jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
142 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: d675971fee
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'd675971fee'
${ noResults }
ed448goldilocks/test/bench.c

781 lines
22 KiB
Raw Blame History 

  1. /* Copyright (c) 2014 Cryptography Research, Inc.

  2.  * Released under the MIT License.  See LICENSE.txt for license information.

  3.  */

  4. 

  5. #include "word.h"

  6. 

  7. #include <sys/time.h>

  8. #include <sys/types.h>

  9. #include <stdio.h>

  10. #include <memory.h>

  11. 

  12. #include "field.h"

  13. #include "ec_point.h"

  14. #include "scalarmul.h"

  15. #include "barrett_field.h"

  16. #include "crandom.h"

  17. #include "goldilocks.h"

  18. #include "sha512.h"

  19. #include "decaf.h"

  20. #include "decaf_crypto.h"

  21. #include "shake.h"

  22. 

  23. static __inline__ void

  24. ignore_result ( int result ) {

  25.     (void)result;

  26. }

  27. 

  28. static double now(void) {

  29.   struct timeval tv;

  30.   gettimeofday(&tv, NULL);

  31.   

  32.   return tv.tv_sec + tv.tv_usec/1000000.0;

  33. }

  34. 

  35. static void field_randomize( struct crandom_state_t *crand, field_a_t a ) {

  36.     crandom_generate(crand, (unsigned char *)a, sizeof(*a));

  37.     field_strong_reduce(a);

  38. }

  39. 

  40. static void q448_randomize( struct crandom_state_t *crand, word_t sk[SCALAR_WORDS] ) {

  41.     crandom_generate(crand, (unsigned char *)sk, SCALAR_BYTES);

  42. }

  43. 

  44. static void field_print( const char *descr, const field_a_t a ) {

  45.     int j;

  46.     unsigned char ser[FIELD_BYTES];

  47.     field_serialize(ser,a);

  48.     printf("%s = 0x", descr);

  49.     for (j=FIELD_BYTES - 1; j>=0; j--) {

  50.         printf("%02x", ser[j]);

  51.     }

  52.     printf("\n");

  53. }

  54. 

  55. static void __attribute__((unused))

  56. field_print_full (

  57.     const char *descr,

  58.     const field_a_t a

  59. ) {

  60.     int j;

  61.     printf("%s = 0x", descr);

  62.     for (j=15; j>=0; j--) {

  63.         printf("%02" PRIxWORD "_" PRIxWORD56 " ",

  64.             a->limb[j]>>28, a->limb[j]&((1<<28)-1));

  65.     }

  66.     printf("\n");

  67. }

  68. 

  69. #ifndef N_TESTS_BASE

  70. #define N_TESTS_BASE 10000

  71. #endif

  72. 

  73. int main(int argc, char **argv) {

  74.     (void)argc;

  75.     (void)argv;

  76. 

  77.     struct tw_extensible_t ext;

  78.     struct extensible_t exta;

  79.     struct tw_niels_t niels;

  80.     struct tw_pniels_t pniels;

  81.     struct affine_t affine;

  82.     struct montgomery_t mb;

  83.     struct montgomery_aux_t mba;

  84.     field_a_t a,b,c,d;

  85.     

  86.     double when;

  87.     int i;

  88. 

  89.     int nbase = N_TESTS_BASE;

  90.     

  91.     /* Bad randomness so we can debug. */

  92.     char initial_seed[32];

  93.     for (i=0; i<32; i++) initial_seed[i] = i;

  94.     struct crandom_state_t crand;

  95.     crandom_init_from_buffer(&crand, initial_seed);

  96.     /* For testing the performance drop from the crandom debuffering change.

  97.         ignore_result(crandom_init_from_file(&crand, "/dev/urandom", 10000, 1));

  98.     */

  99.     

  100.     word_t sk[SCALAR_WORDS],tk[SCALAR_WORDS];

  101.     q448_randomize(&crand, sk);

  102.     

