jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
30 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: b4ce20d667
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'b4ce20d667'
${ noResults }
ed448goldilocks/test/bench.c

733 lines
21 KiB
Raw Blame History 

  1. /* Copyright (c) 2014 Cryptography Research, Inc.

  2.  * Released under the MIT License.  See LICENSE.txt for license information.

  3.  */

  4. 

  5. #include "word.h"

  6. 

  7. #include <sys/time.h>

  8. #include <sys/types.h>

  9. #include <stdio.h>

  10. #include <memory.h>

  11. 

  12. #include "field.h"

  13. #include "ec_point.h"

  14. #include "scalarmul.h"

  15. #include "barrett_field.h"

  16. #include "crandom.h"

  17. #include "goldilocks.h"

  18. #include "sha512.h"

  19. 

  20. static __inline__ void

  21. ignore_result ( int result ) {

  22.     (void)result;

  23. }

  24. 

  25. static double now(void) {

  26.   struct timeval tv;

  27.   gettimeofday(&tv, NULL);

  28.   

  29.   return tv.tv_sec + tv.tv_usec/1000000.0;

  30. }

  31. 

  32. static void field_randomize( struct crandom_state_t *crand, struct field_t *a ) {

  33.     crandom_generate(crand, (unsigned char *)a, sizeof(*a));

  34.     field_strong_reduce(a);

  35. }

  36. 

  37. static void q448_randomize( struct crandom_state_t *crand, word_t sk[SCALAR_WORDS] ) {

  38.     crandom_generate(crand, (unsigned char *)sk, SCALAR_BYTES);

  39. }

  40. 

  41. static void field_print( const char *descr, const struct field_t *a ) {

  42.     field_t b;

  43.     field_copy(&b, a);

  44.     field_strong_reduce(&b);

  45.     int j;

  46.     printf("%s = 0x", descr);

  47.     for (j=sizeof(*a)/sizeof(a->limb[0])-1; j>=0; j--) {

  48.         printf(PRIxWORD58, b.limb[j]);

  49.     }

  50.     printf("\n");

  51. }

  52. 

  53. static void __attribute__((unused))

  54. field_print_full (

  55.     const char *descr,

  56.     const struct field_t *a

  57. ) {

  58.     int j;

  59.     printf("%s = 0x", descr);

  60.     for (j=15; j>=0; j--) {

  61.         printf("%02" PRIxWORD "_" PRIxWORD58 " ",

  62.             a->limb[j]>>28, a->limb[j]&((1<<28)-1));

  63.     }

  64.     printf("\n");

  65. }

  66. 

  67. static void q448_print( const char *descr, const word_t secret[SCALAR_WORDS] ) {

  68.     int j;

  69.     printf("%s = 0x", descr);

  70.     for (j=SCALAR_WORDS-1; j>=0; j--) {

  71.         printf(PRIxWORDfull, secret[j]);

  72.     }

  73.     printf("\n");

  74. }

  75. 

  76. #ifndef N_TESTS_BASE

  77. #define N_TESTS_BASE 10000

  78. #endif

  79. 

  80. int main(int argc, char **argv) {

  81.     (void)argc;

  82.     (void)argv;

  83. 

  84.     struct tw_extensible_t ext;

  85.     struct extensible_t exta;

  86.     struct tw_niels_t niels;

  87.     struct tw_pniels_t pniels;

  88.     struct affine_t affine;

  89.     struct montgomery_t mb;

  90.     struct field_t a,b,c,d;

  91.     

  92.     

  93.     double when;

  94.     int i;

  95. 

  96.     int nbase = N_TESTS_BASE;

  97.     

  98.     /* Bad randomness so we can debug. */

  99.     char initial_seed[32];

  100.     for (i=0; i<32; i++) initial_seed[i] = i;

  101.     struct crandom_state_t crand;

  102.     crandom_init_from_buffer(&crand, initial_seed);

  103.     /* For testing the performance drop from the crandom debuffering change.

