jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
41 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: a9e16440a2
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'a9e16440a2'
${ noResults }
ed448goldilocks/test/bench.c

741 lines
21 KiB
Raw Blame History 

  1. /* Copyright (c) 2014 Cryptography Research, Inc.

  2.  * Released under the MIT License.  See LICENSE.txt for license information.

  3.  */

  4. 

  5. #include "word.h"

  6. 

  7. #include <sys/time.h>

  8. #include <sys/types.h>

  9. #include <stdio.h>

  10. #include <memory.h>

  11. 

  12. #include "field.h"

  13. #include "ec_point.h"

  14. #include "scalarmul.h"

  15. #include "barrett_field.h"

  16. #include "crandom.h"

  17. #include "goldilocks.h"

  18. #include "sha512.h"

  19. 

  20. static __inline__ void

  21. ignore_result ( int result ) {

  22.     (void)result;

  23. }

  24. 

  25. static double now(void) {

  26.   struct timeval tv;

  27.   gettimeofday(&tv, NULL);

  28.   

  29.   return tv.tv_sec + tv.tv_usec/1000000.0;

  30. }

  31. 

  32. static void field_randomize( struct crandom_state_t *crand, struct field_t *a ) {

  33.     crandom_generate(crand, (unsigned char *)a, sizeof(*a));

  34.     field_strong_reduce(a);

  35. }

  36. 

  37. static void q448_randomize( struct crandom_state_t *crand, word_t sk[SCALAR_WORDS] ) {

  38.     crandom_generate(crand, (unsigned char *)sk, SCALAR_BYTES);

  39. }

  40. 

  41. static void field_print( const char *descr, const struct field_t *a ) {

  42.     int j;

  43.     unsigned char ser[FIELD_BYTES];

  44.     field_serialize(ser,a);

  45.     printf("%s = 0x", descr);

  46.     for (j=FIELD_BYTES - 1; j>=0; j--) {

  47.         printf("%02x", ser[j]);

  48.     }

  49.     printf("\n");

  50. }

  51. 

  52. static void __attribute__((unused))

  53. field_print_full (

  54.     const char *descr,

  55.     const struct field_t *a

  56. ) {

  57.     int j;

  58.     printf("%s = 0x", descr);

  59.     for (j=15; j>=0; j--) {

  60.         printf("%02" PRIxWORD "_" PRIxWORD56 " ",

  61.             a->limb[j]>>28, a->limb[j]&((1<<28)-1));

  62.     }

  63.     printf("\n");

  64. }

  65. 

  66. static void q448_print( const char *descr, const word_t secret[SCALAR_WORDS] ) {

  67.     int j;

  68.     printf("%s = 0x", descr);

  69.     for (j=SCALAR_WORDS-1; j>=0; j--) {

  70.         printf(PRIxWORDfull, secret[j]);

  71.     }

  72.     printf("\n");

  73. }

  74. 

  75. #ifndef N_TESTS_BASE

  76. #define N_TESTS_BASE 10000

  77. #endif

  78. 

  79. int main(int argc, char **argv) {

  80.     (void)argc;

  81.     (void)argv;

  82. 

  83.     struct tw_extensible_t ext;

  84.     struct extensible_t exta;

  85.     struct tw_niels_t niels;

  86.     struct tw_pniels_t pniels;

  87.     struct affine_t affine;

  88.     struct montgomery_t mb;

  89.     struct field_t a,b,c,d;

  90.     

  91.     

  92.     double when;

  93.     int i;

  94. 

  95.     int nbase = N_TESTS_BASE;

  96.     

  97.     /* Bad randomness so we can debug. */

  98.     char initial_seed[32];

  99.     for (i=0; i<32; i++) initial_seed[i] = i;

  100.     struct crandom_state_t crand;

  101.     crandom_init_from_buffer(&crand, initial_seed);

  102.     /* For testing the performance drop from the crandom debuffering change.

  103.         ignore_result(crandom_init_from_file(&crand, "/dev/urandom", 10000, 1));

  104.     */

  105.     

