|
- #include "test.h"
-
- #include <stdio.h>
-
- #include "ec_point.h"
- #include "decaf.h"
- #include "scalarmul.h"
- #include "magic.h"
- #include "field.h"
- #include "crandom.h"
-
-
- static void
- failprint_ext (
- const struct extensible_t *a
- ) {
- field_a_t zi, scaled;
- field_print(" x", a->x);
- field_print(" y", a->y);
- field_print(" z", a->z);
- field_inverse(zi, a->z);
- field_mul(scaled, zi, a->x);
- field_print(" X", scaled);
- field_mul(scaled, zi, a->y);
- field_print(" Y", scaled);
- printf("\n");
- }
-
- static void
- failprint_tw_ext (
- const struct tw_extensible_t *a
- ) {
- failprint_ext((const struct extensible_t *)a);
- }
-
- static mask_t
- fail_if_different (
- const struct extensible_t *a,
- const struct extensible_t *b,
- const char *faildescr,
- const char *adescr,
- const char *bdescr
- ) {
- mask_t succ = eq_extensible(a, b);
-
- if (!succ) {
- youfail();
- printf(" %s\n", faildescr);
-
- printf("\n %s:\n", adescr);
- failprint_ext(a);
-
- printf("\n %s:\n", bdescr);
- failprint_ext(b);
- }
-
- return succ;
- }
-
- static mask_t
- validate_ext(
- const struct extensible_t *ext,
- int evenness,
- const char *description
- ) {
- mask_t succ = validate_extensible(ext), succ2;
- const char *error = "Point isn't on the curve.";
- if (evenness > 0) {
- succ2 = is_even_pt(ext);
- if (succ &~ succ2) error = "Point isn't even.";
- succ &= succ2;
- } else if (evenness < 0) {
- succ2 = is_even_pt(ext);
- if (succ &~ succ2) error = "Point is even but shouldn't be.";
- succ &= succ2;
- } /* FUTURE: quadness */
-
- if (~succ) {
- youfail();
- printf(" %s\n", error);
- printf(" %s\n", description);
- failprint_ext(ext);
- }
-
- return succ;
- }
-
- static mask_t
- validate_tw_ext(
- const struct tw_extensible_t *ext,
- int evenness,
- const char *description
- ) {
- mask_t succ = validate_tw_extensible(ext), succ2;
- const char *error = "Point isn't on the twisted curve.";
- if (evenness > 0) {
- succ2 = is_even_tw(ext);
- if (succ &~ succ2) error = "Point isn't even.";
- succ &= succ2;
- } else if (evenness < 0) {
- succ2 = is_even_tw(ext);
- if (succ &~ succ2) error = "Point is even but shouldn't be.";
- succ &= succ2;
- } /* FUTURE: quadness */
-
- if (~succ) {
- youfail();
- printf(" %s\n", error);
- printf(" %s\n", description);
- failprint_tw_ext(ext);
- }
-
- return succ;
- }
-
- static mask_t
- fail_if_different_tw (
- const struct tw_extensible_t *a,
- const struct tw_extensible_t *b,
- const char *faildescr,
- const char *adescr,
- const char *bdescr
- ) {
- return fail_if_different(
- (const struct extensible_t *)a, (const struct extensible_t *)b,
- faildescr,adescr,bdescr
- );
- }
-
- static int
- add_double_test (
- const struct affine_t *base1,
- const struct affine_t *base2
- ) {
- mask_t succ = MASK_SUCCESS;
- struct extensible_t exb;
- struct tw_extensible_t text1, text2, texta, textb;