  104.         ignore_result(crandom_init_from_file(&crand, "/dev/urandom", 10000, 1));

  105.     */

  106.     

  107.     word_t sk[SCALAR_WORDS],tk[SCALAR_WORDS];

  108.     q448_randomize(&crand, sk);

  109.     

  110.     when = now();

  111.     for (i=0; i<nbase*5000; i++) {

  112.         field_mul(&c, &b, &a);

  113.     }

  114.     when = now() - when;

  115.     printf("mul:         %5.1fns\n", when * 1e9 / i);

  116.     

  117.     when = now();

  118.     for (i=0; i<nbase*5000; i++) {

  119.         field_sqr(&c, &a);

  120.     }

  121.     when = now() - when;

  122.     printf("sqr:         %5.1fns\n", when * 1e9 / i);

  123.     

  124.     when = now();

  125.     for (i=0; i<nbase*5000; i++) {

  126.         field_mulw(&c, &b, 1234562);

  127.     }

  128.     when = now() - when;

  129.     printf("mulw:        %5.1fns\n", when * 1e9 / i);

  130.     

  131.     when = now();

  132.     for (i=0; i<nbase*500; i++) {

  133.         field_mul(&c, &b, &a);

  134.         field_mul(&a, &b, &c);

  135.     }

  136.     when = now() - when;

  137.     printf("mul dep:     %5.1fns\n", when * 1e9 / i / 2);

  138.     

  139.     when = now();

  140.     for (i=0; i<nbase*10; i++) {

  141.         field_randomize(&crand, &a);

  142.     }

  143.     when = now() - when;

  144.     printf("rand448:     %5.1fns\n", when * 1e9 / i);

  145.     

  146.     struct sha512_ctx_t sha;

  147.     uint8_t hashout[128];

  148.     when = now();

  149.     for (i=0; i<nbase; i++) {

  150.         sha512_init(&sha);

  151.         sha512_final(&sha, hashout);

  152.     }

  153.     when = now() - when;

  154.     printf("sha512 1blk: %5.1fns\n", when * 1e9 / i);

  155.     

  156.     when = now();

  157.     for (i=0; i<nbase; i++) {

  158.         sha512_update(&sha, hashout, 128);

  159.     }

  160.     when = now() - when;

  161.     printf("sha512 blk:  %5.1fns (%0.2f MB/s)\n", when * 1e9 / i, 128*i/when/1e6);

  162.     

  163.     when = now();

  164.     for (i=0; i<nbase; i++) {

  165.         field_isr(&c, &a);

  166.     }

  167.     when = now() - when;

  168.     printf("isr auto:    %5.1fµs\n", when * 1e6 / i);

  169.     

  170.     for (i=0; i<100; i++) {

  171.         field_randomize(&crand, &a);

  172.         field_isr(&d,&a);

  173.         field_sqr(&b,&d);

  174.         field_mul(&c,&b,&a);

  175.         field_sqr(&b,&c);

  176.         field_subw(&b,1);

  177.         field_bias(&b,1);

  178.         if (!field_is_zero(&b)) {

  179.             printf("ISR validation failure!\n");

  180.             field_print("a", &a);

  181.             field_print("s", &d);

  182.         }

  183.     }

  184.     

  185.     when = now();

  186.     for (i=0; i<nbase; i++) {

  187.         elligator_2s_inject(&affine, &a);

  188.     }

  189.     when = now() - when;

  190.     printf("elligator:   %5.1fµs\n", when * 1e6 / i);

  191.     

  192.     for (i=0; i<100; i++) {

  193.         field_randomize(&crand, &a);

  194.         elligator_2s_inject(&affine, &a);

  195.         if (!validate_affine(&affine)) {

  196.             printf("Elligator validation failure!\n");

  197.             field_print("a", &a);

  198.             field_print("x", &affine.x);

  199.             field_print("y", &affine.y);

  200.         }

  201.     }

  202.     

