Browse Source

progress checkin. compiles. working on point decode. have switched some of the Ds over. BTW, you can see that this is using PinkBikeShed instead of the real Curve25519; this is temporary

master
Michael Hamburg 9 years ago
parent
commit
4b0bf31fc9
3 changed files with 60 additions and 34 deletions
  1. +10
    -5
      aux/decaffeinate_curve25519.sage
  2. +49
    -28
      src/decaf_fast.c
  3. +1
    -1
      src/p25519/f_arithmetic.c

+ 10
- 5
aux/decaffeinate_curve25519.sage View File

@@ -1,7 +1,12 @@
# This is as sketch of how to decaffeinate Curve25519 # This is as sketch of how to decaffeinate Curve25519


F = GF(2^255-19) F = GF(2^255-19)
d = -121665

doPinkBikeShed = True

if doPinkBikeShed: d = -89747 # PinkBikeShed
else: d = -121665 # Curve25519

M = EllipticCurve(F,[0,2-4*d,0,1,0]) M = EllipticCurve(F,[0,2-4*d,0,1,0])
sqrtN1 = sqrt(F(-1)) sqrtN1 = sqrt(F(-1))
@@ -28,7 +33,7 @@ def M_to_E(P):


def decaf_encode_from_E(X,Y): def decaf_encode_from_E(X,Y):
assert X^2 + Y^2 == 1 + d*X^2*Y^2 assert X^2 + Y^2 == 1 + d*X^2*Y^2
if not qpositive(X*Y): X,Y = Y,-X
if not (qpositive(X*Y) or doPinkBikeShed): X,Y = Y,-X
assert qpositive(X*Y) assert qpositive(X*Y)
assert (1-X^2).is_square() assert (1-X^2).is_square()
@@ -69,7 +74,7 @@ def decaf_encode_from_E_c(X,Y):
osx = ooAll * TZ osx = ooAll * TZ
ooTZ = ooAll * zx * osx ooTZ = ooAll * zx * osx
floop = qpositive(T^2 * ooTZ)
floop = qpositive(T^2 * ooTZ) or doPinkBikeShed
if floop: if floop:
frob = zx * ooTZ frob = zx * ooTZ
else: else:
@@ -92,7 +97,7 @@ def decaf_decode_to_E(s):
t = sqrt(s^4 + (2-4*d)*s^2 + 1) t = sqrt(s^4 + (2-4*d)*s^2 + 1)
if not qpositive(t/s): t = -t if not qpositive(t/s): t = -t
X,Y = 2*s / (1+s^2), (1-s^2) / t X,Y = 2*s / (1+s^2), (1-s^2) / t
assert qpositive(X*Y)
assert qpositive(X*Y) or doPinkBikeShed
return X,Y return X,Y
def decaf_decode_to_E_c(s): def decaf_decode_to_E_c(s):
@@ -111,7 +116,7 @@ def decaf_decode_to_E_c(s):
Y = (1-s2) * oot Y = (1-s2) * oot
if not qpositive(tos): Y = -Y if not qpositive(tos): Y = -Y
assert qpositive(X*Y)
assert qpositive(X*Y) or doPinkBikeShed
return X,Y return X,Y




+ 49
- 28
src/decaf_fast.c View File

@@ -43,7 +43,7 @@ typedef int64_t decaf_sdword_t;
#define sv static void #define sv static void
#define snv static void __attribute__((noinline)) #define snv static void __attribute__((noinline))
#define siv static inline void __attribute__((always_inline)) #define siv static inline void __attribute__((always_inline))
static const gf ZERO = {{{0}}}, ONE = {{{1}}}, TWO = {{{2}}};
static const gf ZERO = {{{0}}}, ONE = {{{1}}};//, TWO = {{{2}}};


