jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
37 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: 6546660199
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '6546660199'
${ noResults }
ed448goldilocks/test/bench.c

732 lines
21 KiB
Raw Blame History 

  1. /* Copyright (c) 2014 Cryptography Research, Inc.

  2.  * Released under the MIT License.  See LICENSE.txt for license information.

  3.  */

  4. 

  5. #include "word.h"

  6. 

  7. #include <sys/time.h>

  8. #include <sys/types.h>

  9. #include <stdio.h>

  10. #include <memory.h>

  11. 

  12. #include "field.h"

  13. #include "ec_point.h"

  14. #include "scalarmul.h"

  15. #include "barrett_field.h"

  16. #include "crandom.h"

  17. #include "goldilocks.h"

  18. #include "sha512.h"

  19. 

  20. static __inline__ void

  21. ignore_result ( int result ) {

  22.     (void)result;

  23. }

  24. 

  25. static double now(void) {

  26.   struct timeval tv;

  27.   gettimeofday(&tv, NULL);

  28.   

  29.   return tv.tv_sec + tv.tv_usec/1000000.0;

  30. }

  31. 

  32. static void field_randomize( struct crandom_state_t *crand, struct field_t *a ) {

  33.     crandom_generate(crand, (unsigned char *)a, sizeof(*a));

  34.     field_strong_reduce(a);

  35. }

  36. 

  37. static void q448_randomize( struct crandom_state_t *crand, word_t sk[SCALAR_WORDS] ) {

  38.     crandom_generate(crand, (unsigned char *)sk, SCALAR_BYTES);

  39. }

  40. 

  41. static void field_print( const char *descr, const struct field_t *a ) {

  42.     int j;

  43.     unsigned char ser[FIELD_BYTES];

  44.     field_serialize(ser,a);

  45.     printf("%s = 0x", descr);

  46.     for (j=FIELD_BYTES - 1; j>=0; j--) {

  47.         printf("%02x", ser[j]);

  48.     }

  49.     printf("\n");

  50. }

  51. 

  52. static void __attribute__((unused))

  53. field_print_full (

  54.     const char *descr,

  55.     const struct field_t *a

  56. ) {

  57.     int j;

  58.     printf("%s = 0x", descr);

  59.     for (j=15; j>=0; j--) {

  60.         printf("%02" PRIxWORD "_" PRIxWORD56 " ",

  61.             a->limb[j]>>28, a->limb[j]&((1<<28)-1));

  62.     }

  63.     printf("\n");

  64. }

  65. 

  66. static void q448_print( const char *descr, const word_t secret[SCALAR_WORDS] ) {

  67.     int j;

  68.     printf("%s = 0x", descr);

  69.     for (j=SCALAR_WORDS-1; j>=0; j--) {

  70.         printf(PRIxWORDfull, secret[j]);

  71.     }

  72.     printf("\n");

  73. }

  74. 

  75. #ifndef N_TESTS_BASE

  76. #define N_TESTS_BASE 10000

  77. #endif

  78. 

  79. int main(int argc, char **argv) {

  80.     (void)argc;

  81.     (void)argv;

  82. 

  83.     struct tw_extensible_t ext;

  84.     struct extensible_t exta;

  85.     struct tw_niels_t niels;

  86.     struct tw_pniels_t pniels;

  87.     struct affine_t affine;

  88.     struct montgomery_t mb;

  89.     struct field_t a,b,c,d;

  90.     

  91.     

  92.     double when;

  93.     int i;

  94. 

  95.     int nbase = N_TESTS_BASE;

  96.     

  97.     /* Bad randomness so we can debug. */

  98.     char initial_seed[32];

  99.     for (i=0; i<32; i++) initial_seed[i] = i;

  100.     struct crandom_state_t crand;

  101.     crandom_init_from_buffer(&crand, initial_seed);

  102.     /* For testing the performance drop from the crandom debuffering change.

