Merge branch 'decaf' of ssh://git.code.sf.net/p/ed448goldilocks/code into decaf

Makefile

@@ -109,10 +109,10 @@ build/test: $(LIBCOMPONENTS) $(TESTCOMPONENTS) $(DECAFCOMPONENTS)
 	$(LD) $(LDFLAGS) -o $@ $^ -lgmp
 
 build/test_decaf: $(TESTDECAFCOMPONENTS) decaf_lib
-	$(LDXX) $(LDFLAGS) -o $@ $< -Lbuild -Wl,-rpath=`pwd`/build -ldecaf
+	$(LDXX) $(LDFLAGS) -o $@ $< -Lbuild -ldecaf
 
 build/bench_decaf: $(BENCHDECAFCOMPONENTS) decaf_lib
-	$(LDXX) $(LDFLAGS) -o $@ $< -Lbuild -Wl,-rpath=`pwd`/build -ldecaf
+	$(LDXX) $(LDFLAGS) -o $@ $< -Lbuild -ldecaf
 	
 build/shakesum: build/shakesum.o build/shake.o
 	$(LD) $(LDFLAGS) -o $@ $^

include/shake.hxx

@@ -233,9 +233,15 @@ public:
         if (!strobe_nonce(sp, data, data.size(), more)) throw ProtocolException();
     }
 
-    inline void plaintext(const Block &data, bool iSent, bool more = false
+    inline void send_plaintext(const Block &data, bool more = false
     ) throw(ProtocolException) {
-        if (!strobe_plaintext(sp, data, data.size(), iSent, more))
+        if (!strobe_plaintext(sp, data, data.size(), true, more))
+            throw(ProtocolException());
+    }
+
+    inline void recv_plaintext(const Block &data, bool more = false
+    ) throw(ProtocolException) {
+        if (!strobe_plaintext(sp, data, data.size(), false, more))
             throw(ProtocolException());
     }
 

src/decaf_fast.c

@@ -38,12 +38,12 @@ typedef int64_t decaf_sdword_t;
 static const gf ZERO = {{{0}}}, ONE = {{{1}}}, TWO = {{{2}}};
 
 #define LMASK ((((decaf_word_t)1)<<LBITS)-1)
-#if WBITS == 64
-static const gf P = {{{ LMASK, LMASK, LMASK, LMASK, LMASK-1, LMASK, LMASK, LMASK }}};
-#else
-static const gf P = {{{ LMASK,   LMASK, LMASK, LMASK, LMASK, LMASK, LMASK, LMASK,
-	LMASK-1, LMASK, LMASK, LMASK, LMASK, LMASK, LMASK, LMASK }}};
-#endif
+// #if WBITS == 64
+// static const gf P = {{{ LMASK, LMASK, LMASK, LMASK, LMASK-1, LMASK, LMASK, LMASK }}};
+// #else
+// static const gf P = {{{ LMASK,   LMASK, LMASK, LMASK, LMASK, LMASK, LMASK, LMASK,
+//     LMASK-1, LMASK, LMASK, LMASK, LMASK, LMASK, LMASK, LMASK }}};
+// #endif
 static const int EDWARDS_D = -39081;
 
 const decaf_448_scalar_t decaf_448_scalar_p = {{{
@@ -404,7 +404,7 @@ void decaf_448_scalar_add (
     decaf_448_subx(out, out->limb, decaf_448_scalar_p, decaf_448_scalar_p, chain);
 }
 
