jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
48 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: d383dfe91e
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'd383dfe91e'
${ noResults }
ed448goldilocks/test/bench.c

744 lines
21 KiB
Raw Blame History 

  1. /* Copyright (c) 2014 Cryptography Research, Inc.

  2.  * Released under the MIT License.  See LICENSE.txt for license information.

  3.  */

  4. 

  5. #include "word.h"

  6. 

  7. #include <sys/time.h>

  8. #include <sys/types.h>

  9. #include <stdio.h>

  10. #include <memory.h>

  11. 

  12. #include "field.h"

  13. #include "ec_point.h"

  14. #include "scalarmul.h"

  15. #include "barrett_field.h"

  16. #include "crandom.h"

  17. #include "goldilocks.h"

  18. #include "sha512.h"

  19. 

  20. static __inline__ void

  21. ignore_result ( int result ) {

  22.     (void)result;

  23. }

  24. 

  25. static double now(void) {

  26.   struct timeval tv;

  27.   gettimeofday(&tv, NULL);

  28.   

  29.   return tv.tv_sec + tv.tv_usec/1000000.0;

  30. }

  31. 

  32. static void field_randomize( struct crandom_state_t *crand, field_a_t a ) {

  33.     crandom_generate(crand, (unsigned char *)a, sizeof(*a));

  34.     field_strong_reduce(a);

  35. }

  36. 

  37. static void q448_randomize( struct crandom_state_t *crand, word_t sk[SCALAR_WORDS] ) {

  38.     crandom_generate(crand, (unsigned char *)sk, SCALAR_BYTES);

  39. }

  40. 

  41. static void field_print( const char *descr, const field_a_t a ) {

  42.     int j;

  43.     unsigned char ser[FIELD_BYTES];

  44.     field_serialize(ser,a);

  45.     printf("%s = 0x", descr);

  46.     for (j=FIELD_BYTES - 1; j>=0; j--) {

  47.         printf("%02x", ser[j]);

  48.     }

  49.     printf("\n");

  50. }

  51. 

  52. static void __attribute__((unused))

  53. field_print_full (

  54.     const char *descr,

  55.     const field_a_t a

  56. ) {

  57.     int j;

  58.     printf("%s = 0x", descr);

  59.     for (j=15; j>=0; j--) {

  60.         printf("%02" PRIxWORD "_" PRIxWORD56 " ",

  61.             a->limb[j]>>28, a->limb[j]&((1<<28)-1));

  62.     }

  63.     printf("\n");

  64. }

  65. 

  66. static void q448_print( const char *descr, const word_t secret[SCALAR_WORDS] ) {

  67.     int j;

  68.     printf("%s = 0x", descr);

  69.     for (j=SCALAR_WORDS-1; j>=0; j--) {

  70.         printf(PRIxWORDfull, secret[j]);

  71.     }

  72.     printf("\n");

  73. }

  74. 

  75. #ifndef N_TESTS_BASE

  76. #define N_TESTS_BASE 10000

  77. #endif

  78. 

  79. int main(int argc, char **argv) {

  80.     (void)argc;

  81.     (void)argv;

  82. 

  83.     struct tw_extensible_t ext;

  84.     struct extensible_t exta;

  85.     struct tw_niels_t niels;

  86.     struct tw_pniels_t pniels;

  87.     struct affine_t affine;

  88.     struct montgomery_t mb;

  89.     struct montgomery_aux_t mba;

  90.     field_a_t a,b,c,d;

  91.     

  92.     double when;

  93.     int i;

  94. 

  95.     int nbase = N_TESTS_BASE;

  96.     

  97.     /* Bad randomness so we can debug. */

  98.     char initial_seed[32];

  99.     for (i=0; i<32; i++) initial_seed[i] = i;

  100.     struct crandom_state_t crand;

  101.     crandom_init_from_buffer(&crand, initial_seed);

  102.     /* For testing the performance drop from the crandom debuffering change.