  103.         ignore_result(crandom_init_from_file(&crand, "/dev/urandom", 10000, 1));

  104.     */

  105.     

  106.     word_t sk[SCALAR_WORDS],tk[SCALAR_WORDS];

  107.     q448_randomize(&crand, sk);

  108.     

  109.     when = now();

  110.     for (i=0; i<nbase*5000; i++) {

  111.         field_mul(&c, &b, &a);

  112.     }

  113.     when = now() - when;

  114.     printf("mul:         %5.1fns\n", when * 1e9 / i);

  115.     

  116.     when = now();

  117.     for (i=0; i<nbase*5000; i++) {

  118.         field_sqr(&c, &a);

  119.     }

  120.     when = now() - when;

  121.     printf("sqr:         %5.1fns\n", when * 1e9 / i);

  122.     

  123.     when = now();

  124.     for (i=0; i<nbase*5000; i++) {

  125.         field_mulw(&c, &b, 1234562);

  126.     }

  127.     when = now() - when;

  128.     printf("mulw:        %5.1fns\n", when * 1e9 / i);

  129.     

  130.     when = now();

  131.     for (i=0; i<nbase*500; i++) {

  132.         field_mul(&c, &b, &a);

  133.         field_mul(&a, &b, &c);

  134.     }

  135.     when = now() - when;

  136.     printf("mul dep:     %5.1fns\n", when * 1e9 / i / 2);

  137.     

  138.     when = now();

  139.     for (i=0; i<nbase*10; i++) {

  140.         field_randomize(&crand, &a);

  141.     }

  142.     when = now() - when;

  143.     printf("rand448:     %5.1fns\n", when * 1e9 / i);

  144.     

  145.     struct sha512_ctx_t sha;

  146.     uint8_t hashout[128];

  147.     when = now();

  148.     for (i=0; i<nbase; i++) {

  149.         sha512_init(&sha);

  150.         sha512_final(&sha, hashout);

  151.     }

  152.     when = now() - when;

  153.     printf("sha512 1blk: %5.1fns\n", when * 1e9 / i);

  154.     

  155.     when = now();

  156.     for (i=0; i<nbase; i++) {

  157.         sha512_update(&sha, hashout, 128);

  158.     }

  159.     when = now() - when;

  160.     printf("sha512 blk:  %5.1fns (%0.2f MB/s)\n", when * 1e9 / i, 128*i/when/1e6);

  161.     

  162.     when = now();

  163.     for (i=0; i<nbase; i++) {

  164.         field_isr(&c, &a);

  165.     }

  166.     when = now() - when;

  167.     printf("isr auto:    %5.1fµs\n", when * 1e6 / i);

  168.     

  169.     for (i=0; i<100; i++) {

  170.         field_randomize(&crand, &a);

  171.         field_isr(&d,&a);

  172.         field_sqr(&b,&d);

  173.         field_mul(&c,&b,&a);

  174.         field_sqr(&b,&c);

  175.         field_subw(&b,1);

  176.         field_bias(&b,1);

  177.         if (!field_is_zero(&b)) {

  178.             printf("ISR validation failure!\n");

  179.             field_print("a", &a);

  180.             field_print("s", &d);

  181.         }

  182.     }

  183.     

  184.     when = now();

  185.     for (i=0; i<nbase; i++) {

  186.         elligator_2s_inject(&affine, &a);

  187.     }

  188.     when = now() - when;

  189.     printf("elligator:   %5.1fµs\n", when * 1e6 / i);

  190.     

  191.     for (i=0; i<100; i++) {

  192.         field_randomize(&crand, &a);

  193.         elligator_2s_inject(&affine, &a);

  194.         if (!validate_affine(&affine)) {

  195.             printf("Elligator validation failure!\n");

  196.             field_print("a", &a);

  197.             field_print("x", &affine.x);

  198.             field_print("y", &affine.y);

  199.         }

  200.     }

  201.     

