jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: 25697caf5c
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '25697caf5c'
${ noResults }
ed448goldilocks/bench.c

781 lines
22 KiB
Raw Blame History 

  1. /* Copyright (c) 2014 Cryptography Research, Inc.

  2.  * Released under the MIT License.  See LICENSE.txt for license information.

  3.  */

  4. 

  5. #include <sys/time.h>

  6. #include <sys/types.h>

  7. #include <stdlib.h>

  8. #include <stdio.h>

  9. #include <memory.h>

  10. 

  11. #include "p448.h"

  12. #include "ec_point.h"

  13. #include "scalarmul.h"

  14. #include "barrett_field.h"

  15. #include "crandom.h"

  16. #include "goldilocks.h"

  17. 

  18. word_t q448_lo[4] = {

  19.     0xdc873d6d54a7bb0dull,

  20.     0xde933d8d723a70aaull,

  21.     0x3bb124b65129c96full,

  22.     0x000000008335dc16ull

  23. };

  24. 

  25. double now() {

  26.   struct timeval tv;

  27.   gettimeofday(&tv, NULL);

  28.   

  29.   return tv.tv_sec + tv.tv_usec/1000000.0;

  30. }

  31. 

  32. void p448_randomize( struct crandom_state_t *crand, struct p448_t *a ) {

  33.     crandom_generate(crand, (unsigned char *)a, sizeof(*a));

  34.     p448_strong_reduce(a);

  35. }

  36. 

  37. void q448_randomize( struct crandom_state_t *crand, uint64_t sk[7] ) {

  38.     crandom_generate(crand, (unsigned char *)sk, sizeof(uint64_t)*7);

  39. }

  40. 

  41. void p448_print( const char *descr, const struct p448_t *a ) {

  42.     p448_t b;

  43.     p448_copy(&b, a);

  44.     p448_strong_reduce(&b);

  45.     int j;

  46.     printf("%s = 0x", descr);

  47.     for (j=7; j>=0; j--) {

  48.         printf("%014llx", (unsigned long long)b.limb[j]);

  49.     }

  50.     printf("\n");

  51. }

  52. 

  53. void p448_print_full( const char *descr, const struct p448_t *a ) {

  54.     int j;

  55.     printf("%s = 0x", descr);

  56.     for (j=7; j>=0; j--) {

  57.         printf("%02llx_%014llx ", a->limb[j]>>56, (unsigned long long)a->limb[j]&(1ull<<56)-1);

  58.     }

  59.     printf("\n");

  60. }

  61. 

  62. void q448_print( const char *descr, const uint64_t secret[7] ) {

  63.     int j;

  64.     printf("%s = 0x", descr);

  65.     for (j=6; j>=0; j--) {

  66.         printf("%016llx", (unsigned long long)secret[j]);

  67.     }

  68.     printf("\n");

  69. }

  70. 

  71. int main(int argc, char **argv) {

  72.     (void)argc;

  73.     (void)argv;

  74. 

  75.     struct tw_extensible_t ext;

  76.     struct extensible_t exta;

  77.     struct tw_niels_t niels;

  78.     struct tw_pniels_t pniels;

  79.     struct affine_t affine;

  80.     struct montgomery_t mb;

  81.     struct p448_t a,b,c,d;

  82.     

  83.     

  84.     double when;

  85.     int i,j;

  86.     

  87.     /* Bad randomness so we can debug. */

  88.     char initial_seed[32];

  89.     for (i=0; i<32; i++) initial_seed[i] = i;

  90.     struct crandom_state_t crand;

  91.     crandom_init_from_buffer(&crand, initial_seed);

  92.     

  93.     uint64_t sk[7],tk[7];

  94.     q448_randomize(&crand, sk);

  95.     

  96.     when = now();

  97.     for (i=0; i<10000000; i++) {

  98.         p448_mul(&c, &b, &a);

  99.     }

  100.     when = now() - when;

  101.     printf("mul:         %5.1fns\n", when * 1e9 / i);

  102.     