-snv decaf_448_halve (
+snv decaf_448_scalar_halve (
     decaf_448_scalar_t out,
     const decaf_448_scalar_t a,
     const decaf_448_scalar_t p
@@ -449,6 +449,7 @@ decaf_bool_t decaf_448_scalar_eq (
 const decaf_448_point_t decaf_448_point_identity = {{{{{0}}},{{{1}}},{{{1}}},{{{0}}}}};
 
 static void gf_encode ( unsigned char ser[DECAF_448_SER_BYTES], gf a ) {
+    /*
     gf_canon(a);
     int i, k=0, bits=0;
     decaf_dword_t buf=0;
@@ -458,6 +459,8 @@ static void gf_encode ( unsigned char ser[DECAF_448_SER_BYTES], gf a ) {
             ser[k++]=buf;
         }
     }
+    */
+    field_serialize(ser, (field_t *)a);
 }
 
 void decaf_448_point_encode( unsigned char ser[DECAF_448_SER_BYTES], const decaf_448_point_t p ) {
@@ -488,6 +491,7 @@ void decaf_448_point_encode( unsigned char ser[DECAF_448_SER_BYTES], const decaf
  * Deserialize a bool, return TRUE if < p.
  */
 static decaf_bool_t gf_deser(gf s, const unsigned char ser[DECAF_448_SER_BYTES]) {
+    /*
     unsigned int i, k=0, bits=0;
     decaf_dword_t buf=0;
     for (i=0; i<DECAF_448_SER_BYTES; i++) {
@@ -500,6 +504,8 @@ static decaf_bool_t gf_deser(gf s, const unsigned char ser[DECAF_448_SER_BYTES])
     decaf_sdword_t accum = 0;
     FOR_LIMB(i, accum = (accum + s->limb[i] - P->limb[i]) >> WBITS );
     return accum;
+    */
+    return field_deserialize((field_t *)s, ser);
 }
     
 decaf_bool_t decaf_448_point_decode (
@@ -897,7 +903,7 @@ void decaf_448_point_scalarmul (
         
     decaf_448_scalar_t scalar1x;
     decaf_448_scalar_add(scalar1x, scalar, decaf_448_point_scalarmul_adjustment);
-    decaf_448_halve(scalar1x,scalar1x,decaf_448_scalar_p);
+    decaf_448_scalar_halve(scalar1x,scalar1x,decaf_448_scalar_p);
     
     /* Set up a precomputed table with odd multiples of b. */
     pniels_t pn, multiples[NTABLE];
@@ -954,9 +960,9 @@ void decaf_448_point_double_scalarmul (
         
     decaf_448_scalar_t scalar1x, scalar2x;
     decaf_448_scalar_add(scalar1x, scalarb, decaf_448_point_scalarmul_adjustment);
-    decaf_448_halve(scalar1x,scalar1x,decaf_448_scalar_p);
+    decaf_448_scalar_halve(scalar1x,scalar1x,decaf_448_scalar_p);
     decaf_448_scalar_add(scalar2x, scalarc, decaf_448_point_scalarmul_adjustment);
-    decaf_448_halve(scalar2x,scalar2x,decaf_448_scalar_p);
+    decaf_448_scalar_halve(scalar2x,scalar2x,decaf_448_scalar_p);
     
     /* Set up a precomputed table with odd multiples of b. */
     pniels_t pn, multiples1[NTABLE], multiples2[NTABLE];
@@ -1227,7 +1233,7 @@ void decaf_448_precomputed_scalarmul (
     
     decaf_448_scalar_t scalar1x;
     decaf_448_scalar_add(scalar1x, scalar, decaf_448_precomputed_scalarmul_adjustment);
-    decaf_448_halve(scalar1x,scalar1x,decaf_448_scalar_p);
+    decaf_448_scalar_halve(scalar1x,scalar1x,decaf_448_scalar_p);
     
     niels_t ni;
     

src/shake.c

@@ -214,20 +214,23 @@ void sha3_output (
 }
 
 /** TODO: unify with decaf_bzero? */
-void sponge_destroy (
-    keccak_sponge_t sponge
-) {
+static void sponge_bzero(void *s, size_t size) {
 #ifdef __STDC_LIB_EXT1__
-    memset_s(sponge, sizeof(sponge), 0, sizeof(sponge));
+    memset_s(s, size, 0, size);
 #else
-    volatile uint64_t *destroy = (volatile uint64_t *)sponge;
-    unsigned i;
-    for (i=0; i<sizeof(keccak_sponge_t)/8; i++) {
-        destroy[i] = 0;
-    }
+    const size_t sw = sizeof(decaf_word_t);
+    volatile uint8_t *destroy = (volatile uint8_t *)s;
+    for (; size && ((uintptr_t)destroy)%sw; size--, destroy++)
+        *destroy = 0;
+    for (; size >= sw; size -= sw, destroy += sw)
+        *(volatile decaf_word_t *)destroy = 0;
+    for (; size; size--, destroy++)
+        *destroy = 0;
 #endif
 }
 
