jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: d4085b9606
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'd4085b9606'
${ noResults }
ed448goldilocks/test/bench.c

726 lines
20 KiB
Raw Blame History 

  1. /* Copyright (c) 2014 Cryptography Research, Inc.

  2.  * Released under the MIT License.  See LICENSE.txt for license information.

  3.  */

  4. 

  5. #include "word.h"

  6. 

  7. #include <sys/time.h>

  8. #include <sys/types.h>

  9. #include <stdio.h>

  10. #include <memory.h>

  11. 

  12. #include "p448.h"

  13. #include "ec_point.h"

  14. #include "scalarmul.h"

  15. #include "barrett_field.h"

  16. #include "crandom.h"

  17. #include "goldilocks.h"

  18. #include "sha512.h"

  19. 

  20. static __inline__ void

  21. ignore_result ( int result ) {

  22.     (void)result;

  23. }

  24. 

  25. static double now() {

  26.   struct timeval tv;

  27.   gettimeofday(&tv, NULL);

  28.   

  29.   return tv.tv_sec + tv.tv_usec/1000000.0;

  30. }

  31. 

  32. static void p448_randomize( struct crandom_state_t *crand, struct p448_t *a ) {

  33.     crandom_generate(crand, (unsigned char *)a, sizeof(*a));

  34.     p448_strong_reduce(a);

  35. }

  36. 

  37. static void q448_randomize( struct crandom_state_t *crand, word_t sk[448/WORD_BITS] ) {

  38.     crandom_generate(crand, (unsigned char *)sk, 448/8);

  39. }

  40. 

  41. static void p448_print( const char *descr, const struct p448_t *a ) {

  42.     p448_t b;

  43.     p448_copy(&b, a);

  44.     p448_strong_reduce(&b);

  45.     int j;

  46.     printf("%s = 0x", descr);

  47.     for (j=sizeof(*a)/sizeof(a->limb[0])-1; j>=0; j--) {

  48.         printf(PRIxWORD58, b.limb[j]);

  49.     }

  50.     printf("\n");

  51. }

  52. 

  53. static void __attribute__((unused))

  54. p448_print_full (

  55.     const char *descr,

  56.     const struct p448_t *a

  57. ) {

  58.     int j;

  59.     printf("%s = 0x", descr);

  60.     for (j=15; j>=0; j--) {

  61.         printf("%02" PRIxWORD "_" PRIxWORD58 " ",

  62.             a->limb[j]>>28, a->limb[j]&((1<<28)-1));

  63.     }

  64.     printf("\n");

  65. }

  66. 

  67. static void q448_print( const char *descr, const word_t secret[448/WORD_BITS] ) {

  68.     int j;

  69.     printf("%s = 0x", descr);

  70.     for (j=448/WORD_BITS-1; j>=0; j--) {

  71.         printf(PRIxWORDfull, secret[j]);

  72.     }

  73.     printf("\n");

  74. }

  75. 

  76. #ifndef N_TESTS_BASE

  77. #define N_TESTS_BASE 10000

  78. #endif

  79. 

  80. int main(int argc, char **argv) {

  81.     (void)argc;

  82.     (void)argv;

  83. 

  84.     struct tw_extensible_t ext;

  85.     struct extensible_t exta;

  86.     struct tw_niels_t niels;

  87.     struct tw_pniels_t pniels;

  88.     struct affine_t affine;

  89.     struct montgomery_t mb;

  90.     struct p448_t a,b,c,d;

  91.     

  92.     

  93.     double when;

  94.     int i;

  95. 

  96.     int nbase = N_TESTS_BASE;

  97.     

  98.     /* Bad randomness so we can debug. */

  99.     char initial_seed[32];

  100.     for (i=0; i<32; i++) initial_seed[i] = i;

  101.     struct crandom_state_t crand;

  102.     crandom_init_from_buffer(&crand, initial_seed);

  103.     

