jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
161 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: 9bbeb61b1f
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '9bbeb61b1f'
${ noResults }
ed448goldilocks/test/test_pointops.c

649 lines
20 KiB
Raw Blame History 

  1. #include "test.h"

  2. 

  3. #include <stdio.h>

  4. 

  5. #include "ec_point.h"

  6. #include "decaf.h"

  7. #include "scalarmul.h"

  8. #include "magic.h"

  9. #include "field.h"

  10. #include "crandom.h"

  11. 

  12. 

  13. static void

  14. failprint_ext (

  15.     const struct extensible_t *a

  16. ) {

  17.     field_a_t zi, scaled;

  18.     field_print("    x", a->x);

  19.     field_print("    y", a->y);

  20.     field_print("    z", a->z);

  21.     field_inverse(zi, a->z);

  22.     field_mul(scaled, zi, a->x);

  23.     field_print("    X", scaled);

  24.     field_mul(scaled, zi, a->y);

  25.     field_print("    Y", scaled);

  26.     printf("\n");

  27. }

  28. 

  29. static void

  30. failprint_tw_ext (

  31.     const struct tw_extensible_t *a

  32. ) {

  33.     failprint_ext((const struct extensible_t *)a);

  34. }

  35. 

  36. static mask_t

  37. fail_if_different (

  38.     const struct extensible_t *a,

  39.     const struct extensible_t *b,

  40.     const char *faildescr,

  41.     const char *adescr,

  42.     const char *bdescr

  43. ) {

  44.     mask_t succ = eq_extensible(a, b);

  45.     

  46.     if (!succ) {

  47.         youfail();

  48.         printf("    %s\n", faildescr);

  49.         

  50.         printf("\n    %s:\n", adescr);

  51.         failprint_ext(a);

  52.         

  53.         printf("\n    %s:\n", bdescr);

  54.         failprint_ext(b);

  55.     }

  56.     

  57.     return succ;

  58. }

  59. 

  60. static mask_t

  61. validate_ext(

  62.     const struct extensible_t *ext,

  63.     int evenness,

  64.     const char *description

  65. ) {

  66.     mask_t succ = validate_extensible(ext), succ2;

  67.     const char *error = "Point isn't on the curve.";

  68.     if (evenness > 0) {

  69.         succ2 = is_even_pt(ext);

  70.         if (succ &~ succ2) error = "Point isn't even.";

  71.         succ &= succ2;

  72.     } else if (evenness < 0) {

  73.         succ2 = is_even_pt(ext);

  74.         if (succ &~ succ2) error = "Point is even but shouldn't be.";

  75.         succ &= succ2;

  76.     } /* FUTURE: quadness */

  77.     

  78.     if (~succ) {

  79.         youfail();

  80.         printf("    %s\n", error);

  81.         printf("    %s\n", description);

  82.         failprint_ext(ext);

  83.     }

  84.     

  85.     return succ;

  86. }

  87. 

  88. static mask_t

  89. validate_tw_ext(

  90.     const struct tw_extensible_t *ext,

  91.     int evenness,

  92.     const char *description

  93. ) {

  94.     mask_t succ = validate_tw_extensible(ext), succ2;

  95.     const char *error = "Point isn't on the twisted curve.";

  96.     if (evenness > 0) {

  97.         succ2 = is_even_tw(ext);

  98.         if (succ &~ succ2) error = "Point isn't even.";

  99.         succ &= succ2;

  100.     } else if (evenness < 0) {

  101.         succ2 = is_even_tw(ext);

  102.         if (succ &~ succ2) error = "Point is even but shouldn't be.";

  103.         succ &= succ2;

  104.     } /* FUTURE: quadness */

  105.     

  106.     if (~succ) {

  107.         youfail();

  108.         printf("    %s\n", error);

  109.         printf("    %s\n", description);

  110.         failprint_tw_ext(ext);

  111.     }

  112.     

  113.     return succ;

  114. }

  115. 

