Browse Source
Merge branch 'decaf' of ssh://git.code.sf.net/p/ed448goldilocks/code into decaf
master
Mike Hamburg
9 years ago
5 changed files with 56 additions and 41 deletions
Split View
Diff Options
-
+2 -2Makefile
-
+8 -2include/shake.hxx
-
+17 -11src/decaf_fast.c
-
+13 -10src/shake.c
-
+16 -16test/bench_decaf.cxx
+ 2
- 2
Makefile
View File
| @@ -109,10 +109,10 @@ build/test: $(LIBCOMPONENTS) $(TESTCOMPONENTS) $(DECAFCOMPONENTS) | |||
| $(LD) $(LDFLAGS) -o $@ $^ -lgmp | |||
| build/test_decaf: $(TESTDECAFCOMPONENTS) decaf_lib | |||
| $(LDXX) $(LDFLAGS) -o $@ $< -Lbuild -Wl,-rpath=`pwd`/build -ldecaf | |||
| $(LDXX) $(LDFLAGS) -o $@ $< -Lbuild -ldecaf | |||
| build/bench_decaf: $(BENCHDECAFCOMPONENTS) decaf_lib | |||
| $(LDXX) $(LDFLAGS) -o $@ $< -Lbuild -Wl,-rpath=`pwd`/build -ldecaf | |||
| $(LDXX) $(LDFLAGS) -o $@ $< -Lbuild -ldecaf | |||
| build/shakesum: build/shakesum.o build/shake.o | |||
| $(LD) $(LDFLAGS) -o $@ $^ | |||
+ 8
- 2
include/shake.hxx
View File
| @@ -233,9 +233,15 @@ public: | |||
| if (!strobe_nonce(sp, data, data.size(), more)) throw ProtocolException(); | |||
| } | |||
| inline void plaintext(const Block &data, bool iSent, bool more = false | |||
| inline void send_plaintext(const Block &data, bool more = false | |||
| ) throw(ProtocolException) { | |||
| if (!strobe_plaintext(sp, data, data.size(), iSent, more)) | |||
| if (!strobe_plaintext(sp, data, data.size(), true, more)) | |||
| throw(ProtocolException()); | |||
| } | |||
| inline void recv_plaintext(const Block &data, bool more = false | |||
| ) throw(ProtocolException) { | |||
| if (!strobe_plaintext(sp, data, data.size(), false, more)) | |||
| throw(ProtocolException()); | |||
| } | |||
+ 17
- 11
src/decaf_fast.c
View File
| @@ -38,12 +38,12 @@ typedef int64_t decaf_sdword_t; | |||
| static const gf ZERO = {{{0}}}, ONE = {{{1}}}, TWO = {{{2}}}; | |||
| #define LMASK ((((decaf_word_t)1)<<LBITS)-1) | |||
| #if WBITS == 64 | |||
| static const gf P = {{{ LMASK, LMASK, LMASK, LMASK, LMASK-1, LMASK, LMASK, LMASK }}}; | |||
| #else | |||
| static const gf P = {{{ LMASK, LMASK, LMASK, LMASK, LMASK, LMASK, LMASK, LMASK, | |||
| LMASK-1, LMASK, LMASK, LMASK, LMASK, LMASK, LMASK, LMASK }}}; | |||
| #endif | |||
| // #if WBITS == 64 | |||
| // static const gf P = {{{ LMASK, LMASK, LMASK, LMASK, LMASK-1, LMASK, LMASK, LMASK }}}; | |||
| // #else | |||
| // static const gf P = {{{ LMASK, LMASK, LMASK, LMASK, LMASK, LMASK, LMASK, LMASK, | |||
| // LMASK-1, LMASK, LMASK, LMASK, LMASK, LMASK, LMASK, LMASK }}}; | |||
| // #endif | |||
| static const int EDWARDS_D = -39081; | |||
| const decaf_448_scalar_t decaf_448_scalar_p = {{{ | |||
| @@ -404,7 +404,7 @@ void decaf_448_scalar_add ( | |||
| decaf_448_subx(out, out->limb, decaf_448_scalar_p, decaf_448_scalar_p, chain); | |||
| } | |||
| snv decaf_448_halve ( | |||
| snv decaf_448_scalar_halve ( | |||
| decaf_448_scalar_t out, | |||
| const decaf_448_scalar_t a, | |||
| const decaf_448_scalar_t p | |||
| @@ -449,6 +449,7 @@ decaf_bool_t decaf_448_scalar_eq ( | |||
| const decaf_448_point_t decaf_448_point_identity = {{{{{0}}},{{{1}}},{{{1}}},{{{0}}}}}; | |||
| static void gf_encode ( unsigned char ser[DECAF_448_SER_BYTES], gf a ) { | |||
| /* | |||
| gf_canon(a); | |||
| int i, k=0, bits=0; | |||
