jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
561 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: c3917f27cb
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'c3917f27cb'
${ noResults }
ed448goldilocks/test/test_decaf.cxx

842 lines
28 KiB
Raw Blame History 

  1. /**

  2.  * @file test_decaf.cxx

  3.  * @author Mike Hamburg

  4.  *

  5.  * @copyright

  6.  *   Copyright (c) 2015 Cryptography Research, Inc.  \n

  7.  *   Released under the MIT License.  See LICENSE.txt for license information.

  8.  *

  9.  * @brief C++ tests, because that's easier.

  10.  */

  11. 

  12. #include <decaf.hxx>

  13. #include <decaf/spongerng.hxx>

  14. #include <decaf/eddsa.hxx>

  15. #include <decaf/shake.hxx>

  16. #include <stdio.h>

  17. 

  18. using namespace decaf;

  19. 

  20. static bool passing = true;

  21. static const long NTESTS = 10000;

  22. 

  23. #include "ristretto_vectors.inc.cxx"

  24. 

  25. class Test {

  26. public:

  27.     bool passing_now;

  28.     Test(const char *test) {

  29.         passing_now = true;

  30.         printf("%s...", test);

  31.         if (strlen(test) < 27) printf("%*s",int(27-strlen(test)),"");

  32.         fflush(stdout);

  33.     }

  34.     ~Test() {

  35.         if (std::uncaught_exception()) {

  36.             fail();

  37.             printf("  due to uncaught exception.\n");

  38.         }

  39.         if (passing_now) printf("[PASS]\n");

  40.     }

  41.     void fail() {

  42.         if (!passing_now) return;

  43.         passing_now = passing = false;

  44.         printf("[FAIL]\n");

  45.     }

  46. };

  47. 

  48. static uint64_t leint(const SecureBuffer &xx) {

  49.     uint64_t out = 0;

  50.     for (unsigned int i=0; i<xx.size() && i<sizeof(out); i++) {

  51.         out |= uint64_t(xx[i]) << (8*i);

  52.     }

  53.     return out;

  54. }

  55. 

  56. template<typename Group> struct Tests {

  57. 

  58. typedef typename Group::Scalar Scalar;

  59. typedef typename Group::Point Point;

  60. typedef typename Group::DhLadder DhLadder;

  61. typedef typename Group::Precomputed Precomputed;

  62. 

  63. static void print(const char *name, const Scalar &x) {

  64.     unsigned char buffer[Scalar::SER_BYTES];

  65.     x.serialize_into(buffer);

  66.     printf("  %s = 0x", name);

  67.     for (int i=sizeof(buffer)-1; i>=0; i--) {

  68.         printf("%02x", buffer[i]);

  69.     }

  70.     printf("\n");

  71. }

  72. 

  73. static void hexprint(const char *name, const SecureBuffer &buffer) {

  74.     printf("  %s = 0x", name);

  75.     for (int i=buffer.size()-1; i>=0; i--) {

  76.         printf("%02x", buffer[i]);

  77.     }

  78.     printf("\n");

  79. }

  80. 

  81. static void print(const char *name, const Point &x) {

  82.     unsigned char buffer[Point::SER_BYTES];

  83.     x.serialize_into(buffer);

  84.     printf("  %s = 0x", name);

  85.     for (int i=Point::SER_BYTES-1; i>=0; i--) {

  86.         printf("%02x", buffer[i]);

  87.     }

  88.     printf("\n");

  89. }

  90. 

  91. static bool arith_check(

  92.     Test &test,

  93.     const Scalar &x,

  94.     const Scalar &y,

  95.     const Scalar &z,

  96.     const Scalar &l,

  97.     const Scalar &r,

  98.     const char *name

  99. ) {

  100.     if (l == r) return true;

  101.     test.fail();

  102.     printf("  %s", name);

  103.     print("x", x);

  104.     print("y", y);

  105.     print("z", z);

  106.     print("lhs", l);

  107.     print("rhs", r);

  108.     return false;

  109. }

  110. 

  111. static bool point_check(

  112.     Test &test,

  113.     const Point &p,

  114.     const Point &q,

  115.     const Point &R,

  116.     const Scalar &x,

  117.     const Scalar &y,

  118.     const Point &l,

  119.     const Point &r,

  120.     const char *name

  121. ) {

  122.     bool good = l==r;

  123.     if (!p.validate()) { good = false; printf("  p invalid\n"); }

  124.     if (!q.validate()) { good = false; printf("  q invalid\n"); }

  125.     if (!r.validate()) { good = false; printf("  r invalid\n"); }

  126.     if (!l.validate()) { good = false; printf("  l invalid\n"); }

  127.     if (good) return true;

  128.     

  129.     test.fail();

  130.     printf("  %s", name);

  131.     print("x", x);

  132.     print("y", y);

  133.     print("p", p);

  134.     print("q", q);

  135.     print("r", R);

  136.     print("lhs", r);

  137.     print("rhs", l);

  138.     return false;

  139. }

  140. 