  103.         ignore_result(crandom_init_from_file(&crand, "/dev/urandom", 10000, 1));

  104.     */

  105.     

  106.     word_t sk[SCALAR_WORDS],tk[SCALAR_WORDS];

  107.     q448_randomize(&crand, sk);

  108.     

  109.     memset(a,0,sizeof(a));

  110.     memset(b,0,sizeof(b));

  111.     memset(c,0,sizeof(c));

  112.     memset(d,0,sizeof(d));

  113.     when = now();

  114.     for (i=0; i<nbase*5000; i++) {

  115.         field_mul(c, b, a);

  116.     }

  117.     when = now() - when;

  118.     printf("mul:         %5.1fns\n", when * 1e9 / i);

  119.     

  120.     when = now();

  121.     for (i=0; i<nbase*5000; i++) {

  122.         field_sqr(c, a);

  123.     }

  124.     when = now() - when;

  125.     printf("sqr:         %5.1fns\n", when * 1e9 / i);

  126.     

  127.     when = now();

  128.     for (i=0; i<nbase*5000; i++) {

  129.         field_mulw(c, b, 1234562);

  130.     }

  131.     when = now() - when;

  132.     printf("mulw:        %5.1fns\n", when * 1e9 / i);

  133.     

  134.     when = now();

  135.     for (i=0; i<nbase*500; i++) {

  136.         field_mul(c, b, a);

  137.         field_mul(a, b, c);

  138.     }

  139.     when = now() - when;

  140.     printf("mul dep:     %5.1fns\n", when * 1e9 / i / 2);

  141.     

  142.     when = now();

  143.     for (i=0; i<nbase*10; i++) {

  144.         field_randomize(&crand, a);

  145.     }

  146.     when = now() - when;

  147.     printf("rand448:     %5.1fns\n", when * 1e9 / i);

  148.     

  149.     struct sha512_ctx_t sha;

  150.     uint8_t hashout[128];

  151.     when = now();

  152.     for (i=0; i<nbase; i++) {

  153.         sha512_init(&sha);

  154.         sha512_final(&sha, hashout);

  155.     }

  156.     when = now() - when;

  157.     printf("sha512 1blk: %5.1fns\n", when * 1e9 / i);

  158.     

  159.     when = now();

  160.     for (i=0; i<nbase; i++) {

  161.         sha512_update(&sha, hashout, 128);

  162.     }

  163.     when = now() - when;

  164.     printf("sha512 blk:  %5.1fns (%0.2f MB/s)\n", when * 1e9 / i, 128*i/when/1e6);

  165.     

  166.     when = now();

  167.     for (i=0; i<nbase; i++) {

  168.         field_isr(c, a);

  169.     }

  170.     when = now() - when;

  171.     printf("isr auto:    %5.1fµs\n", when * 1e6 / i);

  172.     

  173.     for (i=0; i<100; i++) {

  174.         field_randomize(&crand, a);

  175.         field_isr(d,a);

  176.         field_sqr(b,d);

  177.         field_mul(c,b,a);

  178.         field_sqr(b,c);

  179.         field_subw(b,1);

  180.         if (!field_is_zero(b)) {

  181.             printf("ISR validation failure!\n");

  182.             field_print("a", a);

  183.             field_print("s", d);

  184.         }

  185.     }

  186.     

  187.     when = now();

  188.     for (i=0; i<nbase; i++) {

  189.         elligator_2s_inject(&affine, a);

  190.     }

  191.     when = now() - when;

  192.     printf("elligator:   %5.1fµs\n", when * 1e6 / i);

  193.     

  194.     for (i=0; i<100; i++) {

  195.         field_randomize(&crand, a);

  196.         elligator_2s_inject(&affine, a);

  197.         if (!validate_affine(&affine)) {

  198.             printf("Elligator validation failure!\n");

  199.             field_print("a", a);

  200.             field_print("x", affine.x);

  201.             field_print("y", affine.y);

  202.         }

  203.     }

  204.     