  106.     word_t sk[SCALAR_WORDS],tk[SCALAR_WORDS];

  107.     q448_randomize(&crand, sk);

  108.     

  109.     memset(&a,0,sizeof(a));

  110.     memset(&b,0,sizeof(b));

  111.     memset(&c,0,sizeof(c));

  112.     memset(&d,0,sizeof(d));

  113.     when = now();

  114.     for (i=0; i<nbase*5000; i++) {

  115.         field_mul(&c, &b, &a);

  116.     }

  117.     when = now() - when;

  118.     printf("mul:         %5.1fns\n", when * 1e9 / i);

  119.     

  120.     when = now();

  121.     for (i=0; i<nbase*5000; i++) {

  122.         field_sqr(&c, &a);

  123.     }

  124.     when = now() - when;

  125.     printf("sqr:         %5.1fns\n", when * 1e9 / i);

  126.     

  127.     when = now();

  128.     for (i=0; i<nbase*5000; i++) {

  129.         field_mulw(&c, &b, 1234562);

  130.     }

  131.     when = now() - when;

  132.     printf("mulw:        %5.1fns\n", when * 1e9 / i);

  133.     

  134.     when = now();

  135.     for (i=0; i<nbase*500; i++) {

  136.         field_mul(&c, &b, &a);

  137.         field_mul(&a, &b, &c);

  138.     }

  139.     when = now() - when;

  140.     printf("mul dep:     %5.1fns\n", when * 1e9 / i / 2);

  141.     

  142.     when = now();

  143.     for (i=0; i<nbase*10; i++) {

  144.         field_randomize(&crand, &a);

  145.     }

  146.     when = now() - when;

  147.     printf("rand448:     %5.1fns\n", when * 1e9 / i);

  148.     

  149.     struct sha512_ctx_t sha;

  150.     uint8_t hashout[128];

  151.     when = now();

  152.     for (i=0; i<nbase; i++) {

  153.         sha512_init(&sha);

  154.         sha512_final(&sha, hashout);

  155.     }

  156.     when = now() - when;

  157.     printf("sha512 1blk: %5.1fns\n", when * 1e9 / i);

  158.     

  159.     when = now();

  160.     for (i=0; i<nbase; i++) {

  161.         sha512_update(&sha, hashout, 128);

  162.     }

  163.     when = now() - when;

  164.     printf("sha512 blk:  %5.1fns (%0.2f MB/s)\n", when * 1e9 / i, 128*i/when/1e6);

  165.     

  166.     when = now();

  167.     for (i=0; i<nbase; i++) {

  168.         field_isr(&c, &a);

  169.     }

  170.     when = now() - when;

  171.     printf("isr auto:    %5.1fµs\n", when * 1e6 / i);

  172.     

  173.     for (i=0; i<100; i++) {

  174.         field_randomize(&crand, &a);

  175.         field_isr(&d,&a);

  176.         field_sqr(&b,&d);

  177.         field_mul(&c,&b,&a);

  178.         field_sqr(&b,&c);

  179.         field_subw(&b,1);

  180.         field_bias(&b,1);

  181.         if (!field_is_zero(&b)) {

  182.             printf("ISR validation failure!\n");

  183.             field_print("a", &a);

  184.             field_print("s", &d);

  185.         }

  186.     }

  187.     

  188.     when = now();

  189.     for (i=0; i<nbase; i++) {

  190.         elligator_2s_inject(&affine, &a);

  191.     }

  192.     when = now() - when;

  193.     printf("elligator:   %5.1fµs\n", when * 1e6 / i);

  194.     

  195.     for (i=0; i<100; i++) {

  196.         field_randomize(&crand, &a);

  197.         elligator_2s_inject(&affine, &a);

  198.         if (!validate_affine(&affine)) {

  199.             printf("Elligator validation failure!\n");

  200.             field_print("a", &a);

  201.             field_print("x", &affine.x);

  202.             field_print("y", &affine.y);

  203.         }

  204.     }

  205.     

