jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
352 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: a585d7f148
ed448goldilocks/src/per_curve/decaf.tmpl.hxx

656 lines
23 KiB
Raw Blame History 

  1. /**

  2.  * A group of prime order p, C++ wrapper.

  3.  * 

  4.  * The Decaf library implements cryptographic operations on a an elliptic curve

  5.  * group of prime order p. It accomplishes this by using a twisted Edwards

  6.  * curve (isogenous to $(iso_to)) and wiping out the cofactor.

  7.  * 

  8.  * The formulas are all complete and have no special cases, except that

  9.  * $(c_ns)_decode can fail because not every sequence of bytes is a valid group

  10.  * element.

  11.  * 

  12.  * The formulas contain no data-dependent branches, timing or memory accesses,

  13.  * except for $(c_ns)_base_double_scalarmul_non_secret.

  14.  */

  15. 

  16. /** This code uses posix_memalign. */

  17. #ifndef _XOPEN_SOURCE

  18. #define _XOPEN_SOURCE 600

  19. #endif

  20. #include <stdlib.h>

  21. #include <string.h> /* for memcpy */

  22. 

  23. #include <decaf/decaf_$(gf_bits).h>

  24. #include <decaf/secure_buffer.hxx>

  25. #include <string>

  26. #include <sys/types.h>

  27. #include <limits.h>

  28. 

  29. /** @cond internal */

  30. #if __cplusplus >= 201103L

  31. #define NOEXCEPT noexcept

  32. #else

  33. #define NOEXCEPT throw()

  34. #endif

  35. /** @endcond */

  36. 

  37. namespace decaf {

  38. 

  39. /**

  40.  * $(iso_to)/Decaf instantiation of group.

  41.  */

  42. struct $(cxx_ns) {

  43. 

  44. /** The name of the curve */

  45. static inline const char *name() { return "$(name)"; }

  46. 

  47. /** The curve's cofactor (removed, but useful for testing) */

  48. static const int REMOVED_COFACTOR = $(cofactor);

  49. 

  50. /** Residue class of field modulus: p == this mod 2*(this-1) */

  51. static const int FIELD_MODULUS_TYPE = $([2**i+1 for i in xrange(1,10) if modulus % 2**(i+1) != 1][0]);

  52. 

  53. /** @cond internal */

  54. class Point;

  55. class Precomputed;

  56. /** @endcond */

  57. 

  58. /**

  59.  * A scalar modulo the curve order.

  60.  * Supports the usual arithmetic operations, all in constant time.

  61.  */

  62. class Scalar : public Serializable<Scalar> {

  63. public:

  64.     /** wrapped C type */

  65.     typedef $(c_ns)_scalar_t Wrapped;

  66.     

  67.     /** Size of a serialized element */

  68.     static const size_t SER_BYTES = $(C_NS)_SCALAR_BYTES;

  69. 

  70.     /** access to the underlying scalar object */

  71.     Wrapped s;

  72. 

  73.     /** @cond internal */

  74.     /** Don't initialize. */

  75.     inline Scalar(const NOINIT &) NOEXCEPT {}

  76.     /** @endcond */

  77. 

  78.     /** Set to an unsigned word */

  79.     inline Scalar(uint64_t w) NOEXCEPT { *this = w; }

  80. 

  81.     /** Set to a signed word */

  82.     inline Scalar(int64_t w) NOEXCEPT { *this = w; }

  83. 

  84.     /** Set to an unsigned word */

  85.     inline Scalar(unsigned int w) NOEXCEPT { *this = w; }

  86. 

  87.     /** Set to a signed word */

  88.     inline Scalar(int w) NOEXCEPT { *this = w; }

  89. 

  90.     /** Construct from RNG */

  91.     inline explicit Scalar(Rng &rng) NOEXCEPT {

  92.         FixedArrayBuffer<SER_BYTES + 16> sb(rng);

  93.         *this = sb;

  94.     }

  95. 

  96.     /** Construct from decaf_scalar_t object. */

  97.     inline Scalar(const Wrapped &t = $(c_ns)_scalar_zero) NOEXCEPT { $(c_ns)_scalar_copy(s,t); }

  98. 

