jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Browse Source

Thanks Johan Pascal: remove gf_hibit, since it was a relic from p521 days

master
Michael Hamburg 6 years ago
parent
383088f354
commit
752d260af2
5 changed files with 22 additions and 39 deletions
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +11
    -11
      src/per_curve/decaf.tmpl.c
  2. +1
    -1
      src/per_curve/decaf_gen_tables.tmpl.c
  3. +2
    -6
      src/per_curve/elligator.tmpl.c
  4. +2
    -4
      src/per_field/f_field.tmpl.h
  5. +6
    -17
      src/per_field/f_generic.tmpl.c

+ 11
- 11
src/per_curve/decaf.tmpl.c View File

@@ -233,7 +233,7 @@ void API_NS(deisogenize) (
void API_NS(point_encode)( unsigned char ser[SER_BYTES], const point_t p ) { void API_NS(point_encode)( unsigned char ser[SER_BYTES], const point_t p ) {
gf s,ie1,ie2; gf s,ie1,ie2;
API_NS(deisogenize)(s,ie1,ie2,p,0,0,0); API_NS(deisogenize)(s,ie1,ie2,p,0,0,0);
gf_serialize(ser,s,1);
gf_serialize(ser,s);
} }


decaf_error_t API_NS(point_decode) ( decaf_error_t API_NS(point_decode) (
@@ -244,7 +244,7 @@ decaf_error_t API_NS(point_decode) (
gf s, s2, num, tmp; gf s, s2, num, tmp;
gf_s *tmp2=s2, *ynum=p->z, *isr=p->x, *den=p->t; gf_s *tmp2=s2, *ynum=p->z, *isr=p->x, *den=p->t;
mask_t succ = gf_deserialize(s, ser, 1, 0);
mask_t succ = gf_deserialize(s, ser, 0);
succ &= bool_to_mask(allow_identity) | ~gf_eq(s, ZERO); succ &= bool_to_mask(allow_identity) | ~gf_eq(s, ZERO);
succ &= ~gf_lobit(s); succ &= ~gf_lobit(s);
@@ -840,7 +840,7 @@ void API_NS(point_debugging_pscale) (
) { ) {
gf gfac,tmp; gf gfac,tmp;
/* NB this means you'll never pscale by negative numbers for p521 */ /* NB this means you'll never pscale by negative numbers for p521 */
ignore_result(gf_deserialize(gfac,factor,0,0));
ignore_result(gf_deserialize(gfac,factor,0));
gf_cond_sel(gfac,gfac,ONE,gf_eq(gfac,ZERO)); gf_cond_sel(gfac,gfac,ONE,gf_eq(gfac,ZERO));
gf_mul(tmp,p->x,gfac); gf_mul(tmp,p->x,gfac);
gf_copy(q->x,tmp); gf_copy(q->x,tmp);
@@ -1135,7 +1135,7 @@ void API_NS(point_mul_by_ratio_and_encode_like_eddsa) (
/* Encode */ /* Encode */
enc[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES-1] = 0; enc[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES-1] = 0;
gf_serialize(enc, x, 1);
gf_serialize(enc, x);
enc[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES-1] |= 0x80 & gf_lobit(t); enc[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES-1] |= 0x80 & gf_lobit(t);


