jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
77 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: 0dc21dd9d7
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '0dc21dd9d7'
${ noResults }
ed448goldilocks/test/bench.c

798 lines
22 KiB
Raw Blame History 

  1. /* Copyright (c) 2014 Cryptography Research, Inc.

  2.  * Released under the MIT License.  See LICENSE.txt for license information.

  3.  */

  4. 

  5. #include "word.h"

  6. 

  7. #include <sys/time.h>

  8. #include <sys/types.h>

  9. #include <stdio.h>

  10. #include <memory.h>

  11. 

  12. #include "field.h"

  13. #include "ec_point.h"

  14. #include "scalarmul.h"

  15. #include "barrett_field.h"

  16. #include "crandom.h"

  17. #include "goldilocks.h"

  18. #include "sha512.h"

  19. #include "decaf.h"

  20. 

  21. static __inline__ void

  22. ignore_result ( int result ) {

  23.     (void)result;

  24. }

  25. 

  26. static double now(void) {

  27.   struct timeval tv;

  28.   gettimeofday(&tv, NULL);

  29.   

  30.   return tv.tv_sec + tv.tv_usec/1000000.0;

  31. }

  32. 

  33. static void field_randomize( struct crandom_state_t *crand, field_a_t a ) {

  34.     crandom_generate(crand, (unsigned char *)a, sizeof(*a));

  35.     field_strong_reduce(a);

  36. }

  37. 

  38. static void q448_randomize( struct crandom_state_t *crand, word_t sk[SCALAR_WORDS] ) {

  39.     crandom_generate(crand, (unsigned char *)sk, SCALAR_BYTES);

  40. }

  41. 

  42. static void field_print( const char *descr, const field_a_t a ) {

  43.     int j;

  44.     unsigned char ser[FIELD_BYTES];

  45.     field_serialize(ser,a);

  46.     printf("%s = 0x", descr);

  47.     for (j=FIELD_BYTES - 1; j>=0; j--) {

  48.         printf("%02x", ser[j]);

  49.     }

  50.     printf("\n");

  51. }

  52. 

  53. static void __attribute__((unused))

  54. field_print_full (

  55.     const char *descr,

  56.     const field_a_t a

  57. ) {

  58.     int j;

  59.     printf("%s = 0x", descr);

  60.     for (j=15; j>=0; j--) {

  61.         printf("%02" PRIxWORD "_" PRIxWORD56 " ",

  62.             a->limb[j]>>28, a->limb[j]&((1<<28)-1));

  63.     }

  64.     printf("\n");

  65. }

  66. 

  67. static void q448_print( const char *descr, const word_t secret[SCALAR_WORDS] ) {

  68.     int j;

  69.     printf("%s = 0x", descr);

  70.     for (j=SCALAR_WORDS-1; j>=0; j--) {

  71.         printf(PRIxWORDfull, secret[j]);

  72.     }

  73.     printf("\n");

  74. }

  75. 

  76. #ifndef N_TESTS_BASE

  77. #define N_TESTS_BASE 10000

  78. #endif

  79. 

  80. int main(int argc, char **argv) {

  81.     (void)argc;

  82.     (void)argv;

  83. 

  84.     struct tw_extensible_t ext;

  85.     struct extensible_t exta;

  86.     struct tw_niels_t niels;

  87.     struct tw_pniels_t pniels;

  88.     struct affine_t affine;

  89.     struct montgomery_t mb;

  90.     struct montgomery_aux_t mba;

  91.     field_a_t a,b,c,d;

  92.     

  93.     double when;

  94.     int i;

  95. 

  96.     int nbase = N_TESTS_BASE;

  97.     

  98.     /* Bad randomness so we can debug. */

  99.     char initial_seed[32];

  100.     for (i=0; i<32; i++) initial_seed[i] = i;

  101.     struct crandom_state_t crand;

  102.     crandom_init_from_buffer(&crand, initial_seed);

  103.     /* For testing the performance drop from the crandom debuffering change.

  104.         ignore_result(crandom_init_from_file(&crand, "/dev/urandom", 10000, 1));

  105.     */

  106.     

  107.     word_t sk[SCALAR_WORDS],tk[SCALAR_WORDS];

  108.     q448_randomize(&crand, sk);

  109.     

