diff --git a/src/gen_headers/curve_data.py b/src/gen_headers/curve_data.py index 444560c..d9f26ec 100644 --- a/src/gen_headers/curve_data.py +++ b/src/gen_headers/curve_data.py @@ -1,3 +1,8 @@ +from collections import namedtuple + +comb_config = namedtuple("comb_config",["n","t","s"]) +wnaf_config = namedtuple("wnaf_config",["fixed","var"]) + field_data = { "p25519" : { "gf_desc" : "2^255 - 19", @@ -22,7 +27,11 @@ curve_data = { "scalar_bits" : 253, "d": -121665, "trace": -0xa6f7cef517bce6b2c09318d2e7ae9f7a, - "mont_base": 9 + "mont_base": 9, + + "combs":comb_config(3,5,17), + "wnaf":wnaf_config(5,3), + "window_bits":4 }, "ed448goldilocks" : { "name" : "Ed448-Goldilocks", @@ -31,7 +40,11 @@ curve_data = { "scalar_bits" : 446, "d": -39081, "trace": 0x10cd77058eec492d944a725bf7a4cf635c8e9c2ab721cf5b5529eec34, - "mont_base": 5 + "mont_base": 5, + + "combs":comb_config(5,5,18), + "wnaf":wnaf_config(5,3), + "window_bits":5 } } diff --git a/src/p25519/decaf_config.h b/src/p25519/decaf_config.h deleted file mode 100644 index dbde8c5..0000000 --- a/src/p25519/decaf_config.h +++ /dev/null @@ -1,50 +0,0 @@ -/** - * @file decaf_config.h - * @author Mike Hamburg - * - * @copyright - * Copyright (c) 2015 Cryptography Research, Inc. \n - * Released under the MIT License. See LICENSE.txt for license information. - * - * @brief Configuration for decaf_fast.c - */ -#ifndef __DECAF_CONFIG_H__ -#define __DECAF_CONFIG_H__ 1 - -/** - * Use the Montgomery ladder for direct scalarmul. - * - * The Montgomery ladder is faster than Edwards scalarmul, but providing - * the features Decaf supports (cofactor elimination, twist rejection) - * makes it complicated and adds code. Removing the ladder saves a few - * kilobytes at the cost of perhaps 5-10% overhead in direct scalarmul - * time. - */ -#define DECAF_USE_MONTGOMERY_LADDER 0 /* FUTURE */ - -/** The number of comb tables for fixed base scalarmul. */ -#define DECAF_COMBS_N 3 - -/** The number of teeth per comb for fixed base scalarmul. */ -#define DECAF_COMBS_T 5 - -/** The comb spacing fixed base scalarmul. */ -#define DECAF_COMBS_S 17 - -/** Performance tuning: the width of the fixed window for scalar mul. */ -#define DECAF_WINDOW_BITS 4 - -/** - * The number of bits used for the precomputed table in variable-time - * double scalarmul. - */ -#define DECAF_WNAF_FIXED_TABLE_BITS 5 - -/** - * Performance tuning: bits used for the variable table in variable-time - * double scalarmul. - */ -#define DECAF_WNAF_VAR_TABLE_BITS 3 - - -#endif /* __DECAF_CONFIG_H__ */ diff --git a/src/p448/decaf_config.h b/src/p448/decaf_config.h deleted file mode 100644 index 2028eda..0000000 --- a/src/p448/decaf_config.h +++ /dev/null @@ -1,50 +0,0 @@ -/** - * @file decaf_config.h - * @author Mike Hamburg - * - * @copyright - * Copyright (c) 2015 Cryptography Research, Inc. \n - * Released under the MIT License. See LICENSE.txt for license information. - * - * @brief Configuration for decaf_fast.c - */ -#ifndef __DECAF_CONFIG_H__ -#define __DECAF_CONFIG_H__ 1 - -/** - * Use the Montgomery ladder for direct scalarmul. - * - * The Montgomery ladder is faster than Edwards scalarmul, but providing - * the features Decaf supports (cofactor elimination, twist rejection) - * makes it complicated and adds code. Removing the ladder saves a few - * kilobytes at the