jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
61 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: 12a5d0890c
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '12a5d0890c'
${ noResults }
ed448goldilocks/src/include/scalarmul.h

357 lines
10 KiB
Raw Blame History 

  1. /**

  2.  * @file scalarmul.h

  3.  * @copyright

  4.  *   Copyright (c) 2014 Cryptography Research, Inc.  \n

  5.  *   Released under the MIT License.  See LICENSE.txt for license information.

  6.  * @author Mike Hamburg

  7.  */

  8. 

  9. #ifndef __P448_ALGO_H__

  10. #define __P448_ALGO_H__ 1

  11. 

  12. #include "ec_point.h"

  13. #include "field.h"

  14. #include "intrinsics.h"

  15. #include "magic.h"

  16. 

  17. #ifdef __cplusplus

  18. extern "C" {

  19. #endif

  20. 

  21. /**

  22.  * A word array containing a scalar

  23.  */

  24. typedef word_t scalar_t[SCALAR_WORDS];

  25. 

  26. /**

  27.  * A precomputed table for fixed-base scalar multiplication.

  28.  *

  29.  * This uses a signed combs format.

  30.  */

  31. struct fixed_base_table_t {

  32.    /** Comb tables containing multiples of the base point. */

  33.   tw_niels_a_t *table;

  34.   

  35.   /** Adjustments to the scalar in even and odd cases, respectively. */

  36.   word_t scalar_adjustments[2*SCALAR_WORDS];

  37.   

  38.   /** The number of combs in the table. */

  39.   unsigned int n;

  40.   

  41.   /** The number of teeth in each comb. */

  42.   unsigned int t;

  43.   

  44.   /** The spacing between the teeth. */

  45.   unsigned int s;

  46.   

  47.   /** If nonzero, the table was malloc'd by precompute_for_combs. */

  48.   unsigned int own_table;

  49. };

  50.     

  51. /**

  52.  * Full Montgomery ladder in inverse square root format.

  53.  *

  54.  * Out = [2^n_extra_doubles * scalar] * in, where

  55.  * scalar is little-endian and has length $nbits$ bits.

  56.  *

  57.  * If the scalar is even and/or n_extra_doubles >= 1,

  58.  * then this function will reject points which are not

  59.  * on the curve by returning MASK_FAILURE.

  60.  *

  61.  * This function will also reject multiplies which output

  62.  * the identity or the point of order 2.  It may be worth

  63.  * revisiting this decision in the FUTURE.  The idea is that

  64.  * this can only happen when: the input is the identity or the

  65.  * point of order 2; or the input is the point of order 4 on

  66.  * the twist; or the scalar is 0 or a multiple of the curve

  67.  * order; or the scalar is a multiple of the twist order and

  68.  * the input point is on the twist.

  69.  *

  70.  * This function takes constant time with respect to $*in$

  71.  * and $*scalar$, but not of course with respect to nbits or

  72.  * n_extra_doubles.

  73.  *

  74.  * For security, we recommend setting n_extra_doubles = 1.

  75.  * Because the cofactor of Goldilocks is 4 and input points

  76.  * are always even (when on the curve), this will cancel the

  77.  * cofactor.

  78.  *

  79.  * @param [out] out The output point.

  80.  * @param [in] in The base point.

  81.  * @param [in] scalar The scalar's little-endian representation.

  82.  * @param [in] nbits The number of bits in the scalar.  Note that

  83.  * unlike in Curve25519, we do not require the top bit to be set.

  84.  * @param [in] n_extra_doubles The number of extra doubles to do at

  85.  * the end.

  86.  *

  87.  * @retval MASK_SUCCESS The operation was successful.

  88.  * @retval MASK_FAILURE The input point was invalid, or the output

  89.  * would be the identity or the point of order 2.

  90.  */

  91. mask_t

  92. montgomery_ladder (

  93.     field_a_t out,

  94.     const field_a_t in,

  95.     const word_t *scalar,

  96.     unsigned int nbits,

  97.     unsigned int n_extra_doubles

  98. ) __attribute__((warn_unused_result));

  99.     

  100. /**

  101.  * Full Montgomery aux ladder in decaf format.

  102.  *

  103.  * Out = scalar * in, where

  104.  * scalar is little-endian and has length $nbits$ bits.

  105.  *

  106.  * This function (once it's done; TODO) will always reject points

  107.  * on the twist.

  108.  *

  109.  * This function takes constant time with respect to $*in$

  110.  * and $*scalar$, but not of course with respect to nbits or

  111.  * n_extra_doubles.

  112.  *

  113.  * @param [out] out The output point.

  114.  * @param [in] in The base point.

  115.  * @param [in] scalar The scalar's little-endian representation.

