jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
99 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: b274e35d9a
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'b274e35d9a'
${ noResults }
ed448goldilocks/test/bench.c

823 lines
23 KiB
Raw Blame History 

  1. /* Copyright (c) 2014 Cryptography Research, Inc.

  2.  * Released under the MIT License.  See LICENSE.txt for license information.

  3.  */

  4. 

  5. #include "word.h"

  6. 

  7. #include <sys/time.h>

  8. #include <sys/types.h>

  9. #include <stdio.h>

  10. #include <memory.h>

  11. 

  12. #include "field.h"

  13. #include "ec_point.h"

  14. #include "scalarmul.h"

  15. #include "barrett_field.h"

  16. #include "crandom.h"

  17. #include "goldilocks.h"

  18. #include "sha512.h"

  19. #include "decaf.h"

  20. #include "shake.h"

  21. 

  22. static __inline__ void

  23. ignore_result ( int result ) {

  24.     (void)result;

  25. }

  26. 

  27. static double now(void) {

  28.   struct timeval tv;

  29.   gettimeofday(&tv, NULL);

  30.   

  31.   return tv.tv_sec + tv.tv_usec/1000000.0;

  32. }

  33. 

  34. static void field_randomize( struct crandom_state_t *crand, field_a_t a ) {

  35.     crandom_generate(crand, (unsigned char *)a, sizeof(*a));

  36.     field_strong_reduce(a);

  37. }

  38. 

  39. static void q448_randomize( struct crandom_state_t *crand, word_t sk[SCALAR_WORDS] ) {

  40.     crandom_generate(crand, (unsigned char *)sk, SCALAR_BYTES);

  41. }

  42. 

  43. static void field_print( const char *descr, const field_a_t a ) {

  44.     int j;

  45.     unsigned char ser[FIELD_BYTES];

  46.     field_serialize(ser,a);

  47.     printf("%s = 0x", descr);

  48.     for (j=FIELD_BYTES - 1; j>=0; j--) {

  49.         printf("%02x", ser[j]);

  50.     }

  51.     printf("\n");

  52. }

  53. 

  54. static void __attribute__((unused))

  55. field_print_full (

  56.     const char *descr,

  57.     const field_a_t a

  58. ) {

  59.     int j;

  60.     printf("%s = 0x", descr);

  61.     for (j=15; j>=0; j--) {

  62.         printf("%02" PRIxWORD "_" PRIxWORD56 " ",

  63.             a->limb[j]>>28, a->limb[j]&((1<<28)-1));

  64.     }

  65.     printf("\n");

  66. }

  67. 

  68. static void q448_print( const char *descr, const word_t secret[SCALAR_WORDS] ) {

  69.     int j;

  70.     printf("%s = 0x", descr);

  71.     for (j=SCALAR_WORDS-1; j>=0; j--) {

  72.         printf(PRIxWORDfull, secret[j]);

  73.     }

  74.     printf("\n");

  75. }

  76. 

  77. #ifndef N_TESTS_BASE

  78. #define N_TESTS_BASE 10000

  79. #endif

  80. 

  81. int main(int argc, char **argv) {

  82.     (void)argc;

  83.     (void)argv;

  84. 

  85.     struct tw_extensible_t ext;

  86.     struct extensible_t exta;

  87.     struct tw_niels_t niels;

  88.     struct tw_pniels_t pniels;

  89.     struct affine_t affine;

  90.     struct montgomery_t mb;

  91.     struct montgomery_aux_t mba;

  92.     field_a_t a,b,c,d;

  93.     

  94.     double when;

  95.     int i;

  96. 

  97.     int nbase = N_TESTS_BASE;

  98.     

  99.     /* Bad randomness so we can debug. */

  100.     char initial_seed[32];

  101.     for (i=0; i<32; i++) initial_seed[i] = i;

  102.     struct crandom_state_t crand;

  103.     crandom_init_from_buffer(&crand, initial_seed);

  104.     /* For testing the performance drop from the crandom debuffering change.

  105.         ignore_result(crandom_init_from_file(&crand, "/dev/urandom", 10000, 1));

  106.     */

  107.     

  108.     word_t sk[SCALAR_WORDS],tk[SCALAR_WORDS];

  109.     q448_randomize(&crand, sk);

  110.     