  206.     when = now();

  207.     for (i=0; i<nbase; i++) {

  208.         deserialize_affine(&affine, &a);

  209.     }

  210.     when = now() - when;

  211.     printf("decompress:  %5.1fµs\n", when * 1e6 / i);

  212.     

  213.     convert_affine_to_extensible(&exta, &affine);

  214.     when = now();

  215.     for (i=0; i<nbase; i++) {

  216.         serialize_extensible(&a, &exta);

  217.     }

  218.     when = now() - when;

  219.     printf("compress:    %5.1fµs\n", when * 1e6 / i);

  220.     

  221.     int goods = 0;

  222.     for (i=0; i<100; i++) {

  223.         field_randomize(&crand, &a);

  224.         mask_t good = deserialize_affine(&affine, &a);

  225.         if (good & !validate_affine(&affine)) {

  226.             printf("Deserialize validation failure!\n");

  227.             field_print("a", &a);

  228.             field_print("x", &affine.x);

  229.             field_print("y", &affine.y);

  230.         } else if (good) {

  231.             goods++;

  232.             convert_affine_to_extensible(&exta,&affine);

  233.             serialize_extensible(&b, &exta);

  234.             field_sub(&c,&b,&a);

  235.             field_bias(&c,2);

  236.             if (!field_is_zero(&c)) {

  237.                 printf("Reserialize validation failure!\n");

  238.                 field_print("a", &a);

  239.                 field_print("x", &affine.x);

  240.                 field_print("y", &affine.y);

  241.                 deserialize_affine(&affine, &b);

  242.                 field_print("b", &b);

  243.                 field_print("x", &affine.x);

  244.                 field_print("y", &affine.y);

  245.                 printf("\n");

  246.             }

  247.         }

  248.     }

  249.     if (goods<i/3) {

  250.         printf("Deserialization validation failure! Deserialized %d/%d points\n", goods, i);

  251.     }

  252.     

  253.     word_t lsk[768/WORD_BITS];

  254.     crandom_generate(&crand, (unsigned char *)lsk, sizeof(lsk));

  255.     

  256.     when = now();

  257.     for (i=0; i<nbase*100; i++) {

  258.         barrett_reduce(lsk,sizeof(lsk)/sizeof(word_t),0,&curve_prime_order);

  259.     }

  260.     when = now() - when;

  261.     printf("barrett red: %5.1fns\n", when * 1e9 / i);

  262.     

  263.     when = now();

  264.     for (i=0; i<nbase*10; i++) {

  265.         barrett_mac(lsk,SCALAR_WORDS,lsk,SCALAR_WORDS,lsk,SCALAR_WORDS,&curve_prime_order);

  266.     }

  267.     when = now() - when;

  268.     printf("barrett mac: %5.1fns\n", when * 1e9 / i);

  269.     

  270.     memset(&ext,0,sizeof(ext));

  271.     memset(&niels,0,sizeof(niels)); /* avoid assertions in p521 even though this isn't a valid ext or niels */

  272.     when = now();

  273.     for (i=0; i<nbase*100; i++) {

  274.         add_tw_niels_to_tw_extensible(&ext, &niels);

  275.     }

  276.     when = now() - when;

  277.     printf("exti+niels:  %5.1fns\n", when * 1e9 / i);

  278.     

  279.     convert_tw_extensible_to_tw_pniels(&pniels, &ext);

  280.     when = now();

  281.     for (i=0; i<nbase*100; i++) {

  282.         add_tw_pniels_to_tw_extensible(&ext, &pniels);

  283.     }

  284.     when = now() - when;

  285.     printf("exti+pniels: %5.1fns\n", when * 1e9 / i);

  286.     

  287.     when = now();

  288.     for (i=0; i<nbase*100; i++) {

  289.         double_tw_extensible(&ext);

  290.     }

  291.     when = now() - when;

  292.     printf("exti dbl:    %5.1fns\n", when * 1e9 / i);

  293.     