- struct tw_extended_t ted1, ted2;
- struct tw_pniels_t pn;
-
- /* Convert to ext */
- convert_affine_to_extensible(&exb, base1);
- succ &= validate_ext(&exb,0,"base1");
- twist_and_double(&text1, &exb);
- succ &= validate_tw_ext(&text1,2,"iso1");
- convert_affine_to_extensible(&exb, base2);
- succ &= validate_ext(&exb,0,"base2");
- twist_and_double(&text2, &exb);
- succ &= validate_tw_ext(&text2,2,"iso2");
-
- /* a + b == b + a? */
- convert_tw_extensible_to_tw_pniels(&pn, &text1);
- copy_tw_extensible(&texta, &text2);
- add_tw_pniels_to_tw_extensible(&texta, &pn);
-
- convert_tw_extensible_to_tw_pniels(&pn, &text2);
- copy_tw_extensible(&textb, &text1);
- add_tw_pniels_to_tw_extensible(&textb, &pn);
-
- decaf_448_point_t ted3;
- convert_tw_extensible_to_tw_extended(&ted1, &text1);
- convert_tw_extensible_to_tw_extended(&ted2, &text2);
- decaf_448_point_add(ted3, (struct decaf_448_point_s*)&ted1, (struct decaf_448_point_s*)&ted2);
- add_tw_extended(&ted1, &ted2);
- convert_tw_extensible_to_tw_extended(&ted2, &textb);
-
- if (~decaf_eq_tw_extended(&ted1, &ted2) | ~decaf_448_point_eq((struct decaf_448_point_s*)&ted1, ted3)) {
- youfail();
- succ = 0;
- printf(" Tw extended simple compat:\n");
- field_print(" x1",ted1.x);
- field_print(" y1",ted1.y);
- field_print(" z1",ted1.z);
- field_print(" t1",ted1.t);
- field_print(" x2",ted2.x);
- field_print(" y2",ted2.y);
- field_print(" z2",ted2.z);
- field_print(" t2",ted2.t);
- struct tw_extended_t *t3 = (struct tw_extended_t *)&ted3;
- field_print(" x3",t3->x);
- field_print(" y3",t3->y);
- field_print(" z3",t3->z);
- field_print(" t3",t3->t);
-
- }
-
- succ &= fail_if_different_tw(&texta,&textb,"Addition commutativity","a+b","b+a");
-
- copy_tw_extensible(&textb, &text2);
- add_tw_pniels_to_tw_extensible(&textb, &pn);
- copy_tw_extensible(&texta, &text2);
- double_tw_extensible(&texta);
-
- succ &= fail_if_different_tw(&texta,&textb,"Doubling test","2b","b+b");
-
- if (~succ) {
- printf(" Bases were:\n");
- field_print(" x1", base1->x);
- field_print(" y1", base1->y);
- field_print(" x2", base2->x);
- field_print(" y2", base2->y);
- }
-
- return succ ? 0 : -1;
- }
-
- static int
- single_twisting_test (
- const struct affine_t *base
- ) {
- struct extensible_t exb, ext, tmpext;
- struct tw_extensible_t text, text2;
- mask_t succ = MASK_SUCCESS;
-
- convert_affine_to_extensible(&exb, base);
- succ &= validate_ext(&exb,0,"base");
-
- /* check: dual . iso = 4 */
- twist_and_double(&text, &exb);
- succ &= validate_tw_ext(&text,2,"iso");
- untwist_and_double(&ext, &text);
- succ &= validate_ext(&ext,2,"dual.iso");
-
- copy_extensible(&tmpext,&exb);
- double_extensible(&tmpext);
- succ &= validate_ext(&tmpext,1,"2*base");
-
- double_extensible(&tmpext);
- succ &= validate_ext(&tmpext,2,"4*base");
-
- succ &= fail_if_different(&ext,&tmpext,"Isogeny and dual","Dual . iso","4*base");