  111.     memset(a,0,sizeof(a));

  112.     memset(b,0,sizeof(b));

  113.     memset(c,0,sizeof(c));

  114.     memset(d,0,sizeof(d));

  115.     when = now();

  116.     for (i=0; i<nbase*5000; i++) {

  117.         field_mul(c, b, a);

  118.     }

  119.     when = now() - when;

  120.     printf("mul:         %5.1fns\n", when * 1e9 / i);

  121.     

  122.     when = now();

  123.     for (i=0; i<nbase*5000; i++) {

  124.         field_sqr(c, a);

  125.     }

  126.     when = now() - when;

  127.     printf("sqr:         %5.1fns\n", when * 1e9 / i);

  128.     

  129.     when = now();

  130.     for (i=0; i<nbase*5000; i++) {

  131.         field_mulw(c, b, 1234562);

  132.     }

  133.     when = now() - when;

  134.     printf("mulw:        %5.1fns\n", when * 1e9 / i);

  135.     

  136.     when = now();

  137.     for (i=0; i<nbase*500; i++) {

  138.         field_mul(c, b, a);

  139.         field_mul(a, b, c);

  140.     }

  141.     when = now() - when;

  142.     printf("mul dep:     %5.1fns\n", when * 1e9 / i / 2);

  143.     

  144.     when = now();

  145.     for (i=0; i<nbase*10; i++) {

  146.         field_randomize(&crand, a);

  147.     }

  148.     when = now() - when;

  149.     printf("rand448:     %5.1fns\n", when * 1e9 / i);

  150.     

  151.     sha512_ctx_a_t sha;

  152.     uint8_t hashout[128];

  153.     when = now();

  154.     for (i=0; i<nbase; i++) {

  155.         sha512_init(sha);

  156.         sha512_final(sha, hashout);

  157.     }

  158.     when = now() - when;

  159.     printf("sha512 1blk: %5.1fns\n", when * 1e9 / i);

  160.     

  161.     when = now();

  162.     for (i=0; i<nbase; i++) {

  163.         sha512_update(sha, hashout, 128);

  164.     }

  165.     when = now() - when;

  166.     printf("sha512 blk:  %5.1fns (%0.2f MB/s)\n", when * 1e9 / i, 128*i/when/1e6);

  167.     

  168.     when = now();

  169.     for (i=0; i<nbase; i++) {

  170.         shake256_hash(hashout,128,hashout,128);

  171.     }

  172.     when = now() - when;

  173.     printf("shake  1blk: %5.1fns\n", when * 1e9 / i);

  174.     

  175.     when = now();

  176.     for (i=0; i<nbase; i++) {

  177.         field_isr(c, a);

  178.     }

  179.     when = now() - when;

  180.     printf("isr auto:    %5.1fµs\n", when * 1e6 / i);

  181.     

  182.     for (i=0; i<100; i++) {

  183.         field_randomize(&crand, a);

  184.         field_isr(d,a);

  185.         field_sqr(b,d);

  186.         field_mul(c,b,a);

  187.         field_sqr(b,c);

  188.         field_subw(b,1);

  189.         if (!field_is_zero(b)) {

  190.             printf("ISR validation failure!\n");

  191.             field_print("a", a);

  192.             field_print("s", d);

  193.         }

  194.     }

  195.     

  196.     when = now();

  197.     for (i=0; i<nbase; i++) {

  198.         elligator_2s_inject(&affine, a);

  199.     }

  200.     when = now() - when;

  201.     printf("elligator:   %5.1fµs\n", when * 1e6 / i);

  202.     

  203.     for (i=0; i<100; i++) {

  204.         field_randomize(&crand, a);

  205.         elligator_2s_inject(&affine, a);

  206.         if (!validate_affine(&affine)) {

  207.             printf("Elligator validation failure!\n");

  208.             field_print("a", a);

  209.             field_print("x", affine.x);

  210.             field_print("y", affine.y);

  211.         }

  212.     }

  213.     

  214.     when = now();

  215.     for (i=0; i<nbase; i++) {

  216.         deserialize_affine(&affine, a);

  217.     }

  218.     when = now() - when;

  219.     printf("decompress:  %5.1fµs\n", when * 1e6 / i);

  220.     

  221.     convert_affine_to_extensible(&exta, &affine);

  222.     when = now();

  223.     for (i=0; i<nbase; i++) {

  224.         serialize_extensible(a, &exta);

  225.     }

  226.     when = now() - when;

  227.     printf("compress:    %5.1fµs\n", when * 1e6 / i);

  228.     