  104.     word_t sk[448/WORD_BITS],tk[448/WORD_BITS];

  105.     q448_randomize(&crand, sk);

  106.     

  107.     when = now();

  108.     for (i=0; i<nbase*1000; i++) {

  109.         p448_mul(&c, &b, &a);

  110.     }

  111.     when = now() - when;

  112.     printf("mul:         %5.1fns\n", when * 1e9 / i);

  113.     

  114.     when = now();

  115.     for (i=0; i<nbase*1000; i++) {

  116.         p448_sqr(&c, &a);

  117.     }

  118.     when = now() - when;

  119.     printf("sqr:         %5.1fns\n", when * 1e9 / i);

  120.     

  121.     when = now();

  122.     for (i=0; i<nbase*500; i++) {

  123.         p448_mul(&c, &b, &a);

  124.         p448_mul(&a, &b, &c);

  125.     }

  126.     when = now() - when;

  127.     printf("mul dep:     %5.1fns\n", when * 1e9 / i / 2);

  128.     

  129.     when = now();

  130.     for (i=0; i<nbase*1000; i++) {

  131.         p448_mulw(&c, &b, 1234562);

  132.     }

  133.     when = now() - when;

  134.     printf("mulw:        %5.1fns\n", when * 1e9 / i);

  135.     

  136.     when = now();

  137.     for (i=0; i<nbase*10; i++) {

  138.         p448_randomize(&crand, &a);

  139.     }

  140.     when = now() - when;

  141.     printf("rand448:     %5.1fns\n", when * 1e9 / i);

  142.     

  143.     struct sha512_ctx_t sha;

  144.     uint8_t hashout[128];

  145.     when = now();

  146.     for (i=0; i<nbase; i++) {

  147.         sha512_init(&sha);

  148.         sha512_final(&sha, hashout);

  149.     }

  150.     when = now() - when;

  151.     printf("sha512 1blk: %5.1fns\n", when * 1e9 / i);

  152.     

  153.     when = now();

  154.     for (i=0; i<nbase; i++) {

  155.         sha512_update(&sha, hashout, 128);

  156.     }

  157.     when = now() - when;

  158.     printf("sha512 blk:  %5.1fns (%0.2f MB/s)\n", when * 1e9 / i, 128*i/when/1e6);

  159.     

  160.     when = now();

  161.     for (i=0; i<nbase; i++) {

  162.         p448_isr(&c, &a);

  163.     }

  164.     when = now() - when;

  165.     printf("isr auto:    %5.1fµs\n", when * 1e6 / i);

  166.     

  167.     for (i=0; i<100; i++) {

  168.         p448_randomize(&crand, &a);

  169.         p448_isr(&d,&a);

  170.         p448_sqr(&b,&d);

  171.         p448_mul(&c,&b,&a);

  172.         p448_sqr(&b,&c);

  173.         p448_subw(&b,1);

  174.         p448_bias(&b,1);

  175.         if (!p448_is_zero(&b)) {

  176.             printf("ISR validation failure!\n");

  177.             p448_print("a", &a);

  178.             p448_print("s", &d);

  179.         }

  180.     }

  181.     

  182.     when = now();

  183.     for (i=0; i<nbase; i++) {

  184.         elligator_2s_inject(&affine, &a);

  185.     }

  186.     when = now() - when;

  187.     printf("elligator:   %5.1fµs\n", when * 1e6 / i);

  188.     

  189.     for (i=0; i<100; i++) {

  190.         p448_randomize(&crand, &a);

  191.         elligator_2s_inject(&affine, &a);

  192.         if (!validate_affine(&affine)) {

  193.             printf("Elligator validation failure!\n");

  194.             p448_print("a", &a);

  195.             p448_print("x", &affine.x);

  196.             p448_print("y", &affine.y);

  197.         }

  198.     }

  199.     