  202.     when = now();

  203.     for (i=0; i<nbase; i++) {

  204.         deserialize_affine(&affine, &a);

  205.     }

  206.     when = now() - when;

  207.     printf("decompress:  %5.1fµs\n", when * 1e6 / i);

  208.     

  209.     when = now();

  210.     for (i=0; i<nbase; i++) {

  211.         serialize_extensible(&a, &exta);

  212.     }

  213.     when = now() - when;

  214.     printf("compress:    %5.1fµs\n", when * 1e6 / i);

  215.     

  216.     int goods = 0;

  217.     for (i=0; i<100; i++) {

  218.         field_randomize(&crand, &a);

  219.         mask_t good = deserialize_affine(&affine, &a);

  220.         if (good & !validate_affine(&affine)) {

  221.             printf("Deserialize validation failure!\n");

  222.             field_print("a", &a);

  223.             field_print("x", &affine.x);

  224.             field_print("y", &affine.y);

  225.         } else if (good) {

  226.             goods++;

  227.             convert_affine_to_extensible(&exta,&affine);

  228.             serialize_extensible(&b, &exta);

  229.             field_sub(&c,&b,&a);

  230.             field_bias(&c,2);

  231.             if (!field_is_zero(&c)) {

  232.                 printf("Reserialize validation failure!\n");

  233.                 field_print("a", &a);

  234.                 field_print("x", &affine.x);

  235.                 field_print("y", &affine.y);

  236.                 deserialize_affine(&affine, &b);

  237.                 field_print("b", &b);

  238.                 field_print("x", &affine.x);

  239.                 field_print("y", &affine.y);

  240.                 printf("\n");

  241.             }

  242.         }

  243.     }

  244.     if (goods<i/3) {

  245.         printf("Deserialization validation failure! Deserialized %d/%d points\n", goods, i);

  246.     }

  247.     

  248.     word_t lsk[768/WORD_BITS];

  249.     crandom_generate(&crand, (unsigned char *)lsk, sizeof(lsk));

  250.     

  251.     when = now();

  252.     for (i=0; i<nbase*100; i++) {

  253.         barrett_reduce(lsk,sizeof(lsk)/sizeof(word_t),0,&curve_prime_order);

  254.     }

  255.     when = now() - when;

  256.     printf("barrett red: %5.1fns\n", when * 1e9 / i);

  257.     

  258.     when = now();

  259.     for (i=0; i<nbase*10; i++) {

  260.         barrett_mac(lsk,SCALAR_WORDS,lsk,SCALAR_WORDS,lsk,SCALAR_WORDS,&curve_prime_order);

  261.     }

  262.     when = now() - when;

  263.     printf("barrett mac: %5.1fns\n", when * 1e9 / i);

  264.     

  265.     when = now();

  266.     for (i=0; i<nbase*100; i++) {

  267.         add_tw_niels_to_tw_extensible(&ext, &niels);

  268.     }

  269.     when = now() - when;

  270.     printf("exti+niels:  %5.1fns\n", when * 1e9 / i);

  271.     

  272.     when = now();

  273.     for (i=0; i<nbase*100; i++) {

  274.         add_tw_pniels_to_tw_extensible(&ext, &pniels);

  275.     }

  276.     when = now() - when;

  277.     printf("exti+pniels: %5.1fns\n", when * 1e9 / i);

  278.     

  279.     when = now();

  280.     for (i=0; i<nbase*100; i++) {

  281.         double_tw_extensible(&ext);

  282.     }

  283.     when = now() - when;

  284.     printf("exti dbl:    %5.1fns\n", when * 1e9 / i);

  285.     

  286.     when = now();

  287.     for (i=0; i<nbase*100; i++) {

  288.         untwist_and_double(&exta, &ext);

  289.     }

  290.     when = now() - when;

  291.     printf("i->a isog:   %5.1fns\n", when * 1e9 / i);

  292.     