decaf_bzero(x,sizeof(x)); decaf_bzero(x,sizeof(x));
@@ -1156,7 +1156,7 @@ decaf_error_t API_NS(point_decode_like_eddsa_and_mul_by_ratio) (
mask_t low = ~word_is_zero(enc2[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES-1] & 0x80); mask_t low = ~word_is_zero(enc2[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES-1] & 0x80);
enc2[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES-1] &= ~0x80; enc2[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES-1] &= ~0x80;
mask_t succ = gf_deserialize(p->y, enc2, 1, 0);
mask_t succ = gf_deserialize(p->y, enc2, 0);
#if $(gf_bits % 8) == 0 #if $(gf_bits % 8) == 0
succ &= word_is_zero(enc2[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES-1]); succ &= word_is_zero(enc2[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES-1]);
#endif #endif
@@ -1256,7 +1256,7 @@ decaf_error_t decaf_x$(gf_shortname) (
const uint8_t scalar[X_PRIVATE_BYTES] const uint8_t scalar[X_PRIVATE_BYTES]
) { ) {
gf x1, x2, z2, x3, z3, t1, t2; gf x1, x2, z2, x3, z3, t1, t2;
ignore_result(gf_deserialize(x1,base,1,0));
ignore_result(gf_deserialize(x1,base,0));
gf_copy(x2,ONE); gf_copy(x2,ONE);
gf_copy(z2,ZERO); gf_copy(z2,ZERO);
gf_copy(x3,x1); gf_copy(x3,x1);
@@ -1307,7 +1307,7 @@ decaf_error_t decaf_x$(gf_shortname) (
gf_cond_swap(z2,z3,swap); gf_cond_swap(z2,z3,swap);
gf_invert(z2,z2,0); gf_invert(z2,z2,0);
gf_mul(x1,x2,z2); gf_mul(x1,x2,z2);
gf_serialize(out,x1,1);
gf_serialize(out,x1);
mask_t nz = ~gf_eq(x1,ZERO); mask_t nz = ~gf_eq(x1,ZERO);
decaf_bzero(x1,sizeof(x1)); decaf_bzero(x1,sizeof(x1));
@@ -1328,7 +1328,7 @@ void decaf_ed$(gf_shortname)_convert_public_key_to_x$(gf_shortname) (
) { ) {
gf y; gf y;
const uint8_t mask = (uint8_t)(0xFE<<($((gf_bits-1)%8))); const uint8_t mask = (uint8_t)(0xFE<<($((gf_bits-1)%8)));
ignore_result(gf_deserialize(y, ed, 1, mask));
ignore_result(gf_deserialize(y, ed, mask));
{ {
gf n,d; gf n,d;
@@ -1339,7 +1339,7 @@ void decaf_ed$(gf_shortname)_convert_public_key_to_x$(gf_shortname) (
gf_sub(d, ONE, y); /* d = 1-y */ gf_sub(d, ONE, y); /* d = 1-y */
gf_invert(d, d, 0); /* d = 1/(1-y) */ gf_invert(d, d, 0); /* d = 1/(1-y) */
gf_mul(y, n, d); /* u = (y+1)/(1-y) */ gf_mul(y, n, d); /* u = (y+1)/(1-y) */
gf_serialize(x,y,1);
gf_serialize(x,y);
#else /* EDDSA_USE_SIGMA_ISOGENY */ #else /* EDDSA_USE_SIGMA_ISOGENY */
/* u = y^2 * (1-dy^2) / (1-y^2) */ /* u = y^2 * (1-dy^2) / (1-y^2) */
gf_sqr(n,y); /* y^2*/ gf_sqr(n,y); /* y^2*/
@@ -1349,7 +1349,7 @@ void decaf_ed$(gf_shortname)_convert_public_key_to_x$(gf_shortname) (
gf_mulw(d,n,EDWARDS_D); /* dy^2*/ gf_mulw(d,n,EDWARDS_D); /* dy^2*/
gf_sub(d, ONE, d); /* 1-dy^2*/ gf_sub(d, ONE, d); /* 1-dy^2*/
gf_mul(n, y, d); /* y^2 * (1-dy^2) / (1-y^2) */ gf_mul(n, y, d); /* y^2 * (1-dy^2) / (1-y^2) */
gf_serialize(x,n,1);
gf_serialize(x,n);
#endif /* EDDSA_USE_SIGMA_ISOGENY */ #endif /* EDDSA_USE_SIGMA_ISOGENY */
decaf_bzero(y,sizeof(y)); decaf_bzero(y,sizeof(y));
@@ -1381,7 +1381,7 @@ void API_NS(point_mul_by_ratio_and_encode_like_x$(gf_shortname)) (
#if IMAGINE_TWIST #if IMAGINE_TWIST
gf_sub(q->y,ZERO,q->y); gf_sub(q->y,ZERO,q->y);
#endif #endif
gf_serialize(out,q->y,1);
gf_serialize(out,q->y);
API_NS(point_destroy(q)); API_NS(point_destroy(q));
} }