  294.     when = now();

  295.     for (i=0; i<nbase*100; i++) {

  296.         untwist_and_double(&exta, &ext);

  297.     }

  298.     when = now() - when;

  299.     printf("i->a isog:   %5.1fns\n", when * 1e9 / i);

  300.     

  301.     when = now();

  302.     for (i=0; i<nbase*100; i++) {

  303.         twist_and_double(&ext, &exta);

  304.     }

  305.     when = now() - when;

  306.     printf("a->i isog:   %5.1fns\n", when * 1e9 / i);

  307.     

  308.     memset(&mb,0,sizeof(mb));

  309.     when = now();

  310.     for (i=0; i<nbase*100; i++) {

  311.         montgomery_step(&mb);

  312.     }

  313.     when = now() - when;

  314.     printf("monty step:  %5.1fns\n", when * 1e9 / i);

  315. 	

  316.     when = now();

  317.     for (i=0; i<nbase/10; i++) {

  318.         ignore_result(montgomery_ladder(&a,&b,sk,FIELD_BITS,0));

  319.     }

  320.     when = now() - when;

  321.     printf("full ladder: %5.1fµs\n", when * 1e6 / i);

  322.     

  323.     when = now();

  324.     for (i=0; i<nbase/10; i++) {

  325.         scalarmul(&ext,sk);

  326.     }

  327.     when = now() - when;

  328.     printf("edwards smz: %5.1fµs\n", when * 1e6 / i);

  329.     

  330.     when = now();

  331.     for (i=0; i<nbase/10; i++) {

  332.         scalarmul_vlook(&ext,sk);

  333.     }

  334.     when = now() - when;

  335.     printf("edwards svl: %5.1fµs\n", when * 1e6 / i);

  336.     

  337.     when = now();

  338.     for (i=0; i<nbase/10; i++) {

  339.         scalarmul(&ext,sk);

  340.         untwist_and_double_and_serialize(&a,&ext);

  341.     }

  342.     when = now() - when;

  343.     printf("edwards smc: %5.1fµs\n", when * 1e6 / i);

  344.     

  345.     when = now();

  346.     for (i=0; i<nbase/10; i++) {

  347.         q448_randomize(&crand, sk);

  348.         scalarmul_vt(&ext,sk,SCALAR_BITS);

  349.     }

  350.     when = now() - when;

  351.     printf("edwards vtm: %5.1fµs\n", when * 1e6 / i);

  352.     

  353.     struct tw_niels_t wnaft[1<<6];

  354.     when = now();

  355.     for (i=0; i<nbase/10; i++) {

  356.         ignore_result(precompute_fixed_base_wnaf(wnaft,&ext,6));

  357.     }

  358.     when = now() - when;

  359.     printf("wnaf6 pre:   %5.1fµs\n", when * 1e6 / i);

  360.     

  361.     when = now();

  362.     for (i=0; i<nbase/10; i++) {

  363.         q448_randomize(&crand, sk);

  364.         scalarmul_fixed_base_wnaf_vt(&ext,sk,SCALAR_BITS,wnaft,6);

  365.     }

  366.     when = now() - when;

  367.     printf("edwards vt6: %5.1fµs\n", when * 1e6 / i);

  368.     

  369.     when = now();

  370.     for (i=0; i<nbase/10; i++) {

  371.         ignore_result(precompute_fixed_base_wnaf(wnaft,&ext,4));

  372.     }

  373.     when = now() - when;

  374.     printf("wnaf4 pre:   %5.1fµs\n", when * 1e6 / i);

  375.     

  376.     when = now();

  377.     for (i=0; i<nbase/10; i++) {

  378.         q448_randomize(&crand, sk);

  379.         scalarmul_fixed_base_wnaf_vt(&ext,sk,SCALAR_BITS,wnaft,4);

  380.     }

  381.     when = now() - when;

  382.     printf("edwards vt4: %5.1fµs\n", when * 1e6 / i);

  383. 