  293.     when = now();

  294.     for (i=0; i<nbase*100; i++) {

  295.         twist_and_double(&ext, &exta);

  296.     }

  297.     when = now() - when;

  298.     printf("a->i isog:   %5.1fns\n", when * 1e9 / i);

  299.     

  300.     when = now();

  301.     for (i=0; i<nbase*100; i++) {

  302.         montgomery_step(&mb);

  303.     }

  304.     when = now() - when;

  305.     printf("monty step:  %5.1fns\n", when * 1e9 / i);

  306. 	

  307.     when = now();

  308.     for (i=0; i<nbase/10; i++) {

  309.         ignore_result(montgomery_ladder(&a,&b,sk,FIELD_BITS,0));

  310.     }

  311.     when = now() - when;

  312.     printf("full ladder: %5.1fµs\n", when * 1e6 / i);

  313.     

  314.     when = now();

  315.     for (i=0; i<nbase/10; i++) {

  316.         scalarmul(&ext,sk);

  317.     }

  318.     when = now() - when;

  319.     printf("edwards smz: %5.1fµs\n", when * 1e6 / i);

  320.     

  321.     when = now();

  322.     for (i=0; i<nbase/10; i++) {

  323.         scalarmul_vlook(&ext,sk);

  324.     }

  325.     when = now() - when;

  326.     printf("edwards svl: %5.1fµs\n", when * 1e6 / i);

  327.     

  328.     when = now();

  329.     for (i=0; i<nbase/10; i++) {

  330.         scalarmul(&ext,sk);

  331.         untwist_and_double_and_serialize(&a,&ext);

  332.     }

  333.     when = now() - when;

  334.     printf("edwards smc: %5.1fµs\n", when * 1e6 / i);

  335.     

  336.     when = now();

  337.     for (i=0; i<nbase/10; i++) {

  338.         q448_randomize(&crand, sk);

  339.         scalarmul_vt(&ext,sk,SCALAR_BITS);

  340.     }

  341.     when = now() - when;

  342.     printf("edwards vtm: %5.1fµs\n", when * 1e6 / i);

  343.     

  344.     struct tw_niels_t wnaft[1<<6];

  345.     when = now();

  346.     for (i=0; i<nbase/10; i++) {

  347.         ignore_result(precompute_fixed_base_wnaf(wnaft,&ext,6));

  348.     }

  349.     when = now() - when;

  350.     printf("wnaf6 pre:   %5.1fµs\n", when * 1e6 / i);

  351.     

  352.     when = now();

  353.     for (i=0; i<nbase/10; i++) {

  354.         q448_randomize(&crand, sk);

  355.         scalarmul_fixed_base_wnaf_vt(&ext,sk,SCALAR_BITS,wnaft,6);

  356.     }

  357.     when = now() - when;

  358.     printf("edwards vt6: %5.1fµs\n", when * 1e6 / i);

  359.     

  360.     when = now();

  361.     for (i=0; i<nbase/10; i++) {

  362.         ignore_result(precompute_fixed_base_wnaf(wnaft,&ext,4));

  363.     }

  364.     when = now() - when;

  365.     printf("wnaf4 pre:   %5.1fµs\n", when * 1e6 / i);

  366.     

  367.     when = now();

  368.     for (i=0; i<nbase/10; i++) {

  369.         q448_randomize(&crand, sk);

  370.         scalarmul_fixed_base_wnaf_vt(&ext,sk,SCALAR_BITS,wnaft,4);

  371.     }

  372.     when = now() - when;

  373.     printf("edwards vt4: %5.1fµs\n", when * 1e6 / i);

  374. 

  375.     when = now();

  376.     for (i=0; i<nbase/10; i++) {

  377.         ignore_result(precompute_fixed_base_wnaf(wnaft,&ext,5));

  378.     }

  379.     when = now() - when;

  380.     printf("wnaf5 pre:   %5.1fµs\n", when * 1e6 / i);

  381.     