  229.     int goods = 0;

  230.     for (i=0; i<100; i++) {

  231.         field_randomize(&crand, a);

  232.         mask_t good = deserialize_affine(&affine, a);

  233.         if (good & !validate_affine(&affine)) {

  234.             printf("Deserialize validation failure!\n");

  235.             field_print("a", a);

  236.             field_print("x", affine.x);

  237.             field_print("y", affine.y);

  238.         } else if (good) {

  239.             goods++;

  240.             convert_affine_to_extensible(&exta,&affine);

  241.             serialize_extensible(b, &exta);

  242.             field_sub(c,b,a);

  243.             if (!field_is_zero(c)) {

  244.                 printf("Reserialize validation failure!\n");

  245.                 field_print("a", a);

  246.                 field_print("x", affine.x);

  247.                 field_print("y", affine.y);

  248.                 deserialize_affine(&affine, b);

  249.                 field_print("b", b);

  250.                 field_print("x", affine.x);

  251.                 field_print("y", affine.y);

  252.                 printf("\n");

  253.             }

  254.         }

  255.     }

  256.     if (goods<i/3) {

  257.         printf("Deserialization validation failure! Deserialized %d/%d points\n", goods, i);

  258.     }

  259.     

  260.     word_t lsk[768/WORD_BITS];

  261.     crandom_generate(&crand, (unsigned char *)lsk, sizeof(lsk));

  262.     

  263.     when = now();

  264.     for (i=0; i<nbase*100; i++) {

  265.         barrett_reduce(lsk,sizeof(lsk)/sizeof(word_t),0,&curve_prime_order);

  266.     }

  267.     when = now() - when;

  268.     printf("barrett red: %5.1fns\n", when * 1e9 / i);

  269.     

  270.     when = now();

  271.     for (i=0; i<nbase*10; i++) {

  272.         barrett_mac(lsk,SCALAR_WORDS,lsk,SCALAR_WORDS,lsk,SCALAR_WORDS,&curve_prime_order);

  273.     }

  274.     when = now() - when;

  275.     printf("barrett mac: %5.1fns\n", when * 1e9 / i);

  276.     

  277.     decaf_448_scalar_t asc,bsc,csc;

  278.     memset(asc,0,sizeof(asc));

  279.     memset(bsc,0,sizeof(bsc));

  280.     when = now();

  281.     for (i=0; i<nbase*10; i++) {

  282.         decaf_448_scalar_mul(csc,asc,bsc);

  283.     }

  284.     when = now() - when;

  285.     printf("decaf mulsc: %5.1fns\n", when * 1e9 / i);

  286.     

  287.     memset(&ext,0,sizeof(ext));

  288.     memset(&niels,0,sizeof(niels)); /* avoid assertions in p521 even though this isn't a valid ext or niels */

  289. 

  290.     tw_extended_a_t ed;

  291.     convert_tw_extensible_to_tw_extended(ed,&ext);

  292. 

  293.     when = now();

  294.     for (i=0; i<nbase*100; i++) {

  295.         add_tw_niels_to_tw_extensible(&ext, &niels);

  296.     }

  297.     when = now() - when;

  298.     printf("exti+niels:  %5.1fns\n", when * 1e9 / i);

  299. 

  300.     when = now();

  301.     for (i=0; i<nbase*100; i++) {

  302.         add_tw_extended(ed,ed);

  303.     }

  304.     when = now() - when;

  305.     printf("txt + txt :  %5.1fns\n", when * 1e9 / i);

  306. 

  307.     decaf_448_point_t Da,Db,Dc;

  308.     memset(Da,0,sizeof(Da));

  309.     memset(Db,0,sizeof(Db));

  310.     memset(Dc,0,sizeof(Dc));

  311.     when = now();

  312.     for (i=0; i<nbase*100; i++) {

  313.         decaf_448_point_add(Da,Db,Dc);

  314.     }

  315.     when = now() - when;

  316.     printf("dec + dec:   %5.1fns\n", when * 1e9 / i);

  317.     

  318.     convert_tw_extensible_to_tw_pniels(&pniels, &ext);

  319.     when = now();

  320.     for (i=0; i<nbase*100; i++) {

  321.         add_tw_pniels_to_tw_extensible(&ext, &pniels);

  322.     }

  323.     when = now() - when;

  324.     printf("exti+pniels: %5.1fns\n", when * 1e9 / i);

  325.     