  384.     when = now();

  385.     for (i=0; i<nbase/10; i++) {

  386.         ignore_result(precompute_fixed_base_wnaf(wnaft,&ext,5));

  387.     }

  388.     when = now() - when;

  389.     printf("wnaf5 pre:   %5.1fµs\n", when * 1e6 / i);

  390.     

  391.     when = now();

  392.     for (i=0; i<nbase/10; i++) {

  393.         q448_randomize(&crand, sk);

  394.         scalarmul_fixed_base_wnaf_vt(&ext,sk,SCALAR_BITS,wnaft,5);

  395.     }

  396.     when = now() - when;

  397.     printf("edwards vt5: %5.1fµs\n", when * 1e6 / i);

  398.     

  399.     when = now();

  400.     for (i=0; i<nbase/10; i++) {

  401.         q448_randomize(&crand, sk);

  402.         q448_randomize(&crand, tk);

  403.         linear_combo_var_fixed_vt(&ext,sk,FIELD_BITS,tk,FIELD_BITS,wnaft,5);

  404.     }

  405.     when = now() - when;

  406.     printf("vt vf combo: %5.1fµs\n", when * 1e6 / i);

  407.     

  408.     when = now();

  409.     for (i=0; i<nbase/10; i++) {

  410.         deserialize_affine(&affine, &a);

  411.         convert_affine_to_extensible(&exta,&affine);

  412.         twist_and_double(&ext,&exta);

  413.         scalarmul(&ext,sk);

  414.         untwist_and_double(&exta,&ext);

  415.         serialize_extensible(&b, &exta);

  416.     }

  417.     when = now() - when;

  418.     printf("edwards sm:  %5.1fµs\n", when * 1e6 / i);

  419.     

  420.     struct fixed_base_table_t t_5_5_18, t_3_5_30, t_8_4_14, t_5_3_30, t_15_3_10;

  421. 

  422.     while (1) {

  423.         field_randomize(&crand, &a);

  424.         if (deserialize_affine(&affine, &a)) break;

  425.     }

  426.     convert_affine_to_extensible(&exta,&affine);

  427.     twist_and_double(&ext,&exta);

  428.     when = now();

  429.     for (i=0; i<nbase/10; i++) {

  430.         if (i) destroy_fixed_base(&t_5_5_18);

  431.         ignore_result(precompute_fixed_base(&t_5_5_18, &ext, 5, 5, 18, NULL));

  432.     }

  433.     when = now() - when;

  434.     printf("pre(5,5,18): %5.1fµs\n", when * 1e6 / i);

  435.     

  436.     when = now();

  437.     for (i=0; i<nbase/10; i++) {

  438.         if (i) destroy_fixed_base(&t_3_5_30);

  439.         ignore_result(precompute_fixed_base(&t_3_5_30, &ext, 3, 5, 30, NULL));

  440.     }

  441.     when = now() - when;

  442.     printf("pre(3,5,30): %5.1fµs\n", when * 1e6 / i);

  443.     

  444.     when = now();

  445.     for (i=0; i<nbase/10; i++) {

  446.         if (i) destroy_fixed_base(&t_5_3_30);

  447.         ignore_result(precompute_fixed_base(&t_5_3_30, &ext, 5, 3, 30, NULL));

  448.     }

  449.     when = now() - when;

  450.     printf("pre(5,3,30): %5.1fµs\n", when * 1e6 / i);

  451.     

  452.     when = now();

  453.     for (i=0; i<nbase/10; i++) {

  454.         if (i) destroy_fixed_base(&t_15_3_10);

  455.         ignore_result(precompute_fixed_base(&t_15_3_10, &ext, 15, 3, 10, NULL));

  456.     }

  457.     when = now() - when;

  458.     printf("pre(15,3,10):%5.1fµs\n", when * 1e6 / i);

  459.     

  460.     when = now();

  461.     for (i=0; i<nbase/10; i++) {

  462.         if (i) destroy_fixed_base(&t_8_4_14);

  463.         ignore_result(precompute_fixed_base(&t_8_4_14, &ext, 8, 4, 14, NULL));

  464.     }

  465.     when = now() - when;

  466.     printf("pre(8,4,14): %5.1fµs\n", when * 1e6 / i);

  467. 	