static const int EDWARDS_D = -89747; static const int EDWARDS_D = -89747;
// Gonna test with PinkBikeShed until the math works... // Gonna test with PinkBikeShed until the math works...
@@ -504,33 +504,47 @@ void API_NS(point_encode)( unsigned char ser[SER_BYTES], const point_t p ) {
static decaf_bool_t gf_deser(gf s, const unsigned char ser[SER_BYTES]) { static decaf_bool_t gf_deser(gf s, const unsigned char ser[SER_BYTES]) {
return field_deserialize((field_t *)s, ser); return field_deserialize((field_t *)s, ser);
} }
extern const gf SQRT_MINUS_ONE; /* Intern this? */
decaf_bool_t API_NS(point_decode) ( decaf_bool_t API_NS(point_decode) (
point_t p, point_t p,
const unsigned char ser[SER_BYTES], const unsigned char ser[SER_BYTES],
decaf_bool_t allow_identity decaf_bool_t allow_identity
) { ) {
gf s, a, b, c, d;
gf s, a, b, c, d, e, f, g;
decaf_bool_t succ = gf_deser(s, ser), zero = gf_eq(s, ZERO); decaf_bool_t succ = gf_deser(s, ser), zero = gf_eq(s, ZERO);
succ &= allow_identity | ~zero; succ &= allow_identity | ~zero;
succ &= ~hibit(s); succ &= ~hibit(s);
gf_sqr ( a, s ); gf_sqr ( a, s );
gf_sub ( p->z, ONE, a ); /* 1-s^2 = 1+as^2 since a=-1 */
gf_sqr ( b, p->z );
gf_mlw ( c, a, 4-4*EDWARDS_D );
gf_add ( c, c, b ); /* u = Z^2 - 4ds^2 with d = EDWARDS_D-1 */
gf_mul ( b, c, a );
succ &= gf_isqrt_chk ( d, b, DECAF_TRUE ); /* v <- 1/sqrt(us^2) */
gf_mul ( b, c, d );
cond_neg ( d, hibit(b) ); /* v <- -v if uv negative */
gf_add ( p->x, s, s ); /* X = 2s */
gf_mul ( c, d, s );
gf_sub ( b, TWO, p->z );
gf_mul ( a, b, c ); /* vs(2-Z) */
gf_mul ( p->y,a,p->z ); /* Y = wZ */
gf_mul ( p->t,a,p->x ); /* T = wX */
gf_add ( g, ONE, a ); /* 1+s^2 = 1+as^2 since a=1 */
succ &= ~ gf_eq( g, ZERO );
gf_sqr ( b, g );
gf_mlw ( c, a, -4*EDWARDS_D );
gf_add ( c, c, b ); /* t^2 */
gf_mul ( d, g, s ); /* s(1+s^2) for denoms */
gf_sqr ( e, d );
gf_mul ( b, c, e );
succ &= gf_isqrt_chk ( e, b, DECAF_TRUE ); /* e = "the" */
gf_mul ( f, e, d ); /* 1/t */
gf_mul ( d, e, c ); /* d = later "the" */
gf_mul ( e, d, g ); /* t/s */
gf_sub ( a, ONE, a); /* 1-s^2 */
gf_mul ( p->y, a, f );
gf_cpy ( p->z, ONE );
gf_sub ( d, e, d );
gf_mul ( c, d, f );
gf_mul ( b, c, SQRT_MINUS_ONE );
gf_add ( p->x, b, b );
cond_neg ( p->x, hibit(e) );
gf_mul ( p->t, p->x, p->y );
p->y->limb[0] -= zero; p->y->limb[0] -= zero;
/* TODO: do something safe-ish if ~succ? */
/* Curve25519: succ &= ~hibit(p->t); */
return succ; return succ;
} }


