jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
393 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: 28086a96d1
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '28086a96d1'
${ noResults }
ed448goldilocks/src/GENERATED/c/curve25519/elligator.c

200 lines
5.8 KiB
Raw Blame History 

  1. /**

  2.  * @file curve25519/elligator.c

  3.  * @author Mike Hamburg

  4.  *

  5.  * @copyright

  6.  *   Copyright (c) 2015-2016 Cryptography Research, Inc.  \n

  7.  *   Released under the MIT License.  See LICENSE.txt for license information.

  8.  *

  9.  * @brief Elligator high-level functions.

  10.  *

  11.  * @warning This file was automatically generated in Python.

  12.  * Please do not edit it.

  13.  */

  14. #include "word.h"

  15. #include "field.h"

  16. #include <decaf.h>

  17. 

  18. /* Template stuff */

  19. #define API_NS(_id) decaf_255_##_id

  20. #define point_t API_NS(point_t)

  21. #define IMAGINE_TWIST 1

  22. #define COFACTOR 8

  23. static const int EDWARDS_D = -121665;

  24. /* End of template stuff */

  25. 

  26. extern void API_NS(deisogenize) (

  27.     gf_s *__restrict__ s,

  28.     gf_s *__restrict__ minus_t_over_s,

  29.     const point_t p,

  30.     mask_t toggle_hibit_s,

  31.     mask_t toggle_hibit_t_over_s,

  32.     mask_t toggle_rotation

  33. );

  34. 

  35. void API_NS(point_from_hash_nonuniform) (

  36.     point_t p,

  37.     const unsigned char ser[SER_BYTES]

  38. ) {

  39.     gf r0,r,a,b,c,N,e;

  40.     ignore_result(gf_deserialize(r0,ser,0));

  41.     gf_strong_reduce(r0);

  42.     gf_sqr(a,r0);

  43.     gf_mul_qnr(r,a);

  44. 

  45.     /* Compute D@c := (dr+a-d)(dr-ar-d) with a=1 */

  46.     gf_sub(a,r,ONE);

  47.     gf_mulw(b,a,EDWARDS_D); /* dr-d */

  48.     gf_add(a,b,ONE);

  49.     gf_sub(b,b,r);

  50.     gf_mul(c,a,b);

  51.     

  52.     /* compute N := (r+1)(a-2d) */

  53.     gf_add(a,r,ONE);

  54.     gf_mulw(N,a,1-2*EDWARDS_D);

  55.     

  56.     /* e = +-sqrt(1/ND) or +-r0 * sqrt(qnr/ND) */

  57.     gf_mul(a,c,N);

  58.     mask_t square = gf_isr(b,a);

  59.     gf_cond_sel(c,r0,ONE,square); /* r? = square ? 1 : r0 */

  60.     gf_mul(e,b,c);

  61.     

  62.     /* s@a = +-|N.e| */

  63.     gf_mul(a,N,e);

  64.     gf_cond_neg(a,gf_hibit(a)^square); /* NB this is - what is listen in the paper */

  65.     

  66.     /* t@b = -+ cN(r-1)((a-2d)e)^2 - 1 */

  67.     gf_mulw(c,e,1-2*EDWARDS_D); /* (a-2d)e */

  68.     gf_sqr(b,c);

  69.     gf_sub(e,r,ONE);

  70.     gf_mul(c,b,e);

  71.     gf_mul(b,c,N);

  72.     gf_cond_neg(b,square);

  73.     gf_sub(b,b,ONE);

  74. 

  75.     /* isogenize */

  76. #if IMAGINE_TWIST

  77.     gf_mul(c,a,SQRT_MINUS_ONE);

  78.     gf_copy(a,c);

  79. #endif

  80.     

  81.     gf_sqr(c,a); /* s^2 */

  82.     gf_add(a,a,a); /* 2s */

  83.     gf_add(e,c,ONE);

  84.     gf_mul(p->t,a,e); /* 2s(1+s^2) */

  85.     gf_mul(p->x,a,b); /* 2st */

  86.     gf_sub(a,ONE,c);

  87.     gf_mul(p->y,e,a); /* (1+s^2)(1-s^2) */

  88.     gf_mul(p->z,a,b); /* (1-s^2)t */

  89.     

  90.     assert(API_NS(point_valid)(p));

  91. }

  92. 

  93. void API_NS(point_from_hash_uniform) (

  94.     point_t pt,

  95.     const unsigned char hashed_data[2*SER_BYTES]

  96. ) {

  97.     point_t pt2;

  98.     API_NS(point_from_hash_nonuniform)(pt,hashed_data);

  99.     API_NS(point_from_hash_nonuniform)(pt2,&hashed_data[SER_BYTES]);

  100.     API_NS(point_add)(pt,pt,pt2);

  101. }

  102. 

  103. /* Elligator_onto:

  104.  * Make elligator-inverse onto at the cost of roughly halving the success probability.

