jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
31 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: c6d69dec2e
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'c6d69dec2e'
${ noResults }
ed448goldilocks/src/include/ec_point.h

553 lines
11 KiB
Raw Blame History 

  1. /**

  2.  * @file ec_point.h

  3.  * @copyright

  4.  *   Copyright (c) 2014 Cryptography Research, Inc.  \n

  5.  *   Released under the MIT License.  See LICENSE.txt for license information.

  6.  * @author Mike Hamburg

  7.  * @warning This file was automatically generated.

  8.  */

  9. 

  10. #ifndef __CC_INCLUDED_EC_POINT_H__

  11. #define __CC_INCLUDED_EC_POINT_H__

  12. 

  13. #include "field.h"

  14. #include "constant_time.h"

  15. 

  16. #ifdef __cplusplus

  17. extern "C" {

  18. #endif

  19. 

  20. /**

  21.  * Affine point on an Edwards curve.

  22.  */

  23. struct affine_t {

  24.     struct field_t x, y;

  25. };

  26. 

  27. /**

  28.  * Affine point on a twisted Edwards curve.

  29.  */

  30. struct tw_affine_t {

  31.     struct field_t x, y;

  32. };

  33. 

  34. /**

  35.  * Montgomery buffer.

  36.  */

  37. struct montgomery_t {

  38.     struct field_t z0, xd, zd, xa, za;

  39. };

  40. 

  41. /**

  42.  * Extensible coordinates for Edwards curves, suitable for

  43.  * accumulators.

  44.  * 

  45.  * Represents the point (x/z, y/z).  The extra coordinates

  46.  * t,u satisfy xy = tuz, allowing for conversion to Extended

  47.  * form by multiplying t and u.

  48.  * 

  49.  * The idea is that you don't have to do this multiplication

  50.  * when doubling the accumulator, because the t-coordinate

  51.  * isn't used there.  At the same time, as long as you only

  52.  * have one point in extensible form, additions don't cost

  53.  * extra.

  54.  * 

  55.  * This is essentially a lazier version of Hisil et al's

  56.  * lookahead trick.  It might be worth considering that trick

  57.  * instead.

  58.  */

  59. struct extensible_t {

  60.     struct field_t x, y, z, t, u;

  61. };

  62. 

  63. /**

  64.  * Extensible coordinates for twisted Edwards curves,

  65.  * suitable for accumulators.

  66.  */

  67. struct tw_extensible_t {

  68.     struct field_t x, y, z, t, u;

  69. };

  70. 

  71. /**

  72.  * Niels coordinates for twisted Edwards curves.

  73.  * 

  74.  * Good for mixed readdition; suitable for fixed tables.

  75.  */

  76. struct tw_niels_t {

  77.     struct field_t a, b, c;

  78. };

  79. 

  80. /**

  81.  * Projective niels coordinates for twisted Edwards curves.

  82.  * 

  83.  * Good for readdition; suitable for temporary tables.

  84.  */

  85. struct tw_pniels_t {

  86.     struct tw_niels_t n;

  87.     struct field_t z;

  88. };

  89. 

  90. 

  91. /**

  92.  * Auto-generated copy method.

  93.  */

  94. static __inline__ void

  95. copy_affine (

  96.     struct affine_t*       a,

  97.     const struct affine_t* ds

  98. ) __attribute__((unused,always_inline));

  99. 

  100. /**

  101.  * Auto-generated copy method.

  102.  */

  103. static __inline__ void

  104. copy_tw_affine (

  105.     struct tw_affine_t*       a,

  106.     const struct tw_affine_t* ds

  107. ) __attribute__((unused,always_inline));

  108. 

  109. /**

  110.  * Auto-generated copy method.

  111.  */

  112. static __inline__ void

  113. copy_montgomery (

  114.     struct montgomery_t*       a,

  115.     const struct montgomery_t* ds

  116. ) __attribute__((unused,always_inline));

  117. 

  118. /**

  119.  * Auto-generated copy method.

  120.  */

  121. static __inline__ void

  122. copy_extensible (

  123.     struct extensible_t*       a,

  124.     const struct extensible_t* ds

  125. ) __attribute__((unused,always_inline));

  126. 

  127. /**

  128.  * Auto-generated copy method.

  129.  */

  130. static __inline__ void

  131. copy_tw_extensible (

  132.     struct tw_extensible_t*       a,

  133.     const struct tw_extensible_t* ds

  134. ) __attribute__((unused,always_inline));

  135. 