  110.     memset(a,0,sizeof(a));

  111.     memset(b,0,sizeof(b));

  112.     memset(c,0,sizeof(c));

  113.     memset(d,0,sizeof(d));

  114.     when = now();

  115.     for (i=0; i<nbase*5000; i++) {

  116.         field_mul(c, b, a);

  117.     }

  118.     when = now() - when;

  119.     printf("mul:         %5.1fns\n", when * 1e9 / i);

  120.     

  121.     when = now();

  122.     for (i=0; i<nbase*5000; i++) {

  123.         field_sqr(c, a);

  124.     }

  125.     when = now() - when;

  126.     printf("sqr:         %5.1fns\n", when * 1e9 / i);

  127.     

  128.     when = now();

  129.     for (i=0; i<nbase*5000; i++) {

  130.         field_mulw(c, b, 1234562);

  131.     }

  132.     when = now() - when;

  133.     printf("mulw:        %5.1fns\n", when * 1e9 / i);

  134.     

  135.     when = now();

  136.     for (i=0; i<nbase*500; i++) {

  137.         field_mul(c, b, a);

  138.         field_mul(a, b, c);

  139.     }

  140.     when = now() - when;

  141.     printf("mul dep:     %5.1fns\n", when * 1e9 / i / 2);

  142.     

  143.     when = now();

  144.     for (i=0; i<nbase*10; i++) {

  145.         field_randomize(&crand, a);

  146.     }

  147.     when = now() - when;

  148.     printf("rand448:     %5.1fns\n", when * 1e9 / i);

  149.     

  150.     sha512_ctx_a_t sha;

  151.     uint8_t hashout[128];

  152.     when = now();

  153.     for (i=0; i<nbase; i++) {

  154.         sha512_init(sha);

  155.         sha512_final(sha, hashout);

  156.     }

  157.     when = now() - when;

  158.     printf("sha512 1blk: %5.1fns\n", when * 1e9 / i);

  159.     

  160.     when = now();

  161.     for (i=0; i<nbase; i++) {

  162.         sha512_update(sha, hashout, 128);

  163.     }

  164.     when = now() - when;

  165.     printf("sha512 blk:  %5.1fns (%0.2f MB/s)\n", when * 1e9 / i, 128*i/when/1e6);

  166.     

  167.     when = now();

  168.     for (i=0; i<nbase; i++) {

  169.         field_isr(c, a);

  170.     }

  171.     when = now() - when;

  172.     printf("isr auto:    %5.1fµs\n", when * 1e6 / i);

  173.     

  174.     for (i=0; i<100; i++) {

  175.         field_randomize(&crand, a);

  176.         field_isr(d,a);

  177.         field_sqr(b,d);

  178.         field_mul(c,b,a);

  179.         field_sqr(b,c);

  180.         field_subw(b,1);

  181.         if (!field_is_zero(b)) {

  182.             printf("ISR validation failure!\n");

  183.             field_print("a", a);

  184.             field_print("s", d);

  185.         }

  186.     }

  187.     

  188.     when = now();

  189.     for (i=0; i<nbase; i++) {

  190.         elligator_2s_inject(&affine, a);

  191.     }

  192.     when = now() - when;

  193.     printf("elligator:   %5.1fµs\n", when * 1e6 / i);

  194.     

  195.     for (i=0; i<100; i++) {

  196.         field_randomize(&crand, a);

  197.         elligator_2s_inject(&affine, a);

  198.         if (!validate_affine(&affine)) {

  199.             printf("Elligator validation failure!\n");

  200.             field_print("a", a);

  201.             field_print("x", affine.x);

  202.             field_print("y", affine.y);

  203.         }

  204.     }

  205.     

  206.     when = now();

  207.     for (i=0; i<nbase; i++) {

  208.         deserialize_affine(&affine, a);

  209.     }

  210.     when = now() - when;

  211.     printf("decompress:  %5.1fµs\n", when * 1e6 / i);

  212.     

  213.     convert_affine_to_extensible(&exta, &affine);

  214.     when = now();

  215.     for (i=0; i<nbase; i++) {

  216.         serialize_extensible(a, &exta);

  217.     }

  218.     when = now() - when;

  219.     printf("compress:    %5.1fµs\n", when * 1e6 / i);

  220.     