  382.     when = now();

  383.     for (i=0; i<nbase/10; i++) {

  384.         q448_randomize(&crand, sk);

  385.         scalarmul_fixed_base_wnaf_vt(&ext,sk,SCALAR_BITS,wnaft,5);

  386.     }

  387.     when = now() - when;

  388.     printf("edwards vt5: %5.1fµs\n", when * 1e6 / i);

  389.     

  390.     when = now();

  391.     for (i=0; i<nbase/10; i++) {

  392.         q448_randomize(&crand, sk);

  393.         q448_randomize(&crand, tk);

  394.         linear_combo_var_fixed_vt(&ext,sk,FIELD_BITS,tk,FIELD_BITS,wnaft,5);

  395.     }

  396.     when = now() - when;

  397.     printf("vt vf combo: %5.1fµs\n", when * 1e6 / i);

  398.     

  399.     when = now();

  400.     for (i=0; i<nbase/10; i++) {

  401.         deserialize_affine(&affine, &a);

  402.         convert_affine_to_extensible(&exta,&affine);

  403.         twist_and_double(&ext,&exta);

  404.         scalarmul(&ext,sk);

  405.         untwist_and_double(&exta,&ext);

  406.         serialize_extensible(&b, &exta);

  407.     }

  408.     when = now() - when;

  409.     printf("edwards sm:  %5.1fµs\n", when * 1e6 / i);

  410.     

  411.     struct fixed_base_table_t t_5_5_18, t_3_5_30, t_8_4_14, t_5_3_30, t_15_3_10;

  412. 

  413.     while (1) {

  414.         field_randomize(&crand, &a);

  415.         if (deserialize_affine(&affine, &a)) break;

  416.     }

  417.     convert_affine_to_extensible(&exta,&affine);

  418.     twist_and_double(&ext,&exta);

  419.     when = now();

  420.     for (i=0; i<nbase/10; i++) {

  421.         if (i) destroy_fixed_base(&t_5_5_18);

  422.         ignore_result(precompute_fixed_base(&t_5_5_18, &ext, 5, 5, 18, NULL));

  423.     }

  424.     when = now() - when;

  425.     printf("pre(5,5,18): %5.1fµs\n", when * 1e6 / i);

  426.     

  427.     when = now();

  428.     for (i=0; i<nbase/10; i++) {

  429.         if (i) destroy_fixed_base(&t_3_5_30);

  430.         ignore_result(precompute_fixed_base(&t_3_5_30, &ext, 3, 5, 30, NULL));

  431.     }

  432.     when = now() - when;

  433.     printf("pre(3,5,30): %5.1fµs\n", when * 1e6 / i);

  434.     

  435.     when = now();

  436.     for (i=0; i<nbase/10; i++) {

  437.         if (i) destroy_fixed_base(&t_5_3_30);

  438.         ignore_result(precompute_fixed_base(&t_5_3_30, &ext, 5, 3, 30, NULL));

  439.     }

  440.     when = now() - when;

  441.     printf("pre(5,3,30): %5.1fµs\n", when * 1e6 / i);

  442.     

  443.     when = now();

  444.     for (i=0; i<nbase/10; i++) {

  445.         if (i) destroy_fixed_base(&t_15_3_10);

  446.         ignore_result(precompute_fixed_base(&t_15_3_10, &ext, 15, 3, 10, NULL));

  447.     }

  448.     when = now() - when;

  449.     printf("pre(15,3,10):%5.1fµs\n", when * 1e6 / i);

  450.     

  451.     when = now();

  452.     for (i=0; i<nbase/10; i++) {

  453.         if (i) destroy_fixed_base(&t_8_4_14);

  454.         ignore_result(precompute_fixed_base(&t_8_4_14, &ext, 8, 4, 14, NULL));

  455.     }

  456.     when = now() - when;

  457.     printf("pre(8,4,14): %5.1fµs\n", when * 1e6 / i);

  458. 	