  103.     memset(a,0,sizeof(a));

  104.     memset(b,0,sizeof(b));

  105.     memset(c,0,sizeof(c));

  106.     memset(d,0,sizeof(d));

  107.     when = now();

  108.     for (i=0; i<nbase*5000; i++) {

  109.         field_mul(c, b, a);

  110.     }

  111.     when = now() - when;

  112.     printf("mul:         %5.1fns\n", when * 1e9 / i);

  113.     

  114.     when = now();

  115.     for (i=0; i<nbase*5000; i++) {

  116.         field_sqr(c, a);

  117.     }

  118.     when = now() - when;

  119.     printf("sqr:         %5.1fns\n", when * 1e9 / i);

  120.     

  121.     when = now();

  122.     for (i=0; i<nbase*5000; i++) {

  123.         field_mulw(c, b, 1234562);

  124.     }

  125.     when = now() - when;

  126.     printf("mulw:        %5.1fns\n", when * 1e9 / i);

  127.     

  128.     when = now();

  129.     for (i=0; i<nbase*500; i++) {

  130.         field_mul(c, b, a);

  131.         field_mul(a, b, c);

  132.     }

  133.     when = now() - when;

  134.     printf("mul dep:     %5.1fns\n", when * 1e9 / i / 2);

  135.     

  136.     when = now();

  137.     for (i=0; i<nbase*10; i++) {

  138.         field_randomize(&crand, a);

  139.     }

  140.     when = now() - when;

  141.     printf("rand448:     %5.1fns\n", when * 1e9 / i);

  142.     

  143.     sha512_ctx_a_t sha;

  144.     uint8_t hashout[128];

  145.     when = now();

  146.     for (i=0; i<nbase; i++) {

  147.         sha512_init(sha);

  148.         sha512_final(sha, hashout);

  149.     }

  150.     when = now() - when;

  151.     printf("sha512 1blk: %5.1fns\n", when * 1e9 / i);

  152.     

  153.     when = now();

  154.     for (i=0; i<nbase; i++) {

  155.         sha512_update(sha, hashout, 128);

  156.     }

  157.     when = now() - when;

  158.     printf("sha512 blk:  %5.1fns (%0.2f MB/s)\n", when * 1e9 / i, 128*i/when/1e6);

  159.     

  160.     when = now();

  161.     for (i=0; i<nbase; i++) {

  162.         shake256_hash(hashout,128,hashout,128);

  163.     }

  164.     when = now() - when;

  165.     printf("shake  1blk: %5.1fns\n", when * 1e9 / i);

  166.     

  167.     when = now();

  168.     for (i=0; i<nbase; i++) {

  169.         field_isr(c, a);

  170.     }

  171.     when = now() - when;

  172.     printf("isr auto:    %5.1fµs\n", when * 1e6 / i);

  173.     

  174.     for (i=0; i<100; i++) {

  175.         field_randomize(&crand, a);

  176.         field_isr(d,a);

  177.         field_sqr(b,d);

  178.         field_mul(c,b,a);

  179.         field_sqr(b,c);

  180.         field_subw(b,1);

  181.         if (!field_is_zero(b)) {

  182.             printf("ISR validation failure!\n");

  183.             field_print("a", a);

  184.             field_print("s", d);

  185.         }

  186.     }

  187.     

  188.     when = now();

  189.     for (i=0; i<nbase; i++) {

  190.         elligator_2s_inject(&affine, a);

  191.     }

  192.     when = now() - when;

  193.     printf("elligator:   %5.1fµs\n", when * 1e6 / i);

  194.     

  195.     for (i=0; i<100; i++) {

  196.         field_randomize(&crand, a);

  197.         elligator_2s_inject(&affine, a);

  198.         if (!validate_affine(&affine)) {

  199.             printf("Elligator validation failure!\n");

  200.             field_print("a", a);

  201.             field_print("x", affine.x);

  202.             field_print("y", affine.y);

  203.         }

  204.     }

  205.     

  206.     when = now();

  207.     for (i=0; i<nbase; i++) {

  208.         deserialize_affine(&affine, a);

  209.     }

  210.     when = now() - when;

  211.     printf("decompress:  %5.1fµs\n", when * 1e6 / i);

  212.     

