Michael Hamburg
650356c5f5
elligator overflow bits.
Before, invert_elligator would invert to a gf, which wouldn't be a uniformly
random string because, e.g., curve25519 gfs only have 255 bits out of 256.
Now add a random multiple of p. This still won't work for future curves
that have a field size of 1 mod 8, because those curves use elligator with
no high bit set, but it's a start
9 years ago
Michael Hamburg
050dcc186f
test/bench now uses run_for_all_curves<>
9 years ago
Michael Hamburg
c0310ba553
whoops, actually save the change that removes the todo comment
9 years ago
Michael Hamburg
c9abcef055
add some pathological test cases, clearing a few TODO items. Also scalar_set_unsigned now takes a uint64_t instead of a word_t
9 years ago
Michael Hamburg
37e0886300
simplify elligator, in a way that shouldn't change its output. I think it uses the opposite convention from the paper for sign(s) though.
9 years ago
Michael Hamburg
c7a3efd496
fix typo in 32-bit code
9 years ago
Mike Hamburg
5f38747a15
Montgomery ladder now uses non-reduced arith for speed. Also, it is tested to be CT
9 years ago
Michael Hamburg
2eacff6ad6
rfc7748 implementation, but their names will probably change
9 years ago
Michael Hamburg
4de70b837c
separate out strobe and spongerng from shake. strobe is experimental. spongerng is experimental internally but the interface should be pretty good (except for any camelCase vs snake_case issues). shake should be stable
9 years ago
Mike Hamburg
24e33a2f86
reasonable suite of ct tests now. also change scalar randomizer to generate +128 bits
9 years ago
Mike Hamburg
9f1cc0e2af
some more ct tests; serializeInto -> serialize_into. still need more ct tests, unification of snake vs camel case
9 years ago
Mike Hamburg
51ac192b79
ct tests are in; succeed if -DNDEBUG is passed. Should carefully audit assertions.
9 years ago
Michael Hamburg
d81592ba71
make test_ct, except it probably doesn't work; definitely not on a mac with no memcheck.h installed
9 years ago
Michael Hamburg
81403de10c
knock out a couple TODOs
9 years ago
Michael Hamburg
957ec6cd2c
restore shared secret benchmarks
9 years ago
Michael Hamburg
f92d14e08a
crypto.hxx is now a thin wrapper around crypto.h
9 years ago
Michael Hamburg
1c97140893
working on python generation
9 years ago
Michael Hamburg
ee076bcc3d
usage is static void
9 years ago
Michael Hamburg
b5a2757f21
clear a couple fixmes
9 years ago
Michael Hamburg
64adbd1082
split c crypto routines for now (a bit of a hack :-/)
9 years ago
Michael Hamburg
565522ffdf
trying to update to the latest version of strobe. lots of stuff in flux though
9 years ago
Mike Hamburg
704b424982
dual scalarmul because of TLS discussion
9 years ago
Michael Hamburg
a1f5348e18
beginning to separate errors from bools. not there yet though
9 years ago
Michael Hamburg
88a60a294d
add Group::FIELD_MODULUS_TYPE for testing purposes
9 years ago
Michael Hamburg
49629216f8
simplify elligator (todo: test more? eg 1/(1-d) on 25519)
9 years ago
Michael Hamburg
3ba3edc418
fix bench /0; some effort to bzero stack variables
9 years ago
Michael Hamburg
e95b7c7f0e
made scalar inverse WARN_UNUSED and made it throw. Small fix to sagetest. Changed some places that assumed that success is true, in case I want to adopt the proposal that success is 0
9 years ago
Michael Hamburg
bc252f835a
whups public_include
9 years ago
Michael Hamburg
0f78ec28fc
fix bug in tagforget
9 years ago
Michael Hamburg
d30a160bbb
bench with ++ crypto
9 years ago
Michael Hamburg
b35f966cf4
add serializable class, though I might repent of this because I don't want a vtable
9 years ago
Michael Hamburg
4dd77e0149
switch SecureBuffer to vector
9 years ago
Mike Hamburg
b849d2cd91
working on securebuffer problems, might just switch things to vector
9 years ago
Michael Hamburg
cdab495338
Cross-curve compilation working! Still a bunch of FIXMEs though
9 years ago
Mike Hamburg
8a1315e15f
get rid of unchecked isqrt. will be a tiny slowdown for p448 invert, called only in batch_invert
9 years ago
Mike Hamburg
eab2a41d13
switch from xy positive to 1/xy positive; this is because it can make laddered direct_scalarmul almost sane. almost.
9 years ago
Mike Hamburg
60b14fb0f1
add FixedBuffer
9 years ago
Mike Hamburg
6bc7a3db3b
rework build hierarchy to prepare for generated headers
9 years ago
Michael Hamburg
f8c32ba53f
knock out some TODOs
9 years ago
Michael Hamburg
db0a12de2a
working on breaking up include files
9 years ago
Michael Hamburg
629a782fff
Elligator now passes tests, but there are likely still missing preimages of rotations of the identity point. Also, projscaling elligator probably works, but it needs testing
9 years ago
Michael Hamburg
89dfab34a8
remove hinting from forward elligator, at least in 25519. leaving test in broken state because, well, it is broken
9 years ago
Michael Hamburg
a53f9876f5
OK, most tests are now passing. Remaining known problems:
1) Elligator inversion fails on 0. Also there may be corner cases
here which ought to be probed but are a pain, such as sqrt(id/(1-d))
and similar.
2) Elligator doesn't return the right hint, because I haven't coded
the rotation hints. Probable solution: make Elligator not return a
hint, because there's no realistic scenario where it's useful anyway.
Alternative possible solution: can compute the right hint, but why
bother?
3) Elligator inversion doesn't set the high bit of the buffer at
random, because 2^255-19 isn't close to 2^256. Possible solution:
preserve the high bit(s) of the buffer?
4) Elligator doesn't map [1] to the identity, I think.
5) Not enough corner case testing.
6) Probably some other non-Elligator problems
9 years ago
Michael Hamburg
5a3fe27c03
more rigorous tests. elligator still fails. problem: extracting xy is quite technical
9 years ago
Michael Hamburg
202ed7fea2
change 2torque to torque, which is 4torque in ed25519 case
9 years ago
Michael Hamburg
d974612404
restore test which got clobbered somehow
9 years ago
Michael Hamburg
cbb8cceea9
elligator doesn't work; gonna compare some things to see why
9 years ago
Michael Hamburg
d6461059f5
round-trip works
9 years ago
Michael Hamburg
a14dbafd2b
decode and elligator work. probably encode still buggy.
9 years ago
Mike Hamburg
40b1f8b85e
initial replace 448->255; doesn't compile yet
9 years ago