  116. static mask_t

  117. fail_if_different_tw (

  118.     const struct tw_extensible_t *a,

  119.     const struct tw_extensible_t *b,

  120.     const char *faildescr,

  121.     const char *adescr,

  122.     const char *bdescr

  123. ) {

  124.     return fail_if_different(

  125.         (const struct extensible_t *)a, (const struct extensible_t *)b,

  126.         faildescr,adescr,bdescr

  127.     );

  128. }

  129. 

  130. static int

  131. add_double_test (

  132.     const struct affine_t *base1,

  133.     const struct affine_t *base2 

  134. ) {

  135.     mask_t succ = MASK_SUCCESS;

  136.     struct extensible_t exb;

  137.     struct tw_extensible_t text1, text2, texta, textb;

  138.     struct tw_extended_t ted1, ted2;

  139.     struct tw_pniels_t pn;

  140.     

  141.     /* Convert to ext */

  142.     convert_affine_to_extensible(&exb, base1);

  143.     succ &= validate_ext(&exb,0,"base1");

  144.     twist_and_double(&text1, &exb);

  145.     succ &= validate_tw_ext(&text1,2,"iso1");

  146.     convert_affine_to_extensible(&exb, base2);

  147.     succ &= validate_ext(&exb,0,"base2");

  148.     twist_and_double(&text2, &exb);

  149.     succ &= validate_tw_ext(&text2,2,"iso2");

  150.     

  151.     /* a + b == b + a? */

  152.     convert_tw_extensible_to_tw_pniels(&pn, &text1);

  153.     copy_tw_extensible(&texta, &text2);

  154.     add_tw_pniels_to_tw_extensible(&texta, &pn);

  155.     

  156.     convert_tw_extensible_to_tw_pniels(&pn, &text2);

  157.     copy_tw_extensible(&textb, &text1);

  158.     add_tw_pniels_to_tw_extensible(&textb, &pn);

  159. 

  160.     decaf_448_point_t ted3;

  161.     convert_tw_extensible_to_tw_extended(&ted1, &text1);

  162.     convert_tw_extensible_to_tw_extended(&ted2, &text2);

  163.     decaf_448_point_add(ted3, (struct decaf_448_point_s*)&ted1, (struct decaf_448_point_s*)&ted2);

  164.     add_tw_extended(&ted1, &ted2);

  165.     convert_tw_extensible_to_tw_extended(&ted2, &textb);

  166.     

  167.     if (~decaf_eq_tw_extended(&ted1, &ted2) | ~decaf_448_point_eq((struct decaf_448_point_s*)&ted1, ted3)) {

  168.         youfail();

  169.         succ = 0;

  170.         printf("    Tw extended simple compat:\n");

  171.         field_print("    x1",ted1.x);

  172.         field_print("    y1",ted1.y);

  173.         field_print("    z1",ted1.z);

  174.         field_print("    t1",ted1.t);

  175.         field_print("    x2",ted2.x);

  176.         field_print("    y2",ted2.y);

  177.         field_print("    z2",ted2.z);

  178.         field_print("    t2",ted2.t);

  179.         struct tw_extended_t *t3 = (struct tw_extended_t *)&ted3;

  180.         field_print("    x3",t3->x);

  181.         field_print("    y3",t3->y);

  182.         field_print("    z3",t3->z);

  183.         field_print("    t3",t3->t);

  184.         

  185.     }

  186.     

  187.     succ &= fail_if_different_tw(&texta,&textb,"Addition commutativity","a+b","b+a");

  188.     

  189.     copy_tw_extensible(&textb, &text2);

  190.     add_tw_pniels_to_tw_extensible(&textb, &pn);

  191.     copy_tw_extensible(&texta, &text2);

  192.     double_tw_extensible(&texta);

  193. 

  194.     succ &= fail_if_different_tw(&texta,&textb,"Doubling test","2b","b+b");

  195.     

  196.     if (~succ) {

  197.         printf("    Bases were:\n");

  198.         field_print("    x1", base1->x);

  199.         field_print("    y1", base1->y);

  200.         field_print("    x2", base2->x);

  201.         field_print("    y2", base2->y);

  202.     }

  203.     

  204.     return succ ? 0 : -1;

  205. }

  206. 