  99.     /** Copy constructor. */

  100.     inline Scalar(const Scalar &x) NOEXCEPT { *this = x; }

  101. 

  102.     /** Construct from arbitrary-length little-endian byte sequence. */

  103.     inline Scalar(const Block &buffer) NOEXCEPT { *this = buffer; }

  104. 

  105.     /** Serializable instance */

  106.     inline size_t serSize() const NOEXCEPT { return SER_BYTES; }

  107. 

  108.     /** Serializable instance */

  109.     inline void serialize_into(unsigned char *buffer) const NOEXCEPT {

  110.         $(c_ns)_scalar_encode(buffer, s);

  111.     }

  112. 

  113.     /** Assignment. */

  114.     inline Scalar& operator=(const Scalar &x) NOEXCEPT { $(c_ns)_scalar_copy(s,x.s); return *this; }

  115. 

  116.     /** Assign from unsigned 64-bit integer. */

  117.     inline Scalar& operator=(uint64_t w) NOEXCEPT { $(c_ns)_scalar_set_unsigned(s,w); return *this; }

  118. 

  119. 

  120.     /** Assign from signed int. */

  121.     inline Scalar& operator=(int64_t w) NOEXCEPT {

  122.         Scalar t(-(uint64_t)INT_MIN);

  123.         $(c_ns)_scalar_set_unsigned(s,(uint64_t)w - (uint64_t)INT_MIN);

  124.         *this -= t;

  125.         return *this;

  126.     }

  127. 

  128.     /** Assign from unsigned int. */

  129.     inline Scalar& operator=(unsigned int w) NOEXCEPT { return *this = (uint64_t)w; }

  130. 

  131.     /** Assign from signed int. */

  132.     inline Scalar& operator=(int w) NOEXCEPT { return *this = (int64_t)w; }

  133. 

  134.     /** Destructor securely zeorizes the scalar. */

  135.     inline ~Scalar() NOEXCEPT { $(c_ns)_scalar_destroy(s); }

  136. 

  137.     /** Assign from arbitrary-length little-endian byte sequence in a Block. */

  138.     inline Scalar &operator=(const Block &bl) NOEXCEPT {

  139.         $(c_ns)_scalar_decode_long(s,bl.data(),bl.size()); return *this;

  140.     }

  141. 

  142.     /**

  143.      * Decode from correct-length little-endian byte sequence.

  144.      * @return DECAF_FAILURE if the scalar is greater than or equal to the group order q.

  145.      */

  146.     static inline decaf_error_t WARN_UNUSED decode (

  147.         Scalar &sc, const FixedBlock<SER_BYTES> buffer

  148.     ) NOEXCEPT {

  149.         return $(c_ns)_scalar_decode(sc.s,buffer.data());

  150.     }

  151. 

  152.     /** Add. */

  153.     inline Scalar operator+ (const Scalar &q) const NOEXCEPT { Scalar r((NOINIT())); $(c_ns)_scalar_add(r.s,s,q.s); return r; }

  154. 

  155.     /** Add to this. */

  156.     inline Scalar &operator+=(const Scalar &q) NOEXCEPT { $(c_ns)_scalar_add(s,s,q.s); return *this; }

  157. 

  158.     /** Subtract. */

  159.     inline Scalar operator- (const Scalar &q) const NOEXCEPT { Scalar r((NOINIT())); $(c_ns)_scalar_sub(r.s,s,q.s); return r; }

  160. 

  161.     /** Subtract from this. */

  162.     inline Scalar &operator-=(const Scalar &q) NOEXCEPT { $(c_ns)_scalar_sub(s,s,q.s); return *this; }

  163. 

  164.     /** Multiply */

  165.     inline Scalar operator* (const Scalar &q) const NOEXCEPT { Scalar r((NOINIT())); $(c_ns)_scalar_mul(r.s,s,q.s); return r; }

  166. 

  167.     /** Multiply into this. */

  168.     inline Scalar &operator*=(const Scalar &q) NOEXCEPT { $(c_ns)_scalar_mul(s,s,q.s); return *this; }

  169. 