  141. static void test_arithmetic() {

  142.     SpongeRng rng(Block("test_arithmetic"),SpongeRng::DETERMINISTIC);

  143.     

  144.     Test test("Arithmetic");

  145.     Scalar x(0),y(0),z(0);

  146.     arith_check(test,x,y,z,INT_MAX,(decaf_word_t)INT_MAX,"cast from max");

  147.     arith_check(test,x,y,z,INT_MIN,-Scalar(1+(decaf_word_t)INT_MAX),"cast from min");

  148.         

  149.     for (int i=0; i<NTESTS*10 && test.passing_now; i++) {

  150.         size_t sob = i % (2*Group::Scalar::SER_BYTES);

  151.         

  152.         SecureBuffer xx = rng.read(sob), yy = rng.read(sob), zz = rng.read(sob);

  153.         

  154.         Scalar x(xx);

  155.         Scalar y(yy);

  156.         Scalar z(zz);

  157. 

  158.         arith_check(test,x,y,z,x+y,y+x,"commute add");

  159.         arith_check(test,x,y,z,x,x+0,"ident add");

  160.         arith_check(test,x,y,z,x,x-0,"ident sub");

  161.         arith_check(test,x,y,z,x+-x,0,"inverse add");

  162.         arith_check(test,x,y,z,x-x,0,"inverse sub");

  163.         arith_check(test,x,y,z,x-(x+1),-1,"inverse add2");

  164.         arith_check(test,x,y,z,x+(y+z),(x+y)+z,"assoc add");

  165.         arith_check(test,x,y,z,x*(y+z),x*y + x*z,"distributive mul/add");

  166.         arith_check(test,x,y,z,x*(y-z),x*y - x*z,"distributive mul/add");

  167.         arith_check(test,x,y,z,x*(y*z),(x*y)*z,"assoc mul");

  168.         arith_check(test,x,y,z,x*y,y*x,"commute mul");

  169.         arith_check(test,x,y,z,x,x*1,"ident mul");

  170.         arith_check(test,x,y,z,0,x*0,"mul by 0");

  171.         arith_check(test,x,y,z,-x,x*-1,"mul by -1");

  172.         arith_check(test,x,y,z,x+x,x*2,"mul by 2");

  173.         arith_check(test,x,y,z,-(x*y),(-x)*y,"neg prop mul");

  174.         arith_check(test,x,y,z,x*y,(-x)*(-y),"double neg prop mul");

  175.         arith_check(test,x,y,z,-(x+y),(-x)+(-y),"neg prop add");

  176.         arith_check(test,x,y,z,x-y,(x)+(-y),"add neg sub");

  177.         arith_check(test,x,y,z,(-x)-y,-(x+y),"neg add");

  178.         

  179.         if (sob <= 4) {

  180.             uint64_t xi = leint(xx), yi = leint(yy);

  181.             arith_check(test,x,y,z,x,xi,"parse consistency");

  182.             arith_check(test,x,y,z,x+y,xi+yi,"add consistency");

  183.             arith_check(test,x,y,z,x*y,xi*yi,"mul consistency");

  184.         }

  185.         

  186.         if (i%20) continue;

  187.         if (y!=0) arith_check(test,x,y,z,x*y/y,x,"invert");

  188.         try {

  189.             y = x/0;

  190.             test.fail();

  191.             printf("  Inverted zero!");

  192.             print("x", x);

  193.             print("y", y);

  194.         } catch(CryptoException&) {}

  195.     }

  196. }

  197. 

  198. static const Block sqrt_minus_one;

  199. static const Block minus_sqrt_minus_one;

  200. static const Block elli_patho; /* sqrt(1/(u(1-d))) */

  201. 

  202. static void test_elligator() {

  203.     SpongeRng rng(Block("test_elligator"),SpongeRng::DETERMINISTIC);

  204.     Test test("Elligator");

  205.     

  206.     const int NHINTS = 1<<Point::INVERT_ELLIGATOR_WHICH_BITS;

  207.     SecureBuffer *alts[NHINTS];

  208.     bool successes[NHINTS];

  209.     SecureBuffer *alts2[NHINTS];

  210.     bool successes2[NHINTS];

  211. 

  212.     for (unsigned int i=0; i<NTESTS/10 && (i<10 || test.passing_now); i++) {

  213.         size_t len =  (i % (2*Point::HASH_BYTES + 3));

  214.         SecureBuffer b1(len);

  215.         if (i!=Point::HASH_BYTES) rng.read(b1); /* special test case */

  216.         

  217.         /* Pathological cases */

  218.         if (i==1) b1[0] = 1;

  219.         if (i==2 && sqrt_minus_one.size()) b1 = sqrt_minus_one;

  220.         if (i==3 && minus_sqrt_minus_one.size()) b1 = minus_sqrt_minus_one;

  221.         if (i==4 && elli_patho.size()) b1 = elli_patho;

  222.         len = b1.size();

  223.         

