jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Browse Source

OK, most tests are now passing. Remaining known problems: 

1) Elligator inversion fails on 0.  Also there may be corner cases
here which ought to be probed but are a pain, such as sqrt(id/(1-d))
and similar.

2) Elligator doesn't return the right hint, because I haven't coded
the rotation hints.  Probable solution: make Elligator not return a
hint, because there's no realistic scenario where it's useful anyway.
Alternative possible solution: can compute the right hint, but why
bother?

3) Elligator inversion doesn't set the high bit of the buffer at
random, because 2^255-19 isn't close to 2^256.  Possible solution:
preserve the high bit(s) of the buffer?

4) Elligator doesn't map [1] to the identity, I think.

5) Not enough corner case testing.

6) Probably some other non-Elligator problems
master
Michael Hamburg 9 years ago
parent
5a3fe27c03
commit
a53f9876f5
3 changed files with 77 additions and 19 deletions
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +1
    -1
      include/shake.hxx
  2. +6
    -6
      src/decaf_fast.c
  3. +70
    -12
      test/test_decaf.cxx

+ 1
- 1
include/shake.hxx View File

@@ -208,7 +208,7 @@ inline SecureBuffer Ed255::Point::steg_encode(SpongeRng &rng) const NOEXCEPT {
bool done; bool done;
do { do {
rng.read(out.slice(HASH_BYTES-1,STEG_BYTES-HASH_BYTES+1)); rng.read(out.slice(HASH_BYTES-1,STEG_BYTES-HASH_BYTES+1));
done = invert_elligator(out, out[HASH_BYTES-1] & 7); /* FIXME 7 is kind of MAGIC */
done = invert_elligator(out, out[HASH_BYTES-1]);
} while (!done); } while (!done);
return out; return out;
} }


+ 6
- 6
src/decaf_fast.c View File

@@ -509,15 +509,14 @@ static void deisogenize (
gf e; gf e;
gf_sqr(e, t); gf_sqr(e, t);
gf_mul(a, e, b); gf_mul(a, e, b);
rotate = hibit(a);
rotate = hibit(a) ^ toggle_rotation;
/* /*
* Curve25519: cond select between zx * 1/tz or sqrt(1-d); y=-x * Curve25519: cond select between zx * 1/tz or sqrt(1-d); y=-x
* Pink bike shed: frob = zx * 1/tz * Pink bike shed: frob = zx * 1/tz
*/ */
gf_mul ( a, b, c ); /* this is the case for PinkBikeShed */ gf_mul ( a, b, c ); /* this is the case for PinkBikeShed */
cond_sel ( a, a, SQRT_ONE_MINUS_D, rotate^toggle_rotation );
gf_sub ( e, ZERO, x );
cond_sel ( x, p->y, e, rotate );
cond_sel ( a, a, SQRT_ONE_MINUS_D, rotate );
cond_sel ( x, p->y, x, rotate );
} }
@@ -526,7 +525,7 @@ static void deisogenize (
gf_add ( a, a, a ); // 2 * "osx" * Z gf_add ( a, a, a ); // 2 * "osx" * Z
decaf_bool_t tg1 = rotate ^ toggle_hibit_t_over_s ^~ hibit(a); decaf_bool_t tg1 = rotate ^ toggle_hibit_t_over_s ^~ hibit(a);
cond_neg ( c, tg1 ); cond_neg ( c, tg1 );
cond_neg ( a, tg1 );
cond_neg ( a, rotate ^ tg1 );
gf_mul ( d, b, p->z ); gf_mul ( d, b, p->z );
gf_add ( d, d, c ); gf_add ( d, d, c );
gf_mul ( b, d, x ); /* here "x" = y unless rotate */ gf_mul ( b, d, x ); /* here "x" = y unless rotate */
@@ -1173,8 +1172,9 @@ decaf_bool_t
API_NS(invert_elligator_nonuniform) ( API_NS(invert_elligator_nonuniform) (
unsigned char recovered_hash[DECAF_255_SER_BYTES], unsigned char recovered_hash[DECAF_255_SER_BYTES],
const point_t p, const point_t p,
uint16_t hint
uint16_t hint_
) { ) {
uint64_t hint = hint_;
decaf_bool_t sgn_s = -(hint & 1), decaf_bool_t sgn_s = -(hint & 1),
sgn_t_over_s = -(hint>>1 & 1), sgn_t_over_s = -(hint>>1 & 1),
sgn_r0 = -(hint>>2 & 1), sgn_r0 = -(hint>>2 & 1),