  207. static int

  208. single_twisting_test (

  209.     const struct affine_t *base

  210. ) {

  211.     struct extensible_t exb, ext, tmpext;

  212.     struct tw_extensible_t text, text2;

  213.     mask_t succ = MASK_SUCCESS;

  214.     

  215.     convert_affine_to_extensible(&exb, base);

  216.     succ &= validate_ext(&exb,0,"base");

  217.     

  218.     /* check: dual . iso = 4 */

  219.     twist_and_double(&text, &exb);

  220.     succ &= validate_tw_ext(&text,2,"iso");

  221.     untwist_and_double(&ext, &text);

  222.     succ &= validate_ext(&ext,2,"dual.iso");

  223.     

  224.     copy_extensible(&tmpext,&exb);

  225.     double_extensible(&tmpext);

  226.     succ &= validate_ext(&tmpext,1,"2*base");

  227.     

  228.     double_extensible(&tmpext);

  229.     succ &= validate_ext(&tmpext,2,"4*base");

  230.     

  231.     succ &= fail_if_different(&ext,&tmpext,"Isogeny and dual","Dual . iso","4*base");

  232.     

  233.     /* check: twist and serialize */

  234.     test_only_twist(&text, &exb);

  235.     succ &= validate_tw_ext(&text,0,"tot");

  236.     mask_t evt = is_even_tw(&text), evb = is_even_pt(&exb);

  237.     if (evt != evb) {

  238.         youfail();

  239.         printf("    Different evenness from twist base: %d, twist: %d\n", (int)-evt, (int)-evb);

  240.         

  241.         succ = 0;

  242.     } /* FUTURE: quadness */

  243.     

  244.     field_a_t sera,serb;

  245.     untwist_and_double_and_serialize(sera,&text);

  246.     copy_extensible(&tmpext,&exb);

  247.     double_extensible(&tmpext);

  248.     serialize_extensible(serb,&tmpext);

  249.     

  250.     /* check that their (doubled; FUTURE?) serializations are equal */

  251.     if (~field_eq(sera,serb)) {

  252.         youfail();

  253.         printf("    Different serialization from twist + double ()\n");

  254.         field_print("    t", sera);

  255.         field_print("    b", serb);

  256.         succ = 0;

  257.     }

  258.     

  259.     untwist_and_double(&ext, &text);

  260.     succ &= validate_ext(&tmpext,1,"dual.tot");

  261.     

  262.     twist_and_double(&text2, &ext);

  263.     succ &= validate_tw_ext(&text2,2,"iso.dual.tot");

  264. 

  265.     double_tw_extensible(&text);

  266.     succ &= validate_tw_ext(&text,1,"2*tot");

  267. 

  268.     double_tw_extensible(&text);

  269.     succ &= validate_tw_ext(&text,2,"4*tot");

  270.     

  271.     succ &= fail_if_different_tw(&text,&text2,"Dual and isogeny","4*tot","iso.dual.tot");

  272.     

  273.     if (~succ) {

  274.         printf("    Base was:\n");

  275.         field_print("    x", base->x);

  276.         field_print("    y", base->y);

  277.     }

  278.     

  279.     

  280.     return succ ? 0 : -1;

  281. }

  282. 

  283. int test_decaf_evil (void) {

  284.     

  285. #if FIELD_BITS != 448

  286.     printf(" [ UNIMP ] ");

  287.     return 0;

  288. #else

  289. 

  290. #if WORD_BITS==64

  291. #define SC_WORD(x) x##ull

  292. #elif WORD_BITS==32

  293. #define SC_WORD(x) (uint32_t)(x##ull), (x##ull)>>32

  294. #endif

  295. 

