jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Browse Source

Do not archive generated code

master
Johan Pascal 7 years ago
parent
26a7b2a9b7
commit
e39cc5d9ee
36 changed files with 0 additions and 12319 deletions
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +0
    -1598
      src/GENERATED/c/curve25519/decaf.c
  2. +0
    -125
      src/GENERATED/c/curve25519/decaf_gen_tables.c
  3. +0
    -258
      src/GENERATED/c/curve25519/decaf_tables.c
  4. +0
    -322
      src/GENERATED/c/curve25519/eddsa.c
  5. +0
    -204
      src/GENERATED/c/curve25519/elligator.c
  6. +0
    -341
      src/GENERATED/c/curve25519/scalar.c
  7. +0
    -24
      src/GENERATED/c/decaf/crypto.hxx
  8. +0
    -1598
      src/GENERATED/c/ed448goldilocks/decaf.c
  9. +0
    -125
      src/GENERATED/c/ed448goldilocks/decaf_gen_tables.c
  10. +0
    -354
      src/GENERATED/c/ed448goldilocks/decaf_tables.c
  11. +0
    -322
      src/GENERATED/c/ed448goldilocks/eddsa.c
  12. +0
    -204
      src/GENERATED/c/ed448goldilocks/elligator.c
  13. +0
    -341
      src/GENERATED/c/ed448goldilocks/scalar.c
  14. +0
    -110
      src/GENERATED/c/p25519/f_field.h
  15. +0
    -144
      src/GENERATED/c/p25519/f_generic.c
  16. +0
    -110
      src/GENERATED/c/p448/f_field.h
  17. +0
    -144
      src/GENERATED/c/p448/f_generic.c
  18. +0
    -32
      src/GENERATED/include/decaf.h
  19. +0
    -31
      src/GENERATED/include/decaf.hxx
  20. +0
    -117
      src/GENERATED/include/decaf/common.h
  21. +0
    -259
      src/GENERATED/include/decaf/ed255.h
  22. +0
    -438
      src/GENERATED/include/decaf/ed255.hxx
  23. +0
    -258
      src/GENERATED/include/decaf/ed448.h
  24. +0
    -438
      src/GENERATED/include/decaf/ed448.hxx
  25. +0
    -30
      src/GENERATED/include/decaf/eddsa.hxx
  26. +0
    -769
      src/GENERATED/include/decaf/point_255.h
  27. +0
    -793
      src/GENERATED/include/decaf/point_255.hxx
  28. +0
    -769
      src/GENERATED/include/decaf/point_448.h
  29. +0
    -791
      src/GENERATED/include/decaf/point_448.hxx
  30. +0
    -492
      src/GENERATED/include/decaf/secure_buffer.hxx
  31. +0
    -71
      src/GENERATED/include/decaf/sha512.h
  32. +0
    -103
      src/GENERATED/include/decaf/sha512.hxx
  33. +0
    -219
      src/GENERATED/include/decaf/shake.h
  34. +0
    -190
      src/GENERATED/include/decaf/shake.hxx
  35. +0
    -93
      src/GENERATED/include/decaf/spongerng.h
  36. +0
    -102
      src/GENERATED/include/decaf/spongerng.hxx

+ 0
- 1598
src/GENERATED/c/curve25519/decaf.c
File diff suppressed because it is too large
View File


+ 0
- 125
src/GENERATED/c/curve25519/decaf_gen_tables.c View File

@@ -1,125 +0,0 @@
/**
* @file curve25519/decaf_gen_tables.c
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
* @brief Decaf global constant table precomputation.
*
* @warning This file was automatically generated in Python.
* Please do not edit it.
*/
#define _XOPEN_SOURCE 600 /* for posix_memalign */
#include <stdio.h>
#include <stdlib.h>

#include "field.h"
#include "f_field.h"
#include "decaf.h"

#define API_NS(_id) decaf_255_##_id
static const unsigned char base_point_ser_for_pregen[SER_BYTES] = {
0xe2, 0xf2, 0xae, 0x0a, 0x6a, 0xbc, 0x4e, 0x71, 0xa8, 0x84, 0xa9, 0x61, 0xc5, 0x00, 0x51, 0x5f, 0x58, 0xe3, 0x0b, 0x6a, 0xa5, 0x82, 0xdd, 0x8d, 0xb6, 0xa6, 0x59, 0x45, 0xe0, 0x8d, 0x2d, 0x76
};

/* To satisfy linker. */
const gf API_NS(precomputed_base_as_fe)[1];
const API_NS(point_t) API_NS(point_base);

struct niels_s;
const gf_s *API_NS(precomputed_wnaf_as_fe);
extern const size_t API_NS(sizeof_precomputed_wnafs);

void API_NS(precompute_wnafs) (
struct niels_s *out,
const API_NS(point_t) base
);
static void field_print(const gf f) {
unsigned char ser[X_SER_BYTES];
gf_serialize(ser,f,1);
int b=0, i, comma=0;
unsigned long long limb = 0;
printf("{FIELD_LITERAL(");
for (i=0; i<X_SER_BYTES; i++) {
limb |= ((uint64_t)ser[i])<<b;
b += 8;
if (b >= GF_LIT_LIMB_BITS || i == SER_BYTES-1) {
limb &= (1ull<<GF_LIT_LIMB_BITS) -1;
b -= GF_LIT_LIMB_BITS;
if (comma) printf(",");
comma = 1;
printf("0x%016llx", limb);
limb = ((uint64_t)ser[i])>>(8-b);
}
}
printf(")}");
assert(b<8);
}

int main(int argc, char **argv) {
(void)argc; (void)argv;
API_NS(point_t) real_point_base;
int ret = API_NS(point_decode)(real_point_base,base_point_ser_for_pregen,0);
if (ret != DECAF_SUCCESS) {
fprintf(stderr, "Can't decode base point!\n");
return 1;
}
API_NS(precomputed_s) *pre;
ret = posix_memalign((void**)&pre, API_NS(alignof_precomputed_s), API_NS(sizeof_precomputed_s));
if (ret || !pre) {
fprintf(stderr, "Can't allocate space for precomputed table\n");
return 1;
}
API_NS(precompute)(pre, real_point_base);
struct niels_s *pre_wnaf;
ret = posix_memalign((void**)&pre_wnaf, API_NS(alignof_precomputed_s), API_NS(sizeof_precomputed_wnafs));
if (ret || !pre_wnaf) {
fprintf(stderr, "Can't allocate space for precomputed WNAF table\n");
return 1;
}
API_NS(precompute_wnafs)(pre_wnaf, real_point_base);

const gf_s *output;
unsigned i;
printf("/** @warning: this file was automatically generated. */\n");
printf("#include \"field.h\"\n\n");
printf("#include <decaf.h>\n\n");
printf("#define API_NS(_id) decaf_255_##_id\n");
output = (const gf_s *)real_point_base;
printf("const API_NS(point_t) API_NS(point_base) = {{\n");
for (i=0; i < sizeof(API_NS(point_t)); i+=sizeof(gf)) {
if (i) printf(",\n ");
field_print(output++);
}
printf("\n}};\n");
output = (const gf_s *)pre;
printf("const gf API_NS(precomputed_base_as_fe)[%d]\n",
(int)(API_NS(sizeof_precomputed_s) / sizeof(gf)));
printf("VECTOR_ALIGNED __attribute__((visibility(\"hidden\"))) = {\n ");
for (i=0; i < API_NS(sizeof_precomputed_s); i+=sizeof(gf)) {
if (i) printf(",\n ");
field_print(output++);
}
printf("\n};\n");
output = (const gf_s *)pre_wnaf;
printf("const gf API_NS(precomputed_wnaf_as_fe)[%d]\n",
(int)(API_NS(sizeof_precomputed_wnafs) / sizeof(gf)));
printf("VECTOR_ALIGNED __attribute__((visibility(\"hidden\"))) = {\n ");
for (i=0; i < API_NS(sizeof_precomputed_wnafs); i+=sizeof(gf)) {
if (i) printf(",\n ");
field_print(output++);
}
printf("\n};\n");
return 0;
}

+ 0
- 258
src/GENERATED/c/curve25519/decaf_tables.c View File

@@ -1,258 +0,0 @@
/** @warning: this file was automatically generated. */
#include "field.h"

#include <decaf.h>

#define API_NS(_id) decaf_255_##_id
const API_NS(point_t) API_NS(point_base) = {{
{FIELD_LITERAL(0x0000485cca7e8859,0x00041dc396dfb8fc,0x0005584743ad3a93,0x0006ae1e23d9233c,0x00056f798c3a929c)},
{FIELD_LITERAL(0x0004ccccccccccc2,0x0001999999999999,0x0003333333333333,0x0006666666666666,0x0004cccccccccccc)},
{FIELD_LITERAL(0x0000000000000001,0x0000000000000000,0x0000000000000000,0x0000000000000000,0x0000000000000000)},
{FIELD_LITERAL(0x0004f837acb251cf,0x0000dea88db96efd,0x00019b5df567eff2,0x00059babaf1be1f1,0x000342e2875657f7)}
}};
const gf API_NS(precomputed_base_as_fe)[144]
VECTOR_ALIGNED __attribute__((visibility("hidden"))) = {
{FIELD_LITERAL(0x000787c06838438e,0x000079b93ae8d43f,0x0006ce4230c8d2e4,0x0001e958b5ba51e1,0x000581f2251d4761)},
{FIELD_LITERAL(0x00028065bd02efcb,0x00072c06ae982429,0x0001a39392af7f7c,0x000398aaf36dab32,0x0004c8a8c4525fae)},
{FIELD_LITERAL(0x00006ff0bb7501fc,0x00044e6268755a4b,0x0007e0db395959b3,0x0005f7807150348a,0x00056f78b81a7a18)},
{FIELD_LITERAL(0x00013c159d969f7f,0x00038046e416d34a,0x00030a05d3333cd8,0x0003fc17afcf330a,0x0001456fcd6c2c06)},
{FIELD_LITERAL(0x0001b3b052f3a00d,0x00050d154cc33fb6,0x000570a09253802b,0x0006af26330b8f09,0x000503fdb7977d73)},
{FIELD_LITERAL(0x0006efde66a0b284,0x0003f75278c5b57a,0x000615404a959ab1,0x0007366d656ec17f,0x00077638e2d52a04)},
{FIELD_LITERAL(0x00002d288a8a8e1c,0x000029f655eeea29,0x00069ca769b47ee2,0x0002d41c299b6574,0x0002fcdb7d8bda37)},
{FIELD_LITERAL(0x0005883fa323a11e,0x000241047ad9c769,0x000233d3283fbb6d,0x000041bda7280e1d,0x00018a85382540f5)},
{FIELD_LITERAL(0x000398ee02172d95,0x00038f1cb6853c1d,0x00066b51fca8ad2e,0x00035176a3f540ea,0x00022227f7ee52d9)},
{FIELD_LITERAL(0x000790607ffeebfe,0x000725f8959cf0e0,0x00016b68dcd68a0f,0x00046f439e78680b,0x00026be3a14518fd)},
{FIELD_LITERAL(0x0002216f73946c7d,0x0000f4eb865cbfbf,0x0003c96750df440c,0x000655188ab63a68,0x0002a93e3b59098a)},
{FIELD_LITERAL(0x0004e738f3d06b92,0x0003dc62717f856b,0x0003e77175c6195f,0x000261d11fdad1f7,0x0003ff975f3e99ff)},
{FIELD_LITERAL(0x00031becbaeb1b98,0x0007912ee9ea6632,0x0004e42e201b640f,0x0007e5a0ef458ef1,0x000383f3cebfcbef)},
{FIELD_LITERAL(0x00004a9f30d26d26,0x0001838b85de7867,0x0006904531c39e2b,0x0000b5c478c98d49,0x0007d059931f87d8)},
{FIELD_LITERAL(0x000740d5eeae1f56,0x0004b490c85d90e3,0x000136df23a50d87,0x000495a021130ba9,0x0007d8b1c66d2535)},
{FIELD_LITERAL(0x000711d059bc6cef,0x0000ea1c699aeba1,0x0006371a8052c525,0x000699f87dd13a72,0x00021319ac452786)},
{FIELD_LITERAL(0x0004179c92b1b0bb,0x00046e9ddba894d8,0x0001e24442ec9a91,0x0004c132a51620b3,0x0006d110187f3653)},
{FIELD_LITERAL(0x0004752d8b4757d6,0x0003037d1074a2a3,0x0003e42cfdb0ba8b,0x0002a28dce1000aa,0x00073a9ba5d3f201)},
{FIELD_LITERAL(0x000605edf6ba1a36,0x000013aba4619a54,0x0007ad04bb3634df,0x0007d3751dadf975,0x0007857a65f3ad25)},
{FIELD_LITERAL(0x0003117ab7b95c2b,0x0000f4a313b2a63d,0x0006eb78029227ec,0x00043b924f138238,0x00073aad45f02122)},
{FIELD_LITERAL(0x0005c12191e279b9,0x00075a9e7e4e8c5d,0x0003a9d09d2551e0,0x0002d7e92ba557cc,0x000000a7d4499ac3)},
{FIELD_LITERAL(0x0005b75a63605042,0x0001fb3e9b1e1738,0x00054c87b6f7d7b6,0x0003b73e6812d3e8,0x000633794ff51d12)},
{FIELD_LITERAL(0x00058b7c046273ac,0x0000464dc4a43f06,0x0004eb0e5479c3c5,0x00036c45d45ee21a,0x00047b89a5b4d946)},
{FIELD_LITERAL(0x0002c15e3b3687ba,0x0005209d2ce7fc91,0x0005773da0f5711a,0x00004d96ced4966e,0x0001fa8fc1035b8b)},
{FIELD_LITERAL(0x00075c8cfdf08431,0x0003e5ee1a32e561,0x00017f242d52abcb,0x00070b795ca26857,0x0002cb36d5df0af3)},
{FIELD_LITERAL(0x0006a3037380c025,0x0005f0b9e09cee4c,0x000333017642af74,0x00023fd62c2cfe7a,0x00070eee8fed21d2)},
{FIELD_LITERAL(0x0001744e9770fe63,0x0002635b0761a50e,0x0001322c61f83f00,0x00063be3797d570c,0x0005afe452e6b7e9)},
{FIELD_LITERAL(0x00005fff6e9b6af7,0x0003e58a55a575a1,0x000616d026c6eff2,0x000186a3124f745b,0x0002eec52ffe33c4)},
{FIELD_LITERAL(0x0001ee0dff83b7ca,0x00022805e31c6873,0x0006fd7df7edeaef,0x0002f0f61779d562,0x0004deb8f2bacd10)},
{FIELD_LITERAL(0x0003df7b4c0f2a59,0x000302d0b8eb81a7,0x0001c2717df33aff,0x0006f3f90b3ffde9,0x0003428115ee6c46)},
{FIELD_LITERAL(0x0001ab77a68de949,0x0005da9c4d9a1ae9,0x0003ce86c23f9b7c,0x00007c893f16e3d9,0x000190c2b28c32a8)},
{FIELD_LITERAL(0x0000bae92c40e17e,0x0004a8ef7ffd05e8,0x0005e3a63cc24e24,0x0001ed40c1f74c12,0x000258c0a1c13ff6)},
{FIELD_LITERAL(0x0001674175148292,0x00036d3d03e1f95c,0x00049ecbbb4c9924,0x000603782041936d,0x000521d1cc84c8d6)},
{FIELD_LITERAL(0x0004c7d5df621bb3,0x00063a78ba5518cb,0x00050af726ccf0a4,0x0003745ad4fb4c6d,0x0004b598e9a94c84)},
{FIELD_LITERAL(0x000546d94d9e537c,0x0001f783b157c7bb,0x00034c7f212657b4,0x0006ea763a87171a,0x00074beeb5597da9)},
{FIELD_LITERAL(0x00009c1897ee2bb3,0x00022cbd1740946f,0x00051e8f81dd639f,0x00044423bda03112,0x00025d54e5b5f216)},
{FIELD_LITERAL(0x00037efe726b959f,0x000251179afe0af9,0x00027abb104aaf2d,0x0000409b36a0b0c0,0x0007f20165baf2eb)},
{FIELD_LITERAL(0x0001e7dc70d2e455,0x00079f1c0b114486,0x0002b9b9c0211476,0x000420d65df5b9c1,0x0007ad32d88f4e65)},
{FIELD_LITERAL(0x0000f4d9cbd1dced,0x0000ca815a5fa452,0x00040cdd0b2e26d2,0x0005ab32035de1dc,0x0004387b97d56e74)},
{FIELD_LITERAL(0x0004282b73d9d3e6,0x0006f6ae3911c629,0x0007e698e17d290f,0x000064657542456d,0x00022eaf07413105)},
{FIELD_LITERAL(0x0004d9e24bbb1c38,0x00001d0b9cb4f6e6,0x00008953dd712c89,0x00062f9f338dc8e9,0x0005b270d74b9a0b)},
{FIELD_LITERAL(0x000735ad38a70d62,0x0007c2c0047359b6,0x00053ecc0dd53647,0x0000fa507a3b1320,0x000362d0b0c5919d)},
{FIELD_LITERAL(0x0001e756ac51c2d7,0x0002fb982df272d3,0x0002bcba823c3ff6,0x00000e8c28e674f5,0x0001511ccec93f3e)},
{FIELD_LITERAL(0x0005d9d5f3a4d0f4,0x00014e0b6acbbb8a,0x0004c935dce28917,0x0004e84532fe74e9,0x0003532b26c5bdd3)},
{FIELD_LITERAL(0x0002c7c6bf08ea52,0x0004ce9cf3905bbd,0x0006eff528517cdf,0x00051c7e30819d9f,0x00078ddfe6e8eaf0)},
{FIELD_LITERAL(0x00040b28295a488c,0x00058f3942269291,0x0002eae04529af91,0x0005a950aa509a31,0x00051d13d423f3cc)},
{FIELD_LITERAL(0x00075bbfd400a649,0x0002c84af6f7554f,0x00010589298f1c45,0x0002df1c4551d7a3,0x00040ada606a7008)},
{FIELD_LITERAL(0x0000cb4829d47de1,0x00035279e3dcb0f4,0x0000796e2b17fc93,0x0000f7471379a59e,0x0004cb38c4a47f2d)},
{FIELD_LITERAL(0x00063d326152d536,0x0001f0f272df8e88,0x00020d57f1ef5f0b,0x000049ae733cd741,0x000789b0bd910484)},
{FIELD_LITERAL(0x00049e000de68a33,0x0002569532faf05e,0x0002c360e2577651,0x00023e58038a73d4,0x0005cfd1c66aa5db)},
{FIELD_LITERAL(0x0005219445517667,0x00052a931068f3ea,0x0006cc6f70494867,0x00050f70ab70bd44,0x0004939aea5e18ae)},
{FIELD_LITERAL(0x0002a678bc8c2008,0x0001fd399c8dcbff,0x0006dbf73cfc616e,0x00011a6e85d57176,0x00002f713757e057)},
{FIELD_LITERAL(0x0006d9cd93b1ccdc,0x00043d4ce72bf50a,0x0003e999e2d35c59,0x00001ae0db65d2ee,0x0007c4b601137e07)},
{FIELD_LITERAL(0x0004bc6553755ebf,0x00056e8f93c8dfe2,0x000323b34a8ed19f,0x000571befc514dab,0x00036f0d981e9dde)},
{FIELD_LITERAL(0x000787c0309c0a03,0x0003dd7fb3241327,0x000256b73edcaac5,0x00071a11d2f00b44,0x0000f142397f3232)},
{FIELD_LITERAL(0x0006a965074f090a,0x000042537473c8c0,0x000479b523a03430,0x000302e712f49521,0x0001608d67c58b1d)},
{FIELD_LITERAL(0x00069a9d867a02ee,0x0006aba7c3abe71e,0x00014af6344d6d32,0x00059cbf2b8ec118,0x00034973bd8f91f0)},
{FIELD_LITERAL(0x00023c42f4d253af,0x0000e5db7f886ed7,0x00027c0ff78b7ca6,0x00065a9e8c1c8eef,0x000272b266b7869e)},
{FIELD_LITERAL(0x00034f5086c55cc1,0x0007caffb3de4006,0x0007408da6d8ce8d,0x00034209d1a9cf67,0x0001e4cdc7d3366b)},
{FIELD_LITERAL(0x00077be63c353577,0x0002ccc681b95e39,0x00037f489ba0c067,0x000324b1d14b3c85,0x000487692b3a4f7b)},
{FIELD_LITERAL(0x0000bb6427577218,0x000642b8e158c2af,0x0005c99574a589e5,0x00044af83be01b53,0x000438f19801c19b)},
{FIELD_LITERAL(0x000791929d3da811,0x000083ba42ca3968,0x00004f2efc6d4e98,0x0004c09456e25204,0x00038d89c4798c48)},
{FIELD_LITERAL(0x000484ded8ea3977,0x0002573a2b0d164d,0x000057d1bd825e97,0x00045b7f03279e7c,0x00078c7feaa36f36)},
{FIELD_LITERAL(0x00073ebf8e0c1412,0x00044117b35ee64b,0x0005d7b30a79d11e,0x000295b447408ddb,0x0006440cb28f3f89)},
{FIELD_LITERAL(0x00050222af21bf22,0x0007518c1f3d1e61,0x00053599bee31ff1,0x00077afb3e70937a,0x00039b5cdbf90290)},
{FIELD_LITERAL(0x0001f6f60a0b2349,0x000196f840181d05,0x0000014882eba793,0x0000fb413162d41e,0x00065dc343d01a50)},
{FIELD_LITERAL(0x00007a9f75d85906,0x000639d779f83bb4,0x0000654c3abe3b7f,0x000566f9422b66d3,0x00044df9faded77a)},
{FIELD_LITERAL(0x0001961e7e467418,0x0000df3ccd0d527d,0x0003d517d7c96d95,0x000018e4481528a1,0x00028b40aabc5df2)},
{FIELD_LITERAL(0x0007c47eab16ee70,0x000586b5f9af963a,0x0007aba880ca31a5,0x0000a08bc2d694ce,0x00026acdd7701b42)},
{FIELD_LITERAL(0x0000ad2aa0b6b20e,0x000124f37a928d92,0x00036d109f019a42,0x0000c818e5146232,0x00075d7792dfd807)},
{FIELD_LITERAL(0x00030503c28b9e47,0x0003e896b791c6fd,0x0007fa59adcbdb16,0x0005bf8d8a47c99e,0x0006531a5de1683f)},
{FIELD_LITERAL(0x0006ab691a3a6569,0x0003dd814fc3084a,0x0005d5c02cae4dd1,0x0005a3c0be0f3dbe,0x0006a73f5ac0a573)},
{FIELD_LITERAL(0x0001d99e44acd55a,0x0004c2f954291163,0x0005206a8b10bb02,0x0006c1ca2d70d6a8,0x0007d8a804f96343)},
{FIELD_LITERAL(0x00015b9bba5048e7,0x000713d7a01a2316,0x000650d90c2f5162,0x0007a598761ff94a,0x0000b72e05f1e2dc)},
{FIELD_LITERAL(0x000646e1d2ecb410,0x000629a2ef1cd6b4,0x0006d447b257582a,0x00079356a5148d1e,0x00024a066d77bb54)},
{FIELD_LITERAL(0x0006acb33791298f,0x0000e9c707f60f66,0x000440c5ef5f2d41,0x0005ba193ad0b6c2,0x00051456d8b751b6)},
{FIELD_LITERAL(0x000181a243ee09be,0x000488c253812ccf,0x0003375475f6cdd3,0x000779a477aa7ab9,0x0003542890204f44)},
{FIELD_LITERAL(0x0006266b7ddc99d7,0x00026d7bf53a4cbc,0x0001c742ceb53e2b,0x0003e527df9f0ad1,0x0006913c1028a1c2)},
{FIELD_LITERAL(0x00068cca5da0b76b,0x000669472a2d88b9,0x00013e607a86ad68,0x0003cb25c977181a,0x0002485317d021fa)},
{FIELD_LITERAL(0x00059c009c26a476,0x00051d0584a31e4e,0x00015fab3a664bac,0x0003de72394f1d5e,0x000531b00982956a)},
{FIELD_LITERAL(0x0005deab8a4a8b2b,0x0004ac53cff731b6,0x0001e7ff38f7f8c4,0x00039937580b474f,0x0006fb0db141f6c6)},
{FIELD_LITERAL(0x000648f2a92a9bf5,0x000797a08ad37a50,0x00068f6a0d3b9279,0x00019e4b8669991a,0x0003c73b04a84d00)},
{FIELD_LITERAL(0x0005e149c917e591,0x00054dbbf21fe5c9,0x00018a9fd4f4f805,0x0007de6e8e13e528,0x00003981cea7113c)},
{FIELD_LITERAL(0x0003bb66e15aee68,0x00075ef7f4cc4a19,0x00046c1c0f36ba47,0x00069ac998e2c6a7,0x000244eef875e3b2)},
{FIELD_LITERAL(0x000711616dd6701c,0x0001248a7f1a41d9,0x0000819f6a28c01f,0x0007d816d71513a4,0x00043b075bc1ea59)},
{FIELD_LITERAL(0x00035818217c67b2,0x0007cc8b4ea58e8f,0x0003946011ab16f9,0x0002733a0aacf9e7,0x00028be99e739df3)},
{FIELD_LITERAL(0x00059ef24f4a8db9,0x000250f76f1b6eae,0x00064a73d931fa0f,0x0000512f6d7d827e,0x000607f19cbfb816)},
{FIELD_LITERAL(0x000488ecf6f587f3,0x0006aa5804295f5e,0x0004ab3fe7880735,0x000239212d39956a,0x0003a4314607db78)},
{FIELD_LITERAL(0x00056654a668e8cb,0x00029bc320312a6b,0x0000a956cfa8fca9,0x0002e676e4806a32,0x00002add96616e38)},
{FIELD_LITERAL(0x000161d6844f4257,0x0007a504e9fff45b,0x0003a0a148c809fc,0x00063db7d31212b6,0x00020a34989479bc)},
{FIELD_LITERAL(0x000236b2c0390d34,0x0001a74fdf496cd3,0x0002cc55b8b7552b,0x0005df9eee2aa485,0x0006874ffe3c2b7e)},
{FIELD_LITERAL(0x0000845574316356,0x0003780d650baa54,0x00017cc695e858de,0x0005aa11874d3917,0x0001c1af7e47f3fd)},
{FIELD_LITERAL(0x0003df29aea62b35,0x0007d406471a4638,0x000485f2756aae73,0x0002fb1784f47d7b,0x0006dd1a972e152c)},
{FIELD_LITERAL(0x00016f1207ab7497,0x0000062e50652318,0x0006f768bd372106,0x000728ab08217dc3,0x0005954a56084ae3)},
{FIELD_LITERAL(0x0002f4ca1559675c,0x00019c318724c743,0x0001919d4fc633f8,0x0002fdfded9749ff,0x000501068fe92e49)},
{FIELD_LITERAL(0x000730eea5126d0b,0x0006efb26cb70e2a,0x00009dbb5ce158ce,0x000454ca0f64796a,0x0007c0f65d024355)},
{FIELD_LITERAL(0x0003611cfe11ef4b,0x0005aaeedb6155f0,0x0003e540aeabe6ef,0x0000f78b74065192,0x00047523af6151bf)},
{FIELD_LITERAL(0x0004f249dafd1300,0x00032429e4917ad4,0x000362c1b7b7f817,0x00075447f1280d80,0x000365750a59552e)},
{FIELD_LITERAL(0x0005dcac2d7b940d,0x0002b8eb45461bf5,0x00005d0b65e115aa,0x0000e005552b4796,0x0002f003a12ebfda)},
{FIELD_LITERAL(0x0000177220975d5d,0x0005ba8842cd8e02,0x0003c7bf472059a8,0x00055517e31c386f,0x0002c71c74d6488c)},
{FIELD_LITERAL(0x00072b957911c56c,0x0001569c007a9a12,0x0005ba20cbbaf70c,0x0006c3e6bdbb6099,0x00064e44e81c075b)},
{FIELD_LITERAL(0x00038366b3594f1e,0x00037fe532f6ad56,0x00021d700e67c81f,0x0003c9049dc3bd30,0x0003d151eaf6dc0e)},
{FIELD_LITERAL(0x00050abcda5829d7,0x0004609b5e96f68e,0x00067415655ea15d,0x0004cfb4509cc3ae,0x0006b23addefb8d0)},
{FIELD_LITERAL(0x000076496e346e13,0x00036367cfa1ccd3,0x00017e199e301bc2,0x00070478ab91ceed,0x0003045d7df7782a)},
{FIELD_LITERAL(0x000137f233113b35,0x0004ede6c0ec12a5,0x0003701a6e67cd58,0x0005946348005a23,0x0001f7da36bbf369)},
{FIELD_LITERAL(0x0007cf2d2da25631,0x00050e34993e6b2b,0x00077f65d18600d6,0x0001ab10e8df75ce,0x0003fb8162c6e646)},
{FIELD_LITERAL(0x0002affd3fb0b8eb,0x00038c4c5d8116e4,0x0006c890b6236df5,0x0001b0ca04a3dcd6,0x0004ede9e2b2d222)},
{FIELD_LITERAL(0x00049a95a4b4b531,0x0003137d86fc92ec,0x0003709d8be07c1c,0x0004d5e3f04ed703,0x0006c754f433c0f2)},
{FIELD_LITERAL(0x0002af05aa5bd69d,0x000036c6c197970a,0x00061b671a06458f,0x0006890eb541c3d2,0x000030815bc65879)},
{FIELD_LITERAL(0x0007e783c8a57961,0x0003501cfd53edaf,0x00060073b435c42d,0x0003e7635150fbf5,0x0001d52ce3e84f55)},
{FIELD_LITERAL(0x00028af6d7e017e5,0x00008e6916baca87,0x0003ea1cb0f4aecd,0x00047a27b5ebc7a2,0x0003d356c5dd17f7)},
{FIELD_LITERAL(0x0003e38a232359fe,0x0001952a402660cf,0x00026bbebb34c830,0x0007dbc423d78448,0x0000b832acb82968)},
{FIELD_LITERAL(0x0004f57d66ed277b,0x0004b8c1d3ec59de,0x0001d02cac505cf0,0x00004d06f0ae5d7c,0x00029cf74d6d4371)},
{FIELD_LITERAL(0x0006882580653583,0x000665e9c061f2bd,0x00065db6cc599ff2,0x0006b8046bdafeb5,0x0002ee9e3c7d3000)},
{FIELD_LITERAL(0x000737e14efec8fe,0x00022e5c3897d2b6,0x00011a58c95c2457,0x000780be40dda04a,0x00038e16a91c29e1)},
{FIELD_LITERAL(0x00017a10c6c37301,0x0005132acffcccc4,0x000773611bf4757c,0x00041c2066f29f1b,0x00022ea8f6d1f387)},
{FIELD_LITERAL(0x000393bee768a8e8,0x0002ce4f84e15737,0x0001de0b0519be3c,0x00042c68b40c0028,0x000006fbc742b126)},
{FIELD_LITERAL(0x0002820400093c87,0x00070ed1de439605,0x0001017da80352a5,0x0001dce313d6f74f,0x00041a495460a316)},
{FIELD_LITERAL(0x0003390059914aa6,0x0001dd4c7bf04d23,0x0005a9c9d1189c6d,0x000662ee3486ad47,0x0001eb8a3c364730)},
{FIELD_LITERAL(0x0007df6dea788200,0x0002ae3f37f070c7,0x000116afc9f98bee,0x00050fbd7c48d713,0x0001f36282673be4)},
{FIELD_LITERAL(0x0002e8411e56df21,0x000107b90a9670e3,0x000240f904990e84,0x0004fa5270ab1af9,0x0007c2f807b6bb1f)},
{FIELD_LITERAL(0x00047b6982cdef22,0x0002aaf520c595ef,0x0004d6dc2206f24e,0x000380af64e1b48a,0x0005c9328edeb007)},
{FIELD_LITERAL(0x0003c2c334a7ef3e,0x000400e6655a38b7,0x000522be6814d5ae,0x0002f23e0bc9a362,0x000298daf954ed77)},
{FIELD_LITERAL(0x0005f84382ee84b4,0x0000b91f89349166,0x00072d88b99f2ff3,0x0005479f3f7706b4,0x000035116e7285f4)},
{FIELD_LITERAL(0x0006d23691a8a99d,0x00048f42ff923c83,0x0000e5129684bc58,0x000630f9bc1192fd,0x000401284677ede3)},
{FIELD_LITERAL(0x0000eff3b8714d04,0x000433498e2034dc,0x00070ca8b9771326,0x0000a264970345ad,0x0007b6e44cd2dd5a)},
{FIELD_LITERAL(0x000175bf84b82b29,0x00065e0ea17de536,0x0006b02a0010a208,0x0000bbfa9b7e8884,0x0003c21f98c815b6)},
{FIELD_LITERAL(0x000679b185adb791,0x0003ccd7cdbcb48b,0x0001e6934282172d,0x000112213a7ca210,0x00045089bd5cfb9c)},
{FIELD_LITERAL(0x0002877a97e6aec5,0x00050083ca5fa04a,0x0006a401497d8419,0x0003ce63a2c47d37,0x00014809d3f5339b)},
{FIELD_LITERAL(0x00026e50855da5de,0x00004d0fc457ea77,0x0001e1f5e1f41496,0x000175c0cd2b4571,0x0001722f7954d4e2)},
{FIELD_LITERAL(0x0007ac38211e7835,0x00063d213473cbbf,0x00005b9eada0052f,0x0003477219f26d7f,0x000453ce683f056f)},
{FIELD_LITERAL(0x000726f104629123,0x000482b184152205,0x00054242cd088a37,0x00032fb6be9f2837,0x000734ca9dc7f7c3)},
{FIELD_LITERAL(0x00062509dec41627,0x000072099496b712,0x0007712db0b3effb,0x0001e9c85c77fd36,0x0007f4ceff4f568c)},
{FIELD_LITERAL(0x0002b1990238e0e3,0x0006c1901505e91e,0x00019f32cc8628f9,0x00011218171b4b26,0x0006dbdb25ce79e2)},
{FIELD_LITERAL(0x0005370ef67b47ee,0x0001580466943896,0x0003297e2638eea5,0x000416db4e7a73ef,0x0004b3ce39e7ef57)},
{FIELD_LITERAL(0x00071cc5c1b2d84d,0x0003fa3f1fe5ba11,0x0004520e1812cf04,0x000612f4378d5d14,0x00019041e8a9771c)},
{FIELD_LITERAL(0x00037a9adac7f13d,0x0004513446d45ac8,0x0004862022a5e9c2,0x00046d1fee26d322,0x00050314790c0eb5)},
{FIELD_LITERAL(0x00009f958ec7782b,0x000532691db95f11,0x0000787b85edae84,0x0003347ccb5b1b48,0x00048f02d0fe2f5f)},
{FIELD_LITERAL(0x0001bd035445c3cb,0x00020697cdb801da,0x00027c9cd108f106,0x0007f03792eba8ff,0x000785b24c8954e8)},
{FIELD_LITERAL(0x0003d9815d5b1459,0x00079cc56b9e7bce,0x00072c9f1a31c024,0x00053d9b96409fbf,0x0003527718dcab2f)},
{FIELD_LITERAL(0x00003c0929520d8a,0x0005b4e8fb91f6d2,0x0003f2da27d5d5df,0x0001c4bb87d9118d,0x00026b9976202bed)},
{FIELD_LITERAL(0x000395fd8480a669,0x0001dc9000e23bd0,0x000065404c59dfc6,0x000125765d7383d3,0x0000c7ff2cbfdb58)},
{FIELD_LITERAL(0x00038f76c23acfef,0x0005a6ffbb722028,0x0000ce1434dbd9ba,0x000128b22b63ce7d,0x0007e28492f0e311)},
{FIELD_LITERAL(0x0004ef6dec07d978,0x0001814721d17298,0x0002f3010824e385,0x0004dec0df1030ea,0x000732ccad416ca1)}
};
const gf API_NS(precomputed_wnaf_as_fe)[96]
VECTOR_ALIGNED __attribute__((visibility("hidden"))) = {
{FIELD_LITERAL(0x000642380127222b,0x0006bdeb015cf04e,0x0006ed75f7c2fc4f,0x0007dc242146a194,0x0003aea9a0491d17)},
{FIELD_LITERAL(0x00068a94cba5aa97,0x0002dbae983ca94a,0x000445bd3b7036e3,0x00068a42451fc4d1,0x00011e232c83afb4)},
{FIELD_LITERAL(0x00025391b7203b96,0x000347c30d05c477,0x0007c933299a261d,0x00041480324ee8a6,0x00064ca19224efdf)},
{FIELD_LITERAL(0x0005870a7d58f0a0,0x0001b114a243c47e,0x00041892d3f588cf,0x0000dd81de11287e,0x00017356a5582dd5)},
{FIELD_LITERAL(0x00010182955b295c,0x00066c5c9ffd69b2,0x00061b151a710972,0x000283e92443fc68,0x0006d37a5c5e317b)},
{FIELD_LITERAL(0x00036a7b29fa190d,0x0006935273c5f4eb,0x00054075caf2ffbd,0x00014270ef756d90,0x000533e2a110cfc9)},
{FIELD_LITERAL(0x0001629db13df925,0x0005b8e4096d6111,0x0003f69f6e1fa07d,0x0000ad2fb64a4e21,0x0003804eca6f1a1b)},
{FIELD_LITERAL(0x00004152d30c2a52,0x0002c24984123284,0x00042e97ac31b344,0x00019fefd67353e1,0x0004e8cd7188a7e4)},
{FIELD_LITERAL(0x00045570b5e270ed,0x0005573633198d89,0x0007ca223ccd5afc,0x0007869c9de046c4,0x00069e89310811bf)},
{FIELD_LITERAL(0x0006d9d11e7eae02,0x0000be17c117a8e5,0x0005bd1bacc035a8,0x00055263e886a24c,0x0004f490d4442b45)},
{FIELD_LITERAL(0x000011c8b01f8feb,0x0007bf1c4cb192c2,0x000326354b21cbf2,0x000488390b6dfc94,0x0005ba34838ba4de)},
{FIELD_LITERAL(0x0007c67ff54be7cc,0x0007da997c07b329,0x00035eca964abf79,0x000706e02cff65ab,0x0007cd234d25af3c)},
{FIELD_LITERAL(0x0001fb4c93b5f593,0x0007144dc0cada1e,0x0000d50f94b1cb97,0x0006df9cbaf29c61,0x0003edfa4c8c2b32)},
{FIELD_LITERAL(0x0007271443c9ba84,0x00016f294c6baac0,0x00044dfa59cab659,0x0002fe9702828a2a,0x0007db9144c036dd)},
{FIELD_LITERAL(0x00047163cd6e88a8,0x0003c312ab4945e1,0x0003021e7db7375a,0x00055fbc7b3f6c06,0x000272ecf2d95b4e)},
{FIELD_LITERAL(0x00038b922c70ed29,0x000253866fc7c488,0x000576f12a312db9,0x00045d4f321497af,0x00018e5445d11403)},
{FIELD_LITERAL(0x0003f8e7ccec15a0,0x00052340d38e8703,0x0001fe25f1ae8f20,0x0003ddd469f772d0,0x000462fbbea67ca2)},
{FIELD_LITERAL(0x00011da13f2e0e8c,0x0002aa8f508e1fd7,0x000412a7c33e7f8e,0x000350c2a112bd8f,0x0003903a4aae1e31)},
{FIELD_LITERAL(0x0007f9daed4a4867,0x0002b6b4ed700133,0x0002630bb5d53e2d,0x00052b6f0617a8d5,0x0003a71ea3b7dd75)},
{FIELD_LITERAL(0x000784badf35d97a,0x000130c033b608d3,0x0004d1ca333b988c,0x00046996c1106167,0x00006cd17cb32faf)},
{FIELD_LITERAL(0x000017f0bb6265b4,0x0004b7b14a32f828,0x00038355613c060b,0x0002ff107843a525,0x00067859833d0bcf)},
{FIELD_LITERAL(0x0007efb1526681aa,0x0005d3f09cc25381,0x0005070ed313624a,0x0007dc7c70fcf2e6,0x00035f22ab001ece)},
{FIELD_LITERAL(0x0001d03d7131822b,0x00041269a071318a,0x00066b533c7c2f0e,0x00079eb2962ac445,0x0007c84f8b7d6434)},
{FIELD_LITERAL(0x0007bdf697319f65,0x000733aeaf20753c,0x0003e8ef6225fd72,0x0004a5b9853164cc,0x0007e0c9a1e3a2c0)},
{FIELD_LITERAL(0x0000ea923f718b41,0x0003ed3cdc5c1206,0x0007fcd7e9778042,0x000087a1037b0d5d,0x00007a7a0abbab1c)},
{FIELD_LITERAL(0x0001f75504e732eb,0x00022ebe847278d8,0x0007ea9ffc7568b3,0x0005ce813453dcf8,0x000487735ef97869)},
{FIELD_LITERAL(0x0005724daa8d895d,0x0000dc4fb5cda1a1,0x0005caeaaa9fb58e,0x0002cc7ce3532d7a,0x00078cb9c16aa739)},
{FIELD_LITERAL(0x000132663b80f4fb,0x0003569bb0747910,0x0001254f43541bae,0x0005ef6302e41398,0x0000f0739e94acdc)},
{FIELD_LITERAL(0x00062c278d9a1d30,0x000160f59d5d7ddb,0x0003a13c02fd4a4c,0x0003ae8e19ec0313,0x0007ff33d0402d0a)},
{FIELD_LITERAL(0x000779188d9101bd,0x0003907b5e2acb57,0x0000f2016ad328f1,0x0002563d8843c96e,0x000325477c857086)},
{FIELD_LITERAL(0x0002b91f27fd54d4,0x0006396d4db9c2ed,0x0001910e4a18d580,0x00013a22c5bab363,0x0007a440ee553a25)},
{FIELD_LITERAL(0x000490c21e746b15,0x00024b7059991174,0x00008ee694b74d75,0x0005e237b7856642,0x0007642c6cdb680c)},
{FIELD_LITERAL(0x0005dbf419ae9d74,0x00048e711fdf576f,0x00075068ca732b86,0x0006e8b996a54910,0x000772260ac3718e)},
{FIELD_LITERAL(0x000482565fa8a25b,0x0003df033dcf6602,0x00064e0f3b4e7074,0x00021b4575c116f5,0x0002208124f689de)},
{FIELD_LITERAL(0x0007585a86ebfdf4,0x0007b22f0200bb5d,0x0004c01c0570390b,0x00012d4f936a9ace,0x0007061937f48098)},
{FIELD_LITERAL(0x00058c8ef3313e8c,0x0004fe676de9150c,0x000071322bae837f,0x0004719a9c643417,0x0000b3d8da873b81)},
{FIELD_LITERAL(0x0004a783941354c6,0x0004a8dbae0192b1,0x00066e6e2284eb96,0x000328e80b25e8c3,0x000042a8e76bf4d5)},
{FIELD_LITERAL(0x0001d8c052051ec3,0x000366a48a8dd65b,0x0002a78e24295abf,0x000129d49470f3e6,0x0006c57172fbfc6f)},
{FIELD_LITERAL(0x00058858b562e4d4,0x0007aa756a9d33c0,0x0000d5156276e848,0x00053461aacbb1be,0x000003d03c677fca)},
{FIELD_LITERAL(0x0004ec9d19b70d7e,0x0006b590207bdecd,0x0001637d3bcc3bb3,0x00000c22df7f92fb,0x00041ea544c47cfa)},
{FIELD_LITERAL(0x0005bb2c05450730,0x000699da0443d31e,0x00029833797938dd,0x00047094e611ef5a,0x0003a80296f5af96)},
{FIELD_LITERAL(0x0001ac52918f4c8e,0x00070d18d98c3ff4,0x0003e5732b1553db,0x00072df46e974e9d,0x000122fb863fcfd7)},
{FIELD_LITERAL(0x00000849cf428975,0x000727067cad891a,0x0004f88f61de7005,0x00044257203c4bbb,0x0004c637329a0014)},
{FIELD_LITERAL(0x000765ea2cf96125,0x00020be964ac2553,0x0006542c16078fcd,0x0007e1c9a694af26,0x000670be61b828ab)},
{FIELD_LITERAL(0x0003e966dcdc760c,0x00047dd5a3cb73ac,0x00061d635f813625,0x0006d76efc6f57ba,0x00054decaca409ff)},
{FIELD_LITERAL(0x00006abffd1f9a07,0x0006a24984b59c94,0x00001c88b2d5ccab,0x00078756f923d472,0x000523ae194c2908)},
{FIELD_LITERAL(0x000295f6aed6c95f,0x00063835a88edc2f,0x0000d413a8f5d2be,0x0006d19ac30fb51e,0x000209a4daa47af4)},
{FIELD_LITERAL(0x0007b3d422474c11,0x00035fd7bbd41a91,0x00038313d567d746,0x00044be2c7641673,0x0003cfb2e79b0db4)},
{FIELD_LITERAL(0x0007deb72bd44d2d,0x000739424ef1d75e,0x0004018d17e7a6b2,0x0007b6e2a9d39e87,0x000521ea05c6c6dd)},
{FIELD_LITERAL(0x0001a5e807310023,0x00064308e578ea3e,0x00051e6fd6a01240,0x000274e880dadbdd,0x0001f551c726c373)},
{FIELD_LITERAL(0x0004d3ce8a1f77f7,0x0003167790f075b1,0x0004e6bce7f4a904,0x0004d2ccd17b0874,0x0007dd01b360f566)},
{FIELD_LITERAL(0x00073aa273d83a1f,0x000509605eef38e1,0x0002478a49a7bd9c,0x00037b4fffcc9a8f,0x0003de7bfae4d9c0)},
{FIELD_LITERAL(0x00010ab29d20014a,0x0003dad754471f37,0x0005db76f33e4e9e,0x000233bcc4657dd9,0x00064a6db2e9a1a4)},
{FIELD_LITERAL(0x00061971ac718eb9,0x0002cedb4d83bc7c,0x000450581aa489e6,0x000085abee0c4ae9,0x000375e304315ad9)},
{FIELD_LITERAL(0x0004e69a3015eec3,0x00014f8520f65886,0x000603fe316ae01d,0x000266136364ded2,0x0001ca16145255d7)},
{FIELD_LITERAL(0x000195b299aaa7a2,0x00029dcb30ab6966,0x0007db5d6559e7e8,0x0003080db154f47f,0x00039c84ee5affcf)},
{FIELD_LITERAL(0x00021a432b19e270,0x0006448861623f70,0x0004383a5006d140,0x000426de3a89b443,0x0001296a8b73e4ab)},
{FIELD_LITERAL(0x00026b6e1920377f,0x0001fe04f05868d1,0x00035b308dd430aa,0x0004a38a5bd39fc2,0x0007a2a54f12cec0)},
{FIELD_LITERAL(0x00019031dbbe6961,0x000228c57c496dbd,0x00016d3b12e551b5,0x0006f71b0487b7f1,0x0000576d528efd97)},
{FIELD_LITERAL(0x0006a3af1de65daa,0x00058620d6a4624a,0x00062c5f94e31af3,0x00065f2be517410c,0x00061ed8888aeaad)},
{FIELD_LITERAL(0x000460e8ec01abc0,0x00029d22bb6910a9,0x0000bb5a4290fa5c,0x000761396d21fe81,0x00017529bc98149c)},
{FIELD_LITERAL(0x0001a2d5558fa158,0x00018db5df86dcda,0x000628100de92051,0x0002e1d2985a8b52,0x0000a021ed4469e4)},
{FIELD_LITERAL(0x0003c1838ccb4f06,0x000433f163939d2f,0x0003c45789e20d0e,0x0004cc1dd7cf2cda,0x0004a3d1db8e2fb0)},
{FIELD_LITERAL(0x00078bc9fe3174f7,0x0005463ef645ece5,0x0005977ab88ef0f8,0x000143fe3a6097c1,0x00014e54b582e50b)},
{FIELD_LITERAL(0x000297c2159dd2ea,0x0002225918017b5d,0x0000fd2c877e4d6d,0x0000a876d935de03,0x0003aa2b685088ec)},
{FIELD_LITERAL(0x000381ec20845ff6,0x00010287499d4119,0x00071f5a1e12659a,0x0007119ecc4ec7fc,0x00065b686f7be346)},
{FIELD_LITERAL(0x00079aa225363911,0x0004401073991c38,0x0002d622e1b2ab01,0x0006d88484b2ff0e,0x0001af6bad1d0067)},
{FIELD_LITERAL(0x0004a9bd5d80f94a,0x000200829b9a0578,0x00005d3adbbe3535,0x0004a01abc9f4d78,0x000318228e347c33)},
{FIELD_LITERAL(0x00078a9576d93baf,0x0002b2a7e675aabc,0x00077ccfec62185f,0x00030ce0149594eb,0x00079ada3764fe9e)},
{FIELD_LITERAL(0x00019f03aa64e86b,0x000524ed3ec7b93e,0x00051dea71a325e6,0x0006072282cc2dd1,0x0003f6161300548d)},
{FIELD_LITERAL(0x0003d4e4793a59c5,0x00039088df420d66,0x000059f2dc08ae93,0x0002a529016f70f4,0x00003d508c2008c6)},
{FIELD_LITERAL(0x0000f3116a3baba1,0x000087e19c7c7a88,0x00064eadf2277a4f,0x0007d9a18deea24e,0x000204fcdb56e2b5)},
{FIELD_LITERAL(0x000740a868c461a6,0x00008d33fd39e939,0x000546fc277d8361,0x00049a29cc27b47d,0x00066efe0241ab2d)},
{FIELD_LITERAL(0x0004c02370cdf9e0,0x0002753707967fe5,0x0003e9e845537aa4,0x00052e8412924bcd,0x00035a32466d04a6)},
{FIELD_LITERAL(0x00056e5f94d6709d,0x0000baa9a44a9de5,0x0002f96da022a0e7,0x000522f1a31020d4,0x0002c56138662fb1)},
{FIELD_LITERAL(0x0003a975fed6c7ef,0x0005be0807c70f4d,0x00056cb1100a4f60,0x000039e4317fae1e,0x0002d3e8e7c807c5)},
{FIELD_LITERAL(0x000049cd79d8153d,0x0005f7f1bfb82d68,0x0006329634d9cab0,0x0007bcb505082b4e,0x00053f1ca734f15f)},
{FIELD_LITERAL(0x0000fdb698137903,0x0005fb51b23a7650,0x00056c97f01bfb0b,0x0002c8a3ede0e6c6,0x0000dffef54d46bd)},
{FIELD_LITERAL(0x000023fde8f23ca3,0x0003e79e97bcb77c,0x0006682d0da044a2,0x0002b5cc9caad587,0x0007053a7396d844)},
{FIELD_LITERAL(0x0007325e1ff6a8d7,0x000144c86fd24546,0x000196593acaf904,0x000241f57ca53397,0x00023e58d23dff45)},
{FIELD_LITERAL(0x00066242f578274b,0x00058a001d88f9f8,0x00036ae87b15be37,0x00016dbd43af7f3e,0x0001ce7f64876085)},
{FIELD_LITERAL(0x00015f6b0f790623,0x0007d5b90970fb7b,0x00045b6bd21c9701,0x0003fbe8a13740fc,0x00059a684a214173)},
{FIELD_LITERAL(0x00014da626cba741,0x000101c3468580bb,0x0004c6fb5709eea8,0x000354aaf860f432,0x0003d9501bbcc86d)},
{FIELD_LITERAL(0x0004100377e37e11,0x0000ac48fe9245e8,0x000098c5097111d5,0x0000c31ff20e0c11,0x0004d19f0fb6c913)},
{FIELD_LITERAL(0x0007c87f12093bcc,0x000223769c082868,0x00074d424db97824,0x0006d7020a556573,0x0001e0afdef95d3d)},
{FIELD_LITERAL(0x000201774f4281a6,0x00040d577fbe10c0,0x0001d96faea48a3a,0x00019d06096a4cb9,0x0000c0410e02b892)},
{FIELD_LITERAL(0x0004ecdd42bcb282,0x00036eb9f22440d6,0x00015738bdfebe58,0x0007da6d7cd185ed,0x000114cd2ee51425)},
{FIELD_LITERAL(0x00061fb7d973a125,0x00060a3d5f860ddc,0x00058032f5a2bae4,0x0001ae3459e6da16,0x0004d8e17bd386cb)},
{FIELD_LITERAL(0x0003d4f4a0189763,0x0002ebc953fe02a4,0x00004d165b695009,0x00050cba13806a99,0x0000f5b62c0c84e5)},
{FIELD_LITERAL(0x0006e654bfbff109,0x0006018351bcbbe2,0x00057964df181f22,0x00033e0673d9cfb1,0x00064efdf98a1040)},
{FIELD_LITERAL(0x00073ad6128efea0,0x0007c86bdff5a7c5,0x0001a71115a02aff,0x00049b3a3e67b1f4,0x00033315bb103c63)},
{FIELD_LITERAL(0x0006aac38a327053,0x0005351c17ce82af,0x0000f07d6bbd51f7,0x00039497c5b160b1,0x0001ca565d3b0b4c)},
{FIELD_LITERAL(0x00030e1e990f426f,0x0000a0a8e67aac06,0x0005d5c4267d1f6c,0x00051b0ebc5614b8,0x0000ca37a6b5f563)},
{FIELD_LITERAL(0x00009dcbfce95c17,0x0001ea312e0ecf1f,0x0001bfaafa617fde,0x00017565626471ce,0x00057a7e865a0896)},
{FIELD_LITERAL(0x00036e4ca4b09fec,0x00070559d5d9b147,0x00035855772927b5,0x000651fbdadbcd73,0x0007aea9eb02eba1)},
{FIELD_LITERAL(0x000447db14883a00,0x0002ccbdfcdd06ca,0x00052ae17d38e284,0x0002d754ce20339c,0x000163594fcc2603)}
};

+ 0
- 322
src/GENERATED/c/curve25519/eddsa.c View File

@@ -1,322 +0,0 @@
/**
* @file curve25519/eddsa.c
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
* @cond internal
* @brief EdDSA routines.
*
* @warning This file was automatically generated in Python.
* Please do not edit it.
*/
#include "word.h"
#include <decaf/ed255.h>
#include <decaf/shake.h>
#include <decaf/sha512.h>
#include <string.h>

#define API_NAME "decaf_255"
#define API_NS(_id) decaf_255_##_id

#define hash_ctx_t decaf_sha512_ctx_t
#define hash_init decaf_sha512_init
#define hash_update decaf_sha512_update
#define hash_final decaf_sha512_final
#define hash_destroy decaf_sha512_destroy
#define hash_hash decaf_sha512_hash

#define NO_CONTEXT DECAF_EDDSA_25519_SUPPORTS_CONTEXTLESS_SIGS
#define EDDSA_USE_SIGMA_ISOGENY 1
#define COFACTOR 8
#define EDDSA_PREHASH_BYTES 64

#if NO_CONTEXT
const uint8_t NO_CONTEXT_POINTS_HERE = 0;
const uint8_t * const DECAF_ED25519_NO_CONTEXT = &NO_CONTEXT_POINTS_HERE;
#endif

static void clamp (
uint8_t secret_scalar_ser[DECAF_EDDSA_25519_PRIVATE_BYTES]
) {
/* Blarg */
secret_scalar_ser[0] &= -COFACTOR;
uint8_t hibit = (1<<7)>>1;
if (hibit == 0) {
secret_scalar_ser[DECAF_EDDSA_25519_PRIVATE_BYTES - 1] = 0;
secret_scalar_ser[DECAF_EDDSA_25519_PRIVATE_BYTES - 2] |= 0x80;
} else {
secret_scalar_ser[DECAF_EDDSA_25519_PRIVATE_BYTES - 1] &= hibit-1;
secret_scalar_ser[DECAF_EDDSA_25519_PRIVATE_BYTES - 1] |= hibit;
}
}

static void hash_init_with_dom(
hash_ctx_t hash,
uint8_t prehashed,
uint8_t for_prehash,
const uint8_t *context,
uint8_t context_len
) {
hash_init(hash);