  200.     when = now();

  201.     for (i=0; i<nbase; i++) {

  202.         deserialize_affine(&affine, &a);

  203.     }

  204.     when = now() - when;

  205.     printf("decompress:  %5.1fµs\n", when * 1e6 / i);

  206.     

  207.     when = now();

  208.     for (i=0; i<nbase; i++) {

  209.         serialize_extensible(&a, &exta);

  210.     }

  211.     when = now() - when;

  212.     printf("compress:    %5.1fµs\n", when * 1e6 / i);

  213.     

  214.     int goods = 0;

  215.     for (i=0; i<100; i++) {

  216.         p448_randomize(&crand, &a);

  217.         mask_t good = deserialize_affine(&affine, &a);

  218.         if (good & !validate_affine(&affine)) {

  219.             printf("Deserialize validation failure!\n");

  220.             p448_print("a", &a);

  221.             p448_print("x", &affine.x);

  222.             p448_print("y", &affine.y);

  223.         } else if (good) {

  224.             goods++;

  225.             convert_affine_to_extensible(&exta,&affine);

  226.             serialize_extensible(&b, &exta);

  227.             p448_sub(&c,&b,&a);

  228.             p448_bias(&c,2);

  229.             if (!p448_is_zero(&c)) {

  230.                 printf("Reserialize validation failure!\n");

  231.                 p448_print("a", &a);

  232.                 p448_print("x", &affine.x);

  233.                 p448_print("y", &affine.y);

  234.                 deserialize_affine(&affine, &b);

  235.                 p448_print("b", &b);

  236.                 p448_print("x", &affine.x);

  237.                 p448_print("y", &affine.y);

  238.                 printf("\n");

  239.             }

  240.         }

  241.     }

  242.     if (goods<i/3) {

  243.         printf("Deserialization validation failure! Deserialized %d/%d points\n", goods, i);

  244.     }

  245.     

  246.     word_t lsk[768/WORD_BITS];

  247.     crandom_generate(&crand, (unsigned char *)lsk, sizeof(lsk));

  248.     

  249.     when = now();

  250.     for (i=0; i<nbase*100; i++) {

  251.         barrett_reduce(lsk,sizeof(lsk)/sizeof(word_t),0,&goldi_q448);

  252.     }

  253.     when = now() - when;

  254.     printf("barrett red: %5.1fns\n", when * 1e9 / i);

  255.     

  256.     when = now();

  257.     for (i=0; i<nbase*10; i++) {

  258.         barrett_mac(lsk,448/WORD_BITS,lsk,448/WORD_BITS,lsk,448/WORD_BITS,&goldi_q448);

  259.     }

  260.     when = now() - when;

  261.     printf("barrett mac: %5.1fns\n", when * 1e9 / i);

  262.     

  263.     when = now();

  264.     for (i=0; i<nbase*100; i++) {

  265.         add_tw_niels_to_tw_extensible(&ext, &niels);

  266.     }

  267.     when = now() - when;

  268.     printf("exti+niels:  %5.1fns\n", when * 1e9 / i);

  269.     

  270.     when = now();

  271.     for (i=0; i<nbase*100; i++) {

  272.         add_tw_pniels_to_tw_extensible(&ext, &pniels);

  273.     }

  274.     when = now() - when;

  275.     printf("exti+pniels: %5.1fns\n", when * 1e9 / i);

  276.     

  277.     when = now();

  278.     for (i=0; i<nbase*100; i++) {

  279.         double_tw_extensible(&ext);

  280.     }

  281.     when = now() - when;

  282.     printf("exti dbl:    %5.1fns\n", when * 1e9 / i);

  283.     

  284.     when = now();

  285.     for (i=0; i<nbase*100; i++) {

  286.         untwist_and_double(&exta, &ext);

  287.     }

  288.     when = now() - when;

  289.     printf("i->a isog:   %5.1fns\n", when * 1e9 / i);

  290.     