+void sponge_destroy (keccak_sponge_t sponge) { sponge_bzero(sponge, sizeof(keccak_sponge_t)); }
+
 void sponge_init (
     keccak_sponge_t sponge,
     const struct kparams_s *params
@@ -506,7 +509,7 @@ static void strobe_forget (
         strobe_duplex(sponge,tmp,NULL,len);
         if (sponge->params->position) dokeccak(sponge);
         strobe_duplex(sponge,tmp,NULL,len);
-        decaf_bzero(tmp,len);
+        sponge_bzero(tmp,len);
     } else {
         if (sponge->params->rate < len + sponge->params->position) {
             dokeccak(sponge);

test/bench_decaf.cxx

@@ -121,13 +121,13 @@ static void tdh (
     
     Scalar xe(rng);
     SecureBuffer gxe = Precomputed::base() * xe;
-    client.plaintext(gxe,true);
-    server.plaintext(gxe,false);
+    client.send_plaintext(gxe);
+    server.recv_plaintext(gxe);
     
     Scalar ye(rng);
     SecureBuffer gye = Precomputed::base() * ye;
-    server.plaintext(gye,true);
-    client.plaintext(gye,false);
+    server.send_plaintext(gye);
+    client.recv_plaintext(gye);
     
     Point pgxe(gxe);
     server.key(pgxe*ye);
@@ -160,17 +160,17 @@ static void fhmqv (
     Strobe client(Strobe::CLIENT), server(Strobe::SERVER);
     
     Scalar xe(rng);
-    client.plaintext(gx,true);
-    server.plaintext(gx,false);
+    client.send_plaintext(gx);
+    server.recv_plaintext(gx);
     SecureBuffer gxe = Precomputed::base() * xe;
-    client.plaintext(gxe,true);
-    server.plaintext(gxe,false);
+    server.send_plaintext(gxe);
+    client.recv_plaintext(gxe);
 
     Scalar ye(rng);
-    server.plaintext(gy,true);
-    client.plaintext(gy,false);
+    server.send_plaintext(gy);
+    client.recv_plaintext(gy);
     SecureBuffer gye = Precomputed::base() * ye;
-    server.plaintext(gye,true);
+    server.send_plaintext(gye);
     
     Scalar schx(server.prng(Scalar::SER_BYTES));
     Scalar schy(server.prng(Scalar::SER_BYTES));
@@ -178,7 +178,7 @@ static void fhmqv (
     server.key(Point::double_scalarmul(Point(gx),yec,Point(gxe),yec*schx));
     SecureBuffer as = server.produce_auth();
     
-    client.plaintext(gye,false);
+    client.recv_plaintext(gye);
     Scalar cchx(client.prng(Scalar::SER_BYTES));
     Scalar cchy(client.prng(Scalar::SER_BYTES));
     Scalar xec = x + xe*schx;
@@ -209,13 +209,13 @@ static void spake2ee(const Block &hashed_password, SpongeRng &rng, bool aug) {
     hs = Point::from_hash(h1); // double-count
     
     SecureBuffer gx(Precomputed::base() * x + hc);
-    client.plaintext(gx,true);
-    server.plaintext(gx,false);
+    client.send_plaintext(gx);
+    server.recv_plaintext(gx);
     
     Scalar y(rng);
     SecureBuffer gy(Precomputed::base() * y + hs);
-    server.plaintext(gy,true);
-    client.plaintext(gy,false);
+    server.send_plaintext(gy);
+    client.recv_plaintext(gy);
     
     server.key(h1);
     server.key((Point(gx) - hc)*y);