jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Browse Source

going to GMP-style element[1] types

master
Michael Hamburg 11 years ago
parent
942066a16d
commit
33328a1d21
20 changed files with 974 additions and 976 deletions
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +37
    -40
      src/arithmetic.c
  2. +477
    -478
      src/ec_point.c
  3. +35
    -35
      src/goldilocks.c
  4. +41
    -42
      src/include/ec_point.h
  5. +41
    -38
      src/include/field.h
  6. +1
    -1
      src/include/magic.h
  7. +2
    -2
      src/include/scalarmul.h
  8. +27
    -27
      src/p448/f_arithmetic.c
  9. +8
    -8
      src/p448/magic.c
  10. +27
    -27
      src/p480/f_arithmetic.c
  11. +6
    -6
      src/p480/magic.c
  12. +27
    -27
      src/p521/f_arithmetic.c
  13. +6
    -6
      src/p521/magic.c
  14. +35
    -35
      src/scalarmul.c
  15. +86
    -86
      test/bench.c
  16. +1
    -1
      test/test.c
  17. +1
    -1
      test/test.h
  18. +47
    -47
      test/test_arithmetic.c
  19. +24
    -24
      test/test_pointops.c
  20. +45
    -45
      test/test_scalarmul.c

+ 37
- 40
src/arithmetic.c View File

@@ -13,78 +13,75 @@

mask_t
field_eq (
const struct field_t *a,
const struct field_t *b
const field_a_t a,
const field_a_t b
) {
struct field_t ra, rb;
field_copy(&ra, a);
field_copy(&rb, b);
field_weak_reduce(&ra);
field_weak_reduce(&rb);
field_sub_RAW(&ra, &ra, &rb);
field_bias(&ra, 2);
return field_is_zero(&ra);
field_a_t ra, rb;
field_copy(ra, a);
field_copy(rb, b);
field_weak_reduce(ra);
field_weak_reduce(rb);
field_sub_RAW(ra, ra, rb);
field_bias(ra, 2);
return field_is_zero(ra);
}

void
field_inverse (
struct field_t* a,
const struct field_t* x
field_a_t a,
const field_a_t x
) {
struct field_t L0, L1;
field_isr ( &L0, x );
field_sqr ( &L1, &L0 );
field_sqr ( &L0, &L1 );
field_mul ( a, x, &L0 );
field_a_t L0, L1;
field_isr ( L0, x );
field_sqr ( L1, L0 );
field_sqr ( L0, L1 );
field_mul ( a, x, L0 );
}

mask_t
field_is_square (
const struct field_t* x
const field_a_t x
) {
mask_t L2, L3;
struct field_t L0, L1;
field_isr ( &L0, x );
field_sqr ( &L1, &L0 );
field_mul ( &L0, x, &L1 );
field_subw( &L0, 1 );
L3 = field_is_zero( &L0 );
L2 = field_is_zero( x );
return L3 | L2;
field_a_t L0, L1;
field_isr ( L0, x );
field_sqr ( L1, L0 );
field_mul ( L0, x, L1 );
field_subw( L0, 1 );
return field_is_zero( L0 ) | field_is_zero( x );
}

void
field_simultaneous_invert (
struct field_t *__restrict__ out,
const struct field_t *in,
field_a_t *__restrict__ out,
const field_a_t *in,
unsigned int n
) {
if (n==0) {
return;
} else if (n==1) {
field_inverse(out,in);
field_inverse(out[0],in[0]);
return;
}
field_copy(&out[1], &in[0]);
field_copy(out[1], in[0]);
int i;
for (i=1; i<(int) (n-1); i++) {
field_mul(&out[i+1], &out[i], &in[i]);
field_mul(out[i+1], out[i], in[i]);
}
field_mul(&out[0], &out[n-1], &in[n-1]);
field_mul(out[0], out[n-1], in[n-1]);
struct field_t tmp;
field_inverse(&tmp, &out[0]);
field_copy(&out[0], &tmp);
field_a_t tmp;
field_inverse(tmp, out[0]);
field_copy(out[0], tmp);
/* at this point, out[0] = product(in[i]) ^ -1
* out[i] = product(in[0]..in[i-1]) if i != 0
*/
for (i=n-1; i>0; i--) {
field_mul(&tmp, &out[i], &out[0]);
field_copy(&out[i], &tmp);
field_mul(tmp, out[i], out[0]);
field_copy(out[i], tmp);
field_mul(&tmp, &out[0], &in[i]);
field_copy(&out[0], &tmp);
field_mul(tmp, out[0], in[i]);
field_copy(out[0], tmp);
}
}

+ 477
- 478
src/ec_point.c
File diff suppressed because it is too large
View File


+ 35
- 35
src/goldilocks.c View File

@@ -162,7 +162,7 @@ goldilocks_derive_private_key (
struct sha512_ctx_t ctx;
struct tw_extensible_t exta;
struct field_t pk;
field_a_t pk;
sha512_init(&ctx);
sha512_update(&ctx, (const unsigned char *)"derivepk", GOLDI_DIVERSIFY_BYTES);
@@ -173,9 +173,9 @@ goldilocks_derive_private_key (
barrett_serialize(privkey->opaque, sk, GOLDI_FIELD_BYTES);

scalarmul_fixed_base(&exta, sk, GOLDI_SCALAR_BITS, &goldilocks_global.fixed_base);
untwist_and_double_and_serialize(&pk, &exta);
untwist_and_double_and_serialize(pk, &exta);
field_serialize(&privkey->opaque[GOLDI_FIELD_BYTES], &pk);
field_serialize(&privkey->opaque[GOLDI_FIELD_BYTES], pk);
return GOLDI_EOK;
}
@@ -225,11 +225,11 @@ goldilocks_private_to_public (
struct goldilocks_public_key_t *pubkey,
const struct goldilocks_private_key_t *privkey
) {
struct field_t pk;
mask_t msucc = field_deserialize(&pk,&privkey->opaque[GOLDI_FIELD_BYTES]);
field_a_t pk;
mask_t msucc = field_deserialize(pk,&privkey->opaque[GOLDI_FIELD_BYTES]);
if (msucc) {
field_serialize(pubkey->opaque, &pk);
field_serialize(pubkey->opaque, pk);
return GOLDI_EOK;
} else {
return GOLDI_ECORRUPT;
@@ -252,15 +252,15 @@ goldilocks_shared_secret_core (
assert(GOLDI_SHARED_SECRET_BYTES == SHA512_OUTPUT_BYTES);
word_t sk[GOLDI_FIELD_WORDS];
struct field_t pk;
field_a_t pk;
mask_t succ = field_deserialize(&pk,your_pubkey->opaque), msucc = -1;
mask_t succ = field_deserialize(pk,your_pubkey->opaque), msucc = -1;
#ifdef EXPERIMENT_ECDH_STIR_IN_PUBKEYS
struct field_t sum, prod;
msucc &= field_deserialize(&sum,&my_privkey->opaque[GOLDI_FIELD_BYTES]);
field_mul(&prod,&pk,&sum);
field_add(&sum,&pk,&sum);
field_a_t sum, prod;
msucc &= field_deserialize(sum,&my_privkey->opaque[GOLDI_FIELD_BYTES]);
field_mul(prod,pk,sum);
field_add(sum,pk,sum);
#endif
msucc &= barrett_deserialize(sk,my_privkey->opaque,&curve_prime_order);
@@ -269,17 +269,17 @@ goldilocks_shared_secret_core (
if (pre) {
struct tw_extensible_t tw;
succ &= scalarmul_fixed_base(&tw, sk, GOLDI_SCALAR_BITS, &pre->table);
untwist_and_double_and_serialize(&pk, &tw);
untwist_and_double_and_serialize(pk, &tw);
} else {
succ &= montgomery_ladder(&pk,&pk,sk,GOLDI_SCALAR_BITS,1);
succ &= montgomery_ladder(pk,pk,sk,GOLDI_SCALAR_BITS,1);
}
#else
(void)pre;
succ &= montgomery_ladder(&pk,&pk,sk,GOLDI_SCALAR_BITS,1);
succ &= montgomery_ladder(pk,pk,sk,GOLDI_SCALAR_BITS,1);
#endif
field_serialize(gxy,&pk);
field_serialize(gxy,pk);
/* obliterate records of our failure by adjusting with obliteration key */
struct sha512_ctx_t ctx;
@@ -300,9 +300,9 @@ goldilocks_shared_secret_core (
#ifdef EXPERIMENT_ECDH_STIR_IN_PUBKEYS
/* stir in the sum and product of the pubkeys. */
uint8_t a_pk[GOLDI_FIELD_BYTES];
field_serialize(a_pk, &sum);
field_serialize(a_pk, sum);
sha512_update(&ctx, a_pk, GOLDI_FIELD_BYTES);
field_serialize(a_pk, &prod);
field_serialize(a_pk, prod);
sha512_update(&ctx, a_pk, GOLDI_FIELD_BYTES);
#endif
@@ -383,11 +383,11 @@ goldilocks_sign (
/* 4[nonce]G */
uint8_t signature_tmp[GOLDI_FIELD_BYTES];
struct tw_extensible_t exta;
struct field_t gsk;
field_a_t gsk;
scalarmul_fixed_base(&exta, tk, GOLDI_SCALAR_BITS, &goldilocks_global.fixed_base);
double_tw_extensible(&exta);
untwist_and_double_and_serialize(&gsk, &exta);
field_serialize(signature_tmp, &gsk);
untwist_and_double_and_serialize(gsk, &exta);
field_serialize(signature_tmp, gsk);
word_t challenge[GOLDI_FIELD_WORDS];
goldilocks_derive_challenge (
@@ -437,10 +437,10 @@ goldilocks_verify (
return GOLDI_EUNINIT;
}
struct field_t pk;
field_a_t pk;
word_t s[GOLDI_FIELD_WORDS];
mask_t succ = field_deserialize(&pk,pubkey->opaque);
mask_t succ = field_deserialize(pk,pubkey->opaque);
if (!succ) return GOLDI_EINVAL;
succ = barrett_deserialize(s, &signature[GOLDI_FIELD_BYTES], &curve_prime_order);
@@ -449,14 +449,14 @@ goldilocks_verify (
word_t challenge[GOLDI_FIELD_WORDS];
goldilocks_derive_challenge(challenge, pubkey->opaque, signature, message, message_len);
struct field_t eph;
field_a_t eph;
struct tw_extensible_t pk_text;
/* deserialize [nonce]G */
succ = field_deserialize(&eph, signature);
succ = field_deserialize(eph, signature);
if (!succ) return GOLDI_EINVAL;
succ = deserialize_and_twist_approx(&pk_text, &sqrt_d_minus_1, &pk);
succ = deserialize_and_twist_approx(&pk_text, pk);
if (!succ) return GOLDI_EINVAL;
linear_combo_var_fixed_vt( &pk_text,
@@ -464,9 +464,9 @@ goldilocks_verify (
s, GOLDI_SCALAR_BITS,
goldilocks_global.wnafs, WNAF_PRECMP_BITS );
untwist_and_double_and_serialize( &pk, &pk_text );
untwist_and_double_and_serialize( pk, &pk_text );