+ 70
- 12
test/test_decaf.cxx View File

@@ -57,6 +57,14 @@ static void print(const char *name, const Scalar &x) {
printf("\n"); printf("\n");
} }


static void hexprint(const char *name, const decaf::SecureBuffer &buffer) {
printf(" %s = 0x", name);
for (int i=buffer.size()-1; i>=0; i--) {
printf("%02x", buffer[i]);
}
printf("\n");
}

static void print(const char *name, const Point &x) { static void print(const char *name, const Point &x) {
unsigned char buffer[Point::SER_BYTES]; unsigned char buffer[Point::SER_BYTES];
x.encode(buffer); x.encode(buffer);
@@ -156,6 +164,7 @@ static void test_elligator() {
decaf::SpongeRng rng(decaf::Block("test_elligator")); decaf::SpongeRng rng(decaf::Block("test_elligator"));
Test test("Elligator"); Test test("Elligator");
/*
for (int i=0; i<32; i++) { for (int i=0; i<32; i++) {
decaf::SecureBuffer b1(Point::HASH_BYTES); decaf::SecureBuffer b1(Point::HASH_BYTES);
Point p = Point::identity(); Point p = Point::identity();
@@ -171,26 +180,74 @@ static void test_elligator() {
b1[0], b1[1]); b1[0], b1[1]);
} }
} }
*/
const int NHINTS = 1<<4;
decaf::SecureBuffer *alts[NHINTS];
bool successes[NHINTS];


for (int i=0; i<NTESTS && (i<16 || test.passing_now); i++) {
size_t len = (i % (2*Point::HASH_BYTES + 3));
decaf::SecureBuffer b1(len), b2(len);
for (int i=0; i<NTESTS && (test.passing_now || i < 100); i++) {
size_t len = 8 + (i % (2*Point::HASH_BYTES + 3)); // FIXME: 0
decaf::SecureBuffer b1(len);
rng.read(b1); rng.read(b1);
if (i==1) b1[0] = 1; /* special case test */ if (i==1) b1[0] = 1; /* special case test */
if (len > Point::HASH_BYTES)
memcpy(&b2[Point::HASH_BYTES], &b1[Point::HASH_BYTES], len-Point::HASH_BYTES);
Point s;
unsigned char hint = s.set_to_hash(b1);
if (len >= Point::HASH_BYTES) b1[Point::HASH_BYTES-1] &= 0x7F; // FIXME MAGIC
Point s = Point::from_hash(b1);
for (int j=0; j<(i&3); j++) s.debugging_torque_in_place(); for (int j=0; j<(i&3); j++) s.debugging_torque_in_place();
bool succ = s.invert_elligator(b2,hint);
if (!succ || memcmp(b1,b2,len)) {
bool good = false;
for (int j=0; j<NHINTS; j++) {
alts[j] = new decaf::SecureBuffer(len);

if (len > Point::HASH_BYTES)
memcpy(&(*alts[j])[Point::HASH_BYTES], &b1[Point::HASH_BYTES], len-Point::HASH_BYTES);
successes[j] = s.invert_elligator(*alts[j],j);
if (successes[j]) {
good = good || (b1 == *alts[j]);
for (int k=0; k<j; k++) {
if (successes[k] && *alts[j] == *alts[k]) {
test.fail();
printf(" Duplicate Elligator inversion: i=%d, hints=%d, %d\n",i,j,k);
hexprint("x",b1);
hexprint("X",*alts[j]);
}
}
if (s != Point::from_hash(*alts[j])) {
test.fail();
printf(" Fail Elligator inversion round-trip: i=%d, hint=%d %s\n",i,j,
(s==-Point::from_hash(*alts[j])) ? "[output was -input]": "");
hexprint("x",b1);
hexprint("X",*alts[j]);
}
}
}
if (!good) {
test.fail(); test.fail();
printf(" Fail elligator inversion i=%d (claimed %s, hint=%d)\n",
i, succ ? "success" : "failure", hint);
printf(" %s Elligator inversion: i=%d\n",good ? "Passed" : "Failed", i);
hexprint("B", b1);
for (int j=0; j<NHINTS; j++) {
printf(" %d: %s%s", j, successes[j] ? "succ" : "fail\n", (successes[j] && *alts[j] == b1) ? " [x]" : "");
if (successes[j]) {
hexprint("b", *alts[j]);
}
}
printf("\n");
}
for (int j=0; j<NHINTS; j++) {
delete alts[j];
alts[j] = NULL;
} }
Point t(rng); Point t(rng);
point_check(test,t,t,t,0,0,t,Point::from_hash(t.steg_encode(rng)),"steg round-trip"); point_check(test,t,t,t,0,0,t,Point::from_hash(t.steg_encode(rng)),"steg round-trip");
} }
} }


@@ -216,7 +273,8 @@ static void test_ec() {
point_check(test,p,q,r,0,0,p,Point((decaf::SecureBuffer)p),"round-trip"); point_check(test,p,q,r,0,0,p,Point((decaf::SecureBuffer)p),"round-trip");
Point pp = p; Point pp = p;
(pp).debugging_torque_in_place();
pp = p + q - q;
pp.debugging_torque_in_place();
if (decaf::SecureBuffer(pp) != decaf::SecureBuffer(p)) { if (decaf::SecureBuffer(pp) != decaf::SecureBuffer(p)) {
test.fail(); test.fail();
printf("Fail torque seq test\n"); printf("Fail torque seq test\n");


Write Preview
Loading…
Cancel
Save