Browse Source
Montgomery ladder now uses non-reduced arith for speed. Also, it is tested to be CT
master
Mike Hamburg
9 years ago
2 changed files with 47 additions and 23 deletions
Split View
Diff Options
-
+29 -16src/decaf.c
-
+18 -7test/test_ct.cxx
+ 29
- 16
src/decaf.c
View File
| @@ -105,11 +105,14 @@ cond_neg(gf x, mask_t neg) { | |||
| /** Constant time, if (swap) (x,y) = (y,x); */ | |||
| static INLINE void | |||
| cond_swap(gf x, gf_s *__restrict__ y, mask_t swap) { | |||
| constant_time_cond_swap(x,y,sizeof(gf_s),swap); | |||
| /* | |||
| UNROLL for (unsigned int i=0; i<sizeof(x->limb)/sizeof(x->limb[0]); i++) { | |||
| decaf_word_t s = (x->limb[i] ^ y->limb[i]) & swap; | |||
| x->limb[i] ^= s; | |||
| y->limb[i] ^= s; | |||
| } | |||
| */ | |||
| } | |||
| /** Inverse square root using addition chain. */ | |||
| @@ -1610,25 +1613,25 @@ decaf_error_t API_NS(x_direct_scalarmul) ( | |||
| cond_swap(z2,z3,swap); | |||
| swap = k_t; | |||
| gf_add(t1,x2,z2); /* A = x2 + z2 */ | |||
| gf_sub(t2,x2,z2); /* B = x2 - z2 */ | |||
| gf_sub(z2,x3,z3); /* D = x3 - z3 */ | |||
| gf_mul(x2,t1,z2); /* DA */ | |||
| gf_add(z2,z3,x3); /* C = x3 + z3 */ | |||
| gf_mul(x3,t2,z2); /* CB */ | |||
| gf_sub(z3,x2,x3); /* DA-CB */ | |||
| gf_sqr(z2,z3); /* (DA-CB)^2 */ | |||
| gf_mul(z3,x1,z2); /* z3 = x1(DA-CB)^2 */ | |||
| gf_add(z2,x2,x3); /* (DA+CB) */ | |||
| gf_sqr(x3,z2); /* x3 = (DA+CB)^2 */ | |||
| gf_add_nr(t1,x2,z2); /* A = x2 + z2 */ | |||
| gf_sub_nr(t2,x2,z2); /* B = x2 - z2 */ | |||
| gf_sub_nr(z2,x3,z3); /* D = x3 - z3 */ | |||
| gf_mul(x2,t1,z2); /* DA */ | |||
| gf_add_nr(z2,z3,x3); /* C = x3 + z3 */ | |||
| gf_mul(x3,t2,z2); /* CB */ | |||
| gf_sub_nr(z3,x2,x3); /* DA-CB */ | |||
| gf_sqr(z2,z3); /* (DA-CB)^2 */ | |||
| gf_mul(z3,x1,z2); /* z3 = x1(DA-CB)^2 */ | |||
| gf_add_nr(z2,x2,x3); /* (DA+CB) */ | |||
| gf_sqr(x3,z2); /* x3 = (DA+CB)^2 */ | |||
| gf_sqr(z2,t1); /* AA = A^2 */ | |||
| gf_sqr(t1,t2); /* BB = B^2 */ | |||
| gf_mul(x2,z2,t1); /* x2 = AA*BB */ | |||
| gf_sub(t2,z2,t1); /* E = AA-BB */ | |||
| gf_sqr(z2,t1); /* AA = A^2 */ | |||
| gf_sqr(t1,t2); /* BB = B^2 */ | |||
| gf_mul(x2,z2,t1); /* x2 = AA*BB */ | |||
| gf_sub_nr(t2,z2,t1); /* E = AA-BB */ | |||
| gf_mulw_sgn(t1,t2,-EDWARDS_D); /* E*-d = a24*E */ | |||
| gf_add(t1,t1,z2); /* AA + a24*E */ | |||
| gf_add_nr(t1,t1,z2); /* AA + a24*E */ | |||
| gf_mul(z2,t2,t1); /* z2 = E(AA+a24*E) */ | |||
| } | |||
| @@ -1679,8 +1682,18 @@ void API_NS(x_base_scalarmul) ( | |||
| * we pick up only a factor of 2 over Jacobi -> Montgomery. | |||
| */ | |||
| sc_halve(the_scalar,the_scalar,sc_p); | |||
| #if COFACTOR==8 | |||
| /* If the base point isn't in the prime-order subgroup (PERF: | |||
| * guarantee that it is?) then a 4-isogeny isn't necessarily | |||
| * enough to clear the cofactor. So add another doubling. | |||
| */ | |||
| sc_halve(the_scalar,the_scalar,sc_p); | |||