  203.     when = now();

  204.     for (i=0; i<nbase; i++) {

  205.         deserialize_affine(&affine, &a);

  206.     }

  207.     when = now() - when;

  208.     printf("decompress:  %5.1fµs\n", when * 1e6 / i);

  209.     

  210.     when = now();

  211.     for (i=0; i<nbase; i++) {

  212.         serialize_extensible(&a, &exta);

  213.     }

  214.     when = now() - when;

  215.     printf("compress:    %5.1fµs\n", when * 1e6 / i);

  216.     

  217.     int goods = 0;

  218.     for (i=0; i<100; i++) {

  219.         field_randomize(&crand, &a);

  220.         mask_t good = deserialize_affine(&affine, &a);

  221.         if (good & !validate_affine(&affine)) {

  222.             printf("Deserialize validation failure!\n");

  223.             field_print("a", &a);

  224.             field_print("x", &affine.x);

  225.             field_print("y", &affine.y);

  226.         } else if (good) {

  227.             goods++;

  228.             convert_affine_to_extensible(&exta,&affine);

  229.             serialize_extensible(&b, &exta);

  230.             field_sub(&c,&b,&a);

  231.             field_bias(&c,2);

  232.             if (!field_is_zero(&c)) {

  233.                 printf("Reserialize validation failure!\n");

  234.                 field_print("a", &a);

  235.                 field_print("x", &affine.x);

  236.                 field_print("y", &affine.y);

  237.                 deserialize_affine(&affine, &b);

  238.                 field_print("b", &b);

  239.                 field_print("x", &affine.x);

  240.                 field_print("y", &affine.y);

  241.                 printf("\n");

  242.             }

  243.         }

  244.     }

  245.     if (goods<i/3) {

  246.         printf("Deserialization validation failure! Deserialized %d/%d points\n", goods, i);

  247.     }

  248.     

  249.     word_t lsk[768/WORD_BITS];

  250.     crandom_generate(&crand, (unsigned char *)lsk, sizeof(lsk));

  251.     

  252.     when = now();

  253.     for (i=0; i<nbase*100; i++) {

  254.         barrett_reduce(lsk,sizeof(lsk)/sizeof(word_t),0,&curve_prime_order);

  255.     }

  256.     when = now() - when;

  257.     printf("barrett red: %5.1fns\n", when * 1e9 / i);

  258.     

  259.     when = now();

  260.     for (i=0; i<nbase*10; i++) {

  261.         barrett_mac(lsk,SCALAR_WORDS,lsk,SCALAR_WORDS,lsk,SCALAR_WORDS,&curve_prime_order);

  262.     }

  263.     when = now() - when;

  264.     printf("barrett mac: %5.1fns\n", when * 1e9 / i);

  265.     

  266.     when = now();

  267.     for (i=0; i<nbase*100; i++) {

  268.         add_tw_niels_to_tw_extensible(&ext, &niels);

  269.     }

  270.     when = now() - when;

  271.     printf("exti+niels:  %5.1fns\n", when * 1e9 / i);

  272.     

  273.     when = now();

  274.     for (i=0; i<nbase*100; i++) {

  275.         add_tw_pniels_to_tw_extensible(&ext, &pniels);

  276.     }

  277.     when = now() - when;

  278.     printf("exti+pniels: %5.1fns\n", when * 1e9 / i);

  279.     

  280.     when = now();

  281.     for (i=0; i<nbase*100; i++) {

  282.         double_tw_extensible(&ext);

  283.     }

  284.     when = now() - when;

  285.     printf("exti dbl:    %5.1fns\n", when * 1e9 / i);

  286.     

  287.     when = now();

  288.     for (i=0; i<nbase*100; i++) {

  289.         untwist_and_double(&exta, &ext);

  290.     }

  291.     when = now() - when;

  292.     printf("i->a isog:   %5.1fns\n", when * 1e9 / i);

  293.     