  221.     int goods = 0;

  222.     for (i=0; i<100; i++) {

  223.         field_randomize(&crand, a);

  224.         mask_t good = deserialize_affine(&affine, a);

  225.         if (good & !validate_affine(&affine)) {

  226.             printf("Deserialize validation failure!\n");

  227.             field_print("a", a);

  228.             field_print("x", affine.x);

  229.             field_print("y", affine.y);

  230.         } else if (good) {

  231.             goods++;

  232.             convert_affine_to_extensible(&exta,&affine);

  233.             serialize_extensible(b, &exta);

  234.             field_sub(c,b,a);

  235.             if (!field_is_zero(c)) {

  236.                 printf("Reserialize validation failure!\n");

  237.                 field_print("a", a);

  238.                 field_print("x", affine.x);

  239.                 field_print("y", affine.y);

  240.                 deserialize_affine(&affine, b);

  241.                 field_print("b", b);

  242.                 field_print("x", affine.x);

  243.                 field_print("y", affine.y);

  244.                 printf("\n");

  245.             }

  246.         }

  247.     }

  248.     if (goods<i/3) {

  249.         printf("Deserialization validation failure! Deserialized %d/%d points\n", goods, i);

  250.     }

  251.     

  252.     word_t lsk[768/WORD_BITS];

  253.     crandom_generate(&crand, (unsigned char *)lsk, sizeof(lsk));

  254.     

  255.     when = now();

  256.     for (i=0; i<nbase*100; i++) {

  257.         barrett_reduce(lsk,sizeof(lsk)/sizeof(word_t),0,&curve_prime_order);

  258.     }

  259.     when = now() - when;

  260.     printf("barrett red: %5.1fns\n", when * 1e9 / i);

  261.     

  262.     when = now();

  263.     for (i=0; i<nbase*10; i++) {

  264.         barrett_mac(lsk,SCALAR_WORDS,lsk,SCALAR_WORDS,lsk,SCALAR_WORDS,&curve_prime_order);

  265.     }

  266.     when = now() - when;

  267.     printf("barrett mac: %5.1fns\n", when * 1e9 / i);

  268.     

  269.     memset(&ext,0,sizeof(ext));

  270.     memset(&niels,0,sizeof(niels)); /* avoid assertions in p521 even though this isn't a valid ext or niels */

  271. 

  272.     tw_extended_a_t ed;

  273.     convert_tw_extensible_to_tw_extended(ed,&ext);

  274. 

  275.     when = now();

  276.     for (i=0; i<nbase*100; i++) {

  277.         add_tw_niels_to_tw_extensible(&ext, &niels);

  278.     }

  279.     when = now() - when;

  280.     printf("exti+niels:  %5.1fns\n", when * 1e9 / i);

  281. 

  282.     when = now();

  283.     for (i=0; i<nbase*100; i++) {

  284.         add_tw_extended(ed,ed);

  285.     }

  286.     when = now() - when;

  287.     printf("txt + txt :  %5.1fns\n", when * 1e9 / i);

  288. 

  289.     decaf_point_t Da,Db,Dc;

  290.     memset(Da,0,sizeof(Da));

  291.     memset(Db,0,sizeof(Db));

  292.     memset(Dc,0,sizeof(Dc));

  293.     when = now();

  294.     for (i=0; i<nbase*100; i++) {

  295.         decaf_add(Da,Db,Dc);

  296.     }

  297.     when = now() - when;

  298.     printf("dec + dec:   %5.1fns\n", when * 1e9 / i);

  299.     

  300.     convert_tw_extensible_to_tw_pniels(&pniels, &ext);

  301.     when = now();

  302.     for (i=0; i<nbase*100; i++) {

  303.         add_tw_pniels_to_tw_extensible(&ext, &pniels);

  304.     }

  305.     when = now() - when;

  306.     printf("exti+pniels: %5.1fns\n", when * 1e9 / i);

  307.     

  308.     when = now();

  309.     for (i=0; i<nbase*100; i++) {

  310.         double_tw_extensible(&ext);

  311.     }

  312.     when = now() - when;

  313.     printf("exti dbl:    %5.1fns\n", when * 1e9 / i);

  314.     

  315.     when = now();

  316.     for (i=0; i<nbase*100; i++) {

  317.         untwist_and_double(&exta, &ext);

  318.     }

  319.     when = now() - when;

  320.     printf("i->a isog:   %5.1fns\n", when * 1e9 / i);

  321.     