cost of perhaps 5-10% overhead in direct scalarmul - * time. - */ -#define DECAF_USE_MONTGOMERY_LADDER 1 - -/** The number of comb tables for fixed base scalarmul. */ -#define DECAF_COMBS_N 5 - -/** The number of teeth per comb for fixed base scalarmul. */ -#define DECAF_COMBS_T 5 - -/** The comb spacing fixed base scalarmul. */ -#define DECAF_COMBS_S 18 - -/** Performance tuning: the width of the fixed window for scalar mul. */ -#define DECAF_WINDOW_BITS 5 - -/** - * The number of bits used for the precomputed table in variable-time - * double scalarmul. - */ -#define DECAF_WNAF_FIXED_TABLE_BITS 5 - -/** - * Performance tuning: bits used for the variable table in variable-time - * double scalarmul. - */ -#define DECAF_WNAF_VAR_TABLE_BITS 3 - - -#endif /* __DECAF_CONFIG_H__ */ diff --git a/src/per_curve/decaf.tmpl.c b/src/per_curve/decaf.tmpl.c index f2cdc39..c123d94 100644 --- a/src/per_curve/decaf.tmpl.c +++ b/src/per_curve/decaf.tmpl.c @@ -6,7 +6,6 @@ #include "word.h" #include "field.h" -#include "decaf_config.h" #include @@ -20,19 +19,38 @@ #define IMAGINE_TWIST $(imagine_twist) #define COFACTOR $(cofactor) +/** Comb config: number of combs, n, t, s. */ +#define COMBS_N $(combs.n) +#define COMBS_T $(combs.t) +#define COMBS_S $(combs.s) +#define DECAF_WINDOW_BITS $(window_bits) +#define DECAF_WNAF_FIXED_TABLE_BITS $(wnaf.fixed) +#define DECAF_WNAF_VAR_TABLE_BITS $(wnaf.var) + static const int EDWARDS_D = $(d); -static const scalar_t sc_p = {{{ $(ser(q,64,"SC_LIMB")) }}}; -static const scalar_t sc_r2 = {{{ $(ser(((2**128)**((scalar_bits+63)/64))%q,64,"SC_LIMB")) }}}; -extern const scalar_t API_NS(point_scalarmul_adjustment); /* TODO: auto template these too. */ -extern const scalar_t API_NS(precomputed_scalarmul_adjustment); +static const scalar_t sc_p = {{{ + $(ser(q,64,"SC_LIMB")) +}}}, sc_r2 = {{{ + $(ser(((2**128)**((scalar_bits+63)/64))%q,64,"SC_LIMB")) +}}}, point_scalarmul_adjustment = {{{ + $(ser((2**(scalar_bits-1+window_bits - ((scalar_bits-1)%window_bits)) - 1) % q,64,"SC_LIMB")) +}}}, precomputed_scalarmul_adjustment = {{{ + $(ser((2**(combs.n*combs.t*combs.s) - 1) % q,64,"SC_LIMB")) +}}}; static const decaf_word_t MONTGOMERY_FACTOR = (decaf_word_t)0x$("%x" % pow(-q,2**64-1,2**64))ull; +const uint8_t API_NS(x_base_point)[SER_BYTES] /* TODO */ = { + $(ser(mont_base,8)) +}; + #if COFACTOR==8 static const gf SQRT_ONE_MINUS_D = {FIELD_LITERAL( $(sqrt_one_minus_d) )}; #endif +/* End of template stuff */ + #if (COFACTOR == 8) && !IMAGINE_TWIST /* FUTURE: Curve41417 doesn't have these properties. */ @@ -62,7 +80,7 @@ typedef struct { niels_t n; gf z; } __attribute__((aligned(sizeof(big_register_t pniels_s, pniels_t[1]; /* Precomputed base */ -struct precomputed_s { niels_t table [DECAF_COMBS_N<<(DECAF_COMBS_T-1)]; }; +struct precomputed_s { niels_t table [COMBS_N<<(COMBS_T-1)]; }; extern const gf API_NS(precomputed_base_as_fe)[]; const precomputed_s *API_NS(precomputed_base) = @@ -916,7 +934,7 @@ void API_NS(point_scalarmul) ( NTABLE = 1<<(WINDOW-1); scalar_t scalar1x; - API_NS(scalar_add)(scalar1x, scalar, API_NS(point_scalarmul_adjustment)); + API_NS(scalar_add)(scalar1x, scalar, point_scalarmul_adjustment); sc_halve(scalar1x,scalar1x,sc_p); /* Set up a precomputed table with odd multiples of b. */ @@ -978,9 +996,9 @@ void API_NS(point_double_scalarmul) ( NTABLE = 1<<(WINDOW-1); scalar_t scalar1x, scalar2x; - API_NS(scalar_add)(scalar1x, scalarb, API_NS(point_scalarmul_adjustment)); + API_NS(scalar_add)(scalar1x, scalarb, point_scalarmul_adjustment); sc_halve(scalar1x,scalar1x,sc_p); - API_NS(scalar_add)(scalar2x, scalarc, API_NS(point_scalarmul_adjustment)); + API_NS(scalar_add)(scalar2x, scalarc, point_scalarmul_adjustment); sc_halve(scalar2x,scalar2x,sc_p); /* Set up a precomputed table with odd multiples of b. */ @@ -1054,9 +1072,9 @@ void API_NS(point_dual_scalarmul) ( NTABLE = 1<<(WINDOW-1); scalar_t scalar1x, scalar2x; - API_NS(scalar_add)(scalar1x, scalar1, API_NS(point_scalarmul_adjustment)); + API_NS(scalar_add)(scalar1x, scalar1, point_scalarmul_adjustment); sc_halve(scalar1x,scalar1x,sc_p); - API_NS(scalar_add)(scalar2x, scalar2, API_NS(point_scalarmul_adjustment)); + API_NS(scalar_add)(scalar2x, scalar2, point_scalarmul_adjustment); sc_halve(scalar2x,scalar2x,sc_p); /* Set up a precomputed table with odd multiples of b. */ @@ -1417,7 +1435,7 @@ void API_NS(precompute) ( precomputed_s *table, const point_t base ) { - const unsigned int n = DECAF_COMBS_N, t = DECAF_COMBS_T, s = DECAF_COMBS_S; + const unsigned int n = COMBS_N, t = COMBS_T, s = COMBS_S; assert(n*t*s >= SCALAR_BITS); point_t working, start, doubles[t-1]; @@ -1495,10 +1513,10 @@ void API_NS(precomputed_scalarmul) ( ) { int i; unsigned j,k; - const unsigned int n = DECAF_COMBS_N, t = DECAF_COMBS_T, s = DECAF_COMBS_S; + const unsigned int n = COMBS_N, t = COMBS_T, s = COMBS_S; scalar_t scalar1x; - API_NS(scalar_add)(scalar1x, scalar, API_NS(precomputed_scalarmul_adjustment)); + API_NS(scalar_add)(scalar1x, scalar, precomputed_scalarmul_adjustment); sc_halve(scalar1x,scalar1x,sc_p); niels_t ni; diff --git a/src/per_curve/decaf_gen_tables.tmpl.c b/src/per_curve/decaf_gen_tables.tmpl.c index e753dcc..dc7060c 100644 --- a/src/per_curve/decaf_gen_tables.tmpl.c +++ b/src/per_curve/decaf_gen_tables.tmpl.c @@ -7,21 +7,15 @@ #include "field.h" #include "f_field.h" #include "decaf.h" -#include "decaf_config.h" #define API_NS(_id) $(c_ns)_##_id -#define SCALAR_BITS $(C_NS)_SCALAR_BITS static const unsigned char base_point_ser_for_pregen[SER_BYTES] = { $(decaf_base) }; /* To satisfy linker. */ const gf API_NS(precomputed_base_as_fe)[1]; -const API_NS(scalar_t) API_NS(precomputed_scalarmul_adjustment); -const API_NS(scalar_t) API_NS(point_scalarmul_adjustment); - const API_NS(point_t) API_NS(point_base); -const uint8_t API_NS(x_base_point)[X_PUBLIC_BYTES] = {0}; struct niels_s; const gf_s *API_NS(precomputed_wnaf_as_fe); @@ -31,28 +25,6 @@ void API_NS(precompute_wnafs) ( struct niels_s *out, const API_NS(point_t) base ); - -static void scalar_print(const char *name, const API_NS(scalar_t) sc) { /* UNIFY */ - printf("const API_NS(scalar_t) %s = {{{\n", name); - const int SCALAR_BYTES = (SCALAR_BITS + 7) / 8; - unsigned char ser[SCALAR_BYTES]; - API_NS(scalar_encode)(ser,sc); - int b=0, i, comma=0; - unsigned long long limb = 0; - for (i=0; i>(8-b); - } - } - printf("}}};\n\n"); -} - static void field_print(const gf f) { /* UNIFY */ unsigned char ser[SER_BYTES]; gf_serialize(ser,f); @@ -129,38 +101,5 @@ int main(int argc, char **argv) { } printf("\n};\n"); - API_NS(scalar_t) smadj; - API_NS(scalar_copy)(smadj,API_NS(scalar_one)); - - for (i=0; i