  294.     when = now();

  295.     for (i=0; i<nbase*100; i++) {

  296.         twist_and_double(&ext, &exta);

  297.     }

  298.     when = now() - when;

  299.     printf("a->i isog:   %5.1fns\n", when * 1e9 / i);

  300.     

  301.     when = now();

  302.     for (i=0; i<nbase*100; i++) {

  303.         montgomery_step(&mb);

  304.     }

  305.     when = now() - when;

  306.     printf("monty step:  %5.1fns\n", when * 1e9 / i);

  307. 	

  308.     when = now();

  309.     for (i=0; i<nbase/10; i++) {

  310.         ignore_result(montgomery_ladder(&a,&b,sk,FIELD_BITS,0));

  311.     }

  312.     when = now() - when;

  313.     printf("full ladder: %5.1fµs\n", when * 1e6 / i);

  314.     

  315.     when = now();

  316.     for (i=0; i<nbase/10; i++) {

  317.         scalarmul(&ext,sk);

  318.     }

  319.     when = now() - when;

  320.     printf("edwards smz: %5.1fµs\n", when * 1e6 / i);

  321.     

  322.     when = now();

  323.     for (i=0; i<nbase/10; i++) {

  324.         scalarmul_vlook(&ext,sk);

  325.     }

  326.     when = now() - when;

  327.     printf("edwards svl: %5.1fµs\n", when * 1e6 / i);

  328.     

  329.     when = now();

  330.     for (i=0; i<nbase/10; i++) {

  331.         scalarmul(&ext,sk);

  332.         untwist_and_double_and_serialize(&a,&ext);

  333.     }

  334.     when = now() - when;

  335.     printf("edwards smc: %5.1fµs\n", when * 1e6 / i);

  336.     

  337.     when = now();

  338.     for (i=0; i<nbase/10; i++) {

  339.         q448_randomize(&crand, sk);

  340.         scalarmul_vt(&ext,sk,SCALAR_BITS);

  341.     }

  342.     when = now() - when;

  343.     printf("edwards vtm: %5.1fµs\n", when * 1e6 / i);

  344.     

  345.     struct tw_niels_t wnaft[1<<6];

  346.     when = now();

  347.     for (i=0; i<nbase/10; i++) {

  348.         ignore_result(precompute_fixed_base_wnaf(wnaft,&ext,6));

  349.     }

  350.     when = now() - when;

  351.     printf("wnaf6 pre:   %5.1fµs\n", when * 1e6 / i);

  352.     

  353.     when = now();

  354.     for (i=0; i<nbase/10; i++) {

  355.         q448_randomize(&crand, sk);

  356.         scalarmul_fixed_base_wnaf_vt(&ext,sk,SCALAR_BITS,wnaft,6);

  357.     }

  358.     when = now() - when;

  359.     printf("edwards vt6: %5.1fµs\n", when * 1e6 / i);

  360.     

  361.     when = now();

  362.     for (i=0; i<nbase/10; i++) {

  363.         ignore_result(precompute_fixed_base_wnaf(wnaft,&ext,4));

  364.     }

  365.     when = now() - when;

  366.     printf("wnaf4 pre:   %5.1fµs\n", when * 1e6 / i);

  367.     

  368.     when = now();

  369.     for (i=0; i<nbase/10; i++) {

  370.         q448_randomize(&crand, sk);

  371.         scalarmul_fixed_base_wnaf_vt(&ext,sk,SCALAR_BITS,wnaft,4);

  372.     }

  373.     when = now() - when;

  374.     printf("edwards vt4: %5.1fµs\n", when * 1e6 / i);

  375. 

  376.     when = now();

  377.     for (i=0; i<nbase/10; i++) {

  378.         ignore_result(precompute_fixed_base_wnaf(wnaft,&ext,5));

  379.     }

  380.     when = now() - when;

  381.     printf("wnaf5 pre:   %5.1fµs\n", when * 1e6 / i);

  382.     