  296.     word_t evil_scalars[5][448/WORD_BITS] = {

  297.         {0},

  298.         {SC_WORD(0x2378c292ab5844f3),SC_WORD(0x216cc2728dc58f55),SC_WORD(0xc44edb49aed63690),SC_WORD(0xffffffff7cca23e9),

  299.          SC_WORD(0xffffffffffffffff),SC_WORD(0xffffffffffffffff),SC_WORD(0x3fffffffffffffff)}, /* q */

  300.         {SC_WORD(0xdc873d6d54a7bb0d),SC_WORD(0xde933d8d723a70aa),SC_WORD(0x3bb124b65129c96f),

  301.          SC_WORD(0x335dc16),SC_WORD(0x0),SC_WORD(0x0),SC_WORD(0x4000000000000000)}, /* qtwist */

  302.         {SC_WORD(0x46f1852556b089e6),SC_WORD(0x42d984e51b8b1eaa),SC_WORD(0x889db6935dac6d20),SC_WORD(0xfffffffef99447d3),

  303.          SC_WORD(0xffffffffffffffff),SC_WORD(0xffffffffffffffff),SC_WORD(0x7fffffffffffffff)}, /* 2q */

  304.         {SC_WORD(0xb90e7adaa94f761a),SC_WORD(0xbd267b1ae474e155),SC_WORD(0x7762496ca25392df),SC_WORD(0x66bb82c),

  305.              SC_WORD(0x0),SC_WORD(0x0),SC_WORD(0x8000000000000000)} /* 2*qtwist */

  306.     };

  307.     word_t random_scalar[448/WORD_BITS];

  308.     

  309.     unsigned char evil_inputs[3][56];

  310.     memset(evil_inputs[0],0,56);

  311.     memset(evil_inputs[1],0,56);

  312.     memset(evil_inputs[2],0xff,56);

  313.     evil_inputs[1][0] = 1;

  314.     evil_inputs[2][0] = evil_inputs[2][28] = 0xFE;

  315.     

  316.     unsigned char random_input[56];

  317.     

  318.     

  319.     crandom_state_a_t crand;

  320.     crandom_init_from_buffer(crand, "my evil_decaf random initializer");

  321. 

  322.     int i,j,fails=0;

  323.     int ret = 0;

  324.     for (i=0; i<100; i++) {

  325.         

  326.         crandom_generate(crand, (unsigned char *)random_scalar, sizeof(random_scalar));

  327.         if (i<15) {

  328.             memcpy(random_scalar, evil_scalars[i%5], sizeof(random_scalar));

  329.             if (i%3 == 1) random_scalar[0] ++;

  330.             if (i%3 == 2) random_scalar[0] --;

  331.         }

  332.         

  333.         for (j=0; j<100; j++) {

  334.             crandom_generate(crand, random_input, sizeof(random_input));

  335.             mask_t should = 0, care_should = 0;

  336.             if (j<3) {

  337.                 memcpy(random_input, evil_inputs[j], sizeof(random_input));

  338.                 care_should = -1;

  339.                 should = (j==0) ? -1 : 0;

  340.             } else {

  341.                 random_input[55] &= 0x7F;

  342.             }

  343.             

  344.             field_a_t base, out_m, out_e, out_ed;

  345.             mask_t s_base = field_deserialize(base,random_input);

  346.             

  347.             affine_a_t pt_e;

  348.             tw_affine_a_t pt_te;

  349.             tw_extended_a_t pt_ed;

  350.             // TODO: test don't allow identity

  351.             mask_t s_e  = decaf_deserialize_affine(pt_e,base,-1);

  352.             mask_t s_te = decaf_deserialize_tw_affine(pt_te,base,-1);

  353.             mask_t s_ed = decaf_deserialize_tw_extended(pt_ed,base,-1);

  354.             mask_t s_m  = decaf_montgomery_ladder(out_m, base, random_scalar, 448);

  355.             

  356.             uint8_t ser_di[56];

  357.             mask_t s_di = decaf_448_direct_scalarmul(ser_di,random_input,(struct decaf_448_scalar_s *)random_scalar,-1,-1);

  358.             

  359.             tw_extensible_a_t work;

  360.             convert_tw_affine_to_tw_extensible(work,pt_te);

  361.             scalarmul(work, random_scalar);

  362.             decaf_serialize_tw_extensible(out_e, work);

  363. 

  364.             scalarmul_ed(pt_ed, random_scalar);

  365.             decaf_serialize_tw_extended(out_ed, pt_ed);

  366.             