  224.         Point s = Point::from_hash(b1), ss=s;

  225.         for (unsigned int j=0; j<(i&3); j++) ss = ss.debugging_torque();

  226.         

  227.         ss = ss.debugging_pscale(rng);

  228.         

  229.         bool good = false;

  230.         for (int j=0; j<NHINTS; j++) {

  231.             alts[j] = new SecureBuffer(len);

  232.             alts2[j] = new SecureBuffer(len);

  233. 

  234.             if (len > Point::HASH_BYTES)

  235.                 memcpy(&(*alts[j])[Point::HASH_BYTES], &b1[Point::HASH_BYTES], len-Point::HASH_BYTES);

  236.             

  237.             if (len > Point::HASH_BYTES)

  238.                 memcpy(&(*alts2[j])[Point::HASH_BYTES], &b1[Point::HASH_BYTES], len-Point::HASH_BYTES);

  239.             

  240.             successes[j]  = decaf_successful( s.invert_elligator(*alts[j], j));

  241.             successes2[j] = decaf_successful(ss.invert_elligator(*alts2[j],j));

  242.             

  243.             if (successes[j] != successes2[j]

  244.                 || (successes[j] && successes2[j] && *alts[j] != *alts2[j])

  245.             ) {

  246.                 test.fail();

  247.                 printf("   Unscalable Elligator inversion: i=%d, hint=%d, s=%d,%d\n",i,j,

  248.                     -int(successes[j]),-int(successes2[j]));

  249.                 hexprint("x",b1);

  250.                 hexprint("X",*alts[j]);

  251.                 hexprint("X",*alts2[j]);

  252.             }

  253.            

  254.             if (successes[j]) {

  255.                 good = good || (b1 == *alts[j]);

  256.                 for (int k=0; k<j; k++) {

  257.                     if (successes[k] && *alts[j] == *alts[k]) {

  258.                         test.fail();

  259.                         printf("   Duplicate Elligator inversion: i=%d, hints=%d, %d\n",i,j,k);

  260.                         hexprint("x",b1);

  261.                         hexprint("X",*alts[j]);

  262.                     }

  263.                 }

  264.                 if (s != Point::from_hash(*alts[j])) {

  265.                     test.fail();

  266.                     printf("   Fail Elligator inversion round-trip: i=%d, hint=%d %s\n",i,j,

  267.                         (s==-Point::from_hash(*alts[j])) ? "[output was -input]": "");

  268.                     hexprint("x",b1);

  269.                     hexprint("X",*alts[j]);

  270.                 }

  271.             }

  272.         }

  273.         

  274.         if (!good) {

  275.             test.fail();

  276.             printf("   %s Elligator inversion: i=%d\n",good ? "Passed" : "Failed", i);

  277.             hexprint("B", b1);

  278.             for (int j=0; j<NHINTS; j++) {

  279.                 printf("  %d: %s%s", j, successes[j] ? "succ" : "fail\n", (successes[j] && *alts[j] == b1) ? " [x]" : "");

  280.                 if (successes[j]) {

  281.                     hexprint("b", *alts[j]);

  282.                 }

  283.             }

  284.             printf("\n");

  285.         }

  286.         

  287.         for (int j=0; j<NHINTS; j++) {

  288.             delete alts[j];

  289.             alts[j] = NULL;

  290.             delete alts2[j];

  291.             alts2[j] = NULL;

  292.         }

  293.         

  294.         Point t(rng);

  295.         SecureBuffer bsteg = t.steg_encode(rng);

  296.         if (bsteg[Point::STEG_BYTES-1] == 0 && bsteg[Point::STEG_BYTES-2] == 0 && bsteg[Point::STEG_BYTES-3] == 0) {

  297.             test.fail();

  298.             printf("    Steg is nonuniform (probability of false failure = 2^-24)\n");

  299.             hexprint("    steg buffer:", bsteg);

  300.         }

  301.         point_check(test,t,t,t,0,0,t,Point::from_hash(bsteg),"steg round-trip");

  302.         

  303.         FixedArrayBuffer<Point::HASH_BYTES> b3(rng), b4(b3);

  304.         t = Point::from_hash(b3);

  305.         for (unsigned j=0; j<256; j+=2<<((Group::bits()-1)%8)) {

  306.             b4[Point::HASH_BYTES-1] = b3[Point::HASH_BYTES-1] ^ j;

  307.             Point u = Point::from_hash(b4);

  308.             point_check(test,t,t,t,0,0,t,u,"elligator twiddle high bits");

  309.         }

  310.     }

  311. }

  312. 

  313. static void test_ec() {

  314.     SpongeRng rng(Block("test_ec"),SpongeRng::DETERMINISTIC);

  315.     

  316.     Test test("EC");

  317. 

  318.     Point id = Point::identity(), base = Point::base();

  319.     point_check(test,id,id,id,0,0,Point::from_hash(""),id,"fh0");

  320.     

  321.     unsigned char enc[Point::SER_BYTES] = {0};

  322.     