  291.     when = now();

  292.     for (i=0; i<nbase*100; i++) {

  293.         twist_and_double(&ext, &exta);

  294.     }

  295.     when = now() - when;

  296.     printf("a->i isog:   %5.1fns\n", when * 1e9 / i);

  297.     

  298.     when = now();

  299.     for (i=0; i<nbase*100; i++) {

  300.         montgomery_step(&mb);

  301.     }

  302.     when = now() - when;

  303.     printf("monty step:  %5.1fns\n", when * 1e9 / i);

  304. 	

  305.     when = now();

  306.     for (i=0; i<nbase/10; i++) {

  307.         ignore_result(montgomery_ladder(&a,&b,sk,448,0));

  308.     }

  309.     when = now() - when;

  310.     printf("full ladder: %5.1fµs\n", when * 1e6 / i);

  311.     

  312.     when = now();

  313.     for (i=0; i<nbase/10; i++) {

  314.         scalarmul(&ext,sk);

  315.     }

  316.     when = now() - when;

  317.     printf("edwards smz: %5.1fµs\n", when * 1e6 / i);

  318.     

  319.     when = now();

  320.     for (i=0; i<nbase/10; i++) {

  321.         scalarmul_vlook(&ext,sk);

  322.     }

  323.     when = now() - when;

  324.     printf("edwards svl: %5.1fµs\n", when * 1e6 / i);

  325.     

  326.     when = now();

  327.     for (i=0; i<nbase/10; i++) {

  328.         scalarmul(&ext,sk);

  329.         untwist_and_double_and_serialize(&a,&ext);

  330.     }

  331.     when = now() - when;

  332.     printf("edwards smc: %5.1fµs\n", when * 1e6 / i);

  333.     

  334.     when = now();

  335.     for (i=0; i<nbase/10; i++) {

  336.         q448_randomize(&crand, sk);

  337.         scalarmul_vt(&ext,sk);

  338.     }

  339.     when = now() - when;

  340.     printf("edwards vtm: %5.1fµs\n", when * 1e6 / i);

  341.     

  342.     struct tw_niels_t wnaft[1<<6];

  343.     when = now();

  344.     for (i=0; i<nbase/10; i++) {

  345.         ignore_result(precompute_fixed_base_wnaf(wnaft,&ext,6));

  346.     }

  347.     when = now() - when;

  348.     printf("wnaf6 pre:   %5.1fµs\n", when * 1e6 / i);

  349.     

  350.     when = now();

  351.     for (i=0; i<nbase/10; i++) {

  352.         q448_randomize(&crand, sk);

  353.         scalarmul_fixed_base_wnaf_vt(&ext,sk,446,wnaft,6);

  354.     }

  355.     when = now() - when;

  356.     printf("edwards vt6: %5.1fµs\n", when * 1e6 / i);

  357.     

  358.     when = now();

  359.     for (i=0; i<nbase/10; i++) {

  360.         ignore_result(precompute_fixed_base_wnaf(wnaft,&ext,4));

  361.     }

  362.     when = now() - when;

  363.     printf("wnaf4 pre:   %5.1fµs\n", when * 1e6 / i);

  364.     

  365.     when = now();

  366.     for (i=0; i<nbase/10; i++) {

  367.         q448_randomize(&crand, sk);

  368.         scalarmul_fixed_base_wnaf_vt(&ext,sk,446,wnaft,4);

  369.     }

  370.     when = now() - when;

  371.     printf("edwards vt4: %5.1fµs\n", when * 1e6 / i);

  372. 

  373.     when = now();

  374.     for (i=0; i<nbase/10; i++) {

  375.         ignore_result(precompute_fixed_base_wnaf(wnaft,&ext,5));

  376.     }

  377.     when = now() - when;

  378.     printf("wnaf5 pre:   %5.1fµs\n", when * 1e6 / i);

  379.     