  322.     when = now();

  323.     for (i=0; i<nbase*100; i++) {

  324.         twist_and_double(&ext, &exta);

  325.     }

  326.     when = now() - when;

  327.     printf("a->i isog:   %5.1fns\n", when * 1e9 / i);

  328.     

  329.     memset(&mb,0,sizeof(mb));

  330.     when = now();

  331.     for (i=0; i<nbase*100; i++) {

  332.         montgomery_step(&mb);

  333.     }

  334.     when = now() - when;

  335.     printf("monty step:  %5.1fns\n", when * 1e9 / i);

  336.     

  337.     memset(&mba,0,sizeof(mba));

  338.     when = now();

  339.     for (i=0; i<nbase*100; i++) {

  340.         montgomery_aux_step(&mba);

  341.     }

  342.     when = now() - when;

  343.     printf("monty aux:   %5.1fns\n", when * 1e9 / i);

  344. 	

  345.     when = now();

  346.     for (i=0; i<nbase/10; i++) {

  347.         ignore_result(montgomery_ladder(a,b,sk,FIELD_BITS,0));

  348.     }

  349.     when = now() - when;

  350.     printf("full ladder: %5.1fµs\n", when * 1e6 / i);

  351. 	

  352.     when = now();

  353.     for (i=0; i<nbase/10; i++) {

  354.         ignore_result(decaf_montgomery_ladder(a,b,sk,FIELD_BITS));

  355.     }

  356.     when = now() - when;

  357.     printf("decafladder: %5.1fµs\n", when * 1e6 / i);

  358.    

  359.     when = now();

  360.     for (i=0; i<nbase/10; i++) {

  361.         decaf_scalarmul(Da,Db,sk,sizeof(sk)/sizeof(word_t));

  362.     }

  363.     when = now() - when;

  364.     printf("decaf slow:  %5.1fµs\n", when * 1e6 / i);

  365. 

  366.     when = now();

  367.     for (i=0; i<nbase/10; i++) {

  368.         scalarmul(&ext,sk);

  369.     }

  370.     when = now() - when;

  371.     printf("edwards smz: %5.1fµs\n", when * 1e6 / i);

  372.     

  373.     when = now();

  374.     for (i=0; i<nbase/10; i++) {

  375.         scalarmul_vlook(&ext,sk);

  376.     }

  377.     when = now() - when;

  378.     printf("edwards svl: %5.1fµs\n", when * 1e6 / i);

  379.     

  380.     when = now();

  381.     for (i=0; i<nbase/10; i++) {

  382.         scalarmul_ed(ed,sk);

  383.     }

  384.     when = now() - when;

  385.     printf("edwards txt: %5.1fµs\n", when * 1e6 / i);

  386.     

  387.     field_set_ui(a,0);

  388.     when = now();

  389.     for (i=0; i<nbase/10; i++) {

  390. 	ignore_result(decaf_deserialize_tw_extended(ed,a,-1));

  391.         scalarmul_ed(ed,sk);

  392. 	decaf_serialize_tw_extended(a,ed);

  393.     }

  394.     when = now() - when;

  395.     printf("simple ECDH: %5.1fµs\n", when * 1e6 / i);

  396.     

  397.     when = now();

  398.     for (i=0; i<nbase/10; i++) {

  399.         scalarmul(&ext,sk);

  400.         untwist_and_double_and_serialize(a,&ext);

  401.     }

  402.     when = now() - when;

  403.     printf("edwards smc: %5.1fµs\n", when * 1e6 / i);

  404.     

  405.     when = now();

  406.     for (i=0; i<nbase/10; i++) {

  407.         q448_randomize(&crand, sk);

  408.         scalarmul_vt(&ext,sk,SCALAR_BITS);

  409.     }

  410.     when = now() - when;

  411.     printf("edwards vtm: %5.1fµs\n", when * 1e6 / i);

  412.     

  413.     tw_niels_a_t wnaft[1<<6];

  414.     when = now();

  415.     for (i=0; i<nbase/10; i++) {

  416.         ignore_result(precompute_fixed_base_wnaf(wnaft,&ext,6));

  417.     }

  418.     when = now() - when;

  419.     printf("wnaf6 pre:   %5.1fµs\n", when * 1e6 / i);

  420.     