#if NO_CONTEXT
if (context_len == 0 && context == DECAF_ED25519_NO_CONTEXT) {
(void)prehashed;
(void)for_prehash;
(void)context;
(void)context_len;
return;
}
#endif
const char *dom_s = "SigEd25519 no Ed25519 collisions";
const uint8_t dom[2] = {2+word_is_zero(prehashed)+word_is_zero(for_prehash), context_len};
hash_update(hash,(const unsigned char *)dom_s, strlen(dom_s));
hash_update(hash,dom,2);
hash_update(hash,context,context_len);
}

void decaf_ed25519_prehash_init (
hash_ctx_t hash
) {
hash_init(hash);
}

/* In this file because it uses the hash */
void decaf_ed25519_convert_private_key_to_x25519 (
uint8_t x[DECAF_X25519_PRIVATE_BYTES],
const uint8_t ed[DECAF_EDDSA_25519_PRIVATE_BYTES]
) {
/* pass the private key through hash_hash function */
/* and keep the first DECAF_X25519_PRIVATE_BYTES bytes */
hash_hash(
x,
DECAF_X25519_PRIVATE_BYTES,
ed,
DECAF_EDDSA_25519_PRIVATE_BYTES
);
}
void decaf_ed25519_derive_public_key (
uint8_t pubkey[DECAF_EDDSA_25519_PUBLIC_BYTES],
const uint8_t privkey[DECAF_EDDSA_25519_PRIVATE_BYTES]
) {
/* only this much used for keygen */
uint8_t secret_scalar_ser[DECAF_EDDSA_25519_PRIVATE_BYTES];
hash_hash(
secret_scalar_ser,
sizeof(secret_scalar_ser),
privkey,
DECAF_EDDSA_25519_PRIVATE_BYTES
);
clamp(secret_scalar_ser);
API_NS(scalar_t) secret_scalar;
API_NS(scalar_decode_long)(secret_scalar, secret_scalar_ser, sizeof(secret_scalar_ser));
/* Since we are going to mul_by_cofactor during encoding, divide by it here.
* However, the EdDSA base point is not the same as the decaf base point if
* the sigma isogeny is in use: the EdDSA base point is on Etwist_d/(1-d) and
* the decaf base point is on Etwist_d, and when converted it effectively
* picks up a factor of 2 from the isogenies. So we might start at 2 instead of 1.
*/
for (unsigned int c=1; c<DECAF_255_EDDSA_ENCODE_RATIO; c <<= 1) {
API_NS(scalar_halve)(secret_scalar,secret_scalar);
}
API_NS(point_t) p;
API_NS(precomputed_scalarmul)(p,API_NS(precomputed_base),secret_scalar);
API_NS(point_mul_by_ratio_and_encode_like_eddsa)(pubkey, p);
/* Cleanup */
API_NS(scalar_destroy)(secret_scalar);
API_NS(point_destroy)(p);
decaf_bzero(secret_scalar_ser, sizeof(secret_scalar_ser));
}

void decaf_ed25519_sign (
uint8_t signature[DECAF_EDDSA_25519_SIGNATURE_BYTES],
const uint8_t privkey[DECAF_EDDSA_25519_PRIVATE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_25519_PUBLIC_BYTES],
const uint8_t *message,
size_t message_len,
uint8_t prehashed,
const uint8_t *context,
uint8_t context_len
) {
API_NS(scalar_t) secret_scalar;
hash_ctx_t hash;
{
/* Schedule the secret key */
struct {
uint8_t secret_scalar_ser[DECAF_EDDSA_25519_PRIVATE_BYTES];
uint8_t seed[DECAF_EDDSA_25519_PRIVATE_BYTES];
} __attribute__((packed)) expanded;
hash_hash(
(uint8_t *)&expanded,
sizeof(expanded),
privkey,
DECAF_EDDSA_25519_PRIVATE_BYTES
);
clamp(expanded.secret_scalar_ser);
API_NS(scalar_decode_long)(secret_scalar, expanded.secret_scalar_ser, sizeof(expanded.secret_scalar_ser));
/* Hash to create the nonce */
hash_init_with_dom(hash,prehashed,0,context,context_len);
hash_update(hash,expanded.seed,sizeof(expanded.seed));
hash_update(hash,message,message_len);
decaf_bzero(&expanded, sizeof(expanded));
}
/* Decode the nonce */
API_NS(scalar_t) nonce_scalar;
{
uint8_t nonce[2*DECAF_EDDSA_25519_PRIVATE_BYTES];
hash_final(hash,nonce,sizeof(nonce));
API_NS(scalar_decode_long)(nonce_scalar, nonce, sizeof(nonce));
decaf_bzero(nonce, sizeof(nonce));
}
uint8_t nonce_point[DECAF_EDDSA_25519_PUBLIC_BYTES] = {0};
{
/* Scalarmul to create the nonce-point */
API_NS(scalar_t) nonce_scalar_2;
API_NS(scalar_halve)(nonce_scalar_2,nonce_scalar);
for (unsigned int c = 2; c < DECAF_255_EDDSA_ENCODE_RATIO; c <<= 1) {
API_NS(scalar_halve)(nonce_scalar_2,nonce_scalar_2);
}
API_NS(point_t) p;
API_NS(precomputed_scalarmul)(p,API_NS(precomputed_base),nonce_scalar_2);
API_NS(point_mul_by_ratio_and_encode_like_eddsa)(nonce_point, p);
API_NS(point_destroy)(p);
API_NS(scalar_destroy)(nonce_scalar_2);
}
API_NS(scalar_t) challenge_scalar;
{
/* Compute the challenge */
hash_init_with_dom(hash,prehashed,0,context,context_len);
hash_update(hash,nonce_point,sizeof(nonce_point));
hash_update(hash,pubkey,DECAF_EDDSA_25519_PUBLIC_BYTES);
hash_update(hash,message,message_len);
uint8_t challenge[2*DECAF_EDDSA_25519_PRIVATE_BYTES];
hash_final(hash,challenge,sizeof(challenge));
hash_destroy(hash);
API_NS(scalar_decode_long)(challenge_scalar,challenge,sizeof(challenge));
decaf_bzero(challenge,sizeof(challenge));
}
API_NS(scalar_mul)(challenge_scalar,challenge_scalar,secret_scalar);
API_NS(scalar_add)(challenge_scalar,challenge_scalar,nonce_scalar);
decaf_bzero(signature,DECAF_EDDSA_25519_SIGNATURE_BYTES);
memcpy(signature,nonce_point,sizeof(nonce_point));
API_NS(scalar_encode)(&signature[DECAF_EDDSA_25519_PUBLIC_BYTES],challenge_scalar);
API_NS(scalar_destroy)(secret_scalar);
API_NS(scalar_destroy)(nonce_scalar);
API_NS(scalar_destroy)(challenge_scalar);
}


void decaf_ed25519_sign_prehash (
uint8_t signature[DECAF_EDDSA_25519_SIGNATURE_BYTES],
const uint8_t privkey[DECAF_EDDSA_25519_PRIVATE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_25519_PUBLIC_BYTES],
const decaf_ed25519_prehash_ctx_t hash,
const uint8_t *context,
uint8_t context_len
) {
uint8_t hash_output[EDDSA_PREHASH_BYTES];
{
decaf_ed25519_prehash_ctx_t hash_too;
memcpy(hash_too,hash,sizeof(hash_too));
hash_final(hash_too,hash_output,sizeof(hash_output));
hash_destroy(hash_too);
}

decaf_ed25519_sign(signature,privkey,pubkey,hash_output,sizeof(hash_output),1,context,context_len);
decaf_bzero(hash_output,sizeof(hash_output));
}

decaf_error_t decaf_ed25519_verify (
const uint8_t signature[DECAF_EDDSA_25519_SIGNATURE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_25519_PUBLIC_BYTES],
const uint8_t *message,
size_t message_len,
uint8_t prehashed,
const uint8_t *context,
uint8_t context_len
) {
API_NS(point_t) pk_point, r_point;
decaf_error_t error = API_NS(point_decode_like_eddsa_and_mul_by_ratio)(pk_point,pubkey);
if (DECAF_SUCCESS != error) { return error; }
error = API_NS(point_decode_like_eddsa_and_mul_by_ratio)(r_point,signature);
if (DECAF_SUCCESS != error) { return error; }
API_NS(scalar_t) challenge_scalar;
{
/* Compute the challenge */
hash_ctx_t hash;
hash_init_with_dom(hash,prehashed,0,context,context_len);
hash_update(hash,signature,DECAF_EDDSA_25519_PUBLIC_BYTES);
hash_update(hash,pubkey,DECAF_EDDSA_25519_PUBLIC_BYTES);
hash_update(hash,message,message_len);
uint8_t challenge[2*DECAF_EDDSA_25519_PRIVATE_BYTES];
hash_final(hash,challenge,sizeof(challenge));
hash_destroy(hash);
API_NS(scalar_decode_long)(challenge_scalar,challenge,sizeof(challenge));
decaf_bzero(challenge,sizeof(challenge));
}
API_NS(scalar_sub)(challenge_scalar, API_NS(scalar_zero), challenge_scalar);
API_NS(scalar_t) response_scalar;
API_NS(scalar_decode_long)(
response_scalar,
&signature[DECAF_EDDSA_25519_PUBLIC_BYTES],
DECAF_EDDSA_25519_PRIVATE_BYTES
);
for (unsigned c=1; c<DECAF_255_EDDSA_DECODE_RATIO; c<<=1) {
API_NS(scalar_add)(response_scalar,response_scalar,response_scalar);
}
/* pk_point = -c(x(P)) + (cx + k)G = kG */
API_NS(base_double_scalarmul_non_secret)(
pk_point,
response_scalar,
pk_point,
challenge_scalar
);
return decaf_succeed_if(API_NS(point_eq(pk_point,r_point)));
}


decaf_error_t decaf_ed25519_verify_prehash (
const uint8_t signature[DECAF_EDDSA_25519_SIGNATURE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_25519_PUBLIC_BYTES],
const decaf_ed25519_prehash_ctx_t hash,
const uint8_t *context,
uint8_t context_len
) {
decaf_error_t ret;
uint8_t hash_output[EDDSA_PREHASH_BYTES];
{
decaf_ed25519_prehash_ctx_t hash_too;
memcpy(hash_too,hash,sizeof(hash_too));
hash_final(hash_too,hash_output,sizeof(hash_output));
hash_destroy(hash_too);
}
ret = decaf_ed25519_verify(signature,pubkey,hash_output,sizeof(hash_output),1,context,context_len);
return ret;
}

+ 0
- 204
src/GENERATED/c/curve25519/elligator.c View File

@@ -1,204 +0,0 @@
/**
* @file curve25519/elligator.c
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
* @brief Elligator high-level functions.
*
* @warning This file was automatically generated in Python.
* Please do not edit it.
*/
#include "word.h"
#include "field.h"
#include <decaf.h>

/* Template stuff */
#define API_NS(_id) decaf_255_##_id
#define point_t API_NS(point_t)
#define IMAGINE_TWIST 1
#define COFACTOR 8
static const int EDWARDS_D = -121665;

#define RISTRETTO_FACTOR DECAF_255_RISTRETTO_FACTOR
extern const gf RISTRETTO_FACTOR;

/* End of template stuff */
extern mask_t API_NS(deisogenize) (
gf_s *__restrict__ s,
gf_s *__restrict__ inv_el_sum,
gf_s *__restrict__ inv_el_m1,
const point_t p,
mask_t toggle_hibit_s,
mask_t toggle_altx,
mask_t toggle_rotation
);

void API_NS(point_from_hash_nonuniform) (
point_t p,
const unsigned char ser[SER_BYTES]
) {
gf r0,r,a,b,c,N,e;
const uint8_t mask = (uint8_t)(0xFE<<(6));
ignore_result(gf_deserialize(r0,ser,0,mask));
gf_strong_reduce(r0);
gf_sqr(a,r0);
gf_mul_qnr(r,a);

/* Compute D@c := (dr+a-d)(dr-ar-d) with a=1 */
gf_sub(a,r,ONE);
gf_mulw(b,a,EDWARDS_D); /* dr-d */
gf_add(a,b,ONE);
gf_sub(b,b,r);
gf_mul(c,a,b);
/* compute N := (r+1)(a-2d) */
gf_add(a,r,ONE);
gf_mulw(N,a,1-2*EDWARDS_D);
/* e = +-sqrt(1/ND) or +-r0 * sqrt(qnr/ND) */
gf_mul(a,c,N);
mask_t square = gf_isr(b,a);
gf_cond_sel(c,r0,ONE,square); /* r? = square ? 1 : r0 */
gf_mul(e,b,c);
/* s@a = +-|N.e| */
gf_mul(a,N,e);
gf_cond_neg(a,gf_lobit(a) ^ ~square);
/* t@b = -+ cN(r-1)((a-2d)e)^2 - 1 */
gf_mulw(c,e,1-2*EDWARDS_D); /* (a-2d)e */
gf_sqr(b,c);
gf_sub(e,r,ONE);
gf_mul(c,b,e);
gf_mul(b,c,N);
gf_cond_neg(b,square);
gf_sub(b,b,ONE);

/* isogenize */
#if IMAGINE_TWIST
gf_mul(c,a,SQRT_MINUS_ONE);
gf_copy(a,c);
#endif
gf_sqr(c,a); /* s^2 */
gf_add(a,a,a); /* 2s */
gf_add(e,c,ONE);
gf_mul(p->t,a,e); /* 2s(1+s^2) */
gf_mul(p->x,a,b); /* 2st */
gf_sub(a,ONE,c);
gf_mul(p->y,e,a); /* (1+s^2)(1-s^2) */
gf_mul(p->z,a,b); /* (1-s^2)t */
assert(API_NS(point_valid)(p));
}

void API_NS(point_from_hash_uniform) (
point_t pt,
const unsigned char hashed_data[2*SER_BYTES]
) {
point_t pt2;
API_NS(point_from_hash_nonuniform)(pt,hashed_data);
API_NS(point_from_hash_nonuniform)(pt2,&hashed_data[SER_BYTES]);
API_NS(point_add)(pt,pt,pt2);
}

/* Elligator_onto:
* Make elligator-inverse onto at the cost of roughly halving the success probability.
* Currently no effect for curves with field size 1 bit mod 8 (where the top bit
* is chopped off). FUTURE MAGIC: automatic at least for brainpool-style curves; support
* log p == 1 mod 8 brainpool curves maybe?
*/
#define MAX(A,B) (((A)>(B)) ? (A) : (B))

decaf_error_t
API_NS(invert_elligator_nonuniform) (
unsigned char recovered_hash[SER_BYTES],
const point_t p,
uint32_t hint_
) {
mask_t hint = hint_;
mask_t sgn_s = -(hint & 1),
sgn_altx = -(hint>>1 & 1),
sgn_r0 = -(hint>>2 & 1),
/* FUTURE MAGIC: eventually if there's a curve which needs sgn_ed_T but not sgn_r0,
* change this mask extraction.
*/
sgn_ed_T = -(hint>>3 & 1);
gf a,b,c;
API_NS(deisogenize)(a,b,c,p,sgn_s,sgn_altx,sgn_ed_T);
mask_t is_identity = gf_eq(p->t,ZERO);
#if COFACTOR==4
gf_cond_sel(b,b,ONE,is_identity & sgn_altx);
gf_cond_sel(c,c,ONE,is_identity & sgn_s &~ sgn_altx);
#elif IMAGINE_TWIST
/* Terrible, terrible special casing due to lots of 0/0 is deisogenize
* Basically we need to generate -D and +- i*RISTRETTO_FACTOR
*/
gf_mul_i(a,RISTRETTO_FACTOR);
gf_cond_sel(b,b,ONE,is_identity);
gf_cond_neg(a,sgn_altx);
gf_cond_sel(c,c,a,is_identity & sgn_ed_T);
gf_cond_sel(c,c,ZERO,is_identity & ~sgn_ed_T);
gf_mulw(a,ONE,-EDWARDS_D);
gf_cond_sel(c,c,a,is_identity & ~sgn_ed_T &~ sgn_altx);
#else
#error "Different special-casing goes here!"
#endif
#if IMAGINE_TWIST
gf_mulw(a,b,-EDWARDS_D);
#else
gf_mulw(a,b,EDWARDS_D-1);
#endif
gf_add(b,a,b);
gf_sub(a,a,c);
gf_add(b,b,c);
gf_cond_swap(a,b,sgn_s);
gf_mul_qnr(c,b);
gf_mul(b,c,a);
mask_t succ = gf_isr(c,b);
succ |= gf_eq(b,ZERO);
gf_mul(b,c,a);
#if 255 == 8*SER_BYTES + 1 /* p521. */
#error "this won't work because it needs to adjust high bit, not low bit"
sgn_r0 = 0;
#endif
gf_cond_neg(b, sgn_r0^gf_lobit(b));
/* Eliminate duplicate values for identity ... */
succ &= ~(gf_eq(b,ZERO) & (sgn_r0 | sgn_s));
// #if COFACTOR == 8
// succ &= ~(is_identity & sgn_ed_T); /* NB: there are no preimages of rotated identity. */
// #endif
#if 255 == 8*SER_BYTES + 1 /* p521 */
gf_serialize(recovered_hash,b,0);
#else
gf_serialize(recovered_hash,b,1);
#endif
#if 7
#if COFACTOR==8
recovered_hash[SER_BYTES-1] ^= (hint>>4)<<7;
#else
recovered_hash[SER_BYTES-1] ^= (hint>>3)<<7;
#endif
#endif
return decaf_succeed_if(mask_to_bool(succ));
}

decaf_error_t
API_NS(invert_elligator_uniform) (
unsigned char partial_hash[2*SER_BYTES],
const point_t p,
uint32_t hint
) {
point_t pt2;
API_NS(point_from_hash_nonuniform)(pt2,&partial_hash[SER_BYTES]);
API_NS(point_sub)(pt2,p,pt2);
return API_NS(invert_elligator_nonuniform)(partial_hash,pt2,hint);
}

+ 0
- 341
src/GENERATED/c/curve25519/scalar.c View File

@@ -1,341 +0,0 @@
/**
* @file curve25519/scalar.c
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
* @brief Decaf high-level functions.
*
* @warning This file was automatically generated in Python.
* Please do not edit it.
*/
#include "word.h"
#include "constant_time.h"
#include <decaf.h>

/* Template stuff */
#define API_NS(_id) decaf_255_##_id
#define SCALAR_BITS DECAF_255_SCALAR_BITS
#define SCALAR_SER_BYTES DECAF_255_SCALAR_BYTES
#define SCALAR_LIMBS DECAF_255_SCALAR_LIMBS
#define scalar_t API_NS(scalar_t)

static const decaf_word_t MONTGOMERY_FACTOR = (decaf_word_t)0xd2b51da312547e1bull;
static const scalar_t sc_p = {{{
SC_LIMB(0x5812631a5cf5d3ed), SC_LIMB(0x14def9dea2f79cd6), SC_LIMB(0x0000000000000000), SC_LIMB(0x1000000000000000)
}}}, sc_r2 = {{{
SC_LIMB(0xa40611e3449c0f01), SC_LIMB(0xd00e1ba768859347), SC_LIMB(0xceec73d217f5be65), SC_LIMB(0x0399411b7c309a3d)
}}};
/* End of template stuff */

#define WBITS DECAF_WORD_BITS /* NB this may be different from ARCH_WORD_BITS */

const scalar_t API_NS(scalar_one) = {{{1}}}, API_NS(scalar_zero) = {{{0}}};

/** {extra,accum} - sub +? p
* Must have extra <= 1
*/
static DECAF_NOINLINE void sc_subx(
scalar_t out,
const decaf_word_t accum[SCALAR_LIMBS],
const scalar_t sub,
const scalar_t p,
decaf_word_t extra
) {
decaf_dsword_t chain = 0;
unsigned int i;
for (i=0; i<SCALAR_LIMBS; i++) {
chain = (chain + accum[i]) - sub->limb[i];
out->limb[i] = chain;
chain >>= WBITS;
}
decaf_word_t borrow = chain+extra; /* = 0 or -1 */
chain = 0;
for (i=0; i<SCALAR_LIMBS; i++) {
chain = (chain + out->limb[i]) + (p->limb[i] & borrow);
out->limb[i] = chain;
chain >>= WBITS;
}
}

static DECAF_NOINLINE void sc_montmul (
scalar_t out,
const scalar_t a,
const scalar_t b
) {
unsigned int i,j;
decaf_word_t accum[SCALAR_LIMBS+1] = {0};
decaf_word_t hi_carry = 0;
for (i=0; i<SCALAR_LIMBS; i++) {
decaf_word_t mand = a->limb[i];
const decaf_word_t *mier = b->limb;
decaf_dword_t chain = 0;
for (j=0; j<SCALAR_LIMBS; j++) {
chain += ((decaf_dword_t)mand)*mier[j] + accum[j];
accum[j] = chain;
chain >>= WBITS;
}
accum[j] = chain;
mand = accum[0] * MONTGOMERY_FACTOR;
chain = 0;
mier = sc_p->limb;
for (j=0; j<SCALAR_LIMBS; j++) {
chain += (decaf_dword_t)mand*mier[j] + accum[j];
if (j) accum[j-1] = chain;
chain >>= WBITS;
}
chain += accum[j];
chain += hi_carry;
accum[j-1] = chain;
hi_carry = chain >> WBITS;
}
sc_subx(out, accum, sc_p, sc_p, hi_carry);
}

void API_NS(scalar_mul) (
scalar_t out,
const scalar_t a,
const scalar_t b
) {
sc_montmul(out,a,b);
sc_montmul(out,out,sc_r2);
}

/* PERF: could implement this */
static DECAF_INLINE void sc_montsqr (scalar_t out, const scalar_t a) {
sc_montmul(out,a,a);
}

decaf_error_t API_NS(scalar_invert) (
scalar_t out,
const scalar_t a
) {
/* Fermat's little theorem, sliding window.
* Sliding window is fine here because the modulus isn't secret.
*/
const int SCALAR_WINDOW_BITS = 3;
scalar_t precmp[1<<SCALAR_WINDOW_BITS];
const int LAST = (1<<SCALAR_WINDOW_BITS)-1;

/* Precompute precmp = [a^1,a^3,...] */
sc_montmul(precmp[0],a,sc_r2);
if (LAST > 0) sc_montmul(precmp[LAST],precmp[0],precmp[0]);

int i;
for (i=1; i<=LAST; i++) {
sc_montmul(precmp[i],precmp[i-1],precmp[LAST]);
}
/* Sliding window */
unsigned residue = 0, trailing = 0, started = 0;
for (i=SCALAR_BITS-1; i>=-SCALAR_WINDOW_BITS; i--) {
if (started) sc_montsqr(out,out);
decaf_word_t w = (i>=0) ? sc_p->limb[i/WBITS] : 0;
if (i >= 0 && i<WBITS) {
assert(w >= 2);
w-=2;
}
residue = (residue<<1) | ((w>>(i%WBITS))&1);
if (residue>>SCALAR_WINDOW_BITS != 0) {
assert(trailing == 0);
trailing = residue;
residue = 0;
}
if (trailing > 0 && (trailing & ((1<<SCALAR_WINDOW_BITS)-1)) == 0) {
if (started) {
sc_montmul(out,out,precmp[trailing>>(SCALAR_WINDOW_BITS+1)]);
} else {
API_NS(scalar_copy)(out,precmp[trailing>>(SCALAR_WINDOW_BITS+1)]);
started = 1;
}
trailing = 0;
}
trailing <<= 1;
}
assert(residue==0);
assert(trailing==0);
/* Demontgomerize */
sc_montmul(out,out,API_NS(scalar_one));
decaf_bzero(precmp, sizeof(precmp));
return decaf_succeed_if(~API_NS(scalar_eq)(out,API_NS(scalar_zero)));
}

void API_NS(scalar_sub) (
scalar_t out,
const scalar_t a,
const scalar_t b
) {
sc_subx(out, a->limb, b, sc_p, 0);
}

void API_NS(scalar_add) (
scalar_t out,
const scalar_t a,
const scalar_t b
) {
decaf_dword_t chain = 0;
unsigned int i;
for (i=0; i<SCALAR_LIMBS; i++) {
chain = (chain + a->limb[i]) + b->limb[i];
out->limb[i] = chain;
chain >>= WBITS;
}
sc_subx(out, out->limb, sc_p, sc_p, chain);
}

void
API_NS(scalar_set_unsigned) (
scalar_t out,
uint64_t w
) {
memset(out,0,sizeof(scalar_t));
unsigned int i = 0;
for (; i<sizeof(uint64_t)/sizeof(decaf_word_t); i++) {
out->limb[i] = w;
#if DECAF_WORD_BITS < 64
w >>= 8*sizeof(decaf_word_t);
#endif
}
}

decaf_bool_t
API_NS(scalar_eq) (
const scalar_t a,
const scalar_t b
) {
decaf_word_t diff = 0;
unsigned int i;
for (i=0; i<SCALAR_LIMBS; i++) {
diff |= a->limb[i] ^ b->limb[i];
}
return mask_to_bool(word_is_zero(diff));
}

static DECAF_INLINE void scalar_decode_short (
scalar_t s,
const unsigned char *ser,
unsigned int nbytes
) {
unsigned int i,j,k=0;
for (i=0; i<SCALAR_LIMBS; i++) {
decaf_word_t out = 0;
for (j=0; j<sizeof(decaf_word_t) && k<nbytes; j++,k++) {
out |= ((decaf_word_t)ser[k])<<(8*j);
}
s->limb[i] = out;
}
}

decaf_error_t API_NS(scalar_decode)(
scalar_t s,
const unsigned char ser[SCALAR_SER_BYTES]
) {
unsigned int i;
scalar_decode_short(s, ser, SCALAR_SER_BYTES);
decaf_dsword_t accum = 0;
for (i=0; i<SCALAR_LIMBS; i++) {
accum = (accum + s->limb[i] - sc_p->limb[i]) >> WBITS;
}
/* Here accum == 0 or -1 */
API_NS(scalar_mul)(s,s,API_NS(scalar_one)); /* ham-handed reduce */
return decaf_succeed_if(~word_is_zero(accum));
}

void API_NS(scalar_destroy) (
scalar_t scalar
) {
decaf_bzero(scalar, sizeof(scalar_t));
}

void API_NS(scalar_decode_long)(
scalar_t s,
const unsigned char *ser,
size_t ser_len
) {
if (ser_len == 0) {
API_NS(scalar_copy)(s, API_NS(scalar_zero));
return;
}
size_t i;
scalar_t t1, t2;

i = ser_len - (ser_len%SCALAR_SER_BYTES);
if (i==ser_len) i -= SCALAR_SER_BYTES;
scalar_decode_short(t1, &ser[i], ser_len-i);

if (ser_len == sizeof(scalar_t)) {
assert(i==0);
/* ham-handed reduce */
API_NS(scalar_mul)(s,t1,API_NS(scalar_one));
API_NS(scalar_destroy)(t1);
return;
}

while (i) {
i -= SCALAR_SER_BYTES;
sc_montmul(t1,t1,sc_r2);
ignore_result( API_NS(scalar_decode)(t2, ser+i) );
API_NS(scalar_add)(t1, t1, t2);
}

API_NS(scalar_copy)(s, t1);
API_NS(scalar_destroy)(t1);
API_NS(scalar_destroy)(t2);
}

void API_NS(scalar_encode)(
unsigned char ser[SCALAR_SER_BYTES],
const scalar_t s
) {
unsigned int i,j,k=0;
for (i=0; i<SCALAR_LIMBS; i++) {
for (j=0; j<sizeof(decaf_word_t); j++,k++) {
ser[k] = s->limb[i] >> (8*j);
}
}
}

void API_NS(scalar_cond_sel) (
scalar_t out,
const scalar_t a,
const scalar_t b,
decaf_bool_t pick_b
) {
constant_time_select(out,a,b,sizeof(scalar_t),bool_to_mask(pick_b),sizeof(out->limb[0]));
}

void API_NS(scalar_halve) (
scalar_t out,
const scalar_t a
) {
decaf_word_t mask = -(a->limb[0] & 1);
decaf_dword_t chain = 0;
unsigned int i;
for (i=0; i<SCALAR_LIMBS; i++) {
chain = (chain + a->limb[i]) + (sc_p->limb[i] & mask);
out->limb[i] = chain;
chain >>= DECAF_WORD_BITS;
}
for (i=0; i<SCALAR_LIMBS-1; i++) {
out->limb[i] = out->limb[i]>>1 | out->limb[i+1]<<(WBITS-1);
}
out->limb[i] = out->limb[i]>>1 | chain<<(WBITS-1);
}


+ 0
- 24
src/GENERATED/c/decaf/crypto.hxx View File

@@ -1,24 +0,0 @@
/**
* @file decaf/crypto.hxx
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
* Example Decaf crypto routines, C++ metaheader.
* @warning These are merely examples, though they ought to be secure. But real
* protocols will decide differently on magic numbers, formats, which items to
* hash, etc.
*
* @warning This file was automatically generated in Python.
* Please do not edit it.
*/

#ifndef __DECAF_CRYPTO_HXX__
#define __DECAF_CRYPTO_HXX__ 1

#include <decaf/crypto_255.hxx>
#include <decaf/crypto_448.hxx>

#endif /* __DECAF_CRYPTO_HXX__ */

+ 0
- 1598
src/GENERATED/c/ed448goldilocks/decaf.c
File diff suppressed because it is too large
View File


+ 0
- 125
src/GENERATED/c/ed448goldilocks/decaf_gen_tables.c View File

@@ -1,125 +0,0 @@
/**
* @file ed448goldilocks/decaf_gen_tables.c
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
* @brief Decaf global constant table precomputation.
*
* @warning This file was automatically generated in Python.
* Please do not edit it.
*/
#define _XOPEN_SOURCE 600 /* for posix_memalign */
#include <stdio.h>
#include <stdlib.h>

#include "field.h"
#include "f_field.h"
#include "decaf.h"

#define API_NS(_id) decaf_448_##_id
static const unsigned char base_point_ser_for_pregen[SER_BYTES] = {
0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33
};

/* To satisfy linker. */
const gf API_NS(precomputed_base_as_fe)[1];
const API_NS(point_t) API_NS(point_base);

struct niels_s;
const gf_s *API_NS(precomputed_wnaf_as_fe);
extern const size_t API_NS(sizeof_precomputed_wnafs);

void API_NS(precompute_wnafs) (
struct niels_s *out,
const API_NS(point_t) base
);
static void field_print(const gf f) {
unsigned char ser[X_SER_BYTES];
gf_serialize(ser,f,1);
int b=0, i, comma=0;
unsigned long long limb = 0;
printf("{FIELD_LITERAL(");
for (i=0; i<X_SER_BYTES; i++) {
limb |= ((uint64_t)ser[i])<<b;
b += 8;
if (b >= GF_LIT_LIMB_BITS || i == SER_BYTES-1) {
limb &= (1ull<<GF_LIT_LIMB_BITS) -1;
b -= GF_LIT_LIMB_BITS;
if (comma) printf(",");
comma = 1;
printf("0x%016llx", limb);
limb = ((uint64_t)ser[i])>>(8-b);
}
}
printf(")}");
assert(b<8);
}

int main(int argc, char **argv) {
(void)argc; (void)argv;
API_NS(point_t) real_point_base;
int ret = API_NS(point_decode)(real_point_base,base_point_ser_for_pregen,0);
if (ret != DECAF_SUCCESS) {
fprintf(stderr, "Can't decode base point!\n");
return 1;
}
API_NS(precomputed_s) *pre;
ret = posix_memalign((void**)&pre, API_NS(alignof_precomputed_s), API_NS(sizeof_precomputed_s));
if (ret || !pre) {
fprintf(stderr, "Can't allocate space for precomputed table\n");
return 1;
}
API_NS(precompute)(pre, real_point_base);
struct niels_s *pre_wnaf;
ret = posix_memalign((void**)&pre_wnaf, API_NS(alignof_precomputed_s), API_NS(sizeof_precomputed_wnafs));
if (ret || !pre_wnaf) {
fprintf(stderr, "Can't allocate space for precomputed WNAF table\n");
return 1;
}
API_NS(precompute_wnafs)(pre_wnaf, real_point_base);

const gf_s *output;
unsigned i;
printf("/** @warning: this file was automatically generated. */\n");
printf("#include \"field.h\"\n\n");
printf("#include <decaf.h>\n\n");
printf("#define API_NS(_id) decaf_448_##_id\n");
output = (const gf_s *)real_point_base;
printf("const API_NS(point_t) API_NS(point_base) = {{\n");
for (i=0; i < sizeof(API_NS(point_t)); i+=sizeof(gf)) {
if (i) printf(",\n ");
field_print(output++);
}
printf("\n}};\n");
output = (const gf_s *)pre;
printf("const gf API_NS(precomputed_base_as_fe)[%d]\n",
(int)(API_NS(sizeof_precomputed_s) / sizeof(gf)));
printf("VECTOR_ALIGNED __attribute__((visibility(\"hidden\"))) = {\n ");
for (i=0; i < API_NS(sizeof_precomputed_s); i+=sizeof(gf)) {
if (i) printf(",\n ");
field_print(output++);
}
printf("\n};\n");
output = (const gf_s *)pre_wnaf;
printf("const gf API_NS(precomputed_wnaf_as_fe)[%d]\n",
(int)(API_NS(sizeof_precomputed_wnafs) / sizeof(gf)));
printf("VECTOR_ALIGNED __attribute__((visibility(\"hidden\"))) = {\n ");
for (i=0; i < API_NS(sizeof_precomputed_wnafs); i+=sizeof(gf)) {
if (i) printf(",\n ");
field_print(output++);
}
printf("\n};\n");
return 0;
}

+ 0
- 354
src/GENERATED/c/ed448goldilocks/decaf_tables.c View File

@@ -1,354 +0,0 @@
/** @warning: this file was automatically generated. */
#include "field.h"