  383.     when = now();

  384.     for (i=0; i<nbase/10; i++) {

  385.         q448_randomize(&crand, sk);

  386.         scalarmul_fixed_base_wnaf_vt(&ext,sk,SCALAR_BITS,wnaft,5);

  387.     }

  388.     when = now() - when;

  389.     printf("edwards vt5: %5.1fµs\n", when * 1e6 / i);

  390.     

  391.     when = now();

  392.     for (i=0; i<nbase/10; i++) {

  393.         q448_randomize(&crand, sk);

  394.         q448_randomize(&crand, tk);

  395.         linear_combo_var_fixed_vt(&ext,sk,FIELD_BITS,tk,FIELD_BITS,wnaft,5);

  396.     }

  397.     when = now() - when;

  398.     printf("vt vf combo: %5.1fµs\n", when * 1e6 / i);

  399.     

  400.     when = now();

  401.     for (i=0; i<nbase/10; i++) {

  402.         deserialize_affine(&affine, &a);

  403.         convert_affine_to_extensible(&exta,&affine);

  404.         twist_and_double(&ext,&exta);

  405.         scalarmul(&ext,sk);

  406.         untwist_and_double(&exta,&ext);

  407.         serialize_extensible(&b, &exta);

  408.     }

  409.     when = now() - when;

  410.     printf("edwards sm:  %5.1fµs\n", when * 1e6 / i);

  411.     

  412.     struct fixed_base_table_t t_5_5_18, t_3_5_30, t_8_4_14, t_5_3_30, t_15_3_10;

  413. 

  414.     while (1) {

  415.         field_randomize(&crand, &a);

  416.         if (deserialize_affine(&affine, &a)) break;

  417.     }

  418.     convert_affine_to_extensible(&exta,&affine);

  419.     twist_and_double(&ext,&exta);

  420.     when = now();

  421.     for (i=0; i<nbase/10; i++) {

  422.         if (i) destroy_fixed_base(&t_5_5_18);

  423.         ignore_result(precompute_fixed_base(&t_5_5_18, &ext, 5, 5, 18, NULL));

  424.     }

  425.     when = now() - when;

  426.     printf("pre(5,5,18): %5.1fµs\n", when * 1e6 / i);

  427.     

  428.     when = now();

  429.     for (i=0; i<nbase/10; i++) {

  430.         if (i) destroy_fixed_base(&t_3_5_30);

  431.         ignore_result(precompute_fixed_base(&t_3_5_30, &ext, 3, 5, 30, NULL));

  432.     }

  433.     when = now() - when;

  434.     printf("pre(3,5,30): %5.1fµs\n", when * 1e6 / i);

  435.     

  436.     when = now();

  437.     for (i=0; i<nbase/10; i++) {

  438.         if (i) destroy_fixed_base(&t_5_3_30);

  439.         ignore_result(precompute_fixed_base(&t_5_3_30, &ext, 5, 3, 30, NULL));

  440.     }

  441.     when = now() - when;

  442.     printf("pre(5,3,30): %5.1fµs\n", when * 1e6 / i);

  443.     

  444.     when = now();

  445.     for (i=0; i<nbase/10; i++) {

  446.         if (i) destroy_fixed_base(&t_15_3_10);

  447.         ignore_result(precompute_fixed_base(&t_15_3_10, &ext, 15, 3, 10, NULL));

  448.     }

  449.     when = now() - when;

  450.     printf("pre(15,3,10):%5.1fµs\n", when * 1e6 / i);

  451.     

  452.     when = now();

  453.     for (i=0; i<nbase/10; i++) {

  454.         if (i) destroy_fixed_base(&t_8_4_14);

  455.         ignore_result(precompute_fixed_base(&t_8_4_14, &ext, 8, 4, 14, NULL));

  456.     }

  457.     when = now() - when;

  458.     printf("pre(8,4,14): %5.1fµs\n", when * 1e6 / i);

  459. 	