  323.     if (Group::FIELD_MODULUS_TYPE == 3) {

  324.         /* When p == 3 mod 4, the QNR is -1, so u*1^2 = -1 also produces the

  325.          * identity.

  326.          */

  327.         point_check(test,id,id,id,0,0,Point::from_hash("\x01"),id,"fh1");

  328.     }

  329.     

  330.     point_check(test,id,id,id,0,0,Point(FixedBlock<sizeof(enc)>(enc)),id,"decode [0]");

  331.     try {

  332.         enc[0] = 1;

  333.         Point f((FixedBlock<sizeof(enc)>(enc)));

  334.         test.fail();

  335.         printf("    Allowed deserialize of [1]: %d", f==id);

  336.     } catch (CryptoException&) {

  337.         /* ok */

  338.     }

  339.     

  340.     if (sqrt_minus_one.size()) {

  341.         try {

  342.             Point f(sqrt_minus_one);

  343.             test.fail();

  344.             printf("    Allowed deserialize of [i]: %d", f==id);

  345.         } catch (CryptoException&) {

  346.             /* ok */

  347.         }

  348.     }

  349.     

  350.     if (minus_sqrt_minus_one.size()) {

  351.         try {

  352.             Point f(minus_sqrt_minus_one);

  353.             test.fail();

  354.             printf("    Allowed deserialize of [-i]: %d", f==id);

  355.         } catch (CryptoException&) {

  356.             /* ok */

  357.         }

  358.     }

  359.     

  360.     for (int i=0; i<NTESTS && test.passing_now; i++) {

  361.         Scalar x(rng);

  362.         Scalar y(rng);

  363.         Point p(rng);

  364.         Point q(rng);

  365.         

  366.         Point d1, d2;

  367.         

  368.         SecureBuffer buffer(2*Point::HASH_BYTES);

  369.         rng.read(buffer);

  370.         Point r = Point::from_hash(buffer);

  371.         

  372.         try {

  373.             point_check(test,p,q,r,0,0,p,Point(p.serialize()),"round-trip");

  374.         } catch (CryptoException&) {

  375.             test.fail();

  376.             printf("    Round-trip raised CryptoException!\n");

  377.         }

  378.         Point pp = p.debugging_torque().debugging_pscale(rng);

  379.         if (!memeq(pp.serialize(),p.serialize())) {

  380.             test.fail();

  381.             printf("    Fail torque seq test\n");

  382.         }

  383.         if (!memeq((p-pp).serialize(),id.serialize())) {

  384.             test.fail();

  385.             printf("    Fail torque id test\n");

  386.         }

  387.         if (!memeq((p-p).serialize(),id.serialize())) {

  388.             test.fail();

  389.             printf("    Fail id test\n");

  390.         }

  391.         point_check(test,p,q,r,0,0,p,pp,"torque eq");

  392.         point_check(test,p,q,r,0,0,p+q,q+p,"commute add");

  393.         point_check(test,p,q,r,0,0,(p-q)+q,p,"correct sub");

  394.         point_check(test,p,q,r,0,0,p+(q+r),(p+q)+r,"assoc add");

  395.         point_check(test,p,q,r,0,0,p.times_two(),p+p,"dbl add");

  396.         

  397.         if (i%10) continue;

  398.         point_check(test,p,q,r,0,0,p.times_two(),p*Scalar(2),"add times two");

  399.         point_check(test,p,q,r,x,0,x*(p+q),x*p+x*q,"distr mul");

  400.         point_check(test,p,q,r,x,y,(x*y)*p,x*(y*p),"assoc mul");

  401.         point_check(test,p,q,r,x,y,x*p+y*q,Point::double_scalarmul(x,p,y,q),"double mul");

  402.         

  403.         p.dual_scalarmul(d1,d2,x,y);

  404.         point_check(test,p,q,r,x,y,x*p,d1,"dual mul 1");

  405.         point_check(test,p,q,r,x,y,y*p,d2,"dual mul 2");

  406.         

  407.         point_check(test,base,q,r,x,y,x*base+y*q,q.non_secret_combo_with_base(y,x),"ds vt mul");

  408.         point_check(test,p,q,r,x,0,Precomputed(p)*x,p*x,"precomp mul");

  409.         point_check(test,p,q,r,0,0,r,

  410.             Point::from_hash(Buffer(buffer).slice(0,Point::HASH_BYTES))

  411.             + Point::from_hash(Buffer(buffer).slice(Point::HASH_BYTES,Point::HASH_BYTES)),

  412.             "unih = hash+add"

  413.         );

  414.         

  415.         try {

  416.             point_check(test,p,q,r,x,0,Point(x.direct_scalarmul(p.serialize())),x*p,"direct mul");

  417.         } catch (CryptoException&) {

  418.             printf("    Direct mul raised CryptoException!\n");

  419.             test.fail();

  420.         }

  421.         