-
- /* check: twist and serialize */
- test_only_twist(&text, &exb);
- succ &= validate_tw_ext(&text,0,"tot");
- mask_t evt = is_even_tw(&text), evb = is_even_pt(&exb);
- if (evt != evb) {
- youfail();
- printf(" Different evenness from twist base: %d, twist: %d\n", (int)-evt, (int)-evb);
-
- succ = 0;
- } /* FUTURE: quadness */
-
- field_a_t sera,serb;
- untwist_and_double_and_serialize(sera,&text);
- copy_extensible(&tmpext,&exb);
- double_extensible(&tmpext);
- serialize_extensible(serb,&tmpext);
-
- /* check that their (doubled; FUTURE?) serializations are equal */
- if (~field_eq(sera,serb)) {
- youfail();
- printf(" Different serialization from twist + double ()\n");
- field_print(" t", sera);
- field_print(" b", serb);
- succ = 0;
- }
-
- untwist_and_double(&ext, &text);
- succ &= validate_ext(&tmpext,1,"dual.tot");
-
- twist_and_double(&text2, &ext);
- succ &= validate_tw_ext(&text2,2,"iso.dual.tot");
-
- double_tw_extensible(&text);
- succ &= validate_tw_ext(&text,1,"2*tot");
-
- double_tw_extensible(&text);
- succ &= validate_tw_ext(&text,2,"4*tot");
-
- succ &= fail_if_different_tw(&text,&text2,"Dual and isogeny","4*tot","iso.dual.tot");
-
- if (~succ) {
- printf(" Base was:\n");
- field_print(" x", base->x);
- field_print(" y", base->y);
- }
-
-
- return succ ? 0 : -1;
- }
-
- int test_decaf_evil (void) {
-
- #if FIELD_BITS != 448
- printf(" [ UNIMP ] ");
- return 0;
- #else
-
- #if WORD_BITS==64
- #define SC_WORD(x) x##ull
- #elif WORD_BITS==32
- #define SC_WORD(x) (uint32_t)(x##ull), (x##ull)>>32
- #endif
-
- word_t evil_scalars[5][448/WORD_BITS] = {
- {0},
- {SC_WORD(0x2378c292ab5844f3),SC_WORD(0x216cc2728dc58f55),SC_WORD(0xc44edb49aed63690),SC_WORD(0xffffffff7cca23e9),
- SC_WORD(0xffffffffffffffff),SC_WORD(0xffffffffffffffff),SC_WORD(0x3fffffffffffffff)}, /* q */
- {SC_WORD(0xdc873d6d54a7bb0d),SC_WORD(0xde933d8d723a70aa),SC_WORD(0x3bb124b65129c96f),
- SC_WORD(0x335dc16),SC_WORD(0x0),SC_WORD(0x0),SC_WORD(0x4000000000000000)}, /* qtwist */
- {SC_WORD(0x46f1852556b089e6),SC_WORD(0x42d984e51b8b1eaa),SC_WORD(0x889db6935dac6d20),SC_WORD(0xfffffffef99447d3),
- SC_WORD(0xffffffffffffffff),SC_WORD(0xffffffffffffffff),SC_WORD(0x7fffffffffffffff)}, /* 2q */
- {SC_WORD(0xb90e7adaa94f761a),SC_WORD(0xbd267b1ae474e155),SC_WORD(0x7762496ca25392df),SC_WORD(0x66bb82c),
- SC_WORD(0x0),SC_WORD(0x0),SC_WORD(0x8000000000000000)} /* 2*qtwist */
- };
- word_t random_scalar[448/WORD_BITS];
-
- unsigned char evil_inputs[3][56];
- memset(evil_inputs[0],0,56);
- memset(evil_inputs[1],0,56);
- memset(evil_inputs[2],0xff,56);
- evil_inputs[1][0] = 1;
- evil_inputs[2][0] = evil_inputs[2][28] = 0xFE;
-
- unsigned char random_input[56];
-
-
- crandom_state_a_t crand;
- crandom_init_from_buffer(crand, "my evil_decaf random initializer");
-
- int i,j,fails=0;
- int ret = 0;
- for (i=0; i<100; i++) {
-