  421.     when = now();

  422.     for (i=0; i<nbase/10; i++) {

  423.         q448_randomize(&crand, sk);

  424.         scalarmul_fixed_base_wnaf_vt(&ext,sk,SCALAR_BITS,(const tw_niels_a_t*)wnaft,6);

  425.     }

  426.     when = now() - when;

  427.     printf("edwards vt6: %5.1fµs\n", when * 1e6 / i);

  428.     

  429.     when = now();

  430.     for (i=0; i<nbase/10; i++) {

  431.         ignore_result(precompute_fixed_base_wnaf(wnaft,&ext,4));

  432.     }

  433.     when = now() - when;

  434.     printf("wnaf4 pre:   %5.1fµs\n", when * 1e6 / i);

  435.     

  436.     when = now();

  437.     for (i=0; i<nbase/10; i++) {

  438.         q448_randomize(&crand, sk);

  439.         scalarmul_fixed_base_wnaf_vt(&ext,sk,SCALAR_BITS,(const tw_niels_a_t*)wnaft,4);

  440.     }

  441.     when = now() - when;

  442.     printf("edwards vt4: %5.1fµs\n", when * 1e6 / i);

  443. 

  444.     when = now();

  445.     for (i=0; i<nbase/10; i++) {

  446.         ignore_result(precompute_fixed_base_wnaf(wnaft,&ext,5));

  447.     }

  448.     when = now() - when;

  449.     printf("wnaf5 pre:   %5.1fµs\n", when * 1e6 / i);

  450.     

  451.     when = now();

  452.     for (i=0; i<nbase/10; i++) {

  453.         q448_randomize(&crand, sk);

  454.         scalarmul_fixed_base_wnaf_vt(&ext,sk,SCALAR_BITS,(const tw_niels_a_t*)wnaft,5);

  455.     }

  456.     when = now() - when;

  457.     printf("edwards vt5: %5.1fµs\n", when * 1e6 / i);

  458.     

  459.     when = now();

  460.     for (i=0; i<nbase/10; i++) {

  461.         q448_randomize(&crand, sk);

  462.         q448_randomize(&crand, tk);

  463.         linear_combo_var_fixed_vt(&ext,sk,FIELD_BITS,tk,FIELD_BITS,(const tw_niels_a_t*)wnaft,5);

  464.     }

  465.     when = now() - when;

  466.     printf("vt vf combo: %5.1fµs\n", when * 1e6 / i);

  467.     

  468.     when = now();

  469.     for (i=0; i<nbase/10; i++) {

  470.         deserialize_affine(&affine, a);

  471.         convert_affine_to_extensible(&exta,&affine);

  472.         twist_and_double(&ext,&exta);

  473.         scalarmul(&ext,sk);

  474.         untwist_and_double(&exta,&ext);

  475.         serialize_extensible(b, &exta);

  476.     }

  477.     when = now() - when;

  478.     printf("edwards sm:  %5.1fµs\n", when * 1e6 / i);

  479.     

  480.     struct fixed_base_table_t t_5_5_18, t_3_5_30, t_8_4_14, t_5_3_30, t_15_3_10;

  481. 

  482.     while (1) {

  483.         field_randomize(&crand, a);

  484.         if (deserialize_affine(&affine, a)) break;

  485.     }

  486.     convert_affine_to_extensible(&exta,&affine);

  487.     twist_and_double(&ext,&exta);

  488.     when = now();

  489.     for (i=0; i<nbase/10; i++) {

  490.         if (i) destroy_fixed_base(&t_5_5_18);

  491.         ignore_result(precompute_fixed_base(&t_5_5_18, &ext, 5, 5, 18, NULL));

  492.     }

  493.     when = now() - when;

  494.     printf("pre(5,5,18): %5.1fµs\n", when * 1e6 / i);

  495.     

  496.     when = now();

  497.     for (i=0; i<nbase/10; i++) {

  498.         if (i) destroy_fixed_base(&t_3_5_30);

  499.         ignore_result(precompute_fixed_base(&t_3_5_30, &ext, 3, 5, 30, NULL));

  500.     }

  501.     when = now() - when;

  502.     printf("pre(3,5,30): %5.1fµs\n", when * 1e6 / i);

  503.     