  326.     when = now();

  327.     for (i=0; i<nbase*100; i++) {

  328.         double_tw_extensible(&ext);

  329.     }

  330.     when = now() - when;

  331.     printf("exti dbl:    %5.1fns\n", when * 1e9 / i);

  332.     

  333.     when = now();

  334.     for (i=0; i<nbase*100; i++) {

  335.         untwist_and_double(&exta, &ext);

  336.     }

  337.     when = now() - when;

  338.     printf("i->a isog:   %5.1fns\n", when * 1e9 / i);

  339.     

  340.     when = now();

  341.     for (i=0; i<nbase*100; i++) {

  342.         twist_and_double(&ext, &exta);

  343.     }

  344.     when = now() - when;

  345.     printf("a->i isog:   %5.1fns\n", when * 1e9 / i);

  346.     

  347.     memset(&mb,0,sizeof(mb));

  348.     when = now();

  349.     for (i=0; i<nbase*100; i++) {

  350.         montgomery_step(&mb);

  351.     }

  352.     when = now() - when;

  353.     printf("monty step:  %5.1fns\n", when * 1e9 / i);

  354.     

  355.     memset(&mba,0,sizeof(mba));

  356.     when = now();

  357.     for (i=0; i<nbase*100; i++) {

  358.         montgomery_aux_step(&mba);

  359.     }

  360.     when = now() - when;

  361.     printf("monty aux:   %5.1fns\n", when * 1e9 / i);

  362. 	

  363.     when = now();

  364.     for (i=0; i<nbase/10; i++) {

  365.         ignore_result(montgomery_ladder(a,b,sk,FIELD_BITS,0));

  366.     }

  367.     when = now() - when;

  368.     printf("full ladder: %5.1fµs\n", when * 1e6 / i);

  369. 	

  370.     when = now();

  371.     for (i=0; i<nbase/10; i++) {

  372.         ignore_result(decaf_montgomery_ladder(a,b,sk,FIELD_BITS));

  373.     }

  374.     when = now() - when;

  375.     printf("decafladder: %5.1fµs\n", when * 1e6 / i);

  376.    

  377.     when = now();

  378.     for (i=0; i<nbase/10; i++) {

  379.         decaf_448_point_scalarmul(Da,Db,asc);

  380.     }

  381.     when = now() - when;

  382.     printf("decaf slow:  %5.1fµs\n", when * 1e6 / i);

  383.    

  384.     when = now();

  385.     for (i=0; i<nbase/10; i++) {

  386.         decaf_448_point_double_scalarmul(Da,Db,bsc,Dc,asc);

  387.     }

  388.     when = now() - when;

  389.     printf("decaf slo2:  %5.1fµs\n", when * 1e6 / i);

  390. 

  391.     when = now();

  392.     for (i=0; i<nbase/10; i++) {

  393.         scalarmul(&ext,sk);

  394.     }

  395.     when = now() - when;

  396.     printf("edwards smz: %5.1fµs\n", when * 1e6 / i);

  397.     

  398.     when = now();

  399.     for (i=0; i<nbase/10; i++) {

  400.         scalarmul_vlook(&ext,sk);

  401.     }

  402.     when = now() - when;

  403.     printf("edwards svl: %5.1fµs\n", when * 1e6 / i);

  404.     

  405.     when = now();

  406.     for (i=0; i<nbase/10; i++) {

  407.         scalarmul_ed(ed,sk);

  408.     }

  409.     when = now() - when;

  410.     printf("edwards txt: %5.1fµs\n", when * 1e6 / i);

  411.     

  412.     field_set_ui(a,0);

  413.     when = now();

  414.     for (i=0; i<nbase/10; i++) {

  415. 	ignore_result(decaf_deserialize_tw_extended(ed,a,-1));

  416.         scalarmul_ed(ed,sk);

  417. 	decaf_serialize_tw_extended(a,ed);

  418.     }

  419.     when = now() - when;

  420.     printf("simple ECDH: %5.1fµs\n", when * 1e6 / i);

  421.     

  422.     when = now();

  423.     for (i=0; i<nbase/10; i++) {

  424.         scalarmul(&ext,sk);

  425.         untwist_and_double_and_serialize(a,&ext);

  426.     }

  427.     when = now() - when;

  428.     printf("edwards smc: %5.1fµs\n", when * 1e6 / i);

  429.     