- crandom_generate(crand, (unsigned char *)random_scalar, sizeof(random_scalar));
- if (i<15) {
- memcpy(random_scalar, evil_scalars[i%5], sizeof(random_scalar));
- if (i%3 == 1) random_scalar[0] ++;
- if (i%3 == 2) random_scalar[0] --;
- }
-
- for (j=0; j<100; j++) {
- crandom_generate(crand, random_input, sizeof(random_input));
- mask_t should = 0, care_should = 0;
- if (j<3) {
- memcpy(random_input, evil_inputs[j], sizeof(random_input));
- care_should = -1;
- should = (j==0) ? -1 : 0;
- } else {
- random_input[55] &= 0x7F;
- }
-
- field_a_t base, out_m, out_e, out_ed;
- mask_t s_base = field_deserialize(base,random_input);
-
- affine_a_t pt_e;
- tw_affine_a_t pt_te;
- tw_extended_a_t pt_ed;
- // TODO: test don't allow identity
- mask_t s_e = decaf_deserialize_affine(pt_e,base,-1);
- mask_t s_te = decaf_deserialize_tw_affine(pt_te,base,-1);
- mask_t s_ed = decaf_deserialize_tw_extended(pt_ed,base,-1);
- mask_t s_m = decaf_montgomery_ladder(out_m, base, random_scalar, 448);
-
- tw_extensible_a_t work;
- convert_tw_affine_to_tw_extensible(work,pt_te);
- scalarmul(work, random_scalar);
- decaf_serialize_tw_extensible(out_e, work);
-
- scalarmul_ed(pt_ed, random_scalar);
- decaf_serialize_tw_extended(out_ed, pt_ed);
-
- uint8_t ser_de[56], ser_ed[56];
- decaf_448_point_t pt_dec, pt_dec2;
- memcpy(pt_dec, pt_ed, sizeof(pt_dec));
- decaf_448_point_encode(ser_de, pt_dec);
- mask_t succ_dec = decaf_448_point_decode(pt_dec2, ser_de, -1);
- field_serialize(ser_ed, out_ed);
-
- decaf_448_point_t p,q,m;
- uint8_t oo_base_ser[56], n_base_ser[56];
- field_a_t oo_base,tmp,tmp2;
- field_isr(tmp,base);
- field_sqr(tmp2,tmp); // 1/+-s_base
- field_sqr(tmp,tmp2); // = 1/s_base^2
- field_mul(oo_base,tmp,base); // = 1/s_base
- field_serialize(oo_base_ser,oo_base);
- field_neg(tmp,base);
- field_serialize(n_base_ser,tmp); // = -base
- decaf_448_point_from_hash_nonuniform (p,random_input);
- decaf_448_point_from_hash_nonuniform (q,oo_base_ser);
- decaf_448_point_from_hash_nonuniform (m,n_base_ser);
- mask_t succ_nur = decaf_448_point_valid(p);
- succ_nur &= decaf_448_point_valid(q);
- succ_nur &= decaf_448_point_valid(m);
-
- mask_t eq_neg, eq_pos;
- eq_neg = decaf_448_point_eq(m,p);
- decaf_448_point_add(m,p,q);
- eq_pos = decaf_448_point_eq(m,decaf_448_point_identity);
-
- if ((care_should && should != s_m)
- || ~s_base || s_e != s_te || s_m != s_te || s_ed != s_te
- || (s_te && ~field_eq(out_e,out_m))
- || (s_ed && ~field_eq(out_e,out_ed))
- || memcmp(ser_de, ser_ed, 56)
- || (s_e & ~succ_dec)
- || (s_e & ~decaf_448_point_eq(pt_dec, pt_dec2)
- || (s_e & ~decaf_448_point_valid(pt_dec))
- || (succ_dec & ~decaf_448_point_valid(pt_dec2))
- || ~succ_nur
- || ~eq_neg
- || ~eq_pos)
- ) {
- youfail();
- field_print(" base", base);
- scalar_print(" scal", random_scalar, (448+WORD_BITS-1)/WORD_BITS);
- field_print(" oute", out_e);
- field_print(" outE", out_ed);
- field_print(" outm", out_m);