  380.     when = now();

  381.     for (i=0; i<nbase/10; i++) {

  382.         q448_randomize(&crand, sk);

  383.         scalarmul_fixed_base_wnaf_vt(&ext,sk,446,wnaft,5);

  384.     }

  385.     when = now() - when;

  386.     printf("edwards vt5: %5.1fµs\n", when * 1e6 / i);

  387.     

  388.     when = now();

  389.     for (i=0; i<nbase/10; i++) {

  390.         q448_randomize(&crand, sk);

  391.         q448_randomize(&crand, tk);

  392.         linear_combo_var_fixed_vt(&ext,sk,448,tk,448,wnaft,5);

  393.     }

  394.     when = now() - when;

  395.     printf("vt vf combo: %5.1fµs\n", when * 1e6 / i);

  396.     

  397.     when = now();

  398.     for (i=0; i<nbase/10; i++) {

  399.         deserialize_affine(&affine, &a);

  400.         convert_affine_to_extensible(&exta,&affine);

  401.         twist_and_double(&ext,&exta);

  402.         scalarmul(&ext,sk);

  403.         untwist_and_double(&exta,&ext);

  404.         serialize_extensible(&b, &exta);

  405.     }

  406.     when = now() - when;

  407.     printf("edwards sm:  %5.1fµs\n", when * 1e6 / i);

  408.     

  409.     struct fixed_base_table_t t_5_5_18, t_3_5_30, t_8_4_14, t_5_3_30, t_15_3_10;

  410. 

  411.     while (1) {

  412.         p448_randomize(&crand, &a);

  413.         if (deserialize_affine(&affine, &a)) break;

  414.     }

  415.     convert_affine_to_extensible(&exta,&affine);

  416.     twist_and_double(&ext,&exta);

  417.     when = now();

  418.     for (i=0; i<nbase/10; i++) {

  419.         if (i) destroy_fixed_base(&t_5_5_18);

  420.         ignore_result(precompute_fixed_base(&t_5_5_18, &ext, 5, 5, 18, NULL));

  421.     }

  422.     when = now() - when;

  423.     printf("pre(5,5,18): %5.1fµs\n", when * 1e6 / i);

  424.     

  425.     when = now();

  426.     for (i=0; i<nbase/10; i++) {

  427.         if (i) destroy_fixed_base(&t_3_5_30);

  428.         ignore_result(precompute_fixed_base(&t_3_5_30, &ext, 3, 5, 30, NULL));

  429.     }

  430.     when = now() - when;

  431.     printf("pre(3,5,30): %5.1fµs\n", when * 1e6 / i);

  432.     

  433.     when = now();

  434.     for (i=0; i<nbase/10; i++) {

  435.         if (i) destroy_fixed_base(&t_5_3_30);

  436.         ignore_result(precompute_fixed_base(&t_5_3_30, &ext, 5, 3, 30, NULL));

  437.     }

  438.     when = now() - when;

  439.     printf("pre(5,3,30): %5.1fµs\n", when * 1e6 / i);

  440.     

  441.     when = now();

  442.     for (i=0; i<nbase/10; i++) {

  443.         if (i) destroy_fixed_base(&t_15_3_10);

  444.         ignore_result(precompute_fixed_base(&t_15_3_10, &ext, 15, 3, 10, NULL));

  445.     }

  446.     when = now() - when;

  447.     printf("pre(15,3,10):%5.1fµs\n", when * 1e6 / i);

  448.     

  449.     when = now();

  450.     for (i=0; i<nbase/10; i++) {

  451.         if (i) destroy_fixed_base(&t_8_4_14);

  452.         ignore_result(precompute_fixed_base(&t_8_4_14, &ext, 8, 4, 14, NULL));

  453.     }

  454.     when = now() - when;

  455.     printf("pre(8,4,14): %5.1fµs\n", when * 1e6 / i);

  456. 	