  105.  * Currently no effect for curves with field size 1 bit mod 8 (where the top bit

  106.  * is chopped off).  FUTURE MAGIC: automatic at least for brainpool-style curves; support

  107.  * log p == 1 mod 8 brainpool curves maybe?

  108.  */

  109. #define MAX(A,B) (((A)>(B)) ? (A) : (B))

  110. #define PKP_MASK ((1<<(MAX(8*SER_BYTES + 0 - 255,0)))-1)

  111. #if PKP_MASK != 0

  112. static UNUSED mask_t plus_k_p (

  113.     uint8_t x[SER_BYTES],

  114.     uint32_t factor_

  115. ) {

  116.     uint32_t carry = 0;

  117.     uint64_t factor = factor_;

  118.     const uint8_t p[SER_BYTES] = { 0xed, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f };

  119.     for (unsigned int i=0; i<SER_BYTES; i++) {

  120.         uint64_t tmp = carry + p[i] * factor + x[i];

  121.         /* tmp <= 2^32-1 + (2^32-1)*(2^8-1) + (2^8-1) = 2^40-1 */

  122.         x[i] = tmp; carry = tmp>>8;

  123.     }

  124.     return word_is_zero(carry);

  125. }

  126. #endif

  127. 

  128. decaf_error_t

  129. API_NS(invert_elligator_nonuniform) (

  130.     unsigned char recovered_hash[SER_BYTES],

  131.     const point_t p,

  132.     uint32_t hint_

  133. ) {

  134.     mask_t hint = hint_;

  135.     mask_t sgn_s = -(hint & 1),

  136.         sgn_t_over_s = -(hint>>1 & 1),

  137.         sgn_r0 = -(hint>>2 & 1),

  138.         /* FUTURE MAGIC: eventually if there's a curve which needs sgn_ed_T but not sgn_r0,

  139.          * change this mask extraction.

  140.          */

  141.         sgn_ed_T = -(hint>>3 & 1);

  142.     gf a, b, c, d;

  143.     API_NS(deisogenize)(a,c,p,sgn_s,sgn_t_over_s,sgn_ed_T);

  144.     

  145. #if 255 == 8*SER_BYTES + 1 /* p521. */

  146.     sgn_r0 = 0;

  147. #endif

  148.     

  149.     /* ok, a = s; c = -t/s */

  150.     gf_mul(b,c,a);

  151.     gf_sub(b,ONE,b); /* t+1 */

  152.     gf_sqr(c,a); /* s^2 */

  153.     mask_t is_identity = gf_eq(p->t,ZERO);

  154. 

  155.     /* identity adjustments */

  156.     /* in case of identity, currently c=0, t=0, b=1, will encode to 1 */

  157.     /* if hint is 0, -> 0 */

  158.     /* if hint is to neg t/s, then go to infinity, effectively set s to 1 */

  159.     gf_cond_sel(c,c,ONE,is_identity & sgn_t_over_s);

  160.     gf_cond_sel(b,b,ZERO,is_identity & ~sgn_t_over_s & ~sgn_s);

  161.         

  162.     gf_mulw(d,c,2*EDWARDS_D-1); /* $d = (2d-a)s^2 */

  163.     gf_add(a,b,d); /* num? */

  164.     gf_sub(d,d,b); /* den? */

  165.     gf_mul(b,a,d); /* n*d */

  166.     gf_cond_sel(a,d,a,sgn_s);

  167.     gf_mul_qnr(d,b);

  168.     mask_t succ = gf_isr(c,d)|gf_eq(d,ZERO);

  169.     gf_mul(b,a,c);

  170.     gf_cond_neg(b, sgn_r0^gf_hibit(b));

  171.     

  172.     succ &= ~(gf_eq(b,ZERO) & sgn_r0);

  173.     #if COFACTOR == 8

  174.         succ &= ~(is_identity & sgn_ed_T); /* NB: there are no preimages of rotated identity. */

  175.     #endif

  176.     

  177.     #if 255 == 8*SER_BYTES + 1 /* p521 */

  178.         gf_serialize(recovered_hash,b,0);

  179.     #else

  180.         gf_serialize(recovered_hash,b,1);

  181.         #if PKP_MASK != 0

  182.             /* Add a multiple of p to make the result either almost-onto or completely onto. */

  183.             succ &= plus_k_p(recovered_hash, (hint >> ((COFACTOR==8)?4:3)) & PKP_MASK);

  184.         #endif

  185.     #endif

  186.     return decaf_succeed_if(mask_to_bool(succ));

  187. }

  188. 

  189. decaf_error_t

  190. API_NS(invert_elligator_uniform) (

  191.     unsigned char partial_hash[2*SER_BYTES],

  192.     const point_t p,

  193.     uint32_t hint

  194. ) {

  195.     point_t pt2;

  196.     API_NS(point_from_hash_nonuniform)(pt2,&partial_hash[SER_BYTES]);

  197.     API_NS(point_sub)(pt2,p,pt2);

  198.     return API_NS(invert_elligator_nonuniform)(partial_hash,pt2,hint);

  199. }