  430.     when = now();

  431.     for (i=0; i<nbase/10; i++) {

  432.         q448_randomize(&crand, sk);

  433.         scalarmul_vt(&ext,sk,SCALAR_BITS);

  434.     }

  435.     when = now() - when;

  436.     printf("edwards vtm: %5.1fµs\n", when * 1e6 / i);

  437.     

  438.     tw_niels_a_t wnaft[1<<6];

  439.     when = now();

  440.     for (i=0; i<nbase/10; i++) {

  441.         ignore_result(precompute_fixed_base_wnaf(wnaft,&ext,6));

  442.     }

  443.     when = now() - when;

  444.     printf("wnaf6 pre:   %5.1fµs\n", when * 1e6 / i);

  445.     

  446.     when = now();

  447.     for (i=0; i<nbase/10; i++) {

  448.         q448_randomize(&crand, sk);

  449.         scalarmul_fixed_base_wnaf_vt(&ext,sk,SCALAR_BITS,(const tw_niels_a_t*)wnaft,6);

  450.     }

  451.     when = now() - when;

  452.     printf("edwards vt6: %5.1fµs\n", when * 1e6 / i);

  453.     

  454.     when = now();

  455.     for (i=0; i<nbase/10; i++) {

  456.         ignore_result(precompute_fixed_base_wnaf(wnaft,&ext,4));

  457.     }

  458.     when = now() - when;

  459.     printf("wnaf4 pre:   %5.1fµs\n", when * 1e6 / i);

  460.     

  461.     when = now();

  462.     for (i=0; i<nbase/10; i++) {

  463.         q448_randomize(&crand, sk);

  464.         scalarmul_fixed_base_wnaf_vt(&ext,sk,SCALAR_BITS,(const tw_niels_a_t*)wnaft,4);

  465.     }

  466.     when = now() - when;

  467.     printf("edwards vt4: %5.1fµs\n", when * 1e6 / i);

  468. 

  469.     when = now();

  470.     for (i=0; i<nbase/10; i++) {

  471.         ignore_result(precompute_fixed_base_wnaf(wnaft,&ext,5));

  472.     }

  473.     when = now() - when;

  474.     printf("wnaf5 pre:   %5.1fµs\n", when * 1e6 / i);

  475.     

  476.     when = now();

  477.     for (i=0; i<nbase/10; i++) {

  478.         q448_randomize(&crand, sk);

  479.         scalarmul_fixed_base_wnaf_vt(&ext,sk,SCALAR_BITS,(const tw_niels_a_t*)wnaft,5);

  480.     }

  481.     when = now() - when;

  482.     printf("edwards vt5: %5.1fµs\n", when * 1e6 / i);

  483.     

  484.     when = now();

  485.     for (i=0; i<nbase/10; i++) {

  486.         q448_randomize(&crand, sk);

  487.         q448_randomize(&crand, tk);

  488.         linear_combo_var_fixed_vt(&ext,sk,FIELD_BITS,tk,FIELD_BITS,(const tw_niels_a_t*)wnaft,5);

  489.     }

  490.     when = now() - when;

  491.     printf("vt vf combo: %5.1fµs\n", when * 1e6 / i);

  492.     

  493.     when = now();

  494.     for (i=0; i<nbase/10; i++) {

  495.         deserialize_affine(&affine, a);

  496.         convert_affine_to_extensible(&exta,&affine);

  497.         twist_and_double(&ext,&exta);

  498.         scalarmul(&ext,sk);

  499.         untwist_and_double(&exta,&ext);

  500.         serialize_extensible(b, &exta);

  501.     }

  502.     when = now() - when;

  503.     printf("edwards sm:  %5.1fµs\n", when * 1e6 / i);

  504.     

  505.     struct fixed_base_table_t t_5_5_18, t_3_5_30, t_8_4_14, t_5_3_30, t_15_3_10;

  506. 

  507.     while (1) {

  508.         field_randomize(&crand, a);

  509.         if (deserialize_affine(&affine, a)) break;

  510.     }

  511.     convert_affine_to_extensible(&exta,&affine);

  512.     twist_and_double(&ext,&exta);

  513.     when = now();

  514.     for (i=0; i<nbase/10; i++) {

  515.         if (i) destroy_fixed_base(&t_5_5_18);

  516.         ignore_result(precompute_fixed_base(&t_5_5_18, &ext, 5, 5, 18, NULL));

  517.     }

  518.     when = now() - when;

  519.     printf("pre(5,5,18): %5.1fµs\n", when * 1e6 / i);

  520.     