  367.             uint8_t ser_de[56], ser_ed[56];

  368.             decaf_448_point_t pt_dec, pt_dec2;

  369.             memcpy(pt_dec, pt_ed, sizeof(pt_dec));

  370.             decaf_448_point_encode(ser_de, pt_dec);

  371.             mask_t succ_dec = decaf_448_point_decode(pt_dec2, ser_de, -1);

  372.             field_serialize(ser_ed, out_ed);

  373.             

  374.             decaf_448_point_t p,q,m;

  375.             uint8_t oo_base_ser[56], n_base_ser[56];

  376.             field_a_t oo_base,tmp,tmp2;

  377.             field_isr(tmp,base);

  378.             field_sqr(tmp2,tmp); // 1/+-s_base

  379.             field_sqr(tmp,tmp2); // = 1/s_base^2

  380.             field_mul(oo_base,tmp,base); // = 1/s_base

  381.             field_serialize(oo_base_ser,oo_base);

  382.             field_neg(tmp,base);

  383.             field_serialize(n_base_ser,tmp); // = -base

  384.             decaf_448_point_from_hash_nonuniform (p,random_input);

  385.             decaf_448_point_from_hash_nonuniform (q,oo_base_ser);

  386.             decaf_448_point_from_hash_nonuniform (m,n_base_ser);

  387.             mask_t succ_nur = decaf_448_point_valid(p);

  388.             succ_nur &= decaf_448_point_valid(q);

  389.             succ_nur &= decaf_448_point_valid(m);

  390.             

  391.             mask_t eq_neg, eq_pos;

  392.             eq_neg = decaf_448_point_eq(m,p);

  393.             decaf_448_point_add(m,p,q);

  394.             eq_pos = decaf_448_point_eq(m,decaf_448_point_identity);

  395.             

  396.             if ((care_should && should != s_m)

  397.                 || ~s_base || s_e != s_te || s_m != s_te || s_ed != s_te || s_di != s_te

  398.                 || (s_te && ~field_eq(out_e,out_m))

  399.                 || (s_ed && ~field_eq(out_e,out_ed))

  400.                 || memcmp(ser_de, ser_ed, 56)

  401.                 || (s_te && memcmp(ser_di, ser_ed, 56))

  402.                 || (s_e & ~succ_dec)

  403.                 || (s_e & ~decaf_448_point_eq(pt_dec, pt_dec2)

  404.                 || (s_e & ~decaf_448_point_valid(pt_dec))

  405.                 || (succ_dec & ~decaf_448_point_valid(pt_dec2))

  406.                 || ~succ_nur

  407.                 || ~eq_neg

  408.                 || ~eq_pos)

  409.             ) {

  410.                 youfail();

  411.                 field_print("    base", base);

  412.                 scalar_print("    scal", random_scalar, (448+WORD_BITS-1)/WORD_BITS);

  413.                 field_print("    oute", out_e);

  414.                 field_print("    outE", out_ed);

  415.                 field_print("    outm", out_m);

  416.                 printf("    succ: m=%d, e=%d, t=%d, di=%d, b=%d, T=%d, D=%d, nur=%d, e+=%d, e-=%d, should=%d[%d]\n",

  417.                     -(int)s_m,-(int)s_e,-(int)s_te,-(int)s_di,-(int)s_base,-(int)s_ed,-(int)succ_dec,

  418.                     -(int)succ_nur, -(int)eq_neg, -(int)eq_pos,

  419.                     -(int)should,-(int)care_should

  420.                 );

  421.                 ret = -1;

  422.                 fails++;

  423.             }

  424.         }

  425.     }

  426.     if (fails) {

  427.         printf("    Failed %d trials\n", fails);

  428.     }

  429.     return ret;

  430. #endif

  431. }

  432. 

  433. int test_decaf (void) {

  434.     struct affine_t base;

  435.     struct tw_affine_t tw_base;

  436.     field_a_t serf;

  437.     

  438.     struct crandom_state_t crand;

  439.     crandom_init_from_buffer(&crand, "my test_decaf random initializer");

  440.     

  441.     int i, hits = 0, fails = 0;

  442.     

