jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
60 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: 4f27b22a1d
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '4f27b22a1d'
${ noResults }
ed448goldilocks/test/test_pointops.c

435 lines
12 KiB
Raw Blame History 

  1. #include "test.h"

  2. 

  3. #include <stdio.h>

  4. 

  5. #include "ec_point.h"

  6. #include "scalarmul.h"

  7. #include "magic.h"

  8. #include "field.h"

  9. #include "crandom.h"

  10. 

  11. 

  12. static void

  13. failprint_ext (

  14.     const struct extensible_t *a

  15. ) {

  16.     field_a_t zi, scaled;

  17.     field_print("    x", a->x);

  18.     field_print("    y", a->y);

  19.     field_print("    z", a->z);

  20.     field_inverse(zi, a->z);

  21.     field_mul(scaled, zi, a->x);

  22.     field_print("    X", scaled);

  23.     field_mul(scaled, zi, a->y);

  24.     field_print("    Y", scaled);

  25.     printf("\n");

  26. }

  27. 

  28. static void

  29. failprint_tw_ext (

  30.     const struct tw_extensible_t *a

  31. ) {

  32.     failprint_ext((const struct extensible_t *)a);

  33. }

  34. 

  35. static mask_t

  36. fail_if_different (

  37.     const struct extensible_t *a,

  38.     const struct extensible_t *b,

  39.     const char *faildescr,

  40.     const char *adescr,

  41.     const char *bdescr

  42. ) {

  43.     mask_t succ = eq_extensible(a, b);

  44.     

  45.     if (!succ) {

  46.         youfail();

  47.         printf("    %s\n", faildescr);

  48.         

  49.         printf("\n    %s:\n", adescr);

  50.         failprint_ext(a);

  51.         

  52.         printf("\n    %s:\n", bdescr);

  53.         failprint_ext(b);

  54.     }

  55.     

  56.     return succ;

  57. }

  58. 

  59. static mask_t

  60. validate_ext(

  61.     const struct extensible_t *ext,

  62.     int evenness,

  63.     const char *description

  64. ) {

  65.     mask_t succ = validate_extensible(ext), succ2;

  66.     const char *error = "Point isn't on the curve.";

  67.     if (evenness > 0) {

  68.         succ2 = is_even_pt(ext);

  69.         if (succ &~ succ2) error = "Point isn't even.";

  70.         succ &= succ2;

  71.     } else if (evenness < 0) {

  72.         succ2 = is_even_pt(ext);

  73.         if (succ &~ succ2) error = "Point is even but shouldn't be.";

  74.         succ &= succ2;

  75.     } /* FUTURE: quadness */

  76.     

  77.     if (~succ) {

  78.         youfail();

  79.         printf("    %s\n", error);

  80.         printf("    %s\n", description);

  81.         failprint_ext(ext);

  82.     }

  83.     

  84.     return succ;

  85. }

  86. 

  87. static mask_t

  88. validate_tw_ext(

  89.     const struct tw_extensible_t *ext,

  90.     int evenness,

  91.     const char *description

  92. ) {

  93.     mask_t succ = validate_tw_extensible(ext), succ2;

  94.     const char *error = "Point isn't on the twisted curve.";

  95.     if (evenness > 0) {

  96.         succ2 = is_even_tw(ext);

  97.         if (succ &~ succ2) error = "Point isn't even.";

  98.         succ &= succ2;

  99.     } else if (evenness < 0) {

  100.         succ2 = is_even_tw(ext);

  101.         if (succ &~ succ2) error = "Point is even but shouldn't be.";

  102.         succ &= succ2;

  103.     } /* FUTURE: quadness */

  104.     

  105.     if (~succ) {

  106.         youfail();

  107.         printf("    %s\n", error);

  108.         printf("    %s\n", description);

  109.         failprint_tw_ext(ext);

  110.     }

  111.     

  112.     return succ;

  113. }

  114. 

  115. static mask_t

  116. fail_if_different_tw (

  117.     const struct tw_extensible_t *a,

  118.     const struct tw_extensible_t *b,

  119.     const char *faildescr,

  120.     const char *adescr,

  121.     const char *bdescr

  122. ) {

  123.     return fail_if_different(

  124.         (const struct extensible_t *)a, (const struct extensible_t *)b,

  125.         faildescr,adescr,bdescr

  126.     );

  127. }

  128. 