  504.     when = now();

  505.     for (i=0; i<nbase/10; i++) {

  506.         if (i) destroy_fixed_base(&t_5_3_30);

  507.         ignore_result(precompute_fixed_base(&t_5_3_30, &ext, 5, 3, 30, NULL));

  508.     }

  509.     when = now() - when;

  510.     printf("pre(5,3,30): %5.1fµs\n", when * 1e6 / i);

  511.     

  512.     when = now();

  513.     for (i=0; i<nbase/10; i++) {

  514.         if (i) destroy_fixed_base(&t_15_3_10);

  515.         ignore_result(precompute_fixed_base(&t_15_3_10, &ext, 15, 3, 10, NULL));

  516.     }

  517.     when = now() - when;

  518.     printf("pre(15,3,10):%5.1fµs\n", when * 1e6 / i);

  519.     

  520.     when = now();

  521.     for (i=0; i<nbase/10; i++) {

  522.         if (i) destroy_fixed_base(&t_8_4_14);

  523.         ignore_result(precompute_fixed_base(&t_8_4_14, &ext, 8, 4, 14, NULL));

  524.     }

  525.     when = now() - when;

  526.     printf("pre(8,4,14): %5.1fµs\n", when * 1e6 / i);

  527. 	

  528.     when = now();

  529.     for (i=0; i<nbase; i++) {

  530.         scalarmul_fixed_base(&ext, sk, FIELD_BITS, &t_5_5_18);

  531.     }

  532.     when = now() - when;

  533.     printf("com(5,5,18): %5.1fµs\n", when * 1e6 / i);

  534.     

  535.     when = now();

  536.     for (i=0; i<nbase; i++) {

  537.         scalarmul_fixed_base(&ext, sk, FIELD_BITS, &t_3_5_30);

  538.     }

  539.     when = now() - when;

  540.     printf("com(3,5,30): %5.1fµs\n", when * 1e6 / i);

  541. 

  542.     when = now();

  543.     for (i=0; i<nbase; i++) {

  544.         scalarmul_fixed_base(&ext, sk, FIELD_BITS, &t_8_4_14);

  545.     }

  546.     when = now() - when;

  547.     printf("com(8,4,14): %5.1fµs\n", when * 1e6 / i);

  548. 

  549.     when = now();

  550.     for (i=0; i<nbase; i++) {

  551.         scalarmul_fixed_base(&ext, sk, FIELD_BITS, &t_5_3_30);

  552.     }

  553.     when = now() - when;

  554.     printf("com(5,3,30): %5.1fµs\n", when * 1e6 / i);

  555. 

  556.     when = now();

  557.     for (i=0; i<nbase; i++) {

  558.         scalarmul_fixed_base(&ext, sk, FIELD_BITS, &t_15_3_10);

  559.     }

  560.     when = now() - when;

  561.     printf("com(15,3,10):%5.1fµs\n", when * 1e6 / i);

  562.     

  563.     printf("\nGoldilocks:\n");

  564.     

  565.     int res = goldilocks_init();

  566.     assert(!res);

  567.     

  568.     struct goldilocks_public_key_t gpk,hpk;

  569.     struct goldilocks_private_key_t gsk,hsk;

  570.     

  571.     when = now();

  572.     for (i=0; i<nbase; i++) {

  573.         if (i&1) {

  574.             res = goldilocks_keygen(&gsk,&gpk);

  575.         } else {

  576.             res = goldilocks_keygen(&hsk,&hpk);

  577.         }

  578.         assert(!res);

  579.     }

  580.     when = now() - when;

  581.     printf("keygen:      %5.1fµs\n", when * 1e6 / i);

  582.     

  583.     uint8_t ss1[64],ss2[64];

  584.     int gres1=0,gres2=0;

  585.     when = now();

  586.     for (i=0; i<nbase; i++) {

  587.         if (i&1) {

  588.             gres1 = goldilocks_shared_secret(ss1,&gsk,&hpk);

  589.         } else {

  590.             gres2 = goldilocks_shared_secret(ss2,&hsk,&gpk);

  591.         }

  592.     }

  593.     when = now() - when;

  594.     printf("ecdh:        %5.1fµs\n", when * 1e6 / i);

  595.     if (gres1 || gres2 || memcmp(ss1,ss2,64)) {

  596.         printf("[FAIL] %d %d\n",gres1,gres2);

  597.         

