIR
*/
#define STROBE_AUTO_FLAGS(_mode) \
( (((_mode)&1) ? STROBE_FLAG_RUN_F : 0) \
| (( ((_mode) & ~2) == STROBE_MODE_ABSORB \
|| (_mode) == STROBE_MODE_SQUEEZE \
|| (_mode) == STROBE_MODE_FORGET \
) ? STROBE_FLAG_IMPLICIT|STROBE_FLAG_NONDIR : 0) \
)

/**@ Define a control word for STROBE protocols. */
#define STROBE_CONTROL_WORD(_name,_id,_mode,_flags) \
static const uint32_t _name = _id | (_mode<<10) | (_mode<<29) | _flags | STROBE_AUTO_FLAGS(_mode)

STROBE_CONTROL_WORD(STROBE_CW_INIT, 0x00, STROBE_MODE_ABSORB, 0); /**< Initialization with protocol name */
/* Ciphers */
STROBE_CONTROL_WORD(STROBE_CW_FIXED_KEY, 0x10, STROBE_MODE_ABSORB, 0); /**< Fixed symmetric/preshared key */
STROBE_CONTROL_WORD(STROBE_CW_STATIC_PUB, 0x11, STROBE_MODE_PLAINTEXT, 0); /**< Static public key of other party */
STROBE_CONTROL_WORD(STROBE_CW_DH_EPH, 0x12, STROBE_MODE_PLAINTEXT, 0); /**< DH ephemeral key on the wire */
STROBE_CONTROL_WORD(STROBE_CW_DH_KEY, 0x13, STROBE_MODE_ABSORB, 0); /**< DH shared secret key */
STROBE_CONTROL_WORD(STROBE_CW_PRNG, 0x18, STROBE_MODE_SQUEEZE, STROBE_FLAG_FORGET); /**< Generate random bits (for PRNG) */
STROBE_CONTROL_WORD(STROBE_CW_SESSION_HASH, 0x19, STROBE_MODE_SQUEEZE, 0); /**< Generate session hash */

/* Reuse for PRNG */
STROBE_CONTROL_WORD(STROBE_CW_PRNG_INITIAL_SEED, 0x10, STROBE_MODE_ABSORB, STROBE_FLAG_NO_LENGTH); /**< Initial seeding for PRNG */
STROBE_CONTROL_WORD(STROBE_CW_PRNG_RESEED, 0x11, STROBE_MODE_ABSORB, STROBE_FLAG_NO_LENGTH); /**< Later seeding for PRNG */
STROBE_CONTROL_WORD(STROBE_CW_PRNG_CPU_SEED, 0x12, STROBE_MODE_ABSORB, 0); /**< Seed from CPU-builin RNG */
STROBE_CONTROL_WORD(STROBE_CW_PRNG_USER_SEED, 0x13, STROBE_MODE_ABSORB, STROBE_FLAG_LENGTH_64); /**< Seed from user */
STROBE_CONTROL_WORD(STROBE_CW_PRNG_PRNG, 0x14, STROBE_MODE_SQUEEZE, STROBE_FLAG_LENGTH_64 | STROBE_FLAG_FORGET); /**< Call to generate bits */

/* Signatures */
STROBE_CONTROL_WORD(STROBE_CW_SIG_SCHEME, 0x20, STROBE_MODE_ABSORB, 0); /**< Name of the signature scheme we're using. */
STROBE_CONTROL_WORD(STROBE_CW_SIG_PK, 0x21, STROBE_MODE_ABSORB, 0); /**< Public (verification key) */
STROBE_CONTROL_WORD(STROBE_CW_SIG_EPH, 0x22, STROBE_MODE_PLAINTEXT, 0); /**< Schnorr ephemeral. */
STROBE_CONTROL_WORD(STROBE_CW_SIG_CHAL, 0x23, STROBE_MODE_SQUEEZE, 0); /**< Schnorr challenge. */
STROBE_CONTROL_WORD(STROBE_CW_SIG_RESP, 0x24, STROBE_MODE_DUPLEX, 0); /**< Schnoll response. */

/* Payloads and encrypted data */

STROBE_CONTROL_WORD(STROBE_CW_PAYLOAD_PLAINTEXT, 0x30, STROBE_MODE_PLAINTEXT, 0);
STROBE_CONTROL_WORD(STROBE_CW_PAYLOAD_CIPHERTEXT, 0x31, STROBE_MODE_DUPLEX, 0);
STROBE_CONTROL_WORD(STROBE_CW_MAC, 0x32, STROBE_MODE_SQUEEZE_R, STROBE_FLAG_FORGET);
STROBE_CONTROL_WORD(STROBE_CW_AD_EXPLICIT, 0x34, STROBE_MODE_PLAINTEXT, 0);
STROBE_CONTROL_WORD(STROBE_CW_AD_IMPLICIT, 0x35, STROBE_MODE_ABSORB, 0);
STROBE_CONTROL_WORD(STROBE_CW_NONCE_EXPLICIT, 0x36, STROBE_MODE_PLAINTEXT, 0);
STROBE_CONTROL_WORD(STROBE_CW_NONCE_IMPLICIT, 0x37, STROBE_MODE_ABSORB, 0);