#include <decaf.h>

#define API_NS(_id) decaf_448_##_id
const API_NS(point_t) API_NS(point_base) = {{
{FIELD_LITERAL(0x0000000000000000,0x0000000000000000,0x0000000000000000,0x0080000000000000,0x00fffffffffffffe,0x00ffffffffffffff,0x00ffffffffffffff,0x007fffffffffffff)},
{FIELD_LITERAL(0x006079b4dfdd4a64,0x000c1e3ab470a1c8,0x0044d73f48e5199b,0x0050452714141818,0x004c74c393d5242c,0x0024080526437050,0x00d48d06c13078ca,0x008508de14f04286)},
{FIELD_LITERAL(0x0000000000000001,0x0000000000000000,0x0000000000000000,0x0000000000000000,0x0000000000000000,0x0000000000000000,0x0000000000000000,0x0000000000000000)},
{FIELD_LITERAL(0x00e3c816dc198105,0x0062071833f4e093,0x004dde98e3421403,0x00a319b57519c985,0x00794be956382384,0x00e1ddc2b86da60f,0x0050e23d5682a9ff,0x006d3669e173c6a4)}
}};
const gf API_NS(precomputed_base_as_fe)[240]
VECTOR_ALIGNED __attribute__((visibility("hidden"))) = {
{FIELD_LITERAL(0x00cc3b062366f4cc,0x003d6e34e314aa3c,0x00d51c0a7521774d,0x0094e060eec6ab8b,0x00d21291b4d80082,0x00befed12b55ef1e,0x00c3dd2df5c94518,0x00e0a7b112b8d4e6)},
{FIELD_LITERAL(0x0019eb5608d8723a,0x00d1bab52fb3aedb,0x00270a7311ebc90c,0x0037c12b91be7f13,0x005be16cd8b5c704,0x003e181acda888e1,0x00bc1f00fc3fc6d0,0x00d3839bfa319e20)},
{FIELD_LITERAL(0x003caeb88611909f,0x00ea8b378c4df3d4,0x00b3295b95a5a19a,0x00a65f97514bdfb5,0x00b39efba743cab1,0x0016ba98b862fd2d,0x0001508812ee71d7,0x000a75740eea114a)},
{FIELD_LITERAL(0x00ebcf0eb649f823,0x00166d332e98ea03,0x0059ddf64f5cd5f6,0x0047763123d9471b,0x00a64065c53ef62f,0x00978e44c480153d,0x000b5b2a0265f194,0x0046a24b9f32965a)},
{FIELD_LITERAL(0x00b9eef787034df0,0x0020bc24de3390cd,0x000022160bae99bb,0x00ae66e886e97946,0x0048d4bbe02cbb8b,0x0072ba97b34e38d4,0x00eae7ec8f03e85a,0x005ba92ecf808b2c)},
{FIELD_LITERAL(0x00c9cfbbe74258fd,0x00843a979ea9eaa7,0x000cbb4371cfbe90,0x0059bac8f7f0a628,0x004b3dff882ff530,0x0011869df4d90733,0x00595aa71f4abfc2,0x0070e2d38990c2e6)},
{FIELD_LITERAL(0x00de2010c0a01733,0x00c739a612e24297,0x00a7212643141d7c,0x00f88444f6b67c11,0x00484b7b16ec28f2,0x009c1b8856af9c68,0x00ff4669591fe9d6,0x0054974be08a32c8)},
{FIELD_LITERAL(0x0010de3fd682ceed,0x008c07642d83ca4e,0x0013bb064e00a1cc,0x009411ae27870e11,0x00ea8e5b4d531223,0x0032fe7d2aaece2e,0x00d989e243e7bb41,0x000fe79a508e9b8b)},
{FIELD_LITERAL(0x005e0426b9bfc5b1,0x0041a5b1d29ee4fa,0x0015b0def7774391,0x00bc164f1f51af01,0x00d543b0942797b9,0x003c129b6398099c,0x002b114c6e5adf18,0x00b4e630e4018a7b)},
{FIELD_LITERAL(0x00d490afc95f8420,0x00b096bf50c1d9b9,0x00799fd707679866,0x007c74d9334afbea,0x00efaa8be80ff4ed,0x0075c4943bb81694,0x00c21c2fca161f36,0x00e77035d492bfee)},
{FIELD_LITERAL(0x006658a190dd6661,0x00e0e9bab38609a6,0x0028895c802237ed,0x006a0229c494f587,0x002dcde96c9916b7,0x00d158822de16218,0x00173b917a06856f,0x00ca78a79ae07326)},
{FIELD_LITERAL(0x00e35bfc79caced4,0x0087238a3e1fe3bb,0x00bcbf0ff4ceff5b,0x00a19c1c94099b91,0x0071e102b49db976,0x0059e3d004eada1e,0x008da78afa58a47e,0x00579c8ebf269187)},
{FIELD_LITERAL(0x00a16c2905eee75f,0x009d4bcaea2c7e1d,0x00d3bd79bfad19df,0x0050da745193342c,0x006abdb8f6b29ab1,0x00a24fe0a4fef7ef,0x0063730da1057dfb,0x00a08c312c8eb108)},
{FIELD_LITERAL(0x00b583be005375be,0x00a40c8f8a4e3df4,0x003fac4a8f5bdbf7,0x00d4481d872cd718,0x004dc8749cdbaefe,0x00cce740d5e5c975,0x000b1c1f4241fd21,0x00a76de1b4e1cd07)},
{FIELD_LITERAL(0x007a076500d30b62,0x000a6e117b7f090f,0x00c8712ae7eebd9a,0x000fbd6c1d5f6ff7,0x003a7977246ebf11,0x00166ed969c6600e,0x00aa42e469c98bec,0x00dc58f307cf0666)},
{FIELD_LITERAL(0x004b491f65a9a28b,0x006a10309e8a55b7,0x00b67210185187ef,0x00cf6497b12d9b8f,0x0085778c56e2b1ba,0x0015b4c07a814d85,0x00686479e62da561,0x008de5d88f114916)},
{FIELD_LITERAL(0x00e37c88d6bba7b1,0x003e4577e1b8d433,0x0050d8ea5f510ec0,0x0042fc9f2da9ef59,0x003bd074c1141420,0x00561b8b7b68774e,0x00232e5e5d1013a3,0x006b7f2cb3d7e73f)},
{FIELD_LITERAL(0x004bdd0f0b41e6a0,0x001773057c405d24,0x006029f99915bd97,0x006a5ba70a17fe2f,0x0046111977df7e08,0x004d8124c89fb6b7,0x00580983b2bb2724,0x00207bf330d6f3fe)},
{FIELD_LITERAL(0x007efdc93972a48b,0x002f5e50e78d5fee,0x0080dc11d61c7fe5,0x0065aa598707245b,0x009abba2300641be,0x000c68787656543a,0x00ffe0fef2dc0a17,0x00007ffbd6cb4f3a)},
{FIELD_LITERAL(0x0036012f2b836efc,0x00458c126d6b5fbc,0x00a34436d719ad1e,0x0097be6167117dea,0x0009c219c879cff3,0x0065564493e60755,0x00993ac94a8cdec0,0x002d4885a4d0dbaf)},
{FIELD_LITERAL(0x00598b60b4c068ba,0x00c547a0be7f1afd,0x009582164acf12af,0x00af4acac4fbbe40,0x005f6ca7c539121a,0x003b6e752ebf9d66,0x00f08a30d5cac5d4,0x00e399bb5f97c5a9)},
{FIELD_LITERAL(0x007445a0409c0a66,0x00a65c369f3829c0,0x0031d248a4f74826,0x006817f34defbe8e,0x00649741d95ebf2e,0x00d46466ab16b397,0x00fdc35703bee414,0x00343b43334525f8)},
{FIELD_LITERAL(0x001796bea93f6401,0x00090c5a42e85269,0x00672412ba1252ed,0x001201d47b6de7de,0x006877bccfe66497,0x00b554fd97a4c161,0x009753f42dbac3cf,0x00e983e3e378270a)},
{FIELD_LITERAL(0x00ac3eff18849872,0x00f0eea3bff05690,0x00a6d72c21dd505d,0x001b832642424169,0x00a6813017b540e5,0x00a744bd71b385cd,0x0022a7d089130a7b,0x004edeec9a133486)},
{FIELD_LITERAL(0x00b2d6729196e8a9,0x0088a9bb2031cef4,0x00579e7787dc1567,0x0030f49feb059190,0x00a0b1d69c7f7d8f,0x0040bdcc6d9d806f,0x00d76c4037edd095,0x00bbf24376415dd7)},
{FIELD_LITERAL(0x00240465ff5a7197,0x00bb97e76caf27d0,0x004b4edbf8116d39,0x001d8586f708cbaa,0x000f8ee8ff8e4a50,0x00dde5a1945dd622,0x00e6fc1c0957e07c,0x0041c9cdabfd88a0)},
{FIELD_LITERAL(0x005344b0bf5b548c,0x002957d0b705cc99,0x00f586a70390553d,0x0075b3229f583cc3,0x00a1aa78227490e4,0x001bf09cf7957717,0x00cf6bf344325f52,0x0065bd1c23ca3ecf)},
{FIELD_LITERAL(0x009bff3b3239363c,0x00e17368796ef7c0,0x00528b0fe0971f3a,0x0008014fc8d4a095,0x00d09f2e8a521ec4,0x006713ab5dde5987,0x0003015758e0dbb1,0x00215999f1ba212d)},
{FIELD_LITERAL(0x002c88e93527da0e,0x0077c78f3456aad5,0x0071087a0a389d1c,0x00934dac1fb96dbd,0x008470e801162697,0x005bc2196cd4ad49,0x00e535601d5087c3,0x00769888700f497f)},
{FIELD_LITERAL(0x00da7a4b557298ad,0x0019d2589ea5df76,0x00ef3e38be0c6497,0x00a9644e1312609a,0x004592f61b2558da,0x0082c1df510d7e46,0x0042809a535c0023,0x00215bcb5afd7757)},
{FIELD_LITERAL(0x002b9df55a1a4213,0x00dcfc3b464a26be,0x00c4f9e07a8144d5,0x00c8e0617a92b602,0x008e3c93accafae0,0x00bf1bcb95b2ca60,0x004ce2426a613bf3,0x00266cac58e40921)},
{FIELD_LITERAL(0x008456d5db76e8f0,0x0032ca9cab2ce163,0x0059f2b8bf91abcf,0x0063c2a021712788,0x00f86155af22f72d,0x00db98b2a6c005a0,0x00ac6e416a693ac4,0x007a93572af53226)},
{FIELD_LITERAL(0x0087767520f0de22,0x0091f64012279fb5,0x001050f1f0644999,0x004f097a2477ad3c,0x006b37913a9947bd,0x001a3d78645af241,0x0057832bbb3008a7,0x002c1d902b80dc20)},
{FIELD_LITERAL(0x001a6002bf178877,0x009bce168aa5af50,0x005fc318ff04a7f5,0x0052818f55c36461,0x008768f5d4b24afb,0x0037ffbae7b69c85,0x0018195a4b61edc0,0x001e12ea088434b2)},
{FIELD_LITERAL(0x0047d3f804e7ab07,0x00a809ab5f905260,0x00b3ffc7cdaf306d,0x00746e8ec2d6e509,0x00d0dade8887a645,0x00acceeebde0dd37,0x009bc2579054686b,0x0023804f97f1c2bf)},
{FIELD_LITERAL(0x0043e2e2e50b80d7,0x00143aafe4427e0f,0x005594aaecab855b,0x008b12ccaaecbc01,0x002deeb091082bc3,0x009cca4be2ae7514,0x00142b96e696d047,0x00ad2a2b1c05256a)},
{FIELD_LITERAL(0x003914f2f144b78b,0x007a95dd8bee6f68,0x00c7f4384d61c8e6,0x004e51eb60f1bdb2,0x00f64be7aa4621d8,0x006797bfec2f0ac0,0x007d17aab3c75900,0x001893e73cac8bc5)},
{FIELD_LITERAL(0x00140360b768665b,0x00b68aca4967f977,0x0001089b66195ae4,0x00fe71122185e725,0x000bca2618d49637,0x00a54f0557d7e98a,0x00cdcd2f91d6f417,0x00ab8c13741fd793)},
{FIELD_LITERAL(0x00725ee6b1e549e0,0x007124a0769777fa,0x000b68fdad07ae42,0x0085b909cd4952df,0x0092d2e3c81606f4,0x009f22f6cac099a0,0x00f59da57f2799a8,0x00f06c090122f777)},
{FIELD_LITERAL(0x00ce0bed0a3532bc,0x001a5048a22df16b,0x00e31db4cbad8bf1,0x00e89292120cf00e,0x007d1dd1a9b00034,0x00e2a9041ff8f680,0x006a4c837ae596e7,0x00713af1068070b3)},
{FIELD_LITERAL(0x00c4fe64ce66d04b,0x00b095d52e09b3d7,0x00758bbecb1a3a8e,0x00f35cce8d0650c0,0x002b878aa5984473,0x0062e0a3b7544ddc,0x00b25b290ed116fe,0x007b0f6abe0bebf2)},
{FIELD_LITERAL(0x0081d4e3addae0a8,0x003410c836c7ffcc,0x00c8129ad89e4314,0x000e3d5a23922dcd,0x00d91e46f29c31f3,0x006c728cde8c5947,0x002bc655ba2566c0,0x002ca94721533108)},
{FIELD_LITERAL(0x0051e4b3f764d8a9,0x0019792d46e904a0,0x00853bc13dbc8227,0x000840208179f12d,0x0068243474879235,0x0013856fbfe374d0,0x00bda12fe8676424,0x00bbb43635926eb2)},
{FIELD_LITERAL(0x0012cdc880a93982,0x003c495b21cd1b58,0x00b7e5c93f22a26e,0x0044aa82dfb99458,0x009ba092cdffe9c0,0x00a14b3ab2083b73,0x000271c2f70e1c4b,0x00eea9cac0f66eb8)},
{FIELD_LITERAL(0x001a1847c4ac5480,0x00b1b412935bb03a,0x00f74285983bf2b2,0x00624138b5b5d0f1,0x008820c0b03d38bf,0x00b94e50a18c1572,0x0060f6934841798f,0x00c52f5d66d6ebe2)},
{FIELD_LITERAL(0x00da23d59f9bcea6,0x00e0f27007a06a4b,0x00128b5b43a6758c,0x000cf50190fa8b56,0x00fc877aba2b2d72,0x00623bef52edf53f,0x00e6af6b819669e2,0x00e314dc34fcaa4f)},
{FIELD_LITERAL(0x0066e5eddd164d1e,0x00418a7c6fe28238,0x0002e2f37e962c25,0x00f01f56b5975306,0x0048842fa503875c,0x0057b0e968078143,0x00ff683024f3d134,0x0082ae28fcad12e4)},
{FIELD_LITERAL(0x0011ddfd21260e42,0x00d05b0319a76892,0x00183ea4368e9b8f,0x00b0815662affc96,0x00b466a5e7ce7c88,0x00db93b07506e6ee,0x0033885f82f62401,0x0086f9090ec9b419)},
{FIELD_LITERAL(0x00d95d1c5fcb435a,0x0016d1ed6b5086f9,0x00792aa0b7e54d71,0x0067b65715f1925d,0x00a219755ec6176b,0x00bc3f026b12c28f,0x00700c897ffeb93e,0x0089b83f6ec50b46)},
{FIELD_LITERAL(0x003c97e6384da36e,0x00423d53eac81a09,0x00b70d68f3cdce35,0x00ee7959b354b92c,0x00f4e9718819c8ca,0x009349f12acbffe9,0x005aee7b62cb7da6,0x00d97764154ffc86)},
{FIELD_LITERAL(0x00526324babb46dc,0x002ee99b38d7bf9e,0x007ea51794706ef4,0x00abeb04da6e3c39,0x006b457c1d281060,0x00fe243e9a66c793,0x00378de0fb6c6ee4,0x003e4194b9c3cb93)},
{FIELD_LITERAL(0x00fed3cd80ca2292,0x0015b043a73ca613,0x000a9fd7bf9be227,0x003b5e03de2db983,0x005af72d46904ef7,0x00c0f1b5c49faa99,0x00dc86fc3bd305e1,0x00c92f08c1cb1797)},
{FIELD_LITERAL(0x0079680ce111ed3b,0x001a1ed82806122c,0x000c2e7466d15df3,0x002c407f6f7150fd,0x00c5e7c96b1b0ce3,0x009aa44626863ff9,0x00887b8b5b80be42,0x00b6023cec964825)},
{FIELD_LITERAL(0x00e4a8e1048970c8,0x0062887b7830a302,0x00bcf1c8cd81402b,0x0056dbb81a68f5be,0x0014eced83f12452,0x00139e1a510150df,0x00bb81140a82d1a3,0x000febcc1aaf1aa7)},
{FIELD_LITERAL(0x00a7527958238159,0x0013ec9537a84cd6,0x001d7fee7d562525,0x00b9eefa6191d5e5,0x00dbc97db70bcb8a,0x00481affc7a4d395,0x006f73d3e70c31bb,0x00183f324ed96a61)},
{FIELD_LITERAL(0x0039dd7ce7fc6860,0x00d64f6425653da1,0x003e037c7f57d0af,0x0063477a06e2bcf2,0x001727dbb7ac67e6,0x0049589f5efafe2e,0x00fc0fef2e813d54,0x008baa5d087fb50d)},
{FIELD_LITERAL(0x0024fb59d9b457c7,0x00a7d4e060223e4c,0x00c118d1b555fd80,0x0082e216c732f22a,0x00cd2a2993089504,0x003638e836a3e13d,0x000d855ee89b4729,0x008ec5b7d4810c91)},
{FIELD_LITERAL(0x001bf51f7d65cdfd,0x00d14cdafa16a97d,0x002c38e60fcd10e7,0x00a27446e393efbd,0x000b5d8946a71fdd,0x0063df2cde128f2f,0x006c8679569b1888,0x0059ffc4925d732d)},
{FIELD_LITERAL(0x00ece96f95f2b66f,0x00ece7952813a27b,0x0026fc36592e489e,0x007157d1a2de0f66,0x00759dc111d86ddf,0x0012881e5780bb0f,0x00c8ccc83ad29496,0x0012b9bd1929eb71)},
{FIELD_LITERAL(0x000fa15a20da5df0,0x00349ddb1a46cd31,0x002c512ad1d8e726,0x00047611f669318d,0x009e68fba591e17e,0x004320dffa803906,0x00a640874951a3d3,0x00b6353478baa24f)},
{FIELD_LITERAL(0x009696510000d333,0x00ec2f788bc04826,0x000e4d02b1f67ba5,0x00659aa8dace08b6,0x00d7a38a3a3ae533,0x008856defa8c746b,0x004d7a4402d3da1a,0x00ea82e06229260f)},
{FIELD_LITERAL(0x006a15bb20f75c0c,0x0079a144027a5d0c,0x00d19116ce0b4d70,0x0059b83bcb0b268e,0x005f58f63f16c127,0x0079958318ee2c37,0x00defbb063d07f82,0x00f1f0b931d2d446)},
{FIELD_LITERAL(0x00cb5e4c3c35d422,0x008df885ca43577f,0x00fa50b16ca3e471,0x005a0e58e17488c8,0x00b2ceccd6d34d19,0x00f01d5d235e36e9,0x00db2e7e4be6ca44,0x00260ab77f35fccd)},
{FIELD_LITERAL(0x006f6fd9baac61d5,0x002a7710a020a895,0x009de0db7fc03d4d,0x00cdedcb1875f40b,0x00050caf9b6b1e22,0x005e3a6654456ab0,0x00775fdf8c4423d4,0x0028701ea5738b5d)},
{FIELD_LITERAL(0x009ffd90abfeae96,0x00cba3c2b624a516,0x005ef08bcee46c91,0x00e6fde30afb6185,0x00f0b4db4f818ce4,0x006c54f45d2127f5,0x00040125035854c7,0x00372658a3287e13)},
{FIELD_LITERAL(0x00d7070fb1beb2ab,0x0078fc845a93896b,0x006894a4b2f224a6,0x005bdd8192b9dbde,0x00b38839874b3a9e,0x00f93618b04b7a57,0x003e3ec75fd2c67e,0x00bf5e6bfc29494a)},
{FIELD_LITERAL(0x00f19224ebba2aa5,0x0074f89d358e694d,0x00eea486597135ad,0x0081579a4555c7e1,0x0010b9b872930a9d,0x00f002e87a30ecc0,0x009b9d66b6de56e2,0x00a3c4f45e8004eb)},
{FIELD_LITERAL(0x0045e8dda9400888,0x002ff12e5fc05db7,0x00a7098d54afe69c,0x00cdbe846a500585,0x00879c1593ca1882,0x003f7a7fea76c8b0,0x002cd73dd0c8e0a1,0x00645d6ce96f51fe)},
{FIELD_LITERAL(0x002b7e83e123d6d6,0x00398346f7419c80,0x0042922e55940163,0x005e7fc5601886a3,0x00e88f2cee1d3103,0x00e7fab135f2e377,0x00b059984dbf0ded,0x0009ce080faa5bb8)},
{FIELD_LITERAL(0x0085e78af7758979,0x00275a4ee1631a3a,0x00d26bc0ed78b683,0x004f8355ea21064f,0x00d618e1a32696e5,0x008d8d7b150e5680,0x00a74cd854b278d2,0x001dd62702203ea0)},
{FIELD_LITERAL(0x00f89335c2a59286,0x00a0f5c905d55141,0x00b41fb836ee9382,0x00e235d51730ca43,0x00a5cb37b5c0a69a,0x009b966ffe136c45,0x00cb2ea10bf80ed1,0x00fb2b370b40dc35)},
{FIELD_LITERAL(0x00d687d16d4ee8ba,0x0071520bdd069dff,0x00de85c60d32355d,0x0087d2e3565102f4,0x00cde391b8dfc9aa,0x00e18d69efdfefe5,0x004a9d0591954e91,0x00fa36dd8b50eee5)},
{FIELD_LITERAL(0x002e788749a865f7,0x006e4dc3116861ea,0x009f1428c37276e6,0x00e7d2e0fc1e1226,0x003aeebc6b6c45f6,0x0071a8073bf500c9,0x004b22ad986b530c,0x00f439e63c0d79d4)},
{FIELD_LITERAL(0x006bc3d53011f470,0x00032d6e692b83e8,0x00059722f497cd0b,0x0009b4e6f0c497cc,0x0058a804b7cce6c0,0x002b71d3302bbd5d,0x00e2f82a36765fce,0x008dded99524c703)},
{FIELD_LITERAL(0x004d058953747d64,0x00701940fe79aa6f,0x00a620ac71c760bf,0x009532b611158b75,0x00547ed7f466f300,0x003cb5ab53a8401a,0x00c7763168ce3120,0x007e48e33e4b9ab2)},
{FIELD_LITERAL(0x001b2fc57bf3c738,0x006a3f918993fb80,0x0026f7a14fdec288,0x0075a2cdccef08db,0x00d3ecbc9eecdbf1,0x0048c40f06e5bf7f,0x00d63e423009896b,0x000598bc99c056a8)},
{FIELD_LITERAL(0x002f194eaafa46dc,0x008e38f57fe87613,0x00dc8e5ae25f4ab2,0x000a17809575e6bd,0x00d3ec7923ba366a,0x003a7e72e0ad75e3,0x0010024b88436e0a,0x00ed3c5444b64051)},
{FIELD_LITERAL(0x00831fc1340af342,0x00c9645669466d35,0x007692b4cc5a080f,0x009fd4a47ac9259f,0x001eeddf7d45928b,0x003c0446fc45f28b,0x002c0713aa3e2507,0x0095706935f0f41e)},
{FIELD_LITERAL(0x00766ae4190ec6d8,0x0065768cabc71380,0x00b902598416cdc2,0x00380021ad38df52,0x008f0b89d6551134,0x004254d4cc62c5a5,0x000d79f4484b9b94,0x00b516732ae3c50e)},
{FIELD_LITERAL(0x001fb73475c45509,0x00d2b2e5ea43345a,0x00cb3c3842077bd1,0x0029f90ad820946e,0x007c11b2380778aa,0x009e54ece62c1704,0x004bc60c41ca01c3,0x004525679a5a0b03)},
{FIELD_LITERAL(0x00c64fbddbed87b3,0x0040601d11731faa,0x009c22475b6f9d67,0x0024b79dae875f15,0x00616fed3f02c3b0,0x0000cf39f6af2d3b,0x00c46bac0aa9a688,0x00ab23e2800da204)},
{FIELD_LITERAL(0x000b3a37617632b0,0x00597199fe1cfb6c,0x0042a7ccdfeafdd6,0x004cc9f15ebcea17,0x00f436e596a6b4a4,0x00168861142df0d8,0x000753edfec26af5,0x000c495d7e388116)},
{FIELD_LITERAL(0x0017085f4a346148,0x00c7cf7a37f62272,0x001776e129bc5c30,0x009955134c9eef2a,0x001ba5bdf1df07be,0x00ec39497103a55c,0x006578354fda6cfb,0x005f02719d4f15ee)},
{FIELD_LITERAL(0x0052b9d9b5d9655d,0x00d4ec7ba1b461c3,0x00f95df4974f280b,0x003d8e5ca11aeb51,0x00d4981eb5a70b26,0x000af9a4f6659f29,0x004598c846faeb43,0x0049d9a183a47670)},
{FIELD_LITERAL(0x000a72d23dcb3f1f,0x00a3737f84011727,0x00f870c0fbbf4a47,0x00a7aadd04b5c9ca,0x000c7715c67bd072,0x00015a136afcd74e,0x0080d5caea499634,0x0026b448ec7514b7)},
{FIELD_LITERAL(0x00b60167d9e7d065,0x00e60ba0d07381e8,0x003a4f17b725c2d4,0x006c19fe176b64fa,0x003b57b31af86ccb,0x0021047c286180fd,0x00bdc8fb00c6dbb6,0x00fe4a9f4bab4f3f)},
{FIELD_LITERAL(0x0088ffc3a16111f7,0x009155e4245d0bc8,0x00851d68220572d5,0x00557ace1e514d29,0x0031d7c339d91022,0x00101d0ae2eaceea,0x00246ab3f837b66a,0x00d5216d381ff530)},
{FIELD_LITERAL(0x0057e7ea35f36dae,0x00f47d7ad15de22e,0x00d757ea4b105115,0x008311457d579d7e,0x00b49b75b1edd4eb,0x0081c7ff742fd63a,0x00ddda3187433df6,0x00475727d55f9c66)},
{FIELD_LITERAL(0x00a6295218dc136a,0x00563b3af0e9c012,0x00d3753b0145db1b,0x004550389c043dc1,0x00ea94ae27401bdf,0x002b0b949f2b7956,0x00c63f780ad8e23c,0x00e591c47d6bab15)},
{FIELD_LITERAL(0x00416c582b058eb6,0x004107da5b2cc695,0x00b3cd2556aeec64,0x00c0b418267e57a1,0x001799293579bd2e,0x0046ed44590e4d07,0x001d7459b3630a1e,0x00c6afba8b6696aa)},
{FIELD_LITERAL(0x008d6009b26da3f8,0x00898e88ca06b1ca,0x00edb22b2ed7fe62,0x00fbc93516aabe80,0x008b4b470c42ce0d,0x00e0032ba7d0dcbb,0x00d76da3a956ecc8,0x007f20fe74e3852a)},
{FIELD_LITERAL(0x002419222c607674,0x00a7f23af89188b3,0x00ad127284e73d1c,0x008bba582fae1c51,0x00fc6aa7ca9ecab1,0x003df5319eb6c2ba,0x002a05af8a8b199a,0x004bf8354558407c)},
{FIELD_LITERAL(0x00ce7d4a30f0fcbf,0x00d02c272629f03d,0x0048c001f7400bc2,0x002c21368011958d,0x0098a550391e96b5,0x002d80b66390f379,0x001fa878760cc785,0x001adfce54b613d5)},
{FIELD_LITERAL(0x001ed4dc71fa2523,0x005d0bff19bf9b5c,0x00c3801cee065a64,0x001ed0b504323fbf,0x0003ab9fdcbbc593,0x00df82070178b8d2,0x00a2bcaa9c251f85,0x00c628a3674bd02e)},
{FIELD_LITERAL(0x006b7a0674f9f8de,0x00a742414e5c7cff,0x0041cbf3c6e13221,0x00e3a64fd207af24,0x0087c05f15fbe8d1,0x004c50936d9e8a33,0x001306ec21042b6d,0x00a4f4137d1141c2)},
{FIELD_LITERAL(0x0009e6fb921568b0,0x00b3c60120219118,0x002a6c3460dd503a,0x009db1ef11654b54,0x0063e4bf0be79601,0x00670d34bb2592b9,0x00dcee2f6c4130ce,0x00b2682e88e77f54)},
{FIELD_LITERAL(0x000d5b4b3da135ab,0x00838f3e5064d81d,0x00d44eb50f6d94ed,0x0008931ab502ac6d,0x00debe01ca3d3586,0x0025c206775f0641,0x005ad4b6ae912763,0x007e2c318ad8f247)},
{FIELD_LITERAL(0x00ddbe0750dd1add,0x004b3c7b885844b8,0x00363e7ecf12f1ae,0x0062e953e6438f9d,0x0023cc73b076afe9,0x00b09fa083b4da32,0x00c7c3d2456c541d,0x005b591ec6b694d4)},
{FIELD_LITERAL(0x0028656e19d62fcf,0x0052a4af03df148d,0x00122765ddd14e42,0x00f2252904f67157,0x004741965b636f3a,0x006441d296132cb9,0x005e2106f956a5b7,0x00247029592d335c)},
{FIELD_LITERAL(0x003fe038eb92f894,0x000e6da1b72e8e32,0x003a1411bfcbe0fa,0x00b55d473164a9e4,0x00b9a775ac2df48d,0x0002ddf350659e21,0x00a279a69eb19cb3,0x00f844eab25cba44)},
{FIELD_LITERAL(0x00c41d1f9c1f1ac1,0x007b2df4e9f19146,0x00b469355fd5ba7a,0x00b5e1965afc852a,0x00388d5f1e2d8217,0x0022079e4c09ae93,0x0014268acd4ef518,0x00c1dd8d9640464c)},
{FIELD_LITERAL(0x0038526adeed0c55,0x00dd68c607e3fe85,0x00f746ddd48a5d57,0x0042f2952b963b7c,0x001cbbd6876d5ec2,0x005e341470bca5c2,0x00871d41e085f413,0x00e53ab098f45732)},
{FIELD_LITERAL(0x004d51124797c831,0x008f5ae3750347ad,0x0070ced94c1a0c8e,0x00f6db2043898e64,0x000d00c9a5750cd0,0x000741ec59bad712,0x003c9d11aab37b7f,0x00a67ba169807714)},
{FIELD_LITERAL(0x00adb2c1566e8b8f,0x0096c68a35771a9a,0x00869933356f334a,0x00ba9c93459f5962,0x009ec73fb6e8ca4b,0x003c3802c27202e1,0x0031f5b733e0c008,0x00f9058c19611fa9)},
{FIELD_LITERAL(0x00238f01814a3421,0x00c325a44b6cce28,0x002136f97aeb0e73,0x000cac8268a4afe2,0x0022fd218da471b3,0x009dcd8dfff8def9,0x00cb9f8181d999bb,0x00143ae56edea349)},
{FIELD_LITERAL(0x0000623bf87622c5,0x00a1966fdd069496,0x00c315b7b812f9fc,0x00bdf5efcd128b97,0x001d464f532e3e16,0x003cd94f081bfd7e,0x00ed9dae12ce4009,0x002756f5736eee70)},
{FIELD_LITERAL(0x00a5187e6ee7341b,0x00e6d52e82d83b6e,0x00df3c41323094a7,0x00b3324f444e9de9,0x00689eb21a35bfe5,0x00f16363becd548d,0x00e187cc98e7f60f,0x00127d9062f0ccab)},
{FIELD_LITERAL(0x004ad71b31c29e40,0x00a5fcace12fae29,0x004425b5597280ed,0x00e7ef5d716c3346,0x0010b53ada410ac8,0x0092310226060c9b,0x0091c26128729c7e,0x0088b42900f8ec3b)},
{FIELD_LITERAL(0x00f1e26e9762d4a8,0x00d9d74082183414,0x00ffec9bd57a0282,0x000919e128fd497a,0x00ab7ae7d00fe5f8,0x0054dc442851ff68,0x00c9ebeb3b861687,0x00507f7cab8b698f)},
{FIELD_LITERAL(0x00c13c5aae3ae341,0x009c6c9ed98373e7,0x00098f26864577a8,0x0015b886e9488b45,0x0037692c42aadba5,0x00b83170b8e7791c,0x001670952ece1b44,0x00fd932a39276da2)},
{FIELD_LITERAL(0x0081a3259bef3398,0x005480fff416107b,0x00ce4f607d21be98,0x003ffc084b41df9b,0x0043d0bb100502d1,0x00ec35f575ba3261,0x00ca18f677300ef3,0x00e8bb0a827d8548)},
{FIELD_LITERAL(0x00df76b3328ada72,0x002e20621604a7c2,0x00f910638a105b09,0x00ef4724d96ef2cd,0x00377d83d6b8a2f7,0x00b4f48805ade324,0x001cd5da8b152018,0x0045af671a20ca7f)},
{FIELD_LITERAL(0x009ae3b93a56c404,0x004a410b7a456699,0x00023a619355e6b2,0x009cdc7297387257,0x0055b94d4ae70d04,0x002cbd607f65b005,0x003208b489697166,0x00ea2aa058867370)},
{FIELD_LITERAL(0x00f29d2598ee3f32,0x00b4ac5385d82adc,0x007633eaf04df19b,0x00aa2d3d77ceab01,0x004a2302fcbb778a,0x00927f225d5afa34,0x004a8e9d5047f237,0x008224ae9dbce530)},
{FIELD_LITERAL(0x001cf640859b02f8,0x00758d1d5d5ce427,0x00763c784ef4604c,0x005fa81aee205270,0x00ac537bfdfc44cb,0x004b919bd342d670,0x00238508d9bf4b7a,0x00154888795644f3)},
{FIELD_LITERAL(0x00c845923c084294,0x00072419a201bc25,0x0045f408b5f8e669,0x00e9d6a186b74dfe,0x00e19108c68fa075,0x0017b91d874177b7,0x002f0ca2c7912c5a,0x009400aa385a90a2)},
{FIELD_LITERAL(0x0071110b01482184,0x00cfed0044f2bef8,0x0034f2901cf4662e,0x003b4ae2a67f9834,0x00cca9b96fe94810,0x00522507ae77abd0,0x00bac7422721e73e,0x0066622b0f3a62b0)},
{FIELD_LITERAL(0x00f8ac5cf4705b6a,0x00867d82dcb457e3,0x007e13ab2ccc2ce9,0x009ee9a018d3930e,0x008370f8ecb42df8,0x002d9f019add263e,0x003302385b92d196,0x00a15654536e2c0c)},
{FIELD_LITERAL(0x0026ef1614e160af,0x00c023f9edfc9c76,0x00cff090da5f57ba,0x0076db7a66643ae9,0x0019462f8c646999,0x008fec00b3854b22,0x00d55041692a0a1c,0x0065db894215ca00)},
{FIELD_LITERAL(0x00a925036e0a451c,0x002a0390c36b6cc1,0x00f27020d90894f4,0x008d90d52cbd3d7f,0x00e1d0137392f3b8,0x00f017c158b51a8f,0x00cac313d3ed7dbc,0x00b99a81e3eb42d3)},
{FIELD_LITERAL(0x00b54850275fe626,0x0053a3fd1ec71140,0x00e3d2d7dbe096fa,0x00e4ac7b595cce4c,0x0077bad449c0a494,0x00b7c98814afd5b3,0x0057226f58486cf9,0x00b1557154f0cc57)},
{FIELD_LITERAL(0x008cc9cd236315c0,0x0031d9c5b39fda54,0x00a5713ef37e1171,0x00293d5ae2886325,0x00c4aba3e05015e1,0x0003f35ef78e4fc6,0x0039d6bd3ac1527b,0x0019d7c3afb77106)},
{FIELD_LITERAL(0x007b162931a985af,0x00ad40a2e0daa713,0x006df27c4009f118,0x00503e9f4e2e8bec,0x00751a77c82c182d,0x000298937769245b,0x00ffb1e8fabf9ee5,0x0008334706e09abe)},
{FIELD_LITERAL(0x00dbca4e98a7dcd9,0x00ee29cfc78bde99,0x00e4a3b6995f52e9,0x0045d70189ae8096,0x00fd2a8a3b9b0d1b,0x00af1793b107d8e1,0x00dbf92cbe4afa20,0x00da60f798e3681d)},
{FIELD_LITERAL(0x004246bfcecc627a,0x004ba431246c03a4,0x00bd1d101872d497,0x003b73d3f185ee16,0x001feb2e2678c0e3,0x00ff13c5a89dec76,0x00ed06042e771d8f,0x00a4fd2a897a83dd)},
{FIELD_LITERAL(0x009a4a3be50d6597,0x00de3165fc5a1096,0x004f3f56e345b0c7,0x00f7bf721d5ab8bc,0x004313e47b098c50,0x00e4c7d5c0e1adbb,0x002e3e3db365051e,0x00a480c2cd6a96fb)},
{FIELD_LITERAL(0x00417fa30a7119ed,0x00af257758419751,0x00d358a487b463d4,0x0089703cc720b00d,0x00ce56314ff7f271,0x0064db171ade62c1,0x00640b36d4a22fed,0x00424eb88696d23f)},
{FIELD_LITERAL(0x004ede34af2813f3,0x00d4a8e11c9e8216,0x004796d5041de8a5,0x00c4c6b4d21cc987,0x00e8a433ee07fa1e,0x0055720b5abcc5a1,0x008873ea9c74b080,0x005b3fec1ab65d48)},
{FIELD_LITERAL(0x0047e5277db70ec5,0x000a096c66db7d6b,0x00b4164cc1730159,0x004a9f783fe720fe,0x00a8177b94449dbc,0x0095a24ff49a599f,0x0069c1c578250cbc,0x00452019213debf4)},
{FIELD_LITERAL(0x0021ce99e09ebda3,0x00fcbd9f91875ad0,0x009bbf6b7b7a0b5f,0x00388886a69b1940,0x00926a56d0f81f12,0x00e12903c3358d46,0x005dfce4e8e1ce9d,0x0044cfa94e2f7e23)},
{FIELD_LITERAL(0x001bd59c09e982ea,0x00f72daeb937b289,0x0018b76dca908e0e,0x00edb498512384ad,0x00ce0243b6cc9538,0x00f96ff690cb4e70,0x007c77bf9f673c8d,0x005bf704c088a528)},
{FIELD_LITERAL(0x0093d4628dcb33be,0x0095263d51d42582,0x0049b3222458fe06,0x00e7fce73b653a7f,0x003ca2ebce60b369,0x00c5de239a32bea4,0x0063b8b3d71fb6bf,0x0039aeeb78a1a839)},
{FIELD_LITERAL(0x007dc52da400336c,0x001fded1e15b9457,0x00902e00f5568e3a,0x00219bef40456d2d,0x005684161fb3dbc9,0x004a4e9be49a76ea,0x006e685ae88b78ff,0x0021c42f13042d3c)},
{FIELD_LITERAL(0x00fb22bb5fd3ce50,0x0017b48aada7ae54,0x00fd5c44ad19a536,0x000ccc4e4e55e45c,0x00fd637d45b4c3f5,0x0038914e023c37cf,0x00ac1881d6a8d898,0x00611ed8d3d943a8)},
{FIELD_LITERAL(0x0056e2259d113d2b,0x00594819b284ec16,0x00c7bf794bb36696,0x00721ee75097cdc6,0x00f71be9047a2892,0x00df6ba142564edf,0x0069580b7a184e8d,0x00f056e38fca0fee)},
{FIELD_LITERAL(0x009df98566a18c6d,0x00cf3a200968f219,0x0044ba60da6d9086,0x00dbc9c0e344da03,0x000f9401c4466855,0x00d46a57c5b0a8d1,0x00875a635d7ac7c6,0x00ef4a933b7e0ae6)},
{FIELD_LITERAL(0x005e8694077a1535,0x008bef75f71c8f1d,0x000a7c1316423511,0x00906e1d70604320,0x003fc46c1a2ffbd6,0x00d1d5022e68f360,0x002515fba37bbf46,0x00ca16234e023b44)},
{FIELD_LITERAL(0x00787c99561f4690,0x00a857a8c1561f27,0x00a10df9223c09fe,0x00b98a9562e3b154,0x004330b8744c3ed2,0x00e06812807ec5c4,0x00e4cf6a7db9f1e3,0x00d95b089f132a34)},
{FIELD_LITERAL(0x002922b39ca33eec,0x0090d12a5f3ab194,0x00ab60c02fb5f8ed,0x00188d292abba1cf,0x00e10edec9698f6e,0x0069a4d9934133c8,0x0024aac40e6d3d06,0x001702c2177661b0)},
{FIELD_LITERAL(0x00139078397030bd,0x000e3c447e859a00,0x0064a5b334c82393,0x00b8aabeb7358093,0x00020778bb9ae73b,0x0032ee94c7892a18,0x008215253cb41bda,0x005e2797593517ae)},
{FIELD_LITERAL(0x0083765a5f855d4a,0x0051b6d1351b8ee2,0x00116de548b0f7bb,0x0087bd88703affa0,0x0095b2cc34d7fdd2,0x0084cd81b53f0bc8,0x008562fc995350ed,0x00a39abb193651e3)},
{FIELD_LITERAL(0x0019e23f0474b114,0x00eb94c2ad3b437e,0x006ddb34683b75ac,0x00391f9209b564c6,0x00083b3bb3bff7aa,0x00eedcd0f6dceefc,0x00b50817f794fe01,0x0036474deaaa75c9)},
{FIELD_LITERAL(0x0091868594265aa2,0x00797accae98ca6d,0x0008d8c5f0f8a184,0x00d1f4f1c2b2fe6e,0x0036783dfb48a006,0x008c165120503527,0x0025fd780058ce9b,0x0068beb007be7d27)},
{FIELD_LITERAL(0x00d0ff88aa7c90c2,0x00b2c60dacf53394,0x0094a7284d9666d6,0x00bed9022ce7a19d,0x00c51553f0cd7682,0x00c3fb870b124992,0x008d0bc539956c9b,0x00fc8cf258bb8885)},
{FIELD_LITERAL(0x003667bf998406f8,0x0000115c43a12975,0x001e662f3b20e8fd,0x0019ffa534cb24eb,0x00016be0dc8efb45,0x00ff76a8b26243f5,0x00ae20d241a541e3,0x0069bd6af13cd430)},
{FIELD_LITERAL(0x0045fdc16487cda3,0x00b2d8e844cf2ed7,0x00612c50e88c1607,0x00a08aabc66c1672,0x006031fdcbb24d97,0x001b639525744b93,0x004409d62639ab17,0x00a1853d0347ab1d)},
{FIELD_LITERAL(0x0075a1a56ebf5c21,0x00a3e72be9ac53ed,0x00efcde1629170c2,0x0004225fe91ef535,0x0088049fc73dfda7,0x004abc74857e1288,0x0024e2434657317c,0x00d98cb3d3e5543c)},
{FIELD_LITERAL(0x00b4b53eab6bdb19,0x009b22d8b43711d0,0x00d948b9d961785d,0x00cb167b6f279ead,0x00191de3a678e1c9,0x00d9dd9511095c2e,0x00f284324cd43067,0x00ed74fa535151dd)},
{FIELD_LITERAL(0x007e32c049b5c477,0x009d2bfdbd9bcfd8,0x00636e93045938c6,0x007fde4af7687298,0x0046a5184fafa5d3,0x0079b1e7f13a359b,0x00875adf1fb927d6,0x00333e21c61bcad2)},
{FIELD_LITERAL(0x00048014f73d8b8d,0x0075684aa0966388,0x0092be7df06dc47c,0x0097cebcd0f5568a,0x005a7004d9c4c6a9,0x00b0ecbb659924c7,0x00d90332dd492a7c,0x0057fc14df11493d)},
{FIELD_LITERAL(0x0008ed8ea0ad95be,0x0041d324b9709645,0x00e25412257a19b4,0x0058df9f3423d8d2,0x00a9ab20def71304,0x009ae0dbf8ac4a81,0x00c9565977e4392a,0x003c9269444baf55)},
{FIELD_LITERAL(0x007df6cbb926830b,0x00d336058ae37865,0x007af47dac696423,0x0048d3011ec64ac8,0x006b87666e40049f,0x0036a2e0e51303d7,0x00ba319bd79dbc55,0x003e2737ecc94f53)},
{FIELD_LITERAL(0x00d296ff726272d9,0x00f6d097928fcf57,0x00e0e616a55d7013,0x00deaf454ed9eac7,0x0073a56bedef4d92,0x006ccfdf6fc92e19,0x009d1ee1371a7218,0x00ee3c2ee4462d80)},
{FIELD_LITERAL(0x00437bce9bccdf9d,0x00e0c8e2f85dc0a3,0x00c91a7073995a19,0x00856ec9fe294559,0x009e4b33394b156e,0x00e245b0dc497e5c,0x006a54e687eeaeff,0x00f1cd1cd00fdb7c)},
{FIELD_LITERAL(0x008132ae5c5d8cd1,0x00121d68324a1d9f,0x00d6be9dafcb8c76,0x00684d9070edf745,0x00519fbc96d7448e,0x00388182fdc1f27e,0x000235baed41f158,0x00bf6cf6f1a1796a)},
{FIELD_LITERAL(0x002adc4b4d148219,0x003084ada0d3a90a,0x0046de8aab0f2e4e,0x00452d342a67b5fd,0x00d4b50f01d4de21,0x00db6d9fc0cefb79,0x008c184c86a462cd,0x00e17c83764d42da)},
{FIELD_LITERAL(0x007b2743b9a1e01a,0x007847ffd42688c4,0x006c7844d610a316,0x00f0cb8b250aa4b0,0x00a19060143b3ae6,0x0014eb10b77cfd80,0x000170905729dd06,0x00063b5b9cd72477)},
{FIELD_LITERAL(0x00ce382dc7993d92,0x00021153e938b4c8,0x00096f7567f48f51,0x0058f81ddfe4b0d5,0x00cc379a56b355c7,0x002c760770d3e819,0x00ee22d1d26e5a40,0x00de6d93d5b082d7)},
{FIELD_LITERAL(0x000a91a42c52e056,0x00185f6b77fce7ea,0x000803c51962f6b5,0x0022528582ba563d,0x0043f8040e9856d6,0x0085a29ec81fb860,0x005f9a611549f5ff,0x00c1f974ecbd4b06)},
{FIELD_LITERAL(0x005b64c6fd65ec97,0x00c1fdd7f877bc7f,0x000d9cc6c89f841c,0x005c97b7f1aff9ad,0x0075e3c61475d47e,0x001ecb1ba8153011,0x00fe7f1c8d71d40d,0x003fa9757a229832)},
{FIELD_LITERAL(0x00ffc5c89d2b0cba,0x00d363d42e3e6fc3,0x0019a1a0118e2e8a,0x00f7baeff48882e1,0x001bd5af28c6b514,0x0055476ca2253cb2,0x00d8eb1977e2ddf3,0x00b173b1adb228a1)},
{FIELD_LITERAL(0x00f2cb99dd0ad707,0x00e1e08b6859ddd8,0x000008f2d0650bcc,0x00d7ed392f8615c3,0x00976750a94da27f,0x003e83bb0ecb69ba,0x00df8e8d15c14ac6,0x00f9f7174295d9c2)},
{FIELD_LITERAL(0x00f11cc8e0e70bcb,0x00e5dc689974e7dd,0x0014e409f9ee5870,0x00826e6689acbd63,0x008a6f4e3d895d88,0x00b26a8da41fd4ad,0x000fb7723f83efd7,0x009c749db0a5f6c3)},
{FIELD_LITERAL(0x002389319450f9ba,0x003677f31aa1250a,0x0092c3db642f38cb,0x00f8b64c0dfc9773,0x00cd49fe3505b795,0x0068105a4090a510,0x00df0ba2072a8bb6,0x00eb396143afd8be)},
{FIELD_LITERAL(0x00a0d4ecfb24cdff,0x00ddaf8008ba6479,0x00f0b3e36d4b0f44,0x003734bd3af1f146,0x00b87e2efc75527e,0x00d230df55ddab50,0x002613257ae56c1d,0x00bc0946d135934d)},
{FIELD_LITERAL(0x00468711bd994651,0x0033108fa67561bf,0x0089d760192a54b4,0x00adc433de9f1871,0x000467d05f36e050,0x007847e0f0579f7f,0x00a2314ad320052d,0x00b3a93649f0b243)},
{FIELD_LITERAL(0x0067f8f0c4fe26c9,0x0079c4a3cc8f67b9,0x0082b1e62f23550d,0x00f2d409caefd7f5,0x0080e67dcdb26e81,0x0087ae993ea1f98a,0x00aa108becf61d03,0x001acf11efb608a3)},
{FIELD_LITERAL(0x008225febbab50d9,0x00f3b605e4dd2083,0x00a32b28189e23d2,0x00d507e5e5eb4c97,0x005a1a84e302821f,0x0006f54c1c5f08c7,0x00a347c8cb2843f0,0x0009f73e9544bfa5)},
{FIELD_LITERAL(0x006c59c9ae744185,0x009fc32f1b4282cd,0x004d6348ca59b1ac,0x00105376881be067,0x00af4096013147dc,0x004abfb5a5cb3124,0x000d2a7f8626c354,0x009c6ed568e07431)},
{FIELD_LITERAL(0x00e828333c297f8b,0x009ef3cf8c3f7e1f,0x00ab45f8fff31cb9,0x00c8b4178cb0b013,0x00d0c50dd3260a3f,0x0097126ac257f5bc,0x0042376cc90c705a,0x001d96fdb4a1071e)},
{FIELD_LITERAL(0x00542d44d89ee1a8,0x00306642e0442d98,0x0090853872b87338,0x002362cbf22dc044,0x002c222adff663b8,0x0067c924495fcb79,0x000e621d983c977c,0x00df77a9eccb66fb)},
{FIELD_LITERAL(0x002809e4bbf1814a,0x00b9e854f9fafb32,0x00d35e67c10f7a67,0x008f1bcb76e748cf,0x004224d9515687d2,0x005ba0b774e620c4,0x00b5e57db5d54119,0x00e15babe5683282)},
{FIELD_LITERAL(0x00832d02369b482c,0x00cba52ff0d93450,0x003fa9c908d554db,0x008d1e357b54122f,0x00abd91c2dc950c6,0x007eff1df4c0ec69,0x003f6aeb13fb2d31,0x00002d6179fc5b2c)},
{FIELD_LITERAL(0x0046c9eda81c9c89,0x00b60cb71c8f62fc,0x0022f5a683baa558,0x00f87319fccdf997,0x009ca09b51ce6a22,0x005b12baf4af7d77,0x008a46524a1e33e2,0x00035a77e988be0d)},
{FIELD_LITERAL(0x00a7efe46a7dbe2f,0x002f66fd55014fe7,0x006a428afa1ff026,0x0056caaa9604ab72,0x0033f3bcd7fac8ae,0x00ccb1aa01c86764,0x00158d1edf13bf40,0x009848ee76fcf3b4)},
{FIELD_LITERAL(0x00a9e7730a819691,0x00d9cc73c4992b70,0x00e299bde067de5a,0x008c314eb705192a,0x00e7226f17e8a3cc,0x0029dfd956e65a47,0x0053a8e839073b12,0x006f942b2ab1597e)},
{FIELD_LITERAL(0x001c3d780ecd5e39,0x0094f247fbdcc5fe,0x00d5c786fd527764,0x00b6f4da74f0db2a,0x0080f1f8badcd5fc,0x00f36a373ad2e23b,0x00f804f9f4343bf2,0x00d1af40ec623982)},
{FIELD_LITERAL(0x0082aeace5f1b144,0x00f68b3108cf4dd3,0x00634af01dde3020,0x000beab5df5c2355,0x00e8b790d1b49b0b,0x00e48d15854e36f4,0x0040ab2d95f3db9f,0x002711c4ed9e899a)},
{FIELD_LITERAL(0x0039343746531ebe,0x00c8509d835d429d,0x00e79eceff6b0018,0x004abfd31e8efce5,0x007bbfaaa1e20210,0x00e3be89c193e179,0x001c420f4c31d585,0x00f414a315bef5ae)},
{FIELD_LITERAL(0x007c296a24990df8,0x00d5d07525a75588,0x00dd8e113e94b7e7,0x007bbc58febe0cc8,0x0029f51af9bfcad3,0x007e9311ec7ab6f3,0x009a884de1676343,0x0050d5f2dce84be9)},
{FIELD_LITERAL(0x005fa020cca2450a,0x00491c29db6416d8,0x0037cefe3f9f9a85,0x003d405230647066,0x0049e835f0fdbe89,0x00feb78ac1a0815c,0x00828e4b32dc9724,0x00db84f2dc8d6fd4)},
{FIELD_LITERAL(0x0098cddc8b39549a,0x006da37e3b05d22c,0x00ce633cfd4eb3cb,0x00fda288ef526acd,0x0025338878c5d30a,0x00f34438c4e5a1b4,0x00584efea7c310f1,0x0041a551f1b660ad)},
{FIELD_LITERAL(0x00d7f7a8fbd6437a,0x0062872413bf3753,0x00ad4bbcb43c584b,0x007fe49be601d7e3,0x0077c659789babf4,0x00eb45fcb06a741b,0x005ce244913f9708,0x0088426401736326)},
{FIELD_LITERAL(0x007bf562ca768d7c,0x006c1f3a174e387c,0x00f024b447fee939,0x007e7af75f01143f,0x003adb70b4eed89d,0x00e43544021ad79a,0x0091f7f7042011f6,0x0093c1a1ee3a0ddc)},
{FIELD_LITERAL(0x00a0b68ec1eb72d2,0x002c03235c0d45a0,0x00553627323fe8c5,0x006186e94b17af94,0x00a9906196e29f14,0x0025b3aee6567733,0x007e0dd840080517,0x0018eb5801a4ba93)},
{FIELD_LITERAL(0x00d7fe7017bf6a40,0x006e3f0624be0c42,0x00ffbba205358245,0x00f9fc2cf8194239,0x008d93b37bf15b4e,0x006ddf2e38be8e95,0x002b6e79bf5fcff9,0x00ab355da425e2de)},
{FIELD_LITERAL(0x00938f97e20be973,0x0099141a36aaf306,0x0057b0ca29e545a1,0x0085db571f9fbc13,0x008b333c554b4693,0x0043ab6ef3e241cb,0x0054fb20aa1e5c70,0x00be0ff852760adf)},
{FIELD_LITERAL(0x003973d8938971d6,0x002aca26fa80c1f5,0x00108af1faa6b513,0x00daae275d7924e6,0x0053634ced721308,0x00d2355fe0bbd443,0x00357612b2d22095,0x00f9bb9dd4136cf3)},
{FIELD_LITERAL(0x002bff12cf5e03a5,0x001bdb1fa8a19cf8,0x00c91c6793f84d39,0x00f869f1b2eba9af,0x0059bc547dc3236b,0x00d91611d6d38689,0x00e062daaa2c0214,0x00ed3c047cc2bc82)},
{FIELD_LITERAL(0x000050d70c32b31a,0x001939d576d437b3,0x00d709e598bf9fe6,0x00a885b34bd2ee9e,0x00dd4b5c08ab1a50,0x0091bebd50b55639,0x00cf79ff64acdbc6,0x006067a39d826336)},
{FIELD_LITERAL(0x0062dd0fb31be374,0x00fcc96b84c8e727,0x003f64f1375e6ae3,0x0057d9b6dd1af004,0x00d6a167b1103c7b,0x00dd28f3180fb537,0x004ff27ad7167128,0x008934c33461f2ac)},
{FIELD_LITERAL(0x0065b472b7900043,0x00ba7efd2ff1064b,0x000b67d6c4c3020f,0x0012d28469f4e46d,0x0031c32939703ec7,0x00b49f0bce133066,0x00f7e10416181d47,0x005c90f51867eecc)},
{FIELD_LITERAL(0x0051207abd179101,0x00fc2a5c20d9c5da,0x00fb9d5f2701b6df,0x002dd040fdea82b8,0x00f163b0738442ff,0x00d9736bd68855b8,0x00e0d8e93005e61c,0x00df5a40b3988570)},
{FIELD_LITERAL(0x0006918f5dfce6dc,0x00d4bf1c793c57fb,0x0069a3f649435364,0x00e89a50e5b0cd6e,0x00b9f6a237e973af,0x006d4ed8b104e41d,0x00498946a3924cd2,0x00c136ec5ac9d4f7)},
{FIELD_LITERAL(0x0011a9c290ac5336,0x002b9a2d4a6a6533,0x009a8a68c445d937,0x00361b27b07e5e5c,0x003c043b1755b974,0x00b7eb66cf1155ee,0x0077af5909eefff2,0x0098f609877cc806)},
{FIELD_LITERAL(0x00ab13af436bf8f4,0x000bcf0a0dac8574,0x00d50c864f705045,0x00c40e611debc842,0x0085010489bd5caa,0x007c5050acec026f,0x00f67d943c8da6d1,0x00de1da0278074c6)},
{FIELD_LITERAL(0x00b373076597455f,0x00e83f1af53ac0f5,0x0041f63c01dc6840,0x0097dea19b0c6f4b,0x007f9d63b4c1572c,0x00e692d492d0f5f0,0x00cbcb392e83b4ad,0x0069c0f39ed9b1a8)},
{FIELD_LITERAL(0x00861030012707c9,0x009fbbdc7fd4aafb,0x008f591d6b554822,0x00df08a41ea18ade,0x009d7d83e642abea,0x0098c71bda3b78ff,0x0022c89e7021f005,0x0044d29a3fe1e3c4)},
{FIELD_LITERAL(0x00e748cd7b5c52f2,0x00ea9df883f89cc3,0x0018970df156b6c7,0x00c5a46c2a33a847,0x00cbde395e32aa09,0x0072474ebb423140,0x00fb00053086a23d,0x001dafcfe22d4e1f)},
{FIELD_LITERAL(0x00c903ee6d825540,0x00add6c4cf98473e,0x007636efed4227f1,0x00905124ae55e772,0x00e6b38fab12ed53,0x0045e132b863fe55,0x003974662edb366a,0x00b1787052be8208)},
{FIELD_LITERAL(0x00a614b00d775c7c,0x00d7c78941cc7754,0x00422dd68b5dabc4,0x00a6110f0167d28b,0x00685a309c252886,0x00b439ffd5143660,0x003656e29ee7396f,0x00c7c9b9ed5ad854)},
{FIELD_LITERAL(0x0040f7e7c5b37bf2,0x0064e4dc81181bba,0x00a8767ae2a366b6,0x001496b4f90546f2,0x002a28493f860441,0x0021f59513049a3a,0x00852d369a8b7ee3,0x00dd2e7d8b7d30a9)},
{FIELD_LITERAL(0x00006e34a35d9fbc,0x00eee4e48b2f019a,0x006b344743003a5f,0x00541d514f04a7e3,0x00e81f9ee7647455,0x005e2b916c438f81,0x00116f8137b7eff0,0x009bd3decc7039d1)},
{FIELD_LITERAL(0x0005d226f434110d,0x00af8288b8ef21d5,0x004a7a52ef181c8c,0x00be0b781b4b06de,0x00e6e3627ded07e1,0x00e43aa342272b8b,0x00e86ab424577d84,0x00fb292c566e35bb)},
{FIELD_LITERAL(0x00334f5303ea1222,0x00dfb3dbeb0a5d3e,0x002940d9592335c1,0x00706a7a63e8938a,0x005a533558bc4caf,0x00558e33192022a9,0x00970d9faf74c133,0x002979fcb63493ca)},
{FIELD_LITERAL(0x00e38abece3c82ab,0x005a51f18a2c7a86,0x009dafa2e86d592e,0x00495a62eb688678,0x00b79df74c0eb212,0x0023e8cc78b75982,0x005998cb91075e13,0x00735aa9ba61bc76)},
{FIELD_LITERAL(0x00d9f7a82ddbe628,0x00a1fc782889ae0f,0x0071ffda12d14b66,0x0037cf4eca7fb3d5,0x00c80bc242c58808,0x0075bf8c2d08c863,0x008d41f31afc52a7,0x00197962ecf38741)},
{FIELD_LITERAL(0x006e9f475cccf2ee,0x00454b9cd506430c,0x00224a4fb79ee479,0x0062e3347ef0b5e2,0x0034fd2a3512232a,0x00b8b3cb0f457046,0x00eb20165daa38ec,0x00128eebc2d9c0f7)},
{FIELD_LITERAL(0x00bfc5fa1e4ea21f,0x00c21d7b6bb892e6,0x00cf043f3acf0291,0x00c13f2f849b3c90,0x00d1a97ebef10891,0x0061e130a445e7fe,0x0019513fdedbf22b,0x001d60c813bff841)},
{FIELD_LITERAL(0x0019561c7fcf0213,0x00e3dca6843ebd77,0x0068ea95b9ca920e,0x009bdfb70f253595,0x00c68f59186aa02a,0x005aee1cca1c3039,0x00ab79a8a937a1ce,0x00b9a0e549959e6f)},
{FIELD_LITERAL(0x00c79e0b6d97dfbd,0x00917c71fd2bc6e8,0x00db7529ccfb63d8,0x00be5be957f17866,0x00a9e11fdc2cdac1,0x007b91a8e1f44443,0x00a3065e4057d80f,0x004825f5b8d5f6d4)},
{FIELD_LITERAL(0x003e4964fa8a8fc8,0x00f6a1cdbcf41689,0x00943cb18fe7fda7,0x00606dafbf34440a,0x005d37a86399c789,0x00e79a2a69417403,0x00fe34f7e68b8866,0x0011f448ed2df10e)},
{FIELD_LITERAL(0x00f1f57efcc1fcc4,0x00513679117de154,0x002e5b5b7c86d8c3,0x009f6486561f9cfb,0x00169e74b0170cf7,0x00900205af4af696,0x006acfddb77853f3,0x00df184c90f31068)},
{FIELD_LITERAL(0x00b37396c3320791,0x00fc7b67175c5783,0x00c36d2cd73ecc38,0x0080ebcc0b328fc5,0x0043a5b22b35d35d,0x00466c9f1713c9da,0x0026ad346dcaa8da,0x007c684e701183a6)},
{FIELD_LITERAL(0x00fd579ffb691713,0x00b76af4f81c412d,0x00f239de96110f82,0x00e965fb437f0306,0x00ca7e9436900921,0x00e487f1325fa24a,0x00633907de476380,0x00721c62ac5b8ea0)},
{FIELD_LITERAL(0x00c0d54e542eb4f9,0x004ed657171c8dcf,0x00b743a4f7c2a39b,0x00fd9f93ed6cc567,0x00307fae3113e58b,0x0058aa577c93c319,0x00d254556f35b346,0x00491aada2203f0d)},
{FIELD_LITERAL(0x00dff3103786ff34,0x000144553b1f20c3,0x0095613baeb930e4,0x00098058275ea5d4,0x007cd1402b046756,0x0074d74e4d58aee3,0x005f93fc343ff69b,0x00873df17296b3b0)},
{FIELD_LITERAL(0x00c4a1fb48635413,0x00b5dd54423ad59f,0x009ff5d53fd24a88,0x003c98d267fc06a7,0x002db7cb20013641,0x00bd1d6716e191f2,0x006dbc8b29094241,0x0044bbf233dafa2c)},
{FIELD_LITERAL(0x0055838d41f531e6,0x00bf6a2dd03c81b2,0x005827a061c4839e,0x0000de2cbb36aac3,0x002efa29d9717478,0x00f9e928cc8a77ba,0x00c134b458def9ef,0x00958a182223fc48)},
{FIELD_LITERAL(0x000a9ee23c06881f,0x002c727d3d871945,0x00f47d971512d24a,0x00671e816f9ef31a,0x00883af2cfaad673,0x00601f98583d6c9a,0x00b435f5adc79655,0x00ad87b71c04bff2)},
{FIELD_LITERAL(0x007860d99db787cf,0x00fda8983018f4a8,0x008c8866bac4743c,0x00ef471f84c82a3f,0x00abea5976d3b8e7,0x00714882896cd015,0x00b49fae584ddac5,0x008e33a1a0b69c81)},
{FIELD_LITERAL(0x007b6ee2c9e8a9ec,0x002455dbbd89d622,0x006490cf4eaab038,0x00d925f6c3081561,0x00153b3047de7382,0x003b421f8bdceb6f,0x00761a4a5049da78,0x00980348c5202433)},
{FIELD_LITERAL(0x007f8a43da97dd5c,0x00058539c800fc7b,0x0040f3cf5a28414a,0x00d68dd0d95283d6,0x004adce9da90146e,0x00befa41c7d4f908,0x007603bc2e3c3060,0x00bdf360ab3545db)},
{FIELD_LITERAL(0x00eebfd4e2312cc3,0x00474b2564e4fc8c,0x003303ef14b1da9b,0x003c93e0e66beb1d,0x0013619b0566925a,0x008817c24d901bf3,0x00b62bd8898d218b,0x0075a7716f1e88a2)},
{FIELD_LITERAL(0x0009218da1e6890f,0x0026907f5fd02575,0x004dabed5f19d605,0x003abf181870249d,0x00b52fd048cc92c4,0x00b6dd51e415a5c5,0x00d9eb82bd2b4014,0x002c865a43b46b43)},
{FIELD_LITERAL(0x0070047189452f4c,0x00f7ad12e1ce78d5,0x00af1ba51ec44a8b,0x005f39f63e667cd6,0x00058eac4648425e,0x00d7fdab42bea03b,0x0028576a5688de15,0x00af973209e77c10)},
{FIELD_LITERAL(0x00c338b915d8fef0,0x00a893292045c39a,0x0028ab4f2eba6887,0x0060743cb519fd61,0x0006213964093ac0,0x007c0b7a43f6266d,0x008e3557c4fa5bda,0x002da976de7b8d9d)},
{FIELD_LITERAL(0x0048729f8a8b6dcd,0x00fe23b85cc4d323,0x00e7384d16e4db0e,0x004a423970678942,0x00ec0b763345d4ba,0x00c477b9f99ed721,0x00c29dad3777b230,0x001c517b466f7df6)},
{FIELD_LITERAL(0x006366c380f7b574,0x001c7d1f09ff0438,0x003e20a7301f5b22,0x00d3efb1916d28f6,0x0049f4f81060ce83,0x00c69d91ea43ced1,0x002b6f3e5cd269ed,0x005b0fb22ce9ec65)},
{FIELD_LITERAL(0x00aa2261022d883f,0x00ebcca4548010ac,0x002528512e28a437,0x0070ca7676b66082,0x0084bda170f7c6d3,0x00581b4747c9b8bb,0x005c96a01061c7e2,0x00fb7c4a362b5273)},
{FIELD_LITERAL(0x00c30020eb512d02,0x0060f288283a4d26,0x00b7ed13becde260,0x0075ebb74220f6e9,0x00701079fcfe8a1f,0x001c28fcdff58938,0x002e4544b8f4df6b,0x0060c5bc4f1a7d73)},
{FIELD_LITERAL(0x00ae307cf069f701,0x005859f222dd618b,0x00212d6c46ec0b0d,0x00a0fe4642afb62d,0x00420d8e4a0a8903,0x00a80ff639bdf7b0,0x0019bee1490b5d8e,0x007439e4b9c27a86)},
{FIELD_LITERAL(0x00a94700032a093f,0x0076e96c225216e7,0x00a63a4316e45f91,0x007d8bbb4645d3b2,0x00340a6ff22793eb,0x006f935d4572aeb7,0x00b1fb69f00afa28,0x009e8f3423161ed3)},
{FIELD_LITERAL(0x009ef49c6b5ced17,0x00a555e6269e9f0a,0x007e6f1d79ec73b5,0x009ac78695a32ac4,0x0001d77fbbcd5682,0x008cea1fee0aaeed,0x00f42bea82a53462,0x002e46ab96cafcc9)},
{FIELD_LITERAL(0x0051cfcc5885377a,0x00dce566cb1803ca,0x00430c7643f2c7d4,0x00dce1a1337bdcc0,0x0010d5bd7283c128,0x003b1b547f9b46fe,0x000f245e37e770ab,0x007b72511f022b37)},
{FIELD_LITERAL(0x0060db815bc4786c,0x006fab25beedc434,0x00c610d06084797c,0x000c48f08537bec0,0x0031aba51c5b93da,0x007968fa6e01f347,0x0030070da52840c6,0x00c043c225a4837f)},
{FIELD_LITERAL(0x001bcfd00649ee93,0x006dceb47e2a0fd5,0x00f2cebda0cf8fd0,0x00b6b9d9d1fbdec3,0x00815262e6490611,0x00ef7f5ce3176760,0x00e49cd0c998d58b,0x005fc6cc269ba57c)},
{FIELD_LITERAL(0x008940211aa0d633,0x00addae28136571d,0x00d68fdbba20d673,0x003bc6129bc9e21a,0x000346cf184ebe9a,0x0068774d741ebc7f,0x0019d5e9e6966557,0x0003cbd7f981b651)},
{FIELD_LITERAL(0x004a2902926f8d3f,0x00ad79b42637ab75,0x0088f60b90f2d4e8,0x0030f54ef0e398c4,0x00021dc9bf99681e,0x007ebf66fde74ee3,0x004ade654386e9a4,0x00e7485066be4c27)},
{FIELD_LITERAL(0x00445f1263983be0,0x004cf371dda45e6a,0x00744a89d5a310e7,0x001f20ce4f904833,0x00e746edebe66e29,0x000912ab1f6c153d,0x00f61d77d9b2444c,0x0001499cd6647610)}
};
const gf API_NS(precomputed_wnaf_as_fe)[96]
VECTOR_ALIGNED __attribute__((visibility("hidden"))) = {
{FIELD_LITERAL(0x00303cda6feea532,0x00860f1d5a3850e4,0x00226b9fa4728ccd,0x00e822938a0a0c0c,0x00263a61c9ea9216,0x001204029321b828,0x006a468360983c65,0x0002846f0a782143)},
{FIELD_LITERAL(0x00303cda6feea532,0x00860f1d5a3850e4,0x00226b9fa4728ccd,0x006822938a0a0c0c,0x00263a61c9ea9215,0x001204029321b828,0x006a468360983c65,0x0082846f0a782143)},
{FIELD_LITERAL(0x00ef8e22b275198d,0x00b0eb141a0b0e8b,0x001f6789da3cb38c,0x006d2ff8ed39073e,0x00610bdb69a167f3,0x00571f306c9689b4,0x00f557e6f84b2df8,0x002affd38b2c86db)},
{FIELD_LITERAL(0x00cea0fc8d2e88b5,0x00821612d69f1862,0x0074c283b3e67522,0x005a195ba05a876d,0x000cddfe557feea4,0x008046c795bcc5e5,0x00540969f4d6e119,0x00d27f96d6b143d5)},
{FIELD_LITERAL(0x000c3b1019d474e8,0x00e19533e4952284,0x00cc9810ba7c920a,0x00f103d2785945ac,0x00bfa5696cc69b34,0x00a8d3d51e9ca839,0x005623cb459586b9,0x00eae7ce1cd52e9e)},
{FIELD_LITERAL(0x0005a178751dd7d8,0x002cc3844c69c42f,0x00acbfe5efe10539,0x009c20f43431a65a,0x008435d96374a7b3,0x009ee57566877bd3,0x0044691725ed4757,0x001e87bb2fe2c6b2)},
{FIELD_LITERAL(0x000cedc4debf7a04,0x002ffa45000470ac,0x002e9f9678201915,0x0017da1208c4fe72,0x007d558cc7d656cb,0x0037a827287cf289,0x00142472d3441819,0x009c21f166cf8dd1)},
{FIELD_LITERAL(0x003ef83af164b2f2,0x000949a5a0525d0d,0x00f4498186cac051,0x00e77ac09ef126d2,0x0073ae0b2c9296e9,0x001c163f6922e3ed,0x0062946159321bea,0x00cfb79b22990b39)},
{FIELD_LITERAL(0x00b001431ca9e654,0x002d7e5eabcc9a3a,0x0052e8114c2f6747,0x0079ac4f94487f92,0x00bffd919b5d749c,0x00261f92ad15e620,0x00718397b7a97895,0x00c1443e6ebbc0c4)},
{FIELD_LITERAL(0x00eacd90c1e0a049,0x008977935b149fbe,0x0004cb9ba11c93dc,0x009fbd5b3470844d,0x004bc18c9bfc22cf,0x0057679a991839f3,0x00ef15b76fb4092e,0x0074a5173a225041)},
{FIELD_LITERAL(0x003f5f9d7ec4777b,0x00ab2e733c919c94,0x001bb6c035245ae5,0x00a325a49a883630,0x0033e9a9ea3cea2f,0x00e442a1eaa0e844,0x00b2116d5b0e71b8,0x00c16abed6d64047)},
{FIELD_LITERAL(0x00c560b5ed051165,0x001945adc5d65094,0x00e221865710f910,0x00cc12bc9e9b8ceb,0x004faa9518914e35,0x0017476d89d42f6d,0x00b8f637c8fa1c8b,0x0088c7d2790864b8)},
{FIELD_LITERAL(0x00ef7eafc1c69be6,0x0085d3855778fbea,0x002c8d5b450cb6f5,0x004e77de5e1e7fec,0x0047c057893abded,0x001b430b85d51e16,0x00965c7b45640c3c,0x00487b2bb1162b97)},
{FIELD_LITERAL(0x0099c73a311beec2,0x00a3eff38d8912ad,0x002efa9d1d7e8972,0x00f717ae1e14d126,0x002833f795850c8b,0x0066c12ad71486bd,0x00ae9889da4820eb,0x00d6044309555c08)},
{FIELD_LITERAL(0x004b1c5283d15e41,0x00669d8ea308ff75,0x0004390233f762a1,0x00e1d67b83cb6cec,0x003eebaa964c78b1,0x006b0aff965eb664,0x00b313d4470bdc37,0x008814ffcb3cb9d8)},
{FIELD_LITERAL(0x009724b8ce68db70,0x007678b5ed006f3d,0x00bdf4b89c0abd73,0x00299748e04c7c6d,0x00ddd86492c3c977,0x00c5a7febfa30a99,0x00ed84715b4b02bb,0x00319568adf70486)},
{FIELD_LITERAL(0x0070ff2d864de5bb,0x005a37eeb637ee95,0x0033741c258de160,0x00e6ca5cb1988f46,0x001ceabd92a24661,0x0030957bd500fe40,0x001c3362afe912c5,0x005187889f678bd2)},
{FIELD_LITERAL(0x0086835fc62bbdc7,0x009c3516ca4910a1,0x00956c71f8d00783,0x0095c78fcf63235f,0x00fc7ff6ba05c222,0x00cdd8b3f8d74a52,0x00ac5ae16de8256e,0x00e9d4be8ed48624)},
{FIELD_LITERAL(0x00c0ce11405df2d8,0x004e3f37b293d7b6,0x002410172e1ac6db,0x00b8dbff4bf8143d,0x003a7b409d56eb66,0x003e0f6a0dfef9af,0x0081c4e4d3645be1,0x00ce76076b127623)},
{FIELD_LITERAL(0x00f6ee0f98974239,0x0042d89af07d3a4f,0x00846b7fe84346b5,0x006a21fc6a8d39a1,0x00ac8bc2541ff2d9,0x006d4e2a77732732,0x009a39b694cc3f2f,0x0085c0aa2a404c8f)},
{FIELD_LITERAL(0x00b261101a218548,0x00c1cae96424277b,0x00869da0a77dd268,0x00bc0b09f8ec83ea,0x00d61027f8e82ba9,0x00aa4c85999dce67,0x00eac3132b9f3fe1,0x00fb9b0cf1c695d2)},
{FIELD_LITERAL(0x0043079295512f0d,0x0046a009861758e0,0x003ee2842a807378,0x0034cc9d1298e4fa,0x009744eb4d31b3ee,0x00afacec96650cd0,0x00ac891b313761ae,0x00e864d6d26e708a)},
{FIELD_LITERAL(0x00a84d7c8a23b491,0x0088e19aa868b27f,0x0005986d43e78ce9,0x00f28012f0606d28,0x0017ded7e10249b3,0x005ed4084b23af9b,0x00b9b0a940564472,0x00ad9056cceeb1f4)},
{FIELD_LITERAL(0x00db91b357fe755e,0x00a1aa544b15359c,0x00af4931a0195574,0x007686124fe11aef,0x00d1ead3c7b9ef7e,0x00aaf5fc580f8c15,0x00e727be147ee1ec,0x003c61c1e1577b86)},
{FIELD_LITERAL(0x009d3fca983220cf,0x00cd11acbc853dc4,0x0017590409d27f1d,0x00d2176698082802,0x00fa01251b2838c8,0x00dd297a0d9b51c6,0x00d76c92c045820a,0x00534bc7c46c9033)},
{FIELD_LITERAL(0x0080ed9bc9b07338,0x00fceac7745d2652,0x008a9d55f5f2cc69,0x0096ce72df301ac5,0x00f53232e7974d87,0x0071728c7ae73947,0x0090507602570778,0x00cb81cfd883b1b2)},
{FIELD_LITERAL(0x005011aadea373da,0x003a8578ec896034,0x00f20a6535fa6d71,0x005152d31e5a87cf,0x002bac1c8e68ca31,0x00b0e323db4c1381,0x00f1d596b7d5ae25,0x00eae458097cb4e0)},
{FIELD_LITERAL(0x00920ac80f9b0d21,0x00f80f7f73401246,0x0086d37849b557d6,0x0002bd4b317b752e,0x00b26463993a42bb,0x002070422a73b129,0x00341acaa0380cb3,0x00541914dd66a1b2)},
{FIELD_LITERAL(0x00c1513cd66abe8c,0x000139e01118944d,0x0064abbcb8080bbb,0x00b3b08202473142,0x00c629ef25da2403,0x00f0aec3310d9b7f,0x0050b2227472d8cd,0x00f6c8a922d41fb4)},
{FIELD_LITERAL(0x001075ccf26b7b1f,0x00bb6bb213170433,0x00e9491ad262da79,0x009ef4f48d2d384c,0x008992770766f09d,0x001584396b6b1101,0x00af3f8676c9feef,0x0024603c40269118)},
{FIELD_LITERAL(0x009dd7b31319527c,0x001e7ac948d873a9,0x00fa54b46ef9673a,0x0066efb8d5b02fe6,0x00754b1d3928aeae,0x0004262ac72a6f6b,0x0079b7d49a6eb026,0x003126a753540102)},
{FIELD_LITERAL(0x009666e24f693947,0x00f714311269d45f,0x0010ffac1d0c851c,0x0066e80c37363497,0x00f1f4ad010c60b0,0x0015c87408470ff7,0x00651d5e9c7766a4,0x008138819d7116de)},
{FIELD_LITERAL(0x003934b11c57253b,0x00ef308edf21f46e,0x00e54e99c7a16198,0x0080d57135764e63,0x00751c27b946bc24,0x00dd389ce4e9e129,0x00a1a2bfd1cd84dc,0x002fae73e5149b32)},
{FIELD_LITERAL(0x00911657dffb4cdd,0x00c100b7cc553d06,0x00449d075ec467cc,0x007062100bc64e70,0x0043cf86f7bd21e7,0x00f401dc4b797dea,0x005224afb2f62e65,0x00d1ede3fb5a42be)},
{FIELD_LITERAL(0x00f2ba36a41aa144,0x00a0c22d946ee18f,0x008aae8ef9a14f99,0x00eef4d79b19bb36,0x008e75ce3d27b1fc,0x00a65daa03b29a27,0x00d9cc83684eb145,0x009e1ed80cc2ed74)},
{FIELD_LITERAL(0x00bed953d1997988,0x00b93ed175a24128,0x00871c5963fb6365,0x00ca2df20014a787,0x00f5d9c1d0b34322,0x00f6f5942818db0a,0x004cc091f49c9906,0x00e8a188a60bff9f)},
{FIELD_LITERAL(0x0032c7762032fae8,0x00e4087232e0bc21,0x00f767344b6e8d85,0x00bbf369b76c2aa2,0x008a1f46c6e1570c,0x001368cd9780369f,0x007359a39d079430,0x0003646512921434)},
{FIELD_LITERAL(0x007c4b47ca7c73e7,0x005396221039734b,0x008b64ddf0e45d7e,0x00bfad5af285e6c2,0x008ec711c5b1a1a8,0x00cf663301237f98,0x00917ee3f1655126,0x004152f337efedd8)},
{FIELD_LITERAL(0x0007c7edc9305daa,0x000a6664f273701c,0x00f6e78795e200b1,0x005d05b9ecd2473e,0x0014f5f17c865786,0x00c7fd2d166fa995,0x004939a2d8eb80e0,0x002244ba0942c199)},
{FIELD_LITERAL(0x00321e767f0262cf,0x002e57d776caf68e,0x00bf2c94814f0437,0x00c339196acd622f,0x001db4cce71e2770,0x001ded5ddba6eee2,0x0078608ab1554c8d,0x00067fe0ab76365b)},
{FIELD_LITERAL(0x00f09758e11e3985,0x00169efdbd64fad3,0x00e8889b7d6dacd6,0x0035cdd58ea88209,0x00bcda47586d7f49,0x003cdddcb2879088,0x0016da70187e954b,0x009556ea2e92aacd)},
{FIELD_LITERAL(0x008cab16bd1ff897,0x00b389972cdf753f,0x00ea8ed1e46dfdc0,0x004fe7ef94c589f4,0x002b8ae9b805ecf3,0x0025c08d892874a5,0x0023938e98d44c4c,0x00f759134cabf69c)},
{FIELD_LITERAL(0x006c2a84678e4b3b,0x007a194aacd1868f,0x00ed0225af424761,0x00da0a6f293c64b8,0x001062ac5c6a7a18,0x0030f5775a8aeef4,0x0002acaad76b7af0,0x00410b8fd63a579f)},
{FIELD_LITERAL(0x001ec59db3d9590e,0x001e9e3f1c3f182d,0x0045a9c3ec2cab14,0x0008198572aeb673,0x00773b74068bd167,0x0012535eaa395434,0x0044dba9e3bbb74a,0x002fba4d3c74bd0e)},
{FIELD_LITERAL(0x0042bf08fe66922c,0x003318b8fbb49e8c,0x00d75946004aa14c,0x00f601586b42bf1c,0x00c74cf1d912fe66,0x00abcb36974b30ad,0x007eb78720c9d2b8,0x009f54ab7bd4df85)},
{FIELD_LITERAL(0x00db9fc948f73826,0x00fa8b3746ed8ee9,0x00132cb65aafbeb2,0x00c36ff3fe7925b8,0x00837daed353d2fe,0x00ec661be0667cf4,0x005beb8ed2e90204,0x00d77dd69e564967)},
{FIELD_LITERAL(0x0042e6268b861751,0x0008dd0469500c16,0x00b51b57c338a3fd,0x00cc4497d85cff6b,0x002f13d6b57c34a4,0x0083652eaf301105,0x00cc344294cc93a8,0x0060f4d02810e270)},
{FIELD_LITERAL(0x00a8954363cd518b,0x00ad171124bccb7b,0x0065f46a4adaae00,0x001b1a5b2a96e500,0x0043fe24f8233285,0x0066996d8ae1f2c3,0x00c530f3264169f9,0x00c0f92d07cf6a57)},
{FIELD_LITERAL(0x0036a55c6815d943,0x008c8d1def993db3,0x002e0e1e8ff7318f,0x00d883a4b92db00a,0x002f5e781ae33906,0x001a72adb235c06d,0x00f2e59e736e9caa,0x001a4b58e3031914)},
{FIELD_LITERAL(0x00d73bfae5e00844,0x00bf459766fb5f52,0x0061b4f5a5313cde,0x004392d4c3b95514,0x000d3551b1077523,0x0000998840ee5d71,0x006de6e340448b7b,0x00251aa504875d6e)},
{FIELD_LITERAL(0x003bf343427ac342,0x00adc0a78642b8c5,0x0003b893175a8314,0x0061a34ade5703bc,0x00ea3ea8bb71d632,0x00be0df9a1f198c2,0x0046dd8e7c1635fb,0x00f1523fdd25d5e5)},
{FIELD_LITERAL(0x00633f63fc9dd406,0x00e713ff80e04a43,0x0060c6e970f2d621,0x00a57cd7f0df1891,0x00f2406a550650bb,0x00b064290efdc684,0x001eab0144d17916,0x00cd15f863c293ab)},
{FIELD_LITERAL(0x0029cec55273f70d,0x007044ee275c6340,0x0040f637a93015e2,0x00338bb78db5aae9,0x001491b2a6132147,0x00a125d6cfe6bde3,0x005f7ac561ba8669,0x001d5eaea3fbaacf)},
{FIELD_LITERAL(0x00054e9635e3be31,0x000e43f31e2872be,0x00d05b1c9e339841,0x006fac50bd81fd98,0x00cdc7852eaebb09,0x004ff519b061991b,0x009099e8107d4c85,0x00273e24c36a4a61)},
{FIELD_LITERAL(0x00070b4441ef2c46,0x00efa5b02801a109,0x00bf0b8c3ee64adf,0x008a67e0b3452e98,0x001916b1f2fa7a74,0x00d781a78ff6cdc3,0x008682ce57e5c919,0x00cc1109dd210da3)},
{FIELD_LITERAL(0x00cae8aaff388663,0x005e983a35dda1c7,0x007ab1030d8e37f4,0x00e48940f5d032fe,0x006a36f9ef30b331,0x009be6f03958c757,0x0086231ceba91400,0x008bd0f7b823e7aa)},
{FIELD_LITERAL(0x00cf881ebef5a45a,0x004ebea78e7c6f2c,0x0090da9209cf26a0,0x00de2b2e4c775b84,0x0071d6031c3c15ae,0x00d9e927ef177d70,0x00894ee8c23896fd,0x00e3b3b401e41aad)},
{FIELD_LITERAL(0x00204fef26864170,0x00819269c5dee0f8,0x00bfb4713ec97966,0x0026339a6f34df78,0x001f26e64c761dc2,0x00effe3af313cb60,0x00e17b70138f601b,0x00f16e1ccd9ede5e)},
{FIELD_LITERAL(0x005d9a8353fdb2db,0x0055cc2048c698f0,0x00f6c4ac89657218,0x00525034d73faeb2,0x00435776fbda3c7d,0x0070ea5312323cbc,0x007a105d44d069fb,0x006dbc8d6dc786aa)},
{FIELD_LITERAL(0x0017cff19cd394ec,0x00fef7b810922587,0x00e6483970dff548,0x00ddf36ad6874264,0x00e61778523fcce2,0x0093a66c0c93b24a,0x00fd367114db7f86,0x007652d7ddce26dd)},
{FIELD_LITERAL(0x00d92ced7ba12843,0x00aea9c7771e86e7,0x0046639693354f7b,0x00a628dbb6a80c47,0x003a0b0507372953,0x00421113ab45c0d9,0x00e545f08362ab7a,0x0028ce087b4d6d96)},
{FIELD_LITERAL(0x00a67ee7cf9f99eb,0x005713b275f2ff68,0x00f1d536a841513d,0x00823b59b024712e,0x009c46b9d0d38cec,0x00cdb1595aa2d7d4,0x008375b3423d9af8,0x000ab0b516d978f7)},
{FIELD_LITERAL(0x00428dcb3c510b0f,0x00585607ea24bb4e,0x003736bf1603687a,0x00c47e568c4fe3c7,0x003cd00282848605,0x0043a487c3b91939,0x004ffc04e1095a06,0x00a4c989a3d4b918)},
{FIELD_LITERAL(0x00a8778d0e429f7a,0x004c02b059105a68,0x0016653b609da3ff,0x00d5107bd1a12d27,0x00b4708f9a771cab,0x00bb63b662033f69,0x0072f322240e7215,0x0019445b59c69222)},
{FIELD_LITERAL(0x00cf4f6069a658e6,0x0053ca52859436a6,0x0064b994d7e3e117,0x00cb469b9a07f534,0x00cfb68f399e9d47,0x00f0dcb8dac1c6e7,0x00f2ab67f538b3a5,0x0055544f178ab975)},
{FIELD_LITERAL(0x0099b7a2685d538c,0x00e2f1897b7c0018,0x003adac8ce48dae3,0x00089276d5c50c0c,0x00172fca07ad6717,0x00cb1a72f54069e5,0x004ee42f133545b3,0x00785f8651362f16)},
{FIELD_LITERAL(0x0049cbac38509e11,0x0015234505d42cdf,0x00794fb0b5840f1c,0x00496437344045a5,0x0031b6d944e4f9b0,0x00b207318ac1f5d8,0x0000c840da7f5c5d,0x00526f373a5c8814)},
{FIELD_LITERAL(0x002c7b7742d1dfd9,0x002cabeb18623c01,0x00055f5e3e044446,0x006c20f3b4ef54ba,0x00c600141ec6b35f,0x00354f437f1a32a3,0x00bac4624a3520f9,0x00c483f734a90691)},
{FIELD_LITERAL(0x0053a737d422918d,0x00f7fca1d8758625,0x00c360336dadb04c,0x00f38e3d9158a1b8,0x0069ce3b418e84c6,0x005d1697eca16ead,0x00f8bd6a35ece13d,0x007885dfc2b5afea)},
{FIELD_LITERAL(0x00c3617ae260776c,0x00b20dc3e96922d7,0x00a1a7802246706a,0x00ca6505a5240244,0x002246b62d919782,0x001439102d7aa9b3,0x00e8af1139e6422c,0x00c888d1b52f2b05)},
{FIELD_LITERAL(0x005b67690ffd41d9,0x005294f28df516f9,0x00a879272412fcb9,0x00098b629a6d1c8d,0x00fabd3c8050865a,0x00cd7e5b0a3879c5,0x00153238210f3423,0x00357cac101e9f42)},
{FIELD_LITERAL(0x008917b454444fb7,0x00f59247c97e441b,0x00a6200a6815152d,0x0009a4228601d254,0x001c0360559bd374,0x007563362039cb36,0x00bd75b48d74e32b,0x0017f515ac3499e8)},
{FIELD_LITERAL(0x001532a7ffe41c5a,0x00eb1edce358d6bf,0x00ddbacc7b678a7b,0x008a7b70f3c841a3,0x00f1923bf27d3f4c,0x000b2713ed8f7873,0x00aaf67e29047902,0x0044994a70b3976d)},
{FIELD_LITERAL(0x00d54e802082d42c,0x00a55aa0dce7cc6c,0x006477b96073f146,0x0082efe4ceb43594,0x00a922bcba026845,0x0077f19d1ab75182,0x00c2bb2737846e59,0x0004d7eec791dd33)},
{FIELD_LITERAL(0x0044588d1a81d680,0x00b0a9097208e4f8,0x00212605350dc57e,0x0028717cd2871123,0x00fb083c100fd979,0x0045a056ce063fdf,0x00a5d604b4dd6a41,0x001dabc08ba4e236)},
{FIELD_LITERAL(0x00c4887198d7a7fa,0x00244f98fb45784a,0x0045911e15a15d01,0x001d323d374c0966,0x00967c3915196562,0x0039373abd2f3c67,0x000d2c5614312423,0x0041cf2215442ce3)},
{FIELD_LITERAL(0x008ede889ada7f06,0x001611e91de2e135,0x00fdb9a458a471b9,0x00563484e03710d1,0x0031cc81925e3070,0x0062c97b3af80005,0x00fa733eea28edeb,0x00e82457e1ebbc88)},
{FIELD_LITERAL(0x006a0df5fe9b6f59,0x00a0d4ff46040d92,0x004a7cedb6f93250,0x00d1df8855b8c357,0x00e73a46086fd058,0x0048fb0add6dfe59,0x001e03a28f1b4e3d,0x00a871c993308d76)},
{FIELD_LITERAL(0x0030dbb2d1766ec8,0x00586c0ad138555e,0x00d1a34f9e91c77c,0x0063408ad0e89014,0x00d61231b05f6f5b,0x0009abf569f5fd8a,0x00aec67a110f1c43,0x0031d1a790938dd7)},
{FIELD_LITERAL(0x006cded841e2a862,0x00198d60af0ab6fb,0x0018f09db809e750,0x004e6ac676016263,0x00eafcd1620969cb,0x002c9784ca34917d,0x0054f00079796de7,0x00d9fab5c5972204)},
{FIELD_LITERAL(0x004bd0fee2438a83,0x00b571e62b0f83bd,0x0059287d7ce74800,0x00fb3631b645c3f0,0x00a018e977f78494,0x0091e27065c27b12,0x007696c1817165e0,0x008c40be7c45ba3a)},
{FIELD_LITERAL(0x00a0f326327cb684,0x001c7d0f672680ff,0x008c1c81ffb112d1,0x00f8f801674eddc8,0x00e926d5d48c2a9d,0x005bd6d954c6fe9a,0x004c6b24b4e33703,0x00d05eb5c09105cc)},
{FIELD_LITERAL(0x00d61731caacf2cf,0x002df0c7609e01c5,0x00306172208b1e2b,0x00b413fe4fb2b686,0x00826d360902a221,0x003f8d056e67e7f7,0x0065025b0175e989,0x00369add117865eb)},
{FIELD_LITERAL(0x00aaf895aec2fa11,0x000f892bc313eb52,0x005b1c794dad050b,0x003f8ec4864cec14,0x00af81058d0b90e5,0x00ebe43e183997bb,0x00a9d610f9f3e615,0x007acd8eec2e88d3)},
{FIELD_LITERAL(0x0049b2fab13812a3,0x00846db32cd60431,0x000177fa578c8d6c,0x00047d0e2ad4bc51,0x00b158ba38d1e588,0x006a45daad79e3f3,0x000997b93cab887b,0x00c47ea42fa23dc3)},
{FIELD_LITERAL(0x0012b6fef7aeb1ca,0x009412768194b6a7,0x00ff0d351f23ab93,0x007e8a14c1aff71b,0x006c1c0170c512bc,0x0016243ea02ab2e5,0x007bb6865b303f3e,0x0015ce6b29b159f4)},
{FIELD_LITERAL(0x009961cd02e68108,0x00e2035d3a1d0836,0x005d51f69b5e1a1d,0x004bccb4ea36edcd,0x0069be6a7aeef268,0x0063f4dd9de8d5a7,0x006283783092ca35,0x0075a31af2c35409)},
{FIELD_LITERAL(0x00c412365162e8cf,0x00012283fb34388a,0x003e6543babf39e2,0x00eead6b3a804978,0x0099c0314e8b326f,0x00e98e0a8d477a4f,0x00d2eb96b127a687,0x00ed8d7df87571bb)},
{FIELD_LITERAL(0x00777463e308cacf,0x00c8acb93950132d,0x00ebddbf4ca48b2c,0x0026ad7ca0795a0a,0x00f99a3d9a715064,0x000d60bcf9d4dfcc,0x005e65a73a437a06,0x0019d536a8db56c8)},
{FIELD_LITERAL(0x00192d7dd558d135,0x0027cd6a8323ffa7,0x00239f1a412dc1e7,0x0046b4b3be74fc5c,0x0020c47a2bef5bce,0x00aa17e48f43862b,0x00f7e26c96342e5f,0x0008011c530f39a9)},
{FIELD_LITERAL(0x00aad4ac569bf0f1,0x00a67adc90b27740,0x0048551369a5751a,0x0031252584a3306a,0x0084e15df770e6fc,0x00d7bba1c74b5805,0x00a80ef223af1012,0x0089c85ceb843a34)},
{FIELD_LITERAL(0x00c4545be4a54004,0x0099e11f60357e6c,0x001f3936d19515a6,0x007793df84341a6e,0x0051061886717ffa,0x00e9b0a660b28f85,0x0044ea685892de0d,0x000257d2a1fda9d9)},
{FIELD_LITERAL(0x007e8b01b24ac8a8,0x006cf3b0b5ca1337,0x00f1607d3e36a570,0x0039b7fab82991a1,0x00231777065840c5,0x00998e5afdd346f9,0x00b7dc3e64acc85f,0x00baacc748013ad6)},
{FIELD_LITERAL(0x008ea6a4177580bf,0x005fa1953e3f0378,0x005fe409ac74d614,0x00452327f477e047,0x00a4018507fb6073,0x007b6e71951caac8,0x0012b42ab8a6ce91,0x0080eca677294ab7)},
{FIELD_LITERAL(0x00a53edc023ba69b,0x00c6afa83ddde2e8,0x00c3f638b307b14e,0x004a357a64414062,0x00e4d94d8b582dc9,0x001739caf71695b7,0x0012431b2ae28de1,0x003b6bc98682907c)},
{FIELD_LITERAL(0x008a9a93be1f99d6,0x0079fa627cc699c8,0x00b0cfb134ba84c8,0x001c4b778249419a,0x00df4ab3d9c44f40,0x009f596e6c1a9e3c,0x001979c0df237316,0x00501e953a919b87)}
};