  103.     when = now();

  104.     for (i=0; i<10000000; i++) {

  105.         p448_sqr(&c, &a);

  106.     }

  107.     when = now() - when;

  108.     printf("sqr:         %5.1fns\n", when * 1e9 / i);

  109.     

  110.     when = now();

  111.     for (i=0; i<5000000; i++) {

  112.         p448_mul(&c, &b, &a);

  113.         p448_mul(&a, &b, &c);

  114.     }

  115.     when = now() - when;

  116.     printf("mul dep:     %5.1fns\n", when * 1e9 / i / 2);

  117.     

  118.     when = now();

  119.     for (i=0; i<10000000; i++) {

  120.         p448_mulw(&c, &b, 1234562);

  121.     }

  122.     when = now() - when;

  123.     printf("mulw:        %5.1fns\n", when * 1e9 / i);

  124.     

  125.     when = now();

  126.     for (i=0; i<100000; i++) {

  127.         p448_randomize(&crand, &a);

  128.     }

  129.     when = now() - when;

  130.     printf("rand448:     %5.1fns\n", when * 1e9 / i);

  131.     

  132.     when = now();

  133.     for (i=0; i<10000; i++) {

  134.         p448_isr(&c, &a);

  135.     }

  136.     when = now() - when;

  137.     printf("isr auto:    %5.1fµs\n", when * 1e6 / i);

  138.     

  139.     for (i=0; i<100; i++) {

  140.         p448_randomize(&crand, &a);

  141.         p448_isr(&d,&a);

  142.         p448_sqr(&b,&d);

  143.         p448_mul(&c,&b,&a);

  144.         p448_sqr(&b,&c);

  145.         p448_subw(&b,1);

  146.         p448_bias(&b,1);

  147.         if (!p448_is_zero(&b)) {

  148.             printf("ISR validation failure!\n");

  149.             p448_print("a", &a);

  150.             p448_print("s", &d);

  151.         }

  152.     }

  153.     

  154.     when = now();

  155.     for (i=0; i<10000; i++) {

  156.         elligator_2s_inject(&affine, &a);

  157.     }

  158.     when = now() - when;

  159.     printf("elligator:   %5.1fµs\n", when * 1e6 / i);

  160.     

  161.     for (i=0; i<100; i++) {

  162.         p448_randomize(&crand, &a);

  163.         elligator_2s_inject(&affine, &a);

  164.         if (!p448_affine_validate(&affine)) {

  165.             printf("Elligator validation failure!\n");

  166.             p448_print("a", &a);

  167.             p448_print("x", &affine.x);

  168.             p448_print("y", &affine.y);

  169.         }

  170.     }

  171.     

  172.     when = now();

  173.     for (i=0; i<10000; i++) {

  174.         affine_deserialize(&affine, &a);

  175.     }

  176.     when = now() - when;

  177.     printf("decompress:  %5.1fµs\n", when * 1e6 / i);

  178.     

  179.     when = now();

  180.     for (i=0; i<10000; i++) {

  181.         extensible_serialize(&a, &exta);

  182.     }

  183.     when = now() - when;

  184.     printf("compress:    %5.1fµs\n", when * 1e6 / i);

  185.     

  186.     int goods = 0;

  187.     for (i=0; i<100; i++) {

  188.         p448_randomize(&crand, &a);

  189.         mask_t good = affine_deserialize(&affine, &a);

  190.         if (good & !p448_affine_validate(&affine)) {

  191.             printf("Deserialize validation failure!\n");

  192.             p448_print("a", &a);

  193.             p448_print("x", &affine.x);

  194.             p448_print("y", &affine.y);

  195.         } else if (good) {

  196.             goods++;

  197.             convert_affine_to_extensible(&exta,&affine);

  198.             extensible_serialize(&b, &exta);

  199.             p448_sub(&c,&b,&a);

  200.             p448_bias(&c,2);

  201.             if (!p448_is_zero(&c)) {

  202.                 printf("Reserialize validation failure!\n");

  203.                 p448_print("a", &a);

  204.                 p448_print("x", &affine.x);

  205.                 p448_print("y", &affine.y);

  206.                 affine_deserialize(&affine, &b);

  207.                 p448_print("b", &b);

  208.                 p448_print("x", &affine.x);

  209.                 p448_print("y", &affine.y);

  210.                 printf("\n");

  211.             }

  212.         }

  213.     }

  214.     if (goods<i/3) {

  215.         printf("Deserialization validation failure! Deserialized %d/%d points\n", goods, i);

  216.     }

  217.     