| decaf_dword_t buf=0; | |||
| @@ -458,6 +459,8 @@ static void gf_encode ( unsigned char ser[DECAF_448_SER_BYTES], gf a ) { | |||
| ser[k++]=buf; | |||
| } | |||
| } | |||
| */ | |||
| field_serialize(ser, (field_t *)a); | |||
| } | |||
| void decaf_448_point_encode( unsigned char ser[DECAF_448_SER_BYTES], const decaf_448_point_t p ) { | |||
| @@ -488,6 +491,7 @@ void decaf_448_point_encode( unsigned char ser[DECAF_448_SER_BYTES], const decaf | |||
| * Deserialize a bool, return TRUE if < p. | |||
| */ | |||
| static decaf_bool_t gf_deser(gf s, const unsigned char ser[DECAF_448_SER_BYTES]) { | |||
| /* | |||
| unsigned int i, k=0, bits=0; | |||
| decaf_dword_t buf=0; | |||
| for (i=0; i<DECAF_448_SER_BYTES; i++) { | |||
| @@ -500,6 +504,8 @@ static decaf_bool_t gf_deser(gf s, const unsigned char ser[DECAF_448_SER_BYTES]) | |||
| decaf_sdword_t accum = 0; | |||
| FOR_LIMB(i, accum = (accum + s->limb[i] - P->limb[i]) >> WBITS ); | |||
| return accum; | |||
| */ | |||
| return field_deserialize((field_t *)s, ser); | |||
| } | |||
| decaf_bool_t decaf_448_point_decode ( | |||
| @@ -897,7 +903,7 @@ void decaf_448_point_scalarmul ( | |||
| decaf_448_scalar_t scalar1x; | |||
| decaf_448_scalar_add(scalar1x, scalar, decaf_448_point_scalarmul_adjustment); | |||
| decaf_448_halve(scalar1x,scalar1x,decaf_448_scalar_p); | |||
| decaf_448_scalar_halve(scalar1x,scalar1x,decaf_448_scalar_p); | |||
| /* Set up a precomputed table with odd multiples of b. */ | |||
| pniels_t pn, multiples[NTABLE]; | |||
| @@ -954,9 +960,9 @@ void decaf_448_point_double_scalarmul ( | |||
| decaf_448_scalar_t scalar1x, scalar2x; | |||
| decaf_448_scalar_add(scalar1x, scalarb, decaf_448_point_scalarmul_adjustment); | |||
| decaf_448_halve(scalar1x,scalar1x,decaf_448_scalar_p); | |||
| decaf_448_scalar_halve(scalar1x,scalar1x,decaf_448_scalar_p); | |||
| decaf_448_scalar_add(scalar2x, scalarc, decaf_448_point_scalarmul_adjustment); | |||
| decaf_448_halve(scalar2x,scalar2x,decaf_448_scalar_p); | |||
| decaf_448_scalar_halve(scalar2x,scalar2x,decaf_448_scalar_p); | |||
| /* Set up a precomputed table with odd multiples of b. */ | |||
| pniels_t pn, multiples1[NTABLE], multiples2[NTABLE]; | |||
| @@ -1227,7 +1233,7 @@ void decaf_448_precomputed_scalarmul ( | |||
| decaf_448_scalar_t scalar1x; | |||
| decaf_448_scalar_add(scalar1x, scalar, decaf_448_precomputed_scalarmul_adjustment); | |||
| decaf_448_halve(scalar1x,scalar1x,decaf_448_scalar_p); | |||
| decaf_448_scalar_halve(scalar1x,scalar1x,decaf_448_scalar_p); | |||
| niels_t ni; | |||
+ 13
- 10
src/shake.c
View File
| @@ -214,20 +214,23 @@ void sha3_output ( | |||
| } | |||
| /** TODO: unify with decaf_bzero? */ | |||
| void sponge_destroy ( | |||
| keccak_sponge_t sponge | |||
| ) { | |||
| static void sponge_bzero(void *s, size_t size) { | |||
| #ifdef __STDC_LIB_EXT1__ | |||
| memset_s(sponge, sizeof(sponge), 0, sizeof(sponge)); | |||
| memset_s(s, size, 0, size); | |||
| #else | |||
| volatile uint64_t *destroy = (volatile uint64_t *)sponge; | |||
| unsigned i; | |||
| for (i=0; i<sizeof(keccak_sponge_t)/8; i++) { | |||
| destroy[i] = 0; | |||
| } | |||
| const size_t sw = sizeof(decaf_word_t); | |||
| volatile uint8_t *destroy = (volatile uint8_t *)s; | |||
| for (; size && ((uintptr_t)destroy)%sw; size--, destroy++) | |||