succ = field_eq(&eph, &pk);
succ = field_eq(eph, pk);
return succ ? 0 : GOLDI_EINVAL;
}
#endif
@@ -485,14 +485,14 @@ goldilocks_precompute_public_key (
struct tw_extensible_t pk_text;
struct field_t pk;
mask_t succ = field_deserialize(&pk, pub->opaque);
field_a_t pk;
mask_t succ = field_deserialize(pk, pub->opaque);
if (!succ) {
free(precom);
return NULL;
}
succ = deserialize_and_twist_approx(&pk_text, &sqrt_d_minus_1, &pk);
succ = deserialize_and_twist_approx(&pk_text, pk);
if (!succ) {
free(precom);
return NULL;
@@ -538,11 +538,11 @@ goldilocks_verify_precomputed (
word_t challenge[GOLDI_FIELD_WORDS];
goldilocks_derive_challenge(challenge, pubkey->pub.opaque, signature, message, message_len);
struct field_t eph, pk;
field_a_t eph, pk;
struct tw_extensible_t pk_text;
/* deserialize [nonce]G */
succ = field_deserialize(&eph, signature);
succ = field_deserialize(eph, signature);
if (!succ) return GOLDI_EINVAL;
succ = linear_combo_combs_vt (
@@ -552,9 +552,9 @@ goldilocks_verify_precomputed (
);
if (!succ) return GOLDI_EINVAL;
untwist_and_double_and_serialize( &pk, &pk_text );
untwist_and_double_and_serialize( pk, &pk_text );

succ = field_eq(&eph, &pk);
succ = field_eq(eph, pk);
return succ ? 0 : GOLDI_EINVAL;
}



+ 41
- 42
src/include/ec_point.h View File

@@ -21,21 +21,21 @@ extern "C" {
* Affine point on an Edwards curve.
*/
struct affine_t {
struct field_t x, y;
field_a_t x, y;
};

/**
* Affine point on a twisted Edwards curve.
*/
struct tw_affine_t {
struct field_t x, y;
field_a_t x, y;
};

/**
* Montgomery buffer.
*/
struct montgomery_t {
struct field_t z0, xd, zd, xa, za;
field_a_t z0, xd, zd, xa, za;
};

/**
@@ -57,7 +57,7 @@ struct montgomery_t {
* instead.
*/
struct extensible_t {
struct field_t x, y, z, t, u;
field_a_t x, y, z, t, u;
};

/**
@@ -65,7 +65,7 @@ struct extensible_t {
* suitable for accumulators.
*/
struct tw_extensible_t {
struct field_t x, y, z, t, u;
field_a_t x, y, z, t, u;
};

/**
@@ -74,7 +74,7 @@ struct tw_extensible_t {
* Good for mixed readdition; suitable for fixed tables.
*/
struct tw_niels_t {
struct field_t a, b, c;
field_a_t a, b, c;
};

/**
@@ -84,7 +84,7 @@ struct tw_niels_t {
*/
struct tw_pniels_t {
struct tw_niels_t n;
struct field_t z;
field_a_t z;
};


@@ -273,14 +273,14 @@ montgomery_step (
void
deserialize_montgomery (
struct montgomery_t* a,
const struct field_t* sbz
const field_a_t sbz
);

mask_t
serialize_montgomery (
struct field_t* b,
field_a_t b,
const struct montgomery_t* a,
const struct field_t* sbz
const field_a_t sbz
);

/**
@@ -296,7 +296,7 @@ serialize_montgomery (
*/
void
serialize_extensible (
struct field_t* b,
field_a_t b,
const struct extensible_t* a
);

@@ -305,7 +305,7 @@ serialize_extensible (
*/
void
untwist_and_double_and_serialize (
struct field_t* b,
field_a_t b,
const struct tw_extensible_t* a
);

@@ -345,7 +345,7 @@ test_only_twist (

mask_t
field_is_square (
const struct field_t* x
const field_a_t x
);

mask_t
@@ -364,7 +364,7 @@ is_even_tw (
mask_t
deserialize_affine (
struct affine_t* a,
const struct field_t* sz
const field_a_t sz
);

/**
@@ -377,8 +377,7 @@ deserialize_affine (
mask_t
deserialize_and_twist_approx (
struct tw_extensible_t* a,
const struct field_t* sdm1,
const struct field_t* sz
const field_a_t sz
);

void
@@ -417,7 +416,7 @@ eq_tw_extensible (
void
elligator_2s_inject (
struct affine_t* a,
const struct field_t* r
const field_a_t r
);

mask_t
@@ -454,8 +453,8 @@ cond_negate_tw_niels (
struct tw_niels_t *n,
mask_t doNegate
) {
constant_time_cond_swap(&n->a, &n->b, sizeof(n->a), doNegate);
field_cond_neg(&n->c, doNegate);
constant_time_cond_swap(n->a, n->b, sizeof(n->a), doNegate);
field_cond_neg(n->c, doNegate);
}

/**
@@ -475,8 +474,8 @@ copy_affine (
struct affine_t* a,
const struct affine_t* ds
) {
field_copy ( &a->x, &ds->x );
field_copy ( &a->y, &ds->y );
field_copy ( a->x, ds->x );
field_copy ( a->y, ds->y );
}

void
@@ -484,8 +483,8 @@ copy_tw_affine (
struct tw_affine_t* a,
const struct tw_affine_t* ds
) {
field_copy ( &a->x, &ds->x );
field_copy ( &a->y, &ds->y );
field_copy ( a->x, ds->x );
field_copy ( a->y, ds->y );
}

void
@@ -493,11 +492,11 @@ copy_montgomery (
struct montgomery_t* a,
const struct montgomery_t* ds
) {
field_copy ( &a->z0, &ds->z0 );
field_copy ( &a->xd, &ds->xd );
field_copy ( &a->zd, &ds->zd );
field_copy ( &a->xa, &ds->xa );
field_copy ( &a->za, &ds->za );
field_copy ( a->z0, ds->z0 );
field_copy ( a->xd, ds->xd );
field_copy ( a->zd, ds->zd );
field_copy ( a->xa, ds->xa );
field_copy ( a->za, ds->za );
}

void
@@ -505,11 +504,11 @@ copy_extensible (
struct extensible_t* a,
const struct extensible_t* ds
) {
field_copy ( &a->x, &ds->x );
field_copy ( &a->y, &ds->y );
field_copy ( &a->z, &ds->z );
field_copy ( &a->t, &ds->t );
field_copy ( &a->u, &ds->u );
field_copy ( a->x, ds->x );
field_copy ( a->y, ds->y );
field_copy ( a->z, ds->z );
field_copy ( a->t, ds->t );
field_copy ( a->u, ds->u );
}

void
@@ -517,11 +516,11 @@ copy_tw_extensible (
struct tw_extensible_t* a,
const struct tw_extensible_t* ds
) {
field_copy ( &a->x, &ds->x );
field_copy ( &a->y, &ds->y );
field_copy ( &a->z, &ds->z );
field_copy ( &a->t, &ds->t );
field_copy ( &a->u, &ds->u );
field_copy ( a->x, ds->x );
field_copy ( a->y, ds->y );
field_copy ( a->z, ds->z );
field_copy ( a->t, ds->t );
field_copy ( a->u, ds->u );
}

void
@@ -529,9 +528,9 @@ copy_tw_niels (
struct tw_niels_t* a,
const struct tw_niels_t* ds
) {
field_copy ( &a->a, &ds->a );
field_copy ( &a->b, &ds->b );
field_copy ( &a->c, &ds->c );
field_copy ( a->a, ds->a );
field_copy ( a->b, ds->b );
field_copy ( a->c, ds->c );
}

void
@@ -540,7 +539,7 @@ copy_tw_pniels (
const struct tw_pniels_t* ds
) {
copy_tw_niels( &a->n, &ds->n );
field_copy ( &a->z, &ds->z );
field_copy ( a->z, ds->z );
}