  218.     uint64_t lsk[12];

  219.     for (i=0;i<10; i++) {

  220.         for (j=11; j>=0; j--) {

  221.             lsk[j] = random();

  222.             lsk[j] = lsk[j]<<22 ^ random();

  223.             lsk[j] = lsk[j]<<22 ^ random();

  224.         }

  225.     }

  226.     

  227.     when = now();

  228.     for (i=0; i<1000000; i++) {

  229.         barrett_reduce(lsk,12,0,q448_lo,7,4,62);

  230.     }

  231.     when = now() - when;

  232.     printf("barrett red: %5.1fns\n", when * 1e9 / i);

  233.     

  234.     when = now();

  235.     for (i=0; i<100000; i++) {

  236.         barrett_mac(lsk,7,lsk,7,lsk,7,q448_lo,7,4,62);

  237.     }

  238.     when = now() - when;

  239.     printf("barrett mac: %5.1fns\n", when * 1e9 / i);

  240.     

  241.     when = now();

  242.     for (i=0; i<1000000; i++) {

  243.         p448_tw_extensible_add_niels(&ext, &niels);

  244.     }

  245.     when = now() - when;

  246.     printf("exti+niels:  %5.1fns\n", when * 1e9 / i);

  247.     

  248.     when = now();

  249.     for (i=0; i<1000000; i++) {

  250.         p448_tw_extensible_add_pniels(&ext, &pniels);

  251.     }

  252.     when = now() - when;

  253.     printf("exti+pniels: %5.1fns\n", when * 1e9 / i);

  254.     

  255.     when = now();

  256.     for (i=0; i<1000000; i++) {

  257.         p448_tw_extensible_double(&ext);

  258.     }

  259.     when = now() - when;

  260.     printf("exti dbl:    %5.1fns\n", when * 1e9 / i);

  261.     

  262.     when = now();

  263.     for (i=0; i<1000000; i++) {

  264.         p448_isogeny_tw_to_un(&exta, &ext);

  265.     }

  266.     when = now() - when;

  267.     printf("i->a isog:   %5.1fns\n", when * 1e9 / i);

  268.     

  269.     when = now();

  270.     for (i=0; i<1000000; i++) {

  271.         p448_isogeny_un_to_tw(&ext, &exta);

  272.     }

  273.     when = now() - when;

  274.     printf("a->i isog:   %5.1fns\n", when * 1e9 / i);

  275.     

  276.     when = now();

  277.     for (i=0; i<1000000; i++) {

  278.         p448_montgomery_step(&mb);

  279.     }

  280.     when = now() - when;

  281.     printf("monty step:  %5.1fns\n", when * 1e9 / i);

  282. 	

  283.     when = now();

  284.     for (i=0; i<1000; i++) {

  285.         p448_montgomery_ladder(&a,&b,sk,448,0);

  286.     }

  287.     when = now() - when;

  288.     printf("full ladder: %5.1fµs\n", when * 1e6 / i);

  289.     

  290.     when = now();

  291.     for (i=0; i<1000; i++) {

  292.         edwards_scalar_multiply(&ext,sk);

  293.     }

  294.     when = now() - when;

  295.     printf("edwards smz: %5.1fµs\n", when * 1e6 / i);

  296.     

  297.     when = now();

  298.     int sum = 0;

  299.     for (i=0; i<1000; i++) {

  300.         q448_randomize(&crand, sk);

  301.         sum += edwards_scalar_multiply_vt(&ext,sk);

  302.     }

  303.     when = now() - when;

  304.     printf("edwards vtm: %5.1fµs (%0.2f avg bits = 1.5 + 448/%0.2f)\n",

  305.         when * 1e6 / i, 1.0*sum/i, 448.0*i/(sum-1.5*i));

  306.     