  170.     /** Negate */

  171.     inline Scalar operator- () const NOEXCEPT { Scalar r((NOINIT())); $(c_ns)_scalar_sub(r.s,$(c_ns)_scalar_zero,s); return r; }

  172. 

  173.     /** Invert with Fermat's Little Theorem (slow!). If *this == 0,

  174.      * throw CryptoException. */

  175.     inline Scalar inverse() const throw(CryptoException) {

  176.         Scalar r;

  177.         if (DECAF_SUCCESS != $(c_ns)_scalar_invert(r.s,s)) {

  178.             throw CryptoException();

  179.         }

  180.         return r;

  181.     }

  182. 

  183.     /** Invert with Fermat's Little Theorem (slow!). If *this == 0, set r=0

  184.      * and return DECAF_FAILURE. */

  185.     inline decaf_error_t WARN_UNUSED

  186.     inverse_noexcept(Scalar &r) const NOEXCEPT {

  187.         return $(c_ns)_scalar_invert(r.s,s);

  188.     }

  189. 

  190.     /** Divide by inverting q. If q == 0, return 0. */

  191.     inline Scalar operator/ (const Scalar &q) const throw(CryptoException) { return *this * q.inverse(); }

  192. 

  193.     /** Divide by inverting q. If q == 0, return 0. */

  194.     inline Scalar &operator/=(const Scalar &q) throw(CryptoException) { return *this *= q.inverse(); }

  195. 

  196.     /** Return half this scalar.  Much faster than /2. */

  197.     inline Scalar half() const { Scalar out; $(c_ns)_scalar_halve(out.s,s); return out; }

  198. 

  199.     /** Compare in constant time */

  200.     inline bool operator!=(const Scalar &q) const NOEXCEPT { return !(*this == q); }

  201. 

  202.     /** Compare in constant time */

  203.     inline bool operator==(const Scalar &q) const NOEXCEPT { return !!$(c_ns)_scalar_eq(s,q.s); }

  204. 

  205.     /** Scalarmul with scalar on left. */

  206.     inline Point operator* (const Point &q) const NOEXCEPT { return q * (*this); }

  207. 

  208.     /** Scalarmul-precomputed with scalar on left. */

  209.     inline Point operator* (const Precomputed &q) const NOEXCEPT { return q * (*this); }

  210. 

  211.     /** Direct scalar multiplication. */

  212.     inline SecureBuffer direct_scalarmul(

  213.         const Block &in,

  214.         decaf_bool_t allow_identity=DECAF_FALSE,

  215.         decaf_bool_t short_circuit=DECAF_TRUE

  216.     ) const throw(CryptoException);

  217. };

  218. 

  219. /**

  220.  * Element of prime-order group.

  221.  */

  222. class Point : public Serializable<Point> {

  223. public:

  224.     /** wrapped C type */

  225.     typedef $(c_ns)_point_t Wrapped;

  226.     

  227.     /** Size of a serialized element */

  228.     static const size_t SER_BYTES = $(C_NS)_SER_BYTES;

  229. 

  230.     /** Bytes required for hash */

  231.     static const size_t HASH_BYTES = SER_BYTES;

  232. 

  233.     /** Size of a stegged element */

  234.     static const size_t STEG_BYTES = HASH_BYTES * 2;

  235. 

  236.     /** The c-level object. */

  237.     Wrapped p;

  238. 

  239.     /** @cond internal */

  240.     /** Don't initialize. */

  241.     inline Point(const NOINIT &) NOEXCEPT {}

  242.     /** @endcond */

  243. 

  244.     /** Constructor sets to identity by default. */

  245.     inline Point(const Wrapped &q = $(c_ns)_point_identity) NOEXCEPT { $(c_ns)_point_copy(p,q); }

  246. 

  247.     /** Copy constructor. */

  248.     inline Point(const Point &q) NOEXCEPT { *this = q; }

  249. 

  250.     /** Assignment. */

  251.     inline Point& operator=(const Point &q) NOEXCEPT { $(c_ns)_point_copy(p,q.p); return *this; }

  252. 