  460.     when = now();

  461.     for (i=0; i<nbase; i++) {

  462.         scalarmul_fixed_base(&ext, sk, FIELD_BITS, &t_5_5_18);

  463.     }

  464.     when = now() - when;

  465.     printf("com(5,5,18): %5.1fµs\n", when * 1e6 / i);

  466.     

  467.     when = now();

  468.     for (i=0; i<nbase; i++) {

  469.         scalarmul_fixed_base(&ext, sk, FIELD_BITS, &t_3_5_30);

  470.     }

  471.     when = now() - when;

  472.     printf("com(3,5,30): %5.1fµs\n", when * 1e6 / i);

  473. 

  474.     when = now();

  475.     for (i=0; i<nbase; i++) {

  476.         scalarmul_fixed_base(&ext, sk, FIELD_BITS, &t_8_4_14);

  477.     }

  478.     when = now() - when;

  479.     printf("com(8,4,14): %5.1fµs\n", when * 1e6 / i);

  480. 

  481.     when = now();

  482.     for (i=0; i<nbase; i++) {

  483.         scalarmul_fixed_base(&ext, sk, FIELD_BITS, &t_5_3_30);

  484.     }

  485.     when = now() - when;

  486.     printf("com(5,3,30): %5.1fµs\n", when * 1e6 / i);

  487. 

  488.     when = now();

  489.     for (i=0; i<nbase; i++) {

  490.         scalarmul_fixed_base(&ext, sk, FIELD_BITS, &t_15_3_10);

  491.     }

  492.     when = now() - when;

  493.     printf("com(15,3,10):%5.1fµs\n", when * 1e6 / i);

  494.     

  495.     printf("\nGoldilocks:\n");

  496.     

  497.     int res = goldilocks_init();

  498.     assert(!res);

  499.     

  500.     struct goldilocks_public_key_t gpk,hpk;

  501.     struct goldilocks_private_key_t gsk,hsk;

  502.     

  503.     when = now();

  504.     for (i=0; i<nbase; i++) {

  505.         if (i&1) {

  506.             res = goldilocks_keygen(&gsk,&gpk);

  507.         } else {

  508.             res = goldilocks_keygen(&hsk,&hpk);

  509.         }

  510.         assert(!res);

  511.     }

  512.     when = now() - when;

  513.     printf("keygen:      %5.1fµs\n", when * 1e6 / i);

  514.     

  515.     uint8_t ss1[64],ss2[64];

  516.     int gres1=0,gres2=0;

  517.     when = now();

  518.     for (i=0; i<nbase; i++) {

  519.         if (i&1) {

  520.             gres1 = goldilocks_shared_secret(ss1,&gsk,&hpk);

  521.         } else {

  522.             gres2 = goldilocks_shared_secret(ss2,&hsk,&gpk);

  523.         }

  524.     }

  525.     when = now() - when;

  526.     printf("ecdh:        %5.1fµs\n", when * 1e6 / i);

  527.     if (gres1 || gres2 || memcmp(ss1,ss2,64)) {

  528.         printf("[FAIL] %d %d\n",gres1,gres2);

  529.         

  530.         printf("sk1 = ");

  531.         for (i=0; i<SCALAR_BYTES; i++) {

  532.             printf("%02x", gsk.opaque[i]);

  533.         }

  534.         printf("\nsk2 = ");

  535.         for (i=0; i<SCALAR_BYTES; i++) {

  536.             printf("%02x", hsk.opaque[i]);

  537.         }

  538.         printf("\nss1 = ");

  539.         for (i=0; i<FIELD_BYTES; i++) {

  540.             printf("%02x", ss1[i]);

  541.         }

  542.         printf("\nss2 = ");

  543.         for (i=0; i<FIELD_BYTES; i++) {

  544.             printf("%02x", ss2[i]);

  545.         }

  546.         printf("\n");

  547.     }

  548.     