#ifdef __cplusplus


+ 41
- 38
src/include/field.h View File

@@ -14,6 +14,9 @@
#include "f_field.h"
#include <string.h>

typedef struct field_t field_a_t[1];
#define field_a_restrict_t struct field_t *__restrict__

#define is32 (GOLDI_BITS == 32 || FIELD_BITS != 448)
#if (is32)
#define IF32(s) (s)
@@ -54,8 +57,8 @@ extern const uint8_t FIELD_MODULUS[FIELD_BYTES];
static inline void
__attribute__((unused,always_inline))
field_copy (
struct field_t *__restrict__ a,
const struct field_t *__restrict__ b
field_a_restrict_t a,
const field_a_restrict_t b
) {
memcpy(a,b,sizeof(*a));
}
@@ -70,8 +73,8 @@ field_copy (
*/
void
field_isr (
struct field_t* a,
const struct field_t* x
field_a_t a,
const field_a_t x
);
/**
@@ -81,8 +84,8 @@ field_isr (
*/
void
field_simultaneous_invert (
struct field_t *__restrict__ out,
const struct field_t *in,
field_a_t *__restrict__ out,
const field_a_t *in,
unsigned int n
);

@@ -93,8 +96,8 @@ field_simultaneous_invert (
*/
void
field_inverse (
struct field_t* a,
const struct field_t* x
field_a_t a,
const field_a_t x
);

/**
@@ -102,8 +105,8 @@ field_inverse (
*/
mask_t
field_eq (
const struct field_t *a,
const struct field_t *b
const field_a_t a,
const field_a_t b
);
/**
@@ -112,31 +115,31 @@ field_eq (
static __inline__ void
__attribute__((unused,always_inline))
field_sqrn (
field_t *__restrict__ y,
const field_t *x,
field_a_restrict_t y,
const field_a_t x,
int n
) {
field_t tmp;
field_a_t tmp;
assert(n>0);
if (n&1) {
field_sqr(y,x);
n--;
} else {
field_sqr(&tmp,x);
field_sqr(y,&tmp);
field_sqr(tmp,x);
field_sqr(y,tmp);
n-=2;
}
for (; n; n-=2) {
field_sqr(&tmp,y);
field_sqr(y,&tmp);
field_sqr(tmp,y);
field_sqr(y,tmp);
}
}

/* Multiply by signed curve constant */
static __inline__ void
field_mulw_scc (
struct field_t* __restrict__ out,
const struct field_t *a,
field_a_restrict_t out,
const field_a_t a,
int64_t scc
) {
if (scc >= 0) {
@@ -151,8 +154,8 @@ field_mulw_scc (
/* Multiply by signed curve constant and weak reduce if biased */
static __inline__ void
field_mulw_scc_wr (
struct field_t* __restrict__ out,
const struct field_t *a,
field_a_restrict_t out,
const field_a_t a,
int64_t scc
) {
field_mulw_scc(out, a, scc);
@@ -162,9 +165,9 @@ field_mulw_scc_wr (

static __inline__ void
field_subx_RAW (
struct field_t *d,
const struct field_t *a,
const struct field_t *b
field_a_t d,
const field_a_t a,
const field_a_t b
) {
field_sub_RAW ( d, a, b );
field_bias( d, 2 );
@@ -173,9 +176,9 @@ field_subx_RAW (

static __inline__ void
field_sub (
struct field_t *d,
const struct field_t *a,
const struct field_t *b
field_a_t d,
const field_a_t a,
const field_a_t b
) {
field_sub_RAW ( d, a, b );
field_bias( d, 2 );
@@ -184,9 +187,9 @@ field_sub (

static __inline__ void
field_add (
struct field_t *d,
const struct field_t *a,
const struct field_t *b
field_a_t d,
const field_a_t a,
const field_a_t b
) {
field_add_RAW ( d, a, b );
field_weak_reduce ( d );
@@ -194,7 +197,7 @@ field_add (

static __inline__ void
field_subw (
struct field_t *d,
field_a_t d,
word_t c
) {
field_subw_RAW ( d, c );
@@ -203,9 +206,9 @@ field_subw (
}

static __inline__ void
field_negx (
struct field_t *d,
const struct field_t *a
field_neg (
field_a_t d,
const field_a_t a
) {
field_neg_RAW ( d, a );
field_bias( d, 2 );
@@ -218,12 +221,12 @@ field_negx (
static inline void
__attribute__((unused,always_inline))
field_cond_neg (
field_t *a,
field_a_t a,
mask_t doNegate
) {
struct field_t negated;
field_negx(&negated, a);
constant_time_select(a, &negated, a, sizeof(negated), doNegate);
field_a_t negated;
field_neg(negated, a);
constant_time_select(a, negated, a, sizeof(negated), doNegate);
}

/** Require the warning annotation on raw routines */


+ 1
- 1
src/include/magic.h View File

@@ -45,7 +45,7 @@
/**
* @brief sqrt(d-1), used for point formats and twisting.
*/
extern const struct field_t sqrt_d_minus_1;
extern const field_a_t sqrt_d_minus_1;

/**
* @brief The base point for Goldilocks.


+ 2
- 2
src/include/scalarmul.h View File

@@ -90,8 +90,8 @@ struct fixed_base_table_t {
*/
mask_t
montgomery_ladder (
struct field_t *out,
const struct field_t *in,
field_a_t out,
const field_a_t in,
const word_t *scalar,
unsigned int nbits,
unsigned int n_extra_doubles


+ 27
- 27
src/p448/f_arithmetic.c View File

@@ -12,32 +12,32 @@

void
field_isr (
struct field_t* a,
const struct field_t* x
field_a_t a,
const field_a_t x
) {
struct field_t L0, L1, L2;
field_sqr ( &L1, x );
field_mul ( &L2, x, &L1 );
field_sqr ( &L1, &L2 );
field_mul ( &L2, x, &L1 );
field_sqrn ( &L1, &L2, 3 );
field_mul ( &L0, &L2, &L1 );
field_sqrn ( &L1, &L0, 3 );
field_mul ( &L0, &L2, &L1 );
field_sqrn ( &L2, &L0, 9 );
field_mul ( &L1, &L0, &L2 );
field_sqr ( &L0, &L1 );
field_mul ( &L2, x, &L0 );
field_sqrn ( &L0, &L2, 18 );
field_mul ( &L2, &L1, &L0 );
field_sqrn ( &L0, &L2, 37 );
field_mul ( &L1, &L2, &L0 );
field_sqrn ( &L0, &L1, 37 );
field_mul ( &L1, &L2, &L0 );
field_sqrn ( &L0, &L1, 111 );
field_mul ( &L2, &L1, &L0 );
field_sqr ( &L0, &L2 );
field_mul ( &L1, x, &L0 );
field_sqrn ( &L0, &L1, 223 );
field_mul ( a, &L2, &L0 );
field_a_t L0, L1, L2;
field_sqr ( L1, x );
field_mul ( L2, x, L1 );
field_sqr ( L1, L2 );
field_mul ( L2, x, L1 );
field_sqrn ( L1, L2, 3 );
field_mul ( L0, L2, L1 );
field_sqrn ( L1, L0, 3 );
field_mul ( L0, L2, L1 );
field_sqrn ( L2, L0, 9 );
field_mul ( L1, L0, L2 );
field_sqr ( L0, L1 );
field_mul ( L2, x, L0 );
field_sqrn ( L0, L2, 18 );
field_mul ( L2, L1, L0 );
field_sqrn ( L0, L2, 37 );
field_mul ( L1, L2, L0 );
field_sqrn ( L0, L1, 37 );
field_mul ( L1, L2, L0 );
field_sqrn ( L0, L1, 111 );
field_mul ( L2, L1, L0 );
field_sqr ( L0, L2 );
field_mul ( L1, x, L0 );
field_sqrn ( L0, L1, 223 );
field_mul ( a, L2, L0 );
}

+ 8
- 8
src/p448/magic.c View File

@@ -35,17 +35,17 @@ const word_t SCALARMUL_FIXED_WINDOW_ADJUSTMENT[2*SCALAR_WORDS] = {

const struct affine_t goldilocks_base_point = {
#ifdef USE_NEON_PERM
{{ 0xaed939f,0xc59d070,0xf0de840,0x5f065c3, 0xf4ba0c7,0xdf73324,0xc170033,0x3a6a26a,
{{{ 0xaed939f,0xc59d070,0xf0de840,0x5f065c3, 0xf4ba0c7,0xdf73324,0xc170033,0x3a6a26a,
0x4c63d96,0x4609845,0xf3932d9,0x1b4faff, 0x6147eaa,0xa2692ff,0x9cecfa9,0x297ea0e
}},
}}},
#else
{{ U56LE(0xf0de840aed939f), U56LE(0xc170033f4ba0c7),
{{{ U56LE(0xf0de840aed939f), U56LE(0xc170033f4ba0c7),
U56LE(0xf3932d94c63d96), U56LE(0x9cecfa96147eaa),
U56LE(0x5f065c3c59d070), U56LE(0x3a6a26adf73324),
U56LE(0x1b4faff4609845), U56LE(0x297ea0ea2692ff)
}},
}}},
#endif
{{ 19 }}
{{{ 19 }}}
};

static const word_t curve_prime_order_lo[(224+WORD_BITS-1)/WORD_BITS] = {
@@ -61,8 +61,8 @@ const struct barrett_prime_t curve_prime_order = {
curve_prime_order_lo
};

const struct field_t
sqrt_d_minus_1 = {{
const field_a_t
sqrt_d_minus_1 = {{{
#ifdef USE_NEON_PERM
0x6749f46,0x24d9770,0xd2e2183,0xa49f7b4,
0xb4f0179,0x8c5f656,0x888db42,0xdcac462,
@@ -78,4 +78,4 @@ sqrt_d_minus_1 = {{
U56LE(0x49443b8748734a),
U56LE(0x12fec0c0b25b7a)
#endif
}};
}}};