+ 0
- 322
src/GENERATED/c/ed448goldilocks/eddsa.c View File

@@ -1,322 +0,0 @@
/**
* @file ed448goldilocks/eddsa.c
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
* @cond internal
* @brief EdDSA routines.
*
* @warning This file was automatically generated in Python.
* Please do not edit it.
*/
#include "word.h"
#include <decaf/ed448.h>
#include <decaf/shake.h>
#include <decaf/sha512.h>
#include <string.h>

#define API_NAME "decaf_448"
#define API_NS(_id) decaf_448_##_id

#define hash_ctx_t decaf_shake256_ctx_t
#define hash_init decaf_shake256_init
#define hash_update decaf_shake256_update
#define hash_final decaf_shake256_final
#define hash_destroy decaf_shake256_destroy
#define hash_hash decaf_shake256_hash

#define NO_CONTEXT DECAF_EDDSA_448_SUPPORTS_CONTEXTLESS_SIGS
#define EDDSA_USE_SIGMA_ISOGENY 0
#define COFACTOR 4
#define EDDSA_PREHASH_BYTES 64

#if NO_CONTEXT
const uint8_t NO_CONTEXT_POINTS_HERE = 0;
const uint8_t * const DECAF_ED448_NO_CONTEXT = &NO_CONTEXT_POINTS_HERE;
#endif

static void clamp (
uint8_t secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES]
) {
/* Blarg */
secret_scalar_ser[0] &= -COFACTOR;
uint8_t hibit = (1<<0)>>1;
if (hibit == 0) {
secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 1] = 0;
secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 2] |= 0x80;
} else {
secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 1] &= hibit-1;
secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 1] |= hibit;
}
}

static void hash_init_with_dom(
hash_ctx_t hash,
uint8_t prehashed,
uint8_t for_prehash,
const uint8_t *context,
uint8_t context_len
) {
hash_init(hash);

#if NO_CONTEXT
if (context_len == 0 && context == DECAF_ED448_NO_CONTEXT) {
(void)prehashed;
(void)for_prehash;
(void)context;
(void)context_len;
return;
}
#endif
const char *dom_s = "SigEd448";
const uint8_t dom[2] = {2+word_is_zero(prehashed)+word_is_zero(for_prehash), context_len};
hash_update(hash,(const unsigned char *)dom_s, strlen(dom_s));
hash_update(hash,dom,2);
hash_update(hash,context,context_len);
}

void decaf_ed448_prehash_init (
hash_ctx_t hash
) {
hash_init(hash);
}

/* In this file because it uses the hash */
void decaf_ed448_convert_private_key_to_x448 (
uint8_t x[DECAF_X448_PRIVATE_BYTES],
const uint8_t ed[DECAF_EDDSA_448_PRIVATE_BYTES]
) {
/* pass the private key through hash_hash function */
/* and keep the first DECAF_X448_PRIVATE_BYTES bytes */
hash_hash(
x,
DECAF_X448_PRIVATE_BYTES,
ed,
DECAF_EDDSA_448_PRIVATE_BYTES
);
}
void decaf_ed448_derive_public_key (
uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES]
) {
/* only this much used for keygen */
uint8_t secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES];
hash_hash(
secret_scalar_ser,
sizeof(secret_scalar_ser),
privkey,
DECAF_EDDSA_448_PRIVATE_BYTES
);
clamp(secret_scalar_ser);
API_NS(scalar_t) secret_scalar;
API_NS(scalar_decode_long)(secret_scalar, secret_scalar_ser, sizeof(secret_scalar_ser));
/* Since we are going to mul_by_cofactor during encoding, divide by it here.
* However, the EdDSA base point is not the same as the decaf base point if
* the sigma isogeny is in use: the EdDSA base point is on Etwist_d/(1-d) and
* the decaf base point is on Etwist_d, and when converted it effectively
* picks up a factor of 2 from the isogenies. So we might start at 2 instead of 1.
*/
for (unsigned int c=1; c<DECAF_448_EDDSA_ENCODE_RATIO; c <<= 1) {
API_NS(scalar_halve)(secret_scalar,secret_scalar);
}
API_NS(point_t) p;
API_NS(precomputed_scalarmul)(p,API_NS(precomputed_base),secret_scalar);
API_NS(point_mul_by_ratio_and_encode_like_eddsa)(pubkey, p);
/* Cleanup */
API_NS(scalar_destroy)(secret_scalar);
API_NS(point_destroy)(p);
decaf_bzero(secret_scalar_ser, sizeof(secret_scalar_ser));
}

void decaf_ed448_sign (
uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
const uint8_t *message,
size_t message_len,
uint8_t prehashed,
const uint8_t *context,
uint8_t context_len
) {
API_NS(scalar_t) secret_scalar;
hash_ctx_t hash;
{
/* Schedule the secret key */
struct {
uint8_t secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES];
uint8_t seed[DECAF_EDDSA_448_PRIVATE_BYTES];
} __attribute__((packed)) expanded;
hash_hash(
(uint8_t *)&expanded,
sizeof(expanded),
privkey,
DECAF_EDDSA_448_PRIVATE_BYTES
);
clamp(expanded.secret_scalar_ser);
API_NS(scalar_decode_long)(secret_scalar, expanded.secret_scalar_ser, sizeof(expanded.secret_scalar_ser));
/* Hash to create the nonce */
hash_init_with_dom(hash,prehashed,0,context,context_len);
hash_update(hash,expanded.seed,sizeof(expanded.seed));
hash_update(hash,message,message_len);
decaf_bzero(&expanded, sizeof(expanded));
}
/* Decode the nonce */
API_NS(scalar_t) nonce_scalar;
{
uint8_t nonce[2*DECAF_EDDSA_448_PRIVATE_BYTES];
hash_final(hash,nonce,sizeof(nonce));
API_NS(scalar_decode_long)(nonce_scalar, nonce, sizeof(nonce));
decaf_bzero(nonce, sizeof(nonce));
}
uint8_t nonce_point[DECAF_EDDSA_448_PUBLIC_BYTES] = {0};
{
/* Scalarmul to create the nonce-point */
API_NS(scalar_t) nonce_scalar_2;
API_NS(scalar_halve)(nonce_scalar_2,nonce_scalar);
for (unsigned int c = 2; c < DECAF_448_EDDSA_ENCODE_RATIO; c <<= 1) {
API_NS(scalar_halve)(nonce_scalar_2,nonce_scalar_2);
}
API_NS(point_t) p;
API_NS(precomputed_scalarmul)(p,API_NS(precomputed_base),nonce_scalar_2);
API_NS(point_mul_by_ratio_and_encode_like_eddsa)(nonce_point, p);
API_NS(point_destroy)(p);
API_NS(scalar_destroy)(nonce_scalar_2);
}
API_NS(scalar_t) challenge_scalar;
{
/* Compute the challenge */
hash_init_with_dom(hash,prehashed,0,context,context_len);
hash_update(hash,nonce_point,sizeof(nonce_point));
hash_update(hash,pubkey,DECAF_EDDSA_448_PUBLIC_BYTES);
hash_update(hash,message,message_len);
uint8_t challenge[2*DECAF_EDDSA_448_PRIVATE_BYTES];
hash_final(hash,challenge,sizeof(challenge));
hash_destroy(hash);
API_NS(scalar_decode_long)(challenge_scalar,challenge,sizeof(challenge));
decaf_bzero(challenge,sizeof(challenge));
}
API_NS(scalar_mul)(challenge_scalar,challenge_scalar,secret_scalar);
API_NS(scalar_add)(challenge_scalar,challenge_scalar,nonce_scalar);
decaf_bzero(signature,DECAF_EDDSA_448_SIGNATURE_BYTES);
memcpy(signature,nonce_point,sizeof(nonce_point));
API_NS(scalar_encode)(&signature[DECAF_EDDSA_448_PUBLIC_BYTES],challenge_scalar);
API_NS(scalar_destroy)(secret_scalar);
API_NS(scalar_destroy)(nonce_scalar);
API_NS(scalar_destroy)(challenge_scalar);
}


void decaf_ed448_sign_prehash (
uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
const decaf_ed448_prehash_ctx_t hash,
const uint8_t *context,
uint8_t context_len
) {
uint8_t hash_output[EDDSA_PREHASH_BYTES];
{
decaf_ed448_prehash_ctx_t hash_too;
memcpy(hash_too,hash,sizeof(hash_too));
hash_final(hash_too,hash_output,sizeof(hash_output));
hash_destroy(hash_too);
}

decaf_ed448_sign(signature,privkey,pubkey,hash_output,sizeof(hash_output),1,context,context_len);
decaf_bzero(hash_output,sizeof(hash_output));
}

decaf_error_t decaf_ed448_verify (
const uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
const uint8_t *message,
size_t message_len,
uint8_t prehashed,
const uint8_t *context,
uint8_t context_len
) {
API_NS(point_t) pk_point, r_point;
decaf_error_t error = API_NS(point_decode_like_eddsa_and_mul_by_ratio)(pk_point,pubkey);
if (DECAF_SUCCESS != error) { return error; }
error = API_NS(point_decode_like_eddsa_and_mul_by_ratio)(r_point,signature);
if (DECAF_SUCCESS != error) { return error; }
API_NS(scalar_t) challenge_scalar;
{
/* Compute the challenge */
hash_ctx_t hash;
hash_init_with_dom(hash,prehashed,0,context,context_len);
hash_update(hash,signature,DECAF_EDDSA_448_PUBLIC_BYTES);
hash_update(hash,pubkey,DECAF_EDDSA_448_PUBLIC_BYTES);
hash_update(hash,message,message_len);
uint8_t challenge[2*DECAF_EDDSA_448_PRIVATE_BYTES];
hash_final(hash,challenge,sizeof(challenge));
hash_destroy(hash);
API_NS(scalar_decode_long)(challenge_scalar,challenge,sizeof(challenge));
decaf_bzero(challenge,sizeof(challenge));
}
API_NS(scalar_sub)(challenge_scalar, API_NS(scalar_zero), challenge_scalar);
API_NS(scalar_t) response_scalar;
API_NS(scalar_decode_long)(
response_scalar,
&signature[DECAF_EDDSA_448_PUBLIC_BYTES],
DECAF_EDDSA_448_PRIVATE_BYTES
);
for (unsigned c=1; c<DECAF_448_EDDSA_DECODE_RATIO; c<<=1) {
API_NS(scalar_add)(response_scalar,response_scalar,response_scalar);
}
/* pk_point = -c(x(P)) + (cx + k)G = kG */
API_NS(base_double_scalarmul_non_secret)(
pk_point,
response_scalar,
pk_point,
challenge_scalar
);
return decaf_succeed_if(API_NS(point_eq(pk_point,r_point)));
}


decaf_error_t decaf_ed448_verify_prehash (
const uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
const decaf_ed448_prehash_ctx_t hash,
const uint8_t *context,
uint8_t context_len
) {
decaf_error_t ret;
uint8_t hash_output[EDDSA_PREHASH_BYTES];
{
decaf_ed448_prehash_ctx_t hash_too;
memcpy(hash_too,hash,sizeof(hash_too));
hash_final(hash_too,hash_output,sizeof(hash_output));
hash_destroy(hash_too);
}
ret = decaf_ed448_verify(signature,pubkey,hash_output,sizeof(hash_output),1,context,context_len);
return ret;
}

+ 0
- 204
src/GENERATED/c/ed448goldilocks/elligator.c View File

@@ -1,204 +0,0 @@
/**
* @file ed448goldilocks/elligator.c
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
* @brief Elligator high-level functions.
*
* @warning This file was automatically generated in Python.
* Please do not edit it.
*/
#include "word.h"
#include "field.h"
#include <decaf.h>

/* Template stuff */
#define API_NS(_id) decaf_448_##_id
#define point_t API_NS(point_t)
#define IMAGINE_TWIST 0
#define COFACTOR 4
static const int EDWARDS_D = -39081;

#define RISTRETTO_FACTOR DECAF_448_RISTRETTO_FACTOR
extern const gf RISTRETTO_FACTOR;

/* End of template stuff */
extern mask_t API_NS(deisogenize) (
gf_s *__restrict__ s,
gf_s *__restrict__ inv_el_sum,
gf_s *__restrict__ inv_el_m1,
const point_t p,
mask_t toggle_hibit_s,
mask_t toggle_altx,
mask_t toggle_rotation
);

void API_NS(point_from_hash_nonuniform) (
point_t p,
const unsigned char ser[SER_BYTES]
) {
gf r0,r,a,b,c,N,e;
const uint8_t mask = (uint8_t)(0xFE<<(7));
ignore_result(gf_deserialize(r0,ser,0,mask));
gf_strong_reduce(r0);
gf_sqr(a,r0);
gf_mul_qnr(r,a);

/* Compute D@c := (dr+a-d)(dr-ar-d) with a=1 */
gf_sub(a,r,ONE);
gf_mulw(b,a,EDWARDS_D); /* dr-d */
gf_add(a,b,ONE);
gf_sub(b,b,r);
gf_mul(c,a,b);
/* compute N := (r+1)(a-2d) */
gf_add(a,r,ONE);
gf_mulw(N,a,1-2*EDWARDS_D);
/* e = +-sqrt(1/ND) or +-r0 * sqrt(qnr/ND) */
gf_mul(a,c,N);
mask_t square = gf_isr(b,a);
gf_cond_sel(c,r0,ONE,square); /* r? = square ? 1 : r0 */
gf_mul(e,b,c);
/* s@a = +-|N.e| */
gf_mul(a,N,e);
gf_cond_neg(a,gf_lobit(a) ^ ~square);
/* t@b = -+ cN(r-1)((a-2d)e)^2 - 1 */
gf_mulw(c,e,1-2*EDWARDS_D); /* (a-2d)e */
gf_sqr(b,c);
gf_sub(e,r,ONE);
gf_mul(c,b,e);
gf_mul(b,c,N);
gf_cond_neg(b,square);
gf_sub(b,b,ONE);

/* isogenize */
#if IMAGINE_TWIST
gf_mul(c,a,SQRT_MINUS_ONE);
gf_copy(a,c);
#endif
gf_sqr(c,a); /* s^2 */
gf_add(a,a,a); /* 2s */
gf_add(e,c,ONE);
gf_mul(p->t,a,e); /* 2s(1+s^2) */
gf_mul(p->x,a,b); /* 2st */
gf_sub(a,ONE,c);
gf_mul(p->y,e,a); /* (1+s^2)(1-s^2) */
gf_mul(p->z,a,b); /* (1-s^2)t */
assert(API_NS(point_valid)(p));
}

void API_NS(point_from_hash_uniform) (
point_t pt,
const unsigned char hashed_data[2*SER_BYTES]
) {
point_t pt2;
API_NS(point_from_hash_nonuniform)(pt,hashed_data);
API_NS(point_from_hash_nonuniform)(pt2,&hashed_data[SER_BYTES]);
API_NS(point_add)(pt,pt,pt2);
}

/* Elligator_onto:
* Make elligator-inverse onto at the cost of roughly halving the success probability.
* Currently no effect for curves with field size 1 bit mod 8 (where the top bit
* is chopped off). FUTURE MAGIC: automatic at least for brainpool-style curves; support
* log p == 1 mod 8 brainpool curves maybe?
*/
#define MAX(A,B) (((A)>(B)) ? (A) : (B))

decaf_error_t
API_NS(invert_elligator_nonuniform) (
unsigned char recovered_hash[SER_BYTES],
const point_t p,
uint32_t hint_
) {
mask_t hint = hint_;
mask_t sgn_s = -(hint & 1),
sgn_altx = -(hint>>1 & 1),
sgn_r0 = -(hint>>2 & 1),
/* FUTURE MAGIC: eventually if there's a curve which needs sgn_ed_T but not sgn_r0,
* change this mask extraction.
*/
sgn_ed_T = -(hint>>3 & 1);
gf a,b,c;
API_NS(deisogenize)(a,b,c,p,sgn_s,sgn_altx,sgn_ed_T);
mask_t is_identity = gf_eq(p->t,ZERO);
#if COFACTOR==4
gf_cond_sel(b,b,ONE,is_identity & sgn_altx);
gf_cond_sel(c,c,ONE,is_identity & sgn_s &~ sgn_altx);
#elif IMAGINE_TWIST
/* Terrible, terrible special casing due to lots of 0/0 is deisogenize
* Basically we need to generate -D and +- i*RISTRETTO_FACTOR
*/
gf_mul_i(a,RISTRETTO_FACTOR);
gf_cond_sel(b,b,ONE,is_identity);
gf_cond_neg(a,sgn_altx);
gf_cond_sel(c,c,a,is_identity & sgn_ed_T);
gf_cond_sel(c,c,ZERO,is_identity & ~sgn_ed_T);
gf_mulw(a,ONE,-EDWARDS_D);
gf_cond_sel(c,c,a,is_identity & ~sgn_ed_T &~ sgn_altx);
#else
#error "Different special-casing goes here!"
#endif
#if IMAGINE_TWIST
gf_mulw(a,b,-EDWARDS_D);
#else
gf_mulw(a,b,EDWARDS_D-1);
#endif
gf_add(b,a,b);
gf_sub(a,a,c);
gf_add(b,b,c);
gf_cond_swap(a,b,sgn_s);
gf_mul_qnr(c,b);
gf_mul(b,c,a);
mask_t succ = gf_isr(c,b);
succ |= gf_eq(b,ZERO);
gf_mul(b,c,a);
#if 448 == 8*SER_BYTES + 1 /* p521. */
#error "this won't work because it needs to adjust high bit, not low bit"
sgn_r0 = 0;
#endif
gf_cond_neg(b, sgn_r0^gf_lobit(b));
/* Eliminate duplicate values for identity ... */
succ &= ~(gf_eq(b,ZERO) & (sgn_r0 | sgn_s));
// #if COFACTOR == 8
// succ &= ~(is_identity & sgn_ed_T); /* NB: there are no preimages of rotated identity. */
// #endif
#if 448 == 8*SER_BYTES + 1 /* p521 */
gf_serialize(recovered_hash,b,0);
#else
gf_serialize(recovered_hash,b,1);
#endif
#if 0
#if COFACTOR==8
recovered_hash[SER_BYTES-1] ^= (hint>>4)<<0;
#else
recovered_hash[SER_BYTES-1] ^= (hint>>3)<<0;
#endif
#endif
return decaf_succeed_if(mask_to_bool(succ));
}

decaf_error_t
API_NS(invert_elligator_uniform) (
unsigned char partial_hash[2*SER_BYTES],
const point_t p,
uint32_t hint
) {
point_t pt2;
API_NS(point_from_hash_nonuniform)(pt2,&partial_hash[SER_BYTES]);
API_NS(point_sub)(pt2,p,pt2);
return API_NS(invert_elligator_nonuniform)(partial_hash,pt2,hint);
}

+ 0
- 341
src/GENERATED/c/ed448goldilocks/scalar.c View File

@@ -1,341 +0,0 @@
/**
* @file ed448goldilocks/scalar.c
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
* @brief Decaf high-level functions.
*
* @warning This file was automatically generated in Python.
* Please do not edit it.
*/
#include "word.h"
#include "constant_time.h"
#include <decaf.h>

/* Template stuff */
#define API_NS(_id) decaf_448_##_id
#define SCALAR_BITS DECAF_448_SCALAR_BITS
#define SCALAR_SER_BYTES DECAF_448_SCALAR_BYTES
#define SCALAR_LIMBS DECAF_448_SCALAR_LIMBS
#define scalar_t API_NS(scalar_t)

static const decaf_word_t MONTGOMERY_FACTOR = (decaf_word_t)0x3bd440fae918bc5ull;
static const scalar_t sc_p = {{{
SC_LIMB(0x2378c292ab5844f3), SC_LIMB(0x216cc2728dc58f55), SC_LIMB(0xc44edb49aed63690), SC_LIMB(0xffffffff7cca23e9), SC_LIMB(0xffffffffffffffff), SC_LIMB(0xffffffffffffffff), SC_LIMB(0x3fffffffffffffff)
}}}, sc_r2 = {{{
SC_LIMB(0xe3539257049b9b60), SC_LIMB(0x7af32c4bc1b195d9), SC_LIMB(0x0d66de2388ea1859), SC_LIMB(0xae17cf725ee4d838), SC_LIMB(0x1a9cc14ba3c47c44), SC_LIMB(0x2052bcb7e4d070af), SC_LIMB(0x3402a939f823b729)
}}};
/* End of template stuff */

#define WBITS DECAF_WORD_BITS /* NB this may be different from ARCH_WORD_BITS */

const scalar_t API_NS(scalar_one) = {{{1}}}, API_NS(scalar_zero) = {{{0}}};

/** {extra,accum} - sub +? p
* Must have extra <= 1
*/
static DECAF_NOINLINE void sc_subx(
scalar_t out,
const decaf_word_t accum[SCALAR_LIMBS],
const scalar_t sub,
const scalar_t p,
decaf_word_t extra
) {
decaf_dsword_t chain = 0;
unsigned int i;
for (i=0; i<SCALAR_LIMBS; i++) {
chain = (chain + accum[i]) - sub->limb[i];
out->limb[i] = chain;
chain >>= WBITS;
}
decaf_word_t borrow = chain+extra; /* = 0 or -1 */
chain = 0;
for (i=0; i<SCALAR_LIMBS; i++) {
chain = (chain + out->limb[i]) + (p->limb[i] & borrow);
out->limb[i] = chain;
chain >>= WBITS;
}
}

static DECAF_NOINLINE void sc_montmul (
scalar_t out,
const scalar_t a,
const scalar_t b
) {
unsigned int i,j;
decaf_word_t accum[SCALAR_LIMBS+1] = {0};
decaf_word_t hi_carry = 0;
for (i=0; i<SCALAR_LIMBS; i++) {
decaf_word_t mand = a->limb[i];
const decaf_word_t *mier = b->limb;
decaf_dword_t chain = 0;
for (j=0; j<SCALAR_LIMBS; j++) {
chain += ((decaf_dword_t)mand)*mier[j] + accum[j];
accum[j] = chain;
chain >>= WBITS;
}
accum[j] = chain;
mand = accum[0] * MONTGOMERY_FACTOR;
chain = 0;
mier = sc_p->limb;
for (j=0; j<SCALAR_LIMBS; j++) {
chain += (decaf_dword_t)mand*mier[j] + accum[j];
if (j) accum[j-1] = chain;
chain >>= WBITS;
}
chain += accum[j];
chain += hi_carry;
accum[j-1] = chain;
hi_carry = chain >> WBITS;
}
sc_subx(out, accum, sc_p, sc_p, hi_carry);
}

void API_NS(scalar_mul) (
scalar_t out,
const scalar_t a,
const scalar_t b
) {
sc_montmul(out,a,b);
sc_montmul(out,out,sc_r2);
}

/* PERF: could implement this */
static DECAF_INLINE void sc_montsqr (scalar_t out, const scalar_t a) {
sc_montmul(out,a,a);
}

decaf_error_t API_NS(scalar_invert) (
scalar_t out,
const scalar_t a
) {
/* Fermat's little theorem, sliding window.
* Sliding window is fine here because the modulus isn't secret.
*/
const int SCALAR_WINDOW_BITS = 3;
scalar_t precmp[1<<SCALAR_WINDOW_BITS];
const int LAST = (1<<SCALAR_WINDOW_BITS)-1;

/* Precompute precmp = [a^1,a^3,...] */
sc_montmul(precmp[0],a,sc_r2);
if (LAST > 0) sc_montmul(precmp[LAST],precmp[0],precmp[0]);

int i;
for (i=1; i<=LAST; i++) {
sc_montmul(precmp[i],precmp[i-1],precmp[LAST]);
}
/* Sliding window */
unsigned residue = 0, trailing = 0, started = 0;
for (i=SCALAR_BITS-1; i>=-SCALAR_WINDOW_BITS; i--) {
if (started) sc_montsqr(out,out);
decaf_word_t w = (i>=0) ? sc_p->limb[i/WBITS] : 0;
if (i >= 0 && i<WBITS) {
assert(w >= 2);
w-=2;
}
residue = (residue<<1) | ((w>>(i%WBITS))&1);
if (residue>>SCALAR_WINDOW_BITS != 0) {
assert(trailing == 0);
trailing = residue;
residue = 0;
}
if (trailing > 0 && (trailing & ((1<<SCALAR_WINDOW_BITS)-1)) == 0) {
if (started) {
sc_montmul(out,out,precmp[trailing>>(SCALAR_WINDOW_BITS+1)]);
} else {
API_NS(scalar_copy)(out,precmp[trailing>>(SCALAR_WINDOW_BITS+1)]);
started = 1;
}
trailing = 0;
}
trailing <<= 1;
}
assert(residue==0);
assert(trailing==0);
/* Demontgomerize */
sc_montmul(out,out,API_NS(scalar_one));
decaf_bzero(precmp, sizeof(precmp));
return decaf_succeed_if(~API_NS(scalar_eq)(out,API_NS(scalar_zero)));
}

void API_NS(scalar_sub) (
scalar_t out,
const scalar_t a,
const scalar_t b
) {
sc_subx(out, a->limb, b, sc_p, 0);
}

void API_NS(scalar_add) (
scalar_t out,
const scalar_t a,
const scalar_t b
) {
decaf_dword_t chain = 0;
unsigned int i;
for (i=0; i<SCALAR_LIMBS; i++) {
chain = (chain + a->limb[i]) + b->limb[i];
out->limb[i] = chain;
chain >>= WBITS;
}
sc_subx(out, out->limb, sc_p, sc_p, chain);
}

void
API_NS(scalar_set_unsigned) (
scalar_t out,
uint64_t w
) {
memset(out,0,sizeof(scalar_t));
unsigned int i = 0;
for (; i<sizeof(uint64_t)/sizeof(decaf_word_t); i++) {
out->limb[i] = w;
#if DECAF_WORD_BITS < 64
w >>= 8*sizeof(decaf_word_t);
#endif
}
}

decaf_bool_t
API_NS(scalar_eq) (
const scalar_t a,
const scalar_t b
) {
decaf_word_t diff = 0;
unsigned int i;
for (i=0; i<SCALAR_LIMBS; i++) {
diff |= a->limb[i] ^ b->limb[i];
}
return mask_to_bool(word_is_zero(diff));
}

static DECAF_INLINE void scalar_decode_short (
scalar_t s,
const unsigned char *ser,
unsigned int nbytes
) {
unsigned int i,j,k=0;
for (i=0; i<SCALAR_LIMBS; i++) {
decaf_word_t out = 0;
for (j=0; j<sizeof(decaf_word_t) && k<nbytes; j++,k++) {
out |= ((decaf_word_t)ser[k])<<(8*j);
}
s->limb[i] = out;
}
}

decaf_error_t API_NS(scalar_decode)(
scalar_t s,
const unsigned char ser[SCALAR_SER_BYTES]
) {
unsigned int i;
scalar_decode_short(s, ser, SCALAR_SER_BYTES);
decaf_dsword_t accum = 0;
for (i=0; i<SCALAR_LIMBS; i++) {
accum = (accum + s->limb[i] - sc_p->limb[i]) >> WBITS;
}
/* Here accum == 0 or -1 */
API_NS(scalar_mul)(s,s,API_NS(scalar_one)); /* ham-handed reduce */
return decaf_succeed_if(~word_is_zero(accum));
}

void API_NS(scalar_destroy) (
scalar_t scalar
) {
decaf_bzero(scalar, sizeof(scalar_t));
}

void API_NS(scalar_decode_long)(
scalar_t s,
const unsigned char *ser,
size_t ser_len
) {
if (ser_len == 0) {
API_NS(scalar_copy)(s, API_NS(scalar_zero));
return;
}
size_t i;
scalar_t t1, t2;

i = ser_len - (ser_len%SCALAR_SER_BYTES);
if (i==ser_len) i -= SCALAR_SER_BYTES;
scalar_decode_short(t1, &ser[i], ser_len-i);

if (ser_len == sizeof(scalar_t)) {
assert(i==0);
/* ham-handed reduce */
API_NS(scalar_mul)(s,t1,API_NS(scalar_one));
API_NS(scalar_destroy)(t1);
return;
}

while (i) {
i -= SCALAR_SER_BYTES;
sc_montmul(t1,t1,sc_r2);
ignore_result( API_NS(scalar_decode)(t2, ser+i) );
API_NS(scalar_add)(t1, t1, t2);
}

API_NS(scalar_copy)(s, t1);
API_NS(scalar_destroy)(t1);
API_NS(scalar_destroy)(t2);
}

void API_NS(scalar_encode)(
unsigned char ser[SCALAR_SER_BYTES],
const scalar_t s
) {
unsigned int i,j,k=0;
for (i=0; i<SCALAR_LIMBS; i++) {
for (j=0; j<sizeof(decaf_word_t); j++,k++) {
ser[k] = s->limb[i] >> (8*j);
}
}
}

void API_NS(scalar_cond_sel) (
scalar_t out,
const scalar_t a,
const scalar_t b,
decaf_bool_t pick_b
) {
constant_time_select(out,a,b,sizeof(scalar_t),bool_to_mask(pick_b),sizeof(out->limb[0]));
}

void API_NS(scalar_halve) (
scalar_t out,
const scalar_t a
) {
decaf_word_t mask = -(a->limb[0] & 1);
decaf_dword_t chain = 0;
unsigned int i;
for (i=0; i<SCALAR_LIMBS; i++) {
chain = (chain + a->limb[i]) + (sc_p->limb[i] & mask);
out->limb[i] = chain;
chain >>= DECAF_WORD_BITS;
}
for (i=0; i<SCALAR_LIMBS-1; i++) {
out->limb[i] = out->limb[i]>>1 | out->limb[i+1]<<(WBITS-1);
}
out->limb[i] = out->limb[i]>>1 | chain<<(WBITS-1);
}


+ 0
- 110
src/GENERATED/c/p25519/f_field.h View File

@@ -1,110 +0,0 @@
/**
* @file p25519/f_field.h
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
* @brief Field-specific code for 2^255 - 19.
*
* @warning This file was automatically generated in Python.
* Please do not edit it.
*/

#ifndef __P25519_F_FIELD_H__
#define __P25519_F_FIELD_H__ 1

#include "constant_time.h"
#include <string.h>
#include <assert.h>

#include "word.h"

#define __DECAF_25519_GF_DEFINED__ 1
#define NLIMBS (40/sizeof(word_t))
#define X_SER_BYTES 32
#define SER_BYTES 32
typedef struct gf_25519_s {
word_t limb[NLIMBS];
} __attribute__((aligned(32))) gf_25519_s, gf_25519_t[1];

#define GF_LIT_LIMB_BITS 51
#define GF_BITS 255
#define ZERO gf_25519_ZERO
#define ONE gf_25519_ONE
#define MODULUS gf_25519_MODULUS
#define gf gf_25519_t
#define gf_s gf_25519_s
#define gf_eq gf_25519_eq
#define gf_hibit gf_25519_hibit
#define gf_lobit gf_25519_lobit
#define gf_copy gf_25519_copy
#define gf_add gf_25519_add
#define gf_sub gf_25519_sub
#define gf_add_RAW gf_25519_add_RAW
#define gf_sub_RAW gf_25519_sub_RAW
#define gf_bias gf_25519_bias
#define gf_weak_reduce gf_25519_weak_reduce
#define gf_strong_reduce gf_25519_strong_reduce
#define gf_mul gf_25519_mul
#define gf_sqr gf_25519_sqr
#define gf_mulw_unsigned gf_25519_mulw_unsigned
#define gf_isr gf_25519_isr
#define gf_serialize gf_25519_serialize
#define gf_deserialize gf_25519_deserialize

/* RFC 7748 support */
#define X_PUBLIC_BYTES X_SER_BYTES
#define X_PRIVATE_BYTES X_PUBLIC_BYTES
#define X_PRIVATE_BITS 255

#define SQRT_MINUS_ONE P25519_SQRT_MINUS_ONE /* might not be defined */

#define INLINE_UNUSED __inline__ __attribute__((unused,always_inline))

#ifdef __cplusplus
extern "C" {
#endif

/* Defined below in f_impl.h */
static INLINE_UNUSED void gf_copy (gf out, const gf a) { *out = *a; }
static INLINE_UNUSED void gf_add_RAW (gf out, const gf a, const gf b);
static INLINE_UNUSED void gf_sub_RAW (gf out, const gf a, const gf b);
static INLINE_UNUSED void gf_bias (gf inout, int amount);
static INLINE_UNUSED void gf_weak_reduce (gf inout);

void gf_strong_reduce (gf inout);
void gf_add (gf out, const gf a, const gf b);
void gf_sub (gf out, const gf a, const gf b);
void gf_mul (gf_s *__restrict__ out, const gf a, const gf b);
void gf_mulw_unsigned (gf_s *__restrict__ out, const gf a, uint32_t b);
void gf_sqr (gf_s *__restrict__ out, const gf a);
mask_t gf_isr(gf a, const gf x); /** a^2 x = 1, QNR, or 0 if x=0. Return true if successful */
mask_t gf_eq (const gf x, const gf y);
mask_t gf_lobit (const gf x);
mask_t gf_hibit (const gf x);

void gf_serialize (uint8_t *serial, const gf x,int with_highbit);
mask_t gf_deserialize (gf x, const uint8_t serial[SER_BYTES],int with_hibit,uint8_t hi_nmask);


#ifdef __cplusplus
} /* extern "C" */
#endif

#include "f_impl.h" /* Bring in the inline implementations */

#define P_MOD_8 5
#if P_MOD_8 == 5
extern const gf SQRT_MINUS_ONE;
#endif

#ifndef LIMBPERM
#define LIMBPERM(i) (i)
#endif
#define LIMB_MASK(i) (((1ull)<<LIMB_PLACE_VALUE(i))-1)

static const gf ZERO = {{{0}}}, ONE = {{{ [LIMBPERM(0)] = 1 }}};

#endif /* __P25519_F_FIELD_H__ */

+ 0
- 144
src/GENERATED/c/p25519/f_generic.c View File

@@ -1,144 +0,0 @@
/**
* @file p25519/f_generic.c
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
* @brief Generic arithmetic which has to be compiled per field.
*
* @warning This file was automatically generated in Python.
* Please do not edit it.
*/
#include "field.h"

static const gf MODULUS = {FIELD_LITERAL(
0x7ffffffffffed, 0x7ffffffffffff, 0x7ffffffffffff, 0x7ffffffffffff, 0x7ffffffffffff
)};
#if P_MOD_8 == 5
const gf SQRT_MINUS_ONE = {FIELD_LITERAL(
0x61b274a0ea0b0, 0x0d5a5fc8f189d, 0x7ef5e9cbd0c60, 0x78595a6804c9e, 0x2b8324804fc1d
)};
#endif

/** Serialize to wire format. */
void gf_serialize (uint8_t serial[SER_BYTES], const gf x, int with_hibit) {
gf red;
gf_copy(red, x);
gf_strong_reduce(red);
if (!with_hibit) { assert(gf_hibit(red) == 0); }
unsigned int j=0, fill=0;
dword_t buffer = 0;
UNROLL for (unsigned int i=0; i<(with_hibit ? X_SER_BYTES : SER_BYTES); i++) {
if (fill < 8 && j < NLIMBS) {
buffer |= ((dword_t)red->limb[LIMBPERM(j)]) << fill;
fill += LIMB_PLACE_VALUE(LIMBPERM(j));
j++;
}
serial[i] = buffer;
fill -= 8;
buffer >>= 8;
}
}

/** Return high bit of x = low bit of 2x mod p */
mask_t gf_hibit(const gf x) {
gf y;
gf_add(y,x,x);
gf_strong_reduce(y);
return -(y->limb[0]&1);
}

/** Return high bit of x = low bit of 2x mod p */
mask_t gf_lobit(const gf x) {
gf y;
gf_copy(y,x);
gf_strong_reduce(y);
return -(y->limb[0]&1);
}

/** Deserialize from wire format; return -1 on success and 0 on failure. */
mask_t gf_deserialize (gf x, const uint8_t serial[SER_BYTES], int with_hibit, uint8_t hi_nmask) {
unsigned int j=0, fill=0;
dword_t buffer = 0;
dsword_t scarry = 0;
const unsigned nbytes = with_hibit ? X_SER_BYTES : SER_BYTES;
UNROLL for (unsigned int i=0; i<NLIMBS; i++) {
UNROLL while (fill < LIMB_PLACE_VALUE(LIMBPERM(i)) && j < nbytes) {
uint8_t sj = serial[j];
if (j==nbytes-1) sj &= ~hi_nmask;
buffer |= ((dword_t)sj) << fill;
fill += 8;
j++;
}
x->limb[LIMBPERM(i)] = (i<NLIMBS-1) ? buffer & LIMB_MASK(LIMBPERM(i)) : buffer;
fill -= LIMB_PLACE_VALUE(LIMBPERM(i));
buffer >>= LIMB_PLACE_VALUE(LIMBPERM(i));
scarry = (scarry + x->limb[LIMBPERM(i)] - MODULUS->limb[LIMBPERM(i)]) >> (8*sizeof(word_t));
}
mask_t succ = with_hibit ? -(mask_t)1 : ~gf_hibit(x);
return succ & word_is_zero(buffer) & ~word_is_zero(scarry);
}