  549.     uint8_t sout[FIELD_BYTES*2];

  550.     const char *message = "hello world";

  551.     size_t message_len = strlen(message);

  552.     when = now();

  553.     for (i=0; i<nbase; i++) {

  554.         res = goldilocks_sign(sout,(const unsigned char *)message,message_len,&gsk);

  555.         (void)res;

  556.         assert(!res);

  557.     }

  558.     when = now() - when;

  559.     printf("sign:        %5.1fµs\n", when * 1e6 / i);

  560.     

  561.     when = now();

  562.     for (i=0; i<nbase; i++) {

  563.         int ver = goldilocks_verify(sout,(const unsigned char *)message,message_len,&gpk);

  564.         (void)ver;

  565.         assert(!ver);

  566.     }

  567.     when = now() - when;

  568.     printf("verify:      %5.1fµs\n", when * 1e6 / i);

  569.     

  570.     struct goldilocks_precomputed_public_key_t *pre = NULL;

  571.     when = now();

  572.     for (i=0; i<nbase; i++) {

  573.         goldilocks_destroy_precomputed_public_key(pre);

  574.         pre = goldilocks_precompute_public_key(&gpk);

  575.     }

  576.     when = now() - when;

  577.     printf("precompute:  %5.1fµs\n", when * 1e6 / i);

  578.     

  579.     when = now();

  580.     for (i=0; i<nbase; i++) {

  581.         int ver = goldilocks_verify_precomputed(sout,(const unsigned char *)message,message_len,pre);

  582.         (void)ver;

  583.         assert(!ver);

  584.     }

  585.     when = now() - when;

  586.     printf("verify pre:  %5.1fµs\n", when * 1e6 / i);

  587.     

  588.     when = now();

  589.     for (i=0; i<nbase; i++) {

  590.         int ret = goldilocks_shared_secret_precomputed(ss1,&gsk,pre);

  591.         (void)ret;

  592.         assert(!ret);

  593.     }

  594.     when = now() - when;

  595.     printf("ecdh pre:    %5.1fµs\n", when * 1e6 / i);

  596.     

  597.     printf("\nTesting...\n");

  598.     

  599.     

  600.     int failures=0, successes = 0;

  601.     for (i=0; i<nbase/10; i++) {

  602.         ignore_result(goldilocks_keygen(&gsk,&gpk));

  603.         goldilocks_sign(sout,(const unsigned char *)message,message_len,&gsk);

  604.         res = goldilocks_verify(sout,(const unsigned char *)message,message_len,&gpk);

  605.         if (res) failures++;

  606.     }

  607.     if (failures) {

  608.         printf("FAIL %d/%d signature checks!\n", failures, i);

  609.     }

  610.     

  611.     failures=0; successes = 0;

  612.     for (i=0; i<nbase/10; i++) {

  613.         field_randomize(&crand, &a);

  614. 		word_t two = 2;

  615.         mask_t good = montgomery_ladder(&b,&a,&two,2,0);

  616. 		if (!good) continue;

  617. 		

  618. 		word_t x,y;

  619.         crandom_generate(&crand, (unsigned char *)&x, sizeof(x));

  620.         crandom_generate(&crand, (unsigned char *)&y, sizeof(y));

  621.         x = (hword_t)x;

  622.         y = (hword_t)y;

  623.         word_t z=x*y;

  624.         

  625.     	ignore_result(montgomery_ladder(&b,&a,&x,WORD_BITS,0));

  626.         ignore_result(montgomery_ladder(&c,&b,&y,WORD_BITS,0));

  627.         ignore_result(montgomery_ladder(&b,&a,&z,WORD_BITS,0));

  628.         

  629.         field_sub(&d,&b,&c);

  630.         field_bias(&d,2);

  631. 		if (!field_is_zero(&d)) {

  632.             printf("Odd ladder validation failure %d!\n", ++failures);

  633.             field_print("a", &a);

  634.             printf("x=%"PRIxWORD", y=%"PRIxWORD", z=%"PRIxWORD"\n", x,y,z);

  635.             field_print("c", &c);

  636.             field_print("b", &b);

  637. 			printf("\n");

  638. 		}

  639. 	}

  640.     