  213.     convert_affine_to_extensible(&exta, &affine);

  214.     when = now();

  215.     for (i=0; i<nbase; i++) {

  216.         serialize_extensible(a, &exta);

  217.     }

  218.     when = now() - when;

  219.     printf("compress:    %5.1fµs\n", when * 1e6 / i);

  220.     

  221.     int goods = 0;

  222.     for (i=0; i<100; i++) {

  223.         field_randomize(&crand, a);

  224.         mask_t good = deserialize_affine(&affine, a);

  225.         if (good & !validate_affine(&affine)) {

  226.             printf("Deserialize validation failure!\n");

  227.             field_print("a", a);

  228.             field_print("x", affine.x);

  229.             field_print("y", affine.y);

  230.         } else if (good) {

  231.             goods++;

  232.             convert_affine_to_extensible(&exta,&affine);

  233.             serialize_extensible(b, &exta);

  234.             field_sub(c,b,a);

  235.             if (!field_is_zero(c)) {

  236.                 printf("Reserialize validation failure!\n");

  237.                 field_print("a", a);

  238.                 field_print("x", affine.x);

  239.                 field_print("y", affine.y);

  240.                 deserialize_affine(&affine, b);

  241.                 field_print("b", b);

  242.                 field_print("x", affine.x);

  243.                 field_print("y", affine.y);

  244.                 printf("\n");

  245.             }

  246.         }

  247.     }

  248.     if (goods<i/3) {

  249.         printf("Deserialization validation failure! Deserialized %d/%d points\n", goods, i);

  250.     }

  251.     

  252.     word_t lsk[768/WORD_BITS];

  253.     crandom_generate(&crand, (unsigned char *)lsk, sizeof(lsk));

  254.     

  255.     when = now();

  256.     for (i=0; i<nbase*100; i++) {

  257.         barrett_reduce(lsk,sizeof(lsk)/sizeof(word_t),0,&curve_prime_order);

  258.     }

  259.     when = now() - when;

  260.     printf("barrett red: %5.1fns\n", when * 1e9 / i);

  261.     

  262.     when = now();

  263.     for (i=0; i<nbase*10; i++) {

  264.         barrett_mac(lsk,SCALAR_WORDS,lsk,SCALAR_WORDS,lsk,SCALAR_WORDS,&curve_prime_order);

  265.     }

  266.     when = now() - when;

  267.     printf("barrett mac: %5.1fns\n", when * 1e9 / i);

  268.     

  269.     decaf_448_scalar_t asc,bsc,csc;

  270.     memset(asc,0,sizeof(asc));

  271.     memset(bsc,0,sizeof(bsc));

  272.     when = now();

  273.     for (i=0; i<nbase*10; i++) {

  274.         decaf_448_scalar_mul(csc,asc,bsc);

  275.     }

  276.     when = now() - when;

  277.     printf("decaf mulsc: %5.1fns\n", when * 1e9 / i);

  278.     

  279.     when = now();

  280.     for (i=0; i<nbase/10; i++) {

  281.         decaf_448_scalar_invert(csc,bsc);

  282.     }

  283.     when = now() - when;

  284.     printf("decaf invsc: %5.1fµs\n", when * 1e6 / i);

  285.     

  286.     memset(&ext,0,sizeof(ext));

  287.     memset(&niels,0,sizeof(niels)); /* avoid assertions in p521 even though this isn't a valid ext or niels */

  288. 

  289.     tw_extended_a_t ed;

  290.     convert_tw_extensible_to_tw_extended(ed,&ext);

  291. 

  292.     when = now();

  293.     for (i=0; i<nbase*100; i++) {

  294.         add_tw_niels_to_tw_extensible(&ext, &niels);

  295.     }

  296.     when = now() - when;

  297.     printf("exti+niels:  %5.1fns\n", when * 1e9 / i);

  298. 