STROBE_CONTROL_WORD(STROBE_CW_STREAMING_PLAINTEXT,0x30, STROBE_MODE_PLAINTEXT, STROBE_FLAG_NO_LENGTH); /* TODO: orly? */

/* Change spec, control flow, etc */
STROBE_CONTROL_WORD(STROBE_CW_COMPRESS, 0x40, STROBE_MODE_ABSORB_R, 0);
/* FIXME: adjust this respec logic */
STROBE_CONTROL_WORD(STROBE_CW_RESPEC_INFO, 0x41, STROBE_MODE_ABSORB, STROBE_FLAG_RUN_F | STROBE_FLAG_FORGET);
STROBE_CONTROL_WORD(STROBE_CW_RESPEC, 0x42, STROBE_MODE_ABSORB_R, STROBE_FLAG_RUN_F);
STROBE_CONTROL_WORD(STROBE_CW_FORK, 0x43, STROBE_MODE_ABSORB_R, STROBE_FLAG_RUN_F | STROBE_FLAG_FORGET);
/* FIXME: instance can be rolled back to recover other INSTANCEs */
STROBE_CONTROL_WORD(STROBE_CW_INSTANCE, 0x44, STROBE_MODE_ABSORB_R, STROBE_FLAG_FORGET);
STROBE_CONTROL_WORD(STROBE_CW_ACKNOWLEDGE, 0x45, STROBE_MODE_PLAINTEXT, 0);

/** Reverse a keyword because it's being received instead of sent */
static INLINE UNUSED WARN_UNUSED uint32_t
strobe_cw_recv(uint32_t cw) {
uint32_t recv_toggle = (cw & STROBE_FLAG_NONDIR) ? 0 : STROBE_FLAG_RECV;
if (cw & STROBE_FLAG_IMPLICIT) {
return cw ^ recv_toggle;
} else {
uint32_t modes_2[8] = {
/* Note: most of these really shouldn't happen... */
STROBE_MODE_ABSORB,
STROBE_MODE_DUPLEX_R,
STROBE_MODE_ABSORB_R,
STROBE_MODE_DUPLEX,
STROBE_MODE_PLAINTEXT,
STROBE_MODE_SQUEEZE,
STROBE_MODE_FORGET,
STROBE_MODE_ABSORB
};

return ((cw & ((1<<29)-1)) | (modes_2[cw>>29]<<29)) ^ recv_toggle;
}
}

/***************************************/
/* Implementations of inline functions */
/***************************************/

void strobe_plaintext(keccak_strobe_t strobe, const unsigned char *in, uint16_t len, uint8_t iSent) {
strobe_transact(
strobe, NULL, in, len,
iSent ? STROBE_CW_PAYLOAD_PLAINTEXT
: strobe_cw_recv(STROBE_CW_PAYLOAD_PLAINTEXT)
);
}

void strobe_ad(keccak_strobe_t strobe, const unsigned char *in, size_t len) {
strobe_transact( strobe, NULL, in, len, STROBE_CW_AD_EXPLICIT );
}

void strobe_nonce (keccak_strobe_t strobe, const unsigned char *in, uint16_t len) {
strobe_transact( strobe, NULL, in, len, STROBE_CW_NONCE_EXPLICIT );
}

void strobe_fixed_key (keccak_strobe_t strobe, const unsigned char *in, uint16_t len) {
strobe_transact( strobe, NULL, in, len, STROBE_CW_FIXED_KEY );
}

void strobe_dh_key (keccak_strobe_t strobe, const unsigned char *in, uint16_t len) {
strobe_transact( strobe, NULL, in, len, STROBE_CW_DH_KEY );
}

void strobe_produce_auth (keccak_strobe_t strobe, unsigned char *out, uint16_t len) {
strobe_transact( strobe, out, NULL, len, STROBE_CW_MAC );
}

void strobe_encrypt (keccak_strobe_t strobe, unsigned char *out, const unsigned char *in, uint16_t len) {
strobe_transact(strobe, out, in, len, STROBE_CW_PAYLOAD_CIPHERTEXT);
}

void strobe_decrypt(keccak_strobe_t strobe, unsigned char *out, const unsigned char *in, uint16_t len) {
strobe_transact(strobe, out, in, len, strobe_cw_recv(STROBE_CW_PAYLOAD_CIPHERTEXT));
}

void strobe_prng(keccak_strobe_t strobe, unsigned char *out, uint16_t len) {
strobe_transact( strobe, out, NULL, len, STROBE_CW_PRNG );
}

void strobe_destroy (keccak_strobe_t doomed) {
decaf_sponge_destroy(doomed->sponge);
}