/** Reduce to canonical form. */
void gf_strong_reduce (gf a) {
/* first, clear high */
gf_weak_reduce(a); /* Determined to have negligible perf impact. */

/* now the total is less than 2p */

/* compute total_value - p. No need to reduce mod p. */
dsword_t scarry = 0;
for (unsigned int i=0; i<NLIMBS; i++) {
scarry = scarry + a->limb[LIMBPERM(i)] - MODULUS->limb[LIMBPERM(i)];
a->limb[LIMBPERM(i)] = scarry & LIMB_MASK(LIMBPERM(i));
scarry >>= LIMB_PLACE_VALUE(LIMBPERM(i));
}

/* uncommon case: it was >= p, so now scarry = 0 and this = x
* common case: it was < p, so now scarry = -1 and this = x - p + 2^255
* so let's add back in p. will carry back off the top for 2^255.
*/
assert(word_is_zero(scarry) | word_is_zero(scarry+1));

word_t scarry_0 = scarry;
dword_t carry = 0;

/* add it back */
for (unsigned int i=0; i<NLIMBS; i++) {
carry = carry + a->limb[LIMBPERM(i)] + (scarry_0 & MODULUS->limb[LIMBPERM(i)]);
a->limb[LIMBPERM(i)] = carry & LIMB_MASK(LIMBPERM(i));
carry >>= LIMB_PLACE_VALUE(LIMBPERM(i));
}

assert(word_is_zero(carry + scarry_0));
}

/** Subtract two gf elements d=a-b */
void gf_sub (gf d, const gf a, const gf b) {
gf_sub_RAW ( d, a, b );
gf_bias( d, 2 );
gf_weak_reduce ( d );
}

/** Add two field elements d = a+b */
void gf_add (gf d, const gf a, const gf b) {
gf_add_RAW ( d, a, b );
gf_weak_reduce ( d );
}

/** Compare a==b */
mask_t gf_eq(const gf a, const gf b) {
gf c;
gf_sub(c,a,b);
gf_strong_reduce(c);
mask_t ret=0;
for (unsigned int i=0; i<NLIMBS; i++) {
ret |= c->limb[LIMBPERM(i)];
}

return word_is_zero(ret);
}

+ 0
- 110
src/GENERATED/c/p448/f_field.h View File

@@ -1,110 +0,0 @@
/**
* @file p448/f_field.h
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
* @brief Field-specific code for 2^448 - 2^224 - 1.
*
* @warning This file was automatically generated in Python.
* Please do not edit it.
*/

#ifndef __P448_F_FIELD_H__
#define __P448_F_FIELD_H__ 1

#include "constant_time.h"
#include <string.h>
#include <assert.h>

#include "word.h"

#define __DECAF_448_GF_DEFINED__ 1
#define NLIMBS (64/sizeof(word_t))
#define X_SER_BYTES 56
#define SER_BYTES 56
typedef struct gf_448_s {
word_t limb[NLIMBS];
} __attribute__((aligned(32))) gf_448_s, gf_448_t[1];

#define GF_LIT_LIMB_BITS 56
#define GF_BITS 448
#define ZERO gf_448_ZERO
#define ONE gf_448_ONE
#define MODULUS gf_448_MODULUS
#define gf gf_448_t
#define gf_s gf_448_s
#define gf_eq gf_448_eq
#define gf_hibit gf_448_hibit
#define gf_lobit gf_448_lobit
#define gf_copy gf_448_copy
#define gf_add gf_448_add
#define gf_sub gf_448_sub
#define gf_add_RAW gf_448_add_RAW
#define gf_sub_RAW gf_448_sub_RAW
#define gf_bias gf_448_bias
#define gf_weak_reduce gf_448_weak_reduce
#define gf_strong_reduce gf_448_strong_reduce
#define gf_mul gf_448_mul
#define gf_sqr gf_448_sqr
#define gf_mulw_unsigned gf_448_mulw_unsigned
#define gf_isr gf_448_isr
#define gf_serialize gf_448_serialize
#define gf_deserialize gf_448_deserialize

/* RFC 7748 support */
#define X_PUBLIC_BYTES X_SER_BYTES
#define X_PRIVATE_BYTES X_PUBLIC_BYTES
#define X_PRIVATE_BITS 448

#define SQRT_MINUS_ONE P448_SQRT_MINUS_ONE /* might not be defined */

#define INLINE_UNUSED __inline__ __attribute__((unused,always_inline))

#ifdef __cplusplus
extern "C" {
#endif

/* Defined below in f_impl.h */
static INLINE_UNUSED void gf_copy (gf out, const gf a) { *out = *a; }
static INLINE_UNUSED void gf_add_RAW (gf out, const gf a, const gf b);
static INLINE_UNUSED void gf_sub_RAW (gf out, const gf a, const gf b);
static INLINE_UNUSED void gf_bias (gf inout, int amount);
static INLINE_UNUSED void gf_weak_reduce (gf inout);

void gf_strong_reduce (gf inout);
void gf_add (gf out, const gf a, const gf b);
void gf_sub (gf out, const gf a, const gf b);
void gf_mul (gf_s *__restrict__ out, const gf a, const gf b);
void gf_mulw_unsigned (gf_s *__restrict__ out, const gf a, uint32_t b);
void gf_sqr (gf_s *__restrict__ out, const gf a);
mask_t gf_isr(gf a, const gf x); /** a^2 x = 1, QNR, or 0 if x=0. Return true if successful */
mask_t gf_eq (const gf x, const gf y);
mask_t gf_lobit (const gf x);
mask_t gf_hibit (const gf x);

void gf_serialize (uint8_t *serial, const gf x,int with_highbit);
mask_t gf_deserialize (gf x, const uint8_t serial[SER_BYTES],int with_hibit,uint8_t hi_nmask);


#ifdef __cplusplus
} /* extern "C" */
#endif

#include "f_impl.h" /* Bring in the inline implementations */

#define P_MOD_8 7
#if P_MOD_8 == 5
extern const gf SQRT_MINUS_ONE;
#endif

#ifndef LIMBPERM
#define LIMBPERM(i) (i)
#endif
#define LIMB_MASK(i) (((1ull)<<LIMB_PLACE_VALUE(i))-1)

static const gf ZERO = {{{0}}}, ONE = {{{ [LIMBPERM(0)] = 1 }}};

#endif /* __P448_F_FIELD_H__ */

+ 0
- 144
src/GENERATED/c/p448/f_generic.c View File

@@ -1,144 +0,0 @@
/**
* @file p448/f_generic.c
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
* @brief Generic arithmetic which has to be compiled per field.
*
* @warning This file was automatically generated in Python.
* Please do not edit it.
*/
#include "field.h"

static const gf MODULUS = {FIELD_LITERAL(
0xffffffffffffff, 0xffffffffffffff, 0xffffffffffffff, 0xffffffffffffff, 0xfffffffffffffe, 0xffffffffffffff, 0xffffffffffffff, 0xffffffffffffff
)};
#if P_MOD_8 == 5
const gf SQRT_MINUS_ONE = {FIELD_LITERAL(
/* NOPE */
)};
#endif

/** Serialize to wire format. */
void gf_serialize (uint8_t serial[SER_BYTES], const gf x, int with_hibit) {
gf red;
gf_copy(red, x);
gf_strong_reduce(red);
if (!with_hibit) { assert(gf_hibit(red) == 0); }
unsigned int j=0, fill=0;
dword_t buffer = 0;
UNROLL for (unsigned int i=0; i<(with_hibit ? X_SER_BYTES : SER_BYTES); i++) {
if (fill < 8 && j < NLIMBS) {
buffer |= ((dword_t)red->limb[LIMBPERM(j)]) << fill;
fill += LIMB_PLACE_VALUE(LIMBPERM(j));
j++;
}
serial[i] = buffer;
fill -= 8;
buffer >>= 8;
}
}

/** Return high bit of x = low bit of 2x mod p */
mask_t gf_hibit(const gf x) {
gf y;
gf_add(y,x,x);
gf_strong_reduce(y);
return -(y->limb[0]&1);
}

/** Return high bit of x = low bit of 2x mod p */
mask_t gf_lobit(const gf x) {
gf y;
gf_copy(y,x);
gf_strong_reduce(y);
return -(y->limb[0]&1);
}

/** Deserialize from wire format; return -1 on success and 0 on failure. */
mask_t gf_deserialize (gf x, const uint8_t serial[SER_BYTES], int with_hibit, uint8_t hi_nmask) {
unsigned int j=0, fill=0;
dword_t buffer = 0;
dsword_t scarry = 0;
const unsigned nbytes = with_hibit ? X_SER_BYTES : SER_BYTES;
UNROLL for (unsigned int i=0; i<NLIMBS; i++) {
UNROLL while (fill < LIMB_PLACE_VALUE(LIMBPERM(i)) && j < nbytes) {
uint8_t sj = serial[j];
if (j==nbytes-1) sj &= ~hi_nmask;
buffer |= ((dword_t)sj) << fill;
fill += 8;
j++;
}
x->limb[LIMBPERM(i)] = (i<NLIMBS-1) ? buffer & LIMB_MASK(LIMBPERM(i)) : buffer;
fill -= LIMB_PLACE_VALUE(LIMBPERM(i));
buffer >>= LIMB_PLACE_VALUE(LIMBPERM(i));
scarry = (scarry + x->limb[LIMBPERM(i)] - MODULUS->limb[LIMBPERM(i)]) >> (8*sizeof(word_t));
}
mask_t succ = with_hibit ? -(mask_t)1 : ~gf_hibit(x);
return succ & word_is_zero(buffer) & ~word_is_zero(scarry);
}

/** Reduce to canonical form. */
void gf_strong_reduce (gf a) {
/* first, clear high */
gf_weak_reduce(a); /* Determined to have negligible perf impact. */

/* now the total is less than 2p */

/* compute total_value - p. No need to reduce mod p. */
dsword_t scarry = 0;
for (unsigned int i=0; i<NLIMBS; i++) {
scarry = scarry + a->limb[LIMBPERM(i)] - MODULUS->limb[LIMBPERM(i)];
a->limb[LIMBPERM(i)] = scarry & LIMB_MASK(LIMBPERM(i));
scarry >>= LIMB_PLACE_VALUE(LIMBPERM(i));
}

/* uncommon case: it was >= p, so now scarry = 0 and this = x
* common case: it was < p, so now scarry = -1 and this = x - p + 2^255
* so let's add back in p. will carry back off the top for 2^255.
*/
assert(word_is_zero(scarry) | word_is_zero(scarry+1));

word_t scarry_0 = scarry;
dword_t carry = 0;

/* add it back */
for (unsigned int i=0; i<NLIMBS; i++) {
carry = carry + a->limb[LIMBPERM(i)] + (scarry_0 & MODULUS->limb[LIMBPERM(i)]);
a->limb[LIMBPERM(i)] = carry & LIMB_MASK(LIMBPERM(i));
carry >>= LIMB_PLACE_VALUE(LIMBPERM(i));
}

assert(word_is_zero(carry + scarry_0));
}

/** Subtract two gf elements d=a-b */
void gf_sub (gf d, const gf a, const gf b) {
gf_sub_RAW ( d, a, b );
gf_bias( d, 2 );
gf_weak_reduce ( d );
}

/** Add two field elements d = a+b */
void gf_add (gf d, const gf a, const gf b) {
gf_add_RAW ( d, a, b );
gf_weak_reduce ( d );
}

/** Compare a==b */
mask_t gf_eq(const gf a, const gf b) {
gf c;
gf_sub(c,a,b);
gf_strong_reduce(c);
mask_t ret=0;
for (unsigned int i=0; i<NLIMBS; i++) {
ret |= c->limb[LIMBPERM(i)];
}

return word_is_zero(ret);
}

+ 0
- 32
src/GENERATED/include/decaf.h View File

@@ -1,32 +0,0 @@
/**
* @file decaf.h
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
* Master header for Decaf library.
*
* The Decaf library implements cryptographic operations on a elliptic curve
* groups of prime order p. It accomplishes this by using a twisted Edwards
* curve (isogenous to Ed448-Goldilocks or Ed25519) and wiping out the cofactor.
*
* The formulas are all complete and have no special cases. However, some
* functions can fail. For example, decoding functions can fail because not
* every string is the encoding of a valid group element.
*
* The formulas contain no data-dependent branches, timing or memory accesses,
* except for decaf_XXX_base_double_scalarmul_non_secret.
*
* @warning This file was automatically generated in Python.
* Please do not edit it.
*/

#ifndef __DECAF_H__
#define __DECAF_H__ 1

#include <decaf/point_255.h>
#include <decaf/point_448.h>

#endif /* __DECAF_H__ */

+ 0
- 31
src/GENERATED/include/decaf.hxx View File

@@ -1,31 +0,0 @@
/**
* @file decaf.hxx
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
* Master header for Decaf library, C++ version.
*
* @warning This file was automatically generated in Python.
* Please do not edit it.
*/

#ifndef __DECAF_HXX__
#define __DECAF_HXX__ 1

#include <decaf/point_255.hxx>
#include <decaf/point_448.hxx>

/** Namespace for all C++ decaf objects. */
namespace decaf {
/** Given a template with a "run" function, run it for all curves */
template <template<typename Group> class Run>
void run_for_all_curves() {
Run<Ristretto>::run();
Run<Ed448Goldilocks>::run();
}
}

#endif /* __DECAF_HXX__ */

+ 0
- 117
src/GENERATED/include/decaf/common.h View File

@@ -1,117 +0,0 @@
/**
* @file decaf/common.h
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
* @brief Common utility headers for Decaf library.
*/

#ifndef __DECAF_COMMON_H__
#define __DECAF_COMMON_H__ 1

#include <stdint.h>
#include <sys/types.h>

#ifdef __cplusplus
extern "C" {
#endif

/* Goldilocks' build flags default to hidden and stripping executables. */
/** @cond internal */
#if DOXYGEN || defined(__attribute__)
#define __attribute__(x)
#define NOINLINE
#endif
#define DECAF_API_VIS __attribute__((visibility("default")))
#define DECAF_NOINLINE __attribute__((noinline))
#define DECAF_WARN_UNUSED __attribute__((warn_unused_result))
#define DECAF_NONNULL __attribute__((nonnull))
#define DECAF_INLINE inline __attribute__((always_inline,unused))
// Cribbed from libnotmuch
#if defined (__clang_major__) && __clang_major__ >= 3 \
|| defined (__GNUC__) && __GNUC__ >= 5 \
|| defined (__GNUC__) && __GNUC__ == 4 && __GNUC_MINOR__ >= 5
#define DECAF_DEPRECATED(msg) __attribute__ ((deprecated(msg)))
#else
#define DECAF_DEPRECATED(msg) __attribute__ ((deprecated))
#endif
/** @endcond */

/* Internal word types.
*
* Somewhat tricky. This could be decided separately per platform. However,
* the structs do need to be all the same size and alignment on a given
* platform to support dynamic linking, since even if you header was built
* with eg arch_neon, you might end up linking a library built with arch_arm32.
*/
#ifndef DECAF_WORD_BITS
#if (defined(__ILP64__) || defined(__amd64__) || defined(__x86_64__) || (((__UINT_FAST32_MAX__)>>30)>>30))
#define DECAF_WORD_BITS 64 /**< The number of bits in a word */
#else
#define DECAF_WORD_BITS 32 /**< The number of bits in a word */
#endif
#endif
#if DECAF_WORD_BITS == 64
typedef uint64_t decaf_word_t; /**< Word size for internal computations */
typedef int64_t decaf_sword_t; /**< Signed word size for internal computations */
typedef uint64_t decaf_bool_t; /**< "Boolean" type, will be set to all-zero or all-one (i.e. -1u) */
typedef __uint128_t decaf_dword_t; /**< Double-word size for internal computations */
typedef __int128_t decaf_dsword_t; /**< Signed double-word size for internal computations */
#elif DECAF_WORD_BITS == 32 /**< The number of bits in a word */
typedef uint32_t decaf_word_t; /**< Word size for internal computations */
typedef int32_t decaf_sword_t; /**< Signed word size for internal computations */
typedef uint32_t decaf_bool_t; /**< "Boolean" type, will be set to all-zero or all-one (i.e. -1u) */
typedef uint64_t decaf_dword_t; /**< Double-word size for internal computations */
typedef int64_t decaf_dsword_t; /**< Signed double-word size for internal computations */
#else
#error "Only supporting DECAF_WORD_BITS = 32 or 64 for now"
#endif
/** DECAF_TRUE = -1 so that DECAF_TRUE & x = x */
static const decaf_bool_t DECAF_TRUE = -(decaf_bool_t)1;

/** DECAF_FALSE = 0 so that DECAF_FALSE & x = 0 */
static const decaf_bool_t DECAF_FALSE = 0;

/** Another boolean type used to indicate success or failure. */
typedef enum {
DECAF_SUCCESS = -1, /**< The operation succeeded. */
DECAF_FAILURE = 0 /**< The operation failed. */
} decaf_error_t;


/** Return success if x is true */
static DECAF_INLINE decaf_error_t
decaf_succeed_if(decaf_bool_t x) {
return (decaf_error_t)x;
}

/** Return DECAF_TRUE iff x == DECAF_SUCCESS */
static DECAF_INLINE decaf_bool_t
decaf_successful(decaf_error_t e) {
decaf_dword_t w = ((decaf_word_t)e) ^ ((decaf_word_t)DECAF_SUCCESS);
return (w-1)>>DECAF_WORD_BITS;
}
/** Overwrite data with zeros. Uses memset_s if available. */
void decaf_bzero (
void *data,
size_t size
) DECAF_NONNULL DECAF_API_VIS;

/** Compare two buffers, returning DECAF_TRUE if they are equal. */
decaf_bool_t decaf_memeq (
const void *data1,
const void *data2,
size_t size
) DECAF_NONNULL DECAF_WARN_UNUSED DECAF_API_VIS;
#ifdef __cplusplus
} /* extern "C" */
#endif
#endif /* __DECAF_COMMON_H__ */

+ 0
- 259
src/GENERATED/include/decaf/ed255.h View File

@@ -1,259 +0,0 @@
/**
* @file decaf/ed255.h
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
* @brief A group of prime order p, based on Curve25519.
*
* @warning This file was automatically generated in Python.
* Please do not edit it.
*/

#ifndef __DECAF_ED255_H__
#define __DECAF_ED255_H__ 1

#include <decaf/point_255.h>
#include <decaf/shake.h>
#include <decaf/sha512.h>

#ifdef __cplusplus
extern "C" {
#endif

/** Number of bytes in an EdDSA public key. */
#define DECAF_EDDSA_25519_PUBLIC_BYTES 32

/** Number of bytes in an EdDSA private key. */
#define DECAF_EDDSA_25519_PRIVATE_BYTES DECAF_EDDSA_25519_PUBLIC_BYTES

/** Number of bytes in an EdDSA private key. */
#define DECAF_EDDSA_25519_SIGNATURE_BYTES (DECAF_EDDSA_25519_PUBLIC_BYTES + DECAF_EDDSA_25519_PRIVATE_BYTES)

/** Does EdDSA support non-contextual signatures? */
#define DECAF_EDDSA_25519_SUPPORTS_CONTEXTLESS_SIGS 1
extern const uint8_t * const DECAF_ED25519_NO_CONTEXT DECAF_API_VIS;


/** Prehash context (raw), because each EdDSA instance has a different prehash. */
#define decaf_ed25519_prehash_ctx_s decaf_sha512_ctx_s

/** Prehash context, array[1] form. */
#define decaf_ed25519_prehash_ctx_t decaf_sha512_ctx_t
/** Prehash update. */
#define decaf_ed25519_prehash_update decaf_sha512_update
/** Prehash destroy. */
#define decaf_ed25519_prehash_destroy decaf_sha512_destroy

/** EdDSA encoding ratio. */
#define DECAF_255_EDDSA_ENCODE_RATIO 4

/** EdDSA decoding ratio. */
#define DECAF_255_EDDSA_DECODE_RATIO (8 / 4)

/**
* @brief EdDSA key generation. This function uses a different (non-Decaf)
* encoding.
*
* @param [out] pubkey The public key.
* @param [in] privkey The private key.
*/
void decaf_ed25519_derive_public_key (
uint8_t pubkey[DECAF_EDDSA_25519_PUBLIC_BYTES],
const uint8_t privkey[DECAF_EDDSA_25519_PRIVATE_BYTES]
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;

/**
* @brief EdDSA signing.
*
* @param [out] signature The signature.
* @param [in] privkey The private key.
* @param [in] pubkey The public key.
* @param [in] message The message to sign.
* @param [in] message_len The length of the message.
* @param [in] prehashed Nonzero if the message is actually the hash of something you want to sign.
* @param [in] context A "context" for this signature of up to 255 bytes.
* @param [in] context_len Length of the context.
*
* @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed
* messages, at least without some very careful protocol-level disambiguation. For Ed448 it is
* safe. The C++ wrapper is designed to make it harder to screw this up, but this C code gives
* you no seat belt.
*/
void decaf_ed25519_sign (
uint8_t signature[DECAF_EDDSA_25519_SIGNATURE_BYTES],
const uint8_t privkey[DECAF_EDDSA_25519_PRIVATE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_25519_PUBLIC_BYTES],
const uint8_t *message,
size_t message_len,
uint8_t prehashed,
const uint8_t *context,
uint8_t context_len
) DECAF_API_VIS __attribute__((nonnull(1,2,3))) DECAF_NOINLINE;

/**
* @brief EdDSA signing with prehash.
*
* @param [out] signature The signature.
* @param [in] privkey The private key.
* @param [in] pubkey The public key.
* @param [in] hash The hash of the message. This object will not be modified by the call.
* @param [in] context A "context" for this signature of up to 255 bytes. Must be the same as what was used for the prehash.
* @param [in] context_len Length of the context.
*
* @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed
* messages, at least without some very careful protocol-level disambiguation. For Ed448 it is
* safe. The C++ wrapper is designed to make it harder to screw this up, but this C code gives
* you no seat belt.
*/
void decaf_ed25519_sign_prehash (
uint8_t signature[DECAF_EDDSA_25519_SIGNATURE_BYTES],
const uint8_t privkey[DECAF_EDDSA_25519_PRIVATE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_25519_PUBLIC_BYTES],
const decaf_ed25519_prehash_ctx_t hash,
const uint8_t *context,
uint8_t context_len
) DECAF_API_VIS __attribute__((nonnull(1,2,3,4))) DECAF_NOINLINE;
/**
* @brief Prehash initialization, with contexts if supported.
*
* @param [out] hash The hash object to be initialized.
*/
void decaf_ed25519_prehash_init (
decaf_ed25519_prehash_ctx_t hash
) DECAF_API_VIS __attribute__((nonnull(1))) DECAF_NOINLINE;

/**
* @brief EdDSA signature verification.
*
* Uses the standard (i.e. less-strict) verification formula.
*
* @param [in] signature The signature.
* @param [in] pubkey The public key.
* @param [in] message The message to verify.
* @param [in] message_len The length of the message.
* @param [in] prehashed Nonzero if the message is actually the hash of something you want to verify.
* @param [in] context A "context" for this signature of up to 255 bytes.
* @param [in] context_len Length of the context.
*
* @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed
* messages, at least without some very careful protocol-level disambiguation. For Ed448 it is
* safe. The C++ wrapper is designed to make it harder to screw this up, but this C code gives
* you no seat belt.
*/
decaf_error_t decaf_ed25519_verify (
const uint8_t signature[DECAF_EDDSA_25519_SIGNATURE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_25519_PUBLIC_BYTES],
const uint8_t *message,
size_t message_len,
uint8_t prehashed,
const uint8_t *context,
uint8_t context_len
) DECAF_API_VIS __attribute__((nonnull(1,2))) DECAF_NOINLINE;

/**
* @brief EdDSA signature verification.
*
* Uses the standard (i.e. less-strict) verification formula.
*
* @param [in] signature The signature.
* @param [in] pubkey The public key.
* @param [in] hash The hash of the message. This object will not be modified by the call.
* @param [in] context A "context" for this signature of up to 255 bytes. Must be the same as what was used for the prehash.
* @param [in] context_len Length of the context.
*
* @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed
* messages, at least without some very careful protocol-level disambiguation. For Ed448 it is
* safe. The C++ wrapper is designed to make it harder to screw this up, but this C code gives
* you no seat belt.
*/
decaf_error_t decaf_ed25519_verify_prehash (
const uint8_t signature[DECAF_EDDSA_25519_SIGNATURE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_25519_PUBLIC_BYTES],
const decaf_ed25519_prehash_ctx_t hash,
const uint8_t *context,
uint8_t context_len
) DECAF_API_VIS __attribute__((nonnull(1,2))) DECAF_NOINLINE;

/**
* @brief EdDSA point encoding. Used internally, exposed externally.
* Multiplies by DECAF_255_EDDSA_ENCODE_RATIO first.
*
* The multiplication is required because the EdDSA encoding represents
* the cofactor information, but the Decaf encoding ignores it (which
* is the whole point). So if you decode from EdDSA and re-encode to
* EdDSA, the cofactor info must get cleared, because the intermediate
* representation doesn't track it.
*
* The way libdecaf handles this is to multiply by
* DECAF_255_EDDSA_DECODE_RATIO when decoding, and by
* DECAF_255_EDDSA_ENCODE_RATIO when encoding. The product of these
* ratios is always exactly the cofactor 8, so the cofactor
* ends up cleared one way or another. But exactly how that shakes
* out depends on the base points specified in RFC 8032.
*
* The upshot is that if you pass the Decaf/Ristretto base point to
* this function, you will get DECAF_255_EDDSA_ENCODE_RATIO times the
* EdDSA base point.
*
* @param [out] enc The encoded point.
* @param [in] p The point.
*/
void decaf_255_point_mul_by_ratio_and_encode_like_eddsa (
uint8_t enc[DECAF_EDDSA_25519_PUBLIC_BYTES],
const decaf_255_point_t p
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;

/**
* @brief EdDSA point decoding. Multiplies by DECAF_255_EDDSA_DECODE_RATIO,
* and ignores cofactor information.
*
* See notes on decaf_255_point_mul_by_ratio_and_encode_like_eddsa
*
* @param [out] enc The encoded point.
* @param [in] p The point.
*/
decaf_error_t decaf_255_point_decode_like_eddsa_and_mul_by_ratio (
decaf_255_point_t p,
const uint8_t enc[DECAF_EDDSA_25519_PUBLIC_BYTES]
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;

/**
* @brief EdDSA to ECDH public key conversion
* Deserialize the point to get y on Edwards curve,
* Convert it to u coordinate on Montgomery curve.
*
* @warning This function does not check that the public key being converted
* is a valid EdDSA public key (FUTURE?)
*
* @param[out] x The ECDH public key as in RFC7748(point on Montgomery curve)
* @param[in] ed The EdDSA public key(point on Edwards curve)
*/
void decaf_ed25519_convert_public_key_to_x25519 (
uint8_t x[DECAF_X25519_PUBLIC_BYTES],
const uint8_t ed[DECAF_EDDSA_25519_PUBLIC_BYTES]
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;

/**
* @brief EdDSA to ECDH private key conversion
* Using the appropriate hash function, hash the EdDSA private key
* and keep only the lower bytes to get the ECDH private key
*
* @param[out] x The ECDH private key as in RFC7748
* @param[in] ed The EdDSA private key
*/
void decaf_ed25519_convert_private_key_to_x25519 (
uint8_t x[DECAF_X25519_PRIVATE_BYTES],
const uint8_t ed[DECAF_EDDSA_25519_PRIVATE_BYTES]
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;

#ifdef __cplusplus
} /* extern "C" */
#endif

#endif /* __DECAF_ED255_H__ */

+ 0
- 438
src/GENERATED/include/decaf/ed255.hxx View File

@@ -1,438 +0,0 @@
/**
* @file decaf/ed255.hxx
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
*
*
* @warning This file was automatically generated in Python.
* Please do not edit it.
*/

#ifndef __DECAF_ED255_HXX__
#define __DECAF_ED255_HXX__ 1
/*
* Example Decaf cyrpto routines, C++ wrapper.
* @warning These are merely examples, though they ought to be secure. But real
* protocols will decide differently on magic numbers, formats, which items to
* hash, etc.
* @warning Experimental! The names, parameter orders etc are likely to change.
*/

#include <decaf/eddsa.hxx>
#include <decaf/point_255.hxx>
#include <decaf/ed255.h>

#include <decaf/shake.hxx>
#include <decaf/sha512.hxx>

/** @cond internal */
#if __cplusplus >= 201103L
#define DECAF_NOEXCEPT noexcept
#else
#define DECAF_NOEXCEPT throw()
#endif
/** @endcond */

/** Namespace for all libdecaf C++ objects. */
namespace decaf {

/** A public key for crypto over some Group */
template <typename Group> struct EdDSA;

/** A public key for crypto over Ristretto */
template<> struct EdDSA<Ristretto> {

/** @cond internal */
template<class CRTP, Prehashed> class Signing;
template<class CRTP, Prehashed> class Verification;
class PublicKeyBase;
class PrivateKeyBase;
typedef class PrivateKeyBase PrivateKey, PrivateKeyPure, PrivateKeyPh;
typedef class PublicKeyBase PublicKey, PublicKeyPure, PublicKeyPh;
/** @endcond */

/**
* Signatures support a "context" block, which allows you to domain separate them if
* (for some reason) it's annoying to domain separate the message itself. The default
* is no context. For Ed25519, the spec defining contexts is an extension, and the
* default is not to use that extension. This makes "no context" different from
* the empty string. For Ed448, contexts are built-in and mandatory, so "no context"
* is the same as the empty string.
*/
#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTLESS_SIGS
static inline const Block NO_CONTEXT() { return Block(DECAF_ED25519_NO_CONTEXT,0); }
#else
static inline const Block NO_CONTEXT() { return Block(NULL,0); }
#endif

/** Prehash context for EdDSA. */
class Prehash : public SHA512 {
private:
/** @cond internal */
typedef SHA512 Super;
SecureBuffer context_;
template<class T, Prehashed Ph> friend class Signing;
template<class T, Prehashed Ph> friend class Verification;
void init() /*throw(LengthException)*/ {
Super::reset();
if (context_.size() > 255) {
throw LengthException();
}

decaf_ed25519_prehash_init((decaf_sha512_ctx_s *)wrapped);
}
/** @endcond */
public:
/** Number of output bytes in prehash */
static const size_t OUTPUT_BYTES = Super::DEFAULT_OUTPUT_BYTES;
/** Create the prehash */
Prehash(const Block &context = NO_CONTEXT()) /*throw(LengthException)*/ {
context_ = context;
init();
}

/** Reset this hash */
void reset() DECAF_NOEXCEPT { init(); }
/** Output from this hash */
SecureBuffer final() /*throw(std::bad_alloc)*/ {
SecureBuffer ret = Super::final(OUTPUT_BYTES);
reset();
return ret;
}
/** Output from this hash */
void final(Buffer &b) /*throw(LengthException)*/ {
if (b.size() != OUTPUT_BYTES) throw LengthException();
Super::final(b);
reset();
}
};

/** Signing (i.e. private) key class template */
template<class CRTP, Prehashed ph> class Signing;

/** Signing (i.e. private) key class, PureEdDSA version */
template<class CRTP> class Signing<CRTP,PURE> {
public:
/**
* Sign a message.
* @param [in] message The message to be signed.
* @param [in] context A context for the signature; must be at most 255 bytes.
*
* @warning It is generally unsafe to use Ed25519 with both prehashed and non-prehashed messages.
*/
inline SecureBuffer sign (
const Block &message,
const Block &context = NO_CONTEXT()
) const /* throw(LengthException, std::bad_alloc) */ {
if (context.size() > 255) {
throw LengthException();
}
SecureBuffer out(CRTP::SIG_BYTES);
decaf_ed25519_sign (
out.data(),
((const CRTP*)this)->priv_.data(),
((const CRTP*)this)->pub_.data(),
message.data(),
message.size(),
0,
context.data(),
context.size()
);
return out;
}
};

/** Signing (i.e. private) key class, prehashed version */
template<class CRTP> class Signing<CRTP,PREHASHED> {
public:
/** Sign a prehash context, and reset the context */
inline SecureBuffer sign_prehashed ( const Prehash &ph ) const /*throw(std::bad_alloc)*/ {
SecureBuffer out(CRTP::SIG_BYTES);
decaf_ed25519_sign_prehash (
out.data(),
((const CRTP*)this)->priv_.data(),
((const CRTP*)this)->pub_.data(),
(const decaf_ed25519_prehash_ctx_s*)ph.wrapped,
ph.context_.data(),
ph.context_.size()
);
return out;
}
/** Sign a message using the prehasher */
inline SecureBuffer sign_with_prehash (
const Block &message,
const Block &context = NO_CONTEXT()
) const /*throw(LengthException,CryptoException)*/ {
Prehash ph(context);
ph += message;
return sign_prehashed(ph);
}
};

/** Signing (i.e. private) key base class */
class PrivateKeyBase
: public Serializable<PrivateKeyBase>
, public Signing<PrivateKeyBase,PURE>
, public Signing<PrivateKeyBase,PREHASHED> {
public:
/** Type of public key corresponding to this private key */
typedef class PublicKeyBase PublicKey;
private:
/** @cond internal */
friend class PublicKeyBase;
friend class Signing<PrivateKey,PURE>;
friend class Signing<PrivateKey,PREHASHED>;
/** @endcond */
/** The pre-expansion form of the signing key. */
FixedArrayBuffer<DECAF_EDDSA_25519_PRIVATE_BYTES> priv_;
/** The post-expansion public key. */
FixedArrayBuffer<DECAF_EDDSA_25519_PUBLIC_BYTES> pub_;
public:
/** Underlying group */
typedef Ristretto Group;
/** Signature size. */
static const size_t SIG_BYTES = DECAF_EDDSA_25519_SIGNATURE_BYTES;
/** Serialization size. */
static const size_t SER_BYTES = DECAF_EDDSA_25519_PRIVATE_BYTES;
/** Create but don't initialize */
inline explicit PrivateKeyBase(const NOINIT&) DECAF_NOEXCEPT : priv_((NOINIT())), pub_((NOINIT())) { }
/** Read a private key from a string */
inline explicit PrivateKeyBase(const FixedBlock<SER_BYTES> &b) DECAF_NOEXCEPT { *this = b; }
/** Copy constructor */
inline PrivateKeyBase(const PrivateKey &k) DECAF_NOEXCEPT { *this = k; }
/** Create at random */
inline explicit PrivateKeyBase(Rng &r) DECAF_NOEXCEPT : priv_(r) {
decaf_ed25519_derive_public_key(pub_.data(), priv_.data());
}
/** Assignment from string */
inline PrivateKeyBase &operator=(const FixedBlock<SER_BYTES> &b) DECAF_NOEXCEPT {
memcpy(priv_.data(),b.data(),b.size());
decaf_ed25519_derive_public_key(pub_.data(), priv_.data());
return *this;
}
/** Copy assignment */
inline PrivateKeyBase &operator=(const PrivateKey &k) DECAF_NOEXCEPT {
memcpy(priv_.data(),k.priv_.data(), priv_.size());
memcpy(pub_.data(),k.pub_.data(), pub_.size());
return *this;
}
/** Serialization size. */
inline size_t ser_size() const DECAF_NOEXCEPT { return SER_BYTES; }
/** Serialize into a buffer. */
inline void serialize_into(unsigned char *x) const DECAF_NOEXCEPT {
memcpy(x,priv_.data(), priv_.size());
}
/** Convert to X format (to be used for key exchange) */
inline SecureBuffer convert_to_x() const {
SecureBuffer out(DECAF_X25519_PRIVATE_BYTES);
decaf_ed25519_convert_private_key_to_x25519(out.data(), priv_.data());
return out;
}
/** Return the corresponding public key */
inline PublicKey pub() const DECAF_NOEXCEPT {
PublicKey pub(*this);
return pub;
}
}; /* class PrivateKey */

/** Verification (i.e. public) EdDSA key, PureEdDSA version. */
template<class CRTP> class Verification<CRTP,PURE> {
public:
/** Verify a signature, returning DECAF_FAILURE if verification fails */
inline decaf_error_t DECAF_WARN_UNUSED verify_noexcept (
const FixedBlock<DECAF_EDDSA_25519_SIGNATURE_BYTES> &sig,
const Block &message,
const Block &context = NO_CONTEXT()
) const /*DECAF_NOEXCEPT*/ {
if (context.size() > 255) {
return DECAF_FAILURE;
}
return decaf_ed25519_verify (
sig.data(),
((const CRTP*)this)->pub_.data(),
message.data(),
message.size(),
0,
context.data(),
context.size()
);
}
/** Verify a signature, throwing an exception if verification fails
* @param [in] sig The signature.
* @param [in] message The signed message.
* @param [in] context A context for the signature; must be at most 255 bytes.
*
* @warning It is generally unsafe to use Ed25519 with both prehashed and non-prehashed messages.
*/
inline void verify (
const FixedBlock<DECAF_EDDSA_25519_SIGNATURE_BYTES> &sig,
const Block &message,
const Block &context = NO_CONTEXT()
) const /*throw(LengthException,CryptoException)*/ {
if (context.size() > 255) {
throw LengthException();
}
if (DECAF_SUCCESS != verify_noexcept( sig, message, context )) {
throw CryptoException();
}
}
};

/** Verification (i.e. public) EdDSA key, prehashed version. */
template<class CRTP> class Verification<CRTP,PREHASHED> {
public:
/** Verify that a signature is valid for a given prehashed message, given the context. */
inline decaf_error_t DECAF_WARN_UNUSED verify_prehashed_noexcept (
const FixedBlock<DECAF_EDDSA_25519_SIGNATURE_BYTES> &sig,
const Prehash &ph
) const /*DECAF_NOEXCEPT*/ {
return decaf_ed25519_verify_prehash (
sig.data(),
((const CRTP*)this)->pub_.data(),
(const decaf_ed25519_prehash_ctx_s*)ph.wrapped,
ph.context_.data(),
ph.context_.size()
);
}

/** Verify that a signature is valid for a given prehashed message, given the context. */
inline void verify_prehashed (
const FixedBlock<DECAF_EDDSA_25519_SIGNATURE_BYTES> &sig,
const Prehash &ph
) const /*throw(CryptoException)*/ {
if (DECAF_SUCCESS != decaf_ed25519_verify_prehash (
sig.data(),
((const CRTP*)this)->pub_.data(),
(const decaf_ed25519_prehash_ctx_s*)ph.wrapped,
ph.context_.data(),
ph.context_.size()
)) {
throw CryptoException();
}
}
/** Hash and verify a message, using the prehashed verification mode. */
inline void verify_with_prehash (
const FixedBlock<DECAF_EDDSA_25519_SIGNATURE_BYTES> &sig,
const Block &message,
const Block &context = NO_CONTEXT()
) const /*throw(LengthException,CryptoException)*/ {
Prehash ph(context);
ph += message;
verify_prehashed(sig,ph);
}
};

/** EdDSA Public key base class. */
class PublicKeyBase
: public Serializable<PublicKeyBase>
, public Verification<PublicKeyBase,PURE>
, public Verification<PublicKeyBase,PREHASHED> {
public:
/** Private key corresponding to this type of public key */
typedef class PrivateKeyBase PrivateKey;
private:
/** @cond internal */
friend class PrivateKeyBase;
friend class Verification<PublicKey,PURE>;
friend class Verification<PublicKey,PREHASHED>;

private:
/** The pre-expansion form of the signature */
FixedArrayBuffer<DECAF_EDDSA_25519_PUBLIC_BYTES> pub_;
/** @endcond */
public:
/* PERF FUTURE: Pre-cached decoding? Precomputed table?? */
/** Underlying group */
typedef Ristretto Group;
/** Signature size. */
static const size_t SIG_BYTES = DECAF_EDDSA_25519_SIGNATURE_BYTES;
/** Serialization size. */
static const size_t SER_BYTES = DECAF_EDDSA_25519_PRIVATE_BYTES;
/** Create but don't initialize */
inline explicit PublicKeyBase(const NOINIT&) DECAF_NOEXCEPT : pub_((NOINIT())) { }
/** Read a private key from a string */
inline explicit PublicKeyBase(const FixedBlock<SER_BYTES> &b) DECAF_NOEXCEPT { *this = b; }
/** Copy constructor */
inline PublicKeyBase(const PublicKeyBase &k) DECAF_NOEXCEPT { *this = k; }
/** Copy constructor */
inline explicit PublicKeyBase(const PrivateKey &k) DECAF_NOEXCEPT { *this = k; }

/** Assignment from string */
inline PublicKey &operator=(const FixedBlock<SER_BYTES> &b) DECAF_NOEXCEPT {
memcpy(pub_.data(),b.data(),b.size());
return *this;
}

/** Assignment from private key */
inline PublicKey &operator=(const PublicKey &p) DECAF_NOEXCEPT {
return *this = p.pub_;
}

/** Assignment from private key */
inline PublicKey &operator=(const PrivateKey &p) DECAF_NOEXCEPT {
return *this = p.pub_;
}

/** Serialization size. */
inline size_t ser_size() const DECAF_NOEXCEPT { return SER_BYTES; }
/** Serialize into a buffer. */
inline void serialize_into(unsigned char *x) const DECAF_NOEXCEPT {
memcpy(x,pub_.data(), pub_.size());
}
/** Convert to X format (to be used for key exchange) */
inline SecureBuffer convert_to_x() const {
SecureBuffer out(DECAF_X25519_PRIVATE_BYTES);
decaf_ed25519_convert_public_key_to_x25519(out.data(), pub_.data());
return out;
}
}; /* class PublicKey */

}; /* template<> struct EdDSA<Ristretto> */

#undef DECAF_NOEXCEPT
} /* namespace decaf */

#endif /* __DECAF_ED255_HXX__ */

+ 0
- 258
src/GENERATED/include/decaf/ed448.h View File

@@ -1,258 +0,0 @@
/**
* @file decaf/ed448.h
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
* @brief A group of prime order p, based on Ed448-Goldilocks.
*
* @warning This file was automatically generated in Python.
* Please do not edit it.
*/

#ifndef __DECAF_ED448_H__
#define __DECAF_ED448_H__ 1

#include <decaf/point_448.h>
#include <decaf/shake.h>
#include <decaf/sha512.h>

#ifdef __cplusplus
extern "C" {
#endif

/** Number of bytes in an EdDSA public key. */
#define DECAF_EDDSA_448_PUBLIC_BYTES 57

/** Number of bytes in an EdDSA private key. */
#define DECAF_EDDSA_448_PRIVATE_BYTES DECAF_EDDSA_448_PUBLIC_BYTES

/** Number of bytes in an EdDSA private key. */
#define DECAF_EDDSA_448_SIGNATURE_BYTES (DECAF_EDDSA_448_PUBLIC_BYTES + DECAF_EDDSA_448_PRIVATE_BYTES)

/** Does EdDSA support non-contextual signatures? */
#define DECAF_EDDSA_448_SUPPORTS_CONTEXTLESS_SIGS 0


/** Prehash context (raw), because each EdDSA instance has a different prehash. */
#define decaf_ed448_prehash_ctx_s decaf_shake256_ctx_s

/** Prehash context, array[1] form. */
#define decaf_ed448_prehash_ctx_t decaf_shake256_ctx_t
/** Prehash update. */
#define decaf_ed448_prehash_update decaf_shake256_update
/** Prehash destroy. */
#define decaf_ed448_prehash_destroy decaf_shake256_destroy

/** EdDSA encoding ratio. */
#define DECAF_448_EDDSA_ENCODE_RATIO 4

/** EdDSA decoding ratio. */
#define DECAF_448_EDDSA_DECODE_RATIO (4 / 4)

/**
* @brief EdDSA key generation. This function uses a different (non-Decaf)
* encoding.
*
* @param [out] pubkey The public key.
* @param [in] privkey The private key.
*/
void decaf_ed448_derive_public_key (
uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES]
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;

/**
* @brief EdDSA signing.
*
* @param [out] signature The signature.
* @param [in] privkey The private key.
* @param [in] pubkey The public key.
* @param [in] message The message to sign.
* @param [in] message_len The length of the message.
* @param [in] prehashed Nonzero if the message is actually the hash of something you want to sign.
* @param [in] context A "context" for this signature of up to 255 bytes.
* @param [in] context_len Length of the context.
*
* @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed
* messages, at least without some very careful protocol-level disambiguation. For Ed448 it is
* safe. The C++ wrapper is designed to make it harder to screw this up, but this C code gives
* you no seat belt.
*/
void decaf_ed448_sign (
uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
const uint8_t *message,
size_t message_len,
uint8_t prehashed,
const uint8_t *context,
uint8_t context_len
) DECAF_API_VIS __attribute__((nonnull(1,2,3))) DECAF_NOINLINE;

/**
* @brief EdDSA signing with prehash.
*
* @param [out] signature The signature.
* @param [in] privkey The private key.
* @param [in] pubkey The public key.
* @param [in] hash The hash of the message. This object will not be modified by the call.
* @param [in] context A "context" for this signature of up to 255 bytes. Must be the same as what was used for the prehash.
* @param [in] context_len Length of the context.
*
* @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed
* messages, at least without some very careful protocol-level disambiguation. For Ed448 it is
* safe. The C++ wrapper is designed to make it harder to screw this up, but this C code gives
* you no seat belt.
*/
void decaf_ed448_sign_prehash (
uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
const decaf_ed448_prehash_ctx_t hash,
const uint8_t *context,
uint8_t context_len
) DECAF_API_VIS __attribute__((nonnull(1,2,3,4))) DECAF_NOINLINE;
/**
* @brief Prehash initialization, with contexts if supported.
*
* @param [out] hash The hash object to be initialized.
*/
void decaf_ed448_prehash_init (
decaf_ed448_prehash_ctx_t hash
) DECAF_API_VIS __attribute__((nonnull(1))) DECAF_NOINLINE;

/**
* @brief EdDSA signature verification.
*
* Uses the standard (i.e. less-strict) verification formula.
*
* @param [in] signature The signature.
* @param [in] pubkey The public key.
* @param [in] message The message to verify.
* @param [in] message_len The length of the message.
* @param [in] prehashed Nonzero if the message is actually the hash of something you want to verify.
* @param [in] context A "context" for this signature of up to 255 bytes.
* @param [in] context_len Length of the context.
*
* @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed
* messages, at least without some very careful protocol-level disambiguation. For Ed448 it is
* safe. The C++ wrapper is designed to make it harder to screw this up, but this C code gives
* you no seat belt.
*/
decaf_error_t decaf_ed448_verify (
const uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
const uint8_t *message,
size_t message_len,
uint8_t prehashed,
const uint8_t *context,
uint8_t context_len
) DECAF_API_VIS __attribute__((nonnull(1,2))) DECAF_NOINLINE;

/**
* @brief EdDSA signature verification.
*
* Uses the standard (i.e. less-strict) verification formula.
*
* @param [in] signature The signature.
* @param [in] pubkey The public key.
* @param [in] hash The hash of the message. This object will not be modified by the call.
* @param [in] context A "context" for this signature of up to 255 bytes. Must be the same as what was used for the prehash.
* @param [in] context_len Length of the context.
*
* @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed
* messages, at least without some very careful protocol-level disambiguation. For Ed448 it is
* safe. The C++ wrapper is designed to make it harder to screw this up, but this C code gives
* you no seat belt.
*/
decaf_error_t decaf_ed448_verify_prehash (
const uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
const decaf_ed448_prehash_ctx_t hash,
const uint8_t *context,
uint8_t context_len
) DECAF_API_VIS __attribute__((nonnull(1,2))) DECAF_NOINLINE;

/**
* @brief EdDSA point encoding. Used internally, exposed externally.
* Multiplies by DECAF_448_EDDSA_ENCODE_RATIO first.
*
* The multiplication is required because the EdDSA encoding represents
* the cofactor information, but the Decaf encoding ignores it (which
* is the whole point). So if you decode from EdDSA and re-encode to
* EdDSA, the cofactor info must get cleared, because the intermediate
* representation doesn't track it.
*
* The way libdecaf handles this is to multiply by
* DECAF_448_EDDSA_DECODE_RATIO when decoding, and by
* DECAF_448_EDDSA_ENCODE_RATIO when encoding. The product of these
* ratios is always exactly the cofactor 4, so the cofactor
* ends up cleared one way or another. But exactly how that shakes
* out depends on the base points specified in RFC 8032.
*
* The upshot is that if you pass the Decaf/Ristretto base point to
* this function, you will get DECAF_448_EDDSA_ENCODE_RATIO times the
* EdDSA base point.
*
* @param [out] enc The encoded point.
* @param [in] p The point.
*/
void decaf_448_point_mul_by_ratio_and_encode_like_eddsa (
uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES],
const decaf_448_point_t p
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;

/**
* @brief EdDSA point decoding. Multiplies by DECAF_448_EDDSA_DECODE_RATIO,
* and ignores cofactor information.
*
* See notes on decaf_448_point_mul_by_ratio_and_encode_like_eddsa
*
* @param [out] enc The encoded point.
* @param [in] p The point.
*/
decaf_error_t decaf_448_point_decode_like_eddsa_and_mul_by_ratio (
decaf_448_point_t p,
const uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES]
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;

/**
* @brief EdDSA to ECDH public key conversion
* Deserialize the point to get y on Edwards curve,
* Convert it to u coordinate on Montgomery curve.
*
* @warning This function does not check that the public key being converted
* is a valid EdDSA public key (FUTURE?)
*
* @param[out] x The ECDH public key as in RFC7748(point on Montgomery curve)
* @param[in] ed The EdDSA public key(point on Edwards curve)
*/
void decaf_ed448_convert_public_key_to_x448 (
uint8_t x[DECAF_X448_PUBLIC_BYTES],
const uint8_t ed[DECAF_EDDSA_448_PUBLIC_BYTES]
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;

/**
* @brief EdDSA to ECDH private key conversion
* Using the appropriate hash function, hash the EdDSA private key
* and keep only the lower bytes to get the ECDH private key
*
* @param[out] x The ECDH private key as in RFC7748
* @param[in] ed The EdDSA private key
*/
void decaf_ed448_convert_private_key_to_x448 (
uint8_t x[DECAF_X448_PRIVATE_BYTES],
const uint8_t ed[DECAF_EDDSA_448_PRIVATE_BYTES]
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;

#ifdef __cplusplus
} /* extern "C" */
#endif

#endif /* __DECAF_ED448_H__ */

+ 0
- 438
src/GENERATED/include/decaf/ed448.hxx View File

@@ -1,438 +0,0 @@
/**
* @file decaf/ed448.hxx
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
*
*
* @warning This file was automatically generated in Python.
* Please do not edit it.
*/

#ifndef __DECAF_ED448_HXX__
#define __DECAF_ED448_HXX__ 1
/*
* Example Decaf cyrpto routines, C++ wrapper.
* @warning These are merely examples, though they ought to be secure. But real
* protocols will decide differently on magic numbers, formats, which items to
* hash, etc.
* @warning Experimental! The names, parameter orders etc are likely to change.
*/

#include <decaf/eddsa.hxx>
#include <decaf/point_448.hxx>
#include <decaf/ed448.h>

#include <decaf/shake.hxx>
#include <decaf/sha512.hxx>

/** @cond internal */
#if __cplusplus >= 201103L
#define DECAF_NOEXCEPT noexcept
#else
#define DECAF_NOEXCEPT throw()
#endif
/** @endcond */

/** Namespace for all libdecaf C++ objects. */
namespace decaf {

/** A public key for crypto over some Group */
template <typename Group> struct EdDSA;

/** A public key for crypto over Ed448-Goldilocks */
template<> struct EdDSA<Ed448Goldilocks> {

/** @cond internal */
template<class CRTP, Prehashed> class Signing;
template<class CRTP, Prehashed> class Verification;
class PublicKeyBase;
class PrivateKeyBase;
typedef class PrivateKeyBase PrivateKey, PrivateKeyPure, PrivateKeyPh;
typedef class PublicKeyBase PublicKey, PublicKeyPure, PublicKeyPh;
/** @endcond */

/**
* Signatures support a "context" block, which allows you to domain separate them if
* (for some reason) it's annoying to domain separate the message itself. The default
* is no context. For Ed25519, the spec defining contexts is an extension, and the
* default is not to use that extension. This makes "no context" different from
* the empty string. For Ed448, contexts are built-in and mandatory, so "no context"
* is the same as the empty string.
*/
#if DECAF_EDDSA_448_SUPPORTS_CONTEXTLESS_SIGS
static inline const Block NO_CONTEXT() { return Block(DECAF_ED448_NO_CONTEXT,0); }
#else
static inline const Block NO_CONTEXT() { return Block(NULL,0); }
#endif

/** Prehash context for EdDSA. */
class Prehash : public SHAKE<256> {
private:
/** @cond internal */
typedef SHAKE<256> Super;
SecureBuffer context_;
template<class T, Prehashed Ph> friend class Signing;
template<class T, Prehashed Ph> friend class Verification;
void init() /*throw(LengthException)*/ {
Super::reset();
if (context_.size() > 255) {
throw LengthException();
}

decaf_ed448_prehash_init((decaf_shake256_ctx_s *)wrapped);
}
/** @endcond */
public:
/** Number of output bytes in prehash */
static const size_t OUTPUT_BYTES = Super::DEFAULT_OUTPUT_BYTES;
/** Create the prehash */
Prehash(const Block &context = NO_CONTEXT()) /*throw(LengthException)*/ {
context_ = context;
init();
}

/** Reset this hash */
void reset() DECAF_NOEXCEPT { init(); }
/** Output from this hash */
SecureBuffer final() /*throw(std::bad_alloc)*/ {
SecureBuffer ret = Super::final(OUTPUT_BYTES);
reset();
return ret;
}
/** Output from this hash */
void final(Buffer &b) /*throw(LengthException)*/ {
if (b.size() != OUTPUT_BYTES) throw LengthException();
Super::final(b);
reset();
}
};

/** Signing (i.e. private) key class template */
template<class CRTP, Prehashed ph> class Signing;

/** Signing (i.e. private) key class, PureEdDSA version */
template<class CRTP> class Signing<CRTP,PURE> {
public:
/**
* Sign a message.
* @param [in] message The message to be signed.
* @param [in] context A context for the signature; must be at most 255 bytes.
*
* @warning It is generally unsafe to use Ed25519 with both prehashed and non-prehashed messages.
*/
inline SecureBuffer sign (
const Block &message,
const Block &context = NO_CONTEXT()
) const /* throw(LengthException, std::bad_alloc) */ {
if (context.size() > 255) {
throw LengthException();
}
SecureBuffer out(CRTP::SIG_BYTES);
decaf_ed448_sign (
out.data(),
((const CRTP*)this)->priv_.data(),
((const CRTP*)this)->pub_.data(),
message.data(),
message.size(),
0,
context.data(),
context.size()
);
return out;
}
};

/** Signing (i.e. private) key class, prehashed version */
template<class CRTP> class Signing<CRTP,PREHASHED> {
public:
/** Sign a prehash context, and reset the context */
inline SecureBuffer sign_prehashed ( const Prehash &ph ) const /*throw(std::bad_alloc)*/ {
SecureBuffer out(CRTP::SIG_BYTES);
decaf_ed448_sign_prehash (
out.data(),
((const CRTP*)this)->priv_.data(),
((const CRTP*)this)->pub_.data(),
(const decaf_ed448_prehash_ctx_s*)ph.wrapped,
ph.context_.data(),
ph.context_.size()
);
return out;
}
/** Sign a message using the prehasher */
inline SecureBuffer sign_with_prehash (
const Block &message,
const Block &context = NO_CONTEXT()
) const /*throw(LengthException,CryptoException)*/ {
Prehash ph(context);
ph += message;
return sign_prehashed(ph);
}
};