  422.         q=p;

  423.         for (int j=1; j<Group::REMOVED_COFACTOR; j<<=1) q = q.times_two();

  424.         decaf_error_t error = r.decode_like_eddsa_and_mul_by_ratio_noexcept(

  425.             p.mul_by_ratio_and_encode_like_eddsa()

  426.         );

  427.         if (error != DECAF_SUCCESS) {

  428.             test.fail();

  429.             printf("    Decode like EdDSA failed.");

  430.         }

  431.         point_check(test,-q,q,r,i,0,q,r,"Encode like EdDSA round-trip");

  432.         

  433.     }

  434. }

  435. 

  436. static const uint8_t rfc7748_1[DhLadder::PUBLIC_BYTES];

  437. static const uint8_t rfc7748_1000[DhLadder::PUBLIC_BYTES];

  438. static const uint8_t rfc7748_1000000[DhLadder::PUBLIC_BYTES];

  439. 

  440. static void test_cfrg_crypto() {

  441.     Test test("CFRG crypto");

  442.     SpongeRng rng(Block("test_cfrg_crypto"),SpongeRng::DETERMINISTIC);

  443.     

  444.     {

  445.         FixedArrayBuffer<DhLadder::PUBLIC_BYTES> base, out;

  446.         FixedArrayBuffer<DhLadder::PRIVATE_BYTES> s1(rng);

  447.         decaf_error_t e = DhLadder::shared_secret_noexcept(out,base,s1);

  448.         if (e != DECAF_FAILURE) {

  449.             test.fail();

  450.             printf("    Multiply by 0 didn't give an error\n");

  451.         }

  452.         if (!out.contents_equal(base)) {

  453.             test.fail();

  454.             printf("    Multiply by 0 didn't give 0\n");

  455.         }

  456.     }

  457.     

  458.     

  459.     

  460.     for (int i=0; i<NTESTS && test.passing_now; i++) {

  461.         

  462.         FixedArrayBuffer<DhLadder::PUBLIC_BYTES> base(rng);

  463.         FixedArrayBuffer<DhLadder::PRIVATE_BYTES> s1(rng), s2(rng);

  464.         

  465.         SecureBuffer p1  = DhLadder::shared_secret(base,s1);

  466.         SecureBuffer p2  = DhLadder::shared_secret(base,s2);

  467.         SecureBuffer ss1 = DhLadder::shared_secret(p2,s1);

  468.         SecureBuffer ss2 = DhLadder::shared_secret(p1,s2);

  469. 

  470.         if (!memeq(ss1,ss2)) {

  471.             test.fail();

  472.             printf("    Shared secrets disagree on iteration %d.\n",i);

  473.         }

  474.         

  475.         p1 = DhLadder::shared_secret(DhLadder::base_point(),s1);

  476.         p2 = DhLadder::derive_public_key(s1);

  477.         if (!memeq(p1,p2)) {

  478.             test.fail();

  479.             printf("    Public keys disagree on iteration %d.\n    Ladder public key: ",i);

  480.             for (unsigned j=0; j<s1.size(); j++) { printf("%02x",p1[j]); }

  481.             printf("\n    Derive public key: ");

  482.             for (unsigned j=0; j<s1.size(); j++) { printf("%02x",p2[j]); }

  483.             printf("\n");

  484.         }

  485.     }

  486. }

  487. 

  488. static const bool eddsa_prehashed[];

  489. static const Block eddsa_sk[], eddsa_pk[], eddsa_message[], eddsa_context[], eddsa_sig[];

  490. static const bool eddsa_verify_should_succeed[];

  491. 

  492. static void test_cfrg_vectors() {

  493.     Test test("CFRG test vectors");

  494.     SecureBuffer k = DhLadder::base_point();

  495.     SecureBuffer u = DhLadder::base_point();

  496.     

  497.     int the_ntests = (NTESTS < 1000000) ? 1000 : 1000000;

  498.     

  499.     /* EdDSA */

  500.     for (unsigned int t=0; t<sizeof(eddsa_sk)/sizeof(eddsa_sk[0]); t++) {

  501.         

  502.         if (eddsa_sk[t].size()) {

  503.             typename EdDSA<Group>::PrivateKey priv(eddsa_sk[t]);

  504.             SecureBuffer eddsa_pk2 = priv.pub().serialize();

  505.             if (!memeq(SecureBuffer(eddsa_pk[t]), eddsa_pk2)) {

  506.                 test.fail();

  507.                 printf("    EdDSA PK vectors #%d disagree.", t);

  508.                 printf("\n    Correct:   ");

  509.                 for (unsigned i=0; i<eddsa_pk[t].size(); i++) printf("%02x", eddsa_pk[t][i]);

  510.                 printf("\n    Incorrect: ");

  511. 

  512.                 for (unsigned i=0; i<eddsa_pk2.size(); i++) printf("%02x", eddsa_pk2[i]);

  513.                 printf("\n");

  514.             }

  515.             SecureBuffer sig;

  516.         

  517.             if (eddsa_prehashed[t]) {

  518.                 typename EdDSA<Group>::PrivateKeyPh priv2(eddsa_sk[t]); 

  519.                 sig = priv2.sign_with_prehash(eddsa_message[t],eddsa_context[t]);

  520.             } else {

  521.                 sig = priv.sign(eddsa_message[t],eddsa_context[t]);

  522.             }

  523. 