/** @endcond */ /* internal */

#ifdef __cplusplus
} /* extern "C" */
#endif

#endif /* __DECAF_STROBE_H__ */

+ 239
- 0
src/GENERATED/include/decaf/strobe.hxx View File

@@ -0,0 +1,239 @@
/**
* @file decaf/strobe.hxx
* @copyright
* Based on CC0 code by David Leon Gil, 2015 \n
* Copyright (c) 2015 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
* @author Mike Hamburg
* @brief STROBE instances, C++ wrapper.
* @warning This protocol framework is entirely experimental, and shouldn't be
* relied on for anything serious yet.
*/

#ifndef __DECAF_STROBE_HXX__
#define __DECAF_STROBE_HXX__

#include <decaf/strobe.h>

#include <sys/types.h>


/** @cond internal */
#if __cplusplus >= 201103L
#define NOEXCEPT noexcept
#define DELETE = delete
#else
#define NOEXCEPT throw()
#define DELETE
#endif
/** @endcond */

namespace decaf {

/** @brief An exception for misused protocol, eg encrypt with no key. */
class ProtocolException : public std::exception {
public:
/** @return "ProtocolException" */
virtual const char * what() const NOEXCEPT { return "ProtocolException"; }
};

/** STROBE protocol framework object */
class Strobe {
public:
/** The wrapped object */
keccak_strobe_t wrapped;
/** Number of bytes in a default authentication size. */
static const uint16_t DEFAULT_AUTH_SIZE = 16;
/** Am I a server or a client? */
enum client_or_server { SERVER, CLIENT };
/** Create protocol object. */
inline Strobe (
const char *description, /**< Description of this protocol. */
client_or_server whoami, /**< Am I client or server? */
const decaf_kparams_s &params = STROBE_256 /**< Strength parameters */
) NOEXCEPT {
strobe_init(wrapped, &params, description, whoami == CLIENT);
keyed = false;
}
/** Securely destroy by overwriting state. */
inline ~Strobe() NOEXCEPT { strobe_destroy(wrapped); }

/** Stir in fixed key, from a C++ block. */
inline void fixed_key (
const Block &data /**< The key. */
) throw(ProtocolException) {
strobe_fixed_key(wrapped, data.data(), data.size());
keyed = true;
}

/** Stir in fixed key, from a serializeable object. */
template<class T> inline void fixed_key (
const Serializable<T> &data /**< The key. */
) throw(ProtocolException) {
fixed_key(data.serialize());
}

/** Stir in DH key, from a C++ block. */
inline void dh_key (
const Block &data /**< The key. */
) throw(ProtocolException) {
strobe_dh_key(wrapped, data.data(), data.size());
keyed = true;
}

/** Stir in DH key, from a serializeable object. */
template<class T> inline void dh_key (
const Serializable<T> &data /**< The key. */
) throw(ProtocolException) {
dh_key(data.serialize());
}

/** Stir in an explicit nonce. */
inline void nonce(const Block &data) NOEXCEPT {
strobe_nonce(wrapped, data.data(), data.size());
}

/** Stir in data we sent as plaintext. NB This doesn't actually send anything. */
inline void send_plaintext(const Block &data) NOEXCEPT {
strobe_plaintext(wrapped, data.data(), data.size(), true);
}

/** Stir in serializeable data we sent as plaintext. NB This doesn't actually send anything. */
template<class T> inline void send_plaintext(const Serializable<T> &data) NOEXCEPT {
send_plaintext(data.serialize());
}

/** Stir in data we received as plaintext. NB This doesn't actually receive anything. */
inline void recv_plaintext(const Block &data) NOEXCEPT {
strobe_plaintext(wrapped, data.data(), data.size(), false);
}

/** Stir in associated data. */
inline void ad(const Block &data) {
strobe_ad(wrapped, data.data(), data.size());
}

