jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: 25697caf5c
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '25697caf5c'
${ noResults }
ed448goldilocks/goldilocks.c

169 lines
4.1 KiB
Raw Blame History 

  1. /* Copyright (c) 2014 Cryptography Research, Inc.

  2.  * Released under the MIT License.  See LICENSE.txt for license information.

  3.  */

  4. #include "goldilocks.h"

  5. #include "ec_point.h"

  6. #include "scalarmul.h"

  7. #include "barrett_field.h"

  8. #include "crandom.h"

  9. 

  10. #ifndef GOLDILOCKS_RANDOM_INIT_FILE

  11. #define GOLDILOCKS_RANDOM_INIT_FILE "/dev/urandom"

  12. #endif

  13. 

  14. #ifndef GOLDILOCKS_RANDOM_RESEED_INTERVAL

  15. #define GOLDILOCKS_RANDOM_RESEED_INTERVAL 10000

  16. #endif

  17. 

  18. /* We'll check it ourselves */

  19. #ifndef GOLDILOCKS_RANDOM_RESEEDS_MANDATORY

  20. #define GOLDILOCKS_RANDOM_RESEEDS_MANDATORY 0

  21. #endif

  22. 

  23. /* TODO: word size; precompute */

  24. const struct affine_t goldilocks_base_point = {

  25.     {{ 0xf0de840aed939full, 0xc170033f4ba0c7ull, 0xf3932d94c63d96ull, 0x9cecfa96147eaaull,

  26.        0x5f065c3c59d070ull, 0x3a6a26adf73324ull, 0x1b4faff4609845ull, 0x297ea0ea2692ffull

  27.     }},

  28.     {{ 19, 0, 0, 0, 0, 0, 0, 0 }}

  29. };

  30. 

  31. // FIXME: threading

  32. // TODO: autogen instead of init

  33. struct {

  34.     struct tw_niels_t combs[80];

  35.     struct tw_niels_t wnafs[32];

  36.     struct crandom_state_t rand;

  37. } goldilocks_global;

  38. 

  39. int

  40. goldilocks_init() {

  41.     struct extensible_t ext;

  42.     struct tw_extensible_t text;

  43.     

  44.     /* Sanity check: the base point is on the curve. */

  45.     assert(p448_affine_validate(&goldilocks_base_point));

  46.     

  47.     /* Convert it to twisted Edwards. */

  48.     convert_affine_to_extensible(&ext, &goldilocks_base_point);

  49.     p448_isogeny_un_to_tw(&text, &ext);

  50.     

  51.     /* Precompute the tables. */

  52.     precompute_for_combs(goldilocks_global.combs, &text, 5, 5, 18);

  53.     precompute_for_wnaf(goldilocks_global.wnafs, &text, 5);

  54.     

  55.     return crandom_init_from_file(&goldilocks_global.rand,

  56.         GOLDILOCKS_RANDOM_INIT_FILE,

  57.         GOLDILOCKS_RANDOM_RESEED_INTERVAL,

  58.         GOLDILOCKS_RANDOM_RESEEDS_MANDATORY);

  59. }

  60. 

  61. // TODO: move to a better place

  62. // TODO: word size

  63. void

  64. p448_serialize(uint8_t *serial, const struct p448_t *x) {

  65.     int i,j;

  66.     p448_t red;

  67.     p448_copy(&red, x);

  68.     p448_strong_reduce(&red);

  69.     for (i=0; i<8; i++) {

  70.         for (j=0; j<7; j++) {

  71.             serial[7*i+j] = red.limb[i];

  72.             red.limb[i] >>= 8;

  73.         }

  74.         assert(red.limb[i] == 0);

  75.     }

  76. }

  77. 

  78. void

  79. q448_serialize(uint8_t *serial, const word_t x[7]) {

  80.     int i,j;

  81.     for (i=0; i<7; i++) {

  82.         for (j=0; j<8; j++) {

  83.             serial[8*i+j] = x[i]>>(8*j);

  84.         }

  85.     }

  86. }

  87. 

  88. mask_t

  89. q448_deserialize(word_t x[7], const uint8_t serial[56]) {

  90.     int i,j;

  91.     for (i=0; i<7; i++) {

  92.         word_t out = 0;

  93.         for (j=0; j<8; j++) {

  94.             out |= ((word_t)serial[8*i+j])<<(8*j);

  95.         }

  96.         x[i] = out;

  97.     }

  98.     // TODO: check for reduction

  99.     return MASK_SUCCESS;

  100. }

  101. 

  102. mask_t

  103. p448_deserialize(p448_t *x, const uint8_t serial[56]) {

  104.     int i,j;

  105.     for (i=0; i<8; i++) {

  106.         word_t out = 0;

  107.         for (j=0; j<7; j++) {

  108.             out |= ((word_t)serial[7*i+j])<<(8*j);

  109.         }

  110.         x->limb[i] = out;

  111.     }

  112.     // TODO: check for reduction

  113.     return MASK_SUCCESS;

  114. }

  115. 

  116. static word_t

  117. q448_lo[4] = {

  118.     0xdc873d6d54a7bb0dull,

  119.     0xde933d8d723a70aaull,

  120.     0x3bb124b65129c96full,

  121.     0x000000008335dc16ull

  122. };

  123. 

  124. int

  125. goldilocks_keygen(

  126.     uint8_t private[56],

  127.     uint8_t public[56]

  128. ) {

  129.     // TODO: check for init.  Also maybe take CRANDOM object?  API...

  130.     word_t sk[448*2/WORD_BITS];

  131.     

  132.     struct tw_extensible_t exta;

  133.     struct p448_t pk;

  134.     

  135.     int ret = crandom_generate(&goldilocks_global.rand, (unsigned char *)sk, sizeof(sk));

  136.     barrett_reduce(sk,sizeof(sk)/sizeof(sk[0]),0,q448_lo,7,4,62); // TODO word size

  137.     q448_serialize(private, sk);

  138.     

  139.     edwards_comb(&exta, sk, goldilocks_global.combs, 5, 5, 18);

  140.     isogeny_and_serialize(&pk, &exta);

  141.     p448_serialize(public, &pk);

  142.     

  143.     return ret;

  144. }

  145. 

  146. int

  147. goldilocks_shared_secret(

  148.     uint8_t shared[56],

  149.     const uint8_t private[56],

  150.     const uint8_t public[56]

  151. ) {

  152.     // TODO: SHA

  153.     word_t sk[448/WORD_BITS];

  154.     struct p448_t pk;

  155.     

  156.     mask_t succ = p448_deserialize(&pk,public);

  157.     succ &= q448_deserialize(sk,private);

  158.     succ &= p448_montgomery_ladder(&pk,&pk,sk,446,2);

  159.     

  160.     p448_serialize(shared,&pk);

  161.     // TODO: hash

  162.     

  163.     if (succ) {

  164.         return 0;

  165.     } else {

  166.         return -1;

  167.     }

  168. }