  598.         printf("sk1 = ");

  599.         for (i=0; i<SCALAR_BYTES; i++) {

  600.             printf("%02x", gsk.opaque[i]);

  601.         }

  602.         printf("\nsk2 = ");

  603.         for (i=0; i<SCALAR_BYTES; i++) {

  604.             printf("%02x", hsk.opaque[i]);

  605.         }

  606.         printf("\nss1 = ");

  607.         for (i=0; i<64; i++) {

  608.             printf("%02x", ss1[i]);

  609.         }

  610.         printf("\nss2 = ");

  611.         for (i=0; i<64; i++) {

  612.             printf("%02x", ss2[i]);

  613.         }

  614.         printf("\n");

  615.     }

  616.     

  617.     uint8_t sout[FIELD_BYTES*2];

  618.     const char *message = "hello world";

  619.     size_t message_len = strlen(message);

  620.     when = now();

  621.     for (i=0; i<nbase; i++) {

  622.         res = goldilocks_sign(sout,(const unsigned char *)message,message_len,&gsk);

  623.         (void)res;

  624.         assert(!res);

  625.     }

  626.     when = now() - when;

  627.     printf("sign:        %5.1fµs\n", when * 1e6 / i);

  628.     

  629.     when = now();

  630.     for (i=0; i<nbase; i++) {

  631.         int ver = goldilocks_verify(sout,(const unsigned char *)message,message_len,&gpk);

  632.         (void)ver;

  633.         assert(!ver);

  634.     }

  635.     when = now() - when;

  636.     printf("verify:      %5.1fµs\n", when * 1e6 / i);

  637.     

  638.     struct goldilocks_precomputed_public_key_t *pre = NULL;

  639.     when = now();

  640.     for (i=0; i<nbase; i++) {

  641.         goldilocks_destroy_precomputed_public_key(pre);

  642.         pre = goldilocks_precompute_public_key(&gpk);

  643.     }

  644.     when = now() - when;

  645.     printf("precompute:  %5.1fµs\n", when * 1e6 / i);

  646.     

  647.     when = now();

  648.     for (i=0; i<nbase; i++) {

  649.         int ver = goldilocks_verify_precomputed(sout,(const unsigned char *)message,message_len,pre);

  650.         (void)ver;

  651.         assert(!ver);

  652.     }

  653.     when = now() - when;

  654.     printf("verify pre:  %5.1fµs\n", when * 1e6 / i);

  655.     

  656.     when = now();

  657.     for (i=0; i<nbase; i++) {

  658.         int ret = goldilocks_shared_secret_precomputed(ss1,&gsk,pre);

  659.         (void)ret;

  660.         assert(!ret);

  661.     }

  662.     when = now() - when;

  663.     printf("ecdh pre:    %5.1fµs\n", when * 1e6 / i);

  664.     

  665.     printf("\nTesting...\n");

  666.     

  667.     

  668.     int failures=0, successes = 0;

  669.     for (i=0; i<nbase/10; i++) {

  670.         ignore_result(goldilocks_keygen(&gsk,&gpk));

  671.         goldilocks_sign(sout,(const unsigned char *)message,message_len,&gsk);

  672.         res = goldilocks_verify(sout,(const unsigned char *)message,message_len,&gpk);

  673.         if (res) failures++;

  674.     }

  675.     if (failures) {

  676.         printf("FAIL %d/%d signature checks!\n", failures, i);

  677.     }

  678.     

  679.     failures=0; successes = 0;

  680.     for (i=0; i<nbase/10; i++) {

  681.         field_randomize(&crand, a);

  682. 		word_t two = 2;

  683.         mask_t good = montgomery_ladder(b,a,&two,2,0);

  684. 		if (!good) continue;

  685. 		

  686. 		word_t x,y;

  687.         crandom_generate(&crand, (unsigned char *)&x, sizeof(x));

  688.         crandom_generate(&crand, (unsigned char *)&y, sizeof(y));

  689.         x = (hword_t)x;

  690.         y = (hword_t)y;

  691.         word_t z=x*y;

  692.         

  693.     	ignore_result(montgomery_ladder(b,a,&x,WORD_BITS,0));

  694.         ignore_result(montgomery_ladder(c,b,&y,WORD_BITS,0));

  695.         ignore_result(montgomery_ladder(b,a,&z,WORD_BITS,0));

  696.         