  205.     when = now();

  206.     for (i=0; i<nbase; i++) {

  207.         deserialize_affine(&affine, a);

  208.     }

  209.     when = now() - when;

  210.     printf("decompress:  %5.1fµs\n", when * 1e6 / i);

  211.     

  212.     convert_affine_to_extensible(&exta, &affine);

  213.     when = now();

  214.     for (i=0; i<nbase; i++) {

  215.         serialize_extensible(a, &exta);

  216.     }

  217.     when = now() - when;

  218.     printf("compress:    %5.1fµs\n", when * 1e6 / i);

  219.     

  220.     int goods = 0;

  221.     for (i=0; i<100; i++) {

  222.         field_randomize(&crand, a);

  223.         mask_t good = deserialize_affine(&affine, a);

  224.         if (good & !validate_affine(&affine)) {

  225.             printf("Deserialize validation failure!\n");

  226.             field_print("a", a);

  227.             field_print("x", affine.x);

  228.             field_print("y", affine.y);

  229.         } else if (good) {

  230.             goods++;

  231.             convert_affine_to_extensible(&exta,&affine);

  232.             serialize_extensible(b, &exta);

  233.             field_sub(c,b,a);

  234.             if (!field_is_zero(c)) {

  235.                 printf("Reserialize validation failure!\n");

  236.                 field_print("a", a);

  237.                 field_print("x", affine.x);

  238.                 field_print("y", affine.y);

  239.                 deserialize_affine(&affine, b);

  240.                 field_print("b", b);

  241.                 field_print("x", affine.x);

  242.                 field_print("y", affine.y);

  243.                 printf("\n");

  244.             }

  245.         }

  246.     }

  247.     if (goods<i/3) {

  248.         printf("Deserialization validation failure! Deserialized %d/%d points\n", goods, i);

  249.     }

  250.     

  251.     word_t lsk[768/WORD_BITS];

  252.     crandom_generate(&crand, (unsigned char *)lsk, sizeof(lsk));

  253.     

  254.     when = now();

  255.     for (i=0; i<nbase*100; i++) {

  256.         barrett_reduce(lsk,sizeof(lsk)/sizeof(word_t),0,&curve_prime_order);

  257.     }

  258.     when = now() - when;

  259.     printf("barrett red: %5.1fns\n", when * 1e9 / i);

  260.     

  261.     when = now();

  262.     for (i=0; i<nbase*10; i++) {

  263.         barrett_mac(lsk,SCALAR_WORDS,lsk,SCALAR_WORDS,lsk,SCALAR_WORDS,&curve_prime_order);

  264.     }

  265.     when = now() - when;

  266.     printf("barrett mac: %5.1fns\n", when * 1e9 / i);

  267.     

  268.     memset(&ext,0,sizeof(ext));

  269.     memset(&niels,0,sizeof(niels)); /* avoid assertions in p521 even though this isn't a valid ext or niels */

  270.     when = now();

  271.     for (i=0; i<nbase*100; i++) {

  272.         add_tw_niels_to_tw_extensible(&ext, &niels);

  273.     }

  274.     when = now() - when;

  275.     printf("exti+niels:  %5.1fns\n", when * 1e9 / i);

  276.     

  277.     convert_tw_extensible_to_tw_pniels(&pniels, &ext);

  278.     when = now();

  279.     for (i=0; i<nbase*100; i++) {

  280.         add_tw_pniels_to_tw_extensible(&ext, &pniels);

  281.     }

  282.     when = now() - when;

  283.     printf("exti+pniels: %5.1fns\n", when * 1e9 / i);

  284.     

  285.     when = now();

  286.     for (i=0; i<nbase*100; i++) {

  287.         double_tw_extensible(&ext);

  288.     }

  289.     when = now() - when;

  290.     printf("exti dbl:    %5.1fns\n", when * 1e9 / i);

  291.     

  292.     when = now();

  293.     for (i=0; i<nbase*100; i++) {

  294.         untwist_and_double(&exta, &ext);

  295.     }

  296.     when = now() - when;

  297.     printf("i->a isog:   %5.1fns\n", when * 1e9 / i);

  298.     