+ 27
- 27
src/p480/f_arithmetic.c View File

@@ -12,32 +12,32 @@

void
field_isr (
struct field_t* a,
const struct field_t* x
field_a_t a,
const field_a_t x
) {
struct field_t L0, L1, L2, L3;
field_sqr ( &L2, x );
field_mul ( &L1, x, &L2 );
field_sqrn ( &L0, &L1, 2 );
field_mul ( &L2, &L1, &L0 );
field_sqrn ( &L0, &L2, 4 );
field_mul ( &L1, &L2, &L0 );
field_sqr ( &L0, &L1 );
field_mul ( &L2, x, &L0 );
field_sqrn ( &L0, &L2, 8 );
field_mul ( &L2, &L1, &L0 );
field_sqrn ( &L0, &L2, 17 );
field_mul ( &L1, &L2, &L0 );
field_sqrn ( &L0, &L1, 17 );
field_mul ( &L1, &L2, &L0 );
field_sqrn ( &L3, &L1, 17 );
field_mul ( &L0, &L2, &L3 );
field_sqrn ( &L2, &L0, 51 );
field_mul ( &L0, &L1, &L2 );
field_sqrn ( &L1, &L0, 119 );
field_mul ( &L2, &L0, &L1 );
field_sqr ( &L0, &L2 );
field_mul ( &L1, x, &L0 );
field_sqrn ( &L0, &L1, 239 );
field_mul ( a, &L2, &L0 );
field_a_t L0, L1, L2, L3;
field_sqr ( L2, x );
field_mul ( L1, x, L2 );
field_sqrn ( L0, L1, 2 );
field_mul ( L2, L1, L0 );
field_sqrn ( L0, L2, 4 );
field_mul ( L1, L2, L0 );
field_sqr ( L0, L1 );
field_mul ( L2, x, L0 );
field_sqrn ( L0, L2, 8 );
field_mul ( L2, L1, L0 );
field_sqrn ( L0, L2, 17 );
field_mul ( L1, L2, L0 );
field_sqrn ( L0, L1, 17 );
field_mul ( L1, L2, L0 );
field_sqrn ( L3, L1, 17 );
field_mul ( L0, L2, L3 );
field_sqrn ( L2, L0, 51 );
field_mul ( L0, L1, L2 );
field_sqrn ( L1, L0, 119 );
field_mul ( L2, L0, L1 );
field_sqr ( L0, L2 );
field_mul ( L1, x, L0 );
field_sqrn ( L0, L1, 239 );
field_mul ( a, L2, L0 );
}

+ 6
- 6
src/p480/magic.c View File

@@ -36,7 +36,7 @@ const word_t SCALARMUL_FIXED_WINDOW_ADJUSTMENT[2*SCALAR_WORDS] = {
};

const struct affine_t goldilocks_base_point = {
{{
{{{
U60LE(0x849ff7f845c30d3),
U60LE(0x7dda488553a4c5b),
U60LE(0x1d3a2d9844831ea),
@@ -45,8 +45,8 @@ const struct affine_t goldilocks_base_point = {
U60LE(0xfc955e59aeefa65),
U60LE(0x3ab247cd530013c),
U60LE(0x7ca42af3d564280)
}},
{{ 5 }}
}}},
{{{ 5 }}}
};

static const word_t curve_prime_order_lo[(240+WORD_BITS-1)/WORD_BITS] = {
@@ -62,7 +62,7 @@ const struct barrett_prime_t curve_prime_order = {
curve_prime_order_lo
};

const struct field_t
sqrt_d_minus_1 = {{
const field_a_t
sqrt_d_minus_1 = {{{
232 /* Whoa, it comes out even. */
}};
}}};

+ 27
- 27
src/p521/f_arithmetic.c View File

@@ -12,32 +12,32 @@

void
field_isr (
struct field_t* a,
const struct field_t* x
field_a_t a,
const field_a_t x
) {
struct field_t L0, L1, L2;
field_sqr ( &L1, x );
field_mul ( &L0, x, &L1 );
field_sqrn ( &L2, &L0, 2 );
field_mul ( &L1, &L0, &L2 );
field_sqrn ( &L2, &L1, 4 );
field_mul ( &L0, &L1, &L2 );
field_sqrn ( &L2, &L0, 8 );
field_mul ( &L1, &L0, &L2 );
field_sqrn ( &L2, &L1, 16 );
field_mul ( &L0, &L1, &L2 );
field_sqrn ( &L2, &L0, 32 );
field_mul ( &L1, &L0, &L2 );
field_sqr ( &L2, &L1 );
field_mul ( &L0, x, &L2 );
field_sqrn ( &L2, &L0, 64 );
field_mul ( &L0, &L1, &L2 );
field_sqrn ( &L2, &L0, 129 );
field_mul ( &L1, &L0, &L2 );
field_sqr ( &L2, &L1 );
field_mul ( &L0, x, &L2 );
field_sqrn ( &L2, &L0, 259 );
field_mul ( &L1, &L0, &L2 );
field_sqr ( &L0, &L1 );
field_mul ( a, x, &L0 );
field_a_t L0, L1, L2;
field_sqr ( L1, x );
field_mul ( L0, x, L1 );
field_sqrn ( L2, L0, 2 );
field_mul ( L1, L0, L2 );
field_sqrn ( L2, L1, 4 );
field_mul ( L0, L1, L2 );
field_sqrn ( L2, L0, 8 );
field_mul ( L1, L0, L2 );
field_sqrn ( L2, L1, 16 );
field_mul ( L0, L1, L2 );
field_sqrn ( L2, L0, 32 );
field_mul ( L1, L0, L2 );
field_sqr ( L2, L1 );
field_mul ( L0, x, L2 );
field_sqrn ( L2, L0, 64 );
field_mul ( L0, L1, L2 );
field_sqrn ( L2, L0, 129 );
field_mul ( L1, L0, L2 );
field_sqr ( L2, L1 );
field_mul ( L0, x, L2 );
field_sqrn ( L2, L0, 259 );
field_mul ( L1, L0, L2 );
field_sqr ( L0, L1 );
field_mul ( a, x, L0 );
}

+ 6
- 6
src/p521/magic.c View File

@@ -39,7 +39,7 @@ const word_t SCALARMUL_FIXED_WINDOW_ADJUSTMENT[2*SCALAR_WORDS] = {
};

const struct affine_t goldilocks_base_point = {
{{
{{{
#ifdef USE_P521_3x3_TRANSPOSE
U58LE(0x02a940a2f19ba6c),
U58LE(0x3331c90d2c6ba52),
@@ -64,8 +64,8 @@ const struct affine_t goldilocks_base_point = {
U58LE(0x06277e432c8a5ac),
U58LE(0x0752cb45c48648b)
#endif
}},
{{ 12 }}
}}},
{{{ 12 }}}
};

static const word_t curve_prime_order_lo[(261+WORD_BITS-1)/WORD_BITS] = {
@@ -82,8 +82,8 @@ const struct barrett_prime_t curve_prime_order = {
curve_prime_order_lo
};

const struct field_t
sqrt_d_minus_1 = {{
const field_a_t
sqrt_d_minus_1 = {{{
#ifdef USE_P521_3x3_TRANSPOSE
U58LE(0x1e2be72c1c81990),
U58LE(0x207dfc238a33e46),
@@ -108,4 +108,4 @@ sqrt_d_minus_1 = {{
U58LE(0x0524b9e715937f5),
U58LE(0x0a9ea3ac10d6aed)
#endif
}};
}}};