| *destroy = 0; | |||
| for (; size >= sw; size -= sw, destroy += sw) | |||
| *(volatile decaf_word_t *)destroy = 0; | |||
| for (; size; size--, destroy++) | |||
| *destroy = 0; | |||
| #endif | |||
| } | |||
| void sponge_destroy (keccak_sponge_t sponge) { sponge_bzero(sponge, sizeof(keccak_sponge_t)); } | |||
| void sponge_init ( | |||
| keccak_sponge_t sponge, | |||
| const struct kparams_s *params | |||
| @@ -506,7 +509,7 @@ static void strobe_forget ( | |||
| strobe_duplex(sponge,tmp,NULL,len); | |||
| if (sponge->params->position) dokeccak(sponge); | |||
| strobe_duplex(sponge,tmp,NULL,len); | |||
| decaf_bzero(tmp,len); | |||
| sponge_bzero(tmp,len); | |||
| } else { | |||
| if (sponge->params->rate < len + sponge->params->position) { | |||
| dokeccak(sponge); | |||
+ 16
- 16
test/bench_decaf.cxx
View File
| @@ -121,13 +121,13 @@ static void tdh ( | |||
| Scalar xe(rng); | |||
| SecureBuffer gxe = Precomputed::base() * xe; | |||
| client.plaintext(gxe,true); | |||
| server.plaintext(gxe,false); | |||
| client.send_plaintext(gxe); | |||
| server.recv_plaintext(gxe); | |||
| Scalar ye(rng); | |||
| SecureBuffer gye = Precomputed::base() * ye; | |||
| server.plaintext(gye,true); | |||
| client.plaintext(gye,false); | |||
| server.send_plaintext(gye); | |||
| client.recv_plaintext(gye); | |||
| Point pgxe(gxe); | |||
| server.key(pgxe*ye); | |||
| @@ -160,17 +160,17 @@ static void fhmqv ( | |||
| Strobe client(Strobe::CLIENT), server(Strobe::SERVER); | |||
| Scalar xe(rng); | |||
| client.plaintext(gx,true); | |||
| server.plaintext(gx,false); | |||
| client.send_plaintext(gx); | |||
| server.recv_plaintext(gx); | |||
| SecureBuffer gxe = Precomputed::base() * xe; | |||
| client.plaintext(gxe,true); | |||
| server.plaintext(gxe,false); | |||
| server.send_plaintext(gxe); | |||
| client.recv_plaintext(gxe); | |||
| Scalar ye(rng); | |||
| server.plaintext(gy,true); | |||
| client.plaintext(gy,false); | |||
| server.send_plaintext(gy); | |||
| client.recv_plaintext(gy); | |||
| SecureBuffer gye = Precomputed::base() * ye; | |||
| server.plaintext(gye,true); | |||
| server.send_plaintext(gye); | |||
| Scalar schx(server.prng(Scalar::SER_BYTES)); | |||
| Scalar schy(server.prng(Scalar::SER_BYTES)); | |||
| @@ -178,7 +178,7 @@ static void fhmqv ( | |||
| server.key(Point::double_scalarmul(Point(gx),yec,Point(gxe),yec*schx)); | |||
| SecureBuffer as = server.produce_auth(); | |||
| client.plaintext(gye,false); | |||
| client.recv_plaintext(gye); | |||
| Scalar cchx(client.prng(Scalar::SER_BYTES)); | |||
| Scalar cchy(client.prng(Scalar::SER_BYTES)); | |||
| Scalar xec = x + xe*schx; | |||
| @@ -209,13 +209,13 @@ static void spake2ee(const Block &hashed_password, SpongeRng &rng, bool aug) { | |||
| hs = Point::from_hash(h1); // double-count | |||
| SecureBuffer gx(Precomputed::base() * x + hc); | |||
| client.plaintext(gx,true); | |||
| server.plaintext(gx,false); | |||
| client.send_plaintext(gx); | |||
| server.recv_plaintext(gx); | |||
| Scalar y(rng); | |||
| SecureBuffer gy(Precomputed::base() * y + hs); | |||
| server.plaintext(gy,true); | |||
| client.plaintext(gy,false); | |||
| server.send_plaintext(gy); | |||
| client.recv_plaintext(gy); | |||
| server.key(h1); | |||
| server.key((Point(gx) - hc)*y); | |||