  524.             if (!memeq(SecureBuffer(eddsa_sig[t]),sig)) {

  525.                 test.fail();

  526.                 printf("    EdDSA sig vectors #%d disagree.", t);

  527.                 printf("\n    Correct:   ");

  528.                 for (unsigned i=0; i<eddsa_sig[t].size(); i++) printf("%02x", eddsa_sig[t][i]);

  529.                 printf("\n    Incorrect: ");

  530. 

  531.                 for (unsigned i=0; i<sig.size(); i++) printf("%02x", sig[i]);

  532.                 printf("\n");

  533.             }

  534.         }

  535.         

  536.         bool verified;

  537.         try {

  538.             typename EdDSA<Group>::PublicKey pub(eddsa_pk[t]);

  539.             if (eddsa_prehashed[t]) {

  540.                 pub.verify_with_prehash(eddsa_sig[t], eddsa_message[t], eddsa_context[t]);

  541.             } else {

  542.                 pub.verify(eddsa_sig[t], eddsa_message[t], eddsa_context[t]);

  543.             }

  544.             verified = true;

  545.         } catch(CryptoException&) {

  546.             verified = false;

  547.         }

  548. 

  549.         if (verified != eddsa_verify_should_succeed[t]) {

  550.             test.fail();

  551.             printf("    EdDSA Verify vector #%d disagree: verify %s but should %s\n",

  552.                 t, verified ? "passed" : "failed",

  553.                 eddsa_verify_should_succeed[t] ? "pass" : "fail");

  554.         }

  555.     }

  556.     

  557.     /* X25519/X448 */

  558.     for (int i=0; i<the_ntests && test.passing_now; i++) {

  559.         SecureBuffer n = DhLadder::shared_secret(u,k);

  560.         u = k; k = n;

  561.         if (i==1-1) {

  562.             if (!memeq(k,SecureBuffer(FixedBlock<DhLadder::PUBLIC_BYTES>(rfc7748_1)))) {

  563.                 test.fail();

  564.                 printf("    Test vectors disagree at 1.");

  565.             }

  566.         } else if (i==1000-1) {

  567.             if (!memeq(k,SecureBuffer(FixedBlock<DhLadder::PUBLIC_BYTES>(rfc7748_1000)))) {

  568.                 test.fail();

  569.                 printf("    Test vectors disagree at 1000.");

  570.             }

  571.         } else if (i==1000000-1) {

  572.             if (!memeq(k,SecureBuffer(FixedBlock<DhLadder::PUBLIC_BYTES>(rfc7748_1000000)))) {

  573.                 test.fail();

  574.                 printf("    Test vectors disagree at 1000000.");

  575.             }

  576.         }

  577.     }

  578. }

  579. 

  580. static void test_eddsa() {

  581.     Test test("EdDSA");

  582.     SpongeRng rng(Block("test_eddsa"),SpongeRng::DETERMINISTIC);

  583.     

  584.     int lg_scalar = Group::bits();

  585.     for (int cof = Group::REMOVED_COFACTOR; cof>1; cof>>=1) {

  586.         lg_scalar--;

  587.     }

  588.     typename Group::Scalar more_than_size = 1;

  589.     for (int i=0; i<lg_scalar; i++) more_than_size *= 2;

  590.     

  591.     for (int i=0; i<NTESTS && test.passing_now; i++) {

  592.         typename EdDSA<Group>::PrivateKey priv(rng);

  593.         typename EdDSA<Group>::PublicKey pub(priv);

  594.         

  595.         SecureBuffer message(i);

  596.         rng.read(message);

  597.         

  598.         SecureBuffer context(i%256);

  599.         rng.read(context);

  600.         

  601.         SecureBuffer sig = priv.sign(message,context); 

  602.         

  603.         try {

  604.             pub.verify(sig,message,context); 

  605.         } catch(CryptoException&) {

  606.             test.fail();

  607.             printf("    Signature validation failed on sig %d\n", i);

  608.         }

  609.         

  610.         try {

  611.             sig[(i/8) % sig.size()] ^= 1<<(i%8);

  612.             pub.verify(sig,message,context);

  613.             test.fail();

  614.             printf("    Signature validation passed incorrectly on corrupted sig %d\n", i);

  615.         } catch(CryptoException&) {}

  616.         sig[(i/8) % sig.size()] ^= 1<<(i%8);

  617.         

  618.         try {

  619.             const int size = EdDSA<Group>::PublicKey::SER_BYTES;

  620.             uint8_t ser[size];

  621.             pub.serialize_into(ser);

  622.             ser[(i/8) % size] ^= 1<<(i%8);

  623.             typename EdDSA<Group>::PublicKey pub2((FixedBlock<size>(ser)));

  624.             pub2.verify(sig,message,context);

  625.             test.fail();

  626.             printf("    Signature validation passed incorrectly on corrupted pubkey %d\n", i);

  627.         } catch(CryptoException&) {}

  628. 