/** Signing (i.e. private) key base class */
class PrivateKeyBase
: public Serializable<PrivateKeyBase>
, public Signing<PrivateKeyBase,PURE>
, public Signing<PrivateKeyBase,PREHASHED> {
public:
/** Type of public key corresponding to this private key */
typedef class PublicKeyBase PublicKey;
private:
/** @cond internal */
friend class PublicKeyBase;
friend class Signing<PrivateKey,PURE>;
friend class Signing<PrivateKey,PREHASHED>;
/** @endcond */
/** The pre-expansion form of the signing key. */
FixedArrayBuffer<DECAF_EDDSA_448_PRIVATE_BYTES> priv_;
/** The post-expansion public key. */
FixedArrayBuffer<DECAF_EDDSA_448_PUBLIC_BYTES> pub_;
public:
/** Underlying group */
typedef Ed448Goldilocks Group;
/** Signature size. */
static const size_t SIG_BYTES = DECAF_EDDSA_448_SIGNATURE_BYTES;
/** Serialization size. */
static const size_t SER_BYTES = DECAF_EDDSA_448_PRIVATE_BYTES;
/** Create but don't initialize */
inline explicit PrivateKeyBase(const NOINIT&) DECAF_NOEXCEPT : priv_((NOINIT())), pub_((NOINIT())) { }
/** Read a private key from a string */
inline explicit PrivateKeyBase(const FixedBlock<SER_BYTES> &b) DECAF_NOEXCEPT { *this = b; }
/** Copy constructor */
inline PrivateKeyBase(const PrivateKey &k) DECAF_NOEXCEPT { *this = k; }
/** Create at random */
inline explicit PrivateKeyBase(Rng &r) DECAF_NOEXCEPT : priv_(r) {
decaf_ed448_derive_public_key(pub_.data(), priv_.data());
}
/** Assignment from string */
inline PrivateKeyBase &operator=(const FixedBlock<SER_BYTES> &b) DECAF_NOEXCEPT {
memcpy(priv_.data(),b.data(),b.size());
decaf_ed448_derive_public_key(pub_.data(), priv_.data());
return *this;
}
/** Copy assignment */
inline PrivateKeyBase &operator=(const PrivateKey &k) DECAF_NOEXCEPT {
memcpy(priv_.data(),k.priv_.data(), priv_.size());
memcpy(pub_.data(),k.pub_.data(), pub_.size());
return *this;
}
/** Serialization size. */
inline size_t ser_size() const DECAF_NOEXCEPT { return SER_BYTES; }
/** Serialize into a buffer. */
inline void serialize_into(unsigned char *x) const DECAF_NOEXCEPT {
memcpy(x,priv_.data(), priv_.size());
}
/** Convert to X format (to be used for key exchange) */
inline SecureBuffer convert_to_x() const {
SecureBuffer out(DECAF_X448_PRIVATE_BYTES);
decaf_ed448_convert_private_key_to_x448(out.data(), priv_.data());
return out;
}
/** Return the corresponding public key */
inline PublicKey pub() const DECAF_NOEXCEPT {
PublicKey pub(*this);
return pub;
}
}; /* class PrivateKey */

/** Verification (i.e. public) EdDSA key, PureEdDSA version. */
template<class CRTP> class Verification<CRTP,PURE> {
public:
/** Verify a signature, returning DECAF_FAILURE if verification fails */
inline decaf_error_t DECAF_WARN_UNUSED verify_noexcept (
const FixedBlock<DECAF_EDDSA_448_SIGNATURE_BYTES> &sig,
const Block &message,
const Block &context = NO_CONTEXT()
) const /*DECAF_NOEXCEPT*/ {
if (context.size() > 255) {
return DECAF_FAILURE;
}
return decaf_ed448_verify (
sig.data(),
((const CRTP*)this)->pub_.data(),
message.data(),
message.size(),
0,
context.data(),
context.size()
);
}
/** Verify a signature, throwing an exception if verification fails
* @param [in] sig The signature.
* @param [in] message The signed message.
* @param [in] context A context for the signature; must be at most 255 bytes.
*
* @warning It is generally unsafe to use Ed25519 with both prehashed and non-prehashed messages.
*/
inline void verify (
const FixedBlock<DECAF_EDDSA_448_SIGNATURE_BYTES> &sig,
const Block &message,
const Block &context = NO_CONTEXT()
) const /*throw(LengthException,CryptoException)*/ {
if (context.size() > 255) {
throw LengthException();
}
if (DECAF_SUCCESS != verify_noexcept( sig, message, context )) {
throw CryptoException();
}
}
};

/** Verification (i.e. public) EdDSA key, prehashed version. */
template<class CRTP> class Verification<CRTP,PREHASHED> {
public:
/** Verify that a signature is valid for a given prehashed message, given the context. */
inline decaf_error_t DECAF_WARN_UNUSED verify_prehashed_noexcept (
const FixedBlock<DECAF_EDDSA_448_SIGNATURE_BYTES> &sig,
const Prehash &ph
) const /*DECAF_NOEXCEPT*/ {
return decaf_ed448_verify_prehash (
sig.data(),
((const CRTP*)this)->pub_.data(),
(const decaf_ed448_prehash_ctx_s*)ph.wrapped,
ph.context_.data(),
ph.context_.size()
);
}

/** Verify that a signature is valid for a given prehashed message, given the context. */
inline void verify_prehashed (
const FixedBlock<DECAF_EDDSA_448_SIGNATURE_BYTES> &sig,
const Prehash &ph
) const /*throw(CryptoException)*/ {
if (DECAF_SUCCESS != decaf_ed448_verify_prehash (
sig.data(),
((const CRTP*)this)->pub_.data(),
(const decaf_ed448_prehash_ctx_s*)ph.wrapped,
ph.context_.data(),
ph.context_.size()
)) {
throw CryptoException();
}
}
/** Hash and verify a message, using the prehashed verification mode. */
inline void verify_with_prehash (
const FixedBlock<DECAF_EDDSA_448_SIGNATURE_BYTES> &sig,
const Block &message,
const Block &context = NO_CONTEXT()
) const /*throw(LengthException,CryptoException)*/ {
Prehash ph(context);
ph += message;
verify_prehashed(sig,ph);
}
};

/** EdDSA Public key base class. */
class PublicKeyBase
: public Serializable<PublicKeyBase>
, public Verification<PublicKeyBase,PURE>
, public Verification<PublicKeyBase,PREHASHED> {
public:
/** Private key corresponding to this type of public key */
typedef class PrivateKeyBase PrivateKey;
private:
/** @cond internal */
friend class PrivateKeyBase;
friend class Verification<PublicKey,PURE>;
friend class Verification<PublicKey,PREHASHED>;

private:
/** The pre-expansion form of the signature */
FixedArrayBuffer<DECAF_EDDSA_448_PUBLIC_BYTES> pub_;
/** @endcond */
public:
/* PERF FUTURE: Pre-cached decoding? Precomputed table?? */
/** Underlying group */
typedef Ed448Goldilocks Group;
/** Signature size. */
static const size_t SIG_BYTES = DECAF_EDDSA_448_SIGNATURE_BYTES;
/** Serialization size. */
static const size_t SER_BYTES = DECAF_EDDSA_448_PRIVATE_BYTES;
/** Create but don't initialize */
inline explicit PublicKeyBase(const NOINIT&) DECAF_NOEXCEPT : pub_((NOINIT())) { }
/** Read a private key from a string */
inline explicit PublicKeyBase(const FixedBlock<SER_BYTES> &b) DECAF_NOEXCEPT { *this = b; }
/** Copy constructor */
inline PublicKeyBase(const PublicKeyBase &k) DECAF_NOEXCEPT { *this = k; }
/** Copy constructor */
inline explicit PublicKeyBase(const PrivateKey &k) DECAF_NOEXCEPT { *this = k; }

/** Assignment from string */
inline PublicKey &operator=(const FixedBlock<SER_BYTES> &b) DECAF_NOEXCEPT {
memcpy(pub_.data(),b.data(),b.size());
return *this;
}

/** Assignment from private key */
inline PublicKey &operator=(const PublicKey &p) DECAF_NOEXCEPT {
return *this = p.pub_;
}

/** Assignment from private key */
inline PublicKey &operator=(const PrivateKey &p) DECAF_NOEXCEPT {
return *this = p.pub_;
}

/** Serialization size. */
inline size_t ser_size() const DECAF_NOEXCEPT { return SER_BYTES; }
/** Serialize into a buffer. */
inline void serialize_into(unsigned char *x) const DECAF_NOEXCEPT {
memcpy(x,pub_.data(), pub_.size());
}
/** Convert to X format (to be used for key exchange) */
inline SecureBuffer convert_to_x() const {
SecureBuffer out(DECAF_X448_PRIVATE_BYTES);
decaf_ed448_convert_public_key_to_x448(out.data(), pub_.data());
return out;
}
}; /* class PublicKey */

}; /* template<> struct EdDSA<Ed448Goldilocks> */

#undef DECAF_NOEXCEPT
} /* namespace decaf */

#endif /* __DECAF_ED448_HXX__ */

+ 0
- 30
src/GENERATED/include/decaf/eddsa.hxx View File

@@ -1,30 +0,0 @@
/**
* @file decaf/eddsa.hxx
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
* EdDSA crypto routines, metaheader.
*
* @warning This file was automatically generated in Python.
* Please do not edit it.
*/

#ifndef __DECAF_EDDSA_HXX__
#define __DECAF_EDDSA_HXX__ 1

/** Namespace for all libdecaf C++ objects. */
namespace decaf {
/** How signatures handle hashing. */
enum Prehashed {
PURE, /**< Sign the message itself. This can't be done in one pass. */
PREHASHED /**< Sign the hash of the message. */
};
}

#include <decaf/ed255.hxx>
#include <decaf/ed448.hxx>

#endif /* __DECAF_EDDSA_HXX__ */

+ 0
- 769
src/GENERATED/include/decaf/point_255.h View File

@@ -1,769 +0,0 @@
/**
* @file decaf/point_255.h
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
* @brief A group of prime order p, based on Curve25519.
*
* @warning This file was automatically generated in Python.
* Please do not edit it.
*/

#ifndef __DECAF_POINT_255_H__
#define __DECAF_POINT_255_H__ 1

#include <decaf/common.h>

#ifdef __cplusplus
extern "C" {
#endif

/** @cond internal */
#define DECAF_255_SCALAR_LIMBS ((253-1)/DECAF_WORD_BITS+1)
/** @endcond */

/** The number of bits in a scalar */
#define DECAF_255_SCALAR_BITS 253

/** @cond internal */
#ifndef __DECAF_25519_GF_DEFINED__
#define __DECAF_25519_GF_DEFINED__ 1
/** @brief Galois field element internal structure */
typedef struct gf_25519_s {
decaf_word_t limb[320/DECAF_WORD_BITS];
} __attribute__((aligned(32))) gf_25519_s, gf_25519_t[1];
#endif /* __DECAF_25519_GF_DEFINED__ */
/** @endcond */

/** Number of bytes in a serialized point. */
#define DECAF_255_SER_BYTES 32

/** Number of bytes in an elligated point. For now set the same as SER_BYTES
* but could be different for other curves.
*/
#define DECAF_255_HASH_BYTES 32

/** Number of bytes in a serialized scalar. */
#define DECAF_255_SCALAR_BYTES 32

/** Number of bits in the "which" field of an elligator inverse */
#define DECAF_255_INVERT_ELLIGATOR_WHICH_BITS 5

/** The cofactor the curve would have, if we hadn't removed it */
#define DECAF_255_REMOVED_COFACTOR 8

/** X25519 encoding ratio. */
#define DECAF_X25519_ENCODE_RATIO 4

/** Number of bytes in an x25519 public key */
#define DECAF_X25519_PUBLIC_BYTES 32

/** Number of bytes in an x25519 private key */
#define DECAF_X25519_PRIVATE_BYTES 32

/** Representation of a point on the elliptic curve. */
typedef struct decaf_255_point_s {
/** @cond internal */
gf_25519_t x,y,z,t; /* Twisted extended homogeneous coordinates */
/** @endcond */
} decaf_255_point_t[1];

/** Precomputed table based on a point. Can be trivial implementation. */
struct decaf_255_precomputed_s;

/** Precomputed table based on a point. Can be trivial implementation. */
typedef struct decaf_255_precomputed_s decaf_255_precomputed_s;

/** Size and alignment of precomputed point tables. */
extern const size_t decaf_255_sizeof_precomputed_s DECAF_API_VIS, decaf_255_alignof_precomputed_s DECAF_API_VIS;

/** Representation of an element of the scalar field. */
typedef struct decaf_255_scalar_s {
/** @cond internal */
decaf_word_t limb[DECAF_255_SCALAR_LIMBS];
/** @endcond */
} decaf_255_scalar_t[1];

/** The scalar 1. */
extern const decaf_255_scalar_t decaf_255_scalar_one DECAF_API_VIS;

/** The scalar 0. */
extern const decaf_255_scalar_t decaf_255_scalar_zero DECAF_API_VIS;

/** The identity (zero) point on the curve. */
extern const decaf_255_point_t decaf_255_point_identity DECAF_API_VIS;

/** An arbitrarily-chosen base point on the curve. */
extern const decaf_255_point_t decaf_255_point_base DECAF_API_VIS;

/** Precomputed table of multiples of the base point on the curve. */
extern const struct decaf_255_precomputed_s *decaf_255_precomputed_base DECAF_API_VIS;

/**
* @brief Read a scalar from wire format or from bytes.
*
* @param [in] ser Serialized form of a scalar.
* @param [out] out Deserialized form.
*
* @retval DECAF_SUCCESS The scalar was correctly encoded.
* @retval DECAF_FAILURE The scalar was greater than the modulus,
* and has been reduced modulo that modulus.
*/
decaf_error_t decaf_255_scalar_decode (
decaf_255_scalar_t out,
const unsigned char ser[DECAF_255_SCALAR_BYTES]
) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;

/**
* @brief Read a scalar from wire format or from bytes. Reduces mod
* scalar prime.
*
* @param [in] ser Serialized form of a scalar.
* @param [in] ser_len Length of serialized form.
* @param [out] out Deserialized form.
*/
void decaf_255_scalar_decode_long (
decaf_255_scalar_t out,
const unsigned char *ser,
size_t ser_len
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
/**
* @brief Serialize a scalar to wire format.
*
* @param [out] ser Serialized form of a scalar.
* @param [in] s Deserialized scalar.
*/
void decaf_255_scalar_encode (
unsigned char ser[DECAF_255_SCALAR_BYTES],
const decaf_255_scalar_t s
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE DECAF_NOINLINE;
/**
* @brief Add two scalars. The scalars may use the same memory.
* @param [in] a One scalar.
* @param [in] b Another scalar.
* @param [out] out a+b.
*/
void decaf_255_scalar_add (
decaf_255_scalar_t out,
const decaf_255_scalar_t a,
const decaf_255_scalar_t b
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;

/**
* @brief Compare two scalars.
* @param [in] a One scalar.
* @param [in] b Another scalar.
* @retval DECAF_TRUE The scalars are equal.
* @retval DECAF_FALSE The scalars are not equal.
*/
decaf_bool_t decaf_255_scalar_eq (
const decaf_255_scalar_t a,
const decaf_255_scalar_t b
) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;

/**
* @brief Subtract two scalars. The scalars may use the same memory.
* @param [in] a One scalar.
* @param [in] b Another scalar.
* @param [out] out a-b.
*/
void decaf_255_scalar_sub (
decaf_255_scalar_t out,
const decaf_255_scalar_t a,
const decaf_255_scalar_t b
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;

/**
* @brief Multiply two scalars. The scalars may use the same memory.
* @param [in] a One scalar.
* @param [in] b Another scalar.
* @param [out] out a*b.
*/
void decaf_255_scalar_mul (
decaf_255_scalar_t out,
const decaf_255_scalar_t a,
const decaf_255_scalar_t b
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
/**
* @brief Halve a scalar. The scalars may use the same memory.
* @param [in] a A scalar.
* @param [out] out a/2.
*/
void decaf_255_scalar_halve (
decaf_255_scalar_t out,
const decaf_255_scalar_t a
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;

/**
* @brief Invert a scalar. When passed zero, return 0. The input and output may alias.
* @param [in] a A scalar.
* @param [out] out 1/a.
* @return DECAF_SUCCESS The input is nonzero.
*/
decaf_error_t decaf_255_scalar_invert (
decaf_255_scalar_t out,
const decaf_255_scalar_t a
) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;

/**
* @brief Copy a scalar. The scalars may use the same memory, in which
* case this function does nothing.
* @param [in] a A scalar.
* @param [out] out Will become a copy of a.
*/
static inline void DECAF_NONNULL decaf_255_scalar_copy (
decaf_255_scalar_t out,
const decaf_255_scalar_t a
) {
*out = *a;
}

/**
* @brief Set a scalar to an unsigned 64-bit integer.
* @param [in] a An integer.
* @param [out] out Will become equal to a.
*/
void decaf_255_scalar_set_unsigned (
decaf_255_scalar_t out,
uint64_t a
) DECAF_API_VIS DECAF_NONNULL;

/**
* @brief Encode a point as a sequence of bytes.
*
* @param [out] ser The byte representation of the point.
* @param [in] pt The point to encode.
*/
void decaf_255_point_encode (
uint8_t ser[DECAF_255_SER_BYTES],
const decaf_255_point_t pt
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;

/**
* @brief Decode a point from a sequence of bytes.
*
* Every point has a unique encoding, so not every
* sequence of bytes is a valid encoding. If an invalid
* encoding is given, the output is undefined.
*
* @param [out] pt The decoded point.
* @param [in] ser The serialized version of the point.
* @param [in] allow_identity DECAF_TRUE if the identity is a legal input.
* @retval DECAF_SUCCESS The decoding succeeded.
* @retval DECAF_FAILURE The decoding didn't succeed, because
* ser does not represent a point.
*/
decaf_error_t decaf_255_point_decode (
decaf_255_point_t pt,
const uint8_t ser[DECAF_255_SER_BYTES],
decaf_bool_t allow_identity
) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;

/**
* @brief Copy a point. The input and output may alias,
* in which case this function does nothing.
*
* @param [out] a A copy of the point.
* @param [in] b Any point.
*/
static inline void DECAF_NONNULL decaf_255_point_copy (
decaf_255_point_t a,
const decaf_255_point_t b
) {
*a=*b;
}

/**
* @brief Test whether two points are equal. If yes, return
* DECAF_TRUE, else return DECAF_FALSE.
*
* @param [in] a A point.
* @param [in] b Another point.
* @retval DECAF_TRUE The points are equal.
* @retval DECAF_FALSE The points are not equal.
*/
decaf_bool_t decaf_255_point_eq (
const decaf_255_point_t a,
const decaf_255_point_t b
) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;

/**
* @brief Add two points to produce a third point. The
* input points and output point can be pointers to the same
* memory.
*
* @param [out] sum The sum a+b.
* @param [in] a An addend.
* @param [in] b An addend.
*/
void decaf_255_point_add (
decaf_255_point_t sum,
const decaf_255_point_t a,
const decaf_255_point_t b
) DECAF_API_VIS DECAF_NONNULL;

/**
* @brief Double a point. Equivalent to
* decaf_255_point_add(two_a,a,a), but potentially faster.
*
* @param [out] two_a The sum a+a.
* @param [in] a A point.
*/
void decaf_255_point_double (
decaf_255_point_t two_a,
const decaf_255_point_t a
) DECAF_API_VIS DECAF_NONNULL;

/**
* @brief Subtract two points to produce a third point. The
* input points and output point can be pointers to the same
* memory.
*
* @param [out] diff The difference a-b.
* @param [in] a The minuend.
* @param [in] b The subtrahend.
*/
void decaf_255_point_sub (
decaf_255_point_t diff,
const decaf_255_point_t a,
const decaf_255_point_t b
) DECAF_API_VIS DECAF_NONNULL;
/**
* @brief Negate a point to produce another point. The input
* and output points can use the same memory.
*
* @param [out] nega The negated input point
* @param [in] a The input point.
*/
void decaf_255_point_negate (
decaf_255_point_t nega,
const decaf_255_point_t a
) DECAF_API_VIS DECAF_NONNULL;

/**
* @brief Multiply a base point by a scalar: scaled = scalar*base.
*
* @param [out] scaled The scaled point base*scalar
* @param [in] base The point to be scaled.
* @param [in] scalar The scalar to multiply by.
*/
void decaf_255_point_scalarmul (
decaf_255_point_t scaled,
const decaf_255_point_t base,
const decaf_255_scalar_t scalar
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;

/**
* @brief Multiply a base point by a scalar: scaled = scalar*base.
* This function operates directly on serialized forms.
*
* @warning This function is experimental. It may not be supported
* long-term.
*
* @param [out] scaled The scaled point base*scalar
* @param [in] base The point to be scaled.
* @param [in] scalar The scalar to multiply by.
* @param [in] allow_identity Allow the input to be the identity.
* @param [in] short_circuit Allow a fast return if the input is illegal.
*
* @retval DECAF_SUCCESS The scalarmul succeeded.
* @retval DECAF_FAILURE The scalarmul didn't succeed, because
* base does not represent a point.
*/
decaf_error_t decaf_255_direct_scalarmul (
uint8_t scaled[DECAF_255_SER_BYTES],
const uint8_t base[DECAF_255_SER_BYTES],
const decaf_255_scalar_t scalar,
decaf_bool_t allow_identity,
decaf_bool_t short_circuit
) DECAF_API_VIS DECAF_NONNULL DECAF_WARN_UNUSED DECAF_NOINLINE;

/**
* @brief RFC 7748 Diffie-Hellman scalarmul, used to compute shared secrets.
* This function uses a different (non-Decaf) encoding.
*
* @param [out] shared The shared secret base*scalar
* @param [in] base The other party's public key, used as the base of the scalarmul.
* @param [in] scalar The private scalar to multiply by.
*
* @retval DECAF_SUCCESS The scalarmul succeeded.
* @retval DECAF_FAILURE The scalarmul didn't succeed, because the base
* point is in a small subgroup.
*/
decaf_error_t decaf_x25519 (
uint8_t shared[DECAF_X25519_PUBLIC_BYTES],
const uint8_t base[DECAF_X25519_PUBLIC_BYTES],
const uint8_t scalar[DECAF_X25519_PRIVATE_BYTES]
) DECAF_API_VIS DECAF_NONNULL DECAF_WARN_UNUSED DECAF_NOINLINE;

/**
* @brief Multiply a point by DECAF_X25519_ENCODE_RATIO,
* then encode it like RFC 7748.
*
* This function is mainly used internally, but is exported in case
* it will be useful.
*
* The ratio is necessary because the internal representation doesn't
* track the cofactor information, so on output we must clear the cofactor.
* This would multiply by the cofactor, but in fact internally libdecaf's
* points are always even, so it multiplies by half the cofactor instead.
*
* As it happens, this aligns with the base point definitions; that is,
* if you pass the Decaf/Ristretto base point to this function, the result
* will be DECAF_X25519_ENCODE_RATIO times the X25519
* base point.
*
* @param [out] out The scaled and encoded point.
* @param [in] p The point to be scaled and encoded.
*/
void decaf_255_point_mul_by_ratio_and_encode_like_x25519 (
uint8_t out[DECAF_X25519_PUBLIC_BYTES],
const decaf_255_point_t p
) DECAF_API_VIS DECAF_NONNULL;

/** The base point for X25519 Diffie-Hellman */
extern const uint8_t
decaf_x25519_base_point[DECAF_X25519_PUBLIC_BYTES]
#ifndef DOXYGEN
/* For some reason Doxygen chokes on this despite the defense in common.h... */
DECAF_API_VIS
#endif
;

/**
* @brief RFC 7748 Diffie-Hellman base point scalarmul. This function uses
* a different (non-Decaf) encoding.
*
* @deprecated Renamed to decaf_x25519_derive_public_key.
* I have no particular timeline for removing this name.
*
* @param [out] out The public key base*scalar.
* @param [in] scalar The private scalar.
*/
void decaf_x25519_generate_key (
uint8_t out[DECAF_X25519_PUBLIC_BYTES],
const uint8_t scalar[DECAF_X25519_PRIVATE_BYTES]
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE DECAF_DEPRECATED("Renamed to decaf_x25519_derive_public_key");
/**
* @brief RFC 7748 Diffie-Hellman base point scalarmul. This function uses
* a different (non-Decaf) encoding.
*
* Does exactly the same thing as decaf_x25519_generate_key,
* but has a better name.
*
* @param [out] out The public key base*scalar
* @param [in] scalar The private scalar.
*/
void decaf_x25519_derive_public_key (
uint8_t out[DECAF_X25519_PUBLIC_BYTES],
const uint8_t scalar[DECAF_X25519_PRIVATE_BYTES]
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;

/* FUTURE: uint8_t decaf_255_encode_like_curve25519) */

/**
* @brief Precompute a table for fast scalar multiplication.
* Some implementations do not include precomputed points; for
* those implementations, this implementation simply copies the
* point.
*
* @param [out] a A precomputed table of multiples of the point.
* @param [in] b Any point.
*/
void decaf_255_precompute (
decaf_255_precomputed_s *a,
const decaf_255_point_t b
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;

/**
* @brief Multiply a precomputed base point by a scalar:
* scaled = scalar*base.
* Some implementations do not include precomputed points; for
* those implementations, this function is the same as
* decaf_255_point_scalarmul
*
* @param [out] scaled The scaled point base*scalar
* @param [in] base The point to be scaled.
* @param [in] scalar The scalar to multiply by.
*/
void decaf_255_precomputed_scalarmul (
decaf_255_point_t scaled,
const decaf_255_precomputed_s *base,
const decaf_255_scalar_t scalar
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;

/**
* @brief Multiply two base points by two scalars:
* scaled = scalar1*base1 + scalar2*base2.
*
* Equivalent to two calls to decaf_255_point_scalarmul, but may be
* faster.
*
* @param [out] combo The linear combination scalar1*base1 + scalar2*base2.
* @param [in] base1 A first point to be scaled.
* @param [in] scalar1 A first scalar to multiply by.
* @param [in] base2 A second point to be scaled.
* @param [in] scalar2 A second scalar to multiply by.
*/
void decaf_255_point_double_scalarmul (
decaf_255_point_t combo,
const decaf_255_point_t base1,
const decaf_255_scalar_t scalar1,
const decaf_255_point_t base2,
const decaf_255_scalar_t scalar2
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
/**
* Multiply one base point by two scalars:
*
* a1 = scalar1 * base
* a2 = scalar2 * base
*
* Equivalent to two calls to decaf_255_point_scalarmul, but may be
* faster.
*
* @param [out] a1 The first multiple. It may be the same as the input point.
* @param [out] a2 The second multiple. It may be the same as the input point.
* @param [in] base1 A point to be scaled.
* @param [in] scalar1 A first scalar to multiply by.
* @param [in] scalar2 A second scalar to multiply by.
*/
void decaf_255_point_dual_scalarmul (
decaf_255_point_t a1,
decaf_255_point_t a2,
const decaf_255_point_t base1,
const decaf_255_scalar_t scalar1,
const decaf_255_scalar_t scalar2
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;

/**
* @brief Multiply two base points by two scalars:
* scaled = scalar1*decaf_255_point_base + scalar2*base2.
*
* Otherwise equivalent to decaf_255_point_double_scalarmul, but may be
* faster at the expense of being variable time.
*
* @param [out] combo The linear combination scalar1*base + scalar2*base2.
* @param [in] scalar1 A first scalar to multiply by.
* @param [in] base2 A second point to be scaled.
* @param [in] scalar2 A second scalar to multiply by.
*
* @warning: This function takes variable time, and may leak the scalars
* used. It is designed for signature verification.
*/
void decaf_255_base_double_scalarmul_non_secret (
decaf_255_point_t combo,
const decaf_255_scalar_t scalar1,
const decaf_255_point_t base2,
const decaf_255_scalar_t scalar2
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;

/**
* @brief Constant-time decision between two points. If pick_b
* is zero, out = a; else out = b.
*
* @param [out] out The output. It may be the same as either input.
* @param [in] a Any point.
* @param [in] b Any point.
* @param [in] pick_b If nonzero, choose point b.
*/
void decaf_255_point_cond_sel (
decaf_255_point_t out,
const decaf_255_point_t a,
const decaf_255_point_t b,
decaf_word_t pick_b
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;

/**
* @brief Constant-time decision between two scalars. If pick_b
* is zero, out = a; else out = b.
*
* @param [out] out The output. It may be the same as either input.
* @param [in] a Any scalar.
* @param [in] b Any scalar.
* @param [in] pick_b If nonzero, choose scalar b.
*/
void decaf_255_scalar_cond_sel (
decaf_255_scalar_t out,
const decaf_255_scalar_t a,
const decaf_255_scalar_t b,
decaf_word_t pick_b
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;

/**
* @brief Test that a point is valid, for debugging purposes.
*
* @param [in] to_test The point to test.
* @retval DECAF_TRUE The point is valid.
* @retval DECAF_FALSE The point is invalid.
*/
decaf_bool_t decaf_255_point_valid (
const decaf_255_point_t to_test
) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;

/**
* @brief Torque a point, for debugging purposes. The output
* will be equal to the input.
*
* @param [out] q The point to torque.
* @param [in] p The point to torque.
*/
void decaf_255_point_debugging_torque (
decaf_255_point_t q,
const decaf_255_point_t p
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;

/**
* @brief Projectively scale a point, for debugging purposes.
* The output will be equal to the input, and will be valid
* even if the factor is zero.
*
* @param [out] q The point to scale.
* @param [in] p The point to scale.
* @param [in] factor Serialized GF factor to scale.
*/
void decaf_255_point_debugging_pscale (
decaf_255_point_t q,
const decaf_255_point_t p,
const unsigned char factor[DECAF_255_SER_BYTES]
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;

/**
* @brief Almost-Elligator-like hash to curve.
*
* Call this function with the output of a hash to make a hash to the curve.
*
* This function runs Elligator2 on the decaf_255 Jacobi quartic model. It then
* uses the isogeny to put the result in twisted Edwards form. As a result,
* it is safe (cannot produce points of order 4), and would be compatible with
* hypothetical other implementations of Decaf using a Montgomery or untwisted
* Edwards model.
*
* Unlike Elligator, this function may be up to 4:1 on [0,(p-1)/2]:
* A factor of 2 due to the isogeny.
* A factor of 2 because we quotient out the 2-torsion.
*
* This makes it about 8:1 overall, or 16:1 overall on curves with cofactor 8.
*
* Negating the input (mod q) results in the same point. Inverting the input
* (mod q) results in the negative point. This is the same as Elligator.
*
* This function isn't quite indifferentiable from a random oracle.
* However, it is suitable for many protocols, including SPEKE and SPAKE2 EE.
* Furthermore, calling it twice with independent seeds and adding the results
* is indifferentiable from a random oracle.
*
* @param [in] hashed_data Output of some hash function.
* @param [out] pt The data hashed to the curve.
*/
void
decaf_255_point_from_hash_nonuniform (
decaf_255_point_t pt,
const unsigned char hashed_data[DECAF_255_HASH_BYTES]
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;

/**
* @brief Indifferentiable hash function encoding to curve.
*
* Equivalent to calling decaf_255_point_from_hash_nonuniform twice and adding.
*
* @param [in] hashed_data Output of some hash function.
* @param [out] pt The data hashed to the curve.
*/
void decaf_255_point_from_hash_uniform (
decaf_255_point_t pt,
const unsigned char hashed_data[2*DECAF_255_HASH_BYTES]
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;

/**
* @brief Inverse of elligator-like hash to curve.
*
* This function writes to the buffer, to make it so that
* decaf_255_point_from_hash_nonuniform(buffer) = pt if
* possible. Since there may be multiple preimages, the
* "which" parameter chooses between them. To ensure uniform
* inverse sampling, this function succeeds or fails
* independently for different "which" values.
*
* This function isn't guaranteed to find every possible
* preimage, but it finds all except a small finite number.
* In particular, when the number of bits in the modulus isn't
* a multiple of 8 (i.e. for curve25519), it sets the high bits
* independently, which enables the generated data to be uniform.
* But it doesn't add p, so you'll never get exactly p from this
* function. This might change in the future, especially if
* we ever support eg Brainpool curves, where this could cause
* real nonuniformity.
*
* @param [out] recovered_hash Encoded data.
* @param [in] pt The point to encode.
* @param [in] which A value determining which inverse point
* to return.
*
* @retval DECAF_SUCCESS The inverse succeeded.
* @retval DECAF_FAILURE The inverse failed.
*/
decaf_error_t
decaf_255_invert_elligator_nonuniform (
unsigned char recovered_hash[DECAF_255_HASH_BYTES],
const decaf_255_point_t pt,
uint32_t which
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE DECAF_WARN_UNUSED;

/**
* @brief Inverse of elligator-like hash to curve.
*
* This function writes to the buffer, to make it so that
* decaf_255_point_from_hash_uniform(buffer) = pt if
* possible. Since there may be multiple preimages, the
* "which" parameter chooses between them. To ensure uniform
* inverse sampling, this function succeeds or fails
* independently for different "which" values.
*
* @param [out] recovered_hash Encoded data.
* @param [in] pt The point to encode.
* @param [in] which A value determining which inverse point
* to return.
*
* @retval DECAF_SUCCESS The inverse succeeded.
* @retval DECAF_FAILURE The inverse failed.
*/
decaf_error_t
decaf_255_invert_elligator_uniform (
unsigned char recovered_hash[2*DECAF_255_HASH_BYTES],
const decaf_255_point_t pt,
uint32_t which
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE DECAF_WARN_UNUSED;

/** Securely erase a scalar. */
void decaf_255_scalar_destroy (
decaf_255_scalar_t scalar
) DECAF_NONNULL DECAF_API_VIS;

/** Securely erase a point by overwriting it with zeros.
* @warning This causes the point object to become invalid.
*/
void decaf_255_point_destroy (
decaf_255_point_t point
) DECAF_NONNULL DECAF_API_VIS;

/** Securely erase a precomputed table by overwriting it with zeros.
* @warning This causes the table object to become invalid.
*/
void decaf_255_precomputed_destroy (
decaf_255_precomputed_s *pre
) DECAF_NONNULL DECAF_API_VIS;

#ifdef __cplusplus
} /* extern "C" */
#endif

#endif /* __DECAF_POINT_255_H__ */

+ 0
- 793
src/GENERATED/include/decaf/point_255.hxx View File

@@ -1,793 +0,0 @@
/**
* @file decaf/point_255.hxx
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
* A group of prime order, C++ wrapper.
*
* The Decaf library implements cryptographic operations on a an elliptic curve
* group of prime order. It accomplishes this by using a twisted Edwards
* curve (isogenous to Curve25519) and wiping out the cofactor.
*
* Most of the functions in this file run in constant time, can't fail
* except for ubiquitous reasons like memory exhaustion, and contain no
* data-dependend branches, timing or memory accesses. There are some
* exceptions, which should be noted. Typically, decoding functions can
* fail.
*
* @warning This file was automatically generated in Python.
* Please do not edit it.
*/

#ifndef __DECAF_POINT_255_HXX__
#define __DECAF_POINT_255_HXX__ 1

/** This code uses posix_memalign. */
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 600
#endif
#include <stdlib.h>
#include <string.h> /* for memcpy */

#include <decaf/point_255.h>
#include <decaf/ed255.h>
#include <decaf/secure_buffer.hxx>
#include <string>
#include <sys/types.h>
#include <limits.h>

/** @cond internal */
#if __cplusplus >= 201103L
#define DECAF_NOEXCEPT noexcept
#else
#define DECAF_NOEXCEPT throw()
#endif
/** @endcond */

namespace decaf {

/**
* Curve25519/Decaf instantiation of group.
*/
struct Ristretto {

/** The name of the curve */
static inline const char *name() { return "Ristretto"; }

/** The name of the curve */
static inline int bits() { return 255; }

/** The curve's cofactor (removed, but useful for testing) */
static const int REMOVED_COFACTOR = 8;

/** Residue class of field modulus: p == this mod 2*(this-1) */
static const int FIELD_MODULUS_TYPE = 5;

/** @cond internal */
class Point;
class Precomputed;
/** @endcond */

/**
* A scalar modulo the curve order.
* Supports the usual arithmetic operations, all in constant time.
*/
class Scalar : public Serializable<Scalar> {
public:
/** wrapped C type */
typedef decaf_255_scalar_t Wrapped;
/** Size of a serialized element */
static const size_t SER_BYTES = DECAF_255_SCALAR_BYTES;

/** access to the underlying scalar object */
Wrapped s;

/** @cond internal */
/** Don't initialize. */
inline Scalar(const NOINIT &) DECAF_NOEXCEPT {}
/** @endcond */

/** Set to an unsigned word */
inline Scalar(uint64_t w) DECAF_NOEXCEPT { *this = w; }

/** Set to a signed word */
inline Scalar(int64_t w) DECAF_NOEXCEPT { *this = w; }

/** Set to an unsigned word */
inline Scalar(unsigned int w) DECAF_NOEXCEPT { *this = w; }

/** Set to a signed word */
inline Scalar(int w) DECAF_NOEXCEPT { *this = w; }

/** Construct from RNG */
inline explicit Scalar(Rng &rng) DECAF_NOEXCEPT {
FixedArrayBuffer<SER_BYTES + 16> sb(rng);
*this = sb;
}

/** Construct from decaf_scalar_t object. */
inline Scalar(const Wrapped &t = decaf_255_scalar_zero) DECAF_NOEXCEPT { decaf_255_scalar_copy(s,t); }

/** Copy constructor. */
inline Scalar(const Scalar &x) DECAF_NOEXCEPT { *this = x; }

/** Construct from arbitrary-length little-endian byte sequence. */
inline Scalar(const Block &buffer) DECAF_NOEXCEPT { *this = buffer; }

/** Serializable instance */
inline size_t ser_size() const DECAF_NOEXCEPT { return SER_BYTES; }

/** Serializable instance */
inline void serialize_into(unsigned char *buffer) const DECAF_NOEXCEPT {
decaf_255_scalar_encode(buffer, s);
}

/** Assignment. */
inline Scalar& operator=(const Scalar &x) DECAF_NOEXCEPT { decaf_255_scalar_copy(s,x.s); return *this; }

/** Assign from unsigned 64-bit integer. */
inline Scalar& operator=(uint64_t w) DECAF_NOEXCEPT { decaf_255_scalar_set_unsigned(s,w); return *this; }


/** Assign from signed int. */
inline Scalar& operator=(int64_t w) DECAF_NOEXCEPT {
Scalar t(-(uint64_t)INT_MIN);
decaf_255_scalar_set_unsigned(s,(uint64_t)w - (uint64_t)INT_MIN);
*this -= t;
return *this;
}

/** Assign from unsigned int. */
inline Scalar& operator=(unsigned int w) DECAF_NOEXCEPT { return *this = (uint64_t)w; }

/** Assign from signed int. */
inline Scalar& operator=(int w) DECAF_NOEXCEPT { return *this = (int64_t)w; }

/** Destructor securely zeorizes the scalar. */
inline ~Scalar() DECAF_NOEXCEPT { decaf_255_scalar_destroy(s); }

/** Assign from arbitrary-length little-endian byte sequence in a Block. */
inline Scalar &operator=(const Block &bl) DECAF_NOEXCEPT {
decaf_255_scalar_decode_long(s,bl.data(),bl.size()); return *this;
}

/**
* Decode from correct-length little-endian byte sequence.
* @return DECAF_FAILURE if the scalar is greater than or equal to the group order q.
*/
static inline decaf_error_t DECAF_WARN_UNUSED decode (
Scalar &sc, const FixedBlock<SER_BYTES> buffer
) DECAF_NOEXCEPT {
return decaf_255_scalar_decode(sc.s,buffer.data());
}

/** Add. */
inline Scalar operator+ (const Scalar &q) const DECAF_NOEXCEPT { Scalar r((NOINIT())); decaf_255_scalar_add(r.s,s,q.s); return r; }

/** Add to this. */
inline Scalar &operator+=(const Scalar &q) DECAF_NOEXCEPT { decaf_255_scalar_add(s,s,q.s); return *this; }

/** Subtract. */
inline Scalar operator- (const Scalar &q) const DECAF_NOEXCEPT { Scalar r((NOINIT())); decaf_255_scalar_sub(r.s,s,q.s); return r; }

/** Subtract from this. */
inline Scalar &operator-=(const Scalar &q) DECAF_NOEXCEPT { decaf_255_scalar_sub(s,s,q.s); return *this; }

/** Multiply */
inline Scalar operator* (const Scalar &q) const DECAF_NOEXCEPT { Scalar r((NOINIT())); decaf_255_scalar_mul(r.s,s,q.s); return r; }

/** Multiply into this. */
inline Scalar &operator*=(const Scalar &q) DECAF_NOEXCEPT { decaf_255_scalar_mul(s,s,q.s); return *this; }

/** Negate */
inline Scalar operator- () const DECAF_NOEXCEPT { Scalar r((NOINIT())); decaf_255_scalar_sub(r.s,decaf_255_scalar_zero,s); return r; }

/** Return 1/this.
* @throw CryptoException if this is 0.
*/
inline Scalar inverse() const /*throw(CryptoException)*/ {
Scalar r;
if (DECAF_SUCCESS != decaf_255_scalar_invert(r.s,s)) {
throw CryptoException();
}
return r;
}

/** Invert with Fermat's Little Theorem (slow!). If *this == 0, set r=0
* and return DECAF_FAILURE. */
inline decaf_error_t DECAF_WARN_UNUSED
inverse_noexcept(Scalar &r) const DECAF_NOEXCEPT {
return decaf_255_scalar_invert(r.s,s);
}

/** Return this/q. @throw CryptoException if q == 0. */
inline Scalar operator/ (const Scalar &q) const /*throw(CryptoException)*/ { return *this * q.inverse(); }

/** Set this to this/q. @throw CryptoException if q == 0. */
inline Scalar &operator/=(const Scalar &q) /*throw(CryptoException)*/ { return *this *= q.inverse(); }

/** Return half this scalar. Much faster than /2. */
inline Scalar half() const { Scalar out; decaf_255_scalar_halve(out.s,s); return out; }

/** Compare in constant time */
inline bool operator!=(const Scalar &q) const DECAF_NOEXCEPT { return !(*this == q); }

/** Compare in constant time */
inline bool operator==(const Scalar &q) const DECAF_NOEXCEPT { return !!decaf_255_scalar_eq(s,q.s); }

/** Scalarmul with scalar on left. */
inline Point operator* (const Point &q) const DECAF_NOEXCEPT { return q * (*this); }

/** Scalarmul-precomputed with scalar on left. */
inline Point operator* (const Precomputed &q) const DECAF_NOEXCEPT { return q * (*this); }

/** Direct scalar multiplication.
* @throw CryptoException if the input didn't decode.
*/
inline SecureBuffer direct_scalarmul (
const FixedBlock<SER_BYTES> &in,
decaf_bool_t allow_identity=DECAF_FALSE,
decaf_bool_t short_circuit=DECAF_TRUE
) const /*throw(CryptoException)*/;
/** Direct scalar multiplication. */
inline decaf_error_t DECAF_WARN_UNUSED direct_scalarmul_noexcept(
FixedBuffer<SER_BYTES> &out,
const FixedBlock<SER_BYTES> &in,
decaf_bool_t allow_identity=DECAF_FALSE,
decaf_bool_t short_circuit=DECAF_TRUE
) const DECAF_NOEXCEPT;
};

/** Element of prime-order elliptic curve group. */
class Point : public Serializable<Point> {
public:
/** Wrapped C type */
typedef decaf_255_point_t Wrapped;
/** Size of a serialized element */
static const size_t SER_BYTES = DECAF_255_SER_BYTES;

/** Bytes required for hash */
static const size_t HASH_BYTES = DECAF_255_HASH_BYTES;

/** Bytes required for EdDSA encoding */
static const size_t EDDSA_BYTES = DECAF_EDDSA_25519_PUBLIC_BYTES;

/** Bytes required for EdDSA encoding */
static const size_t LADDER_BYTES = DECAF_X25519_PUBLIC_BYTES;
/** Ratio due to EdDSA encoding */
static const int EDDSA_ENCODE_RATIO = DECAF_255_EDDSA_ENCODE_RATIO;
/** Ratio due to EdDSA decoding */
static const int EDDSA_DECODE_RATIO = DECAF_255_EDDSA_DECODE_RATIO;
/** Ratio due to ladder decoding */
static const int LADDER_ENCODE_RATIO = DECAF_X25519_ENCODE_RATIO;

/** Size of a steganographically-encoded curve element. If the point is random, the encoding
* should look statistically close to a uniformly-random sequnece of STEG_BYTES bytes.
*/
static const size_t STEG_BYTES = HASH_BYTES * 2;
/** Number of bits in invert_elligator which are actually used. */
static const unsigned int INVERT_ELLIGATOR_WHICH_BITS = DECAF_255_INVERT_ELLIGATOR_WHICH_BITS;

/** The c-level object. */
Wrapped p;

/** @cond internal */
/** Don't initialize. */
inline Point(const NOINIT &) DECAF_NOEXCEPT {}
/** @endcond */

/** Constructor sets to identity by default. */
inline Point(const Wrapped &q = decaf_255_point_identity) DECAF_NOEXCEPT { decaf_255_point_copy(p,q); }

/** Copy constructor. */
inline Point(const Point &q) DECAF_NOEXCEPT { *this = q; }

/** Assignment. */
inline Point& operator=(const Point &q) DECAF_NOEXCEPT { decaf_255_point_copy(p,q.p); return *this; }

/** Destructor securely zeorizes the point. */
inline ~Point() DECAF_NOEXCEPT { decaf_255_point_destroy(p); }

/** Construct from RNG */
inline explicit Point(Rng &rng, bool uniform = true) DECAF_NOEXCEPT {
if (uniform) {
FixedArrayBuffer<2*HASH_BYTES> b(rng);
set_to_hash(b);
} else {
FixedArrayBuffer<HASH_BYTES> b(rng);
set_to_hash(b);
}
}

/**
* Initialize from a fixed-length byte string.
* The all-zero string maps to the identity.
*
* @throw CryptoException the string was the wrong length, or wasn't the encoding of a point,
* or was the identity and allow_identity was DECAF_FALSE.
*/
inline explicit Point(const FixedBlock<SER_BYTES> &buffer, bool allow_identity=true)
/*throw(CryptoException)*/ {
if (DECAF_SUCCESS != decode(buffer,allow_identity ? DECAF_TRUE : DECAF_FALSE)) {
throw CryptoException();
}
}

/**
* Initialize from C++ fixed-length byte string.
* The all-zero string maps to the identity.
*
* @retval DECAF_SUCCESS the string was successfully decoded.
* @return DECAF_FAILURE the string was the wrong length, or wasn't the encoding of a point,
* or was the identity and allow_identity was DECAF_FALSE. Contents of the buffer are undefined.
*/
inline decaf_error_t DECAF_WARN_UNUSED decode (
const FixedBlock<SER_BYTES> &buffer, bool allow_identity=true
) DECAF_NOEXCEPT {
return decaf_255_point_decode(p,buffer.data(),allow_identity ? DECAF_TRUE : DECAF_FALSE);
}

/**
* Initialize from C++ fixed-length byte string, like EdDSA.
* The all-zero string maps to the identity.
*
* @retval DECAF_SUCCESS the string was successfully decoded.
* @return DECAF_FAILURE the string was the wrong length, or wasn't the encoding of a point.
* Contents of the point are undefined.
*/
inline decaf_error_t DECAF_WARN_UNUSED decode_like_eddsa_and_mul_by_ratio_noexcept (
const FixedBlock<DECAF_EDDSA_25519_PUBLIC_BYTES> &buffer
) DECAF_NOEXCEPT {
return decaf_255_point_decode_like_eddsa_and_mul_by_ratio(p,buffer.data());
}
/**
* Decode from EDDSA, multiply by EDDSA_DECODE_RATIO, and ignore any
* remaining cofactor information.
* @throw CryptoException if the input point was invalid.
*/
inline void decode_like_eddsa_and_mul_by_ratio(
const FixedBlock<DECAF_EDDSA_25519_PUBLIC_BYTES> &buffer
) /*throw(CryptoException)*/ {
if (DECAF_SUCCESS != decode_like_eddsa_and_mul_by_ratio_noexcept(buffer)) throw(CryptoException());
}

/** Multiply by EDDSA_ENCODE_RATIO and encode like EdDSA. */
inline SecureBuffer mul_by_ratio_and_encode_like_eddsa() const {
SecureBuffer ret(DECAF_EDDSA_25519_PUBLIC_BYTES);
decaf_255_point_mul_by_ratio_and_encode_like_eddsa(ret.data(),p);
return ret;
}

/** Multiply by EDDSA_ENCODE_RATIO and encode like EdDSA. */
inline void mul_by_ratio_and_encode_like_eddsa(
FixedBuffer<DECAF_EDDSA_25519_PUBLIC_BYTES> &out
) const {
decaf_255_point_mul_by_ratio_and_encode_like_eddsa(out.data(),p);
}

/** Multiply by LADDER_ENCODE_RATIO and encode like X25519/X448. */
inline SecureBuffer mul_by_ratio_and_encode_like_ladder() const {
SecureBuffer ret(LADDER_BYTES);
decaf_255_point_mul_by_ratio_and_encode_like_x25519(ret.data(),p);
return ret;
}

/** Multiply by LADDER_ENCODE_RATIO and encode like X25519/X448. */
inline void mul_by_ratio_and_encode_like_ladder(FixedBuffer<LADDER_BYTES> &out) const {
decaf_255_point_mul_by_ratio_and_encode_like_x25519(out.data(),p);
}

/**
* Map uniformly to the curve from a hash buffer.
* The empty or all-zero string maps to the identity, as does the string "\\x01".
* If the buffer is shorter than 2*HASH_BYTES, well, it won't be as uniform,
* but the buffer will be zero-padded on the right.
*/
static inline Point from_hash ( const Block &s ) DECAF_NOEXCEPT {
Point p((NOINIT())); p.set_to_hash(s); return p;
}

/**
* Map to the curve from a hash buffer.
* The empty or all-zero string maps to the identity, as does the string "\\x01".
* If the buffer is shorter than 2*HASH_BYTES, well, it won't be as uniform,
* but the buffer will be zero-padded on the right.
*/
inline void set_to_hash( const Block &s ) DECAF_NOEXCEPT {
if (s.size() < HASH_BYTES) {
SecureBuffer b(HASH_BYTES);
memcpy(b.data(), s.data(), s.size());
decaf_255_point_from_hash_nonuniform(p,b.data());
} else if (s.size() == HASH_BYTES) {
decaf_255_point_from_hash_nonuniform(p,s.data());
} else if (s.size() < 2*HASH_BYTES) {
SecureBuffer b(2*HASH_BYTES);
memcpy(b.data(), s.data(), s.size());
decaf_255_point_from_hash_uniform(p,b.data());
} else {
decaf_255_point_from_hash_uniform(p,s.data());
}
}

/** Encode to string. The identity encodes to the all-zero string. */
inline operator SecureBuffer() const {
SecureBuffer buffer(SER_BYTES);
decaf_255_point_encode(buffer.data(), p);
return buffer;
}

/** Serializable instance */
inline size_t ser_size() const DECAF_NOEXCEPT { return SER_BYTES; }

/** Serializable instance */
inline void serialize_into(unsigned char *buffer) const DECAF_NOEXCEPT {
decaf_255_point_encode(buffer, p);
}

/** Point add. */
inline Point operator+ (const Point &q) const DECAF_NOEXCEPT { Point r((NOINIT())); decaf_255_point_add(r.p,p,q.p); return r; }

/** Point add. */
inline Point &operator+=(const Point &q) DECAF_NOEXCEPT { decaf_255_point_add(p,p,q.p); return *this; }

/** Point subtract. */
inline Point operator- (const Point &q) const DECAF_NOEXCEPT { Point r((NOINIT())); decaf_255_point_sub(r.p,p,q.p); return r; }

/** Point subtract. */
inline Point &operator-=(const Point &q) DECAF_NOEXCEPT { decaf_255_point_sub(p,p,q.p); return *this; }

/** Point negate. */
inline Point operator- () const DECAF_NOEXCEPT { Point r((NOINIT())); decaf_255_point_negate(r.p,p); return r; }

/** Double the point out of place. */
inline Point times_two () const DECAF_NOEXCEPT { Point r((NOINIT())); decaf_255_point_double(r.p,p); return r; }

/** Double the point in place. */
inline Point &double_in_place() DECAF_NOEXCEPT { decaf_255_point_double(p,p); return *this; }

/** Constant-time compare. */
inline bool operator!=(const Point &q) const DECAF_NOEXCEPT { return ! decaf_255_point_eq(p,q.p); }

/** Constant-time compare. */
inline bool operator==(const Point &q) const DECAF_NOEXCEPT { return !!decaf_255_point_eq(p,q.p); }

/** Scalar multiply. */
inline Point operator* (const Scalar &s) const DECAF_NOEXCEPT { Point r((NOINIT())); decaf_255_point_scalarmul(r.p,p,s.s); return r; }

/** Scalar multiply in place. */
inline Point &operator*=(const Scalar &s) DECAF_NOEXCEPT { decaf_255_point_scalarmul(p,p,s.s); return *this; }

/** Multiply by s.inverse(). If s=0, maps to the identity. */
inline Point operator/ (const Scalar &s) const /*throw(CryptoException)*/ { return (*this) * s.inverse(); }

/** Multiply by s.inverse(). If s=0, maps to the identity. */
inline Point &operator/=(const Scalar &s) /*throw(CryptoException)*/ { return (*this) *= s.inverse(); }

/** Validate / sanity check */
inline bool validate() const DECAF_NOEXCEPT { return decaf_255_point_valid(p); }

/** Double-scalar multiply, equivalent to q*qs + r*rs but faster. */
static inline Point double_scalarmul (
const Point &q, const Scalar &qs, const Point &r, const Scalar &rs
) DECAF_NOEXCEPT {
Point p((NOINIT())); decaf_255_point_double_scalarmul(p.p,q.p,qs.s,r.p,rs.s); return p;
}

/** Dual-scalar multiply, equivalent to this*r1, this*r2 but faster. */
inline void dual_scalarmul (
Point &q1, Point &q2, const Scalar &r1, const Scalar &r2
) const DECAF_NOEXCEPT {
decaf_255_point_dual_scalarmul(q1.p,q2.p,p,r1.s,r2.s);
}

/**
* Double-scalar multiply, equivalent to q*qs + r*rs but faster.
* For those who like their scalars before the point.
*/
static inline Point double_scalarmul (
const Scalar &qs, const Point &q, const Scalar &rs, const Point &r
) DECAF_NOEXCEPT {
return double_scalarmul(q,qs,r,rs);
}

/**
* Double-scalar multiply: this point by the first scalar and base by the second scalar.
* @warning This function takes variable time, and may leak the scalars (or points, but currently
* it doesn't).
*/
inline Point non_secret_combo_with_base(const Scalar &s, const Scalar &s_base) DECAF_NOEXCEPT {
Point r((NOINIT())); decaf_255_base_double_scalarmul_non_secret(r.p,s_base.s,p,s.s); return r;
}

/** Return a point equal to *this, whose internal data is rotated by a torsion element. */
inline Point debugging_torque() const DECAF_NOEXCEPT {
Point q;
decaf_255_point_debugging_torque(q.p,p);
return q;
}

/** Return a point equal to *this, whose internal data has a modified representation. */
inline Point debugging_pscale(const FixedBlock<SER_BYTES> factor) const DECAF_NOEXCEPT {
Point q;
decaf_255_point_debugging_pscale(q.p,p,factor.data());
return q;
}

/** Return a point equal to *this, whose internal data has a randomized representation. */
inline Point debugging_pscale(Rng &r) const DECAF_NOEXCEPT {
FixedArrayBuffer<SER_BYTES> sb(r);
return debugging_pscale(sb);
}