  129. static int

  130. add_double_test (

  131.     const struct affine_t *base1,

  132.     const struct affine_t *base2 

  133. ) {

  134.     mask_t succ = MASK_SUCCESS;

  135.     struct extensible_t exb;

  136.     struct tw_extensible_t text1, text2, texta, textb;

  137.     struct tw_pniels_t pn;

  138.     

  139.     /* Convert to ext */

  140.     convert_affine_to_extensible(&exb, base1);

  141.     succ &= validate_ext(&exb,0,"base1");

  142.     twist_and_double(&text1, &exb);

  143.     succ &= validate_tw_ext(&text1,2,"iso1");

  144.     convert_affine_to_extensible(&exb, base2);

  145.     succ &= validate_ext(&exb,0,"base2");

  146.     twist_and_double(&text2, &exb);

  147.     succ &= validate_tw_ext(&text2,2,"iso2");

  148.     

  149.     /* a + b == b + a? */

  150.     convert_tw_extensible_to_tw_pniels(&pn, &text1);

  151.     copy_tw_extensible(&texta, &text2);

  152.     add_tw_pniels_to_tw_extensible(&texta, &pn);

  153.     

  154.     convert_tw_extensible_to_tw_pniels(&pn, &text2);

  155.     copy_tw_extensible(&textb, &text1);

  156.     add_tw_pniels_to_tw_extensible(&textb, &pn);

  157.     

  158.     succ &= fail_if_different_tw(&texta,&textb,"Addition commutativity","a+b","b+a");

  159.     

  160.     copy_tw_extensible(&textb, &text2);

  161.     add_tw_pniels_to_tw_extensible(&textb, &pn);

  162.     copy_tw_extensible(&texta, &text2);

  163.     double_tw_extensible(&texta);

  164.     

  165.     succ &= fail_if_different_tw(&texta,&textb,"Doubling test","2b","b+b");

  166.     

  167.     if (~succ) {

  168.         printf("    Bases were:\n");

  169.         field_print("    x1", base1->x);

  170.         field_print("    y1", base1->y);

  171.         field_print("    x2", base2->x);

  172.         field_print("    y2", base2->y);

  173.     }

  174.     

  175.     return succ ? 0 : -1;

  176. }

  177. 

  178. static int

  179. single_twisting_test (

  180.     const struct affine_t *base

  181. ) {

  182.     struct extensible_t exb, ext, tmpext;

  183.     struct tw_extensible_t text, text2;

  184.     mask_t succ = MASK_SUCCESS;

  185.     

  186.     convert_affine_to_extensible(&exb, base);

  187.     succ &= validate_ext(&exb,0,"base");

  188.     

  189.     /* check: dual . iso = 4 */

  190.     twist_and_double(&text, &exb);

  191.     succ &= validate_tw_ext(&text,2,"iso");

  192.     untwist_and_double(&ext, &text);

  193.     succ &= validate_ext(&ext,2,"dual.iso");

  194.     

  195.     copy_extensible(&tmpext,&exb);

  196.     double_extensible(&tmpext);

  197.     succ &= validate_ext(&tmpext,1,"2*base");

  198.     

  199.     double_extensible(&tmpext);

  200.     succ &= validate_ext(&tmpext,2,"4*base");

  201.     

  202.     succ &= fail_if_different(&ext,&tmpext,"Isogeny and dual","Dual . iso","4*base");

  203.     

  204.     /* check: twist and serialize */

  205.     test_only_twist(&text, &exb);

  206.     succ &= validate_tw_ext(&text,0,"tot");

  207.     mask_t evt = is_even_tw(&text), evb = is_even_pt(&exb);

  208.     if (evt != evb) {

  209.         youfail();

  210.         printf("    Different evenness from twist base: %d, twist: %d\n", (int)-evt, (int)-evb);

  211.         

  212.         succ = 0;

  213.     } /* FUTURE: quadness */

  214.     

  215.     field_a_t sera,serb;

  216.     untwist_and_double_and_serialize(sera,&text);

  217.     copy_extensible(&tmpext,&exb);

  218.     double_extensible(&tmpext);

  219.     serialize_extensible(serb,&tmpext);

  220.     