  521.     when = now();

  522.     for (i=0; i<nbase/10; i++) {

  523.         if (i) destroy_fixed_base(&t_3_5_30);

  524.         ignore_result(precompute_fixed_base(&t_3_5_30, &ext, 3, 5, 30, NULL));

  525.     }

  526.     when = now() - when;

  527.     printf("pre(3,5,30): %5.1fµs\n", when * 1e6 / i);

  528.     

  529.     when = now();

  530.     for (i=0; i<nbase/10; i++) {

  531.         if (i) destroy_fixed_base(&t_5_3_30);

  532.         ignore_result(precompute_fixed_base(&t_5_3_30, &ext, 5, 3, 30, NULL));

  533.     }

  534.     when = now() - when;

  535.     printf("pre(5,3,30): %5.1fµs\n", when * 1e6 / i);

  536.     

  537.     when = now();

  538.     for (i=0; i<nbase/10; i++) {

  539.         if (i) destroy_fixed_base(&t_15_3_10);

  540.         ignore_result(precompute_fixed_base(&t_15_3_10, &ext, 15, 3, 10, NULL));

  541.     }

  542.     when = now() - when;

  543.     printf("pre(15,3,10):%5.1fµs\n", when * 1e6 / i);

  544.     

  545.     when = now();

  546.     for (i=0; i<nbase/10; i++) {

  547.         if (i) destroy_fixed_base(&t_8_4_14);

  548.         ignore_result(precompute_fixed_base(&t_8_4_14, &ext, 8, 4, 14, NULL));

  549.     }

  550.     when = now() - when;

  551.     printf("pre(8,4,14): %5.1fµs\n", when * 1e6 / i);

  552. 	

  553.     when = now();

  554.     for (i=0; i<nbase; i++) {

  555.         scalarmul_fixed_base(&ext, sk, FIELD_BITS, &t_5_5_18);

  556.     }

  557.     when = now() - when;

  558.     printf("com(5,5,18): %5.1fµs\n", when * 1e6 / i);

  559.     

  560.     when = now();

  561.     for (i=0; i<nbase; i++) {

  562.         scalarmul_fixed_base(&ext, sk, FIELD_BITS, &t_3_5_30);

  563.     }

  564.     when = now() - when;

  565.     printf("com(3,5,30): %5.1fµs\n", when * 1e6 / i);

  566. 

  567.     when = now();

  568.     for (i=0; i<nbase; i++) {

  569.         scalarmul_fixed_base(&ext, sk, FIELD_BITS, &t_8_4_14);

  570.     }

  571.     when = now() - when;

  572.     printf("com(8,4,14): %5.1fµs\n", when * 1e6 / i);

  573. 

  574.     when = now();

  575.     for (i=0; i<nbase; i++) {

  576.         scalarmul_fixed_base(&ext, sk, FIELD_BITS, &t_5_3_30);

  577.     }

  578.     when = now() - when;

  579.     printf("com(5,3,30): %5.1fµs\n", when * 1e6 / i);

  580. 

  581.     when = now();

  582.     for (i=0; i<nbase; i++) {

  583.         scalarmul_fixed_base(&ext, sk, FIELD_BITS, &t_15_3_10);

  584.     }

  585.     when = now() - when;

  586.     printf("com(15,3,10):%5.1fµs\n", when * 1e6 / i);

  587.     

  588.     printf("\nGoldilocks:\n");

  589.     

  590.     int res = goldilocks_init();

  591.     assert(!res);

  592.     

  593.     struct goldilocks_public_key_t gpk,hpk;

  594.     struct goldilocks_private_key_t gsk,hsk;

  595.     

  596.     when = now();

  597.     for (i=0; i<nbase; i++) {

  598.         if (i&1) {

  599.             res = goldilocks_keygen(&gsk,&gpk);

  600.         } else {

  601.             res = goldilocks_keygen(&hsk,&hpk);

  602.         }

  603.         assert(!res);

  604.     }

  605.     when = now() - when;

  606.     printf("keygen:      %5.1fµs\n", when * 1e6 / i);

  607.     

  608.     uint8_t ss1[64],ss2[64];

  609.     int gres1=0,gres2=0;

  610.     when = now();

  611.     for (i=0; i<nbase; i++) {

  612.         if (i&1) {

  613.             gres1 = goldilocks_shared_secret(ss1,&gsk,&hpk);

  614.         } else {

  615.             gres2 = goldilocks_shared_secret(ss2,&hsk,&gpk);

  616.         }

  617.     }

  618.     when = now() - when;

  619.     printf("ecdh:        %5.1fµs\n", when * 1e6 / i);

  620.     if (gres1 || gres2 || memcmp(ss1,ss2,64)) {

  621.         printf("[FAIL] %d %d\n",gres1,gres2);

  622.         