  629.         if (message.size() > 0) {

  630.             try {

  631.                 message[(i/8) % message.size()] ^= 1<<(i%8);

  632.                 pub.verify(sig,message,context);

  633.                 test.fail();

  634.                 printf("    Signature validation passed incorrectly on corrupted message %d\n", i);

  635.             } catch(CryptoException&) {}

  636.             message[(i/8) % message.size()] ^= 1<<(i%8);

  637.         }

  638. 

  639.         if (context.size() > 0) {

  640.             try {

  641.                 context[(i/8) % context.size()] ^= 1<<(i%8);

  642.                 pub.verify(sig,message,context);

  643.                 test.fail();

  644.                 printf("    Signature validation passed incorrectly on corrupted message %d\n", i);

  645.             } catch(CryptoException&) {}

  646.             context[(i/8) % context.size()] ^= 1<<(i%8);

  647.         }

  648.         

  649.         // Construct sig which is numerically equal but improper

  650.         const int scalarbytes = Group::Scalar::SER_BYTES;

  651.         uint8_t *scalarpart = &sig[EdDSA<Group>::PublicKey::SER_BYTES];

  652.         typename Group::Scalar sig_r = FixedBlock<scalarbytes>(scalarpart);

  653.         memcpy(scalarpart, (-sig_r).serialize().data(), scalarbytes);

  654.         try {

  655.             pub.verify(sig,message,context);

  656.             test.fail();

  657.             printf("    Signature validation passed incorrectly on negated sig %d\n", i);

  658.         } catch(CryptoException&) {}

  659.         

  660.         

  661.         sig_r -= more_than_size;

  662.         memcpy(scalarpart, sig_r.serialize().data(), scalarbytes);

  663.         scalarpart[scalarbytes-1] += 1<<(lg_scalar%8);

  664.         try {

  665.             pub.verify(sig,message,context);

  666.             test.fail();

  667.             printf("    Signature validation passed incorrectly on improper sig %d\n", i);

  668.         } catch(CryptoException&) {}

  669.         

  670.         

  671.         /* Test encode_like and torque */

  672.         Point p(rng);

  673.         SecureBuffer p1 = p.mul_by_ratio_and_encode_like_eddsa();

  674.         SecureBuffer p2 = p.debugging_torque().mul_by_ratio_and_encode_like_eddsa();

  675.         if (!memeq(p1,p2)) {

  676.             test.fail();

  677.             printf("    Torque and encode like EdDSA failed\n");

  678.         }

  679.         SecureBuffer p3 = p.mul_by_ratio_and_encode_like_ladder();

  680.         SecureBuffer p4 = p.debugging_torque().mul_by_ratio_and_encode_like_ladder();

  681.         if (!memeq(p3,p4)) {

  682.             test.fail();

  683.             printf("    Torque and encode like ladder failed\n");

  684.         }

  685.     }

  686. }

  687. 

  688. /* Thanks Johan Pascal */

  689. static void test_convert_eddsa_to_x() {

  690.     Test test("ECDH using EdDSA keys");

  691.     SpongeRng rng(Block("test_x_on_eddsa_key"),SpongeRng::DETERMINISTIC);

  692. 

  693.     for (int i=0; i<NTESTS && test.passing_now; i++) {

  694.         /* generate 2 pairs of EdDSA keys */

  695.         typename EdDSA<Group>::PrivateKey alice_priv(rng);

  696.         typename EdDSA<Group>::PublicKey alice_pub(alice_priv);

  697.         typename EdDSA<Group>::PrivateKey bob_priv(rng);

  698.         typename EdDSA<Group>::PublicKey bob_pub(bob_priv);

  699. 

  700.         /* convert them to ECDH format

  701.          * check public key value by computing it from direct conversion and regeneration from converted private)

  702.          */

  703.         SecureBuffer alice_priv_x = alice_priv.convert_to_x();

  704.         SecureBuffer alice_pub_x_conversion = alice_pub.convert_to_x();

  705.         SecureBuffer alice_pub_x_generated  = DhLadder::derive_public_key(alice_priv_x);

  706.         if (!memeq(alice_pub_x_conversion, alice_pub_x_generated)) {

  707.             test.fail();

  708.             printf("    Ed2X Public key conversion and regeneration from converted private key differs.\n");

  709.         }

  710.         SecureBuffer bob_priv_x = bob_priv.convert_to_x();

  711.         SecureBuffer bob_pub_x_conversion = bob_pub.convert_to_x();

  712.         SecureBuffer bob_pub_x_generated  = DhLadder::derive_public_key(bob_priv_x);

  713.         if (!memeq(bob_pub_x_conversion, bob_pub_x_generated)) {

  714.             test.fail();

  715.             printf("    Ed2X Public key conversion and regeneration from converted private key differs.\n");

  716.         }

  717. 