  697.         field_sub(d,b,c);

  698. 		if (!field_is_zero(d)) {

  699.             printf("Odd ladder validation failure %d!\n", ++failures);

  700.             field_print("a", a);

  701.             printf("x=%"PRIxWORD", y=%"PRIxWORD", z=%"PRIxWORD"\n", x,y,z);

  702.             field_print("c", c);

  703.             field_print("b", b);

  704. 			printf("\n");

  705. 		}

  706. 	}

  707.     

  708.     failures = 0;

  709.     for (i=0; i<nbase/10; i++) {

  710.         mask_t good;

  711.         do {

  712.             field_randomize(&crand, a);

  713.             good = deserialize_affine(&affine, a);

  714.         } while (!good);

  715.         

  716.         convert_affine_to_extensible(&exta,&affine);

  717.         twist_and_double(&ext,&exta);

  718.         untwist_and_double(&exta,&ext);

  719.         serialize_extensible(b, &exta);

  720.         untwist_and_double_and_serialize(c, &ext);

  721.         

  722.         field_sub(d,b,c);

  723.         

  724.         if (good && !field_is_zero(d)){

  725.             printf("Iso+serial validation failure %d!\n", ++failures);

  726.             field_print("a", a);

  727.             field_print("b", b);

  728.             field_print("c", c);

  729.             printf("\n");

  730.         } else if (good) {

  731.             successes ++;

  732.         }

  733.     }

  734.     if (successes < i/3) {

  735.         printf("Iso+serial variation: only %d/%d successful.\n", successes, i);

  736.     }

  737.     

  738.     successes = failures = 0;

  739.     for (i=0; i<nbase/10; i++) {

  740.         field_a_t aa;

  741.         struct tw_extensible_t exu,exv,exw;

  742.         

  743.         mask_t good;

  744.         do {

  745.             field_randomize(&crand, a);

  746.             good = deserialize_affine(&affine, a);

  747.             convert_affine_to_extensible(&exta,&affine);

  748.             twist_and_double(&ext,&exta);

  749.         } while (!good);

  750.         do {

  751.             field_randomize(&crand, aa);

  752.             good = deserialize_affine(&affine, aa);

  753.             convert_affine_to_extensible(&exta,&affine);

  754.             twist_and_double(&exu,&exta);

  755.         } while (!good);

  756.         field_randomize(&crand, aa);

  757.         

  758.         q448_randomize(&crand, sk);

  759. 		if (i==0 || i==2) memset(&sk, 0, sizeof(sk));

  760.         q448_randomize(&crand, tk);

  761. 		if (i==0 || i==1) memset(&tk, 0, sizeof(tk));

  762.         

  763.         copy_tw_extensible(&exv, &ext);

  764.         copy_tw_extensible(&exw, &exu);

  765.         scalarmul(&exv,sk);

  766.         scalarmul(&exw,tk);

  767.         convert_tw_extensible_to_tw_pniels(&pniels, &exw);

  768.         add_tw_pniels_to_tw_extensible(&exv,&pniels);

  769.         untwist_and_double(&exta,&exv);

  770.         serialize_extensible(b, &exta);

  771. 

  772.         ignore_result(precompute_fixed_base_wnaf(wnaft,&exu,5));

  773.         linear_combo_var_fixed_vt(&ext,sk,FIELD_BITS,tk,FIELD_BITS,(const tw_niels_a_t*)wnaft,5);

  774.         untwist_and_double(&exta,&exv);

  775.         serialize_extensible(c, &exta);

  776.         

  777.         field_sub(d,b,c);

  778.         

  779.         if (!field_is_zero(d)){

  780.             printf("PreWNAF combo validation failure %d!\n", ++failures);

  781.             field_print("a", a);

  782.             field_print("A", aa);

  783.             q448_print("s", sk);

  784.             q448_print("t", tk);

  785.             field_print("c", c);

  786.             field_print("b", b);

  787.             printf("\n\n");

  788.         } else if (good) {

  789.             successes ++;

  790.         }

  791.     }

  792.     if (successes < i) {

  793.         printf("PreWNAF combo variation: only %d/%d successful.\n", successes, i);

  794.     }

  795.     

  796.     return 0;

  797. }