/**
* Modify buffer so that Point::from_hash(Buffer) == *this, and return DECAF_SUCCESS;
* or leave buf unmodified and return DECAF_FAILURE.
*/
inline decaf_error_t invert_elligator (
Buffer buf, uint32_t hint
) const DECAF_NOEXCEPT {
unsigned char buf2[2*HASH_BYTES];
memset(buf2,0,sizeof(buf2));
memcpy(buf2,buf.data(),(buf.size() > 2*HASH_BYTES) ? 2*HASH_BYTES : buf.size());
decaf_bool_t ret;
if (buf.size() > HASH_BYTES) {
ret = decaf_successful(decaf_255_invert_elligator_uniform(buf2, p, hint));
} else {
ret = decaf_successful(decaf_255_invert_elligator_nonuniform(buf2, p, hint));
}
if (buf.size() < HASH_BYTES) {
ret &= decaf_memeq(&buf2[buf.size()], &buf2[HASH_BYTES], HASH_BYTES - buf.size());
}
for (size_t i=0; i<buf.size() && i<HASH_BYTES; i++) {
buf[i] = (buf[i] & ~ret) | (buf2[i] &ret);
}
decaf_bzero(buf2,sizeof(buf2));
return decaf_succeed_if(ret);
}

/** Steganographically encode this */
inline SecureBuffer steg_encode(Rng &rng, size_t size=STEG_BYTES) const /*throw(std::bad_alloc, LengthException)*/ {
if (size <= HASH_BYTES + 4 || size > 2*HASH_BYTES) throw LengthException();
SecureBuffer out(STEG_BYTES);
decaf_error_t done;
do {
rng.read(Buffer(out).slice(HASH_BYTES-4,STEG_BYTES-HASH_BYTES+1));
uint32_t hint = 0;
for (int i=0; i<4; i++) { hint |= uint32_t(out[HASH_BYTES-4+i])<<(8*i); }
done = invert_elligator(out, hint);
} while (!decaf_successful(done));
return out;
}

/** Return the base point of the curve. */
static inline const Point base() DECAF_NOEXCEPT { return Point(decaf_255_point_base); }

/** Return the identity point of the curve. */
static inline const Point identity() DECAF_NOEXCEPT { return Point(decaf_255_point_identity); }
};

/**
* Precomputed table of points.
* Minor difficulties arise here because the decaf API doesn't expose, as a constant, how big such an object is.
* Therefore we have to call malloc() or friends, but that's probably for the best, because you don't want to
* stack-allocate a 15kiB object anyway.
*/

/** @cond internal */
typedef decaf_255_precomputed_s Precomputed_U;
/** @endcond */
class Precomputed
/** @cond internal */
: protected OwnedOrUnowned<Precomputed,Precomputed_U>
/** @endcond */
{
public:

/** Destructor securely zeorizes the memory. */
inline ~Precomputed() DECAF_NOEXCEPT { clear(); }

/**
* Initialize from underlying type, declared as a reference to prevent
* it from being called with 0, thereby breaking override.
*
* The underlying object must remain valid throughout the lifetime of this one.
*
* By default, initializes to the table for the base point.
*
* @warning The empty initializer makes this equal to base, unlike the empty
* initializer for points which makes this equal to the identity.
*/
inline Precomputed (
const Precomputed_U &yours = *decaf_255_precomputed_base
) DECAF_NOEXCEPT : OwnedOrUnowned<Precomputed,Precomputed_U>(yours) {}


#if __cplusplus >= 201103L
/** Move-assign operator */
inline Precomputed &operator=(Precomputed &&it) DECAF_NOEXCEPT {
OwnedOrUnowned<Precomputed,Precomputed_U>::operator= (it);
return *this;
}

/** Move constructor */
inline Precomputed(Precomputed &&it) DECAF_NOEXCEPT : OwnedOrUnowned<Precomputed,Precomputed_U>() {
*this = it;
}

/** Undelete copy operator */
inline Precomputed &operator=(const Precomputed &it) DECAF_NOEXCEPT {
OwnedOrUnowned<Precomputed,Precomputed_U>::operator= (it);
return *this;
}
#endif

/**
* Initilaize from point. Must allocate memory, and may throw.
*/
inline Precomputed &operator=(const Point &it) /*throw(std::bad_alloc)*/ {
alloc();
decaf_255_precompute(ours.mine,it.p);
return *this;
}

/**
* Copy constructor.
*/
inline Precomputed(const Precomputed &it) /*throw(std::bad_alloc)*/
: OwnedOrUnowned<Precomputed,Precomputed_U>() { *this = it; }

/**
* Constructor which initializes from point.
*/
inline explicit Precomputed(const Point &it) /*throw(std::bad_alloc)*/
: OwnedOrUnowned<Precomputed,Precomputed_U>() { *this = it; }

/** Fixed base scalarmul. */
inline Point operator* (const Scalar &s) const DECAF_NOEXCEPT { Point r; decaf_255_precomputed_scalarmul(r.p,get(),s.s); return r; }

/** Multiply by s.inverse(). If s=0, maps to the identity. */
inline Point operator/ (const Scalar &s) const /*throw(CryptoException)*/ { return (*this) * s.inverse(); }

/** Return the table for the base point. */
static inline const Precomputed base() DECAF_NOEXCEPT { return Precomputed(); }

public:
/** @cond internal */
friend class OwnedOrUnowned<Precomputed,Precomputed_U>;
static inline size_t size() DECAF_NOEXCEPT { return decaf_255_sizeof_precomputed_s; }
static inline size_t alignment() DECAF_NOEXCEPT { return decaf_255_alignof_precomputed_s; }
static inline const Precomputed_U * default_value() DECAF_NOEXCEPT { return decaf_255_precomputed_base; }
/** @endcond */
};

/** X-only Diffie-Hellman ladder functions */
struct DhLadder {
public:
/** Bytes in an X25519 public key. */
static const size_t PUBLIC_BYTES = DECAF_X25519_PUBLIC_BYTES;

/** Bytes in an X25519 private key. */
static const size_t PRIVATE_BYTES = DECAF_X25519_PRIVATE_BYTES;

/** Base point for a scalar multiplication. */
static const FixedBlock<PUBLIC_BYTES> base_point() DECAF_NOEXCEPT {
return FixedBlock<PUBLIC_BYTES>(decaf_x25519_base_point);
}

/** Calculate and return a shared secret with public key. */
static inline SecureBuffer shared_secret(
const FixedBlock<PUBLIC_BYTES> &pk,
const FixedBlock<PRIVATE_BYTES> &scalar
) /*throw(std::bad_alloc,CryptoException)*/ {
SecureBuffer out(PUBLIC_BYTES);
if (DECAF_SUCCESS != decaf_x25519(out.data(), pk.data(), scalar.data())) {
throw CryptoException();
}
return out;
}

/** Calculate and write into out a shared secret with public key, noexcept version. */
static inline decaf_error_t DECAF_WARN_UNUSED
shared_secret_noexcept (
FixedBuffer<PUBLIC_BYTES> &out,
const FixedBlock<PUBLIC_BYTES> &pk,
const FixedBlock<PRIVATE_BYTES> &scalar
) DECAF_NOEXCEPT {
return decaf_x25519(out.data(), pk.data(), scalar.data());
}

/** Calculate and return a public key; equivalent to shared_secret(base_point(),scalar)
* but possibly faster.
* @deprecated Renamed to derive_public_key.
*/
static inline SecureBuffer DECAF_DEPRECATED("Renamed to derive_public_key")
generate_key(
const FixedBlock<PRIVATE_BYTES> &scalar
) /*throw(std::bad_alloc)*/ {
SecureBuffer out(PUBLIC_BYTES);
decaf_x25519_derive_public_key(out.data(), scalar.data());
return out;
}

/** Calculate and return a public key; equivalent to shared_secret(base_point(),scalar)
* but possibly faster.
*/
static inline SecureBuffer derive_public_key(
const FixedBlock<PRIVATE_BYTES> &scalar
) /*throw(std::bad_alloc)*/ {
SecureBuffer out(PUBLIC_BYTES);
decaf_x25519_derive_public_key(out.data(), scalar.data());
return out;
}

/** Calculate and return a public key into a fixed buffer;
* equivalent to shared_secret(base_point(),scalar) but possibly faster.
*/
static inline void
derive_public_key_noexcept (
FixedBuffer<PUBLIC_BYTES> &out,
const FixedBlock<PRIVATE_BYTES> &scalar
) DECAF_NOEXCEPT {
decaf_x25519_derive_public_key(out.data(), scalar.data());
}

/** Calculate and return a public key into a fixed buffer;
* equivalent to shared_secret(base_point(),scalar) but possibly faster.
* @deprecated Renamed to derive_public_key_noexcept.
*/
static inline void
DECAF_DEPRECATED("Renamed to derive_public_key_noexcept")
generate_key_noexcept (
FixedBuffer<PUBLIC_BYTES> &out,
const FixedBlock<PRIVATE_BYTES> &scalar
) DECAF_NOEXCEPT {
decaf_x25519_derive_public_key(out.data(), scalar.data());
}
};

}; /* struct Ristretto */

/** @cond internal */
inline SecureBuffer Ristretto::Scalar::direct_scalarmul (
const FixedBlock<Ristretto::Point::SER_BYTES> &in,
decaf_bool_t allow_identity,
decaf_bool_t short_circuit
) const /*throw(CryptoException)*/ {
SecureBuffer out(Ristretto::Point::SER_BYTES);
if (DECAF_SUCCESS !=
decaf_255_direct_scalarmul(out.data(), in.data(), s, allow_identity, short_circuit)
) {
throw CryptoException();
}
return out;
}

inline decaf_error_t Ristretto::Scalar::direct_scalarmul_noexcept (
FixedBuffer<Ristretto::Point::SER_BYTES> &out,
const FixedBlock<Ristretto::Point::SER_BYTES> &in,
decaf_bool_t allow_identity,
decaf_bool_t short_circuit
) const DECAF_NOEXCEPT {
return decaf_255_direct_scalarmul(out.data(), in.data(), s, allow_identity, short_circuit);
}
/** @endcond */

/** Alternative name for Ristretto, for backwards compatibility */
typedef Ristretto IsoEd25519;


#undef DECAF_NOEXCEPT
} /* namespace decaf */

#endif /* __DECAF_POINT_255_HXX__ */

+ 0
- 769
src/GENERATED/include/decaf/point_448.h View File

@@ -1,769 +0,0 @@
/**
* @file decaf/point_448.h
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
* @brief A group of prime order p, based on Ed448-Goldilocks.
*
* @warning This file was automatically generated in Python.
* Please do not edit it.
*/

#ifndef __DECAF_POINT_448_H__
#define __DECAF_POINT_448_H__ 1

#include <decaf/common.h>

#ifdef __cplusplus
extern "C" {
#endif

/** @cond internal */
#define DECAF_448_SCALAR_LIMBS ((446-1)/DECAF_WORD_BITS+1)
/** @endcond */

/** The number of bits in a scalar */
#define DECAF_448_SCALAR_BITS 446

/** @cond internal */
#ifndef __DECAF_448_GF_DEFINED__
#define __DECAF_448_GF_DEFINED__ 1
/** @brief Galois field element internal structure */
typedef struct gf_448_s {
decaf_word_t limb[512/DECAF_WORD_BITS];
} __attribute__((aligned(32))) gf_448_s, gf_448_t[1];
#endif /* __DECAF_448_GF_DEFINED__ */
/** @endcond */

/** Number of bytes in a serialized point. */
#define DECAF_448_SER_BYTES 56

/** Number of bytes in an elligated point. For now set the same as SER_BYTES
* but could be different for other curves.
*/
#define DECAF_448_HASH_BYTES 56

/** Number of bytes in a serialized scalar. */
#define DECAF_448_SCALAR_BYTES 56

/** Number of bits in the "which" field of an elligator inverse */
#define DECAF_448_INVERT_ELLIGATOR_WHICH_BITS 3

/** The cofactor the curve would have, if we hadn't removed it */
#define DECAF_448_REMOVED_COFACTOR 4

/** X448 encoding ratio. */
#define DECAF_X448_ENCODE_RATIO 2

/** Number of bytes in an x448 public key */
#define DECAF_X448_PUBLIC_BYTES 56

/** Number of bytes in an x448 private key */
#define DECAF_X448_PRIVATE_BYTES 56

/** Representation of a point on the elliptic curve. */
typedef struct decaf_448_point_s {
/** @cond internal */
gf_448_t x,y,z,t; /* Twisted extended homogeneous coordinates */
/** @endcond */
} decaf_448_point_t[1];

/** Precomputed table based on a point. Can be trivial implementation. */
struct decaf_448_precomputed_s;

/** Precomputed table based on a point. Can be trivial implementation. */
typedef struct decaf_448_precomputed_s decaf_448_precomputed_s;

/** Size and alignment of precomputed point tables. */
extern const size_t decaf_448_sizeof_precomputed_s DECAF_API_VIS, decaf_448_alignof_precomputed_s DECAF_API_VIS;

/** Representation of an element of the scalar field. */
typedef struct decaf_448_scalar_s {
/** @cond internal */
decaf_word_t limb[DECAF_448_SCALAR_LIMBS];
/** @endcond */
} decaf_448_scalar_t[1];

/** The scalar 1. */
extern const decaf_448_scalar_t decaf_448_scalar_one DECAF_API_VIS;

/** The scalar 0. */
extern const decaf_448_scalar_t decaf_448_scalar_zero DECAF_API_VIS;

/** The identity (zero) point on the curve. */
extern const decaf_448_point_t decaf_448_point_identity DECAF_API_VIS;

/** An arbitrarily-chosen base point on the curve. */
extern const decaf_448_point_t decaf_448_point_base DECAF_API_VIS;

/** Precomputed table of multiples of the base point on the curve. */
extern const struct decaf_448_precomputed_s *decaf_448_precomputed_base DECAF_API_VIS;

/**
* @brief Read a scalar from wire format or from bytes.
*
* @param [in] ser Serialized form of a scalar.
* @param [out] out Deserialized form.
*
* @retval DECAF_SUCCESS The scalar was correctly encoded.
* @retval DECAF_FAILURE The scalar was greater than the modulus,
* and has been reduced modulo that modulus.
*/
decaf_error_t decaf_448_scalar_decode (
decaf_448_scalar_t out,
const unsigned char ser[DECAF_448_SCALAR_BYTES]
) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;

/**
* @brief Read a scalar from wire format or from bytes. Reduces mod
* scalar prime.
*
* @param [in] ser Serialized form of a scalar.
* @param [in] ser_len Length of serialized form.
* @param [out] out Deserialized form.
*/
void decaf_448_scalar_decode_long (
decaf_448_scalar_t out,
const unsigned char *ser,
size_t ser_len
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
/**
* @brief Serialize a scalar to wire format.
*
* @param [out] ser Serialized form of a scalar.
* @param [in] s Deserialized scalar.
*/
void decaf_448_scalar_encode (
unsigned char ser[DECAF_448_SCALAR_BYTES],
const decaf_448_scalar_t s
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE DECAF_NOINLINE;
/**
* @brief Add two scalars. The scalars may use the same memory.
* @param [in] a One scalar.
* @param [in] b Another scalar.
* @param [out] out a+b.
*/
void decaf_448_scalar_add (
decaf_448_scalar_t out,
const decaf_448_scalar_t a,
const decaf_448_scalar_t b
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;

/**
* @brief Compare two scalars.
* @param [in] a One scalar.
* @param [in] b Another scalar.
* @retval DECAF_TRUE The scalars are equal.
* @retval DECAF_FALSE The scalars are not equal.
*/
decaf_bool_t decaf_448_scalar_eq (
const decaf_448_scalar_t a,
const decaf_448_scalar_t b
) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;

/**
* @brief Subtract two scalars. The scalars may use the same memory.
* @param [in] a One scalar.
* @param [in] b Another scalar.
* @param [out] out a-b.
*/
void decaf_448_scalar_sub (
decaf_448_scalar_t out,
const decaf_448_scalar_t a,
const decaf_448_scalar_t b
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;

/**
* @brief Multiply two scalars. The scalars may use the same memory.
* @param [in] a One scalar.
* @param [in] b Another scalar.
* @param [out] out a*b.
*/
void decaf_448_scalar_mul (
decaf_448_scalar_t out,
const decaf_448_scalar_t a,
const decaf_448_scalar_t b
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
/**
* @brief Halve a scalar. The scalars may use the same memory.
* @param [in] a A scalar.
* @param [out] out a/2.
*/
void decaf_448_scalar_halve (
decaf_448_scalar_t out,
const decaf_448_scalar_t a
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;

/**
* @brief Invert a scalar. When passed zero, return 0. The input and output may alias.
* @param [in] a A scalar.
* @param [out] out 1/a.
* @return DECAF_SUCCESS The input is nonzero.
*/
decaf_error_t decaf_448_scalar_invert (
decaf_448_scalar_t out,
const decaf_448_scalar_t a
) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;

/**
* @brief Copy a scalar. The scalars may use the same memory, in which
* case this function does nothing.
* @param [in] a A scalar.
* @param [out] out Will become a copy of a.
*/
static inline void DECAF_NONNULL decaf_448_scalar_copy (
decaf_448_scalar_t out,
const decaf_448_scalar_t a
) {
*out = *a;
}

/**
* @brief Set a scalar to an unsigned 64-bit integer.
* @param [in] a An integer.
* @param [out] out Will become equal to a.
*/
void decaf_448_scalar_set_unsigned (
decaf_448_scalar_t out,
uint64_t a
) DECAF_API_VIS DECAF_NONNULL;

/**
* @brief Encode a point as a sequence of bytes.
*
* @param [out] ser The byte representation of the point.
* @param [in] pt The point to encode.
*/
void decaf_448_point_encode (
uint8_t ser[DECAF_448_SER_BYTES],
const decaf_448_point_t pt
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;

/**
* @brief Decode a point from a sequence of bytes.
*
* Every point has a unique encoding, so not every
* sequence of bytes is a valid encoding. If an invalid
* encoding is given, the output is undefined.
*
* @param [out] pt The decoded point.
* @param [in] ser The serialized version of the point.
* @param [in] allow_identity DECAF_TRUE if the identity is a legal input.
* @retval DECAF_SUCCESS The decoding succeeded.
* @retval DECAF_FAILURE The decoding didn't succeed, because
* ser does not represent a point.
*/
decaf_error_t decaf_448_point_decode (
decaf_448_point_t pt,
const uint8_t ser[DECAF_448_SER_BYTES],
decaf_bool_t allow_identity
) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;

/**
* @brief Copy a point. The input and output may alias,
* in which case this function does nothing.
*
* @param [out] a A copy of the point.
* @param [in] b Any point.
*/
static inline void DECAF_NONNULL decaf_448_point_copy (
decaf_448_point_t a,
const decaf_448_point_t b
) {
*a=*b;
}

/**
* @brief Test whether two points are equal. If yes, return
* DECAF_TRUE, else return DECAF_FALSE.
*
* @param [in] a A point.
* @param [in] b Another point.
* @retval DECAF_TRUE The points are equal.
* @retval DECAF_FALSE The points are not equal.
*/
decaf_bool_t decaf_448_point_eq (
const decaf_448_point_t a,
const decaf_448_point_t b
) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;

/**
* @brief Add two points to produce a third point. The
* input points and output point can be pointers to the same
* memory.
*
* @param [out] sum The sum a+b.
* @param [in] a An addend.
* @param [in] b An addend.
*/
void decaf_448_point_add (
decaf_448_point_t sum,
const decaf_448_point_t a,
const decaf_448_point_t b
) DECAF_API_VIS DECAF_NONNULL;

/**
* @brief Double a point. Equivalent to
* decaf_448_point_add(two_a,a,a), but potentially faster.
*
* @param [out] two_a The sum a+a.
* @param [in] a A point.
*/
void decaf_448_point_double (
decaf_448_point_t two_a,
const decaf_448_point_t a
) DECAF_API_VIS DECAF_NONNULL;

/**
* @brief Subtract two points to produce a third point. The
* input points and output point can be pointers to the same
* memory.
*
* @param [out] diff The difference a-b.
* @param [in] a The minuend.
* @param [in] b The subtrahend.
*/
void decaf_448_point_sub (
decaf_448_point_t diff,
const decaf_448_point_t a,
const decaf_448_point_t b
) DECAF_API_VIS DECAF_NONNULL;
/**
* @brief Negate a point to produce another point. The input
* and output points can use the same memory.
*
* @param [out] nega The negated input point
* @param [in] a The input point.
*/
void decaf_448_point_negate (
decaf_448_point_t nega,
const decaf_448_point_t a
) DECAF_API_VIS DECAF_NONNULL;

/**
* @brief Multiply a base point by a scalar: scaled = scalar*base.
*
* @param [out] scaled The scaled point base*scalar
* @param [in] base The point to be scaled.
* @param [in] scalar The scalar to multiply by.
*/
void decaf_448_point_scalarmul (
decaf_448_point_t scaled,
const decaf_448_point_t base,
const decaf_448_scalar_t scalar
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;

/**
* @brief Multiply a base point by a scalar: scaled = scalar*base.
* This function operates directly on serialized forms.
*
* @warning This function is experimental. It may not be supported
* long-term.
*
* @param [out] scaled The scaled point base*scalar
* @param [in] base The point to be scaled.
* @param [in] scalar The scalar to multiply by.
* @param [in] allow_identity Allow the input to be the identity.
* @param [in] short_circuit Allow a fast return if the input is illegal.
*
* @retval DECAF_SUCCESS The scalarmul succeeded.
* @retval DECAF_FAILURE The scalarmul didn't succeed, because
* base does not represent a point.
*/
decaf_error_t decaf_448_direct_scalarmul (
uint8_t scaled[DECAF_448_SER_BYTES],
const uint8_t base[DECAF_448_SER_BYTES],
const decaf_448_scalar_t scalar,
decaf_bool_t allow_identity,
decaf_bool_t short_circuit
) DECAF_API_VIS DECAF_NONNULL DECAF_WARN_UNUSED DECAF_NOINLINE;

/**
* @brief RFC 7748 Diffie-Hellman scalarmul, used to compute shared secrets.
* This function uses a different (non-Decaf) encoding.
*
* @param [out] shared The shared secret base*scalar
* @param [in] base The other party's public key, used as the base of the scalarmul.
* @param [in] scalar The private scalar to multiply by.
*
* @retval DECAF_SUCCESS The scalarmul succeeded.
* @retval DECAF_FAILURE The scalarmul didn't succeed, because the base
* point is in a small subgroup.
*/
decaf_error_t decaf_x448 (
uint8_t shared[DECAF_X448_PUBLIC_BYTES],
const uint8_t base[DECAF_X448_PUBLIC_BYTES],
const uint8_t scalar[DECAF_X448_PRIVATE_BYTES]
) DECAF_API_VIS DECAF_NONNULL DECAF_WARN_UNUSED DECAF_NOINLINE;

/**
* @brief Multiply a point by DECAF_X448_ENCODE_RATIO,
* then encode it like RFC 7748.
*
* This function is mainly used internally, but is exported in case
* it will be useful.
*
* The ratio is necessary because the internal representation doesn't
* track the cofactor information, so on output we must clear the cofactor.
* This would multiply by the cofactor, but in fact internally libdecaf's
* points are always even, so it multiplies by half the cofactor instead.
*
* As it happens, this aligns with the base point definitions; that is,
* if you pass the Decaf/Ristretto base point to this function, the result
* will be DECAF_X448_ENCODE_RATIO times the X448
* base point.
*
* @param [out] out The scaled and encoded point.
* @param [in] p The point to be scaled and encoded.
*/
void decaf_448_point_mul_by_ratio_and_encode_like_x448 (
uint8_t out[DECAF_X448_PUBLIC_BYTES],
const decaf_448_point_t p
) DECAF_API_VIS DECAF_NONNULL;

/** The base point for X448 Diffie-Hellman */
extern const uint8_t
decaf_x448_base_point[DECAF_X448_PUBLIC_BYTES]
#ifndef DOXYGEN
/* For some reason Doxygen chokes on this despite the defense in common.h... */
DECAF_API_VIS
#endif
;

/**
* @brief RFC 7748 Diffie-Hellman base point scalarmul. This function uses
* a different (non-Decaf) encoding.
*
* @deprecated Renamed to decaf_x448_derive_public_key.
* I have no particular timeline for removing this name.
*
* @param [out] out The public key base*scalar.
* @param [in] scalar The private scalar.
*/
void decaf_x448_generate_key (
uint8_t out[DECAF_X448_PUBLIC_BYTES],
const uint8_t scalar[DECAF_X448_PRIVATE_BYTES]
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE DECAF_DEPRECATED("Renamed to decaf_x448_derive_public_key");
/**
* @brief RFC 7748 Diffie-Hellman base point scalarmul. This function uses
* a different (non-Decaf) encoding.
*
* Does exactly the same thing as decaf_x448_generate_key,
* but has a better name.
*
* @param [out] out The public key base*scalar
* @param [in] scalar The private scalar.
*/
void decaf_x448_derive_public_key (
uint8_t out[DECAF_X448_PUBLIC_BYTES],
const uint8_t scalar[DECAF_X448_PRIVATE_BYTES]
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;

/* FUTURE: uint8_t decaf_448_encode_like_curve448) */

/**
* @brief Precompute a table for fast scalar multiplication.
* Some implementations do not include precomputed points; for
* those implementations, this implementation simply copies the
* point.
*
* @param [out] a A precomputed table of multiples of the point.
* @param [in] b Any point.
*/
void decaf_448_precompute (
decaf_448_precomputed_s *a,
const decaf_448_point_t b
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;

/**
* @brief Multiply a precomputed base point by a scalar:
* scaled = scalar*base.
* Some implementations do not include precomputed points; for
* those implementations, this function is the same as
* decaf_448_point_scalarmul
*
* @param [out] scaled The scaled point base*scalar
* @param [in] base The point to be scaled.
* @param [in] scalar The scalar to multiply by.
*/
void decaf_448_precomputed_scalarmul (
decaf_448_point_t scaled,
const decaf_448_precomputed_s *base,
const decaf_448_scalar_t scalar
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;

/**
* @brief Multiply two base points by two scalars:
* scaled = scalar1*base1 + scalar2*base2.
*
* Equivalent to two calls to decaf_448_point_scalarmul, but may be
* faster.
*
* @param [out] combo The linear combination scalar1*base1 + scalar2*base2.
* @param [in] base1 A first point to be scaled.
* @param [in] scalar1 A first scalar to multiply by.
* @param [in] base2 A second point to be scaled.
* @param [in] scalar2 A second scalar to multiply by.
*/
void decaf_448_point_double_scalarmul (
decaf_448_point_t combo,
const decaf_448_point_t base1,
const decaf_448_scalar_t scalar1,
const decaf_448_point_t base2,
const decaf_448_scalar_t scalar2
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
/**
* Multiply one base point by two scalars:
*
* a1 = scalar1 * base
* a2 = scalar2 * base
*
* Equivalent to two calls to decaf_448_point_scalarmul, but may be
* faster.
*
* @param [out] a1 The first multiple. It may be the same as the input point.
* @param [out] a2 The second multiple. It may be the same as the input point.
* @param [in] base1 A point to be scaled.
* @param [in] scalar1 A first scalar to multiply by.
* @param [in] scalar2 A second scalar to multiply by.
*/
void decaf_448_point_dual_scalarmul (
decaf_448_point_t a1,
decaf_448_point_t a2,
const decaf_448_point_t base1,
const decaf_448_scalar_t scalar1,
const decaf_448_scalar_t scalar2
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;

/**
* @brief Multiply two base points by two scalars:
* scaled = scalar1*decaf_448_point_base + scalar2*base2.
*
* Otherwise equivalent to decaf_448_point_double_scalarmul, but may be
* faster at the expense of being variable time.
*
* @param [out] combo The linear combination scalar1*base + scalar2*base2.
* @param [in] scalar1 A first scalar to multiply by.
* @param [in] base2 A second point to be scaled.
* @param [in] scalar2 A second scalar to multiply by.
*
* @warning: This function takes variable time, and may leak the scalars
* used. It is designed for signature verification.
*/
void decaf_448_base_double_scalarmul_non_secret (
decaf_448_point_t combo,
const decaf_448_scalar_t scalar1,
const decaf_448_point_t base2,
const decaf_448_scalar_t scalar2
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;

/**
* @brief Constant-time decision between two points. If pick_b
* is zero, out = a; else out = b.
*
* @param [out] out The output. It may be the same as either input.
* @param [in] a Any point.
* @param [in] b Any point.
* @param [in] pick_b If nonzero, choose point b.
*/
void decaf_448_point_cond_sel (
decaf_448_point_t out,
const decaf_448_point_t a,
const decaf_448_point_t b,
decaf_word_t pick_b
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;

/**
* @brief Constant-time decision between two scalars. If pick_b
* is zero, out = a; else out = b.
*
* @param [out] out The output. It may be the same as either input.
* @param [in] a Any scalar.
* @param [in] b Any scalar.
* @param [in] pick_b If nonzero, choose scalar b.
*/
void decaf_448_scalar_cond_sel (
decaf_448_scalar_t out,
const decaf_448_scalar_t a,
const decaf_448_scalar_t b,
decaf_word_t pick_b
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;

/**
* @brief Test that a point is valid, for debugging purposes.
*
* @param [in] to_test The point to test.
* @retval DECAF_TRUE The point is valid.
* @retval DECAF_FALSE The point is invalid.
*/
decaf_bool_t decaf_448_point_valid (
const decaf_448_point_t to_test
) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;

/**
* @brief Torque a point, for debugging purposes. The output
* will be equal to the input.
*
* @param [out] q The point to torque.
* @param [in] p The point to torque.
*/
void decaf_448_point_debugging_torque (
decaf_448_point_t q,
const decaf_448_point_t p
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;

/**
* @brief Projectively scale a point, for debugging purposes.
* The output will be equal to the input, and will be valid
* even if the factor is zero.
*
* @param [out] q The point to scale.
* @param [in] p The point to scale.
* @param [in] factor Serialized GF factor to scale.
*/
void decaf_448_point_debugging_pscale (
decaf_448_point_t q,
const decaf_448_point_t p,
const unsigned char factor[DECAF_448_SER_BYTES]
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;

/**
* @brief Almost-Elligator-like hash to curve.
*
* Call this function with the output of a hash to make a hash to the curve.
*
* This function runs Elligator2 on the decaf_448 Jacobi quartic model. It then
* uses the isogeny to put the result in twisted Edwards form. As a result,
* it is safe (cannot produce points of order 4), and would be compatible with
* hypothetical other implementations of Decaf using a Montgomery or untwisted
* Edwards model.
*
* Unlike Elligator, this function may be up to 4:1 on [0,(p-1)/2]:
* A factor of 2 due to the isogeny.
* A factor of 2 because we quotient out the 2-torsion.
*
* This makes it about 8:1 overall, or 16:1 overall on curves with cofactor 8.
*
* Negating the input (mod q) results in the same point. Inverting the input
* (mod q) results in the negative point. This is the same as Elligator.
*
* This function isn't quite indifferentiable from a random oracle.
* However, it is suitable for many protocols, including SPEKE and SPAKE2 EE.
* Furthermore, calling it twice with independent seeds and adding the results
* is indifferentiable from a random oracle.
*
* @param [in] hashed_data Output of some hash function.
* @param [out] pt The data hashed to the curve.
*/
void
decaf_448_point_from_hash_nonuniform (
decaf_448_point_t pt,
const unsigned char hashed_data[DECAF_448_HASH_BYTES]
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;

/**
* @brief Indifferentiable hash function encoding to curve.
*
* Equivalent to calling decaf_448_point_from_hash_nonuniform twice and adding.
*
* @param [in] hashed_data Output of some hash function.
* @param [out] pt The data hashed to the curve.
*/
void decaf_448_point_from_hash_uniform (
decaf_448_point_t pt,
const unsigned char hashed_data[2*DECAF_448_HASH_BYTES]
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;

/**
* @brief Inverse of elligator-like hash to curve.
*
* This function writes to the buffer, to make it so that
* decaf_448_point_from_hash_nonuniform(buffer) = pt if
* possible. Since there may be multiple preimages, the
* "which" parameter chooses between them. To ensure uniform
* inverse sampling, this function succeeds or fails
* independently for different "which" values.
*
* This function isn't guaranteed to find every possible
* preimage, but it finds all except a small finite number.
* In particular, when the number of bits in the modulus isn't
* a multiple of 8 (i.e. for curve25519), it sets the high bits
* independently, which enables the generated data to be uniform.
* But it doesn't add p, so you'll never get exactly p from this
* function. This might change in the future, especially if
* we ever support eg Brainpool curves, where this could cause
* real nonuniformity.
*
* @param [out] recovered_hash Encoded data.
* @param [in] pt The point to encode.
* @param [in] which A value determining which inverse point
* to return.
*
* @retval DECAF_SUCCESS The inverse succeeded.
* @retval DECAF_FAILURE The inverse failed.
*/
decaf_error_t
decaf_448_invert_elligator_nonuniform (
unsigned char recovered_hash[DECAF_448_HASH_BYTES],
const decaf_448_point_t pt,
uint32_t which
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE DECAF_WARN_UNUSED;

/**
* @brief Inverse of elligator-like hash to curve.
*
* This function writes to the buffer, to make it so that
* decaf_448_point_from_hash_uniform(buffer) = pt if
* possible. Since there may be multiple preimages, the
* "which" parameter chooses between them. To ensure uniform
* inverse sampling, this function succeeds or fails
* independently for different "which" values.
*
* @param [out] recovered_hash Encoded data.
* @param [in] pt The point to encode.
* @param [in] which A value determining which inverse point
* to return.
*
* @retval DECAF_SUCCESS The inverse succeeded.
* @retval DECAF_FAILURE The inverse failed.
*/
decaf_error_t
decaf_448_invert_elligator_uniform (
unsigned char recovered_hash[2*DECAF_448_HASH_BYTES],
const decaf_448_point_t pt,
uint32_t which
) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE DECAF_WARN_UNUSED;

/** Securely erase a scalar. */
void decaf_448_scalar_destroy (
decaf_448_scalar_t scalar
) DECAF_NONNULL DECAF_API_VIS;

/** Securely erase a point by overwriting it with zeros.
* @warning This causes the point object to become invalid.
*/
void decaf_448_point_destroy (
decaf_448_point_t point
) DECAF_NONNULL DECAF_API_VIS;

/** Securely erase a precomputed table by overwriting it with zeros.
* @warning This causes the table object to become invalid.
*/
void decaf_448_precomputed_destroy (
decaf_448_precomputed_s *pre
) DECAF_NONNULL DECAF_API_VIS;

#ifdef __cplusplus
} /* extern "C" */
#endif

#endif /* __DECAF_POINT_448_H__ */

+ 0
- 791
src/GENERATED/include/decaf/point_448.hxx View File

@@ -1,791 +0,0 @@
/**
* @file decaf/point_448.hxx
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
* A group of prime order, C++ wrapper.
*
* The Decaf library implements cryptographic operations on a an elliptic curve
* group of prime order. It accomplishes this by using a twisted Edwards
* curve (isogenous to Ed448-Goldilocks) and wiping out the cofactor.
*
* Most of the functions in this file run in constant time, can't fail
* except for ubiquitous reasons like memory exhaustion, and contain no
* data-dependend branches, timing or memory accesses. There are some
* exceptions, which should be noted. Typically, decoding functions can
* fail.
*
* @warning This file was automatically generated in Python.
* Please do not edit it.
*/

#ifndef __DECAF_POINT_448_HXX__
#define __DECAF_POINT_448_HXX__ 1

/** This code uses posix_memalign. */
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 600
#endif
#include <stdlib.h>
#include <string.h> /* for memcpy */

#include <decaf/point_448.h>
#include <decaf/ed448.h>
#include <decaf/secure_buffer.hxx>
#include <string>
#include <sys/types.h>
#include <limits.h>

/** @cond internal */
#if __cplusplus >= 201103L
#define DECAF_NOEXCEPT noexcept
#else
#define DECAF_NOEXCEPT throw()
#endif
/** @endcond */

namespace decaf {

/**
* Ed448-Goldilocks/Decaf instantiation of group.
*/
struct Ed448Goldilocks {

/** The name of the curve */
static inline const char *name() { return "Ed448-Goldilocks"; }

/** The name of the curve */
static inline int bits() { return 448; }

/** The curve's cofactor (removed, but useful for testing) */
static const int REMOVED_COFACTOR = 4;

/** Residue class of field modulus: p == this mod 2*(this-1) */
static const int FIELD_MODULUS_TYPE = 3;

/** @cond internal */
class Point;
class Precomputed;
/** @endcond */

/**
* A scalar modulo the curve order.
* Supports the usual arithmetic operations, all in constant time.
*/
class Scalar : public Serializable<Scalar> {
public:
/** wrapped C type */
typedef decaf_448_scalar_t Wrapped;
/** Size of a serialized element */
static const size_t SER_BYTES = DECAF_448_SCALAR_BYTES;

/** access to the underlying scalar object */
Wrapped s;

/** @cond internal */
/** Don't initialize. */
inline Scalar(const NOINIT &) DECAF_NOEXCEPT {}
/** @endcond */

/** Set to an unsigned word */
inline Scalar(uint64_t w) DECAF_NOEXCEPT { *this = w; }

/** Set to a signed word */
inline Scalar(int64_t w) DECAF_NOEXCEPT { *this = w; }

/** Set to an unsigned word */
inline Scalar(unsigned int w) DECAF_NOEXCEPT { *this = w; }

/** Set to a signed word */
inline Scalar(int w) DECAF_NOEXCEPT { *this = w; }

/** Construct from RNG */
inline explicit Scalar(Rng &rng) DECAF_NOEXCEPT {
FixedArrayBuffer<SER_BYTES + 16> sb(rng);
*this = sb;
}

/** Construct from decaf_scalar_t object. */
inline Scalar(const Wrapped &t = decaf_448_scalar_zero) DECAF_NOEXCEPT { decaf_448_scalar_copy(s,t); }

/** Copy constructor. */
inline Scalar(const Scalar &x) DECAF_NOEXCEPT { *this = x; }

/** Construct from arbitrary-length little-endian byte sequence. */
inline Scalar(const Block &buffer) DECAF_NOEXCEPT { *this = buffer; }

/** Serializable instance */
inline size_t ser_size() const DECAF_NOEXCEPT { return SER_BYTES; }

/** Serializable instance */
inline void serialize_into(unsigned char *buffer) const DECAF_NOEXCEPT {
decaf_448_scalar_encode(buffer, s);
}

/** Assignment. */
inline Scalar& operator=(const Scalar &x) DECAF_NOEXCEPT { decaf_448_scalar_copy(s,x.s); return *this; }

/** Assign from unsigned 64-bit integer. */
inline Scalar& operator=(uint64_t w) DECAF_NOEXCEPT { decaf_448_scalar_set_unsigned(s,w); return *this; }


/** Assign from signed int. */
inline Scalar& operator=(int64_t w) DECAF_NOEXCEPT {
Scalar t(-(uint64_t)INT_MIN);
decaf_448_scalar_set_unsigned(s,(uint64_t)w - (uint64_t)INT_MIN);
*this -= t;
return *this;
}

/** Assign from unsigned int. */
inline Scalar& operator=(unsigned int w) DECAF_NOEXCEPT { return *this = (uint64_t)w; }

/** Assign from signed int. */
inline Scalar& operator=(int w) DECAF_NOEXCEPT { return *this = (int64_t)w; }

/** Destructor securely zeorizes the scalar. */
inline ~Scalar() DECAF_NOEXCEPT { decaf_448_scalar_destroy(s); }

/** Assign from arbitrary-length little-endian byte sequence in a Block. */
inline Scalar &operator=(const Block &bl) DECAF_NOEXCEPT {
decaf_448_scalar_decode_long(s,bl.data(),bl.size()); return *this;
}

/**
* Decode from correct-length little-endian byte sequence.
* @return DECAF_FAILURE if the scalar is greater than or equal to the group order q.
*/
static inline decaf_error_t DECAF_WARN_UNUSED decode (
Scalar &sc, const FixedBlock<SER_BYTES> buffer
) DECAF_NOEXCEPT {
return decaf_448_scalar_decode(sc.s,buffer.data());
}

/** Add. */
inline Scalar operator+ (const Scalar &q) const DECAF_NOEXCEPT { Scalar r((NOINIT())); decaf_448_scalar_add(r.s,s,q.s); return r; }

/** Add to this. */
inline Scalar &operator+=(const Scalar &q) DECAF_NOEXCEPT { decaf_448_scalar_add(s,s,q.s); return *this; }

/** Subtract. */
inline Scalar operator- (const Scalar &q) const DECAF_NOEXCEPT { Scalar r((NOINIT())); decaf_448_scalar_sub(r.s,s,q.s); return r; }

/** Subtract from this. */
inline Scalar &operator-=(const Scalar &q) DECAF_NOEXCEPT { decaf_448_scalar_sub(s,s,q.s); return *this; }

/** Multiply */
inline Scalar operator* (const Scalar &q) const DECAF_NOEXCEPT { Scalar r((NOINIT())); decaf_448_scalar_mul(r.s,s,q.s); return r; }

/** Multiply into this. */
inline Scalar &operator*=(const Scalar &q) DECAF_NOEXCEPT { decaf_448_scalar_mul(s,s,q.s); return *this; }

/** Negate */
inline Scalar operator- () const DECAF_NOEXCEPT { Scalar r((NOINIT())); decaf_448_scalar_sub(r.s,decaf_448_scalar_zero,s); return r; }

/** Return 1/this.
* @throw CryptoException if this is 0.
*/
inline Scalar inverse() const /*throw(CryptoException)*/ {
Scalar r;
if (DECAF_SUCCESS != decaf_448_scalar_invert(r.s,s)) {
throw CryptoException();
}
return r;
}

/** Invert with Fermat's Little Theorem (slow!). If *this == 0, set r=0
* and return DECAF_FAILURE. */
inline decaf_error_t DECAF_WARN_UNUSED
inverse_noexcept(Scalar &r) const DECAF_NOEXCEPT {
return decaf_448_scalar_invert(r.s,s);
}

/** Return this/q. @throw CryptoException if q == 0. */
inline Scalar operator/ (const Scalar &q) const /*throw(CryptoException)*/ { return *this * q.inverse(); }

/** Set this to this/q. @throw CryptoException if q == 0. */
inline Scalar &operator/=(const Scalar &q) /*throw(CryptoException)*/ { return *this *= q.inverse(); }

/** Return half this scalar. Much faster than /2. */
inline Scalar half() const { Scalar out; decaf_448_scalar_halve(out.s,s); return out; }

/** Compare in constant time */
inline bool operator!=(const Scalar &q) const DECAF_NOEXCEPT { return !(*this == q); }

/** Compare in constant time */
inline bool operator==(const Scalar &q) const DECAF_NOEXCEPT { return !!decaf_448_scalar_eq(s,q.s); }

/** Scalarmul with scalar on left. */
inline Point operator* (const Point &q) const DECAF_NOEXCEPT { return q * (*this); }

/** Scalarmul-precomputed with scalar on left. */
inline Point operator* (const Precomputed &q) const DECAF_NOEXCEPT { return q * (*this); }

/** Direct scalar multiplication.
* @throw CryptoException if the input didn't decode.
*/
inline SecureBuffer direct_scalarmul (
const FixedBlock<SER_BYTES> &in,
decaf_bool_t allow_identity=DECAF_FALSE,
decaf_bool_t short_circuit=DECAF_TRUE
) const /*throw(CryptoException)*/;
/** Direct scalar multiplication. */
inline decaf_error_t DECAF_WARN_UNUSED direct_scalarmul_noexcept(
FixedBuffer<SER_BYTES> &out,
const FixedBlock<SER_BYTES> &in,
decaf_bool_t allow_identity=DECAF_FALSE,
decaf_bool_t short_circuit=DECAF_TRUE
) const DECAF_NOEXCEPT;
};

/** Element of prime-order elliptic curve group. */
class Point : public Serializable<Point> {
public:
/** Wrapped C type */
typedef decaf_448_point_t Wrapped;
/** Size of a serialized element */
static const size_t SER_BYTES = DECAF_448_SER_BYTES;

/** Bytes required for hash */
static const size_t HASH_BYTES = DECAF_448_HASH_BYTES;

/** Bytes required for EdDSA encoding */
static const size_t EDDSA_BYTES = DECAF_EDDSA_448_PUBLIC_BYTES;

/** Bytes required for EdDSA encoding */
static const size_t LADDER_BYTES = DECAF_X448_PUBLIC_BYTES;
/** Ratio due to EdDSA encoding */
static const int EDDSA_ENCODE_RATIO = DECAF_448_EDDSA_ENCODE_RATIO;
/** Ratio due to EdDSA decoding */
static const int EDDSA_DECODE_RATIO = DECAF_448_EDDSA_DECODE_RATIO;
/** Ratio due to ladder decoding */
static const int LADDER_ENCODE_RATIO = DECAF_X448_ENCODE_RATIO;

/** Size of a steganographically-encoded curve element. If the point is random, the encoding
* should look statistically close to a uniformly-random sequnece of STEG_BYTES bytes.
*/
static const size_t STEG_BYTES = HASH_BYTES * 2;
/** Number of bits in invert_elligator which are actually used. */
static const unsigned int INVERT_ELLIGATOR_WHICH_BITS = DECAF_448_INVERT_ELLIGATOR_WHICH_BITS;

/** The c-level object. */
Wrapped p;

/** @cond internal */
/** Don't initialize. */
inline Point(const NOINIT &) DECAF_NOEXCEPT {}
/** @endcond */

/** Constructor sets to identity by default. */
inline Point(const Wrapped &q = decaf_448_point_identity) DECAF_NOEXCEPT { decaf_448_point_copy(p,q); }

/** Copy constructor. */
inline Point(const Point &q) DECAF_NOEXCEPT { *this = q; }

/** Assignment. */
inline Point& operator=(const Point &q) DECAF_NOEXCEPT { decaf_448_point_copy(p,q.p); return *this; }

/** Destructor securely zeorizes the point. */
inline ~Point() DECAF_NOEXCEPT { decaf_448_point_destroy(p); }

/** Construct from RNG */
inline explicit Point(Rng &rng, bool uniform = true) DECAF_NOEXCEPT {
if (uniform) {
FixedArrayBuffer<2*HASH_BYTES> b(rng);
set_to_hash(b);
} else {
FixedArrayBuffer<HASH_BYTES> b(rng);
set_to_hash(b);
}
}

/**
* Initialize from a fixed-length byte string.
* The all-zero string maps to the identity.
*
* @throw CryptoException the string was the wrong length, or wasn't the encoding of a point,
* or was the identity and allow_identity was DECAF_FALSE.
*/
inline explicit Point(const FixedBlock<SER_BYTES> &buffer, bool allow_identity=true)
/*throw(CryptoException)*/ {
if (DECAF_SUCCESS != decode(buffer,allow_identity ? DECAF_TRUE : DECAF_FALSE)) {
throw CryptoException();
}
}

/**
* Initialize from C++ fixed-length byte string.
* The all-zero string maps to the identity.
*
* @retval DECAF_SUCCESS the string was successfully decoded.
* @return DECAF_FAILURE the string was the wrong length, or wasn't the encoding of a point,
* or was the identity and allow_identity was DECAF_FALSE. Contents of the buffer are undefined.
*/
inline decaf_error_t DECAF_WARN_UNUSED decode (
const FixedBlock<SER_BYTES> &buffer, bool allow_identity=true
) DECAF_NOEXCEPT {
return decaf_448_point_decode(p,buffer.data(),allow_identity ? DECAF_TRUE : DECAF_FALSE);
}

/**
* Initialize from C++ fixed-length byte string, like EdDSA.
* The all-zero string maps to the identity.
*
* @retval DECAF_SUCCESS the string was successfully decoded.
* @return DECAF_FAILURE the string was the wrong length, or wasn't the encoding of a point.
* Contents of the point are undefined.
*/
inline decaf_error_t DECAF_WARN_UNUSED decode_like_eddsa_and_mul_by_ratio_noexcept (
const FixedBlock<DECAF_EDDSA_448_PUBLIC_BYTES> &buffer
) DECAF_NOEXCEPT {
return decaf_448_point_decode_like_eddsa_and_mul_by_ratio(p,buffer.data());
}
/**
* Decode from EDDSA, multiply by EDDSA_DECODE_RATIO, and ignore any
* remaining cofactor information.
* @throw CryptoException if the input point was invalid.
*/
inline void decode_like_eddsa_and_mul_by_ratio(
const FixedBlock<DECAF_EDDSA_448_PUBLIC_BYTES> &buffer
) /*throw(CryptoException)*/ {
if (DECAF_SUCCESS != decode_like_eddsa_and_mul_by_ratio_noexcept(buffer)) throw(CryptoException());
}

/** Multiply by EDDSA_ENCODE_RATIO and encode like EdDSA. */
inline SecureBuffer mul_by_ratio_and_encode_like_eddsa() const {
SecureBuffer ret(DECAF_EDDSA_448_PUBLIC_BYTES);
decaf_448_point_mul_by_ratio_and_encode_like_eddsa(ret.data(),p);
return ret;
}

/** Multiply by EDDSA_ENCODE_RATIO and encode like EdDSA. */
inline void mul_by_ratio_and_encode_like_eddsa(
FixedBuffer<DECAF_EDDSA_448_PUBLIC_BYTES> &out
) const {
decaf_448_point_mul_by_ratio_and_encode_like_eddsa(out.data(),p);
}

/** Multiply by LADDER_ENCODE_RATIO and encode like X25519/X448. */
inline SecureBuffer mul_by_ratio_and_encode_like_ladder() const {
SecureBuffer ret(LADDER_BYTES);
decaf_448_point_mul_by_ratio_and_encode_like_x448(ret.data(),p);
return ret;
}

/** Multiply by LADDER_ENCODE_RATIO and encode like X25519/X448. */
inline void mul_by_ratio_and_encode_like_ladder(FixedBuffer<LADDER_BYTES> &out) const {
decaf_448_point_mul_by_ratio_and_encode_like_x448(out.data(),p);
}

/**
* Map uniformly to the curve from a hash buffer.
* The empty or all-zero string maps to the identity, as does the string "\\x01".
* If the buffer is shorter than 2*HASH_BYTES, well, it won't be as uniform,
* but the buffer will be zero-padded on the right.
*/
static inline Point from_hash ( const Block &s ) DECAF_NOEXCEPT {
Point p((NOINIT())); p.set_to_hash(s); return p;
}

/**
* Map to the curve from a hash buffer.
* The empty or all-zero string maps to the identity, as does the string "\\x01".
* If the buffer is shorter than 2*HASH_BYTES, well, it won't be as uniform,
* but the buffer will be zero-padded on the right.
*/
inline void set_to_hash( const Block &s ) DECAF_NOEXCEPT {
if (s.size() < HASH_BYTES) {
SecureBuffer b(HASH_BYTES);
memcpy(b.data(), s.data(), s.size());
decaf_448_point_from_hash_nonuniform(p,b.data());
} else if (s.size() == HASH_BYTES) {
decaf_448_point_from_hash_nonuniform(p,s.data());
} else if (s.size() < 2*HASH_BYTES) {
SecureBuffer b(2*HASH_BYTES);
memcpy(b.data(), s.data(), s.size());
decaf_448_point_from_hash_uniform(p,b.data());
} else {
decaf_448_point_from_hash_uniform(p,s.data());
}
}

/** Encode to string. The identity encodes to the all-zero string. */
inline operator SecureBuffer() const {
SecureBuffer buffer(SER_BYTES);
decaf_448_point_encode(buffer.data(), p);
return buffer;
}

/** Serializable instance */
inline size_t ser_size() const DECAF_NOEXCEPT { return SER_BYTES; }

/** Serializable instance */
inline void serialize_into(unsigned char *buffer) const DECAF_NOEXCEPT {
decaf_448_point_encode(buffer, p);
}

/** Point add. */
inline Point operator+ (const Point &q) const DECAF_NOEXCEPT { Point r((NOINIT())); decaf_448_point_add(r.p,p,q.p); return r; }

/** Point add. */
inline Point &operator+=(const Point &q) DECAF_NOEXCEPT { decaf_448_point_add(p,p,q.p); return *this; }

/** Point subtract. */
inline Point operator- (const Point &q) const DECAF_NOEXCEPT { Point r((NOINIT())); decaf_448_point_sub(r.p,p,q.p); return r; }

/** Point subtract. */
inline Point &operator-=(const Point &q) DECAF_NOEXCEPT { decaf_448_point_sub(p,p,q.p); return *this; }

/** Point negate. */
inline Point operator- () const DECAF_NOEXCEPT { Point r((NOINIT())); decaf_448_point_negate(r.p,p); return r; }

/** Double the point out of place. */
inline Point times_two () const DECAF_NOEXCEPT { Point r((NOINIT())); decaf_448_point_double(r.p,p); return r; }

/** Double the point in place. */
inline Point &double_in_place() DECAF_NOEXCEPT { decaf_448_point_double(p,p); return *this; }

/** Constant-time compare. */
inline bool operator!=(const Point &q) const DECAF_NOEXCEPT { return ! decaf_448_point_eq(p,q.p); }

/** Constant-time compare. */
inline bool operator==(const Point &q) const DECAF_NOEXCEPT { return !!decaf_448_point_eq(p,q.p); }

/** Scalar multiply. */
inline Point operator* (const Scalar &s) const DECAF_NOEXCEPT { Point r((NOINIT())); decaf_448_point_scalarmul(r.p,p,s.s); return r; }

/** Scalar multiply in place. */
inline Point &operator*=(const Scalar &s) DECAF_NOEXCEPT { decaf_448_point_scalarmul(p,p,s.s); return *this; }

/** Multiply by s.inverse(). If s=0, maps to the identity. */
inline Point operator/ (const Scalar &s) const /*throw(CryptoException)*/ { return (*this) * s.inverse(); }

/** Multiply by s.inverse(). If s=0, maps to the identity. */
inline Point &operator/=(const Scalar &s) /*throw(CryptoException)*/ { return (*this) *= s.inverse(); }

/** Validate / sanity check */
inline bool validate() const DECAF_NOEXCEPT { return decaf_448_point_valid(p); }

/** Double-scalar multiply, equivalent to q*qs + r*rs but faster. */
static inline Point double_scalarmul (
const Point &q, const Scalar &qs, const Point &r, const Scalar &rs
) DECAF_NOEXCEPT {
Point p((NOINIT())); decaf_448_point_double_scalarmul(p.p,q.p,qs.s,r.p,rs.s); return p;
}

/** Dual-scalar multiply, equivalent to this*r1, this*r2 but faster. */
inline void dual_scalarmul (
Point &q1, Point &q2, const Scalar &r1, const Scalar &r2
) const DECAF_NOEXCEPT {
decaf_448_point_dual_scalarmul(q1.p,q2.p,p,r1.s,r2.s);
}

/**
* Double-scalar multiply, equivalent to q*qs + r*rs but faster.
* For those who like their scalars before the point.
*/
static inline Point double_scalarmul (
const Scalar &qs, const Point &q, const Scalar &rs, const Point &r
) DECAF_NOEXCEPT {
return double_scalarmul(q,qs,r,rs);
}

/**
* Double-scalar multiply: this point by the first scalar and base by the second scalar.
* @warning This function takes variable time, and may leak the scalars (or points, but currently
* it doesn't).
*/
inline Point non_secret_combo_with_base(const Scalar &s, const Scalar &s_base) DECAF_NOEXCEPT {
Point r((NOINIT())); decaf_448_base_double_scalarmul_non_secret(r.p,s_base.s,p,s.s); return r;
}

/** Return a point equal to *this, whose internal data is rotated by a torsion element. */
inline Point debugging_torque() const DECAF_NOEXCEPT {
Point q;
decaf_448_point_debugging_torque(q.p,p);
return q;
}

/** Return a point equal to *this, whose internal data has a modified representation. */
inline Point debugging_pscale(const FixedBlock<SER_BYTES> factor) const DECAF_NOEXCEPT {
Point q;
decaf_448_point_debugging_pscale(q.p,p,factor.data());
return q;
}