  299.     when = now();

  300.     for (i=0; i<nbase*100; i++) {

  301.         twist_and_double(&ext, &exta);

  302.     }

  303.     when = now() - when;

  304.     printf("a->i isog:   %5.1fns\n", when * 1e9 / i);

  305.     

  306.     memset(&mb,0,sizeof(mb));

  307.     when = now();

  308.     for (i=0; i<nbase*100; i++) {

  309.         montgomery_step(&mb);

  310.     }

  311.     when = now() - when;

  312.     printf("monty step:  %5.1fns\n", when * 1e9 / i);

  313.     

  314.     memset(&mba,0,sizeof(mba));

  315.     when = now();

  316.     for (i=0; i<nbase*100; i++) {

  317.         montgomery_aux_step(&mba);

  318.     }

  319.     when = now() - when;

  320.     printf("monty aux:   %5.1fns\n", when * 1e9 / i);

  321. 	

  322.     when = now();

  323.     for (i=0; i<nbase/10; i++) {

  324.         ignore_result(montgomery_ladder(a,b,sk,FIELD_BITS,0));

  325.     }

  326.     when = now() - when;

  327.     printf("full ladder: %5.1fµs\n", when * 1e6 / i);

  328.     

  329.     when = now();

  330.     for (i=0; i<nbase/10; i++) {

  331.         scalarmul(&ext,sk);

  332.     }

  333.     when = now() - when;

  334.     printf("edwards smz: %5.1fµs\n", when * 1e6 / i);

  335.     

  336.     when = now();

  337.     for (i=0; i<nbase/10; i++) {

  338.         scalarmul_vlook(&ext,sk);

  339.     }

  340.     when = now() - when;

  341.     printf("edwards svl: %5.1fµs\n", when * 1e6 / i);

  342.     

  343.     when = now();

  344.     for (i=0; i<nbase/10; i++) {

  345.         scalarmul(&ext,sk);

  346.         untwist_and_double_and_serialize(a,&ext);

  347.     }

  348.     when = now() - when;

  349.     printf("edwards smc: %5.1fµs\n", when * 1e6 / i);

  350.     

  351.     when = now();

  352.     for (i=0; i<nbase/10; i++) {

  353.         q448_randomize(&crand, sk);

  354.         scalarmul_vt(&ext,sk,SCALAR_BITS);

  355.     }

  356.     when = now() - when;

  357.     printf("edwards vtm: %5.1fµs\n", when * 1e6 / i);

  358.     

  359.     struct tw_niels_t wnaft[1<<6];

  360.     when = now();

  361.     for (i=0; i<nbase/10; i++) {

  362.         ignore_result(precompute_fixed_base_wnaf(wnaft,&ext,6));

  363.     }

  364.     when = now() - when;

  365.     printf("wnaf6 pre:   %5.1fµs\n", when * 1e6 / i);

  366.     

  367.     when = now();

  368.     for (i=0; i<nbase/10; i++) {

  369.         q448_randomize(&crand, sk);

  370.         scalarmul_fixed_base_wnaf_vt(&ext,sk,SCALAR_BITS,wnaft,6);

  371.     }

  372.     when = now() - when;

  373.     printf("edwards vt6: %5.1fµs\n", when * 1e6 / i);

  374.     

  375.     when = now();

  376.     for (i=0; i<nbase/10; i++) {

  377.         ignore_result(precompute_fixed_base_wnaf(wnaft,&ext,4));

  378.     }

  379.     when = now() - when;

  380.     printf("wnaf4 pre:   %5.1fµs\n", when * 1e6 / i);

  381.     

  382.     when = now();

  383.     for (i=0; i<nbase/10; i++) {

  384.         q448_randomize(&crand, sk);

  385.         scalarmul_fixed_base_wnaf_vt(&ext,sk,SCALAR_BITS,wnaft,4);

  386.     }

  387.     when = now() - when;

  388.     printf("edwards vt4: %5.1fµs\n", when * 1e6 / i);

  389. 

