inverting elligator now mostly works, except for identity and overflow issues

include/decaf_255.h

@@ -520,7 +520,7 @@ void decaf_255_point_debugging_2torque (
  * @param [out] pt The data hashed to the curve.
  * @return A "hint" value which can be used to help invert the encoding.
  */
-unsigned char
+uint16_t
 decaf_255_point_from_hash_nonuniform (
     decaf_255_point_t pt,
     const unsigned char hashed_data[DECAF_255_SER_BYTES]
@@ -549,7 +549,7 @@ decaf_bool_t
 decaf_255_invert_elligator_nonuniform (
     unsigned char recovered_hash[DECAF_255_SER_BYTES],
     const decaf_255_point_t pt,
-    unsigned char hint
+    uint16_t hint
 ) API_VIS NONNULL2 NOINLINE WARN_UNUSED;
 
 /**
@@ -576,7 +576,7 @@ decaf_bool_t
 decaf_255_invert_elligator_uniform (
     unsigned char recovered_hash[2*DECAF_255_SER_BYTES],
     const decaf_255_point_t pt,
-    unsigned char hint
+    uint16_t hint
 ) API_VIS NONNULL2 NOINLINE WARN_UNUSED;
 
 /**
@@ -588,7 +588,7 @@ decaf_255_invert_elligator_uniform (
  * @param [out] pt The data hashed to the curve.
  * @return A "hint" value which can be used to help invert the encoding.
  */ 
-unsigned char decaf_255_point_from_hash_uniform (
+uint16_t decaf_255_point_from_hash_uniform (
     decaf_255_point_t pt,
     const unsigned char hashed_data[2*DECAF_255_SER_BYTES]
 ) API_VIS NONNULL2 NOINLINE;

include/decaf_255.hxx

@@ -585,7 +585,7 @@ public:
     }
     
     inline bool invert_elligator (
-        Buffer &buf, unsigned char hint
+        Buffer &buf, uint16_t hint
     ) const NOEXCEPT {
         unsigned char buf2[2*HASH_BYTES];
         memset(buf2,0,sizeof(buf2));

include/shake.hxx

@@ -208,7 +208,7 @@ inline SecureBuffer Ed255::Point::steg_encode(SpongeRng &rng) const NOEXCEPT {
     bool done;
     do {
         rng.read(out.slice(HASH_BYTES-1,STEG_BYTES-HASH_BYTES+1));
-        done = invert_elligator(out, out[HASH_BYTES-1] & 7); /* 7 is kind of MAGIC */
+        done = invert_elligator(out, out[HASH_BYTES-1] & 7); /* FIXME 7 is kind of MAGIC */
     } while (!done);
     return out;
 }

src/decaf_fast.c

@@ -485,8 +485,8 @@ static void deisogenize (
     decaf_bool_t toggle_hibit_s,
     decaf_bool_t toggle_hibit_t_over_s
 ) {
-    gf a, d, x, t;
-    gf_s *b = s, *c = minus_t_over_s;
+    gf c, d, x, t;
+    gf_s *b = s, *a = minus_t_over_s;
     
     /* TODO: intern below */
     gf_mul ( x, p->x, SQRT_MINUS_ONE);
@@ -515,9 +515,9 @@ static void deisogenize (
     decaf_bool_t tg1 = toggle_hibit_t_over_s ^~ hibit(a);
     cond_neg ( c, tg1 );
     cond_neg ( a, tg1 );
-    gf_mul ( a, b, p->z );
-    gf_add ( a, a, c );
-    gf_mul ( b, a, p->y );
+    gf_mul ( d, b, p->z );
+    gf_add ( d, d, c );
+    gf_mul ( b, d, p->y );
     cond_neg ( b, toggle_hibit_s ^ hibit(b) );
 }
 
@@ -1068,7 +1068,7 @@ decaf_bool_t API_NS(point_eq) ( const point_t p, const point_t q ) {
     return succ;
 }
 
-unsigned char API_NS(point_from_hash_nonuniform) (
+uint16_t API_NS(point_from_hash_nonuniform) (
     point_t p,
     const unsigned char ser[SER_BYTES]
 ) {
@@ -1158,7 +1158,7 @@ decaf_bool_t
 API_NS(invert_elligator_nonuniform) (
     unsigned char recovered_hash[DECAF_255_SER_BYTES],
     const point_t p,
-    unsigned char hint
+    uint16_t hint
 ) {
     decaf_bool_t sgn_s = -(hint & 1),
         sgn_t_over_s = -(hint>>1 & 1),
@@ -1196,7 +1196,7 @@ API_NS(invert_elligator_nonuniform) (
     return succ;
 }
 
-unsigned char API_NS(point_from_hash_uniform) (
+uint16_t API_NS(point_from_hash_uniform) (
     point_t pt,
     const unsigned char hashed_data[2*SER_BYTES]
 ) {
@@ -1206,14 +1206,14 @@ unsigned char API_NS(point_from_hash_uniform) (
     unsigned char ret2 =
         API_NS(point_from_hash_nonuniform)(pt2,&hashed_data[SER_BYTES]);
     API_NS(point_add)(pt,pt,pt2);
-    return ret1 | (ret2<<4);
+    return ret1 | ((uint16_t)ret2<<8);
 }
 
 decaf_bool_t
 API_NS(invert_elligator_uniform) (
     unsigned char partial_hash[2*SER_BYTES],
     const point_t p,
-    unsigned char hint
+    uint16_t hint
 ) {
     point_t pt2;
     API_NS(point_from_hash_nonuniform)(pt2,&partial_hash[SER_BYTES]);