  641.     failures = 0;

  642.     for (i=0; i<nbase/10; i++) {

  643.         mask_t good;

  644.         do {

  645.             field_randomize(&crand, &a);

  646.             good = deserialize_affine(&affine, &a);

  647.         } while (!good);

  648.         

  649.         convert_affine_to_extensible(&exta,&affine);

  650.         twist_and_double(&ext,&exta);

  651.         untwist_and_double(&exta,&ext);

  652.         serialize_extensible(&b, &exta);

  653.         untwist_and_double_and_serialize(&c, &ext);

  654.         

  655.         field_sub(&d,&b,&c);

  656.         field_bias(&d,2);

  657.         

  658.         if (good && !field_is_zero(&d)){

  659.             printf("Iso+serial validation failure %d!\n", ++failures);

  660.             field_print("a", &a);

  661.             field_print("b", &b);

  662.             field_print("c", &c);

  663.             printf("\n");

  664.         } else if (good) {

  665.             successes ++;

  666.         }

  667.     }

  668.     if (successes < i/3) {

  669.         printf("Iso+serial variation: only %d/%d successful.\n", successes, i);

  670.     }

  671.     

  672.     successes = failures = 0;

  673.     for (i=0; i<nbase/10; i++) {

  674.         struct field_t aa;

  675.         struct tw_extensible_t exu,exv,exw;

  676.         

  677.         mask_t good;

  678.         do {

  679.             field_randomize(&crand, &a);

  680.             good = deserialize_affine(&affine, &a);

  681.             convert_affine_to_extensible(&exta,&affine);

  682.             twist_and_double(&ext,&exta);

  683.         } while (!good);

  684.         do {

  685.             field_randomize(&crand, &aa);

  686.             good = deserialize_affine(&affine, &aa);

  687.             convert_affine_to_extensible(&exta,&affine);

  688.             twist_and_double(&exu,&exta);

  689.         } while (!good);

  690.         field_randomize(&crand, &aa);

  691.         

  692.         q448_randomize(&crand, sk);

  693. 		if (i==0 || i==2) memset(&sk, 0, sizeof(sk));

  694.         q448_randomize(&crand, tk);

  695. 		if (i==0 || i==1) memset(&tk, 0, sizeof(tk));

  696.         

  697.         copy_tw_extensible(&exv, &ext);

  698.         copy_tw_extensible(&exw, &exu);

  699.         scalarmul(&exv,sk);

  700.         scalarmul(&exw,tk);

  701.         convert_tw_extensible_to_tw_pniels(&pniels, &exw);

  702.         add_tw_pniels_to_tw_extensible(&exv,&pniels);

  703.         untwist_and_double(&exta,&exv);

  704.         serialize_extensible(&b, &exta);

  705. 

  706.         ignore_result(precompute_fixed_base_wnaf(wnaft,&exu,5));

  707.         linear_combo_var_fixed_vt(&ext,sk,FIELD_BITS,tk,FIELD_BITS,wnaft,5);

  708.         untwist_and_double(&exta,&exv);

  709.         serialize_extensible(&c, &exta);

  710.         

  711.         field_sub(&d,&b,&c);

  712.         field_bias(&d,2);

  713.         

  714.         if (!field_is_zero(&d)){

  715.             printf("PreWNAF combo validation failure %d!\n", ++failures);

  716.             field_print("a", &a);

  717.             field_print("A", &aa);

  718.             q448_print("s", sk);

  719.             q448_print("t", tk);

  720.             field_print("c", &c);

  721.             field_print("b", &b);

  722.             printf("\n\n");

  723.         } else if (good) {

  724.             successes ++;

  725.         }

  726.     }

  727.     if (successes < i) {

  728.         printf("PreWNAF combo variation: only %d/%d successful.\n", successes, i);

  729.     }

  730.     

  731.     return 0;

  732. }