+ 35
- 35
src/scalarmul.c View File

@@ -15,8 +15,8 @@

mask_t
montgomery_ladder (
struct field_t *out,
const struct field_t *in,
field_a_t out,
const field_a_t in,
const word_t *scalar,
unsigned int nbits,
unsigned int n_extra_doubles
@@ -30,15 +30,15 @@ montgomery_ladder (
word_t w = scalar[j];
for (i=n; i>=0; i--) {
mask_t flip = -((w>>i)&1);
constant_time_cond_swap(&mont.xa,&mont.xd,sizeof(mont.xd),flip^pflip);
constant_time_cond_swap(&mont.za,&mont.zd,sizeof(mont.xd),flip^pflip);
constant_time_cond_swap(mont.xa,mont.xd,sizeof(mont.xd),flip^pflip);
constant_time_cond_swap(mont.za,mont.zd,sizeof(mont.xd),flip^pflip);
montgomery_step(&mont);
pflip = flip;
}
n = WORD_BITS-1;
}
constant_time_cond_swap(&mont.xa,&mont.xd,sizeof(mont.xd),pflip);
constant_time_cond_swap(&mont.za,&mont.zd,sizeof(mont.xd),pflip);
constant_time_cond_swap(mont.xa,mont.xd,sizeof(mont.xd),pflip);
constant_time_cond_swap(mont.za,mont.zd,sizeof(mont.xd),pflip);
assert(n_extra_doubles < INT_MAX);
for (j=0; j<(int)n_extra_doubles; j++) {
@@ -475,8 +475,8 @@ precompute_fixed_base (
struct tw_pniels_t pn_tmp;
struct tw_pniels_t *doubles = (struct tw_pniels_t *) malloc_vector(sizeof(*doubles) * (t-1));
struct field_t *zs = (struct field_t *) malloc_vector(sizeof(*zs) * (n<<(t-1)));
struct field_t *zis = (struct field_t *) malloc_vector(sizeof(*zis) * (n<<(t-1)));
field_a_t *zs = (field_a_t *) malloc_vector(sizeof(*zs) * (n<<(t-1)));
field_a_t *zis = (field_a_t *) malloc_vector(sizeof(*zis) * (n<<(t-1)));
struct tw_niels_t *table = prealloc;
if (prealloc) {
@@ -562,7 +562,7 @@ precompute_fixed_base (

convert_tw_extensible_to_tw_pniels(&pn_tmp, &start);
copy_tw_niels(&table[idx], &pn_tmp.n);
field_copy(&zs[idx], &pn_tmp.z);
field_copy(zs[idx], pn_tmp.z);
if (j >= (1u<<(t-1)) - 1) break;
int delta = (j+1) ^ ((j+1)>>1) ^ gray;
@@ -584,22 +584,22 @@ precompute_fixed_base (
field_simultaneous_invert(zis, zs, n<<(t-1));

field_t product;
field_a_t product;
for (i=0; i<n<<(t-1); i++) {
field_mul(&product, &table[i].a, &zis[i]);
field_strong_reduce(&product);
field_copy(&table[i].a, &product);
field_mul(product, table[i].a, zis[i]);
field_strong_reduce(product);
field_copy(table[i].a, product);
field_mul(&product, &table[i].b, &zis[i]);
field_strong_reduce(&product);
field_copy(&table[i].b, &product);
field_mul(product, table[i].b, zis[i]);
field_strong_reduce(product);
field_copy(table[i].b, product);
field_mul(&product, &table[i].c, &zis[i]);
field_strong_reduce(&product);
field_copy(&table[i].c, &product);
field_mul(product, table[i].c, zis[i]);
field_strong_reduce(product);
field_copy(table[i].c, product);
}
mask_t ret = ~field_is_zero(&zis[0]);
mask_t ret = ~field_is_zero(zis[0]);

free(doubles);
free(zs);
@@ -635,8 +635,8 @@ precompute_fixed_base_wnaf (
unsigned int tbits
) {
int i;
struct field_t *zs = (struct field_t *) malloc_vector(sizeof(*zs)<<tbits);
struct field_t *zis = (struct field_t *) malloc_vector(sizeof(*zis)<<tbits);
field_a_t *zs = (field_a_t *) malloc_vector(sizeof(*zs)<<tbits);
field_a_t *zis = (field_a_t *) malloc_vector(sizeof(*zis)<<tbits);

if (!zs || !zis) {
free(zs);
@@ -650,7 +650,7 @@ precompute_fixed_base_wnaf (
struct tw_pniels_t twop, tmp;
convert_tw_extensible_to_tw_pniels(&tmp, &base);
field_copy(&zs[0], &tmp.z);
field_copy(zs[0], tmp.z);
copy_tw_niels(&out[0], &tmp.n);

if (tbits > 0) {
@@ -659,32 +659,32 @@ precompute_fixed_base_wnaf (
add_tw_pniels_to_tw_extensible(&base, &tmp);
convert_tw_extensible_to_tw_pniels(&tmp, &base);
field_copy(&zs[1], &tmp.z);
field_copy(zs[1], tmp.z);
copy_tw_niels(&out[1], &tmp.n);

for (i=2; i < 1<<tbits; i++) {
add_tw_pniels_to_tw_extensible(&base, &twop);
convert_tw_extensible_to_tw_pniels(&tmp, &base);
field_copy(&zs[i], &tmp.z);
field_copy(zs[i], tmp.z);
copy_tw_niels(&out[i], &tmp.n);
}
}
field_simultaneous_invert(zis, zs, 1<<tbits);

field_t product;
field_a_t product;
for (i=0; i<1<<tbits; i++) {
field_mul(&product, &out[i].a, &zis[i]);
field_strong_reduce(&product);
field_copy(&out[i].a, &product);
field_mul(product, out[i].a, zis[i]);
field_strong_reduce(product);
field_copy(out[i].a, product);
field_mul(&product, &out[i].b, &zis[i]);
field_strong_reduce(&product);
field_copy(&out[i].b, &product);
field_mul(product, out[i].b, zis[i]);
field_strong_reduce(product);
field_copy(out[i].b, product);
field_mul(&product, &out[i].c, &zis[i]);
field_strong_reduce(&product);
field_copy(&out[i].c, &product);
field_mul(product, out[i].c, zis[i]);
field_strong_reduce(product);
field_copy(out[i].c, product);
}

free(zs);


+ 86
- 86
test/bench.c View File

@@ -29,7 +29,7 @@ static double now(void) {
return tv.tv_sec + tv.tv_usec/1000000.0;
}

static void field_randomize( struct crandom_state_t *crand, struct field_t *a ) {
static void field_randomize( struct crandom_state_t *crand, field_a_t a ) {
crandom_generate(crand, (unsigned char *)a, sizeof(*a));
field_strong_reduce(a);
}
@@ -38,7 +38,7 @@ static void q448_randomize( struct crandom_state_t *crand, word_t sk[SCALAR_WORD
crandom_generate(crand, (unsigned char *)sk, SCALAR_BYTES);
}

static void field_print( const char *descr, const struct field_t *a ) {
static void field_print( const char *descr, const field_a_t a ) {
int j;
unsigned char ser[FIELD_BYTES];
field_serialize(ser,a);
@@ -52,7 +52,7 @@ static void field_print( const char *descr, const struct field_t *a ) {
static void __attribute__((unused))
field_print_full (
const char *descr,
const struct field_t *a
const field_a_t a
) {
int j;
printf("%s = 0x", descr);
@@ -86,7 +86,7 @@ int main(int argc, char **argv) {
struct tw_pniels_t pniels;
struct affine_t affine;
struct montgomery_t mb;
struct field_t a,b,c,d;
field_a_t a,b,c,d;
double when;
@@ -106,42 +106,42 @@ int main(int argc, char **argv) {
word_t sk[SCALAR_WORDS],tk[SCALAR_WORDS];
q448_randomize(&crand, sk);
memset(&a,0,sizeof(a));
memset(&b,0,sizeof(b));
memset(&c,0,sizeof(c));
memset(&d,0,sizeof(d));
memset(a,0,sizeof(a));
memset(b,0,sizeof(b));
memset(c,0,sizeof(c));
memset(d,0,sizeof(d));
when = now();
for (i=0; i<nbase*5000; i++) {
field_mul(&c, &b, &a);
field_mul(c, b, a);
}
when = now() - when;
printf("mul: %5.1fns\n", when * 1e9 / i);
when = now();
for (i=0; i<nbase*5000; i++) {
field_sqr(&c, &a);
field_sqr(c, a);
}
when = now() - when;
printf("sqr: %5.1fns\n", when * 1e9 / i);
when = now();
for (i=0; i<nbase*5000; i++) {
field_mulw(&c, &b, 1234562);
field_mulw(c, b, 1234562);
}
when = now() - when;
printf("mulw: %5.1fns\n", when * 1e9 / i);
when = now();
for (i=0; i<nbase*500; i++) {
field_mul(&c, &b, &a);
field_mul(&a, &b, &c);
field_mul(c, b, a);
field_mul(a, b, c);
}
when = now() - when;
printf("mul dep: %5.1fns\n", when * 1e9 / i / 2);
when = now();
for (i=0; i<nbase*10; i++) {
field_randomize(&crand, &a);
field_randomize(&crand, a);
}
when = now() - when;
printf("rand448: %5.1fns\n", when * 1e9 / i);
@@ -165,46 +165,46 @@ int main(int argc, char **argv) {
when = now();
for (i=0; i<nbase; i++) {
field_isr(&c, &a);
field_isr(c, a);
}
when = now() - when;
printf("isr auto: %5.1fµs\n", when * 1e6 / i);
for (i=0; i<100; i++) {
field_randomize(&crand, &a);
field_isr(&d,&a);
field_sqr(&b,&d);
field_mul(&c,&b,&a);
field_sqr(&b,&c);
field_subw(&b,1);
if (!field_is_zero(&b)) {
field_randomize(&crand, a);
field_isr(d,a);
field_sqr(b,d);
field_mul(c,b,a);
field_sqr(b,c);
field_subw(b,1);
if (!field_is_zero(b)) {
printf("ISR validation failure!\n");
field_print("a", &a);
field_print("s", &d);
field_print("a", a);
field_print("s", d);
}
}
when = now();
for (i=0; i<nbase; i++) {
elligator_2s_inject(&affine, &a);
elligator_2s_inject(&affine, a);
}
when = now() - when;
printf("elligator: %5.1fµs\n", when * 1e6 / i);
for (i=0; i<100; i++) {
field_randomize(&crand, &a);
elligator_2s_inject(&affine, &a);
field_randomize(&crand, a);
elligator_2s_inject(&affine, a);
if (!validate_affine(&affine)) {
printf("Elligator validation failure!\n");
field_print("a", &a);
field_print("x", &affine.x);
field_print("y", &affine.y);
field_print("a", a);
field_print("x", affine.x);
field_print("y", affine.y);
}
}
when = now();
for (i=0; i<nbase; i++) {
deserialize_affine(&affine, &a);
deserialize_affine(&affine, a);
}
when = now() - when;
printf("decompress: %5.1fµs\n", when * 1e6 / i);
@@ -212,34 +212,34 @@ int main(int argc, char **argv) {
convert_affine_to_extensible(&exta, &affine);
when = now();
for (i=0; i<nbase; i++) {
serialize_extensible(&a, &exta);
serialize_extensible(a, &exta);
}
when = now() - when;
printf("compress: %5.1fµs\n", when * 1e6 / i);
int goods = 0;
for (i=0; i<100; i++) {
field_randomize(&crand, &a);
mask_t good = deserialize_affine(&affine, &a);
field_randomize(&crand, a);
mask_t good = deserialize_affine(&affine, a);
if (good & !validate_affine(&affine)) {
printf("Deserialize validation failure!\n");
field_print("a", &a);
field_print("x", &affine.x);
field_print("y", &affine.y);
field_print("a", a);
field_print("x", affine.x);
field_print("y", affine.y);
} else if (good) {
goods++;
convert_affine_to_extensible(&exta,&affine);
serialize_extensible(&b, &exta);
field_sub(&c,&b,&a);
if (!field_is_zero(&c)) {
serialize_extensible(b, &exta);
field_sub(c,b,a);
if (!field_is_zero(c)) {
printf("Reserialize validation failure!\n");
field_print("a", &a);
field_print("x", &affine.x);
field_print("y", &affine.y);
deserialize_affine(&affine, &b);
field_print("b", &b);
field_print("x", &affine.x);
field_print("y", &affine.y);
field_print("a", a);
field_print("x", affine.x);
field_print("y", affine.y);
deserialize_affine(&affine, b);
field_print("b", b);
field_print("x", affine.x);
field_print("y", affine.y);
printf("\n");
}
}
@@ -313,7 +313,7 @@ int main(int argc, char **argv) {
when = now();
for (i=0; i<nbase/10; i++) {
ignore_result(montgomery_ladder(&a,&b,sk,FIELD_BITS,0));
ignore_result(montgomery_ladder(a,b,sk,FIELD_BITS,0));
}
when = now() - when;
printf("full ladder: %5.1fµs\n", when * 1e6 / i);
@@ -335,7 +335,7 @@ int main(int argc, char **argv) {
when = now();
for (i=0; i<nbase/10; i++) {
scalarmul(&ext,sk);
untwist_and_double_and_serialize(&a,&ext);
untwist_and_double_and_serialize(a,&ext);
}
when = now() - when;
printf("edwards smc: %5.1fµs\n", when * 1e6 / i);
@@ -405,12 +405,12 @@ int main(int argc, char **argv) {
when = now();
for (i=0; i<nbase/10; i++) {
deserialize_affine(&affine, &a);
deserialize_affine(&affine, a);
convert_affine_to_extensible(&exta,&affine);
twist_and_double(&ext,&exta);
scalarmul(&ext,sk);
untwist_and_double(&exta,&ext);
serialize_extensible(&b, &exta);
serialize_extensible(b, &exta);
}
when = now() - when;
printf("edwards sm: %5.1fµs\n", when * 1e6 / i);
@@ -418,8 +418,8 @@ int main(int argc, char **argv) {
struct fixed_base_table_t t_5_5_18, t_3_5_30, t_8_4_14, t_5_3_30, t_15_3_10;