  623.         printf("sk1 = ");

  624.         for (i=0; i<SCALAR_BYTES; i++) {

  625.             printf("%02x", gsk.opaque[i]);

  626.         }

  627.         printf("\nsk2 = ");

  628.         for (i=0; i<SCALAR_BYTES; i++) {

  629.             printf("%02x", hsk.opaque[i]);

  630.         }

  631.         printf("\nss1 = ");

  632.         for (i=0; i<64; i++) {

  633.             printf("%02x", ss1[i]);

  634.         }

  635.         printf("\nss2 = ");

  636.         for (i=0; i<64; i++) {

  637.             printf("%02x", ss2[i]);

  638.         }

  639.         printf("\n");

  640.     }

  641.     

  642.     uint8_t sout[FIELD_BYTES*2];

  643.     const char *message = "hello world";

  644.     size_t message_len = strlen(message);

  645.     when = now();

  646.     for (i=0; i<nbase; i++) {

  647.         res = goldilocks_sign(sout,(const unsigned char *)message,message_len,&gsk);

  648.         (void)res;

  649.         assert(!res);

  650.     }

  651.     when = now() - when;

  652.     printf("sign:        %5.1fµs\n", when * 1e6 / i);

  653.     

  654.     when = now();

  655.     for (i=0; i<nbase; i++) {

  656.         int ver = goldilocks_verify(sout,(const unsigned char *)message,message_len,&gpk);

  657.         (void)ver;

  658.         assert(!ver);

  659.     }

  660.     when = now() - when;

  661.     printf("verify:      %5.1fµs\n", when * 1e6 / i);

  662.     

  663.     struct goldilocks_precomputed_public_key_t *pre = NULL;

  664.     when = now();

  665.     for (i=0; i<nbase; i++) {

  666.         goldilocks_destroy_precomputed_public_key(pre);

  667.         pre = goldilocks_precompute_public_key(&gpk);

  668.     }

  669.     when = now() - when;

  670.     printf("precompute:  %5.1fµs\n", when * 1e6 / i);

  671.     

  672.     when = now();

  673.     for (i=0; i<nbase; i++) {

  674.         int ver = goldilocks_verify_precomputed(sout,(const unsigned char *)message,message_len,pre);

  675.         (void)ver;

  676.         assert(!ver);

  677.     }

  678.     when = now() - when;

  679.     printf("verify pre:  %5.1fµs\n", when * 1e6 / i);

  680.     

  681.     when = now();

  682.     for (i=0; i<nbase; i++) {

  683.         int ret = goldilocks_shared_secret_precomputed(ss1,&gsk,pre);

  684.         (void)ret;

  685.         assert(!ret);

  686.     }

  687.     when = now() - when;

  688.     printf("ecdh pre:    %5.1fµs\n", when * 1e6 / i);

  689.     

  690.     printf("\nTesting...\n");

  691.     

  692.     

  693.     int failures=0, successes = 0;

  694.     for (i=0; i<nbase/10; i++) {

  695.         ignore_result(goldilocks_keygen(&gsk,&gpk));

  696.         goldilocks_sign(sout,(const unsigned char *)message,message_len,&gsk);

  697.         res = goldilocks_verify(sout,(const unsigned char *)message,message_len,&gpk);

  698.         if (res) failures++;

  699.     }

  700.     if (failures) {

  701.         printf("FAIL %d/%d signature checks!\n", failures, i);

  702.     }

  703.     

  704.     failures=0; successes = 0;

  705.     for (i=0; i<nbase/10; i++) {

  706.         field_randomize(&crand, a);

  707. 		word_t two = 2;

  708.         mask_t good = montgomery_ladder(b,a,&two,2,0);

  709. 		if (!good) continue;

  710. 		

  711. 		word_t x,y;

  712.         crandom_generate(&crand, (unsigned char *)&x, sizeof(x));

  713.         crandom_generate(&crand, (unsigned char *)&y, sizeof(y));

  714.         x = (hword_t)x;

  715.         y = (hword_t)y;

  716.         word_t z=x*y;

  717.         