| #endif | |||
| point_t p; | |||
| API_NS(precomputed_scalarmul)(p,API_NS(precomputed_base),the_scalar); | |||
| #if COFACTOR==8 | |||
| API_NS(point_double)(p,p); | |||
| #endif | |||
| /* Isogenize to Montgomery curve */ | |||
| gf_invert(p->t,p->x); /* 1/x */ | |||
+ 18
- 7
test/test_ct.cxx
View File
| @@ -34,7 +34,7 @@ typedef typename Group::Point Point; | |||
| typedef typename Group::Precomputed Precomputed; | |||
| static void test_arithmetic() { | |||
| SpongeRng rng(Block("test_arithmetic")); | |||
| SpongeRng rng(Block("test_arithmetic"),SpongeRng::DETERMINISTIC); | |||
| rng.stir(undef_block); | |||
| Scalar x(rng),y(rng),z; | |||
| @@ -53,7 +53,7 @@ static void test_arithmetic() { | |||
| } | |||
| static void test_elligator() { | |||
| SpongeRng rng(Block("test_elligator")); | |||
| SpongeRng rng(Block("test_elligator"),SpongeRng::DETERMINISTIC); | |||
| rng.stir(undef_block); | |||
| FixedArrayBuffer<Group::Point::HASH_BYTES> inv; | |||
| @@ -66,7 +66,7 @@ static void test_elligator() { | |||
| } | |||
| static void test_ec() { | |||
| SpongeRng rng(Block("test_ec")); | |||
| SpongeRng rng(Block("test_ec"),SpongeRng::DETERMINISTIC); | |||
| rng.stir(undef_block); | |||
| uint8_t ser[Group::Point::SER_BYTES]; | |||
| @@ -92,9 +92,18 @@ static void test_ec() { | |||
| } | |||
| } | |||
| /* TODO: test x25519/x448 */ | |||
| /* FUTURE: test ed25519/ed448 */ | |||
| static void test_cfrg() { | |||
| SpongeRng rng(Block("test_cfrg"),SpongeRng::DETERMINISTIC); | |||
| rng.stir(undef_block); | |||
| for (int i=0; i<NTESTS; i++) { | |||
| FixedArrayBuffer<Group::DhLadder::PUBLIC_BYTES> pub(rng); | |||
| FixedArrayBuffer<Group::DhLadder::PRIVATE_BYTES> priv(rng); | |||
| Group::DhLadder::generate_key(priv); | |||
| ignore(Group::DhLadder::shared_secret_noexcept(pub,pub,priv)); | |||
| } | |||
| } | |||
| /* Specify the same value as you did when compiling decaf_crypto.c */ | |||
| #ifndef DECAF_CRYPTO_SHARED_SECRET_SHORT_CIRUIT | |||
| @@ -102,7 +111,7 @@ static void test_ec() { | |||
| #endif | |||
| static void test_crypto() { | |||
| SpongeRng rng(Block("test_crypto")); | |||
| SpongeRng rng(Block("test_crypto"),SpongeRng::DETERMINISTIC); | |||
| rng.stir(undef_block); | |||
| #if DECAF_CRYPTO_SHARED_SECRET_SHORT_CIRUIT | |||
| @@ -136,6 +145,7 @@ int main(int argc, char **argv) { | |||
| Tests<IsoEd25519>::test_arithmetic(); | |||
| Tests<IsoEd25519>::test_elligator(); | |||
| Tests<IsoEd25519>::test_ec(); | |||
| Tests<IsoEd25519>::test_cfrg(); | |||
| Tests<IsoEd25519>::test_crypto(); | |||
| printf("\n"); | |||
| @@ -143,6 +153,7 @@ int main(int argc, char **argv) { | |||
| Tests<Ed448Goldilocks>::test_arithmetic(); | |||
| Tests<Ed448Goldilocks>::test_elligator(); | |||
| Tests<Ed448Goldilocks>::test_ec(); | |||
| Tests<Ed448Goldilocks>::test_cfrg(); | |||
| Tests<Ed448Goldilocks>::test_crypto(); | |||
| return 0; | |||