while (1) {
field_randomize(&crand, &a);
if (deserialize_affine(&affine, &a)) break;
field_randomize(&crand, a);
if (deserialize_affine(&affine, a)) break;
}
convert_affine_to_extensible(&exta,&affine);
twist_and_double(&ext,&exta);
@@ -616,9 +616,9 @@ int main(int argc, char **argv) {
failures=0; successes = 0;
for (i=0; i<nbase/10; i++) {
field_randomize(&crand, &a);
field_randomize(&crand, a);
word_t two = 2;
mask_t good = montgomery_ladder(&b,&a,&two,2,0);
mask_t good = montgomery_ladder(b,a,&two,2,0);
if (!good) continue;
word_t x,y;
@@ -628,17 +628,17 @@ int main(int argc, char **argv) {
y = (hword_t)y;
word_t z=x*y;
ignore_result(montgomery_ladder(&b,&a,&x,WORD_BITS,0));
ignore_result(montgomery_ladder(&c,&b,&y,WORD_BITS,0));
ignore_result(montgomery_ladder(&b,&a,&z,WORD_BITS,0));
ignore_result(montgomery_ladder(b,a,&x,WORD_BITS,0));
ignore_result(montgomery_ladder(c,b,&y,WORD_BITS,0));
ignore_result(montgomery_ladder(b,a,&z,WORD_BITS,0));
field_sub(&d,&b,&c);
if (!field_is_zero(&d)) {
field_sub(d,b,c);
if (!field_is_zero(d)) {
printf("Odd ladder validation failure %d!\n", ++failures);
field_print("a", &a);
field_print("a", a);
printf("x=%"PRIxWORD", y=%"PRIxWORD", z=%"PRIxWORD"\n", x,y,z);
field_print("c", &c);
field_print("b", &b);
field_print("c", c);
field_print("b", b);
printf("\n");
}
}
@@ -647,23 +647,23 @@ int main(int argc, char **argv) {
for (i=0; i<nbase/10; i++) {
mask_t good;
do {
field_randomize(&crand, &a);
good = deserialize_affine(&affine, &a);
field_randomize(&crand, a);
good = deserialize_affine(&affine, a);
} while (!good);
convert_affine_to_extensible(&exta,&affine);
twist_and_double(&ext,&exta);
untwist_and_double(&exta,&ext);
serialize_extensible(&b, &exta);
untwist_and_double_and_serialize(&c, &ext);
serialize_extensible(b, &exta);
untwist_and_double_and_serialize(c, &ext);
field_sub(&d,&b,&c);
field_sub(d,b,c);
if (good && !field_is_zero(&d)){
if (good && !field_is_zero(d)){
printf("Iso+serial validation failure %d!\n", ++failures);
field_print("a", &a);
field_print("b", &b);
field_print("c", &c);
field_print("a", a);
field_print("b", b);
field_print("c", c);
printf("\n");
} else if (good) {
successes ++;
@@ -675,23 +675,23 @@ int main(int argc, char **argv) {
successes = failures = 0;
for (i=0; i<nbase/10; i++) {
struct field_t aa;
field_a_t aa;
struct tw_extensible_t exu,exv,exw;
mask_t good;
do {
field_randomize(&crand, &a);
good = deserialize_affine(&affine, &a);
field_randomize(&crand, a);
good = deserialize_affine(&affine, a);
convert_affine_to_extensible(&exta,&affine);
twist_and_double(&ext,&exta);
} while (!good);
do {
field_randomize(&crand, &aa);
good = deserialize_affine(&affine, &aa);
field_randomize(&crand, aa);
good = deserialize_affine(&affine, aa);
convert_affine_to_extensible(&exta,&affine);
twist_and_double(&exu,&exta);
} while (!good);
field_randomize(&crand, &aa);
field_randomize(&crand, aa);
q448_randomize(&crand, sk);
if (i==0 || i==2) memset(&sk, 0, sizeof(sk));
@@ -705,23 +705,23 @@ int main(int argc, char **argv) {
convert_tw_extensible_to_tw_pniels(&pniels, &exw);
add_tw_pniels_to_tw_extensible(&exv,&pniels);
untwist_and_double(&exta,&exv);
serialize_extensible(&b, &exta);
serialize_extensible(b, &exta);

ignore_result(precompute_fixed_base_wnaf(wnaft,&exu,5));
linear_combo_var_fixed_vt(&ext,sk,FIELD_BITS,tk,FIELD_BITS,wnaft,5);
untwist_and_double(&exta,&exv);
serialize_extensible(&c, &exta);
serialize_extensible(c, &exta);
field_sub(&d,&b,&c);
field_sub(d,b,c);
if (!field_is_zero(&d)){
if (!field_is_zero(d)){
printf("PreWNAF combo validation failure %d!\n", ++failures);
field_print("a", &a);
field_print("A", &aa);
field_print("a", a);
field_print("A", aa);
q448_print("s", sk);
q448_print("t", tk);
field_print("c", &c);
field_print("b", &b);
field_print("c", c);
field_print("b", b);
printf("\n\n");
} else if (good) {
successes ++;


+ 1
- 1
test/test.c View File

@@ -82,7 +82,7 @@ hexprint (

void field_print (
const char *descr,
const struct field_t *a
const field_a_t a
) {
int j;
unsigned char ser[FIELD_BYTES];


+ 1
- 1
test/test.h View File

@@ -20,7 +20,7 @@ hexprint (
void field_print (
const char *descr,
const struct field_t *a
const field_a_t a
);
void scalar_print (