  307.     struct tw_niels_t wnaft[1<<6];

  308.     when = now();

  309.     for (i=0; i<1000; i++) {

  310.         precompute_for_wnaf(wnaft,&ext,6);

  311.     }

  312.     when = now() - when;

  313.     printf("wnaf6 pre:   %5.1fµs\n", when * 1e6 / i);

  314.     

  315.     when = now();

  316.     for (i=0; i<1000; i++) {

  317.         q448_randomize(&crand, sk);

  318.         edwards_scalar_multiply_vt_pre(&ext,sk,wnaft,6);

  319.     }

  320.     when = now() - when;

  321.     printf("edwards vt6: %5.1fµs\n", when * 1e6 / i);

  322.     

  323.     when = now();

  324.     for (i=0; i<1000; i++) {

  325.         precompute_for_wnaf(wnaft,&ext,4);

  326.     }

  327.     when = now() - when;

  328.     printf("wnaf4 pre:   %5.1fµs\n", when * 1e6 / i);

  329.     

  330.     when = now();

  331.     for (i=0; i<1000; i++) {

  332.         q448_randomize(&crand, sk);

  333.         edwards_scalar_multiply_vt_pre(&ext,sk,wnaft,4);

  334.     }

  335.     when = now() - when;

  336.     printf("edwards vt4: %5.1fµs\n", when * 1e6 / i);

  337. 

  338.     when = now();

  339.     for (i=0; i<1000; i++) {

  340.         precompute_for_wnaf(wnaft,&ext,5);

  341.     }

  342.     when = now() - when;

  343.     printf("wnaf5 pre:   %5.1fµs\n", when * 1e6 / i);

  344.     

  345.     when = now();

  346.     for (i=0; i<1000; i++) {

  347.         q448_randomize(&crand, sk);

  348.         edwards_scalar_multiply_vt_pre(&ext,sk,wnaft,5);

  349.     }

  350.     when = now() - when;

  351.     printf("edwards vt5: %5.1fµs\n", when * 1e6 / i);

  352.     

  353.     when = now();

  354.     sum = 0;

  355.     for (i=0; i<1000; i++) {

  356.         q448_randomize(&crand, sk);

  357.         q448_randomize(&crand, tk);

  358.         sum += edwards_combo_var_fixed_vt(&ext,sk,tk,wnaft,5);

  359.     }

  360.     when = now() - when;

  361.     printf("vt vf combo: %5.1fµs (avg = %0.3f)\n", when * 1e6 / i, 1.0*sum/i);

  362.     

  363.     when = now();

  364.     for (i=0; i<1000; i++) {

  365.         affine_deserialize(&affine, &a);

  366.         convert_affine_to_extensible(&exta,&affine);

  367.         p448_isogeny_un_to_tw(&ext,&exta);

  368.         edwards_scalar_multiply(&ext,sk);

  369.         p448_isogeny_tw_to_un(&exta,&ext);

  370.         extensible_serialize(&b, &exta);

  371.     }

  372.     when = now() - when;

  373.     printf("edwards sm:  %5.1fµs\n", when * 1e6 / i);

  374.     

  375.     struct tw_niels_t table[80] __attribute__((aligned(32)));

  376. 

  377.     while (1) {

  378.         p448_randomize(&crand, &a);

  379.         if (affine_deserialize(&affine, &a)) break;

  380.     }

  381.     convert_affine_to_extensible(&exta,&affine);

  382.     p448_isogeny_un_to_tw(&ext,&exta);

  383.     when = now();

  384.     for (i=0; i<1000; i++) {

  385.         precompute_for_combs(table, &ext, 5, 5, 18);

  386.     }

  387.     when = now() - when;

  388.     printf("pre(5,5,18): %5.1fµs\n", when * 1e6 / i);

  389. 	

  390.     when = now();

  391.     for (i=0; i<10000; i++) {

  392.         edwards_comb(&ext, sk, table, 5, 5, 18);

  393.     }

  394.     when = now() - when;

  395.     printf("com(5,5,18): %5.1fµs\n", when * 1e6 / i);

  396.     