  468.     when = now();

  469.     for (i=0; i<nbase; i++) {

  470.         scalarmul_fixed_base(&ext, sk, FIELD_BITS, &t_5_5_18);

  471.     }

  472.     when = now() - when;

  473.     printf("com(5,5,18): %5.1fµs\n", when * 1e6 / i);

  474.     

  475.     when = now();

  476.     for (i=0; i<nbase; i++) {

  477.         scalarmul_fixed_base(&ext, sk, FIELD_BITS, &t_3_5_30);

  478.     }

  479.     when = now() - when;

  480.     printf("com(3,5,30): %5.1fµs\n", when * 1e6 / i);

  481. 

  482.     when = now();

  483.     for (i=0; i<nbase; i++) {

  484.         scalarmul_fixed_base(&ext, sk, FIELD_BITS, &t_8_4_14);

  485.     }

  486.     when = now() - when;

  487.     printf("com(8,4,14): %5.1fµs\n", when * 1e6 / i);

  488. 

  489.     when = now();

  490.     for (i=0; i<nbase; i++) {

  491.         scalarmul_fixed_base(&ext, sk, FIELD_BITS, &t_5_3_30);

  492.     }

  493.     when = now() - when;

  494.     printf("com(5,3,30): %5.1fµs\n", when * 1e6 / i);

  495. 

  496.     when = now();

  497.     for (i=0; i<nbase; i++) {

  498.         scalarmul_fixed_base(&ext, sk, FIELD_BITS, &t_15_3_10);

  499.     }

  500.     when = now() - when;

  501.     printf("com(15,3,10):%5.1fµs\n", when * 1e6 / i);

  502.     

  503.     printf("\nGoldilocks:\n");

  504.     

  505.     int res = goldilocks_init();

  506.     assert(!res);

  507.     

  508.     struct goldilocks_public_key_t gpk,hpk;

  509.     struct goldilocks_private_key_t gsk,hsk;

  510.     

  511.     when = now();

  512.     for (i=0; i<nbase; i++) {

  513.         if (i&1) {

  514.             res = goldilocks_keygen(&gsk,&gpk);

  515.         } else {

  516.             res = goldilocks_keygen(&hsk,&hpk);

  517.         }

  518.         assert(!res);

  519.     }

  520.     when = now() - when;

  521.     printf("keygen:      %5.1fµs\n", when * 1e6 / i);

  522.     

  523.     uint8_t ss1[64],ss2[64];

  524.     int gres1=0,gres2=0;

  525.     when = now();

  526.     for (i=0; i<nbase; i++) {

  527.         if (i&1) {

  528.             gres1 = goldilocks_shared_secret(ss1,&gsk,&hpk);

  529.         } else {

  530.             gres2 = goldilocks_shared_secret(ss2,&hsk,&gpk);

  531.         }

  532.     }

  533.     when = now() - when;

  534.     printf("ecdh:        %5.1fµs\n", when * 1e6 / i);

  535.     if (gres1 || gres2 || memcmp(ss1,ss2,64)) {

  536.         printf("[FAIL] %d %d\n",gres1,gres2);

  537.         

  538.         printf("sk1 = ");

  539.         for (i=0; i<SCALAR_BYTES; i++) {

  540.             printf("%02x", gsk.opaque[i]);

  541.         }

  542.         printf("\nsk2 = ");

  543.         for (i=0; i<SCALAR_BYTES; i++) {

  544.             printf("%02x", hsk.opaque[i]);

  545.         }

  546.         printf("\nss1 = ");

  547.         for (i=0; i<64; i++) {

  548.             printf("%02x", ss1[i]);

  549.         }

  550.         printf("\nss2 = ");

  551.         for (i=0; i<64; i++) {

  552.             printf("%02x", ss2[i]);

  553.         }

  554.         printf("\n");

  555.     }

  556.     

