jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
30 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: b4ce20d667
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'b4ce20d667'
${ noResults }
ed448goldilocks/test/test_scalarmul.c

397 lines
12 KiB
Raw Blame History 

  1. #include "test.h"

  2. 

  3. #include <stdio.h>

  4. 

  5. #include "scalarmul.h"

  6. #include "ec_point.h"

  7. #include "field.h"

  8. #include "crandom.h"

  9. 

  10. #define STRIDE 7

  11. 

  12. /* 0 = succeed, 1 = inval, -1 = fail */

  13. static int

  14. single_scalarmul_compatibility_test (

  15.     const struct field_t *base,

  16.     const word_t *scalar,

  17.     int nbits

  18. ) {

  19.     struct tw_extensible_t text, work;

  20.     struct field_t mont, ct, vl, vt;

  21.     

  22.     int ret = 0, i;

  23.     mask_t succ, succm;

  24.     

  25.     succ = deserialize_and_twist_approx(&text, &sqrt_d_minus_1, base);

  26.     

  27.     succm = montgomery_ladder(&mont,base,scalar,nbits,1);

  28.     

  29.     if (succ != succm) {

  30.         youfail();

  31.         printf("    Deserialize_and_twist_approx succ=%d, montgomery_ladder succ=%d\n",

  32.             (int)-succ, (int)-succm);

  33.         printf("    nbits = %d\n", nbits);

  34.         field_print("    base", base);

  35.         scalar_print("    scal", scalar, (nbits+WORD_BITS-1)/WORD_BITS);

  36.         return -1;

  37.     }

  38.     

  39.     if (!succ) {

  40.         return 1;

  41.     }

  42.     

  43.     struct { int n,t,s; } params[] = {{5,5,18},{3,5,30},{4,4,28},{1,2,224}}; // FIELD_MAGIC

  44.     const int nparams = sizeof(params)/sizeof(params[0]);

  45.     struct fixed_base_table_t fbt;

  46.     const int nsizes = 6;

  47.     struct field_t fbout[nparams], wout[nsizes];

  48.     memset(&fbt, 0, sizeof(fbt));

  49.     memset(&fbout, 0, sizeof(fbout));

  50.     memset(&wout, 0, sizeof(wout));

  51.         

  52.     /* compute using combs */

  53.     for (i=0; i<nparams; i++) {

  54.         int n=params[i].n, t=params[i].t, s=params[i].s;

  55.         succ = precompute_fixed_base(&fbt, &text, n, t, s, NULL);

  56.         if (!succ) {

  57.             youfail();

  58.             printf("    Failed to precompute_fixed_base(%d,%d,%d)\n", n, t, s);

  59.             continue;

  60.         }

  61.         

  62.         succ = scalarmul_fixed_base(&work, scalar, nbits, &fbt);

  63.         destroy_fixed_base(&fbt);

  64.         if (!succ) {

  65.             youfail();

  66.             printf("    Failed to scalarmul_fixed_base(%d,%d,%d)\n", n, t, s);

  67.             continue;

  68.         }

  69.         

  70.         untwist_and_double_and_serialize(&fbout[i], &work);

  71.     }

  72.     

  73.     /* compute using precomp wNAF */

  74.     for (i=0; i<nsizes; i++) {

  75.         struct tw_niels_t pre[1<<i];

  76.         

  77.         succ = precompute_fixed_base_wnaf(pre, &text, i);

  78.         if (!succ) {

  79.             youfail();

  80.             printf("    Failed to precompute_fixed_base_wnaf(%d)\n", i);

  81.             continue;

  82.         }

  83.         

  84.         scalarmul_fixed_base_wnaf_vt(&work, scalar, nbits, pre, i);

  85.         

  86.         untwist_and_double_and_serialize(&wout[i], &work);

  87.     }

  88.     

  89.     mask_t consistent = MASK_SUCCESS;

  90.     

  91.     if (nbits == FIELD_BITS) {

  92.         /* window methods currently only work on FIELD_BITS bits. */

  93.         copy_tw_extensible(&work, &text);

  94.         scalarmul(&work, scalar);

  95.         untwist_and_double_and_serialize(&ct, &work);

  96.         

  97.         copy_tw_extensible(&work, &text);

  98.         scalarmul_vlook(&work, scalar);

  99.         untwist_and_double_and_serialize(&vl, &work);

  100.         