+ 47
- 47
test/test_arithmetic.c View File

@@ -7,7 +7,7 @@
mpz_t mp_field;

static mask_t mpz_to_field (
struct field_t *out,
field_a_t out,
const mpz_t in
) {
uint8_t ser[FIELD_BYTES];
@@ -27,9 +27,9 @@ static inline int BRANCH_ON_CONSTANT(int x) {

static mask_t field_assert_eq_gmp(
const char *descr,
const struct field_t *a,
const struct field_t *b,
const struct field_t *x,
const field_a_t a,
const field_a_t b,
const field_a_t x,
const mpz_t y,
float lowBound,
float highBound
@@ -88,32 +88,32 @@ static mask_t test_add_sub_RAW (
const mpz_t y,
word_t word
) {
struct field_t xx,yy,tt;
field_a_t xx,yy,tt;
mpz_t t;
mask_t succ = MASK_SUCCESS;
succ = mpz_to_field(&xx,x);
succ &= mpz_to_field(&yy,y);
succ = mpz_to_field(xx,x);
succ &= mpz_to_field(yy,y);
mpz_init(t);
field_add_RAW(&tt,&xx,&yy);
field_add_RAW(tt,xx,yy);
mpz_add(t,x,y);
succ &= field_assert_eq_gmp("add",&xx,&yy,&tt,t,0,2.1);
succ &= field_assert_eq_gmp("add",xx,yy,tt,t,0,2.1);
field_sub_RAW(&tt,&xx,&yy);
field_bias(&tt,2);
field_sub_RAW(tt,xx,yy);
field_bias(tt,2);
mpz_sub(t,x,y);
succ &= field_assert_eq_gmp("sub",&xx,&yy,&tt,t,0,3.1);
succ &= field_assert_eq_gmp("sub",xx,yy,tt,t,0,3.1);
field_copy(&tt,&xx);
field_addw(&tt,word);
field_copy(tt,xx);
field_addw(tt,word);
mpz_add_ui(t,x,word);
succ &= field_assert_eq_gmp("addw",&xx,&yy,&tt,t,0,2.1);
succ &= field_assert_eq_gmp("addw",xx,yy,tt,t,0,2.1);
field_copy(&tt,&xx);
field_subw(&tt,word);
field_bias(&tt,1);
field_copy(tt,xx);
field_subw(tt,word);
field_bias(tt,1);
mpz_sub_ui(t,x,word);
succ &= field_assert_eq_gmp("subw",&xx,&yy,&tt,t,0,2.1);
succ &= field_assert_eq_gmp("subw",xx,yy,tt,t,0,2.1);

/*
if (!succ) {
@@ -132,32 +132,32 @@ static mask_t test_mul_sqr (
const mpz_t y,
word_t word
) {
struct field_t xx,yy,tt;
field_a_t xx,yy,tt;
mpz_t t;
mask_t succ = MASK_SUCCESS;
succ = mpz_to_field(&xx,x);
succ &= mpz_to_field(&yy,y);
succ = mpz_to_field(xx,x);
succ &= mpz_to_field(yy,y);
mpz_init(t);
field_mul(&tt,&xx,&yy);
field_mul(tt,xx,yy);
mpz_mul(t,x,y);
succ &= field_assert_eq_gmp("mul",&xx,&yy,&tt,t,0,1.1);
succ &= field_assert_eq_gmp("mul",xx,yy,tt,t,0,1.1);
field_mulw(&tt,&xx,word);
field_mulw(tt,xx,word);
mpz_mul_ui(t,x,word);
succ &= field_assert_eq_gmp("mulw",&xx,&yy,&tt,t,0,1.1);
succ &= field_assert_eq_gmp("mulw",xx,yy,tt,t,0,1.1);
field_sqr(&tt,&xx);
field_sqr(tt,xx);
mpz_mul(t,x,x);
succ &= field_assert_eq_gmp("sqrx",&xx,&yy,&tt,t,0,1.1);
succ &= field_assert_eq_gmp("sqrx",xx,yy,tt,t,0,1.1);
field_sqr(&tt,&yy);
field_sqr(tt,yy);
mpz_mul(t,y,y);
succ &= field_assert_eq_gmp("sqy",&xx,&yy,&tt,t,0,1.1);
succ &= field_assert_eq_gmp("sqy",xx,yy,tt,t,0,1.1);
if (!succ) {
field_print(" x", &xx);
field_print(" y", &yy);
field_print(" x", xx);
field_print(" y", yy);
}
mpz_clear(t);
@@ -168,28 +168,28 @@ static mask_t test_mul_sqr (
static mask_t test_isr (
const mpz_t x
) {
struct field_t xx,yy,ss,tt;
field_a_t xx,yy,ss,tt;
mask_t succ = 0;
succ = mpz_to_field(&xx,x);
succ = mpz_to_field(xx,x);
field_isr(&ss,&xx);
field_sqr(&tt,&ss);
field_mul(&yy,&xx,&tt);
field_isr(ss,xx);
field_sqr(tt,ss);
field_mul(yy,xx,tt);
field_addw(&tt,1);
succ |= field_is_zero(&tt);
field_addw(tt,1);
succ |= field_is_zero(tt);
field_subw(&tt,2);
field_bias(&tt,1);
succ |= field_is_zero(&tt);
field_subw(tt,2);
field_bias(tt,1);
succ |= field_is_zero(tt);
field_addw(&tt,1);
field_addw(tt,1);
if (~succ) {
youfail();
printf("ISR failure.\n");
field_print(" x", &xx);
field_print(" s", &ss);
field_print(" t", &tt);
field_print(" x", xx);
field_print(" s", ss);
field_print(" t", tt);
}
return succ;
@@ -214,7 +214,7 @@ int test_arithmetic (void) {
mask_t succ = MASK_SUCCESS;
int radix_bits = sizeof(word_t) * FIELD_BITS / sizeof(field_t);
int radix_bits = sizeof(word_t) * FIELD_BITS / sizeof(field_a_t);
for (j=0; j<ntests; j++) {
if (j<256) {


+ 24
- 24
test/test_pointops.c View File

@@ -12,15 +12,15 @@ static void
failprint_ext (
const struct extensible_t *a
) {
struct field_t zi, scaled;
field_print(" x", &a->x);
field_print(" y", &a->y);
field_print(" z", &a->z);
field_inverse(&zi, &a->z);
field_mul(&scaled, &zi, &a->x);
field_print(" X", &scaled);
field_mul(&scaled, &zi, &a->y);
field_print(" Y", &scaled);
field_a_t zi, scaled;
field_print(" x", a->x);
field_print(" y", a->y);
field_print(" z", a->z);
field_inverse(zi, a->z);
field_mul(scaled, zi, a->x);
field_print(" X", scaled);
field_mul(scaled, zi, a->y);
field_print(" Y", scaled);
printf("\n");
}

@@ -165,10 +165,10 @@ add_double_test (
if (~succ) {
printf(" Bases were:\n");
field_print(" x1", &base1->x);
field_print(" y1", &base1->y);
field_print(" x2", &base2->x);
field_print(" y2", &base2->y);
field_print(" x1", base1->x);
field_print(" y1", base1->y);
field_print(" x2", base2->x);
field_print(" y2", base2->y);
}
return succ ? 0 : -1;
@@ -211,18 +211,18 @@ single_twisting_test (
succ = 0;
} /* FUTURE: quadness */
field_t sera,serb;
untwist_and_double_and_serialize(&sera,&text);
field_a_t sera,serb;
untwist_and_double_and_serialize(sera,&text);
copy_extensible(&tmpext,&exb);
double_extensible(&tmpext);
serialize_extensible(&serb,&tmpext);
serialize_extensible(serb,&tmpext);
/* check that their (doubled; FUTURE?) serializations are equal */
if (~field_eq(&sera,&serb)) {
if (~field_eq(sera,serb)) {
youfail();
printf(" Different serialization from twist + double ()\n");
field_print(" t", &sera);
field_print(" b", &serb);
field_print(" t", sera);
field_print(" b", serb);
succ = 0;
}
@@ -242,8 +242,8 @@ single_twisting_test (
if (~succ) {
printf(" Base was:\n");
field_print(" x", &base->x);
field_print(" y", &base->y);
field_print(" x", base->x);
field_print(" y", base->y);
}
@@ -252,7 +252,7 @@ single_twisting_test (

int test_pointops (void) {
struct affine_t base, pbase;
struct field_t serf;
field_a_t serf;
struct crandom_state_t crand;
crandom_init_from_buffer(&crand, "test_pointops random initializer");
@@ -277,7 +277,7 @@ int test_pointops (void) {
#endif
/* TODO: we need a field generate, which can return random or pathological. */
mask_t succ = field_deserialize(&serf, ser);
mask_t succ = field_deserialize(serf, ser);
if (!succ) {
youfail();
printf(" Unlikely: fail at field_deserialize\n");
@@ -287,7 +287,7 @@ int test_pointops (void) {
if (i) {
copy_affine(&pbase, &base);
}
elligator_2s_inject(&base, &serf);
elligator_2s_inject(&base, serf);
if (i) {
ret = add_double_test(&base, &pbase);