  718.         /* compute shared secrets and check they match */

  719.         SecureBuffer alice_shared = DhLadder::shared_secret(bob_pub_x_conversion, alice_priv_x);

  720.         SecureBuffer bob_shared   = DhLadder::shared_secret(alice_pub_x_conversion, bob_priv_x);

  721. 

  722.         if (!memeq(alice_shared, bob_shared)) {

  723.             test.fail();

  724.             printf("    ECDH shared secret mismatch.\n");

  725.         }

  726.     }

  727. }

  728. 

  729. static void test_dalek_vectors() {

  730.     Test test("Test vectors from Dalek");

  731.     Point p = Point::base(), q;

  732.     for (unsigned i=0; i<base_multiples<Group>::count; i++) {

  733.         if (!decaf_memeq(q.serialize().data(),base_multiples<Group>::values[i],Point::SER_BYTES)) {

  734.             test.fail();

  735.             printf("    Failed test vector for %d * base point.\n", i);

  736.         }

  737.         q += p;

  738.     }

  739.     for (unsigned i=0; i<elligator_examples<Group>::count; i++) {

  740.         Point r = Point::from_hash(FixedBlock<Point::HASH_BYTES>(elligator_examples<Group>::inputs[i]));

  741.         Point s = Point(FixedBlock<Point::SER_BYTES>(elligator_examples<Group>::outputs[i]));

  742.         point_check(test,r,r,r,0,0,r,s,"elligator test vector");

  743.     }

  744. }

  745. 

  746. static void run() {

  747.     printf("Testing %s:\n",Group::name());

  748.     test_arithmetic();

  749.     test_elligator();

  750.     test_ec();

  751.     test_eddsa();

  752.     test_convert_eddsa_to_x();

  753.     test_cfrg_crypto();

  754.     test_cfrg_vectors();

  755.     test_dalek_vectors();

  756.     printf("\n");

  757. }

  758. 

  759. }; /* template<GroupId GROUP> struct Tests */

  760. 

  761. template<typename T>

  762. static void test_xof() {

  763.     /* TODO: more testing of XOFs */

  764.     Test test("XOF");

  765.     SpongeRng rng(Block("test_xof"),SpongeRng::DETERMINISTIC);

  766.     

  767.     FixedArrayBuffer<1024> a,b,c;

  768.     rng.read(c);

  769.     

  770.     T s1, s2;

  771.     unsigned i;

  772.     for (i=0; i<c.size(); i++) s1.update(c.slice(i,1));

  773.     s2.update(c);

  774.     

  775.     for (i=0; i<a.size(); i++) s1.output(a.slice(i,1));

  776.     s2.output(b);

  777.     

  778.     if (!a.contents_equal(b)) {

  779.         test.fail();

  780.         printf("    Buffers aren't equal!\n");

  781.     }

  782. }

  783. 

  784. static void test_rng() {

  785.     Test test("RNG");

  786.     SpongeRng rng_d1(Block("test_rng"),SpongeRng::DETERMINISTIC);

  787.     SpongeRng rng_d2(Block("test_rng"),SpongeRng::DETERMINISTIC);

  788.     SpongeRng rng_d3(Block("best_rng"),SpongeRng::DETERMINISTIC);

  789.     SpongeRng rng_n1;

  790.     SpongeRng rng_n2;

  791.     SecureBuffer s1,s2,s3;

  792.     

  793.     for (int i=0; i<5; i++) {

  794.         s1 = rng_d1.read(16<<i);

  795.         s2 = rng_d2.read(16<<i);

  796.         s3 = rng_d3.read(16<<i);

  797.         if (s1 != s2) {

  798.             test.fail();

  799.             printf("  Deterministic RNG didn't match!\n");

  800.         }

  801.         if (s1 == s3) {

  802.             test.fail();

  803.             printf("  Deterministic matched with different data!\n");

  804.         }

  805.         

  806.         rng_d1.stir("hello");

  807.         rng_d2.stir("hello");

  808.         rng_d3.stir("hello");

  809.         

  810.         

  811.         s1 = rng_n1.read(16<<i);

  812.         s2 = rng_n2.read(16<<i);

  813.         if (s1 == s2) {

  814.             test.fail();

  815.             printf("  Nondeterministic RNG matched!\n");

  816.         }

  817.     }

  818.     

  819.     

  820.     rng_d1.stir("hello");

  821.     rng_d2.stir("jello");

  822.     s1 = rng_d1.read(16);

  823.     s2 = rng_d2.read(16);

  824.     if (s1 == s2) {

  825.         test.fail();

  826.         printf("  Deterministic matched with different data!\n");

  827.     }

  828. }

  829. 

  830. #include "vectors.inc.cxx"

  831. 

  832. int main(int argc, char **argv) {

  833.     (void) argc; (void) argv;

  834.     test_rng();

  835.     test_xof<SHAKE<128> >();

  836.     test_xof<SHAKE<256> >();

  837.     printf("\n");

  838.     run_for_all_curves<Tests>();

  839.     if (passing) printf("Passed all tests.\n");

  840.     return passing ? 0 : 1;

  841. }