  397.     when = now();

  398.     for (i=0; i<10000; i++) {

  399.         edwards_comb(&ext, sk, table, 3, 5, 30);

  400.     }

  401.     when = now() - when;

  402.     printf("com(3,5,30): %5.1fµs\n", when * 1e6 / i);

  403.     

  404.     when = now();

  405.     for (i=0; i<10000; i++) {

  406.         edwards_comb(&ext, sk, table, 2, 5, 45);

  407.     }

  408.     when = now() - when;

  409.     printf("com(2,5,45): %5.1fµs\n", when * 1e6 / i);

  410. 

  411.     when = now();

  412.     for (i=0; i<10000; i++) {

  413.         edwards_comb(&ext, sk, table, 8, 4, 14);

  414.     }

  415.     when = now() - when;

  416.     printf("com(4,4,28): %5.1fµs\n", when * 1e6 / i);

  417.     

  418.     when = now();

  419.     for (i=0; i<10000; i++) {

  420.         q448_randomize(&crand, sk);

  421.         edwards_comb(&ext, sk, table, 5, 5, 18);

  422.         p448_isogeny_tw_to_un(&exta,&ext);

  423.         extensible_serialize(&b, &exta);

  424.     }

  425.     when = now() - when;

  426.     printf("keygen:      %5.1fµs\n", when * 1e6 / i);

  427.     

  428.     printf("\nGoldilocks:\n");

  429.     

  430.     int res = goldilocks_init();

  431.     assert(!res);

  432.     

  433.     uint8_t gpk[56],gsk[56],hsk[56],hpk[56];

  434.     

  435.     when = now();

  436.     for (i=0; i<10000; i++) {

  437.         if (i&1) {

  438.             res = goldilocks_keygen(gsk,gpk);

  439.         } else {

  440.             res = goldilocks_keygen(hsk,hpk);

  441.         }

  442.         assert(!res);

  443.     }

  444.     when = now() - when;

  445.     printf("keygen:      %5.1fµs\n", when * 1e6 / i);

  446.     

  447.     uint8_t ss1[64],ss2[64];

  448.     int gres1,gres2;

  449.     when = now();

  450.     for (i=0; i<10000; i++) {

  451.         if (i&1) {

  452.             gres1 = goldilocks_shared_secret(ss1,gsk,hpk);

  453.         } else {

  454.             gres2 = goldilocks_shared_secret(ss2,hsk,gpk);

  455.         }

  456.     }

  457.     when = now() - when;

  458.     printf("ecdh:        %5.1fµs\n", when * 1e6 / i);

  459.     if (gres1 || gres2 || memcmp(ss1,ss2,56)) {

  460.         printf("[FAIL] %d %d\n",gres1,gres2);

  461.         

  462.         printf("ss1 = ");

  463.         for (i=0; i<56; i++) {

  464.             printf("%02x", ss1[i]);

  465.         }

  466.         printf("\nss2 = ");

  467.         for (i=0; i<56; i++) {

  468.             printf("%02x", ss2[i]);

  469.         }

  470.         printf("\n");

  471.     }

  472.     

  473.     printf("\nTesting...\n");

  474.     

  475.     int failures=0, successes = 0;

  476.     for (i=0; i<1000; i++) {

  477.         p448_randomize(&crand, &a);

  478. 		uint64_t two = 2;

  479.         mask_t good = p448_montgomery_ladder(&b,&a,&two,2,0);

  480. 		if (!good) continue;

  481. 		

  482. 		uint64_t x = rand(), y=rand(), z=x*y;

  483. 		p448_montgomery_ladder(&b,&a,&x,64,0);

  484.         p448_montgomery_ladder(&c,&b,&y,64,0);

  485.         p448_montgomery_ladder(&b,&a,&z,64,0);

  486.         

  487.         p448_sub(&d,&b,&c);

  488.         p448_bias(&d,2);

  489. 		if (!p448_is_zero(&d)) {

  490.             printf("Odd ladder validation failure %d!\n", ++failures);

  491.             p448_print("a", &a);

  492.             printf("x=%llx, y=%llx, z=%llx\n", x,y,z);

  493.             p448_print("c", &c);

  494.             p448_print("b", &b);

  495. 			printf("\n");

  496. 		}

  497. 	}

  498.     