  390.     when = now();

  391.     for (i=0; i<nbase/10; i++) {

  392.         ignore_result(precompute_fixed_base_wnaf(wnaft,&ext,5));

  393.     }

  394.     when = now() - when;

  395.     printf("wnaf5 pre:   %5.1fµs\n", when * 1e6 / i);

  396.     

  397.     when = now();

  398.     for (i=0; i<nbase/10; i++) {

  399.         q448_randomize(&crand, sk);

  400.         scalarmul_fixed_base_wnaf_vt(&ext,sk,SCALAR_BITS,wnaft,5);

  401.     }

  402.     when = now() - when;

  403.     printf("edwards vt5: %5.1fµs\n", when * 1e6 / i);

  404.     

  405.     when = now();

  406.     for (i=0; i<nbase/10; i++) {

  407.         q448_randomize(&crand, sk);

  408.         q448_randomize(&crand, tk);

  409.         linear_combo_var_fixed_vt(&ext,sk,FIELD_BITS,tk,FIELD_BITS,wnaft,5);

  410.     }

  411.     when = now() - when;

  412.     printf("vt vf combo: %5.1fµs\n", when * 1e6 / i);

  413.     

  414.     when = now();

  415.     for (i=0; i<nbase/10; i++) {

  416.         deserialize_affine(&affine, a);

  417.         convert_affine_to_extensible(&exta,&affine);

  418.         twist_and_double(&ext,&exta);

  419.         scalarmul(&ext,sk);

  420.         untwist_and_double(&exta,&ext);

  421.         serialize_extensible(b, &exta);

  422.     }

  423.     when = now() - when;

  424.     printf("edwards sm:  %5.1fµs\n", when * 1e6 / i);

  425.     

  426.     struct fixed_base_table_t t_5_5_18, t_3_5_30, t_8_4_14, t_5_3_30, t_15_3_10;

  427. 

  428.     while (1) {

  429.         field_randomize(&crand, a);

  430.         if (deserialize_affine(&affine, a)) break;

  431.     }

  432.     convert_affine_to_extensible(&exta,&affine);

  433.     twist_and_double(&ext,&exta);

  434.     when = now();

  435.     for (i=0; i<nbase/10; i++) {

  436.         if (i) destroy_fixed_base(&t_5_5_18);

  437.         ignore_result(precompute_fixed_base(&t_5_5_18, &ext, 5, 5, 18, NULL));

  438.     }

  439.     when = now() - when;

  440.     printf("pre(5,5,18): %5.1fµs\n", when * 1e6 / i);

  441.     

  442.     when = now();

  443.     for (i=0; i<nbase/10; i++) {

  444.         if (i) destroy_fixed_base(&t_3_5_30);

  445.         ignore_result(precompute_fixed_base(&t_3_5_30, &ext, 3, 5, 30, NULL));

  446.     }

  447.     when = now() - when;

  448.     printf("pre(3,5,30): %5.1fµs\n", when * 1e6 / i);

  449.     

  450.     when = now();

  451.     for (i=0; i<nbase/10; i++) {

  452.         if (i) destroy_fixed_base(&t_5_3_30);

  453.         ignore_result(precompute_fixed_base(&t_5_3_30, &ext, 5, 3, 30, NULL));

  454.     }

  455.     when = now() - when;

  456.     printf("pre(5,3,30): %5.1fµs\n", when * 1e6 / i);

  457.     

  458.     when = now();

  459.     for (i=0; i<nbase/10; i++) {

  460.         if (i) destroy_fixed_base(&t_15_3_10);

  461.         ignore_result(precompute_fixed_base(&t_15_3_10, &ext, 15, 3, 10, NULL));

  462.     }

  463.     when = now() - when;

  464.     printf("pre(15,3,10):%5.1fµs\n", when * 1e6 / i);

  465.     