  457.     when = now();

  458.     for (i=0; i<nbase; i++) {

  459.         scalarmul_fixed_base(&ext, sk, 448, &t_5_5_18);

  460.     }

  461.     when = now() - when;

  462.     printf("com(5,5,18): %5.1fµs\n", when * 1e6 / i);

  463.     

  464.     when = now();

  465.     for (i=0; i<nbase; i++) {

  466.         scalarmul_fixed_base(&ext, sk, 448, &t_3_5_30);

  467.     }

  468.     when = now() - when;

  469.     printf("com(3,5,30): %5.1fµs\n", when * 1e6 / i);

  470. 

  471.     when = now();

  472.     for (i=0; i<nbase; i++) {

  473.         scalarmul_fixed_base(&ext, sk, 448, &t_8_4_14);

  474.     }

  475.     when = now() - when;

  476.     printf("com(8,4,14): %5.1fµs\n", when * 1e6 / i);

  477. 

  478.     when = now();

  479.     for (i=0; i<nbase; i++) {

  480.         scalarmul_fixed_base(&ext, sk, 448, &t_5_3_30);

  481.     }

  482.     when = now() - when;

  483.     printf("com(5,3,30): %5.1fµs\n", when * 1e6 / i);

  484. 

  485.     when = now();

  486.     for (i=0; i<nbase; i++) {

  487.         scalarmul_fixed_base(&ext, sk, 448, &t_15_3_10);

  488.     }

  489.     when = now() - when;

  490.     printf("com(15,3,10):%5.1fµs\n", when * 1e6 / i);

  491.     

  492.     printf("\nGoldilocks:\n");

  493.     

  494.     int res = goldilocks_init();

  495.     assert(!res);

  496.     

  497.     struct goldilocks_public_key_t gpk,hpk;

  498.     struct goldilocks_private_key_t gsk,hsk;

  499.     

  500.     when = now();

  501.     for (i=0; i<nbase; i++) {

  502.         if (i&1) {

  503.             res = goldilocks_keygen(&gsk,&gpk);

  504.         } else {

  505.             res = goldilocks_keygen(&hsk,&hpk);

  506.         }

  507.         assert(!res);

  508.     }

  509.     when = now() - when;

  510.     printf("keygen:      %5.1fµs\n", when * 1e6 / i);

  511.     

  512.     uint8_t ss1[64],ss2[64];

  513.     int gres1=0,gres2=0;

  514.     when = now();

  515.     for (i=0; i<nbase; i++) {

  516.         if (i&1) {

  517.             gres1 = goldilocks_shared_secret(ss1,&gsk,&hpk);

  518.         } else {

  519.             gres2 = goldilocks_shared_secret(ss2,&hsk,&gpk);

  520.         }

  521.     }

  522.     when = now() - when;

  523.     printf("ecdh:        %5.1fµs\n", when * 1e6 / i);

  524.     if (gres1 || gres2 || memcmp(ss1,ss2,64)) {

  525.         printf("[FAIL] %d %d\n",gres1,gres2);

  526.         

  527.         printf("sk1 = ");

  528.         for (i=0; i<56; i++) {

  529.             printf("%02x", gsk.opaque[i]);

  530.         }

  531.         printf("\nsk2 = ");

  532.         for (i=0; i<56; i++) {

  533.             printf("%02x", hsk.opaque[i]);

  534.         }

  535.         printf("\nss1 = ");

  536.         for (i=0; i<56; i++) {

  537.             printf("%02x", ss1[i]);

  538.         }

  539.         printf("\nss2 = ");

  540.         for (i=0; i<56; i++) {

  541.             printf("%02x", ss2[i]);

  542.         }

  543.         printf("\n");

  544.     }

  545.     