  443.     if (~decaf_448_point_valid(decaf_448_point_base)) {

  444.         youfail();

  445.         printf("   Decaf base point invalid\n");

  446.         fails++;

  447.     }

  448.     

  449.     if (~decaf_448_point_valid(decaf_448_point_identity)) {

  450.         youfail();

  451.         printf("   Decaf identity point invalid\n");

  452.         fails++;

  453.     }

  454.     

  455.     

  456.     for (i=0; i<1000; i++) {

  457.         uint8_t ser[FIELD_BYTES];

  458.         

  459.         int j;

  460.         

  461.         mask_t succ = 0;

  462.         for (j=0; j<128 && !succ; j++) {

  463.             crandom_generate(&crand, ser, sizeof(ser));

  464.             ser[FIELD_BYTES-1] &= (1<<((FIELD_BITS-1)%8)) - 1;

  465. 

  466.             succ = field_deserialize(serf, ser);

  467.             if (!succ) {

  468.                 youfail();

  469.                 printf("   Unlikely: fail at field_deserialize\n");

  470.                 return -1;

  471.             }

  472.         

  473.             succ &= decaf_deserialize_affine(&base, serf, 0);

  474.         }

  475.         if (!succ) {

  476.             youfail();

  477.             printf("Unlikely: fail 128 desers\n");

  478.             return -1;

  479.         }

  480.         

  481.         hits++;

  482.         field_a_t serf2;

  483.         struct extensible_t ext;

  484.         convert_affine_to_extensible(&ext, &base);

  485.         decaf_serialize_extensible(serf2, &ext);

  486.         

  487.         if (~validate_affine(&base)) {

  488.             youfail();

  489.             printf("Invalid decaf deser:\n");

  490.             field_print("    s", serf);

  491.             field_print("    x", base.x);

  492.             field_print("    y", base.y);

  493.             fails ++;

  494.         } else if (~field_eq(serf, serf2)) {

  495.             youfail();

  496.             printf("Fail round-trip through decaf ser:\n");

  497.             field_print("    s", serf);

  498.             field_print("    x", base.x);

  499.             field_print("    y", base.y);

  500.             printf("    deser is %s\n", validate_affine(&base) ? "valid" : "invalid");

  501.             field_print("    S", serf2);

  502.             fails ++;

  503.         } else if (~is_even_pt(&ext)) {

  504.             youfail();

  505.             printf("Decaf deser isn't even:\n");

  506.             field_print("    s", serf);

  507.             field_print("    x", base.x);

  508.             field_print("    y", base.y);

  509.             fails ++;

  510.         }

  511.         

  512.         succ = decaf_deserialize_tw_affine(&tw_base, serf, 0);

  513.         struct tw_extensible_t tw_ext, tw_ext2;

  514.         convert_tw_affine_to_tw_extensible(&tw_ext, &tw_base);

  515.         decaf_serialize_tw_extensible(serf2, &tw_ext);

  516.         

  517.         twist_even(&tw_ext2, &ext);

  518. 

  519.         if (~succ | ~validate_tw_extensible(&tw_ext)) {

  520.             youfail();

  521.             printf("Invalid decaf tw deser:\n");

  522.             field_print("    s", serf);

  523.             field_print("    x", tw_base.x);

  524.             field_print("    y", tw_base.y);

  525.             fails ++;

  526.         } else if (~field_eq(serf, serf2)) {

  527.             youfail();

  528.             printf("Fail round-trip through decaf ser:\n");

  529.             field_print("    s", serf);

  530.             field_print("    x", tw_base.x);

  531.             field_print("    y", tw_base.y);

  532.             printf("    tw deser is %s\n", validate_tw_extensible(&tw_ext) ? "valid" : "invalid");

  533.             field_print("    S", serf2);

  534.             fails ++;

  535.         } else if (~is_even_tw(&tw_ext)) {

  536.             youfail();

  537.             printf("Decaf tw deser isn't even:\n");

  538.             field_print("    s", serf);

  539.             field_print("    x", tw_base.x);

  540.             field_print("    y", tw_base.y);

  541.             fails ++;

  542.         } else if (~decaf_eq_tw_extensible(&tw_ext,&tw_ext2)) {

  543.             youfail();

  544.             printf("Decaf tw doesn't equal ext:\n");

  545.             field_print("    s",  serf);

  546.             field_print("    x1", base.x);

  547.             field_print("    y1", base.y);

  548.             field_print("    x2", tw_base.x);

  549.             field_print("    y2", tw_base.y);

  550.             field_print("    X2", tw_ext2.x);

  551.             field_print("    Y2", tw_ext2.y);

  552.             fails ++;

  553.         }

  554. 