  499.     failures = 0;

  500.     for (i=0; i<1000; i++) {

  501.         mask_t good;

  502.         do {

  503.             p448_randomize(&crand, &a);

  504.             good = affine_deserialize(&affine, &a);

  505.         } while (!good);

  506.         

  507.         convert_affine_to_extensible(&exta,&affine);

  508.         p448_isogeny_un_to_tw(&ext,&exta);

  509.         p448_isogeny_tw_to_un(&exta,&ext);

  510.         extensible_serialize(&b, &exta);

  511.         isogeny_and_serialize(&c, &ext);

  512.         

  513.         p448_sub(&d,&b,&c);

  514.         p448_bias(&d,2);

  515.         

  516.         if (good && !p448_is_zero(&d)){

  517.             printf("Iso+serial validation failure %d!\n", ++failures);

  518.             p448_print("a", &a);

  519.             p448_print("b", &b);

  520.             p448_print("c", &c);

  521.             printf("\n");

  522.         } else if (good) {

  523.             successes ++;

  524.         }

  525.     }

  526.     if (successes < i/3) {

  527.         printf("Iso+serial variation: only %d/%d successful.\n", successes, i);

  528.     }

  529.         

  530.     failures = 0;

  531.     uint64_t four = 4;

  532.     for (i=0; i<1000; i++) {

  533.         p448_randomize(&crand, &a);

  534.         q448_randomize(&crand, sk);

  535.         

  536.         mask_t good = p448_montgomery_ladder(&b,&a,&four,3,0);

  537.         good &= p448_montgomery_ladder(&c,&b,sk,448,0);

  538.         

  539.         mask_t goodb = affine_deserialize(&affine, &a);

  540.         convert_affine_to_extensible(&exta,&affine);

  541.         p448_isogeny_un_to_tw(&ext,&exta);

  542.         edwards_scalar_multiply(&ext,sk);

  543.         p448_isogeny_tw_to_un(&exta,&ext);

  544.         extensible_serialize(&b, &exta);

  545.         

  546.         p448_sub(&d,&b,&c);

  547.         p448_bias(&d,2);

  548.         

  549.         if (good != goodb) {

  550.             printf("Compatibility validation failure %d: good: %d != %d\n", ++failures, (int)(-good), (int)(-goodb));

  551.         } else if (good && !p448_is_zero(&d)){

  552.             printf("Compatibility validation failure %d!\n", ++failures);

  553.             p448_print("a", &a);

  554.             q448_print("s", sk);

  555.             p448_print("c", &c);

  556.             p448_print("b", &b);

  557.             printf("\n");

  558.         } else if (good) {

  559.             successes ++;

  560.         }

  561.     }

  562.     if (successes < i/3) {

  563.         printf("Compatibility variation: only %d/%d successful.\n", successes, i);

  564.     }

  565.         

  566.     successes = failures = 0;

  567.     for (i=0; i<1000; i++) {

  568.         p448_randomize(&crand, &a);

  569.         q448_randomize(&crand, sk);

  570. 		if (!i) bzero(&sk, sizeof(sk));

  571.         

  572.         mask_t good = p448_montgomery_ladder(&b,&a,&four,3,0);

  573.         good &= p448_montgomery_ladder(&c,&b,sk,448,0);

  574.         if (!good) continue;

  575.         

  576.         affine_deserialize(&affine, &a);

  577.         convert_affine_to_extensible(&exta,&affine);

  578.         p448_isogeny_un_to_tw(&ext,&exta);

  579.         

  580.         precompute_for_combs(table, &ext, 5, 5, 18);

  581.         edwards_comb(&ext, sk, table, 5, 5, 18);

  582.         p448_isogeny_tw_to_un(&exta,&ext);

  583.         extensible_serialize(&b, &exta);

  584.         

  585.         p448_sub(&d,&b,&c);

  586.         p448_bias(&d,2);

  587.         