  116.  * @param [in] nbits The number of bits in the scalar.  Note that

  117.  * unlike in Curve25519, we do not require the top bit to be set.

  118.  *

  119.  * @retval MASK_SUCCESS The operation was successful.

  120.  * @retval MASK_FAILURE The input point was invalid, or the output

  121.  * would be the identity or the point of order 2.

  122.  */

  123. mask_t

  124. decaf_montgomery_ladder (

  125.     field_a_t out,

  126.     const field_a_t in,

  127.     const word_t *scalar,

  128.     unsigned int nbits

  129. ) __attribute__((warn_unused_result));

  130.     

  131. /**

  132.  * Scalar multiply a twisted Edwards-form point.

  133.  *

  134.  * This function takes constant time.

  135.  *

  136.  * Currently the scalar is always exactly 448 bits long.

  137.  *

  138.  * @param [inout] working The point to multply.

  139.  * @param [in] scalar The scalar, in little-endian form.

  140.  */

  141. void

  142. scalarmul (

  143.     tw_extensible_a_t working,

  144.     const word_t scalar[SCALAR_WORDS]

  145.     /* TODO? int nbits */

  146. );

  147.     

  148. /**

  149.  * Scalar multiply a twisted Edwards-form point.  Use the same

  150.  * algorithm as scalarmul(), but uses variable array indices.

  151.  *

  152.  * Currently the scalar is always exactly 448 bits long.

  153.  *

  154.  * @warning This function uses variable array indices,

  155.  * so it is insecure against cache-timing attacks.  It is intended

  156.  * for microbenchmarking, to see how much constant-time arithmetic

  157.  * costs us.

  158.  *

  159.  * @param [inout] working The point to multply.

  160.  * @param [in] scalar The scalar, in little-endian form.

  161.  */

  162. void

  163. scalarmul_vlook (

  164.     tw_extensible_a_t working,

  165.     const word_t scalar[SCALAR_WORDS]

  166. );

  167. 

  168. /**

  169.  * Precompute a table to accelerate fixed-point scalar

  170.  * multiplication using the "multiple signed combs" approach.

  171.  *

  172.  * This function computes $n$ "comb" tables, each containing

  173.  * 2^(t-1) points in tw_niels_t format.  You must have

  174.  * n * t * s >= SCALAR_BITS = 446 for complete coverage.

  175.  *

  176.  * The scalar multiplication algorithm may adjust the scalar by

  177.  * a multiple of q.  Therefore, we strongly recommend to use base

  178.  * points in the q-torsion group (i.e. doubly even points).

  179.  *

  180.  * @param [out] out The table to compute.

  181.  * @param [in] base The base point.

  182.  * @param [in] n The number of combs in the table.

  183.  * @param [in] t The number of teeth in each comb.

  184.  * @param [in] s The spacing between the teeth.

  185.  * @param [out] prealloc An optional preallocated array containing

  186.  * space for n<<(t-1) values of type tw_niels_t.

  187.  *

  188.  * @retval MASK_SUCCESS Success.

  189.  * @retval MASK_FAILURE Failure, most likely because we are out

  190.  * of memory.

  191.  */

  192. mask_t

  193. precompute_fixed_base (

  194.   struct fixed_base_table_t *out,

  195.   const tw_extensible_a_t base,

  196.   unsigned int n,

  197.   unsigned int t,

  198.   unsigned int s,

  199.   tw_niels_a_t *prealloc

  200. ) __attribute__((warn_unused_result));

  201. 

  202.  /**

  203.   * Destroy a fixed-base table.  Frees any memory that we allocated

  204.   * for the combs.

  205.   *

  206.   * @param [in] table The table to destroy.

  207.   */

  208. void

  209. destroy_fixed_base (

  210.     struct fixed_base_table_t *table

  211. );

  212. 

  213. /**

  214.  * Scalar multiplication with precomputation.  Set working to

  215.  * to [scalar] * Base, where Base is the base point passed to

  216.  * precompute_for_combs().

  217.  *

  218.  * The scalar may be adjusted by a multiple of q, so this routine

  219.  * can be wrong by a cofactor if the base has cofactor components.

  220.  *

  221.  * @param [out] out The output point.

  222.  * @param [in] scalar The scalar.

  223.  * @param [in] nbits The number of bits in the scalar.  Must be <= n*t*s.

  224.  * @param [in] table The precomputed table.

  225.  *

  226.  * @retval MASK_SUCCESS Success.

  227.  * @retval MASK_FAILURE Failure, because n*t*s < nbits

  228.  */ 

  229. mask_t

  230. scalarmul_fixed_base (

  231.     tw_extensible_a_t out,

  232.     const word_t *scalar,

  233.     unsigned int nbits,

  234.     const struct fixed_base_table_t *table

  235. );

  236. 