+ 1
- 1
src/per_curve/decaf_gen_tables.tmpl.c View File

@@ -27,7 +27,7 @@ void API_NS(precompute_wnafs) (
); );
static void field_print(const gf f) { static void field_print(const gf f) {
unsigned char ser[X_SER_BYTES]; unsigned char ser[X_SER_BYTES];
gf_serialize(ser,f,1);
gf_serialize(ser,f);
int b=0, i, comma=0; int b=0, i, comma=0;
unsigned long long limb = 0; unsigned long long limb = 0;
printf("{FIELD_LITERAL("); printf("{FIELD_LITERAL(");


+ 2
- 6
src/per_curve/elligator.tmpl.c View File

@@ -31,7 +31,7 @@ void API_NS(point_from_hash_nonuniform) (
) { ) {
gf r0,r,a,b,c,N,e; gf r0,r,a,b,c,N,e;
const uint8_t mask = (uint8_t)(0xFE<<($((gf_bits-1)%8))); const uint8_t mask = (uint8_t)(0xFE<<($((gf_bits-1)%8)));
ignore_result(gf_deserialize(r0,ser,0,mask));
ignore_result(gf_deserialize(r0,ser,mask));
gf_strong_reduce(r0); gf_strong_reduce(r0);
gf_sqr(a,r0); gf_sqr(a,r0);
gf_mul_qnr(r,a); gf_mul_qnr(r,a);
@@ -165,11 +165,7 @@ API_NS(invert_elligator_nonuniform) (
// succ &= ~(is_identity & sgn_ed_T); /* NB: there are no preimages of rotated identity. */ // succ &= ~(is_identity & sgn_ed_T); /* NB: there are no preimages of rotated identity. */
// #endif // #endif
#if $(gf_bits) == 8*SER_BYTES + 1 /* p521 */
gf_serialize(recovered_hash,b,0);
#else
gf_serialize(recovered_hash,b,1);
#endif
gf_serialize(recovered_hash,b);
#if $(gf_bits%8) #if $(gf_bits%8)
#if COFACTOR==8 #if COFACTOR==8
recovered_hash[SER_BYTES-1] ^= (hint>>4)<<$(gf_bits%8); recovered_hash[SER_BYTES-1] ^= (hint>>4)<<$(gf_bits%8);


+ 2
- 4
src/per_field/f_field.tmpl.h View File

@@ -22,7 +22,6 @@ typedef struct gf_$(gf_shortname)_s {
#define gf gf_$(gf_shortname)_t #define gf gf_$(gf_shortname)_t
#define gf_s gf_$(gf_shortname)_s #define gf_s gf_$(gf_shortname)_s
#define gf_eq gf_$(gf_shortname)_eq #define gf_eq gf_$(gf_shortname)_eq
#define gf_hibit gf_$(gf_shortname)_hibit
#define gf_lobit gf_$(gf_shortname)_lobit #define gf_lobit gf_$(gf_shortname)_lobit
#define gf_copy gf_$(gf_shortname)_copy #define gf_copy gf_$(gf_shortname)_copy
#define gf_add gf_$(gf_shortname)_add #define gf_add gf_$(gf_shortname)_add
@@ -68,10 +67,9 @@ void gf_sqr (gf_s *__restrict__ out, const gf a);
mask_t gf_isr(gf a, const gf x); /** a^2 x = 1, QNR, or 0 if x=0. Return true if successful */ mask_t gf_isr(gf a, const gf x); /** a^2 x = 1, QNR, or 0 if x=0. Return true if successful */
mask_t gf_eq (const gf x, const gf y); mask_t gf_eq (const gf x, const gf y);
mask_t gf_lobit (const gf x); mask_t gf_lobit (const gf x);
mask_t gf_hibit (const gf x);


void gf_serialize (uint8_t *serial, const gf x,int with_highbit);
mask_t gf_deserialize (gf x, const uint8_t serial[SER_BYTES],int with_hibit,uint8_t hi_nmask);
void gf_serialize (uint8_t *serial, const gf x);
mask_t gf_deserialize (gf x, const uint8_t serial[SER_BYTES],uint8_t hi_nmask);