  588.         if (!p448_is_zero(&d)){

  589.             printf("Comb validation failure %d!\n", ++failures);

  590.             p448_print("a", &a);

  591.             q448_print("s", sk);

  592.             p448_print("c", &c);

  593.             p448_print("b", &b);

  594.             printf("\n");

  595.         } else if (good) {

  596.             successes ++;

  597.         }

  598.     }

  599.     if (successes < i/3) {

  600.         printf("Comb variation: only %d/%d successful.\n", successes, i);

  601.     }

  602.         

  603.     successes = failures = 0;

  604.     for (i=0; i<1000; i++) {

  605.         p448_randomize(&crand, &a);

  606.         q448_randomize(&crand, sk);

  607. 		if (!i) bzero(&sk, sizeof(sk));

  608.         

  609.         mask_t good = affine_deserialize(&affine, &a);

  610.         if (!good) continue;

  611.         

  612.         convert_affine_to_extensible(&exta,&affine);

  613.         p448_isogeny_un_to_tw(&ext,&exta);

  614.         struct tw_extensible_t exu;

  615.         copy_tw_extensible(&exu, &ext);

  616.         

  617.         edwards_scalar_multiply(&ext,sk);

  618.         p448_isogeny_tw_to_un(&exta,&ext);

  619.         extensible_serialize(&b, &exta);

  620.         

  621.         edwards_scalar_multiply_vt(&exu,sk);

  622.         p448_isogeny_tw_to_un(&exta,&exu);

  623.         extensible_serialize(&c, &exta);

  624.         

  625.         p448_sub(&d,&b,&c);

  626.         p448_bias(&d,2);

  627.         

  628.         if (!p448_is_zero(&d)){

  629.             printf("WNAF validation failure %d!\n", ++failures);

  630.             p448_print("a", &a);

  631.             q448_print("s", sk);

  632.             p448_print("c", &c);

  633.             p448_print("b", &b);

  634.             printf("\n");

  635.         } else if (good) {

  636.             successes ++;

  637.         }

  638.     }

  639.     if (successes < i/3) {

  640.         printf("WNAF variation: only %d/%d successful.\n", successes, i);

  641.     }

  642.         

  643.     successes = failures = 0;

  644.     for (i=0; i<1000; i++) {

  645.         p448_randomize(&crand, &a);

  646.         q448_randomize(&crand, sk);

  647. 		if (!i) bzero(&sk, sizeof(sk));

  648.         

  649.         mask_t good = affine_deserialize(&affine, &a);

  650.         if (!good) continue;

  651.         

  652.         convert_affine_to_extensible(&exta,&affine);

  653.         p448_isogeny_un_to_tw(&ext,&exta);

  654.         struct tw_extensible_t exu;

  655.         copy_tw_extensible(&exu, &ext);

  656.         

  657.         edwards_scalar_multiply(&ext,sk);

  658.         p448_isogeny_tw_to_un(&exta,&ext);

  659.         extensible_serialize(&b, &exta);

  660. 

  661.         precompute_for_wnaf(wnaft,&exu,5);

  662.         edwards_scalar_multiply_vt_pre(&exu,sk,wnaft,5);

  663.         p448_isogeny_tw_to_un(&exta,&exu);

  664.         extensible_serialize(&c, &exta);

  665.         

  666.         p448_sub(&d,&b,&c);

  667.         p448_bias(&d,2);

  668.         

  669.         if (!p448_is_zero(&d)){

  670.             printf("PreWNAF validation failure %d!\n", ++failures);

  671.             p448_print("a", &a);

  672.             q448_print("s", sk);

  673.             p448_print("c", &c);

  674.             p448_print("b", &b);

  675.             for (j=0; j<1<<5; j++) {

  676.                 printf("WNAFT %d\n", j);

  677.                 p448_print("  a",&wnaft[j].a);

  678.                 p448_print("  b",&wnaft[j].b);

  679.                 p448_print("  c",&wnaft[j].c);

  680.             }

  681.             printf("\n\n");

  682.         } else if (good) {

  683.             successes ++;

  684.         }

  685.     }

  686.     if (successes < i/3) {

  687.         printf("PreWNAF variation: only %d/%d successful.\n", successes, i);

  688.     }

  689.     