  253.     /** Destructor securely zeorizes the point. */

  254.     inline ~Point() NOEXCEPT { $(c_ns)_point_destroy(p); }

  255. 

  256.     /** Construct from RNG */

  257.     inline explicit Point(Rng &rng, bool uniform = true) NOEXCEPT {

  258.         if (uniform) {

  259.             FixedArrayBuffer<2*HASH_BYTES> b(rng);

  260.             set_to_hash(b);

  261.         } else {

  262.             FixedArrayBuffer<HASH_BYTES> b(rng);

  263.             set_to_hash(b);

  264.         }

  265.     }

  266. 

  267.    /**

  268.     * Initialize from a fixed-length byte string.

  269.     * The all-zero string maps to the identity.

  270.     *

  271.     * @throw CryptoException the string was the wrong length, or wasn't the encoding of a point,

  272.     * or was the identity and allow_identity was DECAF_FALSE.

  273.     */

  274.     inline explicit Point(const FixedBlock<SER_BYTES> &buffer, decaf_bool_t allow_identity=DECAF_TRUE)

  275.         throw(CryptoException) {

  276.         if (DECAF_SUCCESS != decode(*this,buffer,allow_identity)) {

  277.             throw CryptoException();

  278.         }

  279.     }

  280. 

  281.     /**

  282.      * Initialize from C++ fixed-length byte string.

  283.      * The all-zero string maps to the identity.

  284.      *

  285.      * @retval DECAF_SUCCESS the string was successfully decoded.

  286.      * @return DECAF_FAILURE the string was the wrong length, or wasn't the encoding of a point,

  287.      * or was the identity and allow_identity was DECAF_FALSE. Contents of the buffer are undefined.

  288.      */

  289.     static inline decaf_error_t WARN_UNUSED decode (

  290.         Point &p, const FixedBlock<SER_BYTES> &buffer, decaf_bool_t allow_identity=DECAF_TRUE

  291.     ) NOEXCEPT {

  292.         return $(c_ns)_point_decode(p.p,buffer.data(),allow_identity);

  293.     }

  294. 

  295.     /**

  296.      * Map uniformly to the curve from a hash buffer.

  297.      * The empty or all-zero string maps to the identity, as does the string "\\x01".

  298.      * If the buffer is shorter than 2*HASH_BYTES, well, it won't be as uniform,

  299.      * but the buffer will be zero-padded on the right.

  300.      */

  301.     static inline Point from_hash ( const Block &s ) NOEXCEPT {

  302.         Point p((NOINIT())); p.set_to_hash(s); return p;

  303.     }

  304. 

  305.     /**

  306.      * Map to the curve from a hash buffer.

  307.      * The empty or all-zero string maps to the identity, as does the string "\\x01".

  308.      * If the buffer is shorter than 2*HASH_BYTES, well, it won't be as uniform,

  309.      * but the buffer will be zero-padded on the right.

  310.      */

  311.     inline void set_to_hash( const Block &s ) NOEXCEPT {

  312.         if (s.size() < HASH_BYTES) {

  313.             SecureBuffer b(HASH_BYTES);

  314.             memcpy(b.data(), s.data(), s.size());

  315.             $(c_ns)_point_from_hash_nonuniform(p,b.data());

  316.         } else if (s.size() == HASH_BYTES) {

  317.             $(c_ns)_point_from_hash_nonuniform(p,s.data());

  318.         } else if (s.size() < 2*HASH_BYTES) {

  319.             SecureBuffer b(2*HASH_BYTES);

  320.             memcpy(b.data(), s.data(), s.size());

  321.             $(c_ns)_point_from_hash_uniform(p,b.data());

  322.         } else {

  323.             $(c_ns)_point_from_hash_uniform(p,s.data());

  324.         }

  325.     }

  326. 

  327.     /**

  328.      * Encode to string. The identity encodes to the all-zero string.

  329.      */

  330.     inline operator SecureBuffer() const {

  331.         SecureBuffer buffer(SER_BYTES);

  332.         $(c_ns)_point_encode(buffer.data(), p);

  333.         return buffer;

  334.     }

  335. 