#ifdef __cplusplus #ifdef __cplusplus


+ 6
- 17
src/per_field/f_generic.tmpl.c View File

@@ -13,15 +13,14 @@ static const gf MODULUS = {FIELD_LITERAL(
#endif #endif


/** Serialize to wire format. */ /** Serialize to wire format. */
void gf_serialize (uint8_t serial[SER_BYTES], const gf x, int with_hibit) {
void gf_serialize (uint8_t serial[SER_BYTES], const gf x) {
gf red; gf red;
gf_copy(red, x); gf_copy(red, x);
gf_strong_reduce(red); gf_strong_reduce(red);
if (!with_hibit) { assert(gf_hibit(red) == 0); }
unsigned int j=0, fill=0; unsigned int j=0, fill=0;
dword_t buffer = 0; dword_t buffer = 0;
UNROLL for (unsigned int i=0; i<(with_hibit ? X_SER_BYTES : SER_BYTES); i++) {
UNROLL for (unsigned int i=0; i<SER_BYTES; i++) {
if (fill < 8 && j < NLIMBS) { if (fill < 8 && j < NLIMBS) {
buffer |= ((dword_t)red->limb[LIMBPERM(j)]) << fill; buffer |= ((dword_t)red->limb[LIMBPERM(j)]) << fill;
fill += LIMB_PLACE_VALUE(LIMBPERM(j)); fill += LIMB_PLACE_VALUE(LIMBPERM(j));
@@ -33,14 +32,6 @@ void gf_serialize (uint8_t serial[SER_BYTES], const gf x, int with_hibit) {
} }
} }


/** Return high bit of x = low bit of 2x mod p */
mask_t gf_hibit(const gf x) {
gf y;
gf_add(y,x,x);
gf_strong_reduce(y);
return -(y->limb[0]&1);
}

/** Return high bit of x = low bit of 2x mod p */ /** Return high bit of x = low bit of 2x mod p */
mask_t gf_lobit(const gf x) { mask_t gf_lobit(const gf x) {
gf y; gf y;
@@ -50,15 +41,14 @@ mask_t gf_lobit(const gf x) {
} }


/** Deserialize from wire format; return -1 on success and 0 on failure. */ /** Deserialize from wire format; return -1 on success and 0 on failure. */
mask_t gf_deserialize (gf x, const uint8_t serial[SER_BYTES], int with_hibit, uint8_t hi_nmask) {
mask_t gf_deserialize (gf x, const uint8_t serial[SER_BYTES], uint8_t hi_nmask) {
unsigned int j=0, fill=0; unsigned int j=0, fill=0;
dword_t buffer = 0; dword_t buffer = 0;
dsword_t scarry = 0; dsword_t scarry = 0;
const unsigned nbytes = with_hibit ? X_SER_BYTES : SER_BYTES;
UNROLL for (unsigned int i=0; i<NLIMBS; i++) { UNROLL for (unsigned int i=0; i<NLIMBS; i++) {
UNROLL while (fill < LIMB_PLACE_VALUE(LIMBPERM(i)) && j < nbytes) {
UNROLL while (fill < LIMB_PLACE_VALUE(LIMBPERM(i)) && j < SER_BYTES) {
uint8_t sj = serial[j]; uint8_t sj = serial[j];
if (j==nbytes-1) sj &= ~hi_nmask;
if (j==SER_BYTES-1) sj &= ~hi_nmask;
buffer |= ((dword_t)sj) << fill; buffer |= ((dword_t)sj) << fill;
fill += 8; fill += 8;
j++; j++;
@@ -68,8 +58,7 @@ mask_t gf_deserialize (gf x, const uint8_t serial[SER_BYTES], int with_hibit, ui
buffer >>= LIMB_PLACE_VALUE(LIMBPERM(i)); buffer >>= LIMB_PLACE_VALUE(LIMBPERM(i));
scarry = (scarry + x->limb[LIMBPERM(i)] - MODULUS->limb[LIMBPERM(i)]) >> (8*sizeof(word_t)); scarry = (scarry + x->limb[LIMBPERM(i)] - MODULUS->limb[LIMBPERM(i)]) >> (8*sizeof(word_t));
} }
mask_t succ = with_hibit ? -(mask_t)1 : ~gf_hibit(x);
return succ & word_is_zero(buffer) & ~word_is_zero(scarry);
return word_is_zero(buffer) & ~word_is_zero(scarry);
} }


/** Reduce to canonical form. */ /** Reduce to canonical form. */


Write Preview
Loading…
Cancel
Save