  101.         copy_tw_extensible(&work, &text);

  102.         scalarmul_vt(&work, scalar, nbits);

  103.         untwist_and_double_and_serialize(&vt, &work);

  104.         

  105.     

  106.         /* check consistency mont vs window */

  107.         consistent &= field_eq(&mont, &ct);

  108.         consistent &= field_eq(&mont, &vl);

  109.         consistent &= field_eq(&mont, &vt);

  110.     }

  111.     

  112.     /* check consistency mont vs combs */

  113.     for (i=0; i<nparams; i++) {

  114.         consistent &= field_eq(&mont,&fbout[i]);

  115.     }

  116.     

  117.     /* check consistency mont vs wNAF */

  118.     for (i=0; i<nsizes; i++) {

  119.         consistent &= field_eq(&mont,&wout[i]);

  120.     }

  121.     

  122.     /* If inconsistent, complain. */

  123.     if (!consistent) {

  124.         youfail();

  125.         printf("    Failed scalarmul consistency test with nbits=%d.\n",nbits);

  126.         field_print("    base", base);

  127.         scalar_print("    scal", scalar, (nbits+WORD_BITS-1)/WORD_BITS);

  128.         field_print("    mont", &mont);

  129.         

  130.         for (i=0; i<nparams; i++) {

  131.             printf("    With n=%d, t=%d, s=%d:\n", params[i].n, params[i].t, params[i].s);

  132.             field_print("    out ", &fbout[i]);

  133.         }

  134.         

  135.         for (i=0; i<nsizes; i++) {

  136.             printf("    With w=%d:\n",i);

  137.             field_print("    wNAF", &wout[i]);

  138.         }

  139.         

  140.     

  141.         if (nbits == FIELD_BITS) {

  142.             field_print("    ct ", &ct);

  143.             field_print("    vl ", &vl);

  144.             field_print("    vt ", &vt);

  145.         }

  146.         

  147.         ret = -1;

  148.     }

  149.     

  150.     return ret;

  151. }

  152. 

  153. static int

  154. single_linear_combo_test (

  155.     const struct field_t *base1,

  156.     const word_t *scalar1,

  157.     int nbits1,

  158.     const struct field_t *base2,

  159.     const word_t *scalar2,

  160.     int nbits2

  161. ) { 

  162.     struct tw_extensible_t text1, text2, working;

  163.     struct tw_pniels_t pn;

  164.     struct field_t result_comb, result_combo, result_wnaf;

  165.     

  166.     mask_t succ = 

  167.         deserialize_and_twist_approx(&text1, &sqrt_d_minus_1, base1)

  168.       & deserialize_and_twist_approx(&text2, &sqrt_d_minus_1, base2);

  169.     if (!succ) return 1;

  170.     

  171.     struct fixed_base_table_t t1, t2;

  172.     struct tw_niels_t wnaf[32];

  173.     memset(&t1,0,sizeof(t1));

  174.     memset(&t2,0,sizeof(t2));

  175.     

  176.     succ = precompute_fixed_base(&t1, &text1, 5, 5, 18, NULL); // FIELD_MAGIC

  177.     succ &= precompute_fixed_base(&t2, &text2, 6, 3, 25, NULL); // FIELD_MAGIC

  178.     succ &= precompute_fixed_base_wnaf(wnaf, &text2, 5);

  179.     

  180.     if (!succ) {

  181.         destroy_fixed_base(&t1);

  182.         destroy_fixed_base(&t2);

  183.         return -1;

  184.     }

  185.     

  186.     /* use the dedicated wNAF linear combo algorithm */

  187.     copy_tw_extensible(&working, &text1);

  188.     linear_combo_var_fixed_vt(&working, scalar1, nbits1, scalar2, nbits2, wnaf, 5);

  189.     untwist_and_double_and_serialize(&result_wnaf, &working);

  190.     

  191.     /* use the dedicated combs algorithm */

  192.     succ &= linear_combo_combs_vt(&working, scalar1, nbits1, &t1, scalar2, nbits2, &t2);

  193.     untwist_and_double_and_serialize(&result_combo, &working);

  194.     

  195.     /* use two combs */

  196.     succ &= scalarmul_fixed_base(&working, scalar1, nbits1, &t1);

  197.     convert_tw_extensible_to_tw_pniels(&pn, &working);

  198.     succ &= scalarmul_fixed_base(&working, scalar2, nbits2, &t2);

  199.     add_tw_pniels_to_tw_extensible(&working, &pn);

  200.     untwist_and_double_and_serialize(&result_comb, &working);

  201.     