  336.     /** Serializable instance */

  337.     inline size_t serSize() const NOEXCEPT { return SER_BYTES; }

  338. 

  339.     /** Serializable instance */

  340.     inline void serialize_into(unsigned char *buffer) const NOEXCEPT {

  341.         $(c_ns)_point_encode(buffer, p);

  342.     }

  343. 

  344.     /** Point add. */

  345.     inline Point operator+ (const Point &q) const NOEXCEPT { Point r((NOINIT())); $(c_ns)_point_add(r.p,p,q.p); return r; }

  346. 

  347.     /** Point add. */

  348.     inline Point &operator+=(const Point &q) NOEXCEPT { $(c_ns)_point_add(p,p,q.p); return *this; }

  349. 

  350.     /** Point subtract. */

  351.     inline Point operator- (const Point &q) const NOEXCEPT { Point r((NOINIT())); $(c_ns)_point_sub(r.p,p,q.p); return r; }

  352. 

  353.     /** Point subtract. */

  354.     inline Point &operator-=(const Point &q) NOEXCEPT { $(c_ns)_point_sub(p,p,q.p); return *this; }

  355. 

  356.     /** Point negate. */

  357.     inline Point operator- () const NOEXCEPT { Point r((NOINIT())); $(c_ns)_point_negate(r.p,p); return r; }

  358. 

  359.     /** Double the point out of place. */

  360.     inline Point times_two () const NOEXCEPT { Point r((NOINIT())); $(c_ns)_point_double(r.p,p); return r; }

  361. 

  362.     /** Double the point in place. */

  363.     inline Point &double_in_place() NOEXCEPT { $(c_ns)_point_double(p,p); return *this; }

  364. 

  365.     /** Constant-time compare. */

  366.     inline bool operator!=(const Point &q) const NOEXCEPT { return ! $(c_ns)_point_eq(p,q.p); }

  367. 

  368.     /** Constant-time compare. */

  369.     inline bool operator==(const Point &q) const NOEXCEPT { return !!$(c_ns)_point_eq(p,q.p); }

  370. 

  371.     /** Scalar multiply. */

  372.     inline Point operator* (const Scalar &s) const NOEXCEPT { Point r((NOINIT())); $(c_ns)_point_scalarmul(r.p,p,s.s); return r; }

  373. 

  374.     /** Scalar multiply in place. */

  375.     inline Point &operator*=(const Scalar &s) NOEXCEPT { $(c_ns)_point_scalarmul(p,p,s.s); return *this; }

  376. 

  377.     /** Multiply by s.inverse(). If s=0, maps to the identity. */

  378.     inline Point operator/ (const Scalar &s) const throw(CryptoException) { return (*this) * s.inverse(); }

  379. 

  380.     /** Multiply by s.inverse(). If s=0, maps to the identity. */

  381.     inline Point &operator/=(const Scalar &s) throw(CryptoException) { return (*this) *= s.inverse(); }

  382. 

  383.     /** Validate / sanity check */

  384.     inline bool validate() const NOEXCEPT { return $(c_ns)_point_valid(p); }

  385. 

  386.     /** Double-scalar multiply, equivalent to q*qs + r*rs but faster. */

  387.     static inline Point double_scalarmul (

  388.         const Point &q, const Scalar &qs, const Point &r, const Scalar &rs

  389.     ) NOEXCEPT {

  390.         Point p((NOINIT())); $(c_ns)_point_double_scalarmul(p.p,q.p,qs.s,r.p,rs.s); return p;

  391.     }

  392. 

  393.     /** Dual-scalar multiply, equivalent to this*r1, this*r2 but faster. */

  394.     inline void dual_scalarmul (

  395.         Point &q1, Point &q2, const Scalar &r1, const Scalar &r2

  396.     ) const NOEXCEPT {

  397.         $(c_ns)_point_dual_scalarmul(q1.p,q2.p,p,r1.s,r2.s);

  398.     }

  399. 

  400.     /**

  401.      * Double-scalar multiply, equivalent to q*qs + r*rs but faster.

  402.      * For those who like their scalars before the point.

