simplify elligator (todo: test more? eg 1/(1-d) on 25519)

Makefile

@@ -48,6 +48,11 @@ LANGXXFLAGS = -fno-strict-aliasing
 GENFLAGS = -ffunction-sections -fdata-sections -fvisibility=hidden -fomit-frame-pointer -fPIC
 OFLAGS ?= -O2
 
+MACOSX_VERSION_MIN ?= 10.9
+ifeq ($(UNAME),Darwin)
+GENFLAGS += -mmacosx-version-min=$(MACOSX_VERSION_MIN)
+endif
+
 TODAY = $(shell date "+%Y-%m-%d")
 
 ifneq (,$(findstring arm,$(MACHINE)))
@@ -184,7 +189,7 @@ $(BUILD_LIB)/libdecaf.so: $(BUILD_LIB)/libdecaf.so.1
 $(BUILD_LIB)/libdecaf.so.1: $(LIBCOMPONENTS)
 	rm -f $@
 ifeq ($(UNAME),Darwin)
-	libtool -macosx_version_min 10.6 -dynamic -dead_strip -lc -x -o $@ \
+	libtool -macosx_version_min $(MACOSX_VERSION_MIN) -dynamic -dead_strip -lc -x -o $@ \
 		  $(LIBCOMPONENTS)
 else
 	$(LD) $(LDFLAGS) -shared -Wl,-soname,`basename $@` -Wl,--gc-sections -o $@ $(LIBCOMPONENTS)

src/decaf_fast.c

@@ -1094,7 +1094,6 @@ void API_NS(point_from_hash_nonuniform) (
     /* Compute D := (dr+a-d)(dr-ar-d) with a=1 */
     gf_sub(a,c,dee);
     gf_add(a,a,ONE);
-    decaf_bool_t special_identity_case = gf_eq(a,ZERO);
     gf_sub(b,c,r);
     gf_sub(b,b,dee);
     gf_mul(D,a,b);
@@ -1108,9 +1107,6 @@ void API_NS(point_from_hash_nonuniform) (
     gf_mul(a,rN,D);
     
     decaf_bool_t square = gf_isqrt_chk(e,a,DECAF_FALSE);
-    decaf_bool_t r_is_zero = gf_eq(r,ZERO);
-    square |= r_is_zero;
-    square |= special_identity_case;
     
     /* b <- t/s */
     cond_sel(c,r0,r,square); /* r? = sqr ? r : 1 */
@@ -1136,7 +1132,7 @@ void API_NS(point_from_hash_nonuniform) (
     gf_mul(c,a,b);
     
     /* Normalize/negate */
-    decaf_bool_t neg_s = hibit(a)^~square;
+    decaf_bool_t neg_s = hibit(a) ^ ~square;
     cond_neg(a,neg_s); /* ends up negative if ~square */
     
     /* b <- t */
@@ -1145,7 +1141,7 @@ void API_NS(point_from_hash_nonuniform) (
     /* isogenize */
 #if IMAGINE_TWIST
     gf_mul(c,a,SQRT_MINUS_ONE);
-    gf_cpy(a,c); // TODO rename
+    gf_cpy(a,c);
 #endif
     
     gf_sqr(c,a); /* s^2 */

src/public_include/decaf/crypto.hxx

@@ -63,20 +63,25 @@ public:
         return typename Group::Point(ser);
     }
     
-    /** @brief Verify a sig.  TODO: nothrow version? FIXME: doesn't check reduction of scalar! */
+    /** @brief Verify a sig.  TODO: nothrow version? */
     inline bool verify_shake(const SHAKE<SHAKE_BITS> &ctx_, const FixedBlock<SIG_BYTES> &sig) throw(CryptoException) {
         SHAKE<SHAKE_BITS> ctx(ctx_);
         ctx << ser << sig.slice(0,Group::Point::SER_BYTES);
         FixedArrayBuffer<CHALLENGE_BYTES> challenge;
         ctx.output(challenge);
         
-        const typename Group::Point combo = point().non_secret_combo_with_base(
-            typename Group::Scalar(challenge),
+        typename Group::Scalar response;
+        decaf_bool_t scalar_OK = Group::Scalar::decode(
+            response,
             sig.slice(Group::Point::SER_BYTES, Group::Scalar::SER_BYTES)
         );
+            
+        const typename Group::Point combo = point().non_secret_combo_with_base(
+            typename Group::Scalar(challenge), response
+        );
         //if (combo != typename Group::Point(sig.slice(0,Group::Point::SER_BYTES)))
         //    throw CryptoException();
-            return combo == typename Group::Point(sig.slice(0,Group::Point::SER_BYTES));
+        return scalar_OK & (combo == typename Group::Point(sig.slice(0,Group::Point::SER_BYTES)));
     }
     
     /** @brief Sign from a message. */

src/public_include/decaf/decaf_448.hxx

@@ -195,7 +195,7 @@ public:
         decaf_bool_t allow_identity=DECAF_FALSE,
         decaf_bool_t short_circuit=DECAF_TRUE    
     ) const throw(CryptoException) {
-        SecureBuffer out(/*FIXME Point::*/SER_BYTES);
+        SecureBuffer out(Point::SER_BYTES);
         if (DECAF_SUCCESS !=
             decaf_448_direct_scalarmul(out.data(), in.data(), s, allow_identity, short_circuit)
         ) {

test/test_decaf.cxx

@@ -158,8 +158,13 @@ static void test_arithmetic() {
         
         if (i%20) continue;
         if (y!=0) arith_check(test,x,y,z,x*y/y,x,"invert");
-        // TODO: negative test, but this throws an exception
-        //arith_check(test,x,y,z,x/0,0,"invert0");
+        try {
+            y = x/0;
+            test.fail();
+            printf("  Inverted zero!");
+            print("x", x);
+            print("y", y);
+        } catch(CryptoException) {}
     }
 }