  546.     uint8_t sout[56*2];

  547.     const char *message = "hello world";

  548.     size_t message_len = strlen(message);

  549.     when = now();

  550.     for (i=0; i<nbase; i++) {

  551.         res = goldilocks_sign(sout,(const unsigned char *)message,message_len,&gsk);

  552.         assert(!res);

  553.     }

  554.     when = now() - when;

  555.     printf("sign:        %5.1fµs\n", when * 1e6 / i);

  556.     

  557.     when = now();

  558.     for (i=0; i<nbase; i++) {

  559.         int ver = goldilocks_verify(sout,(const unsigned char *)message,message_len,&gpk);

  560.         assert(!ver);

  561.     }

  562.     when = now() - when;

  563.     printf("verify:      %5.1fµs\n", when * 1e6 / i);

  564.     

  565.     struct goldilocks_precomputed_public_key_t *pre = NULL;

  566.     when = now();

  567.     for (i=0; i<nbase; i++) {

  568.         goldilocks_destroy_precomputed_public_key(pre);

  569.         pre = goldilocks_precompute_public_key(&gpk);

  570.     }

  571.     when = now() - when;

  572.     printf("precompute:  %5.1fµs\n", when * 1e6 / i);

  573.     

  574.     when = now();

  575.     for (i=0; i<nbase; i++) {

  576.         int ver = goldilocks_verify_precomputed(sout,(const unsigned char *)message,message_len,pre);

  577.         assert(!ver);

  578.     }

  579.     when = now() - when;

  580.     printf("verify pre:  %5.1fµs\n", when * 1e6 / i);

  581.     

  582.     when = now();

  583.     for (i=0; i<nbase; i++) {

  584.         int ret = goldilocks_shared_secret_precomputed(ss1,&gsk,pre);

  585.         assert(!ret);

  586.     }

  587.     when = now() - when;

  588.     printf("ecdh pre:    %5.1fµs\n", when * 1e6 / i);

  589.     

  590.     printf("\nTesting...\n");

  591.     

  592.     

  593.     int failures=0, successes = 0;

  594.     for (i=0; i<nbase/10; i++) {

  595.         ignore_result(goldilocks_keygen(&gsk,&gpk));

  596.         goldilocks_sign(sout,(const unsigned char *)message,message_len,&gsk);

  597.         res = goldilocks_verify(sout,(const unsigned char *)message,message_len,&gpk);

  598.         if (res) failures++;

  599.     }

  600.     if (failures) {

  601.         printf("FAIL %d/%d signature checks!\n", failures, i);

  602.     }

  603.     

  604.     failures=0; successes = 0;

  605.     for (i=0; i<nbase/10; i++) {

  606.         p448_randomize(&crand, &a);

  607. 		word_t two = 2;

  608.         mask_t good = montgomery_ladder(&b,&a,&two,2,0);

  609. 		if (!good) continue;

  610. 		

  611. 		word_t x,y;

  612.         crandom_generate(&crand, (unsigned char *)&x, sizeof(x));

  613.         crandom_generate(&crand, (unsigned char *)&y, sizeof(y));

  614.         x = (hword_t)x;

  615.         y = (hword_t)y;

  616.         word_t z=x*y;

  617.         

  618.     	ignore_result(montgomery_ladder(&b,&a,&x,WORD_BITS,0));

  619.         ignore_result(montgomery_ladder(&c,&b,&y,WORD_BITS,0));

  620.         ignore_result(montgomery_ladder(&b,&a,&z,WORD_BITS,0));

  621.         

  622.         p448_sub(&d,&b,&c);

  623.         p448_bias(&d,2);

  624. 		if (!p448_is_zero(&d)) {

  625.             printf("Odd ladder validation failure %d!\n", ++failures);

  626.             p448_print("a", &a);

  627.             printf("x=%"PRIxWORD", y=%"PRIxWORD", z=%"PRIxWORD"\n", x,y,z);

  628.             p448_print("c", &c);

  629.             p448_print("b", &b);

  630. 			printf("\n");

  631. 		}

  632. 	}

  633.     