  466.     when = now();

  467.     for (i=0; i<nbase/10; i++) {

  468.         if (i) destroy_fixed_base(&t_8_4_14);

  469.         ignore_result(precompute_fixed_base(&t_8_4_14, &ext, 8, 4, 14, NULL));

  470.     }

  471.     when = now() - when;

  472.     printf("pre(8,4,14): %5.1fµs\n", when * 1e6 / i);

  473. 	

  474.     when = now();

  475.     for (i=0; i<nbase; i++) {

  476.         scalarmul_fixed_base(&ext, sk, FIELD_BITS, &t_5_5_18);

  477.     }

  478.     when = now() - when;

  479.     printf("com(5,5,18): %5.1fµs\n", when * 1e6 / i);

  480.     

  481.     when = now();

  482.     for (i=0; i<nbase; i++) {

  483.         scalarmul_fixed_base(&ext, sk, FIELD_BITS, &t_3_5_30);

  484.     }

  485.     when = now() - when;

  486.     printf("com(3,5,30): %5.1fµs\n", when * 1e6 / i);

  487. 

  488.     when = now();

  489.     for (i=0; i<nbase; i++) {

  490.         scalarmul_fixed_base(&ext, sk, FIELD_BITS, &t_8_4_14);

  491.     }

  492.     when = now() - when;

  493.     printf("com(8,4,14): %5.1fµs\n", when * 1e6 / i);

  494. 

  495.     when = now();

  496.     for (i=0; i<nbase; i++) {

  497.         scalarmul_fixed_base(&ext, sk, FIELD_BITS, &t_5_3_30);

  498.     }

  499.     when = now() - when;

  500.     printf("com(5,3,30): %5.1fµs\n", when * 1e6 / i);

  501. 

  502.     when = now();

  503.     for (i=0; i<nbase; i++) {

  504.         scalarmul_fixed_base(&ext, sk, FIELD_BITS, &t_15_3_10);

  505.     }

  506.     when = now() - when;

  507.     printf("com(15,3,10):%5.1fµs\n", when * 1e6 / i);

  508.     

  509.     printf("\nGoldilocks:\n");

  510.     

  511.     int res = goldilocks_init();

  512.     assert(!res);

  513.     

  514.     struct goldilocks_public_key_t gpk,hpk;

  515.     struct goldilocks_private_key_t gsk,hsk;

  516.     

  517.     when = now();

  518.     for (i=0; i<nbase; i++) {

  519.         if (i&1) {

  520.             res = goldilocks_keygen(&gsk,&gpk);

  521.         } else {

  522.             res = goldilocks_keygen(&hsk,&hpk);

  523.         }

  524.         assert(!res);

  525.     }

  526.     when = now() - when;

  527.     printf("keygen:      %5.1fµs\n", when * 1e6 / i);

  528.     

  529.     uint8_t ss1[64],ss2[64];

  530.     int gres1=0,gres2=0;

  531.     when = now();

  532.     for (i=0; i<nbase; i++) {

  533.         if (i&1) {

  534.             gres1 = goldilocks_shared_secret(ss1,&gsk,&hpk);

  535.         } else {

  536.             gres2 = goldilocks_shared_secret(ss2,&hsk,&gpk);

  537.         }

  538.     }

  539.     when = now() - when;

  540.     printf("ecdh:        %5.1fµs\n", when * 1e6 / i);

  541.     if (gres1 || gres2 || memcmp(ss1,ss2,64)) {

  542.         printf("[FAIL] %d %d\n",gres1,gres2);

  543.         

  544.         printf("sk1 = ");

  545.         for (i=0; i<SCALAR_BYTES; i++) {

  546.             printf("%02x", gsk.opaque[i]);

  547.         }

  548.         printf("\nsk2 = ");

  549.         for (i=0; i<SCALAR_BYTES; i++) {

  550.             printf("%02x", hsk.opaque[i]);

  551.         }

  552.         printf("\nss1 = ");

  553.         for (i=0; i<64; i++) {

  554.             printf("%02x", ss1[i]);

  555.         }

  556.         printf("\nss2 = ");

  557.         for (i=0; i<64; i++) {

  558.             printf("%02x", ss2[i]);

  559.         }

  560.         printf("\n");

  561.     }

  562.     