  403.      */

  404.     static inline Point double_scalarmul (

  405.         const Scalar &qs, const Point &q, const Scalar &rs, const Point &r

  406.     ) NOEXCEPT {

  407.         return double_scalarmul(q,qs,r,rs);

  408.     }

  409. 

  410.     /**

  411.      * Double-scalar multiply: this point by the first scalar and base by the second scalar.

  412.      * @warning This function takes variable time, and may leak the scalars (or points, but currently

  413.      * it doesn't).

  414.      */

  415.     inline Point non_secret_combo_with_base(const Scalar &s, const Scalar &s_base) NOEXCEPT {

  416.         Point r((NOINIT())); $(c_ns)_base_double_scalarmul_non_secret(r.p,s_base.s,p,s.s); return r;

  417.     }

  418. 

  419.     /** Return a point equal to *this, whose internal data is rotated by a torsion element. */

  420.     inline Point debugging_torque() const NOEXCEPT {

  421.         Point q;

  422.         $(c_ns)_point_debugging_torque(q.p,p);

  423.         return q;

  424.     }

  425. 

  426.     /** Return a point equal to *this, whose internal data has a modified representation. */

  427.     inline Point debugging_pscale(const FixedBlock<SER_BYTES> factor) const NOEXCEPT {

  428.         Point q;

  429.         $(c_ns)_point_debugging_pscale(q.p,p,factor.data());

  430.         return q;

  431.     }

  432. 

  433.     /** Return a point equal to *this, whose internal data has a randomized representation. */

  434.     inline Point debugging_pscale(Rng &r) const NOEXCEPT {

  435.         FixedArrayBuffer<SER_BYTES> sb(r);

  436.         return debugging_pscale(sb);

  437.     }

  438. 

  439.     /**

  440.      * Modify buffer so that Point::from_hash(Buffer) == *this, and return DECAF_SUCCESS;

  441.      * or leave buf unmodified and return DECAF_FAILURE.

  442.      */

  443.     inline decaf_error_t invert_elligator (

  444.         Buffer buf, uint16_t hint

  445.     ) const NOEXCEPT {

  446.         unsigned char buf2[2*HASH_BYTES];

  447.         memset(buf2,0,sizeof(buf2));

  448.         memcpy(buf2,buf.data(),(buf.size() > 2*HASH_BYTES) ? 2*HASH_BYTES : buf.size());

  449.         decaf_bool_t ret;

  450.         if (buf.size() > HASH_BYTES) {

  451.             ret = decaf_successful($(c_ns)_invert_elligator_uniform(buf2, p, hint));

  452.         } else {

  453.             ret = decaf_successful($(c_ns)_invert_elligator_nonuniform(buf2, p, hint));

  454.         }

  455.         if (buf.size() < HASH_BYTES) {

  456.             ret &= decaf_memeq(&buf2[buf.size()], &buf2[HASH_BYTES], HASH_BYTES - buf.size());

  457.         }

  458.         for (size_t i=0; i<buf.size() && i<HASH_BYTES; i++) {

  459.             buf[i] = (buf[i] & ~ret) | (buf2[i] &ret);

  460.         }

  461.         decaf_bzero(buf2,sizeof(buf2));

  462.         return decaf_succeed_if(ret);

  463.     }

  464. 

  465.     /** Steganographically encode this */

  466.     inline SecureBuffer steg_encode(Rng &rng, size_t size=STEG_BYTES) const throw(std::bad_alloc, LengthException) {

  467.         if (size <= HASH_BYTES + 4 || size > 2*HASH_BYTES) throw LengthException();

  468.         SecureBuffer out(STEG_BYTES);

  469.         decaf_error_t done;

  470.         do {

  471.             rng.read(Buffer(out).slice(HASH_BYTES-1,STEG_BYTES-HASH_BYTES+1));

  472.             done = invert_elligator(out, out[HASH_BYTES-1]);

  473.         } while (!decaf_successful(done));

  474.         return out;

  475.     }

  476. 

  477.     /** Return the base point */

  478.     static inline const Point base() NOEXCEPT { return Point($(c_ns)_point_base); }

  479. 