  555.         tw_extended_a_t ed;

  556.         succ = decaf_deserialize_tw_extended(ed, serf, 0);

  557.         decaf_serialize_tw_extended(serf2, ed);

  558. 

  559.         if (~succ) {

  560.             youfail();

  561.             printf("Invalid decaf ed deser:\n");

  562.             field_print("    s", serf);

  563.             fails ++;

  564.         } else if (~field_eq(serf, serf2)) {

  565.             youfail();

  566.             printf("Fail round-trip through decaf ser:\n");

  567.             field_print("    s", serf);

  568.             field_print("    x", ed->x);

  569.             field_print("    y", ed->y);

  570.             field_print("    z", ed->z);

  571.             field_print("    t", ed->t);

  572.             printf("    tw deser is %s\n", validate_tw_extensible(&tw_ext) ? "valid" : "invalid");

  573.             field_print("    S", serf2);

  574.             fails ++;

  575.         }

  576. 

  577.         word_t scalar = 1;

  578.         mask_t res = decaf_montgomery_ladder(serf2,serf,&scalar,1+(i%31));

  579.         if (~res | ~field_eq(serf2,serf)) {

  580.             youfail();

  581.             printf("Decaf Montgomery ladder i=%d res=%d\n", 1+(i%31), (int)res);

  582.             field_print("    s", serf);

  583.             field_print("    o", serf2);

  584.             printf("\n");

  585.         }

  586.     }

  587.     if (hits < 1000) {

  588.         youfail();

  589.         printf("   Fail: only %d successes in decaf_deser\n", hits);

  590.         return -1;

  591.     } else if (fails) {

  592.         printf("  %d fails\n", fails);

  593.         return -1;

  594.     } else {

  595.         return 0;

  596.     }

  597. }

  598. 

  599. int test_pointops (void) {

  600.     struct affine_t base, pbase;

  601.     field_a_t serf;

  602.     

  603.     struct crandom_state_t crand;

  604.     crandom_init_from_buffer(&crand, "test_pointops random initializer");

  605.     

  606.     struct extensible_t ext_base;

  607.     if (!validate_affine(goldilocks_base_point)) {

  608.         youfail();

  609.         printf("  Base point isn't on the curve.\n");

  610.         return -1;

  611.     }

  612.     convert_affine_to_extensible(&ext_base, goldilocks_base_point);

  613.     if (!validate_ext(&ext_base, 2, "base")) return -1;

  614.     

  615.     int i, ret;

  616.     for (i=0; i<1000; i++) {

  617.         uint8_t ser[FIELD_BYTES];

  618.         crandom_generate(&crand, ser, sizeof(ser));

  619. 

  620. 

  621.         #if (FIELD_BITS % 8)

  622.             ser[FIELD_BYTES-1] &= (1<<(FIELD_BITS%8)) - 1;

  623.         #endif

  624.         

  625.         /* TODO: we need a field generate, which can return random or pathological. */

  626.         mask_t succ = field_deserialize(serf, ser);

  627.         if (!succ) {

  628.             youfail();

  629.             printf("   Unlikely: fail at field_deserialize\n");

  630.             return -1;

  631.         }

  632.         

  633.         if (i) {

  634.             copy_affine(&pbase, &base);

  635.         }

  636.         elligator_2s_inject(&base, serf);

  637.         

  638.         if (i) {

  639.             ret = add_double_test(&base, &pbase);

  640.             if (ret) return ret;

  641.         }

  642.         

  643.         ret = single_twisting_test(&base);

  644.         if (ret) return ret;

  645.     }

  646.     

  647.     return 0;

  648. }