- printf(" succ: m=%d, e=%d, t=%d, b=%d, T=%d, D=%d, nur=%d, e+=%d, e-=%d, should=%d[%d]\n",
- -(int)s_m,-(int)s_e,-(int)s_te,-(int)s_base,-(int)s_ed,-(int)succ_dec,
- -(int)succ_nur, -(int)eq_neg, -(int)eq_pos,
- -(int)should,-(int)care_should
- );
- ret = -1;
- fails++;
- }
- }
- }
- if (fails) {
- printf(" Failed %d trials\n", fails);
- }
- return ret;
- #endif
- }
-
- int test_decaf (void) {
- struct affine_t base;
- struct tw_affine_t tw_base;
- field_a_t serf;
-
- struct crandom_state_t crand;
- crandom_init_from_buffer(&crand, "my test_decaf random initializer");
-
- int i, hits = 0, fails = 0;
-
- if (~decaf_448_point_valid(decaf_448_point_base)) {
- youfail();
- printf(" Decaf base point invalid\n");
- fails++;
- }
-
- if (~decaf_448_point_valid(decaf_448_point_identity)) {
- youfail();
- printf(" Decaf identity point invalid\n");
- fails++;
- }
-
-
- for (i=0; i<1000; i++) {
- uint8_t ser[FIELD_BYTES];
-
- int j;
-
- mask_t succ = 0;
- for (j=0; j<128 && !succ; j++) {
- crandom_generate(&crand, ser, sizeof(ser));
- ser[FIELD_BYTES-1] &= (1<<((FIELD_BITS-1)%8)) - 1;
-
- succ = field_deserialize(serf, ser);
- if (!succ) {
- youfail();
- printf(" Unlikely: fail at field_deserialize\n");
- return -1;
- }
-
- succ &= decaf_deserialize_affine(&base, serf, 0);
- }
- if (!succ) {
- youfail();
- printf("Unlikely: fail 128 desers\n");
- return -1;
- }
-
- hits++;
- field_a_t serf2;
- struct extensible_t ext;
- convert_affine_to_extensible(&ext, &base);
- decaf_serialize_extensible(serf2, &ext);
-
- if (~validate_affine(&base)) {
- youfail();
- printf("Invalid decaf deser:\n");
- field_print(" s", serf);
- field_print(" x", base.x);
- field_print(" y", base.y);
- fails ++;
- } else if (~field_eq(serf, serf2)) {
- youfail();
- printf("Fail round-trip through decaf ser:\n");
- field_print(" s", serf);
- field_print(" x", base.x);
- field_print(" y", base.y);
- printf(" deser is %s\n", validate_affine(&base) ? "valid" : "invalid");
- field_print(" S", serf2);
- fails ++;
- } else if (~is_even_pt(&ext)) {
- youfail();
- printf("Decaf deser isn't even:\n");
- field_print(" s", serf);
- field_print(" x", base.x);
- field_print(" y", base.y);
- fails ++;
- }
-
- succ = decaf_deserialize_tw_affine(&tw_base, serf, 0);
- struct tw_extensible_t tw_ext, tw_ext2;
- convert_tw_affine_to_tw_extensible(&tw_ext, &tw_base);
- decaf_serialize_tw_extensible(serf2, &tw_ext);
-
- twist_even(&tw_ext2, &ext);
-
- if (~succ | ~validate_tw_extensible(&tw_ext)) {
- youfail();
- printf("Invalid decaf tw deser:\n");
- field_print(" s", serf);
- field_print(" x", tw_base.x);
- field_print(" y", tw_base.y);
- fails ++;
- } else if (~field_eq(serf, serf2)) {
- youfail();
- printf("Fail round-trip through decaf ser:\n");
- field_print(" s", serf);
- field_print(" x", tw_base.x);
- field_print(" y", tw_base.y);