  459.     when = now();

  460.     for (i=0; i<nbase; i++) {

  461.         scalarmul_fixed_base(&ext, sk, FIELD_BITS, &t_5_5_18);

  462.     }

  463.     when = now() - when;

  464.     printf("com(5,5,18): %5.1fµs\n", when * 1e6 / i);

  465.     

  466.     when = now();

  467.     for (i=0; i<nbase; i++) {

  468.         scalarmul_fixed_base(&ext, sk, FIELD_BITS, &t_3_5_30);

  469.     }

  470.     when = now() - when;

  471.     printf("com(3,5,30): %5.1fµs\n", when * 1e6 / i);

  472. 

  473.     when = now();

  474.     for (i=0; i<nbase; i++) {

  475.         scalarmul_fixed_base(&ext, sk, FIELD_BITS, &t_8_4_14);

  476.     }

  477.     when = now() - when;

  478.     printf("com(8,4,14): %5.1fµs\n", when * 1e6 / i);

  479. 

  480.     when = now();

  481.     for (i=0; i<nbase; i++) {

  482.         scalarmul_fixed_base(&ext, sk, FIELD_BITS, &t_5_3_30);

  483.     }

  484.     when = now() - when;

  485.     printf("com(5,3,30): %5.1fµs\n", when * 1e6 / i);

  486. 

  487.     when = now();

  488.     for (i=0; i<nbase; i++) {

  489.         scalarmul_fixed_base(&ext, sk, FIELD_BITS, &t_15_3_10);

  490.     }

  491.     when = now() - when;

  492.     printf("com(15,3,10):%5.1fµs\n", when * 1e6 / i);

  493.     

  494.     printf("\nGoldilocks:\n");

  495.     

  496.     int res = goldilocks_init();

  497.     assert(!res);

  498.     

  499.     struct goldilocks_public_key_t gpk,hpk;

  500.     struct goldilocks_private_key_t gsk,hsk;

  501.     

  502.     when = now();

  503.     for (i=0; i<nbase; i++) {

  504.         if (i&1) {

  505.             res = goldilocks_keygen(&gsk,&gpk);

  506.         } else {

  507.             res = goldilocks_keygen(&hsk,&hpk);

  508.         }

  509.         assert(!res);

  510.     }

  511.     when = now() - when;

  512.     printf("keygen:      %5.1fµs\n", when * 1e6 / i);

  513.     

  514.     uint8_t ss1[64],ss2[64];

  515.     int gres1=0,gres2=0;

  516.     when = now();

  517.     for (i=0; i<nbase; i++) {

  518.         if (i&1) {

  519.             gres1 = goldilocks_shared_secret(ss1,&gsk,&hpk);

  520.         } else {

  521.             gres2 = goldilocks_shared_secret(ss2,&hsk,&gpk);

  522.         }

  523.     }

  524.     when = now() - when;

  525.     printf("ecdh:        %5.1fµs\n", when * 1e6 / i);

  526.     if (gres1 || gres2 || memcmp(ss1,ss2,64)) {

  527.         printf("[FAIL] %d %d\n",gres1,gres2);

  528.         

  529.         printf("sk1 = ");

  530.         for (i=0; i<SCALAR_BYTES; i++) {

  531.             printf("%02x", gsk.opaque[i]);

  532.         }

  533.         printf("\nsk2 = ");

  534.         for (i=0; i<SCALAR_BYTES; i++) {

  535.             printf("%02x", hsk.opaque[i]);

  536.         }

  537.         printf("\nss1 = ");

  538.         for (i=0; i<64; i++) {

  539.             printf("%02x", ss1[i]);

  540.         }

  541.         printf("\nss2 = ");

  542.         for (i=0; i<64; i++) {

  543.             printf("%02x", ss2[i]);

  544.         }

  545.         printf("\n");

  546.     }

  547.     