  557.     uint8_t sout[FIELD_BYTES*2];

  558.     const char *message = "hello world";

  559.     size_t message_len = strlen(message);

  560.     when = now();

  561.     for (i=0; i<nbase; i++) {

  562.         res = goldilocks_sign(sout,(const unsigned char *)message,message_len,&gsk);

  563.         (void)res;

  564.         assert(!res);

  565.     }

  566.     when = now() - when;

  567.     printf("sign:        %5.1fµs\n", when * 1e6 / i);

  568.     

  569.     when = now();

  570.     for (i=0; i<nbase; i++) {

  571.         int ver = goldilocks_verify(sout,(const unsigned char *)message,message_len,&gpk);

  572.         (void)ver;

  573.         assert(!ver);

  574.     }

  575.     when = now() - when;

  576.     printf("verify:      %5.1fµs\n", when * 1e6 / i);

  577.     

  578.     struct goldilocks_precomputed_public_key_t *pre = NULL;

  579.     when = now();

  580.     for (i=0; i<nbase; i++) {

  581.         goldilocks_destroy_precomputed_public_key(pre);

  582.         pre = goldilocks_precompute_public_key(&gpk);

  583.     }

  584.     when = now() - when;

  585.     printf("precompute:  %5.1fµs\n", when * 1e6 / i);

  586.     

  587.     when = now();

  588.     for (i=0; i<nbase; i++) {

  589.         int ver = goldilocks_verify_precomputed(sout,(const unsigned char *)message,message_len,pre);

  590.         (void)ver;

  591.         assert(!ver);

  592.     }

  593.     when = now() - when;

  594.     printf("verify pre:  %5.1fµs\n", when * 1e6 / i);

  595.     

  596.     when = now();

  597.     for (i=0; i<nbase; i++) {

  598.         int ret = goldilocks_shared_secret_precomputed(ss1,&gsk,pre);

  599.         (void)ret;

  600.         assert(!ret);

  601.     }

  602.     when = now() - when;

  603.     printf("ecdh pre:    %5.1fµs\n", when * 1e6 / i);

  604.     

  605.     printf("\nTesting...\n");

  606.     

  607.     

  608.     int failures=0, successes = 0;

  609.     for (i=0; i<nbase/10; i++) {

  610.         ignore_result(goldilocks_keygen(&gsk,&gpk));

  611.         goldilocks_sign(sout,(const unsigned char *)message,message_len,&gsk);

  612.         res = goldilocks_verify(sout,(const unsigned char *)message,message_len,&gpk);

  613.         if (res) failures++;

  614.     }

  615.     if (failures) {

  616.         printf("FAIL %d/%d signature checks!\n", failures, i);

  617.     }

  618.     

  619.     failures=0; successes = 0;

  620.     for (i=0; i<nbase/10; i++) {

  621.         field_randomize(&crand, &a);

  622. 		word_t two = 2;

  623.         mask_t good = montgomery_ladder(&b,&a,&two,2,0);

  624. 		if (!good) continue;

  625. 		

  626. 		word_t x,y;

  627.         crandom_generate(&crand, (unsigned char *)&x, sizeof(x));

  628.         crandom_generate(&crand, (unsigned char *)&y, sizeof(y));

  629.         x = (hword_t)x;

  630.         y = (hword_t)y;

  631.         word_t z=x*y;

  632.         

  633.     	ignore_result(montgomery_ladder(&b,&a,&x,WORD_BITS,0));

  634.         ignore_result(montgomery_ladder(&c,&b,&y,WORD_BITS,0));

  635.         ignore_result(montgomery_ladder(&b,&a,&z,WORD_BITS,0));

  636.         

  637.         field_sub(&d,&b,&c);

  638.         field_bias(&d,2);

  639. 		if (!field_is_zero(&d)) {

  640.             printf("Odd ladder validation failure %d!\n", ++failures);

  641.             field_print("a", &a);

  642.             printf("x=%"PRIxWORD", y=%"PRIxWORD", z=%"PRIxWORD"\n", x,y,z);

  643.             field_print("c", &c);

  644.             field_print("b", &b);

  645. 			printf("\n");

  646. 		}

  647. 	}

  648.     