  136. /**

  137.  * Auto-generated copy method.

  138.  */

  139. static __inline__ void

  140. copy_tw_niels (

  141.     struct tw_niels_t*       a,

  142.     const struct tw_niels_t* ds

  143. ) __attribute__((unused,always_inline));

  144. 

  145. /**

  146.  * Auto-generated copy method.

  147.  */

  148. static __inline__ void

  149. copy_tw_pniels (

  150.     struct tw_pniels_t*       a,

  151.     const struct tw_pniels_t* ds

  152. ) __attribute__((unused,always_inline));

  153. 

  154. /**

  155.  * Add two points on a twisted Edwards curve, one in Extensible form

  156.  * and the other in half-Niels form.

  157.  */

  158. void

  159. add_tw_niels_to_tw_extensible (

  160.     struct tw_extensible_t*  d,

  161.     const struct tw_niels_t* e

  162. );

  163. 

  164. /**

  165.  * Add two points on a twisted Edwards curve, one in Extensible form

  166.  * and the other in half-Niels form.

  167.  */

  168. void

  169. sub_tw_niels_from_tw_extensible (

  170.     struct tw_extensible_t*  d,

  171.     const struct tw_niels_t* e

  172. );

  173. 

  174. /**

  175.  * Add two points on a twisted Edwards curve, one in Extensible form

  176.  * and the other in projective Niels form.

  177.  */

  178. void

  179. add_tw_pniels_to_tw_extensible (

  180.     struct tw_extensible_t*   e,

  181.     const struct tw_pniels_t* a

  182. );

  183. 

  184. /**

  185.  * Add two points on a twisted Edwards curve, one in Extensible form

  186.  * and the other in projective Niels form.

  187.  */

  188. void

  189. sub_tw_pniels_from_tw_extensible (

  190.     struct tw_extensible_t*   e,

  191.     const struct tw_pniels_t* a

  192. );

  193. 

  194. /**

  195.  * Double a point on a twisted Edwards curve, in "extensible" coordinates.

  196.  */

  197. void

  198. double_tw_extensible (

  199.     struct tw_extensible_t* a

  200. );

  201. 

  202. /**

  203.  * Double a point on an Edwards curve, in "extensible" coordinates.

  204.  */

  205. void

  206. double_extensible (

  207.     struct extensible_t* a

  208. );

  209. 

  210. /**

  211.  * Double a point, and transfer it to the twisted curve.

  212.  * 

  213.  * That is, apply the 4-isogeny.

  214.  */

  215. void

  216. twist_and_double (

  217.     struct tw_extensible_t*    b,

  218.     const struct extensible_t* a

  219. );

  220. 

  221. /**

  222.  * Double a point, and transfer it to the untwisted curve.

  223.  * 

  224.  * That is, apply the dual isogeny.

  225.  */

  226. void

  227. untwist_and_double (

  228.     struct extensible_t*          b,

  229.     const struct tw_extensible_t* a

  230. );

  231. 

  232. void

  233. convert_tw_affine_to_tw_pniels (

  234.     struct tw_pniels_t*       b,

  235.     const struct tw_affine_t* a

  236. );

  237. 

  238. void

  239. convert_tw_affine_to_tw_extensible (

  240.     struct tw_extensible_t*   b,

  241.     const struct tw_affine_t* a

  242. );

  243. 

  244. void

  245. convert_affine_to_extensible (

  246.     struct extensible_t*   b,

  247.     const struct affine_t* a

  248. );

  249. 

  250. void

  251. convert_tw_extensible_to_tw_pniels (

  252.     struct tw_pniels_t*           b,

  253.     const struct tw_extensible_t* a

  254. );

  255. 

  256. void

  257. convert_tw_pniels_to_tw_extensible (

  258.     struct tw_extensible_t*   e,

  259.     const struct tw_pniels_t* d

  260. );

  261. 

  262. void

  263. convert_tw_niels_to_tw_extensible (

  264.     struct tw_extensible_t*  e,

  265.     const struct tw_niels_t* d

  266. );

  267. 

  268. void

  269. montgomery_step (

  270.     struct montgomery_t* a

  271. );

  272. 

  273. void

  274. deserialize_montgomery (

  275.     struct montgomery_t* a,

  276.     const struct field_t* sbz

  277. );

  278. 