  480.     /** Return the identity point */

  481.     static inline const Point identity() NOEXCEPT { return Point($(c_ns)_point_identity); }

  482. };

  483. 

  484. /**

  485.  * Precomputed table of points.

  486.  * Minor difficulties arise here because the decaf API doesn't expose, as a constant, how big such an object is.

  487.  * Therefore we have to call malloc() or friends, but that's probably for the best, because you don't want to

  488.  * stack-allocate a 15kiB object anyway.

  489.  */

  490. 

  491. /** @cond internal */

  492. typedef $(c_ns)_precomputed_s Precomputed_U;

  493. /** @endcond */

  494. class Precomputed

  495.     /** @cond internal */

  496.     : protected OwnedOrUnowned<Precomputed,Precomputed_U>

  497.     /** @endcond */

  498. {

  499. public:

  500. 

  501.     /** Destructor securely zeorizes the memory. */

  502.     inline ~Precomputed() NOEXCEPT { clear(); }

  503. 

  504.     /**

  505.      * Initialize from underlying type, declared as a reference to prevent

  506.      * it from being called with 0, thereby breaking override.

  507.      *

  508.      * The underlying object must remain valid throughout the lifetime of this one.

  509.      *

  510.      * By default, initializes to the table for the base point.

  511.      *

  512.      * @warning The empty initializer makes this equal to base, unlike the empty

  513.      * initializer for points which makes this equal to the identity.

  514.      */

  515.     inline Precomputed (

  516.         const Precomputed_U &yours = *defaultValue()

  517.     ) NOEXCEPT : OwnedOrUnowned<Precomputed,Precomputed_U>(yours) {}

  518. 

  519. 

  520. #if __cplusplus >= 201103L

  521.     /** Move-assign operator */

  522.     inline Precomputed &operator=(Precomputed &&it) NOEXCEPT {

  523.         OwnedOrUnowned<Precomputed,Precomputed_U>::operator= (it);

  524.         return *this;

  525.     }

  526. 

  527.     /** Move constructor */

  528.     inline Precomputed(Precomputed &&it) NOEXCEPT : OwnedOrUnowned<Precomputed,Precomputed_U>() {

  529.         *this = it;

  530.     }

  531. 

  532.     /** Undelete copy operator */

  533.     inline Precomputed &operator=(const Precomputed &it) NOEXCEPT {

  534.         OwnedOrUnowned<Precomputed,Precomputed_U>::operator= (it);

  535.         return *this;

  536.     }

  537. #endif

  538. 

  539.     /**

  540.      * Initilaize from point. Must allocate memory, and may throw.

  541.      */

  542.     inline Precomputed &operator=(const Point &it) throw(std::bad_alloc) {

  543.         alloc();

  544.         $(c_ns)_precompute(ours.mine,it.p);

  545.         return *this;

  546.     }

  547. 

  548.     /**

  549.      * Copy constructor.

  550.      */

  551.     inline Precomputed(const Precomputed &it) throw(std::bad_alloc)

  552.         : OwnedOrUnowned<Precomputed,Precomputed_U>() { *this = it; }

  553. 

  554.     /**

  555.      * Constructor which initializes from point.

  556.      */

  557.     inline explicit Precomputed(const Point &it) throw(std::bad_alloc)

  558.         : OwnedOrUnowned<Precomputed,Precomputed_U>() { *this = it; }

  559. 

  560.     /** Fixed base scalarmul. */

  561.     inline Point operator* (const Scalar &s) const NOEXCEPT { Point r; $(c_ns)_precomputed_scalarmul(r.p,get(),s.s); return r; }

  562. 

  563.     /** Multiply by s.inverse(). If s=0, maps to the identity. */

  564.     inline Point operator/ (const Scalar &s) const throw(CryptoException) { return (*this) * s.inverse(); }

  565. 

  566.     /** Return the table for the base point. */

  567.     static inline const Precomputed base() NOEXCEPT { return Precomputed(); }

  568. 