  299.     when = now();

  300.     for (i=0; i<nbase*100; i++) {

  301.         add_tw_extended(ed,ed);

  302.     }

  303.     when = now() - when;

  304.     printf("txt + txt :  %5.1fns\n", when * 1e9 / i);

  305. 

  306.     decaf_448_point_t Da,Db,Dc;

  307.     memset(Da,0,sizeof(Da));

  308.     memset(Db,0,sizeof(Db));

  309.     memset(Dc,0,sizeof(Dc));

  310.     when = now();

  311.     for (i=0; i<nbase*100; i++) {

  312.         decaf_448_point_add(Da,Db,Dc);

  313.     }

  314.     when = now() - when;

  315.     printf("dec + dec:   %5.1fns\n", when * 1e9 / i);

  316.     

  317.     convert_tw_extensible_to_tw_pniels(&pniels, &ext);

  318.     when = now();

  319.     for (i=0; i<nbase*100; i++) {

  320.         add_tw_pniels_to_tw_extensible(&ext, &pniels);

  321.     }

  322.     when = now() - when;

  323.     printf("exti+pniels: %5.1fns\n", when * 1e9 / i);

  324.     

  325.     when = now();

  326.     for (i=0; i<nbase*100; i++) {

  327.         double_tw_extensible(&ext);

  328.     }

  329.     when = now() - when;

  330.     printf("exti dbl:    %5.1fns\n", when * 1e9 / i);

  331.     

  332.     when = now();

  333.     for (i=0; i<nbase*100; i++) {

  334.         untwist_and_double(&exta, &ext);

  335.     }

  336.     when = now() - when;

  337.     printf("i->a isog:   %5.1fns\n", when * 1e9 / i);

  338.     

  339.     when = now();

  340.     for (i=0; i<nbase*100; i++) {

  341.         twist_and_double(&ext, &exta);

  342.     }

  343.     when = now() - when;

  344.     printf("a->i isog:   %5.1fns\n", when * 1e9 / i);

  345.     

  346.     memset(&mb,0,sizeof(mb));

  347.     when = now();

  348.     for (i=0; i<nbase*100; i++) {

  349.         montgomery_step(&mb);

  350.     }

  351.     when = now() - when;

  352.     printf("monty step:  %5.1fns\n", when * 1e9 / i);

  353.     

  354.     memset(&mba,0,sizeof(mba));

  355.     when = now();

  356.     for (i=0; i<nbase*100; i++) {

  357.         montgomery_aux_step(&mba);

  358.     }

  359.     when = now() - when;

  360.     printf("monty aux:   %5.1fns\n", when * 1e9 / i);

  361. 	

  362.     when = now();

  363.     for (i=0; i<nbase/10; i++) {

  364.         ignore_result(montgomery_ladder(a,b,sk,FIELD_BITS,0));

  365.     }

  366.     when = now() - when;

  367.     printf("full ladder: %5.1fµs\n", when * 1e6 / i);

  368. 	

  369.     when = now();

  370.     for (i=0; i<nbase/10; i++) {

  371.         ignore_result(decaf_montgomery_ladder(a,b,sk,FIELD_BITS));

  372.     }

  373.     when = now() - when;

  374.     printf("decafladder: %5.1fµs\n", when * 1e6 / i);

  375.    

  376.     when = now();

  377.     for (i=0; i<nbase/10; i++) {

  378.         decaf_448_point_scalarmul(Da,Db,asc);

  379.     }

  380.     when = now() - when;

  381.     printf("decaf slow:  %5.1fµs\n", when * 1e6 / i);

  382.    

  383.     uint8_t enc[DECAF_448_SER_BYTES];

  384.     memset(enc,4,sizeof(enc));

  385.     when = now();

  386.     for (i=0; i<nbase/10; i++) {

  387.         ignore_result(decaf_448_direct_scalarmul(enc,enc,asc,-1,0));

  388.     }

  389.     when = now() - when;

  390.     printf("decaf dir:   %5.1fµs\n", when * 1e6 / i);

  391.    