  279. mask_t

  280. serialize_montgomery (

  281.     struct field_t*             b,

  282.     const struct montgomery_t* a,

  283.     const struct field_t*       sbz

  284. );

  285. 

  286. /**

  287.  * Serialize a point on an Edwards curve.

  288.  * 

  289.  * The serialized form would be sqrt((z-y)/(z+y)) with sign of xz.

  290.  * 

  291.  * It would be on 4y^2/(1-d) = x^3 + 2(1+d)/(1-d) * x^2 + x.

  292.  * 

  293.  * But 4/(1-d) isn't square, so we need to twist it:

  294.  * 

  295.  * -x is on 4y^2/(d-1) = x^3 + 2(d+1)/(d-1) * x^2 + x

  296.  */

  297. void

  298. serialize_extensible (

  299.     struct field_t*             b,

  300.     const struct extensible_t* a

  301. );

  302. 

  303. /**

  304.  * 

  305.  */

  306. void

  307. untwist_and_double_and_serialize (

  308.     struct field_t*                b,

  309.     const struct tw_extensible_t* a

  310. );

  311. 

  312. /**

  313.  * Expensive transfer from untwisted to twisted.  Roughly equivalent to halve and isogeny.

  314.  * Correctly transfers point of order 2.

  315.  * 

  316.  * Can't have x=+1 (it's not even).  There is code to fix the exception that would otherwise

  317.  * occur at (0,1).

  318.  * 

  319.  * Input point must be even.

  320.  */

  321. void

  322. twist_even (

  323.     struct tw_extensible_t*    b,

  324.     const struct extensible_t* a

  325. );

  326. 

  327. /**

  328.  * Expensive transfer from untwisted to twisted.  Roughly equivalent to halve and isogeny.

  329.  * 

  330.  * This function is for testing purposes only, because it can return odd points on the

  331.  * twist.  This can cause exceptions in the point addition formula.  What's more, this

  332.  * function should be able to return points of order 4, which are at infinity.

  333.  * 

  334.  * This function probably doesn't properly handle special cases, such as the point at

  335.  * infinity (FUTURE).

  336.  * 

  337.  * This function probably isn't a homomorphism, in that it probably doesn't consistently

  338.  * handle adjustments by the point of order 2 when the input is odd.    (FUTURE)

  339.  */

  340. void

  341. test_only_twist (

  342.     struct tw_extensible_t*    b,

  343.     const struct extensible_t* a

  344. );

  345. 

  346. mask_t

  347. field_is_square (

  348.     const struct field_t* x

  349. );

  350. 

  351. mask_t

  352. is_even_pt (

  353.     const struct extensible_t* a

  354. );

  355. 

  356. mask_t

  357. is_even_tw (

  358.     const struct tw_extensible_t* a

  359. );

  360. 

  361. /**

  362.  * Deserialize a point to an untwisted affine curve.

  363.  */

  364. mask_t

  365. deserialize_affine (

  366.     struct affine_t*     a,

  367.     const struct field_t* sz

  368. );

  369. 

  370. /**

  371.  * Deserialize a point and transfer it to the twist.

  372.  * 

  373.  * Not guaranteed to preserve the 4-torsion component.

  374.  * 

  375.  * Refuses to deserialize +-1, which are the points of order 2.

  376.  */

  377. mask_t

  378. deserialize_and_twist_approx (

  379.     struct tw_extensible_t* a,

  380.     const struct field_t*    sdm1,

  381.     const struct field_t*    sz

  382. );

  383. 

  384. void

  385. set_identity_extensible (

  386.     struct extensible_t* a

  387. );

  388. 

  389. void

  390. set_identity_tw_extensible (

  391.     struct tw_extensible_t* a

  392. );

  393. 

  394. void

  395. set_identity_affine (

  396.     struct affine_t* a

  397. );

  398. 

  399. mask_t

  400. eq_affine (

  401.     const struct affine_t* a,

  402.     const struct affine_t* b

  403. );

  404. 

  405. mask_t

  406. eq_extensible (

  407.     const struct extensible_t* a,

  408.     const struct extensible_t* b

  409. );

  410. 

  411. mask_t

  412. eq_tw_extensible (

  413.     const struct tw_extensible_t* a,

  414.     const struct tw_extensible_t* b

  415. );

  416. 

  417. void

  418. elligator_2s_inject (

  419.     struct affine_t*     a,

  420.     const struct field_t* r

  421. );

  422. 