  634.     failures = 0;

  635.     for (i=0; i<nbase/10; i++) {

  636.         mask_t good;

  637.         do {

  638.             p448_randomize(&crand, &a);

  639.             good = deserialize_affine(&affine, &a);

  640.         } while (!good);

  641.         

  642.         convert_affine_to_extensible(&exta,&affine);

  643.         twist_and_double(&ext,&exta);

  644.         untwist_and_double(&exta,&ext);

  645.         serialize_extensible(&b, &exta);

  646.         untwist_and_double_and_serialize(&c, &ext);

  647.         

  648.         p448_sub(&d,&b,&c);

  649.         p448_bias(&d,2);

  650.         

  651.         if (good && !p448_is_zero(&d)){

  652.             printf("Iso+serial validation failure %d!\n", ++failures);

  653.             p448_print("a", &a);

  654.             p448_print("b", &b);

  655.             p448_print("c", &c);

  656.             printf("\n");

  657.         } else if (good) {

  658.             successes ++;

  659.         }

  660.     }

  661.     if (successes < i/3) {

  662.         printf("Iso+serial variation: only %d/%d successful.\n", successes, i);

  663.     }

  664.     

  665.     successes = failures = 0;

  666.     for (i=0; i<nbase/10; i++) {

  667.         struct p448_t aa;

  668.         struct tw_extensible_t exu,exv,exw;

  669.         

  670.         mask_t good;

  671.         do {

  672.             p448_randomize(&crand, &a);

  673.             good = deserialize_affine(&affine, &a);

  674.             convert_affine_to_extensible(&exta,&affine);

  675.             twist_and_double(&ext,&exta);

  676.         } while (!good);

  677.         do {

  678.             p448_randomize(&crand, &aa);

  679.             good = deserialize_affine(&affine, &aa);

  680.             convert_affine_to_extensible(&exta,&affine);

  681.             twist_and_double(&exu,&exta);

  682.         } while (!good);

  683.         p448_randomize(&crand, &aa);

  684.         

  685.         q448_randomize(&crand, sk);

  686. 		if (i==0 || i==2) memset(&sk, 0, sizeof(sk));

  687.         q448_randomize(&crand, tk);

  688. 		if (i==0 || i==1) memset(&tk, 0, sizeof(tk));

  689.         

  690.         copy_tw_extensible(&exv, &ext);

  691.         copy_tw_extensible(&exw, &exu);

  692.         scalarmul(&exv,sk);

  693.         scalarmul(&exw,tk);

  694.         convert_tw_extensible_to_tw_pniels(&pniels, &exw);

  695.         add_tw_pniels_to_tw_extensible(&exv,&pniels);

  696.         untwist_and_double(&exta,&exv);

  697.         serialize_extensible(&b, &exta);

  698. 

  699.         ignore_result(precompute_fixed_base_wnaf(wnaft,&exu,5));

  700.         linear_combo_var_fixed_vt(&ext,sk,448,tk,448,wnaft,5);

  701.         untwist_and_double(&exta,&exv);

  702.         serialize_extensible(&c, &exta);

  703.         

  704.         p448_sub(&d,&b,&c);

  705.         p448_bias(&d,2);

  706.         

  707.         if (!p448_is_zero(&d)){

  708.             printf("PreWNAF combo validation failure %d!\n", ++failures);

  709.             p448_print("a", &a);

  710.             p448_print("A", &aa);

  711.             q448_print("s", sk);

  712.             q448_print("t", tk);

  713.             p448_print("c", &c);

  714.             p448_print("b", &b);

  715.             printf("\n\n");

  716.         } else if (good) {

  717.             successes ++;

  718.         }

  719.     }

  720.     if (successes < i) {

  721.         printf("PreWNAF combo variation: only %d/%d successful.\n", successes, i);

  722.     }

  723.     

  724.     return 0;

  725. }