  718.     	ignore_result(montgomery_ladder(b,a,&x,WORD_BITS,0));

  719.         ignore_result(montgomery_ladder(c,b,&y,WORD_BITS,0));

  720.         ignore_result(montgomery_ladder(b,a,&z,WORD_BITS,0));

  721.         

  722.         field_sub(d,b,c);

  723. 		if (!field_is_zero(d)) {

  724.             printf("Odd ladder validation failure %d!\n", ++failures);

  725.             field_print("a", a);

  726.             printf("x=%"PRIxWORD", y=%"PRIxWORD", z=%"PRIxWORD"\n", x,y,z);

  727.             field_print("c", c);

  728.             field_print("b", b);

  729. 			printf("\n");

  730. 		}

  731. 	}

  732.     

  733.     failures = 0;

  734.     for (i=0; i<nbase/10; i++) {

  735.         mask_t good;

  736.         do {

  737.             field_randomize(&crand, a);

  738.             good = deserialize_affine(&affine, a);

  739.         } while (!good);

  740.         

  741.         convert_affine_to_extensible(&exta,&affine);

  742.         twist_and_double(&ext,&exta);

  743.         untwist_and_double(&exta,&ext);

  744.         serialize_extensible(b, &exta);

  745.         untwist_and_double_and_serialize(c, &ext);

  746.         

  747.         field_sub(d,b,c);

  748.         

  749.         if (good && !field_is_zero(d)){

  750.             printf("Iso+serial validation failure %d!\n", ++failures);

  751.             field_print("a", a);

  752.             field_print("b", b);

  753.             field_print("c", c);

  754.             printf("\n");

  755.         } else if (good) {

  756.             successes ++;

  757.         }

  758.     }

  759.     if (successes < i/3) {

  760.         printf("Iso+serial variation: only %d/%d successful.\n", successes, i);

  761.     }

  762.     

  763.     successes = failures = 0;

  764.     for (i=0; i<nbase/10; i++) {

  765.         field_a_t aa;

  766.         struct tw_extensible_t exu,exv,exw;

  767.         

  768.         mask_t good;

  769.         do {

  770.             field_randomize(&crand, a);

  771.             good = deserialize_affine(&affine, a);

  772.             convert_affine_to_extensible(&exta,&affine);

  773.             twist_and_double(&ext,&exta);

  774.         } while (!good);

  775.         do {

  776.             field_randomize(&crand, aa);

  777.             good = deserialize_affine(&affine, aa);

  778.             convert_affine_to_extensible(&exta,&affine);

  779.             twist_and_double(&exu,&exta);

  780.         } while (!good);

  781.         field_randomize(&crand, aa);

  782.         

  783.         q448_randomize(&crand, sk);

  784. 		if (i==0 || i==2) memset(&sk, 0, sizeof(sk));

  785.         q448_randomize(&crand, tk);

  786. 		if (i==0 || i==1) memset(&tk, 0, sizeof(tk));

  787.         

  788.         copy_tw_extensible(&exv, &ext);

  789.         copy_tw_extensible(&exw, &exu);

  790.         scalarmul(&exv,sk);

  791.         scalarmul(&exw,tk);

  792.         convert_tw_extensible_to_tw_pniels(&pniels, &exw);

  793.         add_tw_pniels_to_tw_extensible(&exv,&pniels);

  794.         untwist_and_double(&exta,&exv);

  795.         serialize_extensible(b, &exta);

  796. 

  797.         ignore_result(precompute_fixed_base_wnaf(wnaft,&exu,5));

  798.         linear_combo_var_fixed_vt(&ext,sk,FIELD_BITS,tk,FIELD_BITS,(const tw_niels_a_t*)wnaft,5);

  799.         untwist_and_double(&exta,&exv);

  800.         serialize_extensible(c, &exta);

  801.         

  802.         field_sub(d,b,c);

  803.         

  804.         if (!field_is_zero(d)){

  805.             printf("PreWNAF combo validation failure %d!\n", ++failures);

  806.             field_print("a", a);

  807.             field_print("A", aa);

  808.             q448_print("s", sk);

  809.             q448_print("t", tk);

  810.             field_print("c", c);

  811.             field_print("b", b);

  812.             printf("\n\n");

  813.         } else if (good) {

  814.             successes ++;

  815.         }

  816.     }

  817.     if (successes < i) {

  818.         printf("PreWNAF combo variation: only %d/%d successful.\n", successes, i);

  819.     }

  820.     

  821.     return 0;

  822. }