  221.     /* check that their (doubled; FUTURE?) serializations are equal */

  222.     if (~field_eq(sera,serb)) {

  223.         youfail();

  224.         printf("    Different serialization from twist + double ()\n");

  225.         field_print("    t", sera);

  226.         field_print("    b", serb);

  227.         succ = 0;

  228.     }

  229.     

  230.     untwist_and_double(&ext, &text);

  231.     succ &= validate_ext(&tmpext,1,"dual.tot");

  232.     

  233.     twist_and_double(&text2, &ext);

  234.     succ &= validate_tw_ext(&text2,2,"iso.dual.tot");

  235. 

  236.     double_tw_extensible(&text);

  237.     succ &= validate_tw_ext(&text,1,"2*tot");

  238. 

  239.     double_tw_extensible(&text);

  240.     succ &= validate_tw_ext(&text,2,"4*tot");

  241.     

  242.     succ &= fail_if_different_tw(&text,&text2,"Dual and isogeny","4*tot","iso.dual.tot");

  243.     

  244.     if (~succ) {

  245.         printf("    Base was:\n");

  246.         field_print("    x", base->x);

  247.         field_print("    y", base->y);

  248.     }

  249.     

  250.     

  251.     return succ ? 0 : -1;

  252. }

  253. 

  254. int test_decaf (void) {

  255.     struct affine_t base;

  256.     struct tw_affine_t tw_base;

  257.     field_a_t serf;

  258.     

  259.     struct crandom_state_t crand;

  260.     crandom_init_from_buffer(&crand, "my test_decaf random initializer");

  261.     

  262.     int i, hits = 0, fails = 0;

  263.     for (i=0; i<1000; i++) {

  264.         uint8_t ser[FIELD_BYTES];

  265.         

  266.         int j;

  267.         

  268.         mask_t succ = 0;

  269.         for (j=0; j<128 && !succ; j++) {

  270.             crandom_generate(&crand, ser, sizeof(ser));

  271.             #if (FIELD_BITS % 8)

  272.                 ser[FIELD_BYTES-1] &= (1<<(FIELD_BITS%8)) - 1;

  273.             #endif

  274.             ser[0] &= ~1;

  275. 

  276.             succ = field_deserialize(serf, ser);

  277.             if (!succ) {

  278.                 youfail();

  279.                 printf("   Unlikely: fail at field_deserialize\n");

  280.                 return -1;

  281.             }

  282.         

  283.             succ &= decaf_deserialize_affine(&base, serf, 0);

  284.         }

  285.         if (!succ) {

  286.             youfail();

  287.             printf("Unlikely: fail 128 desers\n");

  288.             return -1;

  289.         }

  290.         

  291.         hits++;

  292.         field_a_t serf2;

  293.         struct extensible_t ext;

  294.         convert_affine_to_extensible(&ext, &base);

  295.         decaf_serialize_extensible(serf2, &ext);

  296.         

  297.         if (~validate_affine(&base)) {

  298.             youfail();

  299.             printf("Invalid decaf deser:\n");

  300.             field_print("    s", serf);

  301.             field_print("    x", base.x);

  302.             field_print("    y", base.y);

  303.             fails ++;

  304.         } else if (~field_eq(serf, serf2)) {

  305.             youfail();

  306.             printf("Fail round-trip through decaf ser:\n");

  307.             field_print("    s", serf);

  308.             field_print("    x", base.x);

  309.             field_print("    y", base.y);

  310.             printf("    deser is %s\n", validate_affine(&base) ? "valid" : "invalid");

  311.             field_print("    S", serf2);

  312.             fails ++;

  313.         } else if (~is_even_pt(&ext)) {

  314.             youfail();

  315.             printf("Decaf deser isn't even:\n");

  316.             field_print("    s", serf);

  317.             field_print("    x", base.x);

  318.             field_print("    y", base.y);

  319.             fails ++;

  320.         }

  321.         

  322.         succ = decaf_deserialize_tw_affine(&tw_base, serf, 0);

  323.         struct tw_extensible_t tw_ext, tw_ext2;

  324.         convert_tw_affine_to_tw_extensible(&tw_ext, &tw_base);

  325.         decaf_serialize_tw_extensible(serf2, &tw_ext);

  326.         