  237. /**

  238.  * Variable-time scalar multiplication.

  239.  *

  240.  * @warning This function takes variable time.  It is intended for

  241.  * microbenchmarking.

  242.  *

  243.  * @param [inout] working The input and output point.

  244.  * @param [in] scalar The scalar.

  245.  * @param [in] nbits The number of bits in the scalar

  246.  */ 

  247. void

  248. scalarmul_vt (

  249.     tw_extensible_a_t working,

  250.     const word_t *scalar,

  251.     unsigned int nbits

  252. );

  253. 

  254. 

  255. /**

  256.  * Precompute a table to accelerate fixed-point scalar

  257.  * multiplication (and, more importantly, linear combos)

  258.  * using the "windowed non-adjacent form" approach.

  259.  *

  260.  * @param [out] out The output table.  Must have room for 1<<i entries.

  261.  * @param [in] base The base point.

  262.  * @param [in] tbits The number of bits to put in the table.

  263.  *

  264.  * @retval MASK_SUCCESS Success.

  265.  * @retval MASK_FAILURE Failure, most likely because we are out

  266.  * of memory.

  267.  */

  268. mask_t

  269. precompute_fixed_base_wnaf (

  270.     tw_niels_a_t *out,

  271.     const tw_extensible_a_t base,

  272.     unsigned int tbits

  273. ) __attribute__((warn_unused_result));

  274. 

  275. /**

  276.  * Variable-time scalar multiplication with precomputed WNAF

  277.  * tables.

  278.  *

  279.  * @warning This function takes variable time.  It is intended for

  280.  * microbenchmarking.

  281.  *

  282.  * @param [out] out The output point.

  283.  * @param [in] scalar The scalar.

  284.  * @param [in] nbits The number of bits in the scalar.

  285.  * @param [in] precmp The precomputed WNAF table.

  286.  * @param [in] table_bits The number of bits in the WNAF table.

  287.  */ 

  288. void

  289. scalarmul_fixed_base_wnaf_vt (

  290.     tw_extensible_a_t out,

  291.     const word_t *scalar,

  292.     unsigned int nbits,

  293.     const tw_niels_a_t *precmp,

  294.     unsigned int table_bits

  295. );

  296. 

  297. 

  298. /**

  299.  * Variable-time scalar linear combination of two points: one

  300.  * variable, and one fixed (with fixed-base WNAF tables)

  301.  *

  302.  * @warning This function takes variable time.  It is intended for

  303.  * signature verification.

  304.  *

  305.  * @param [inout] working The output point, and also the variable input.

  306.  * @param [in] scalar_var The scalar for the variable input.

  307.  * @param [in] nbits_var The number of bits in scalar_var.

  308.  * @param [in] scalar_pre The scalar for the fixed input.

  309.  * @param [in] nbits_pre The number of bits in scalar_pre.

  310.  * @param [in] precmp The precomputed WNAF table.

  311.  * @param [in] table_bits_pre The number of bits in the WNAF table.

  312.  */ 

  313. void

  314. linear_combo_var_fixed_vt (

  315.     tw_extensible_a_t working,

  316.     const word_t scalar_var[SCALAR_WORDS],

  317.     unsigned int nbits_var,

  318.     const word_t scalar_pre[SCALAR_WORDS],

  319.     unsigned int nbits_pre,

  320.     const tw_niels_a_t *precmp,

  321.     unsigned int table_bits_pre

  322. );

  323. 

  324. /**

  325.  * Variable-time scalar linear combination of two fixed points.

  326.  *

  327.  * @warning This function takes variable time.  It is intended for

  328.  * signature verification.

  329.  *

  330.  * @param [out] working The output point.

  331.  * @param [in] scalar1 The first scalar.

  332.  * @param [in] nbits1 The number of bits in the first scalar.

  333.  * @param [in] table1 The first precomputed table.

  334.  * @param [in] scalar2 The second scalar.

  335.  * @param [in] nbits1 The number of bits in the second scalar.

  336.  * @param [in] table1 The second precomputed table.

  337.  *

  338.  * @retval MASK_SUCCESS Success.

  339.  * @retval MASK_FAILURE Failure, because eg the tables are too small.

  340.  */

  341. mask_t

  342. linear_combo_combs_vt (

  343.     tw_extensible_a_t out,

  344.     const word_t scalar1[SCALAR_WORDS],

  345.     unsigned int nbits1,

  346.     const struct fixed_base_table_t *table1,

  347.     const word_t scalar2[SCALAR_WORDS],

  348.     unsigned int nbits2,

  349.     const struct fixed_base_table_t *table2

  350. );

  351. 

  352. #ifdef __cplusplus

  353. };

  354. #endif

  355. 

  356. #endif /* __P448_ALGO_H__ */