  649.     failures = 0;

  650.     for (i=0; i<nbase/10; i++) {

  651.         mask_t good;

  652.         do {

  653.             field_randomize(&crand, &a);

  654.             good = deserialize_affine(&affine, &a);

  655.         } while (!good);

  656.         

  657.         convert_affine_to_extensible(&exta,&affine);

  658.         twist_and_double(&ext,&exta);

  659.         untwist_and_double(&exta,&ext);

  660.         serialize_extensible(&b, &exta);

  661.         untwist_and_double_and_serialize(&c, &ext);

  662.         

  663.         field_sub(&d,&b,&c);

  664.         field_bias(&d,2);

  665.         

  666.         if (good && !field_is_zero(&d)){

  667.             printf("Iso+serial validation failure %d!\n", ++failures);

  668.             field_print("a", &a);

  669.             field_print("b", &b);

  670.             field_print("c", &c);

  671.             printf("\n");

  672.         } else if (good) {

  673.             successes ++;

  674.         }

  675.     }

  676.     if (successes < i/3) {

  677.         printf("Iso+serial variation: only %d/%d successful.\n", successes, i);

  678.     }

  679.     

  680.     successes = failures = 0;

  681.     for (i=0; i<nbase/10; i++) {

  682.         struct field_t aa;

  683.         struct tw_extensible_t exu,exv,exw;

  684.         

  685.         mask_t good;

  686.         do {

  687.             field_randomize(&crand, &a);

  688.             good = deserialize_affine(&affine, &a);

  689.             convert_affine_to_extensible(&exta,&affine);

  690.             twist_and_double(&ext,&exta);

  691.         } while (!good);

  692.         do {

  693.             field_randomize(&crand, &aa);

  694.             good = deserialize_affine(&affine, &aa);

  695.             convert_affine_to_extensible(&exta,&affine);

  696.             twist_and_double(&exu,&exta);

  697.         } while (!good);

  698.         field_randomize(&crand, &aa);

  699.         

  700.         q448_randomize(&crand, sk);

  701. 		if (i==0 || i==2) memset(&sk, 0, sizeof(sk));

  702.         q448_randomize(&crand, tk);

  703. 		if (i==0 || i==1) memset(&tk, 0, sizeof(tk));

  704.         

  705.         copy_tw_extensible(&exv, &ext);

  706.         copy_tw_extensible(&exw, &exu);

  707.         scalarmul(&exv,sk);

  708.         scalarmul(&exw,tk);

  709.         convert_tw_extensible_to_tw_pniels(&pniels, &exw);

  710.         add_tw_pniels_to_tw_extensible(&exv,&pniels);

  711.         untwist_and_double(&exta,&exv);

  712.         serialize_extensible(&b, &exta);

  713. 

  714.         ignore_result(precompute_fixed_base_wnaf(wnaft,&exu,5));

  715.         linear_combo_var_fixed_vt(&ext,sk,FIELD_BITS,tk,FIELD_BITS,wnaft,5);

  716.         untwist_and_double(&exta,&exv);

  717.         serialize_extensible(&c, &exta);

  718.         

  719.         field_sub(&d,&b,&c);

  720.         field_bias(&d,2);

  721.         

  722.         if (!field_is_zero(&d)){

  723.             printf("PreWNAF combo validation failure %d!\n", ++failures);

  724.             field_print("a", &a);

  725.             field_print("A", &aa);

  726.             q448_print("s", sk);

  727.             q448_print("t", tk);

  728.             field_print("c", &c);

  729.             field_print("b", &b);

  730.             printf("\n\n");

  731.         } else if (good) {

  732.             successes ++;

  733.         }

  734.     }

  735.     if (successes < i) {

  736.         printf("PreWNAF combo variation: only %d/%d successful.\n", successes, i);

  737.     }

  738.     

  739.     return 0;

  740. }