  327.         twist_even(&tw_ext2, &ext);

  328. 

  329.         if (~succ | ~validate_tw_extensible(&tw_ext)) {

  330.             youfail();

  331.             printf("Invalid decaf tw deser:\n");

  332.             field_print("    s", serf);

  333.             field_print("    x", tw_base.x);

  334.             field_print("    y", tw_base.y);

  335.             fails ++;

  336.         } else if (~field_eq(serf, serf2)) {

  337.             youfail();

  338.             printf("Fail round-trip through decaf ser:\n");

  339.             field_print("    s", serf);

  340.             field_print("    x", tw_base.x);

  341.             field_print("    y", tw_base.y);

  342.             printf("    tw deser is %s\n", validate_tw_extensible(&tw_ext) ? "valid" : "invalid");

  343.             field_print("    S", serf2);

  344.             fails ++;

  345.         } else if (~is_even_tw(&tw_ext)) {

  346.             youfail();

  347.             printf("Decaf tw deser isn't even:\n");

  348.             field_print("    s", serf);

  349.             field_print("    x", tw_base.x);

  350.             field_print("    y", tw_base.y);

  351.             fails ++;

  352.         } else if (~decaf_eq_tw_extensible(&tw_ext,&tw_ext2)) {

  353.             youfail();

  354.             printf("Decaf tw doesn't equal ext:\n");

  355.             field_print("    s",  serf);

  356.             field_print("    x1", base.x);

  357.             field_print("    y1", base.y);

  358.             field_print("    x2", tw_base.x);

  359.             field_print("    y2", tw_base.y);

  360.             field_print("    X2", tw_ext2.x);

  361.             field_print("    Y2", tw_ext2.y);

  362.             fails ++;

  363.         }

  364.         

  365.         word_t scalar = i;

  366.         mask_t res = montgomery_ladder_decaf(serf2,serf,&scalar,i,0);

  367.         // youfail();

  368.         // printf("Decaf Montgomery ladder i=%d res=%d\n", i, (int)res);

  369.         // field_print("    s", serf);

  370.         // field_print("    o", serf2);

  371.         // printf("\n");

  372.         (void)res;

  373.     }

  374.     if (hits < 1000) {

  375.         youfail();

  376.         printf("   Fail: only %d successes in decaf_deser\n", hits);

  377.         return -1;

  378.     } else if (fails) {

  379.         return -1;

  380.     } else {

  381.         return 0;

  382.     }

  383. }

  384. 

  385. int test_pointops (void) {

  386.     struct affine_t base, pbase;

  387.     field_a_t serf;

  388.     

  389.     struct crandom_state_t crand;

  390.     crandom_init_from_buffer(&crand, "test_pointops random initializer");

  391.     

  392.     struct extensible_t ext_base;

  393.     if (!validate_affine(goldilocks_base_point)) {

  394.         youfail();

  395.         printf("  Base point isn't on the curve.\n");

  396.         return -1;

  397.     }

  398.     convert_affine_to_extensible(&ext_base, goldilocks_base_point);

  399.     if (!validate_ext(&ext_base, 2, "base")) return -1;

  400.     

  401.     int i, ret;

  402.     for (i=0; i<1000; i++) {

  403.         uint8_t ser[FIELD_BYTES];

  404.         crandom_generate(&crand, ser, sizeof(ser));

  405. 

  406. 

  407.         #if (FIELD_BITS % 8)

  408.             ser[FIELD_BYTES-1] &= (1<<(FIELD_BITS%8)) - 1;

  409.         #endif

  410.         

  411.         /* TODO: we need a field generate, which can return random or pathological. */

  412.         mask_t succ = field_deserialize(serf, ser);

  413.         if (!succ) {

  414.             youfail();

  415.             printf("   Unlikely: fail at field_deserialize\n");

  416.             return -1;

  417.         }

  418.         

  419.         if (i) {

  420.             copy_affine(&pbase, &base);

  421.         }

  422.         elligator_2s_inject(&base, serf);

  423.         

  424.         if (i) {

  425.             ret = add_double_test(&base, &pbase);

  426.             if (ret) return ret;

  427.         }

  428.         

  429.         ret = single_twisting_test(&base);

  430.         if (ret) return ret;

  431.     }

  432.     

  433.     return 0;

  434. }