  690.     successes = failures = 0;

  691.     for (i=0; i<1000; i++) {

  692.         struct p448_t aa;

  693.         struct tw_extensible_t exu,exv,exw;

  694.         

  695.         mask_t good;

  696.         do {

  697.             p448_randomize(&crand, &a);

  698.             good = affine_deserialize(&affine, &a);

  699.             convert_affine_to_extensible(&exta,&affine);

  700.             p448_isogeny_un_to_tw(&ext,&exta);

  701.         } while (!good);

  702.         do {

  703.             p448_randomize(&crand, &aa);

  704.             good = affine_deserialize(&affine, &aa);

  705.             convert_affine_to_extensible(&exta,&affine);

  706.             p448_isogeny_un_to_tw(&exu,&exta);

  707.         } while (!good);

  708.         p448_randomize(&crand, &aa);

  709.         

  710.         q448_randomize(&crand, sk);

  711. 		if (i==0 || i==2) bzero(&sk, sizeof(sk));

  712.         q448_randomize(&crand, tk);

  713. 		if (i==0 || i==1) bzero(&tk, sizeof(tk));

  714.         

  715.         copy_tw_extensible(&exv, &ext);

  716.         copy_tw_extensible(&exw, &exu);

  717.         edwards_scalar_multiply(&exv,sk);

  718.         edwards_scalar_multiply(&exw,tk);

  719.         convert_tw_extensible_to_tw_pniels(&pniels, &exw);

  720.         p448_tw_extensible_add_pniels(&exv,&pniels);

  721.         p448_isogeny_tw_to_un(&exta,&exv);

  722.         extensible_serialize(&b, &exta);

  723. 

  724.         precompute_for_wnaf(wnaft,&exu,5);

  725.         edwards_combo_var_fixed_vt(&ext,sk,tk,wnaft,5);

  726.         p448_isogeny_tw_to_un(&exta,&exv);

  727.         extensible_serialize(&c, &exta);

  728.         

  729.         p448_sub(&d,&b,&c);

  730.         p448_bias(&d,2);

  731.         

  732.         if (!p448_is_zero(&d)){

  733.             printf("PreWNAF combo validation failure %d!\n", ++failures);

  734.             p448_print("a", &a);

  735.             p448_print("A", &aa);

  736.             q448_print("s", sk);

  737.             q448_print("t", tk);

  738.             p448_print("c", &c);

  739.             p448_print("b", &b);

  740.             printf("\n\n");

  741.         } else if (good) {

  742.             successes ++;

  743.         }

  744.     }

  745.     if (successes < i) {

  746.         printf("PreWNAF combo variation: only %d/%d successful.\n", successes, i);

  747.     }

  748.     

  749.     successes = failures = 0;

  750.     for (i=0; i<1000; i++) {

  751.         p448_randomize(&crand, &a);

  752.         

  753.         q448_randomize(&crand, sk);

  754.         q448_randomize(&crand, tk);

  755.         

  756. 		uint64_t two = 2;

  757.         mask_t good = p448_montgomery_ladder(&b,&a,&two,2,0);

  758. 		p448_montgomery_ladder(&b,&a,sk,448,0);

  759.         p448_montgomery_ladder(&d,&b,tk,448,0);

  760.         p448_montgomery_ladder(&b,&a,tk,448,0);

  761.         p448_montgomery_ladder(&c,&b,sk,448,0);

  762.         

  763.         p448_sub(&b,&c,&d);

  764.         p448_bias(&b,2);

  765.         

  766.         mask_t success = p448_is_zero(&b) | ~good;

  767.         

  768.         if (!success) {

  769.             printf("Ladder validation failure %d!\n", ++failures);

  770.             p448_print("a", &a);

  771.             q448_print("s", sk);

  772.             q448_print("t", tk);

  773.             p448_print("c", &c);

  774.             p448_print("d", &d);

  775.             printf("\n");

  776.         }

  777.     }

  778.     

  779.     return 0;

  780. }