  563.     uint8_t sout[FIELD_BYTES*2];

  564.     const char *message = "hello world";

  565.     size_t message_len = strlen(message);

  566.     when = now();

  567.     for (i=0; i<nbase; i++) {

  568.         res = goldilocks_sign(sout,(const unsigned char *)message,message_len,&gsk);

  569.         (void)res;

  570.         assert(!res);

  571.     }

  572.     when = now() - when;

  573.     printf("sign:        %5.1fµs\n", when * 1e6 / i);

  574.     

  575.     when = now();

  576.     for (i=0; i<nbase; i++) {

  577.         int ver = goldilocks_verify(sout,(const unsigned char *)message,message_len,&gpk);

  578.         (void)ver;

  579.         assert(!ver);

  580.     }

  581.     when = now() - when;

  582.     printf("verify:      %5.1fµs\n", when * 1e6 / i);

  583.     

  584.     struct goldilocks_precomputed_public_key_t *pre = NULL;

  585.     when = now();

  586.     for (i=0; i<nbase; i++) {

  587.         goldilocks_destroy_precomputed_public_key(pre);

  588.         pre = goldilocks_precompute_public_key(&gpk);

  589.     }

  590.     when = now() - when;

  591.     printf("precompute:  %5.1fµs\n", when * 1e6 / i);

  592.     

  593.     when = now();

  594.     for (i=0; i<nbase; i++) {

  595.         int ver = goldilocks_verify_precomputed(sout,(const unsigned char *)message,message_len,pre);

  596.         (void)ver;

  597.         assert(!ver);

  598.     }

  599.     when = now() - when;

  600.     printf("verify pre:  %5.1fµs\n", when * 1e6 / i);

  601.     

  602.     when = now();

  603.     for (i=0; i<nbase; i++) {

  604.         int ret = goldilocks_shared_secret_precomputed(ss1,&gsk,pre);

  605.         (void)ret;

  606.         assert(!ret);

  607.     }

  608.     when = now() - when;

  609.     printf("ecdh pre:    %5.1fµs\n", when * 1e6 / i);

  610.     

  611.     printf("\nTesting...\n");

  612.     

  613.     

  614.     int failures=0, successes = 0;

  615.     for (i=0; i<nbase/10; i++) {

  616.         ignore_result(goldilocks_keygen(&gsk,&gpk));

  617.         goldilocks_sign(sout,(const unsigned char *)message,message_len,&gsk);

  618.         res = goldilocks_verify(sout,(const unsigned char *)message,message_len,&gpk);

  619.         if (res) failures++;

  620.     }

  621.     if (failures) {

  622.         printf("FAIL %d/%d signature checks!\n", failures, i);

  623.     }

  624.     

  625.     failures=0; successes = 0;

  626.     for (i=0; i<nbase/10; i++) {

  627.         field_randomize(&crand, a);

  628. 		word_t two = 2;

  629.         mask_t good = montgomery_ladder(b,a,&two,2,0);

  630. 		if (!good) continue;

  631. 		

  632. 		word_t x,y;

  633.         crandom_generate(&crand, (unsigned char *)&x, sizeof(x));

  634.         crandom_generate(&crand, (unsigned char *)&y, sizeof(y));

  635.         x = (hword_t)x;

  636.         y = (hword_t)y;

  637.         word_t z=x*y;

  638.         

  639.     	ignore_result(montgomery_ladder(b,a,&x,WORD_BITS,0));

  640.         ignore_result(montgomery_ladder(c,b,&y,WORD_BITS,0));

  641.         ignore_result(montgomery_ladder(b,a,&z,WORD_BITS,0));

  642.         