/** Stir in associated serializable data. */
template<class T> inline void ad(const Serializable<T> &data) NOEXCEPT {
ad(data.serialize());
}
/** Encrypt into a buffer, without appending authentication data */
inline void encrypt_no_auth(Buffer out, const Block &data) throw(LengthException,ProtocolException) {
if (!keyed) throw ProtocolException();
if (out.size() != data.size()) throw LengthException();
strobe_encrypt(wrapped, out.data(), data.data(), data.size());
}
/** Encrypt, without appending authentication data */
inline SecureBuffer encrypt_no_auth(const Block &data) throw(ProtocolException) {
SecureBuffer out(data.size()); encrypt_no_auth(out, data); return out;
}
/** Encrypt a serializable object, without appending authentication data */
template<class T> inline SecureBuffer encrypt_no_auth(const Serializable<T> &data) throw(ProtocolException) {
return encrypt_no_auth(data.serialize());
}
/** Decrypt into a buffer, without checking authentication data. */
inline void decrypt_no_auth(Buffer out, const Block &data) throw(LengthException,ProtocolException) {
if (!keyed) throw ProtocolException();
if (out.size() != data.size()) throw LengthException();
strobe_decrypt(wrapped, out.data(), data.data(), data.size());
}
/** Decrypt, without checking authentication data. */
inline SecureBuffer decrypt_no_auth(const Block &data) throw(ProtocolException) {
SecureBuffer out(data.size()); decrypt_no_auth(out, data); return out;
}
/** Produce an authenticator into a buffer. */
inline void produce_auth(Buffer out, bool even_though_unkeyed = false) throw(LengthException,ProtocolException) {
if (!keyed && !even_though_unkeyed) throw ProtocolException();
if (out.size() > STROBE_MAX_AUTH_BYTES) throw LengthException();
strobe_produce_auth(wrapped, out.data(), out.size());
}
/** Produce an authenticator. */
inline SecureBuffer produce_auth(uint8_t bytes = DEFAULT_AUTH_SIZE) throw(ProtocolException) {
SecureBuffer out(bytes); produce_auth(out); return out;
}
/** Encrypt into a buffer and append authentication data */
inline void encrypt(
Buffer out, const Block &data, uint8_t auth = DEFAULT_AUTH_SIZE
) throw(LengthException,ProtocolException) {
if (out.size() < data.size() || out.size() != data.size() + auth) throw LengthException();
encrypt_no_auth(out.slice(0,data.size()), data);
produce_auth(out.slice(data.size(),auth));
}
/** Encrypt and append authentication data */
inline SecureBuffer encrypt (
const Block &data, uint8_t auth = DEFAULT_AUTH_SIZE
) throw(LengthException,ProtocolException,std::bad_alloc ){
SecureBuffer out(data.size() + auth); encrypt(out, data, auth); return out;
}
/** Encrypt a serializable object and append authentication data */
template<class T> inline SecureBuffer encrypt (
const Serializable<T> &data, uint8_t auth = DEFAULT_AUTH_SIZE
) throw(LengthException,ProtocolException,std::bad_alloc ){
return encrypt(data.serialize(), auth);
}
/** Decrypt into a buffer and check authentication data */
inline void decrypt (
Buffer out, const Block &data, uint8_t bytes = DEFAULT_AUTH_SIZE
) throw(LengthException, CryptoException, ProtocolException) {
if (out.size() > data.size() || out.size() != data.size() - bytes) throw LengthException();
decrypt_no_auth(out, data.slice(0,out.size()));
verify_auth(data.slice(out.size(),bytes));
}
/** Decrypt and check authentication data */
inline SecureBuffer decrypt (
const Block &data, uint8_t bytes = DEFAULT_AUTH_SIZE
) throw(LengthException,CryptoException,ProtocolException,std::bad_alloc) {
if (data.size() < bytes) throw LengthException();
SecureBuffer out(data.size() - bytes); decrypt(out, data, bytes); return out;
}
/** Check authentication data */
inline void verify_auth(const Block &auth) throw(LengthException,CryptoException) {
if (auth.size() == 0 || auth.size() > STROBE_MAX_AUTH_BYTES) throw LengthException();
if (strobe_verify_auth(wrapped, auth.data(), auth.size()) != DECAF_SUCCESS) throw CryptoException();
}
/** Fill pseudorandom data into a buffer */
inline void prng(Buffer out) NOEXCEPT {
(void)strobe_prng(wrapped, out.data(), out.size());
}
/** Return pseudorandom data */
inline SecureBuffer prng(size_t bytes) {
SecureBuffer out(bytes); prng(out); return out;
}
/** Change specs, perhaps to a faster spec that takes advantage of being keyed.
* @warning Experimental.
*/
inline void respec(const decaf_kparams_s &params) throw(ProtocolException) {
if (!keyed) throw(ProtocolException());
strobe_respec(wrapped, &params);
}
private:
bool keyed;
};
} /* namespace decaf */

#undef NOEXCEPT
#undef DELETE

#endif /* __DECAF_STROBE_HXX__ */

src/gen_headers/curve_data.py → src/generator/curve_data.py View File


src/gen_headers/template.py → src/generator/template.py View File


Write Preview
Loading…
Cancel
Save