  569. public:

  570.     /** @cond internal */

  571.     friend class OwnedOrUnowned<Precomputed,Precomputed_U>;

  572.     static inline size_t size() NOEXCEPT { return $(c_ns)_sizeof_precomputed_s; }

  573.     static inline size_t alignment() NOEXCEPT { return $(c_ns)_alignof_precomputed_s; }

  574.     static inline const Precomputed_U * defaultValue() NOEXCEPT { return $(c_ns)_precomputed_base; }

  575.     /** @endcond */

  576. };

  577. 

  578. struct DhLadder {

  579. public:

  580.     /** Bytes in an X$(gf_shortname) public key. */

  581.     static const size_t PUBLIC_BYTES = X$(gf_shortname)_PUBLIC_BYTES;

  582. 

  583.     /** Bytes in an X$(gf_shortname) private key. */

  584.     static const size_t PRIVATE_BYTES = X$(gf_shortname)_PRIVATE_BYTES;

  585. 

  586.     /** Base point for a scalar multiplication. */

  587.     static const FixedBlock<PUBLIC_BYTES> base_point() NOEXCEPT {

  588.         return FixedBlock<PUBLIC_BYTES>($(c_ns)_x_base_point);

  589.     }

  590. 

  591.     /** Generate and return a shared secret with public key.  */

  592.     static inline SecureBuffer shared_secret(

  593.         const FixedBlock<PUBLIC_BYTES> &pk,

  594.         const FixedBlock<PRIVATE_BYTES> &scalar

  595.     ) throw(std::bad_alloc,CryptoException) {

  596.         SecureBuffer out(PUBLIC_BYTES);

  597.         if (DECAF_SUCCESS != $(c_ns)_x_direct_scalarmul(out.data(), pk.data(), scalar.data())) {

  598.             throw CryptoException();

  599.         }

  600.         return out;

  601.     }

  602. 

  603.     /** Generate and return a shared secret with public key, noexcept version.  */

  604.     static inline decaf_error_t WARN_UNUSED

  605.     shared_secret_noexcept (

  606.         FixedBuffer<PUBLIC_BYTES> &out,

  607.         const FixedBlock<PUBLIC_BYTES> &pk,

  608.         const FixedBlock<PRIVATE_BYTES> &scalar

  609.     ) NOEXCEPT {

  610.        return $(c_ns)_x_direct_scalarmul(out.data(), pk.data(), scalar.data());

  611.     }

  612. 

  613.     /** Generate and return a public key; equivalent to shared_secret(base_point(),scalar)

  614.      * but possibly faster.

  615.      */

  616.     static inline SecureBuffer generate_key(

  617.         const FixedBlock<PRIVATE_BYTES> &scalar

  618.     ) throw(std::bad_alloc) {

  619.         SecureBuffer out(PUBLIC_BYTES);

  620.         $(c_ns)_x_base_scalarmul(out.data(), scalar.data());

  621.         return out;

  622.     }

  623. 

  624.     /** Generate and return a public key into a fixed buffer;

  625.      * equivalent to shared_secret(base_point(),scalar) but possibly faster.

  626.      */

  627.     static inline void

  628.     generate_key_noexcept (

  629.         FixedBuffer<PUBLIC_BYTES> &out,

  630.         const FixedBlock<PRIVATE_BYTES> &scalar

  631.     ) NOEXCEPT {

  632.         $(c_ns)_x_base_scalarmul(out.data(), scalar.data());

  633.     }

  634. };

  635. 

  636. }; /* struct $(cxx_ns) */

  637. 

  638. /** @cond internal */

  639. inline SecureBuffer $(cxx_ns)::Scalar::direct_scalarmul (

  640.     const Block &in,

  641.     decaf_bool_t allow_identity,

  642.     decaf_bool_t short_circuit

  643. ) const throw(CryptoException) {

  644.     SecureBuffer out($(cxx_ns)::Point::SER_BYTES);

  645.     if (DECAF_SUCCESS !=

  646.         $(c_ns)_direct_scalarmul(out.data(), in.data(), s, allow_identity, short_circuit)

  647.     ) {

  648.         throw CryptoException();

  649.     }

  650.     return out;

  651. }

  652. /** @endcond */

  653. 

  654. #undef NOEXCEPT

  655. } /* namespace decaf */