  548.     uint8_t sout[FIELD_BYTES*2];

  549.     const char *message = "hello world";

  550.     size_t message_len = strlen(message);

  551.     when = now();

  552.     for (i=0; i<nbase; i++) {

  553.         res = goldilocks_sign(sout,(const unsigned char *)message,message_len,&gsk);

  554.         (void)res;

  555.         assert(!res);

  556.     }

  557.     when = now() - when;

  558.     printf("sign:        %5.1fµs\n", when * 1e6 / i);

  559.     

  560.     when = now();

  561.     for (i=0; i<nbase; i++) {

  562.         int ver = goldilocks_verify(sout,(const unsigned char *)message,message_len,&gpk);

  563.         (void)ver;

  564.         assert(!ver);

  565.     }

  566.     when = now() - when;

  567.     printf("verify:      %5.1fµs\n", when * 1e6 / i);

  568.     

  569.     struct goldilocks_precomputed_public_key_t *pre = NULL;

  570.     when = now();

  571.     for (i=0; i<nbase; i++) {

  572.         goldilocks_destroy_precomputed_public_key(pre);

  573.         pre = goldilocks_precompute_public_key(&gpk);

  574.     }

  575.     when = now() - when;

  576.     printf("precompute:  %5.1fµs\n", when * 1e6 / i);

  577.     

  578.     when = now();

  579.     for (i=0; i<nbase; i++) {

  580.         int ver = goldilocks_verify_precomputed(sout,(const unsigned char *)message,message_len,pre);

  581.         (void)ver;

  582.         assert(!ver);

  583.     }

  584.     when = now() - when;

  585.     printf("verify pre:  %5.1fµs\n", when * 1e6 / i);

  586.     

  587.     when = now();

  588.     for (i=0; i<nbase; i++) {

  589.         int ret = goldilocks_shared_secret_precomputed(ss1,&gsk,pre);

  590.         (void)ret;

  591.         assert(!ret);

  592.     }

  593.     when = now() - when;

  594.     printf("ecdh pre:    %5.1fµs\n", when * 1e6 / i);

  595.     

  596.     printf("\nTesting...\n");

  597.     

  598.     

  599.     int failures=0, successes = 0;

  600.     for (i=0; i<nbase/10; i++) {

  601.         ignore_result(goldilocks_keygen(&gsk,&gpk));

  602.         goldilocks_sign(sout,(const unsigned char *)message,message_len,&gsk);

  603.         res = goldilocks_verify(sout,(const unsigned char *)message,message_len,&gpk);

  604.         if (res) failures++;

  605.     }

  606.     if (failures) {

  607.         printf("FAIL %d/%d signature checks!\n", failures, i);

  608.     }

  609.     

  610.     failures=0; successes = 0;

  611.     for (i=0; i<nbase/10; i++) {

  612.         field_randomize(&crand, &a);

  613. 		word_t two = 2;

  614.         mask_t good = montgomery_ladder(&b,&a,&two,2,0);

  615. 		if (!good) continue;

  616. 		

  617. 		word_t x,y;

  618.         crandom_generate(&crand, (unsigned char *)&x, sizeof(x));

  619.         crandom_generate(&crand, (unsigned char *)&y, sizeof(y));

  620.         x = (hword_t)x;

  621.         y = (hword_t)y;

  622.         word_t z=x*y;

  623.         

  624.     	ignore_result(montgomery_ladder(&b,&a,&x,WORD_BITS,0));

  625.         ignore_result(montgomery_ladder(&c,&b,&y,WORD_BITS,0));

  626.         ignore_result(montgomery_ladder(&b,&a,&z,WORD_BITS,0));

  627.         

  628.         field_sub(&d,&b,&c);

  629.         field_bias(&d,2);

  630. 		if (!field_is_zero(&d)) {

  631.             printf("Odd ladder validation failure %d!\n", ++failures);

  632.             field_print("a", &a);

  633.             printf("x=%"PRIxWORD", y=%"PRIxWORD", z=%"PRIxWORD"\n", x,y,z);

  634.             field_print("c", &c);

  635.             field_print("b", &b);

  636. 			printf("\n");

  637. 		}

  638. 	}

  639.     