+ 45
- 45
test/test_scalarmul.c View File

@@ -12,19 +12,19 @@
/* 0 = succeed, 1 = inval, -1 = fail */
static int
single_scalarmul_compatibility_test (
const struct field_t *base,
const field_a_t base,
const word_t *scalar,
int nbits
) {
struct tw_extensible_t text, work;
struct field_t mont, ct, vl, vt;
field_a_t mont, ct, vl, vt;
int ret = 0, i;
mask_t succ, succm;
succ = deserialize_and_twist_approx(&text, &sqrt_d_minus_1, base);
succ = deserialize_and_twist_approx(&text, base);
succm = montgomery_ladder(&mont,base,scalar,nbits,1);
succm = montgomery_ladder(mont,base,scalar,nbits,1);
if (succ != succm) {
youfail();
@@ -52,7 +52,7 @@ single_scalarmul_compatibility_test (
const int nparams = sizeof(params)/sizeof(params[0]);
struct fixed_base_table_t fbt;
const int nsizes = 6;
struct field_t fbout[nparams], wout[nsizes];
field_a_t fbout[nparams], wout[nsizes];
memset(&fbt, 0, sizeof(fbt));
memset(&fbout, 0, sizeof(fbout));
memset(&wout, 0, sizeof(wout));
@@ -75,7 +75,7 @@ single_scalarmul_compatibility_test (
continue;
}
untwist_and_double_and_serialize(&fbout[i], &work);
untwist_and_double_and_serialize(fbout[i], &work);
}
/* compute using precomp wNAF */
@@ -91,7 +91,7 @@ single_scalarmul_compatibility_test (
scalarmul_fixed_base_wnaf_vt(&work, scalar, nbits, pre, i);
untwist_and_double_and_serialize(&wout[i], &work);
untwist_and_double_and_serialize(wout[i], &work);
}
mask_t consistent = MASK_SUCCESS;
@@ -100,31 +100,31 @@ single_scalarmul_compatibility_test (
/* window methods currently only work on FIELD_BITS bits. */
copy_tw_extensible(&work, &text);
scalarmul(&work, scalar);
untwist_and_double_and_serialize(&ct, &work);
untwist_and_double_and_serialize(ct, &work);
copy_tw_extensible(&work, &text);
scalarmul_vlook(&work, scalar);
untwist_and_double_and_serialize(&vl, &work);
untwist_and_double_and_serialize(vl, &work);
copy_tw_extensible(&work, &text);
scalarmul_vt(&work, scalar, nbits);
untwist_and_double_and_serialize(&vt, &work);
untwist_and_double_and_serialize(vt, &work);
/* check consistency mont vs window */
consistent &= field_eq(&mont, &ct);
consistent &= field_eq(&mont, &vl);
consistent &= field_eq(&mont, &vt);
consistent &= field_eq(mont, ct);
consistent &= field_eq(mont, vl);
consistent &= field_eq(mont, vt);
}
/* check consistency mont vs combs */
for (i=0; i<nparams; i++) {
consistent &= field_eq(&mont,&fbout[i]);
consistent &= field_eq(mont,fbout[i]);
}
/* check consistency mont vs wNAF */
for (i=0; i<nsizes; i++) {
consistent &= field_eq(&mont,&wout[i]);
consistent &= field_eq(mont,wout[i]);
}
/* If inconsistent, complain. */
@@ -133,23 +133,23 @@ single_scalarmul_compatibility_test (
printf(" Failed scalarmul consistency test with nbits=%d.\n",nbits);
field_print(" base", base);
scalar_print(" scal", scalar, (nbits+WORD_BITS-1)/WORD_BITS);
field_print(" mont", &mont);
field_print(" mont", mont);
for (i=0; i<nparams; i++) {
printf(" With n=%d, t=%d, s=%d:\n", params[i].n, params[i].t, params[i].s);
field_print(" out ", &fbout[i]);
field_print(" out ", fbout[i]);
}
for (i=0; i<nsizes; i++) {
printf(" With w=%d:\n",i);
field_print(" wNAF", &wout[i]);
field_print(" wNAF", wout[i]);
}
if (nbits == FIELD_BITS) {
field_print(" ct ", &ct);
field_print(" vl ", &vl);
field_print(" vt ", &vt);
field_print(" ct ", ct);
field_print(" vl ", vl);
field_print(" vt ", vt);
}
ret = -1;
@@ -160,20 +160,20 @@ single_scalarmul_compatibility_test (

static int
single_linear_combo_test (
const struct field_t *base1,
const field_a_t base1,
const word_t *scalar1,
int nbits1,
const struct field_t *base2,
const field_a_t base2,
const word_t *scalar2,
int nbits2
) {
struct tw_extensible_t text1, text2, working;
struct tw_pniels_t pn;
struct field_t result_comb, result_combo, result_wnaf;
field_a_t result_comb, result_combo, result_wnaf;
mask_t succ =
deserialize_and_twist_approx(&text1, &sqrt_d_minus_1, base1)
& deserialize_and_twist_approx(&text2, &sqrt_d_minus_1, base2);
deserialize_and_twist_approx(&text1, base1)
& deserialize_and_twist_approx(&text2, base2);
if (!succ) return 1;
struct fixed_base_table_t t1, t2;
@@ -194,22 +194,22 @@ single_linear_combo_test (
/* use the dedicated wNAF linear combo algorithm */
copy_tw_extensible(&working, &text1);
linear_combo_var_fixed_vt(&working, scalar1, nbits1, scalar2, nbits2, wnaf, 5);
untwist_and_double_and_serialize(&result_wnaf, &working);
untwist_and_double_and_serialize(result_wnaf, &working);
/* use the dedicated combs algorithm */
succ &= linear_combo_combs_vt(&working, scalar1, nbits1, &t1, scalar2, nbits2, &t2);
untwist_and_double_and_serialize(&result_combo, &working);
untwist_and_double_and_serialize(result_combo, &working);
/* use two combs */
succ &= scalarmul_fixed_base(&working, scalar1, nbits1, &t1);
convert_tw_extensible_to_tw_pniels(&pn, &working);
succ &= scalarmul_fixed_base(&working, scalar2, nbits2, &t2);
add_tw_pniels_to_tw_extensible(&working, &pn);
untwist_and_double_and_serialize(&result_comb, &working);
untwist_and_double_and_serialize(result_comb, &working);
mask_t consistent = MASK_SUCCESS;
consistent &= field_eq(&result_combo, &result_wnaf);
consistent &= field_eq(&result_comb, &result_wnaf);
consistent &= field_eq(result_combo, result_wnaf);
consistent &= field_eq(result_comb, result_wnaf);
if (!succ || !consistent) {
youfail();
@@ -219,9 +219,9 @@ single_linear_combo_test (
scalar_print(" scal1", scalar1, (nbits1+WORD_BITS-1)/WORD_BITS);
field_print(" base2", base2);
scalar_print(" scal2", scalar2, (nbits1+WORD_BITS-1)/WORD_BITS);
field_print(" combs", &result_comb);
field_print(" combo", &result_combo);
field_print(" wNAFs", &result_wnaf);
field_print(" combs", result_comb);
field_print(" combo", result_combo);
field_print(" wNAFs", result_wnaf);
return -1;
}
@@ -234,7 +234,7 @@ single_linear_combo_test (
/* 0 = succeed, 1 = inval, -1 = fail */
static int
single_scalarmul_commutativity_test (
const struct field_t *base,
const field_a_t base,
const word_t *scalar1,
int nbits1,
int ned1,
@@ -242,12 +242,12 @@ single_scalarmul_commutativity_test (
int nbits2,
int ned2
) {
struct field_t m12, m21, tmp1, tmp2;
mask_t succ12a = montgomery_ladder(&tmp1,base,scalar1,nbits1,ned1);
mask_t succ12b = montgomery_ladder(&m12,&tmp1,scalar2,nbits2,ned2);
field_a_t m12, m21, tmp1, tmp2;
mask_t succ12a = montgomery_ladder(tmp1,base,scalar1,nbits1,ned1);
mask_t succ12b = montgomery_ladder(m12,tmp1,scalar2,nbits2,ned2);
mask_t succ21a = montgomery_ladder(&tmp2,base,scalar2,nbits2,ned2);
mask_t succ21b = montgomery_ladder(&m21,&tmp2,scalar1,nbits1,ned1);
mask_t succ21a = montgomery_ladder(tmp2,base,scalar2,nbits2,ned2);
mask_t succ21b = montgomery_ladder(m21,tmp2,scalar1,nbits1,ned1);
mask_t succ12 = succ12a & succ12b, succ21 = succ21a & succ21b;
@@ -256,8 +256,8 @@ single_scalarmul_commutativity_test (
printf(" Failed scalarmul commutativity test with (nbits,ned) = (%d,%d), (%d,%d).\n",
nbits1,ned1,nbits2,ned2);
field_print(" base", base);
field_print(" tmp1", &tmp1);
field_print(" tmp2", &tmp2);
field_print(" tmp1", tmp1);
field_print(" tmp2", tmp2);
scalar_print(" sca1", scalar1, (nbits1+WORD_BITS-1)/WORD_BITS);
scalar_print(" sca2", scalar2, (nbits1+WORD_BITS-1)/WORD_BITS);
printf(" good = ((%d,%d),(%d,%d))\n", (int)-succ12a,
@@ -269,7 +269,7 @@ single_scalarmul_commutativity_test (
return 1;
}
mask_t consistent = field_eq(&m12,&m21);
mask_t consistent = field_eq(m12,m21);
if (consistent) {
return 0;
} else {
@@ -279,8 +279,8 @@ single_scalarmul_commutativity_test (
field_print(" base", base);
scalar_print(" sca1", scalar1, (nbits1+WORD_BITS-1)/WORD_BITS);
scalar_print(" sca2", scalar2, (nbits1+WORD_BITS-1)/WORD_BITS);
field_print(" m12 ", &m12);
field_print(" m21 ", &m21);
field_print(" m12 ", m12);
field_print(" m21 ", m21);
return -1;
}
}


Write Preview
Loading…
Cancel
Save