  202.     mask_t consistent = MASK_SUCCESS;

  203.     consistent &= field_eq(&result_combo, &result_wnaf);

  204.     consistent &= field_eq(&result_comb,  &result_wnaf);

  205.     

  206.     if (!succ || !consistent) {

  207.         youfail();

  208.         printf("    Failed linear combo consistency test with nbits=%d,%d.\n",nbits1,nbits2);

  209. 

  210.         field_print("    base1", base1);

  211.         scalar_print("    scal1", scalar1, (nbits1+WORD_BITS-1)/WORD_BITS);

  212.         field_print("    base2", base2);

  213.         scalar_print("    scal2", scalar2, (nbits1+WORD_BITS-1)/WORD_BITS);

  214.         field_print("    combs", &result_comb);

  215.         field_print("    combo", &result_combo);

  216.         field_print("    wNAFs", &result_wnaf);

  217.         return -1;

  218.     }

  219.     

  220.     destroy_fixed_base(&t1);

  221.     destroy_fixed_base(&t2);

  222.     

  223.     return 0;

  224. }

  225. 

  226. /* 0 = succeed, 1 = inval, -1 = fail */

  227. static int

  228. single_scalarmul_commutativity_test (

  229.     const struct field_t *base,

  230.     const word_t *scalar1,

  231.     int nbits1,

  232.     int ned1,

  233.     const word_t *scalar2,

  234.     int nbits2,

  235.     int ned2

  236. ) {

  237.     struct field_t m12, m21, tmp1, tmp2;

  238.     mask_t succ12a = montgomery_ladder(&tmp1,base,scalar1,nbits1,ned1);

  239.     mask_t succ12b = montgomery_ladder(&m12,&tmp1,scalar2,nbits2,ned2);

  240.     

  241.     mask_t succ21a = montgomery_ladder(&tmp2,base,scalar2,nbits2,ned2);

  242.     mask_t succ21b = montgomery_ladder(&m21,&tmp2,scalar1,nbits1,ned1);

  243.     

  244.     mask_t succ12 = succ12a & succ12b, succ21 = succ21a & succ21b;

  245.     

  246.     if (succ12 != succ21) {

  247.         youfail();

  248.         printf("    Failed scalarmul commutativity test with (nbits,ned) = (%d,%d), (%d,%d).\n",

  249.             nbits1,ned1,nbits2,ned2);

  250.         field_print("    base", base);

  251.         field_print("    tmp1", &tmp1);

  252.         field_print("    tmp2", &tmp2);

  253.         scalar_print("    sca1", scalar1, (nbits1+WORD_BITS-1)/WORD_BITS);

  254.         scalar_print("    sca2", scalar2, (nbits1+WORD_BITS-1)/WORD_BITS);

  255.         printf("    good = ((%d,%d),(%d,%d))\n", (int)-succ12a,

  256.             (int)-succ12b, (int)-succ21a, (int)-succ21b);

  257.         return -1;

  258.     } else if (!succ12) {

  259.         // printf("    (nbits,ned) = (%d,%d), (%d,%d).\n", nbits1,ned1,nbits2,ned2);

  260.         // printf("    succ = (%d,%d), (%d,%d).\n", (int)-succ12a, (int)-succ12b, (int)-succ21a, (int)-succ21b);

  261.         return 1;

  262.     }

  263.     

  264.     mask_t consistent = field_eq(&m12,&m21);

  265.     if (consistent) {

  266.         return 0;

  267.     } else {

  268.         youfail();

  269.         printf("    Failed scalarmul commutativity test with (nbits,ned) = (%d,%d), (%d,%d).\n",

  270.             nbits1,ned1,nbits2,ned2);

  271.         field_print("    base", base);

  272.         scalar_print("    sca1", scalar1, (nbits1+WORD_BITS-1)/WORD_BITS);

  273.         scalar_print("    sca2", scalar2, (nbits1+WORD_BITS-1)/WORD_BITS);

  274.         field_print("    m12 ", &m12);

  275.         field_print("    m21 ", &m21);

  276.         return -1;

  277.     }

  278. }

  279. 

  280. int test_scalarmul_commutativity (void) {

  281.     int i,j,k,got;

  282.     

  283.     struct crandom_state_t crand;

  284.     crandom_init_from_buffer(&crand, "scalarmul_commutativity_test RNG");

  285.     