  640.     failures = 0;

  641.     for (i=0; i<nbase/10; i++) {

  642.         mask_t good;

  643.         do {

  644.             field_randomize(&crand, &a);

  645.             good = deserialize_affine(&affine, &a);

  646.         } while (!good);

  647.         

  648.         convert_affine_to_extensible(&exta,&affine);

  649.         twist_and_double(&ext,&exta);

  650.         untwist_and_double(&exta,&ext);

  651.         serialize_extensible(&b, &exta);

  652.         untwist_and_double_and_serialize(&c, &ext);

  653.         

  654.         field_sub(&d,&b,&c);

  655.         field_bias(&d,2);

  656.         

  657.         if (good && !field_is_zero(&d)){

  658.             printf("Iso+serial validation failure %d!\n", ++failures);

  659.             field_print("a", &a);

  660.             field_print("b", &b);

  661.             field_print("c", &c);

  662.             printf("\n");

  663.         } else if (good) {

  664.             successes ++;

  665.         }

  666.     }

  667.     if (successes < i/3) {

  668.         printf("Iso+serial variation: only %d/%d successful.\n", successes, i);

  669.     }

  670.     

  671.     successes = failures = 0;

  672.     for (i=0; i<nbase/10; i++) {

  673.         struct field_t aa;

  674.         struct tw_extensible_t exu,exv,exw;

  675.         

  676.         mask_t good;

  677.         do {

  678.             field_randomize(&crand, &a);

  679.             good = deserialize_affine(&affine, &a);

  680.             convert_affine_to_extensible(&exta,&affine);

  681.             twist_and_double(&ext,&exta);

  682.         } while (!good);

  683.         do {

  684.             field_randomize(&crand, &aa);

  685.             good = deserialize_affine(&affine, &aa);

  686.             convert_affine_to_extensible(&exta,&affine);

  687.             twist_and_double(&exu,&exta);

  688.         } while (!good);

  689.         field_randomize(&crand, &aa);

  690.         

  691.         q448_randomize(&crand, sk);

  692. 		if (i==0 || i==2) memset(&sk, 0, sizeof(sk));

  693.         q448_randomize(&crand, tk);

  694. 		if (i==0 || i==1) memset(&tk, 0, sizeof(tk));

  695.         

  696.         copy_tw_extensible(&exv, &ext);

  697.         copy_tw_extensible(&exw, &exu);

  698.         scalarmul(&exv,sk);

  699.         scalarmul(&exw,tk);

  700.         convert_tw_extensible_to_tw_pniels(&pniels, &exw);

  701.         add_tw_pniels_to_tw_extensible(&exv,&pniels);

  702.         untwist_and_double(&exta,&exv);

  703.         serialize_extensible(&b, &exta);

  704. 

  705.         ignore_result(precompute_fixed_base_wnaf(wnaft,&exu,5));

  706.         linear_combo_var_fixed_vt(&ext,sk,FIELD_BITS,tk,FIELD_BITS,wnaft,5);

  707.         untwist_and_double(&exta,&exv);

  708.         serialize_extensible(&c, &exta);

  709.         

  710.         field_sub(&d,&b,&c);

  711.         field_bias(&d,2);

  712.         

  713.         if (!field_is_zero(&d)){

  714.             printf("PreWNAF combo validation failure %d!\n", ++failures);

  715.             field_print("a", &a);

  716.             field_print("A", &aa);

  717.             q448_print("s", sk);

  718.             q448_print("t", tk);

  719.             field_print("c", &c);

  720.             field_print("b", &b);

  721.             printf("\n\n");

  722.         } else if (good) {

  723.             successes ++;

  724.         }

  725.     }

  726.     if (successes < i) {

  727.         printf("PreWNAF combo variation: only %d/%d successful.\n", successes, i);

  728.     }

  729.     

  730.     return 0;

  731. }