@@ -547,13 +561,13 @@ void API_NS(point_sub) (
gf_add_nr ( b, q->y, q->x ); gf_add_nr ( b, q->y, q->x );
gf_mul ( p->y, d, b ); gf_mul ( p->y, d, b );
gf_mul ( b, r->t, q->t ); gf_mul ( b, r->t, q->t );
gf_mlw ( p->x, b, 2-2*EDWARDS_D );
gf_mlw ( p->x, b, -2*EDWARDS_D );
gf_add_nr ( b, a, p->y ); gf_add_nr ( b, a, p->y );
gf_sub_nr ( c, p->y, a ); gf_sub_nr ( c, p->y, a );
gf_mul ( a, q->z, r->z ); gf_mul ( a, q->z, r->z );
gf_add_nr ( a, a, a ); gf_add_nr ( a, a, a );
gf_sub_nr ( p->y, a, p->x );
gf_add_nr ( a, a, p->x );
gf_add_nr ( p->y, a, p->x );
gf_sub_nr ( a, a, p->x );
gf_mul ( p->z, a, p->y ); gf_mul ( p->z, a, p->y );
gf_mul ( p->x, p->y, c ); gf_mul ( p->x, p->y, c );
gf_mul ( p->y, a, b ); gf_mul ( p->y, a, b );
@@ -573,13 +587,13 @@ void API_NS(point_add) (
gf_add_nr ( b, q->y, q->x ); gf_add_nr ( b, q->y, q->x );
gf_mul ( p->y, d, b ); gf_mul ( p->y, d, b );
gf_mul ( b, r->t, q->t ); gf_mul ( b, r->t, q->t );
gf_mlw ( p->x, b, 2-2*EDWARDS_D );
gf_mlw ( p->x, b, -2*EDWARDS_D );
gf_add_nr ( b, a, p->y ); gf_add_nr ( b, a, p->y );
gf_sub_nr ( c, p->y, a ); gf_sub_nr ( c, p->y, a );
gf_mul ( a, q->z, r->z ); gf_mul ( a, q->z, r->z );
gf_add_nr ( a, a, a ); gf_add_nr ( a, a, a );
gf_add_nr ( p->y, a, p->x );
gf_sub_nr ( a, a, p->x );
gf_sub_nr ( p->y, a, p->x );
gf_add_nr ( a, a, p->x );
gf_mul ( p->z, a, p->y ); gf_mul ( p->z, a, p->y );
gf_mul ( p->x, p->y, c ); gf_mul ( p->x, p->y, c );
gf_mul ( p->y, a, b ); gf_mul ( p->y, a, b );
@@ -747,7 +761,7 @@ static void pt_to_pniels (
) { ) {
gf_sub ( b->n->a, a->y, a->x ); gf_sub ( b->n->a, a->y, a->x );
gf_add ( b->n->b, a->x, a->y ); gf_add ( b->n->b, a->x, a->y );
gf_mlw ( b->n->c, a->t, 2*EDWARDS_D-2 );
gf_mlw ( b->n->c, a->t, -2*EDWARDS_D );
gf_add ( b->z, a->z, a->z ); gf_add ( b->z, a->z, a->z );
} }


@@ -1012,7 +1026,14 @@ decaf_bool_t API_NS(point_eq) ( const point_t p, const point_t q ) {
gf a, b; gf a, b;
gf_mul ( a, p->y, q->x ); gf_mul ( a, p->y, q->x );
gf_mul ( b, q->y, p->x ); gf_mul ( b, q->y, p->x );
return gf_eq(a,b);
decaf_bool_t succ = gf_eq(a,b);
gf_mul ( a, p->y, q->y );
gf_mul ( b, q->x, p->x );
gf_add ( a, a, b);
succ |= gf_eq(a,ZERO);
return succ;
} }


unsigned char API_NS(point_from_hash_nonuniform) ( unsigned char API_NS(point_from_hash_nonuniform) (
@@ -1190,9 +1211,9 @@ decaf_bool_t API_NS(point_valid) (
gf_sqr(b,p->y); gf_sqr(b,p->y);
gf_sub(a,b,a); gf_sub(a,b,a);
gf_sqr(b,p->t); gf_sqr(b,p->t);
gf_mlw(c,b,1-EDWARDS_D);
gf_mlw(c,b,-EDWARDS_D);
gf_sqr(b,p->z); gf_sqr(b,p->z);
gf_sub(b,b,c);
gf_add(b,b,c);
out &= gf_eq(a,b); out &= gf_eq(a,b);
out &= ~gf_eq(p->z,ZERO); out &= ~gf_eq(p->z,ZERO);
return out; return out;


+ 1
- 1
src/p25519/f_arithmetic.c View File

@@ -10,7 +10,7 @@


#include "field.h" #include "field.h"


static const field_a_t SQRT_MINUS_ONE = {FIELD_LITERAL( // FIXME goes elsewhere?
const field_a_t SQRT_MINUS_ONE = {FIELD_LITERAL( // FIXME goes elsewhere?
0x61b274a0ea0b0, 0x61b274a0ea0b0,
0x0d5a5fc8f189d, 0x0d5a5fc8f189d,
0x7ef5e9cbd0c60, 0x7ef5e9cbd0c60,


Loading…
Cancel
Save