  286.     for (i=0; i<=FIELD_BITS; i+=STRIDE) {

  287.         for (j=0; j<=FIELD_BITS; j+=STRIDE) {

  288.             got = 0;

  289.             

  290.             for (k=0; k<128 && !got; k++) {

  291.                 uint8_t ser[FIELD_BYTES];

  292.                 word_t scalar1[SCALAR_WORDS], scalar2[SCALAR_WORDS];

  293.                 crandom_generate(&crand, ser, sizeof(ser));

  294.                 crandom_generate(&crand, (uint8_t *)scalar1, sizeof(scalar1));

  295.                 crandom_generate(&crand, (uint8_t *)scalar2, sizeof(scalar2));

  296.             

  297.                 field_t base;

  298.                 mask_t succ = field_deserialize(&base, ser);

  299.                 if (!succ) continue;

  300.             

  301.                 int ret = single_scalarmul_commutativity_test (&base, scalar1, i, i%3, scalar2, j, j%3);

  302.                 got = !ret;

  303.                 if (ret == -1) return -1;

  304.             }

  305. 

  306.             if (!got) {

  307.                 youfail();

  308.                 printf("    Unlikely: rejected 128 scalars in a row.\n");

  309.                 return -1;

  310.             }

  311.             

  312.         }

  313.     }

  314.     

  315.     return 0;

  316. }

  317. 

  318. int test_linear_combo (void) {

  319.     int i,j,k,got;

  320.     

  321.     struct crandom_state_t crand;

  322.     crandom_init_from_buffer(&crand, "scalarmul_linear_combos_test RNG");

  323.     

  324.     for (i=0; i<=FIELD_BITS; i+=STRIDE) {

  325.         for (j=0; j<=FIELD_BITS; j+=STRIDE) {

  326.             got = 0;

  327.             

  328.             for (k=0; k<128 && !got; k++) {

  329.                 uint8_t ser[FIELD_BYTES];

  330.                 word_t scalar1[SCALAR_WORDS], scalar2[SCALAR_WORDS];

  331.                 crandom_generate(&crand, (uint8_t *)scalar1, sizeof(scalar1));

  332.                 crandom_generate(&crand, (uint8_t *)scalar2, sizeof(scalar2));

  333.             

  334.                 field_t base1;

  335.                 crandom_generate(&crand, ser, sizeof(ser));

  336.                 mask_t succ = field_deserialize(&base1, ser);

  337.                 if (!succ) continue;

  338.                 

  339.                 field_t base2;

  340.                 crandom_generate(&crand, ser, sizeof(ser));

  341.                 succ = field_deserialize(&base2, ser);

  342.                 if (!succ) continue;

  343.             

  344.                 int ret = single_linear_combo_test (&base1, scalar1, i, &base2, scalar2, j);

  345.                 got = !ret;

  346.                 if (ret == -1) return -1;

  347.             }

  348. 

  349.             if (!got) {

  350.                 youfail();

  351.                 printf("    Unlikely: rejected 128 scalars in a row.\n");

  352.                 return -1;

  353.             }

  354.             

  355.         }

  356.     }

  357.     

  358.     return 0;

  359. }

  360. 

  361. int test_scalarmul_compatibility (void) {

  362.     int i,j,k,got;

  363.     

  364.     struct crandom_state_t crand;

  365.     crandom_init_from_buffer(&crand, "scalarmul_compatibility_test RNG");

  366.     

  367.     for (i=0; i<=FIELD_BITS; i+=STRIDE) {

  368.         for (j=0; j<=20; j++) {

  369.             got = 0;

  370.             

  371.             for (k=0; k<128 && !got; k++) {

  372.                 uint8_t ser[FIELD_BYTES];

  373.                 word_t scalar[SCALAR_WORDS];

  374.                 crandom_generate(&crand, ser, sizeof(ser));

  375.                 crandom_generate(&crand, (uint8_t *)scalar, sizeof(scalar));

  376.             

  377.                 field_t base;

  378.                 mask_t succ = field_deserialize(&base, ser);

  379.                 if (!succ) continue;

  380.             

  381.                 int ret = single_scalarmul_compatibility_test (&base, scalar, i);

  382.                 got = !ret;

  383.                 if (ret == -1) return -1;

  384.             }

  385. 

  386.             if (!got) {

  387.                 youfail();

  388.                 printf("    Unlikely: rejected 128 scalars in a row.\n");

  389.                 return -1;

  390.             }

  391.             

  392.         }

  393.     }

  394.     

  395.     return 0;

  396. }