- printf(" tw deser is %s\n", validate_tw_extensible(&tw_ext) ? "valid" : "invalid");
- field_print(" S", serf2);
- fails ++;
- } else if (~is_even_tw(&tw_ext)) {
- youfail();
- printf("Decaf tw deser isn't even:\n");
- field_print(" s", serf);
- field_print(" x", tw_base.x);
- field_print(" y", tw_base.y);
- fails ++;
- } else if (~decaf_eq_tw_extensible(&tw_ext,&tw_ext2)) {
- youfail();
- printf("Decaf tw doesn't equal ext:\n");
- field_print(" s", serf);
- field_print(" x1", base.x);
- field_print(" y1", base.y);
- field_print(" x2", tw_base.x);
- field_print(" y2", tw_base.y);
- field_print(" X2", tw_ext2.x);
- field_print(" Y2", tw_ext2.y);
- fails ++;
- }
-
- tw_extended_a_t ed;
- succ = decaf_deserialize_tw_extended(ed, serf, 0);
- decaf_serialize_tw_extended(serf2, ed);
-
- if (~succ) {
- youfail();
- printf("Invalid decaf ed deser:\n");
- field_print(" s", serf);
- fails ++;
- } else if (~field_eq(serf, serf2)) {
- youfail();
- printf("Fail round-trip through decaf ser:\n");
- field_print(" s", serf);
- field_print(" x", ed->x);
- field_print(" y", ed->y);
- field_print(" z", ed->z);
- field_print(" t", ed->t);
- printf(" tw deser is %s\n", validate_tw_extensible(&tw_ext) ? "valid" : "invalid");
- field_print(" S", serf2);
- fails ++;
- }
-
- word_t scalar = 1;
- mask_t res = decaf_montgomery_ladder(serf2,serf,&scalar,1+(i%31));
- if (~res | ~field_eq(serf2,serf)) {
- youfail();
- printf("Decaf Montgomery ladder i=%d res=%d\n", 1+(i%31), (int)res);
- field_print(" s", serf);
- field_print(" o", serf2);
- printf("\n");
- }
- }
- if (hits < 1000) {
- youfail();
- printf(" Fail: only %d successes in decaf_deser\n", hits);
- return -1;
- } else if (fails) {
- printf(" %d fails\n", fails);
- return -1;
- } else {
- return 0;
- }
- }
-
- int test_pointops (void) {
- struct affine_t base, pbase;
- field_a_t serf;
-
- struct crandom_state_t crand;
- crandom_init_from_buffer(&crand, "test_pointops random initializer");
-
- struct extensible_t ext_base;
- if (!validate_affine(goldilocks_base_point)) {
- youfail();
- printf(" Base point isn't on the curve.\n");
- return -1;
- }
- convert_affine_to_extensible(&ext_base, goldilocks_base_point);
- if (!validate_ext(&ext_base, 2, "base")) return -1;
-
- int i, ret;
- for (i=0; i<1000; i++) {
- uint8_t ser[FIELD_BYTES];
- crandom_generate(&crand, ser, sizeof(ser));
-
-
- #if (FIELD_BITS % 8)
- ser[FIELD_BYTES-1] &= (1<<(FIELD_BITS%8)) - 1;
- #endif
-
- /* TODO: we need a field generate, which can return random or pathological. */
- mask_t succ = field_deserialize(serf, ser);
- if (!succ) {
- youfail();
- printf(" Unlikely: fail at field_deserialize\n");
- return -1;
- }
-
- if (i) {
- copy_affine(&pbase, &base);
- }
- elligator_2s_inject(&base, serf);
-
- if (i) {
- ret = add_double_test(&base, &pbase);
- if (ret) return ret;
- }
-
- ret = single_twisting_test(&base);
- if (ret) return ret;
- }
-
- return 0;
- }
|