jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
552 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: 7f3aa8a420
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '7f3aa8a420'
${ noResults }
ed448goldilocks/src/per_curve/elligator.tmpl.c

190 lines
5.3 KiB
Raw Blame History 

  1. /** @brief Elligator high-level functions. */

  2. 

  3. #include "word.h"

  4. #include "field.h"

  5. #include <decaf.h>

  6. 

  7. /* Template stuff */

  8. #define API_NS(_id) $(c_ns)_##_id

  9. #define point_t API_NS(point_t)

  10. #define IMAGINE_TWIST $(imagine_twist)

  11. #define COFACTOR $(cofactor)

  12. static const int EDWARDS_D = $(d);

  13. 

  14. #define RISTRETTO_FACTOR $(C_NS)_RISTRETTO_FACTOR

  15. extern const gf RISTRETTO_FACTOR;

  16. 

  17. /* End of template stuff */

  18. extern mask_t API_NS(deisogenize) (

  19.     gf_s *__restrict__ s,

  20.     gf_s *__restrict__ inv_el_sum,

  21.     gf_s *__restrict__ inv_el_m1,

  22.     const point_t p,

  23.     mask_t toggle_hibit_s,

  24.     mask_t toggle_altx,

  25.     mask_t toggle_rotation

  26. );

  27. 

  28. void API_NS(point_from_hash_nonuniform) (

  29.     point_t p,

  30.     const unsigned char ser[SER_BYTES]

  31. ) {

  32.     gf r0,r,a,b,c,N,e;

  33.     const uint8_t mask = (uint8_t)(0xFE<<($((gf_bits-1)%8)));

  34.     ignore_result(gf_deserialize(r0,ser,mask));

  35.     gf_strong_reduce(r0);

  36.     gf_sqr(a,r0);

  37.     gf_mul_qnr(r,a);

  38. 

  39.     /* Compute D@c := (dr+a-d)(dr-ar-d) with a=1 */

  40.     gf_sub(a,r,ONE);

  41.     gf_mulw(b,a,EDWARDS_D); /* dr-d */

  42.     gf_add(a,b,ONE);

  43.     gf_sub(b,b,r);

  44.     gf_mul(c,a,b);

  45.     

  46.     /* compute N := (r+1)(a-2d) */

  47.     gf_add(a,r,ONE);

  48.     gf_mulw(N,a,1-2*EDWARDS_D);

  49.     

  50.     /* e = +-sqrt(1/ND) or +-r0 * sqrt(qnr/ND) */

  51.     gf_mul(a,c,N);

  52.     mask_t square = gf_isr(b,a);

  53.     gf_cond_sel(c,r0,ONE,square); /* r? = square ? 1 : r0 */

  54.     gf_mul(e,b,c);

  55.     

  56.     /* s@a = +-|N.e| */

  57.     gf_mul(a,N,e);

  58.     gf_cond_neg(a,gf_lobit(a) ^ ~square);

  59.     

  60.     /* t@b = -+ cN(r-1)((a-2d)e)^2 - 1 */

  61.     gf_mulw(c,e,1-2*EDWARDS_D); /* (a-2d)e */

  62.     gf_sqr(b,c);

  63.     gf_sub(e,r,ONE);

  64.     gf_mul(c,b,e);

  65.     gf_mul(b,c,N);

  66.     gf_cond_neg(b,square);

  67.     gf_sub(b,b,ONE);

  68. 

  69.     /* isogenize */

  70. #if IMAGINE_TWIST

  71.     gf_mul(c,a,SQRT_MINUS_ONE);

  72.     gf_copy(a,c);

  73. #endif

  74.     

  75.     gf_sqr(c,a); /* s^2 */

  76.     gf_add(a,a,a); /* 2s */

  77.     gf_add(e,c,ONE);

  78.     gf_mul(p->t,a,e); /* 2s(1+s^2) */

  79.     gf_mul(p->x,a,b); /* 2st */

  80.     gf_sub(a,ONE,c);

  81.     gf_mul(p->y,e,a); /* (1+s^2)(1-s^2) */

  82.     gf_mul(p->z,a,b); /* (1-s^2)t */

  83.     

  84.     assert(API_NS(point_valid)(p));

  85. }

  86. 

  87. void API_NS(point_from_hash_uniform) (

  88.     point_t pt,

  89.     const unsigned char hashed_data[2*SER_BYTES]

  90. ) {

  91.     point_t pt2;

  92.     API_NS(point_from_hash_nonuniform)(pt,hashed_data);

  93.     API_NS(point_from_hash_nonuniform)(pt2,&hashed_data[SER_BYTES]);

  94.     API_NS(point_add)(pt,pt,pt2);

  95. }

  96. 

  97. /* Elligator_onto:

  98.  * Make elligator-inverse onto at the cost of roughly halving the success probability.