  423. mask_t

  424. validate_affine (

  425.     const struct affine_t* a

  426. );

  427. 

  428. /**

  429.  * Check the invariants for struct tw_extensible_t.

  430.  * NOTE: This function was automatically generated

  431.  * with no regard for speed.

  432.  */

  433. mask_t

  434. validate_tw_extensible (

  435.     const struct tw_extensible_t* ext

  436. );

  437. 

  438. /**

  439.  * Check the invariants for struct extensible_t.

  440.  * NOTE: This function was automatically generated

  441.  * with no regard for speed.

  442.  */

  443. mask_t

  444. validate_extensible (

  445.     const struct extensible_t* ext

  446. );

  447. 

  448. /**

  449.  * If doNegate, then negate a twisted niels point.

  450.  */

  451. static __inline__ void

  452. __attribute__((unused))

  453. cond_negate_tw_niels (

  454.     struct tw_niels_t *n,

  455.     mask_t doNegate

  456. ) {

  457.     constant_time_cond_swap(&n->a, &n->b, sizeof(n->a), doNegate);

  458.     field_cond_neg(&n->c, doNegate);

  459. }

  460. 

  461. /**

  462.  * If doNegate, then negate a twisted projective niels point.

  463.  */

  464. static __inline__ void

  465. __attribute__((unused))

  466. cond_negate_tw_pniels (

  467.     struct tw_pniels_t *n,

  468.     mask_t doNegate

  469. ) {

  470.     cond_negate_tw_niels(&n->n, doNegate);

  471. }

  472. 

  473. void

  474. copy_affine (

  475.     struct affine_t*       a,

  476.     const struct affine_t* ds

  477. ) {

  478.     field_copy ( &a->x, &ds->x );

  479.     field_copy ( &a->y, &ds->y );

  480. }

  481. 

  482. void

  483. copy_tw_affine (

  484.     struct tw_affine_t*       a,

  485.     const struct tw_affine_t* ds

  486. ) {

  487.     field_copy ( &a->x, &ds->x );

  488.     field_copy ( &a->y, &ds->y );

  489. }

  490. 

  491. void

  492. copy_montgomery (

  493.     struct montgomery_t*       a,

  494.     const struct montgomery_t* ds

  495. ) {

  496.     field_copy ( &a->z0, &ds->z0 );

  497.     field_copy ( &a->xd, &ds->xd );

  498.     field_copy ( &a->zd, &ds->zd );

  499.     field_copy ( &a->xa, &ds->xa );

  500.     field_copy ( &a->za, &ds->za );

  501. }

  502. 

  503. void

  504. copy_extensible (

  505.     struct extensible_t*       a,

  506.     const struct extensible_t* ds

  507. ) {

  508.     field_copy ( &a->x, &ds->x );

  509.     field_copy ( &a->y, &ds->y );

  510.     field_copy ( &a->z, &ds->z );

  511.     field_copy ( &a->t, &ds->t );

  512.     field_copy ( &a->u, &ds->u );

  513. }

  514. 

  515. void

  516. copy_tw_extensible (

  517.     struct tw_extensible_t*       a,

  518.     const struct tw_extensible_t* ds

  519. ) {

  520.     field_copy ( &a->x, &ds->x );

  521.     field_copy ( &a->y, &ds->y );

  522.     field_copy ( &a->z, &ds->z );

  523.     field_copy ( &a->t, &ds->t );

  524.     field_copy ( &a->u, &ds->u );

  525. }

  526. 

  527. void

  528. copy_tw_niels (

  529.     struct tw_niels_t*       a,

  530.     const struct tw_niels_t* ds

  531. ) {

  532.     field_copy ( &a->a, &ds->a );

  533.     field_copy ( &a->b, &ds->b );

  534.     field_copy ( &a->c, &ds->c );

  535. }

  536. 

  537. void

  538. copy_tw_pniels (

  539.     struct tw_pniels_t*       a,

  540.     const struct tw_pniels_t* ds

  541. ) {

  542.     copy_tw_niels( &a->n, &ds->n );

  543.     field_copy ( &a->z, &ds->z );

  544. }

  545. 

  546. 

  547. 

  548. #ifdef __cplusplus

  549. }; /* extern "C" */

  550. #endif

  551. 

  552. #endif /* __CC_INCLUDED_EC_POINT_H__ */