  643.         field_sub(d,b,c);

  644. 		if (!field_is_zero(d)) {

  645.             printf("Odd ladder validation failure %d!\n", ++failures);

  646.             field_print("a", a);

  647.             printf("x=%"PRIxWORD", y=%"PRIxWORD", z=%"PRIxWORD"\n", x,y,z);

  648.             field_print("c", c);

  649.             field_print("b", b);

  650. 			printf("\n");

  651. 		}

  652. 	}

  653.     

  654.     failures = 0;

  655.     for (i=0; i<nbase/10; i++) {

  656.         mask_t good;

  657.         do {

  658.             field_randomize(&crand, a);

  659.             good = deserialize_affine(&affine, a);

  660.         } while (!good);

  661.         

  662.         convert_affine_to_extensible(&exta,&affine);

  663.         twist_and_double(&ext,&exta);

  664.         untwist_and_double(&exta,&ext);

  665.         serialize_extensible(b, &exta);

  666.         untwist_and_double_and_serialize(c, &ext);

  667.         

  668.         field_sub(d,b,c);

  669.         

  670.         if (good && !field_is_zero(d)){

  671.             printf("Iso+serial validation failure %d!\n", ++failures);

  672.             field_print("a", a);

  673.             field_print("b", b);

  674.             field_print("c", c);

  675.             printf("\n");

  676.         } else if (good) {

  677.             successes ++;

  678.         }

  679.     }

  680.     if (successes < i/3) {

  681.         printf("Iso+serial variation: only %d/%d successful.\n", successes, i);

  682.     }

  683.     

  684.     successes = failures = 0;

  685.     for (i=0; i<nbase/10; i++) {

  686.         field_a_t aa;

  687.         struct tw_extensible_t exu,exv,exw;

  688.         

  689.         mask_t good;

  690.         do {

  691.             field_randomize(&crand, a);

  692.             good = deserialize_affine(&affine, a);

  693.             convert_affine_to_extensible(&exta,&affine);

  694.             twist_and_double(&ext,&exta);

  695.         } while (!good);

  696.         do {

  697.             field_randomize(&crand, aa);

  698.             good = deserialize_affine(&affine, aa);

  699.             convert_affine_to_extensible(&exta,&affine);

  700.             twist_and_double(&exu,&exta);

  701.         } while (!good);

  702.         field_randomize(&crand, aa);

  703.         

  704.         q448_randomize(&crand, sk);

  705. 		if (i==0 || i==2) memset(&sk, 0, sizeof(sk));

  706.         q448_randomize(&crand, tk);

  707. 		if (i==0 || i==1) memset(&tk, 0, sizeof(tk));

  708.         

  709.         copy_tw_extensible(&exv, &ext);

  710.         copy_tw_extensible(&exw, &exu);

  711.         scalarmul(&exv,sk);

  712.         scalarmul(&exw,tk);

  713.         convert_tw_extensible_to_tw_pniels(&pniels, &exw);

  714.         add_tw_pniels_to_tw_extensible(&exv,&pniels);

  715.         untwist_and_double(&exta,&exv);

  716.         serialize_extensible(b, &exta);

  717. 

  718.         ignore_result(precompute_fixed_base_wnaf(wnaft,&exu,5));

  719.         linear_combo_var_fixed_vt(&ext,sk,FIELD_BITS,tk,FIELD_BITS,wnaft,5);

  720.         untwist_and_double(&exta,&exv);

  721.         serialize_extensible(c, &exta);

  722.         

  723.         field_sub(d,b,c);

  724.         

  725.         if (!field_is_zero(d)){

  726.             printf("PreWNAF combo validation failure %d!\n", ++failures);

  727.             field_print("a", a);

  728.             field_print("A", aa);

  729.             q448_print("s", sk);

  730.             q448_print("t", tk);

  731.             field_print("c", c);

  732.             field_print("b", b);

  733.             printf("\n\n");

  734.         } else if (good) {

  735.             successes ++;

  736.         }

  737.     }

  738.     if (successes < i) {

  739.         printf("PreWNAF combo variation: only %d/%d successful.\n", successes, i);

  740.     }

  741.     

  742.     return 0;

  743. }