/** Return a point equal to *this, whose internal data has a randomized representation. */
inline Point debugging_pscale(Rng &r) const DECAF_NOEXCEPT {
FixedArrayBuffer<SER_BYTES> sb(r);
return debugging_pscale(sb);
}

/**
* Modify buffer so that Point::from_hash(Buffer) == *this, and return DECAF_SUCCESS;
* or leave buf unmodified and return DECAF_FAILURE.
*/
inline decaf_error_t invert_elligator (
Buffer buf, uint32_t hint
) const DECAF_NOEXCEPT {
unsigned char buf2[2*HASH_BYTES];
memset(buf2,0,sizeof(buf2));
memcpy(buf2,buf.data(),(buf.size() > 2*HASH_BYTES) ? 2*HASH_BYTES : buf.size());
decaf_bool_t ret;
if (buf.size() > HASH_BYTES) {
ret = decaf_successful(decaf_448_invert_elligator_uniform(buf2, p, hint));
} else {
ret = decaf_successful(decaf_448_invert_elligator_nonuniform(buf2, p, hint));
}
if (buf.size() < HASH_BYTES) {
ret &= decaf_memeq(&buf2[buf.size()], &buf2[HASH_BYTES], HASH_BYTES - buf.size());
}
for (size_t i=0; i<buf.size() && i<HASH_BYTES; i++) {
buf[i] = (buf[i] & ~ret) | (buf2[i] &ret);
}
decaf_bzero(buf2,sizeof(buf2));
return decaf_succeed_if(ret);
}

/** Steganographically encode this */
inline SecureBuffer steg_encode(Rng &rng, size_t size=STEG_BYTES) const /*throw(std::bad_alloc, LengthException)*/ {
if (size <= HASH_BYTES + 4 || size > 2*HASH_BYTES) throw LengthException();
SecureBuffer out(STEG_BYTES);
decaf_error_t done;
do {
rng.read(Buffer(out).slice(HASH_BYTES-4,STEG_BYTES-HASH_BYTES+1));
uint32_t hint = 0;
for (int i=0; i<4; i++) { hint |= uint32_t(out[HASH_BYTES-4+i])<<(8*i); }
done = invert_elligator(out, hint);
} while (!decaf_successful(done));
return out;
}

/** Return the base point of the curve. */
static inline const Point base() DECAF_NOEXCEPT { return Point(decaf_448_point_base); }

/** Return the identity point of the curve. */
static inline const Point identity() DECAF_NOEXCEPT { return Point(decaf_448_point_identity); }
};

/**
* Precomputed table of points.
* Minor difficulties arise here because the decaf API doesn't expose, as a constant, how big such an object is.
* Therefore we have to call malloc() or friends, but that's probably for the best, because you don't want to
* stack-allocate a 15kiB object anyway.
*/

/** @cond internal */
typedef decaf_448_precomputed_s Precomputed_U;
/** @endcond */
class Precomputed
/** @cond internal */
: protected OwnedOrUnowned<Precomputed,Precomputed_U>
/** @endcond */
{
public:

/** Destructor securely zeorizes the memory. */
inline ~Precomputed() DECAF_NOEXCEPT { clear(); }

/**
* Initialize from underlying type, declared as a reference to prevent
* it from being called with 0, thereby breaking override.
*
* The underlying object must remain valid throughout the lifetime of this one.
*
* By default, initializes to the table for the base point.
*
* @warning The empty initializer makes this equal to base, unlike the empty
* initializer for points which makes this equal to the identity.
*/
inline Precomputed (
const Precomputed_U &yours = *decaf_448_precomputed_base
) DECAF_NOEXCEPT : OwnedOrUnowned<Precomputed,Precomputed_U>(yours) {}


#if __cplusplus >= 201103L
/** Move-assign operator */
inline Precomputed &operator=(Precomputed &&it) DECAF_NOEXCEPT {
OwnedOrUnowned<Precomputed,Precomputed_U>::operator= (it);
return *this;
}

/** Move constructor */
inline Precomputed(Precomputed &&it) DECAF_NOEXCEPT : OwnedOrUnowned<Precomputed,Precomputed_U>() {
*this = it;
}

/** Undelete copy operator */
inline Precomputed &operator=(const Precomputed &it) DECAF_NOEXCEPT {
OwnedOrUnowned<Precomputed,Precomputed_U>::operator= (it);
return *this;
}
#endif

/**
* Initilaize from point. Must allocate memory, and may throw.
*/
inline Precomputed &operator=(const Point &it) /*throw(std::bad_alloc)*/ {
alloc();
decaf_448_precompute(ours.mine,it.p);
return *this;
}

/**
* Copy constructor.
*/
inline Precomputed(const Precomputed &it) /*throw(std::bad_alloc)*/
: OwnedOrUnowned<Precomputed,Precomputed_U>() { *this = it; }

/**
* Constructor which initializes from point.
*/
inline explicit Precomputed(const Point &it) /*throw(std::bad_alloc)*/
: OwnedOrUnowned<Precomputed,Precomputed_U>() { *this = it; }

/** Fixed base scalarmul. */
inline Point operator* (const Scalar &s) const DECAF_NOEXCEPT { Point r; decaf_448_precomputed_scalarmul(r.p,get(),s.s); return r; }

/** Multiply by s.inverse(). If s=0, maps to the identity. */
inline Point operator/ (const Scalar &s) const /*throw(CryptoException)*/ { return (*this) * s.inverse(); }

/** Return the table for the base point. */
static inline const Precomputed base() DECAF_NOEXCEPT { return Precomputed(); }

public:
/** @cond internal */
friend class OwnedOrUnowned<Precomputed,Precomputed_U>;
static inline size_t size() DECAF_NOEXCEPT { return decaf_448_sizeof_precomputed_s; }
static inline size_t alignment() DECAF_NOEXCEPT { return decaf_448_alignof_precomputed_s; }
static inline const Precomputed_U * default_value() DECAF_NOEXCEPT { return decaf_448_precomputed_base; }
/** @endcond */
};

/** X-only Diffie-Hellman ladder functions */
struct DhLadder {
public:
/** Bytes in an X448 public key. */
static const size_t PUBLIC_BYTES = DECAF_X448_PUBLIC_BYTES;

/** Bytes in an X448 private key. */
static const size_t PRIVATE_BYTES = DECAF_X448_PRIVATE_BYTES;

/** Base point for a scalar multiplication. */
static const FixedBlock<PUBLIC_BYTES> base_point() DECAF_NOEXCEPT {
return FixedBlock<PUBLIC_BYTES>(decaf_x448_base_point);
}

/** Calculate and return a shared secret with public key. */
static inline SecureBuffer shared_secret(
const FixedBlock<PUBLIC_BYTES> &pk,
const FixedBlock<PRIVATE_BYTES> &scalar
) /*throw(std::bad_alloc,CryptoException)*/ {
SecureBuffer out(PUBLIC_BYTES);
if (DECAF_SUCCESS != decaf_x448(out.data(), pk.data(), scalar.data())) {
throw CryptoException();
}
return out;
}

/** Calculate and write into out a shared secret with public key, noexcept version. */
static inline decaf_error_t DECAF_WARN_UNUSED
shared_secret_noexcept (
FixedBuffer<PUBLIC_BYTES> &out,
const FixedBlock<PUBLIC_BYTES> &pk,
const FixedBlock<PRIVATE_BYTES> &scalar
) DECAF_NOEXCEPT {
return decaf_x448(out.data(), pk.data(), scalar.data());
}

/** Calculate and return a public key; equivalent to shared_secret(base_point(),scalar)
* but possibly faster.
* @deprecated Renamed to derive_public_key.
*/
static inline SecureBuffer DECAF_DEPRECATED("Renamed to derive_public_key")
generate_key(
const FixedBlock<PRIVATE_BYTES> &scalar
) /*throw(std::bad_alloc)*/ {
SecureBuffer out(PUBLIC_BYTES);
decaf_x448_derive_public_key(out.data(), scalar.data());
return out;
}

/** Calculate and return a public key; equivalent to shared_secret(base_point(),scalar)
* but possibly faster.
*/
static inline SecureBuffer derive_public_key(
const FixedBlock<PRIVATE_BYTES> &scalar
) /*throw(std::bad_alloc)*/ {
SecureBuffer out(PUBLIC_BYTES);
decaf_x448_derive_public_key(out.data(), scalar.data());
return out;
}

/** Calculate and return a public key into a fixed buffer;
* equivalent to shared_secret(base_point(),scalar) but possibly faster.
*/
static inline void
derive_public_key_noexcept (
FixedBuffer<PUBLIC_BYTES> &out,
const FixedBlock<PRIVATE_BYTES> &scalar
) DECAF_NOEXCEPT {
decaf_x448_derive_public_key(out.data(), scalar.data());
}

/** Calculate and return a public key into a fixed buffer;
* equivalent to shared_secret(base_point(),scalar) but possibly faster.
* @deprecated Renamed to derive_public_key_noexcept.
*/
static inline void
DECAF_DEPRECATED("Renamed to derive_public_key_noexcept")
generate_key_noexcept (
FixedBuffer<PUBLIC_BYTES> &out,
const FixedBlock<PRIVATE_BYTES> &scalar
) DECAF_NOEXCEPT {
decaf_x448_derive_public_key(out.data(), scalar.data());
}
};

}; /* struct Ed448Goldilocks */

/** @cond internal */
inline SecureBuffer Ed448Goldilocks::Scalar::direct_scalarmul (
const FixedBlock<Ed448Goldilocks::Point::SER_BYTES> &in,
decaf_bool_t allow_identity,
decaf_bool_t short_circuit
) const /*throw(CryptoException)*/ {
SecureBuffer out(Ed448Goldilocks::Point::SER_BYTES);
if (DECAF_SUCCESS !=
decaf_448_direct_scalarmul(out.data(), in.data(), s, allow_identity, short_circuit)
) {
throw CryptoException();
}
return out;
}

inline decaf_error_t Ed448Goldilocks::Scalar::direct_scalarmul_noexcept (
FixedBuffer<Ed448Goldilocks::Point::SER_BYTES> &out,
const FixedBlock<Ed448Goldilocks::Point::SER_BYTES> &in,
decaf_bool_t allow_identity,
decaf_bool_t short_circuit
) const DECAF_NOEXCEPT {
return decaf_448_direct_scalarmul(out.data(), in.data(), s, allow_identity, short_circuit);
}
/** @endcond */



#undef DECAF_NOEXCEPT
} /* namespace decaf */

#endif /* __DECAF_POINT_448_HXX__ */

+ 0
- 492
src/GENERATED/include/decaf/secure_buffer.hxx View File

@@ -1,492 +0,0 @@
/**
* @file decaf/secure_buffer.hxx
* @author Mike Hamburg
*
* @copyright
* Copyright (c) 2015 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
*
* @brief C++ self-zeroizing buffer.
*/
#ifndef __DECAF_SECURE_BUFFER_HXX__
#define __DECAF_SECURE_BUFFER_HXX__ 1

#include <string>
#include <sys/types.h>
#include <stdio.h>
#include <vector>
#include <stdexcept>
#include <cstddef>
#include <limits>

/** @cond internal */
#if __cplusplus >= 201103L
#define DECAF_NOEXCEPT noexcept
#define DECAF_DELETE = delete
#else
#define DECAF_NOEXCEPT throw()
#define DECAF_DELETE
#endif
/** @endcond */

namespace decaf {

/**
* Securely zeroize contents of memory.
*/
static inline void really_bzero(void *data, size_t size) { decaf_bzero(data,size); }

/** @brief An allocator which zeros its memory on free */
template<typename T, size_t alignment = 0> class SanitizingAllocator {
/** @cond internal */
/* Based on http://www.codeproject.com/Articles/4795/C-Standard-Allocator-An-Introduction-and-Implement */
public:
typedef T value_type;
typedef T* pointer;
typedef const T* const_pointer;
typedef T& reference;
typedef const T& const_reference;
typedef size_t size_type;
typedef std::ptrdiff_t difference_type;
template<typename U> struct rebind { typedef SanitizingAllocator<U> other; };
inline SanitizingAllocator() DECAF_NOEXCEPT {}
inline ~SanitizingAllocator() DECAF_NOEXCEPT {}
inline SanitizingAllocator(const SanitizingAllocator &) DECAF_NOEXCEPT {}
template<typename U, size_t a> inline SanitizingAllocator(const SanitizingAllocator<U, a> &) DECAF_NOEXCEPT {}
inline T* address(T& r) const DECAF_NOEXCEPT { return &r; }
inline const T* address(const T& r) const DECAF_NOEXCEPT { return &r; }
inline T* allocate (
size_type cnt,
typename std::allocator<void>::const_pointer = 0
) /*throw(std::bad_alloc)*/;
inline void deallocate(T* p, size_t size) DECAF_NOEXCEPT;
inline size_t max_size() const DECAF_NOEXCEPT { return std::numeric_limits<size_t>::max() / sizeof(T); }
inline void construct(T* p, const T& t) { new(p) T(t); }
inline void destroy(T* p) { p->~T(); }
inline bool operator==(SanitizingAllocator const&) const DECAF_NOEXCEPT { return true; }
inline bool operator!=(SanitizingAllocator const&) const DECAF_NOEXCEPT { return false; }
/** @endcond */
};

/** A variant of std::vector which securely zerozes its state when destructed. */
typedef std::vector<unsigned char, SanitizingAllocator<unsigned char, 0> > SecureBuffer;

/** Constant-time compare two buffers */
template<class T,class U, class V, class W>
inline bool memeq(const std::vector<T,U> &a, const std::vector<V,W> &b) {
if (a.size() != b.size()) return false;
return decaf_memeq(a.data(),b.data(),a.size());
}

/** Base class of objects which support serialization */
template<class Base> class Serializable {
public:
/** @brief Return the number of bytes needed to serialize this object */
inline size_t ser_size() const DECAF_NOEXCEPT { return static_cast<const Base*>(this)->ser_size(); }
/** @brief Serialize this object into a buffer */
inline void serialize_into(unsigned char *buf) const DECAF_NOEXCEPT {
static_cast<const Base*>(this)->serialize_into(buf);
}
/** @brief Serialize this object into a SecureBuffer and return it */
inline SecureBuffer serialize() const /*throw(std::bad_alloc)*/ {
SecureBuffer out(ser_size());
serialize_into(out.data());
return out;
}
/** Cast operator */
#if __cplusplus >= 201103L
explicit inline operator SecureBuffer() const /*throw(std::bad_alloc)*/ {
return serialize();
}
#endif
};

/**@cond internal*/
class Buffer;
/**@endcond*/
/** @brief An exception for when crypto (ie point decode) has failed. */
class CryptoException : public std::exception {
public:
/** @return "CryptoException" */
virtual const char * what() const DECAF_NOEXCEPT { return "CryptoException"; }
};

/** @brief An exception for when crypto (ie point decode) has failed. */
class LengthException : public std::exception {
public:
/** @return "CryptoException" */
virtual const char * what() const DECAF_NOEXCEPT { return "LengthException"; }
};

/** @brief Passed to constructors to avoid (conservative) initialization */
struct NOINIT {};

/** @brief Prototype of a random number generator.
* FUTURE: Are the noexcept methods really noexcept? What about self-reseeding RNGs?
*/
class Rng {
protected:
/** Empty initializer */
Rng() {}
/** Not copyable */
Rng(const Rng &) DECAF_DELETE;
/** Not copyable */
Rng &operator=(const Rng &) DECAF_DELETE;
public:
/** @brief Read into a Buffer */
virtual void read(Buffer buffer) DECAF_NOEXCEPT = 0;

/** @brief Read into a SecureBuffer. */
inline SecureBuffer read(size_t length) /*throw(std::bad_alloc)*/;
};


/** A reference to a block of data, which (when accessed through this base class) is const. */
class Block {
protected:
/** @cond internal */
unsigned char *data_;
size_t size_;
const bool zero_on_destroy_;
/** @endcond */

public:
/** Null initialization */
inline Block() : data_(NULL), size_(0), zero_on_destroy_(false) {}
/** Init from C string */
inline Block(const char *data) DECAF_NOEXCEPT : data_((unsigned char *)data),
size_(strlen(data)), zero_on_destroy_(false) {}

/** Unowned init */
inline Block(const unsigned char *data, size_t size, bool zero_on_destroy=false) DECAF_NOEXCEPT : data_((unsigned char *)data),
size_(size), zero_on_destroy_(zero_on_destroy) {}
/** Block from std::string */
inline Block(const std::string &s) : data_(
#if __cplusplus >= 201103L
((unsigned char *)&(s)[0])
#else
((unsigned char *)(s.data()))
#endif
), size_(s.size()), zero_on_destroy_(false) {}
/** Block from std::vector */
template<class alloc> inline Block(const std::vector<unsigned char,alloc> &s)
: data_(((unsigned char *)&(s)[0])), size_(s.size()), zero_on_destroy_(false) {}

/** Get const data */
inline const unsigned char *data() const DECAF_NOEXCEPT { return data_; }
/** Subscript */
inline const unsigned char &operator[](size_t off) const /*throw(std::out_of_range)*/ {
if (off >= size()) throw(std::out_of_range("decaf::Block"));
return data_[off];
}

/** Get the size */
inline size_t size() const DECAF_NOEXCEPT { return size_; }

/** Convert to C++ string */
inline std::string get_string() const {
return std::string((const char *)data_,size_);
}

/** Slice the buffer*/
inline Block slice(size_t off, size_t length) const /*throw(LengthException)*/ {
if (off > size() || length > size() - off) throw LengthException();
return Block(data()+off, length);
}
/** Content-wise comparison; constant-time if they are the same length. */
inline decaf_bool_t contents_equal(const Block &b) const DECAF_NOEXCEPT {
if (b.size() != size()) return false;
return decaf_memeq(b.data(),data(),size());
}
/** Create new block from this */
inline operator SecureBuffer() const /*throw(std::bad_alloc)*/ {
return SecureBuffer(data_,data_+size_);
}

/** Securely set the buffer to 0. */
inline void zeroize() DECAF_NOEXCEPT { really_bzero(data_,size()); }
/** Debugging print in hex */
inline void debug_print_hex(const char *name = NULL) {
if (name) printf("%s = ", name);
for (size_t s = 0; s < size(); s++) printf("%02x", data_[s]);
printf("\n");
}
private:
/** @cond internal */
inline decaf_bool_t operator>=(const Block &b) const DECAF_NOEXCEPT DECAF_DELETE;
inline decaf_bool_t operator<=(const Block &b) const DECAF_NOEXCEPT DECAF_DELETE;
inline decaf_bool_t operator> (const Block &b) const DECAF_NOEXCEPT DECAF_DELETE;
inline decaf_bool_t operator< (const Block &b) const DECAF_NOEXCEPT DECAF_DELETE;
inline void operator= (const Block &b) const DECAF_NOEXCEPT DECAF_DELETE;
/** @endcond */
};

/** A fixed-size block */
template<size_t Size> class FixedBlock : public Block {
public:
/** Check a block's length. */
inline FixedBlock(const Block &b) /*throw(LengthException)*/ : Block(b.data(),Size) {
if (Size != b.size()) throw LengthException();
}
/** Block from std::vector */
template<class alloc> inline FixedBlock(const std::vector<unsigned char,alloc> &s) : Block(s) {
if (Size != s.size()) throw LengthException();
}
/** Explicitly pass a C buffer. */
inline explicit FixedBlock(const uint8_t data[Size]) DECAF_NOEXCEPT : Block(data,Size) {}
};

/** A reference to a writable block of data */
class Buffer : public Block {
public:
/** Null init */
inline Buffer() DECAF_NOEXCEPT : Block() {}

/** Unowned init */
inline Buffer(unsigned char *data, size_t size, bool zero_on_destroy=false) DECAF_NOEXCEPT : Block(data,size,zero_on_destroy) {}
/** Block from std::vector */
template<class alloc> inline Buffer(std::vector<unsigned char,alloc> &s) : Block(s) {}

/** Get const data */
inline const unsigned char *data() const DECAF_NOEXCEPT { return data_; }

/** Cast to unsigned char */
inline unsigned char* data() DECAF_NOEXCEPT { return data_; }

/** Slice the buffer*/
inline Buffer slice(size_t off, size_t length) /*throw(LengthException)*/;
/** Subscript */
inline unsigned char &operator[](size_t off) /*throw(std::out_of_range)*/ {
if (off >= size()) throw(std::out_of_range("decaf::Buffer"));
return data_[off];
}
/** Copy from another block */
inline void assign(const Block b) /*throw(LengthException)*/ {
if (b.size() != size()) throw LengthException();
memmove(data(),b.data(),size());
}
private:
/** @cond internal */
inline void operator= (const Block &b) const DECAF_NOEXCEPT DECAF_DELETE;
/** @endcond */
};


/** A fixed-size block */
template<size_t Size> class FixedBuffer : public Buffer {
public:
/** Check a block's length. */
inline FixedBuffer(Buffer b) /*throw(LengthException)*/ : Buffer(b) {
if (Size != b.size()) throw LengthException();
}
/** Check a block's length. */
inline FixedBuffer(SecureBuffer &b) /*throw(LengthException)*/ : Buffer(b) {
if (Size != b.size()) throw LengthException();
}
/** Explicitly pass a C buffer. */
inline explicit FixedBuffer(uint8_t dat[Size],bool zero_on_destroy = false) DECAF_NOEXCEPT : Buffer(dat,Size,zero_on_destroy) {}
/** Cast to a FixedBlock. */
inline operator FixedBlock<Size>() const DECAF_NOEXCEPT {
return FixedBlock<Size>(data());
}
private:
/** @cond internal */
inline void operator= (const Block &b) const DECAF_NOEXCEPT DECAF_DELETE;
/** @endcond */
};

/** A fixed-size stack-allocated buffer (for DECAF_NOEXCEPT semantics) */
template<size_t Size> class FixedArrayBuffer : public FixedBuffer<Size> {
private:
uint8_t storage[Size];
public:
using Buffer::zeroize;
/** New buffer initialized to zero. */
inline explicit FixedArrayBuffer() DECAF_NOEXCEPT : FixedBuffer<Size>(storage,true) { memset(storage,0,Size); }

/** New uninitialized buffer. */
inline explicit FixedArrayBuffer(const NOINIT &) DECAF_NOEXCEPT : FixedBuffer<Size>(storage,true) { }
/** New random buffer */
inline explicit FixedArrayBuffer(Rng &r) DECAF_NOEXCEPT : FixedBuffer<Size>(storage,true) { r.read(*this); }
/** Copy constructor */
inline explicit FixedArrayBuffer(const FixedBlock<Size> &b) DECAF_NOEXCEPT : FixedBuffer<Size>(storage,true) {
memcpy(storage,b.data(),Size);
}
/** Copy operator */
inline FixedArrayBuffer& operator=(const FixedBlock<Size> &b) DECAF_NOEXCEPT {
memcpy(storage,b.data(),Size); return *this;
}
/** Copy operator */
inline FixedArrayBuffer& operator=(const FixedArrayBuffer<Size> &b) DECAF_NOEXCEPT {
memcpy(storage,b.data(),Size); return *this;
}
/** Copy operator */
inline FixedArrayBuffer& operator=(const Block &b) /*throw(LengthException)*/ {
*this = FixedBlock<Size>(b);
}
/** Copy constructor */
inline explicit FixedArrayBuffer(const Block &b) /*throw(LengthException)*/ : FixedBuffer<Size>(storage,true) {
if (b.size() != Size) throw LengthException();
memcpy(storage,b.data(),Size);
}
/** Copy constructor */
inline explicit FixedArrayBuffer(const FixedArrayBuffer<Size> &b) DECAF_NOEXCEPT : FixedBuffer<Size>(storage,true) {
memcpy(storage,b.data(),Size);
}
/** Destroy the buffer */
~FixedArrayBuffer() DECAF_NOEXCEPT { zeroize(); }
};

/** @cond internal */
Buffer Buffer::slice(size_t off, size_t length) /*throw(LengthException)*/ {
if (off > size() || length > size() - off) throw LengthException();
return Buffer(data()+off, length);
}

inline SecureBuffer Rng::read(size_t length) /*throw(std::bad_alloc)*/ {
SecureBuffer out(length); read(out); return out;
}
/** @endcond */

/** @cond internal */
/** A secure buffer which stores an owned or unowned underlying value.
* If it is owned, it will be securely zeroed.
*/
template <class T, class Wrapped>
class OwnedOrUnowned {
protected:
union {
Wrapped *mine;
const Wrapped *yours;
} ours;
bool is_mine;

inline void clear() DECAF_NOEXCEPT {
if (is_mine) {
really_bzero(ours.mine, T::size());
free(ours.mine);
ours.yours = T::default_value();
is_mine = false;
}
}
inline void alloc() /*throw(std::bad_alloc)*/ {
if (is_mine) return;
int ret = posix_memalign((void**)&ours.mine, T::alignment(), T::size());
if (ret || !ours.mine) {
is_mine = false;
throw std::bad_alloc();
}
is_mine = true;
}
inline const Wrapped *get() const DECAF_NOEXCEPT { return is_mine ? ours.mine : ours.yours; }

inline OwnedOrUnowned(
const Wrapped &yours = *T::default_value()
) DECAF_NOEXCEPT {
ours.yours = &yours;
is_mine = false;
}

/**
* @brief Assign. This may require an allocation and memcpy.
*/
inline T &operator=(const OwnedOrUnowned &it) /*throw(std::bad_alloc)*/ {
if (this == &it) return *(T*)this;
if (it.is_mine) {
alloc();
memcpy(ours.mine,it.ours.mine,T::size());
} else {
clear();
ours.yours = it.ours.yours;
}
is_mine = it.is_mine;
return *(T*)this;
}

#if __cplusplus >= 201103L
inline T &operator=(OwnedOrUnowned &&it) DECAF_NOEXCEPT {
if (this == &it) return *(T*)this;
clear();
ours = it.ours;
is_mine = it.is_mine;
it.is_mine = false;
it.ours.yours = T::default_value;
return *this;
}
#endif
};
/** @endcond */

/*******************************************/
/* Inline implementations below this point */
/*******************************************/

/** @cond internal */
template<typename T, size_t alignment>
T* SanitizingAllocator<T,alignment>::allocate (
size_type cnt,
typename std::allocator<void>::const_pointer
) /*throw(std::bad_alloc)*/ {
void *v;
int ret = 0;
if (alignment) ret = posix_memalign(&v, alignment, cnt * sizeof(T));
else v = malloc(cnt * sizeof(T));
if (ret || v==NULL) throw(std::bad_alloc());
return reinterpret_cast<T*>(v);
}

template<typename T, size_t alignment>
void SanitizingAllocator<T,alignment>::deallocate(T* p, size_t size) DECAF_NOEXCEPT {
if (p==NULL) return;
really_bzero(reinterpret_cast<void*>(p), size);
free(reinterpret_cast<void*>(p));
}

/** @endcond */

} /* namespace decaf */


#undef DECAF_NOEXCEPT
#undef DECAF_DELETE

#endif /* __DECAF_SECURE_BUFFER_HXX__ */

+ 0
- 71
src/GENERATED/include/decaf/sha512.h View File

@@ -1,71 +0,0 @@
/**
* @file decaf/shake.h
* @copyright Public domain.
* @author Mike Hamburg
* @brief SHA2-512
*/

#ifndef __DECAF_SHA512_H__
#define __DECAF_SHA512_H__

#include <stdint.h>
#include <sys/types.h>
#include <stdlib.h> /* for NULL */

#include <decaf/common.h>

#ifdef __cplusplus
extern "C" {
#endif
/** Hash context for SHA-512 */
typedef struct decaf_sha512_ctx_s {
/** @cond internal */
uint64_t state[8];
uint8_t block[128];
uint64_t bytes_processed;
/* @endcond */
} decaf_sha512_ctx_s, decaf_sha512_ctx_t[1];

/** Initialize a SHA-512 context. */
void decaf_sha512_init(decaf_sha512_ctx_t ctx) DECAF_NONNULL DECAF_API_VIS;

/** Update context by hashing part of a message. */
void decaf_sha512_update(decaf_sha512_ctx_t ctx, const uint8_t *message, size_t message_len) DECAF_NONNULL DECAF_API_VIS;

/** Finalize context and write out hash.
* @param [inout] ctx The context. Will be destroyed and re-initialized on return.
* @param [out] output Place to store the output hash.
* @param [in] output_len Length in bytes of the output hash. Must between 0 and 64, inclusive.
*/
void decaf_sha512_final(decaf_sha512_ctx_t ctx, uint8_t *output, size_t output_len) DECAF_NONNULL DECAF_API_VIS;

/** Securely destroy a SHA512 context. */
static inline void decaf_sha512_destroy(decaf_sha512_ctx_t ctx) {
decaf_bzero(ctx,sizeof(*ctx));
}

/** Hash a message.
* @param [out] output Place to store the output hash.
* @param [in] output_len Length in bytes of the output hash. Must between 0 and 64, inclusive.
* @param [in] message A message to hash.
* @param [in] message_len Length in bytes of the input message.
*/
static inline void decaf_sha512_hash(
uint8_t *output,
size_t output_len,
const uint8_t *message,
size_t message_len
) {
decaf_sha512_ctx_t ctx;
decaf_sha512_init(ctx);
decaf_sha512_update(ctx,message,message_len);
decaf_sha512_final(ctx,output,output_len);
decaf_sha512_destroy(ctx);
}

#ifdef __cplusplus
} /* extern "C" */
#endif
#endif /* __DECAF_SHA512_H__ */

+ 0
- 103
src/GENERATED/include/decaf/sha512.hxx View File

@@ -1,103 +0,0 @@
/**
* @file decaf/sha512.hxx
* @copyright
* Based on public domain code by Dan Bernstein \n
* Copyright (c) 2015 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
* @author Mike Hamburg
* @brief SHA512 instance, C++ wrapper.
*/

#ifndef __DECAF_SHA512_HXX__
#define __DECAF_SHA512_HXX__

#include <decaf/secure_buffer.hxx>
#include <decaf/sha512.h>
#include <sys/types.h>

/** @cond internal */
#if __cplusplus >= 201103L
#define DECAF_NOEXCEPT noexcept
#else
#define DECAF_NOEXCEPT throw()
#endif
/** @endcond */

namespace decaf {
/** SHA512 wrapper function */
class SHA512 {
protected:
/** @cond internal */
/** The C-wrapper sponge state */
decaf_sha512_ctx_t wrapped;
/** @endcond */

public:
/** Number of bytes ouf output */
static const size_t OUTPUT_BYTES = 64;
/** Number of bytes of output */
static const size_t MAX_OUTPUT_BYTES = OUTPUT_BYTES;
/** Default number of bytes to output */
static const size_t DEFAULT_OUTPUT_BYTES = OUTPUT_BYTES;
/** Constructor */
inline SHA512() DECAF_NOEXCEPT { decaf_sha512_init(wrapped); }
/** Add more data to running hash */
inline void update(const uint8_t *__restrict__ in, size_t len) DECAF_NOEXCEPT { decaf_sha512_update(wrapped,in,len); }

/** Add more data to running hash, C++ version. */
inline void update(const Block &s) DECAF_NOEXCEPT { update(s.data(),s.size()); }

/** Add more data, stream version. */
inline SHA512 &operator<<(const Block &s) { update(s); return *this; }

/** Same as <<. */
inline SHA512 &operator+=(const Block &s) { return *this << s; }
/** @brief Output bytes from the SHA context, and resets it. */
inline void final(Buffer b) /*throw(LengthException)*/ {
if (b.size() > OUTPUT_BYTES) throw LengthException();
decaf_sha512_final(wrapped,b.data(),b.size());
}
/** Resets the SHA context */
inline void reset() DECAF_NOEXCEPT { decaf_sha512_init(wrapped); }

/** @brief Output bytes from the sponge. */
inline SecureBuffer final(size_t len = OUTPUT_BYTES) /*throw(LengthException)*/ {
if (len > OUTPUT_BYTES) throw LengthException();
SecureBuffer buffer(len);
decaf_sha512_final(wrapped,buffer.data(),len);
return buffer;
}

/** @brief Return the sponge's default output size. */
inline size_t default_output_size() const DECAF_NOEXCEPT { return OUTPUT_BYTES; }

/** @brief Return the sponge's maximum output size. */
inline size_t max_output_size() const DECAF_NOEXCEPT { return MAX_OUTPUT_BYTES; }

/** @brief Hash a message in one pass */
static inline SecureBuffer hash (
const Block &message,
size_t outlen = OUTPUT_BYTES
) /*throw(LengthException, std::bad_alloc)*/ {
if (outlen > OUTPUT_BYTES) throw LengthException();
SecureBuffer buffer(outlen);
decaf_sha512_hash(buffer.data(),outlen,message.data(),message.size());
return buffer;
}

/** Destructor zeroizes state */
inline ~SHA512() DECAF_NOEXCEPT { decaf_sha512_destroy(wrapped); }
};
} /* namespace decaf */

#undef DECAF_NOEXCEPT

#endif /* __DECAF_SHA512_HXX__ */

+ 0
- 219
src/GENERATED/include/decaf/shake.h View File

@@ -1,219 +0,0 @@
/**
* @file decaf/shake.h
* @copyright
* Based on CC0 code by David Leon Gil, 2015 \n
* Copyright (c) 2015 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
* @author Mike Hamburg
* @brief SHA-3-n and DECAF_SHAKE-n instances.
*/

#ifndef __DECAF_SHAKE_H__
#define __DECAF_SHAKE_H__

#include <stdint.h>
#include <sys/types.h>
#include <stdlib.h> /* for NULL */

#include <decaf/common.h>

#ifdef __cplusplus
extern "C" {
#endif

#ifndef INTERNAL_SPONGE_STRUCT
/** Sponge container object for the various primitives. */
typedef struct decaf_keccak_sponge_s {
/** @cond internal */
uint64_t opaque[26];
/** @endcond */
} decaf_keccak_sponge_s;

/** Convenience GMP-style one-element array version */
typedef struct decaf_keccak_sponge_s decaf_keccak_sponge_t[1];

/** Parameters for sponge construction, distinguishing DECAF_SHA3 and
* DECAF_SHAKE instances.
*/
struct decaf_kparams_s;
#endif

/**
* @brief Initialize a sponge context object.
* @param [out] sponge The object to initialize.
* @param [in] params The sponge's parameter description.
*/
void decaf_sha3_init (
decaf_keccak_sponge_t sponge,
const struct decaf_kparams_s *params
) DECAF_API_VIS;

/**
* @brief Absorb data into a DECAF_SHA3 or DECAF_SHAKE hash context.
* @param [inout] sponge The context.
* @param [in] in The input data.
* @param [in] len The input data's length in bytes.
* @return DECAF_FAILURE if the sponge has already been used for output.
* @return DECAF_SUCCESS otherwise.
*/
decaf_error_t decaf_sha3_update (
struct decaf_keccak_sponge_s * __restrict__ sponge,
const uint8_t *in,
size_t len
) DECAF_API_VIS;

/**
* @brief Squeeze output data from a DECAF_SHA3 or DECAF_SHAKE hash context.
* This does not destroy or re-initialize the hash context, and
* decaf_sha3 output can be called more times.
*
* @param [inout] sponge The context.
* @param [out] out The output data.
* @param [in] len The requested output data length in bytes.
* @return DECAF_FAILURE if the sponge has exhausted its output capacity.
* @return DECAF_SUCCESS otherwise.
*/
decaf_error_t decaf_sha3_output (
decaf_keccak_sponge_t sponge,
uint8_t * __restrict__ out,
size_t len
) DECAF_API_VIS;

/**
* @brief Squeeze output data from a DECAF_SHA3 or DECAF_SHAKE hash context.
* This re-initializes the context to its starting parameters.
*
* @param [inout] sponge The context.
* @param [out] out The output data.
* @param [in] len The requested output data length in bytes.
*/
decaf_error_t decaf_sha3_final (
decaf_keccak_sponge_t sponge,
uint8_t * __restrict__ out,
size_t len
) DECAF_API_VIS;

/**
* @brief Reset the sponge to the empty string.
*
* @param [inout] sponge The context.
*/
void decaf_sha3_reset (
decaf_keccak_sponge_t sponge
) DECAF_API_VIS;

/**
* @brief Return the default output length of the sponge construction,
* for the purpose of C++ default operators.
*
* Returns n/8 for DECAF_SHA3-n and 2n/8 for DECAF_SHAKE-n.
*/
size_t decaf_sha3_default_output_bytes (
const decaf_keccak_sponge_t sponge /**< [inout] The context. */
) DECAF_API_VIS;

/**
* @brief Return the default output length of the sponge construction,
* for the purpose of C++ default operators.
*
* Returns n/8 for DECAF_SHA3-n and SIZE_MAX for DECAF_SHAKE-n.
*/
size_t decaf_sha3_max_output_bytes (
const decaf_keccak_sponge_t sponge /**< [inout] The context. */
) DECAF_API_VIS;

/**
* @brief Destroy a DECAF_SHA3 or DECAF_SHAKE sponge context by overwriting it with 0.
* @param [out] sponge The context.
*/
void decaf_sha3_destroy (
decaf_keccak_sponge_t sponge
) DECAF_API_VIS;

/**
* @brief Hash (in) to (out)
* @param [in] in The input data.
* @param [in] inlen The length of the input data.
* @param [out] out A buffer for the output data.
* @param [in] outlen The length of the output data.
* @param [in] params The parameters of the sponge hash.
*/
decaf_error_t decaf_sha3_hash (
uint8_t *out,
size_t outlen,
const uint8_t *in,
size_t inlen,
const struct decaf_kparams_s *params
) DECAF_API_VIS;

/* FUTURE: expand/doxygenate individual DECAF_SHAKE/DECAF_SHA3 instances? */

/** @cond internal */
#define DECAF_DEC_SHAKE(n) \
extern const struct decaf_kparams_s DECAF_SHAKE##n##_params_s DECAF_API_VIS; \
typedef struct decaf_shake##n##_ctx_s { decaf_keccak_sponge_t s; } decaf_shake##n##_ctx_t[1]; \
static inline void DECAF_NONNULL decaf_shake##n##_init(decaf_shake##n##_ctx_t sponge) { \
decaf_sha3_init(sponge->s, &DECAF_SHAKE##n##_params_s); \
} \
static inline void DECAF_NONNULL decaf_shake##n##_gen_init(decaf_keccak_sponge_t sponge) { \
decaf_sha3_init(sponge, &DECAF_SHAKE##n##_params_s); \
} \
static inline decaf_error_t DECAF_NONNULL decaf_shake##n##_update(decaf_shake##n##_ctx_t sponge, const uint8_t *in, size_t inlen ) { \
return decaf_sha3_update(sponge->s, in, inlen); \
} \
static inline void DECAF_NONNULL decaf_shake##n##_final(decaf_shake##n##_ctx_t sponge, uint8_t *out, size_t outlen ) { \
decaf_sha3_output(sponge->s, out, outlen); \
decaf_sha3_init(sponge->s, &DECAF_SHAKE##n##_params_s); \
} \
static inline void DECAF_NONNULL decaf_shake##n##_output(decaf_shake##n##_ctx_t sponge, uint8_t *out, size_t outlen ) { \
decaf_sha3_output(sponge->s, out, outlen); \
} \
static inline void DECAF_NONNULL decaf_shake##n##_hash(uint8_t *out, size_t outlen, const uint8_t *in, size_t inlen) { \
decaf_sha3_hash(out,outlen,in,inlen,&DECAF_SHAKE##n##_params_s); \
} \
static inline void DECAF_NONNULL decaf_shake##n##_destroy( decaf_shake##n##_ctx_t sponge ) { \
decaf_sha3_destroy(sponge->s); \
}

#define DECAF_DEC_SHA3(n) \
extern const struct decaf_kparams_s DECAF_SHA3_##n##_params_s DECAF_API_VIS; \
typedef struct decaf_sha3_##n##_ctx_s { decaf_keccak_sponge_t s; } decaf_sha3_##n##_ctx_t[1]; \
static inline void DECAF_NONNULL decaf_sha3_##n##_init(decaf_sha3_##n##_ctx_t sponge) { \
decaf_sha3_init(sponge->s, &DECAF_SHA3_##n##_params_s); \
} \
static inline void DECAF_NONNULL decaf_sha3_##n##_gen_init(decaf_keccak_sponge_t sponge) { \
decaf_sha3_init(sponge, &DECAF_SHA3_##n##_params_s); \
} \
static inline decaf_error_t DECAF_NONNULL decaf_sha3_##n##_update(decaf_sha3_##n##_ctx_t sponge, const uint8_t *in, size_t inlen ) { \
return decaf_sha3_update(sponge->s, in, inlen); \
} \
static inline decaf_error_t DECAF_NONNULL decaf_sha3_##n##_final(decaf_sha3_##n##_ctx_t sponge, uint8_t *out, size_t outlen ) { \
decaf_error_t ret = decaf_sha3_output(sponge->s, out, outlen); \
decaf_sha3_init(sponge->s, &DECAF_SHA3_##n##_params_s); \
return ret; \
} \
static inline decaf_error_t DECAF_NONNULL decaf_sha3_##n##_output(decaf_sha3_##n##_ctx_t sponge, uint8_t *out, size_t outlen ) { \
return decaf_sha3_output(sponge->s, out, outlen); \
} \
static inline decaf_error_t DECAF_NONNULL decaf_sha3_##n##_hash(uint8_t *out, size_t outlen, const uint8_t *in, size_t inlen) { \
return decaf_sha3_hash(out,outlen,in,inlen,&DECAF_SHA3_##n##_params_s); \
} \
static inline void DECAF_NONNULL decaf_sha3_##n##_destroy(decaf_sha3_##n##_ctx_t sponge) { \
decaf_sha3_destroy(sponge->s); \
}
/** @endcond */

DECAF_DEC_SHAKE(128)
DECAF_DEC_SHAKE(256)
DECAF_DEC_SHA3(224)
DECAF_DEC_SHA3(256)
DECAF_DEC_SHA3(384)
DECAF_DEC_SHA3(512)
#undef DECAF_DEC_SHAKE
#undef DECAF_DEC_SHA3

#ifdef __cplusplus
} /* extern "C" */
#endif
#endif /* __DECAF_SHAKE_H__ */

+ 0
- 190
src/GENERATED/include/decaf/shake.hxx View File

@@ -1,190 +0,0 @@
/**
* @file decaf/shake.hxx
* @copyright
* Based on CC0 code by David Leon Gil, 2015 \n
* Copyright (c) 2015 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
* @author Mike Hamburg
* @brief SHA-3-n and SHAKE-n instances, C++ wrapper.
*/

#ifndef __DECAF_SHAKE_HXX__
#define __DECAF_SHAKE_HXX__

#include <decaf/shake.h>
#include <decaf/secure_buffer.hxx>
#include <sys/types.h>

/** @cond internal */
#if __cplusplus >= 201103L
#define DECAF_NOEXCEPT noexcept
#define DECAF_DELETE = delete
#else
#define DECAF_NOEXCEPT throw()
#define DECAF_DELETE
#endif
/** @endcond */

namespace decaf {

/**
* Hash function derived from Keccak
* FUTURE: throw ProtocolException when hash is misused by calling update() after output().
*/
class KeccakHash {
protected:
/** @cond internal */
/** The C-wrapper sponge state */
decaf_keccak_sponge_t wrapped;
/** Initialize from parameters */
inline KeccakHash(const decaf_kparams_s *params) DECAF_NOEXCEPT { decaf_sha3_init(wrapped, params); }
/** @endcond */
public:
/** Add more data to running hash */
inline void update(const uint8_t *__restrict__ in, size_t len) DECAF_NOEXCEPT { decaf_sha3_update(wrapped,in,len); }

/** Add more data to running hash, C++ version. */
inline void update(const Block &s) DECAF_NOEXCEPT { decaf_sha3_update(wrapped,s.data(),s.size()); }
/** Add more data, stream version. */
inline KeccakHash &operator<<(const Block &s) DECAF_NOEXCEPT { update(s); return *this; }
/** Same as <<. */
inline KeccakHash &operator+=(const Block &s) DECAF_NOEXCEPT { return *this << s; }
/** @brief Output bytes from the sponge. */
inline SecureBuffer output(size_t len) /*throw(std::bad_alloc, LengthException)*/ {
if (len > max_output_size()) throw LengthException();
SecureBuffer buffer(len);
if (DECAF_SUCCESS != decaf_sha3_output(wrapped,buffer.data(),len)) {
throw LengthException();
}
return buffer;
}
/** @brief Output bytes from the sponge. */
inline SecureBuffer final(size_t len) /*throw(std::bad_alloc, LengthException)*/ {
if (len > max_output_size()) throw LengthException();
SecureBuffer buffer(len);
if (DECAF_SUCCESS != decaf_sha3_final(wrapped,buffer.data(),len)) {
throw LengthException();
}
return buffer;
}

/** @brief Output bytes from the sponge. Throw LengthException if you've
* output too many bytes from a SHA-3 instance.
*/
inline void output(Buffer b) /*throw(LengthException)*/ {
if (DECAF_SUCCESS != decaf_sha3_output(wrapped,b.data(),b.size())) {
throw LengthException();
}
}
/** @brief Output bytes from the sponge and reinitialize it. Throw
* LengthException if you've output too many bytes from a SHA3 instance.
*/
inline void final(Buffer b) /*throw(LengthException)*/ {
if (DECAF_SUCCESS != decaf_sha3_final(wrapped,b.data(),b.size())) {
throw LengthException();
}
}
/** @brief Return the sponge's default output size. */
inline size_t default_output_size() const DECAF_NOEXCEPT {
return decaf_sha3_default_output_bytes(wrapped);
}
/** @brief Return the sponge's maximum output size. */
inline size_t max_output_size() const DECAF_NOEXCEPT {
return decaf_sha3_max_output_bytes(wrapped);
}
/** Output the default number of bytes. */
inline SecureBuffer output() /*throw(std::bad_alloc,LengthException)*/ {
return output(default_output_size());
}
/** Output the default number of bytes, and reset hash. */
inline SecureBuffer final() /*throw(std::bad_alloc,LengthException)*/ {
return final(default_output_size());
}

/** Reset the hash to the empty string */
inline void reset() DECAF_NOEXCEPT { decaf_sha3_reset(wrapped); }
/** Destructor zeroizes state */
inline ~KeccakHash() DECAF_NOEXCEPT { decaf_sha3_destroy(wrapped); }
};

/** Fixed-output-length SHA3 */
template<int bits> class SHA3 : public KeccakHash {
private:
/** Get the parameter template block for this hash */
static inline const struct decaf_kparams_s *get_params();
public:
/** Number of bytes of output */
static const size_t MAX_OUTPUT_BYTES = bits/8;
/** Number of bytes of output */
static const size_t DEFAULT_OUTPUT_BYTES = bits/8;
/** Initializer */
inline SHA3() DECAF_NOEXCEPT : KeccakHash(get_params()) {}

/** Hash bytes with this SHA3 instance.
* @throw LengthException if nbytes > MAX_OUTPUT_BYTES
*/
static inline SecureBuffer hash(const Block &b, size_t nbytes = MAX_OUTPUT_BYTES) /*throw(std::bad_alloc, LengthException)*/ {
if (nbytes > MAX_OUTPUT_BYTES) {
throw LengthException();
}
SHA3 s; s += b; return s.output(nbytes);
}
};

/** Variable-output-length SHAKE */
template<int bits>
class SHAKE : public KeccakHash {
private:
/** Get the parameter template block for this hash */
static inline const struct decaf_kparams_s *get_params();
public:
/** Number of bytes of output */
#if __cplusplus >= 201103L
static const size_t MAX_OUTPUT_BYTES = SIZE_MAX;
#else
static const size_t MAX_OUTPUT_BYTES = (size_t)-1;
#endif

/** Default number of bytes to output */
static const size_t DEFAULT_OUTPUT_BYTES = bits/4;
/** Initializer */
inline SHAKE() DECAF_NOEXCEPT : KeccakHash(get_params()) {}
/** Hash bytes with this SHAKE instance */
static inline SecureBuffer hash(const Block &b, size_t outlen) /*throw(std::bad_alloc)*/ {
SHAKE s; s += b; return s.output(outlen);
}
};

/** @cond internal */
template<> inline const struct decaf_kparams_s *SHAKE<128>::get_params() { return &DECAF_SHAKE128_params_s; }
template<> inline const struct decaf_kparams_s *SHAKE<256>::get_params() { return &DECAF_SHAKE256_params_s; }
template<> inline const struct decaf_kparams_s *SHA3<224>::get_params() { return &DECAF_SHA3_224_params_s; }
template<> inline const struct decaf_kparams_s *SHA3<256>::get_params() { return &DECAF_SHA3_256_params_s; }
template<> inline const struct decaf_kparams_s *SHA3<384>::get_params() { return &DECAF_SHA3_384_params_s; }
template<> inline const struct decaf_kparams_s *SHA3<512>::get_params() { return &DECAF_SHA3_512_params_s; }
/** @endcond */
} /* namespace decaf */

#undef DECAF_NOEXCEPT
#undef DECAF_DELETE

#endif /* __DECAF_SHAKE_HXX__ */

+ 0
- 93
src/GENERATED/include/decaf/spongerng.h View File

@@ -1,93 +0,0 @@
/**
* @file decaf/spongerng.h
* @copyright
* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
* @author Mike Hamburg
* @brief Sponge-based RNGs.
* @warning This construction isn't final. In particular,
* the outputs of deterministic RNGs from this mechanism might change in future versions.
*/

#ifndef __DECAF_SPONGERNG_H__
#define __DECAF_SPONGERNG_H__

#include <decaf/shake.h>

#ifdef __cplusplus
extern "C" {
#endif
/** Keccak CSPRNG structure as struct. */
typedef struct {
decaf_keccak_sponge_t sponge; /**< Internal sponge object. */
} decaf_keccak_prng_s;
/** Keccak CSPRNG structure as one-element array */
typedef decaf_keccak_prng_s decaf_keccak_prng_t[1];
/** Initialize a sponge-based CSPRNG from a buffer. */
void decaf_spongerng_init_from_buffer (
decaf_keccak_prng_t prng, /**< [out] The PRNG object. */
const uint8_t *__restrict__ in, /**< [in] The initialization data. */
size_t len, /**< [in] The length of the initialization data. */
int deterministic /**< [in] If zero, allow RNG to stir in nondeterministic data from RDRAND or RDTSC.*/
) DECAF_NONNULL DECAF_API_VIS;
/**
* @brief Initialize a sponge-based CSPRNG from a file.
* @retval DECAF_SUCCESS success.
* @retval DECAF_FAILURE failure.
* @note On failure, errno can be used to determine the cause.
*/
decaf_error_t decaf_spongerng_init_from_file (
decaf_keccak_prng_t prng, /**< [out] The PRNG object. */
const char *file, /**< [in] A name of a file containing initial data. */
size_t len, /**< [in] The length of the initial data. Must be positive. */
int deterministic /**< [in] If zero, allow RNG to stir in nondeterministic data from RDRAND or RDTSC. */
) DECAF_NONNULL DECAF_API_VIS DECAF_WARN_UNUSED;

/**
* @brief Initialize a nondeterministic sponge-based CSPRNG from /dev/urandom.
* @retval DECAF_SUCCESS success.
* @retval DECAF_FAILURE failure.
* @note On failure, errno can be used to determine the cause.
*/
decaf_error_t decaf_spongerng_init_from_dev_urandom (
decaf_keccak_prng_t prng /**< [out] sponge The sponge object. */
) DECAF_API_VIS DECAF_WARN_UNUSED;

/** Output bytes from a sponge-based CSPRNG. */
void decaf_spongerng_next (
decaf_keccak_prng_t prng, /**< [inout] The PRNG object. */
uint8_t * __restrict__ out, /**< [out] Output buffer. */
size_t len /**< [in] Number of bytes to output. */
) DECAF_API_VIS;

/** Stir entropy data into a sponge-based CSPRNG from a buffer. */
void decaf_spongerng_stir (
decaf_keccak_prng_t prng, /**< [out] The PRNG object. */
const uint8_t * __restrict__ in, /**< [in] The entropy data. */
size_t len /**< [in] The length of the initial data. */
) DECAF_NONNULL DECAF_API_VIS;
/** Securely destroy a sponge RNG object by overwriting it. */
static DECAF_INLINE void
decaf_spongerng_destroy (
decaf_keccak_prng_t doomed /**< [in] The object to destroy. */
);

/** @cond internal */
/***************************************/
/* Implementations of inline functions */
/***************************************/
void decaf_spongerng_destroy (decaf_keccak_prng_t doomed) {
decaf_sha3_destroy(doomed->sponge);
}
/** @endcond */ /* internal */

#ifdef __cplusplus
} /* extern "C" */
#endif

#endif /* __DECAF_SPONGERNG_H__ */

+ 0
- 102
src/GENERATED/include/decaf/spongerng.hxx View File

@@ -1,102 +0,0 @@
/**
* @file decaf/spongerng.hxx
* @copyright
* Based on CC0 code by David Leon Gil, 2015 \n
* Copyright (c) 2015 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
* @author Mike Hamburg
* @brief Sponge RNG instances, C++ wrapper.
* @warning The guts of this are subject to change. Please don't implement
* anything that depends on the deterministic RNG being stable across versions
* of this library.
*/

#ifndef __DECAF_SPONGERNG_HXX__
#define __DECAF_SPONGERNG_HXX__

#include <decaf/spongerng.h>

#include <string>
#include <sys/types.h>
#include <errno.h>

/** @cond internal */
#if __cplusplus >= 201103L
#define DECAF_NOEXCEPT noexcept
#define DECAF_DELETE = delete
#else
#define DECAF_NOEXCEPT throw()
#define DECAF_DELETE
#endif
/** @endcond */

namespace decaf {

/** Sponge-based random-number generator */
class SpongeRng : public Rng {
private:
/** C wrapped object */
decaf_keccak_prng_t sp;
public:
/** Deterministic flag.
* The idea is that DETERMINISTIC is used for testing or for lockstep computations,
* and NONDETERMINISTIC is used in production.
*/
enum Deterministic { RANDOM = 0, DETERMINISTIC = 1 };
/** Exception thrown when The RNG fails (to seed itself) */
class RngException : public std::exception {
private:
/** @cond internal */
const char *const what_;
/** @endcond */
public:
const int err_code; /**< errno that caused the reseed to fail. */
const char *what() const DECAF_NOEXCEPT { return what_; } /**< Description of exception. */
RngException(int err_code, const char *what_) DECAF_NOEXCEPT : what_(what_), err_code(err_code) {} /**< Construct */
};
/** Initialize, deterministically by default, from block */
inline SpongeRng( const Block &in, Deterministic det ) {
decaf_spongerng_init_from_buffer(sp,in.data(),in.size(),(int)det);
}
/** Initialize, non-deterministically by default, from C/C++ filename */
inline SpongeRng( const std::string &in = "/dev/urandom", size_t len = 32, Deterministic det = RANDOM )
/*throw(RngException)*/ {
decaf_error_t ret = decaf_spongerng_init_from_file(sp,in.c_str(),len,det);
if (!decaf_successful(ret)) {
throw RngException(errno, "Couldn't load from file");
}
}
/** Stir in new data */
inline void stir( const Block &data ) DECAF_NOEXCEPT {
decaf_spongerng_stir(sp,data.data(),data.size());
}
/** Securely destroy by overwriting state. */
inline ~SpongeRng() DECAF_NOEXCEPT { decaf_spongerng_destroy(sp); }
using Rng::read;
/** Read data to a buffer. */
virtual inline void read(Buffer buffer) DECAF_NOEXCEPT
#if __cplusplus >= 201103L
final
#endif
{ decaf_spongerng_next(sp,buffer.data(),buffer.size()); }
private:
SpongeRng(const SpongeRng &) DECAF_DELETE;
SpongeRng &operator=(const SpongeRng &) DECAF_DELETE;
};
/**@endcond*/
} /* namespace decaf */

#undef DECAF_NOEXCEPT
#undef DECAF_DELETE

#endif /* __DECAF_SPONGERNG_HXX__ */

Write Preview
Loading…
Cancel
Save