  99.  * Currently no effect for curves with field size 1 bit mod 8 (where the top bit

  100.  * is chopped off).  FUTURE MAGIC: automatic at least for brainpool-style curves; support

  101.  * log p == 1 mod 8 brainpool curves maybe?

  102.  */

  103. #define MAX(A,B) (((A)>(B)) ? (A) : (B))

  104. 

  105. decaf_error_t

  106. API_NS(invert_elligator_nonuniform) (

  107.     unsigned char recovered_hash[SER_BYTES],

  108.     const point_t p,

  109.     uint32_t hint_

  110. ) {

  111.     mask_t hint = hint_;

  112.     mask_t sgn_s = ~((1 - (hint & 1))*DECAF_MASK_ALL_SET), /* expand hint bit 0 to the whole mask without branching */

  113.         sgn_altx = ~((1 - (hint>>1 & 1))*DECAF_MASK_ALL_SET),

  114.         sgn_r0 = ~((1 - (hint>>2 & 1))*DECAF_MASK_ALL_SET),

  115.         /* FUTURE MAGIC: eventually if there's a curve which needs sgn_ed_T but not sgn_r0,

  116.          * change this mask extraction.

  117.          */

  118.         sgn_ed_T = ~((1 - (hint>>3 & 1))*DECAF_MASK_ALL_SET);

  119.     gf a,b,c;

  120.     API_NS(deisogenize)(a,b,c,p,sgn_s,sgn_altx,sgn_ed_T);

  121.     

  122.     mask_t is_identity = gf_eq(p->t,ZERO);

  123. #if COFACTOR==4

  124.     gf_cond_sel(b,b,ONE,is_identity & sgn_altx);

  125.     gf_cond_sel(c,c,ONE,is_identity & sgn_s &~ sgn_altx);

  126. #elif IMAGINE_TWIST

  127.     /* Terrible, terrible special casing due to lots of 0/0 is deisogenize

  128.      * Basically we need to generate -D and +- i*RISTRETTO_FACTOR

  129.      */

  130.     gf_mul_i(a,RISTRETTO_FACTOR);

  131.     gf_cond_sel(b,b,ONE,is_identity);

  132.     gf_cond_neg(a,sgn_altx);

  133.     gf_cond_sel(c,c,a,is_identity & sgn_ed_T);

  134.     gf_cond_sel(c,c,ZERO,is_identity & ~sgn_ed_T);

  135.     gf_mulw(a,ONE,-EDWARDS_D);

  136.     gf_cond_sel(c,c,a,is_identity & ~sgn_ed_T &~ sgn_altx);

  137. #else

  138. #error "Different special-casing goes here!"

  139. #endif

  140.     

  141. #if IMAGINE_TWIST

  142.     gf_mulw(a,b,-EDWARDS_D);

  143. #else

  144.     gf_mulw(a,b,EDWARDS_D-1);

  145. #endif

  146.     gf_add(b,a,b);

  147.     gf_sub(a,a,c);

  148.     gf_add(b,b,c);

  149.     gf_cond_swap(a,b,sgn_s);

  150.     gf_mul_qnr(c,b);

  151.     gf_mul(b,c,a);

  152.     mask_t succ = gf_isr(c,b);

  153.     succ |= gf_eq(b,ZERO);

  154.     gf_mul(b,c,a);

  155.     

  156. #if $(gf_bits) == 8*SER_BYTES + 1 /* p521. */

  157. #error "this won't work because it needs to adjust high bit, not low bit"

  158.     sgn_r0 = 0;

  159. #endif

  160.     

  161.     gf_cond_neg(b, sgn_r0^gf_lobit(b));

  162.     /* Eliminate duplicate values for identity ... */

  163.     succ &= ~(gf_eq(b,ZERO) & (sgn_r0 | sgn_s));

  164.     // #if COFACTOR == 8

  165.     //     succ &= ~(is_identity & sgn_ed_T); /* NB: there are no preimages of rotated identity. */

  166.     // #endif

  167.     

  168.     gf_serialize(recovered_hash,b);

  169. #if $(gf_bits%8)

  170.     #if COFACTOR==8

  171.         recovered_hash[SER_BYTES-1] ^= (hint>>4)<<$(gf_bits%8);

  172.     #else

  173.         recovered_hash[SER_BYTES-1] ^= (hint>>3)<<$(gf_bits%8);

  174.     #endif

  175. #endif

  176.     return decaf_succeed_if(mask_to_bool(succ));

  177. }

  178. 

  179. decaf_error_t

  180. API_NS(invert_elligator_uniform) (

  181.     unsigned char partial_hash[2*SER_BYTES],

  182.     const point_t p,

  183.     uint32_t hint

  184. ) {

  185.     point_t pt2;

  186.     API_NS(point_from_hash_nonuniform)(pt2,&partial_hash[SER_BYTES]);

  187.     API_NS(point_sub)(pt2,p,pt2);

  188.     return API_NS(invert_elligator_nonuniform)(partial_hash,pt2,hint);

  189. }