  392.     when = now();

  393.     for (i=0; i<nbase/10; i++) {

  394.         decaf_448_point_double_scalarmul(Da,Db,bsc,Dc,asc);

  395.     }

  396.     when = now() - when;

  397.     printf("decaf slo2:  %5.1fµs\n", when * 1e6 / i);

  398.    

  399.     when = now();

  400.     for (i=0; i<nbase/10; i++) {

  401.         decaf_448_precomputed_scalarmul(Da,decaf_448_precomputed_base,bsc);

  402.     }

  403.     when = now() - when;

  404.     printf("decaf pres:  %5.1fµs\n", when * 1e6 / i);

  405. 

  406.     when = now();

  407.     for (i=0; i<nbase/10; i++) {

  408.         scalarmul(&ext,sk);

  409.     }

  410.     when = now() - when;

  411.     printf("edwards smz: %5.1fµs\n", when * 1e6 / i);

  412.     

  413.     when = now();

  414.     for (i=0; i<nbase/10; i++) {

  415.         scalarmul_vlook(&ext,sk);

  416.     }

  417.     when = now() - when;

  418.     printf("edwards svl: %5.1fµs\n", when * 1e6 / i);

  419.     

  420.     when = now();

  421.     for (i=0; i<nbase/10; i++) {

  422.         scalarmul_ed(ed,sk);

  423.     }

  424.     when = now() - when;

  425.     printf("edwards txt: %5.1fµs\n", when * 1e6 / i);

  426.     

  427.     field_set_ui(a,0);

  428.     when = now();

  429.     for (i=0; i<nbase/10; i++) {

  430. 	ignore_result(decaf_deserialize_tw_extended(ed,a,-1));

  431.         scalarmul_ed(ed,sk);

  432. 	decaf_serialize_tw_extended(a,ed);

  433.     }

  434.     when = now() - when;

  435.     printf("simple ECDH: %5.1fµs\n", when * 1e6 / i);

  436.     

  437.     when = now();

  438.     for (i=0; i<nbase/10; i++) {

  439.         scalarmul(&ext,sk);

  440.         untwist_and_double_and_serialize(a,&ext);

  441.     }

  442.     when = now() - when;

  443.     printf("edwards smc: %5.1fµs\n", when * 1e6 / i);

  444.     

  445.     when = now();

  446.     for (i=0; i<nbase/10; i++) {

  447.         q448_randomize(&crand, sk);

  448.         scalarmul_vt(&ext,sk,SCALAR_BITS);

  449.     }

  450.     when = now() - when;

  451.     printf("edwards vtm: %5.1fµs\n", when * 1e6 / i);

  452.     

  453.     tw_niels_a_t wnaft[1<<6];

  454.     when = now();

  455.     for (i=0; i<nbase/10; i++) {

  456.         ignore_result(precompute_fixed_base_wnaf(wnaft,&ext,6));

  457.     }

  458.     when = now() - when;

  459.     printf("wnaf6 pre:   %5.1fµs\n", when * 1e6 / i);

  460.     

  461.     when = now();

  462.     for (i=0; i<nbase/10; i++) {

  463.         q448_randomize(&crand, sk);

  464.         scalarmul_fixed_base_wnaf_vt(&ext,sk,SCALAR_BITS,(const tw_niels_a_t*)wnaft,6);

  465.     }

  466.     when = now() - when;

  467.     printf("edwards vt6: %5.1fµs\n", when * 1e6 / i);

  468.     

  469.     when = now();

  470.     for (i=0; i<nbase/10; i++) {

  471.         ignore_result(precompute_fixed_base_wnaf(wnaft,&ext,4));

  472.     }

  473.     when = now() - when;

  474.     printf("wnaf4 pre:   %5.1fµs\n", when * 1e6 / i);

  475.     

  476.     when = now();

  477.     for (i=0; i<nbase/10; i++) {

  478.         q448_randomize(&crand, sk);

  479.         scalarmul_fixed_base_wnaf_vt(&ext,sk,SCALAR_BITS,(const tw_niels_a_t*)wnaft,4);

  480.     }

  481.     when = now() - when;

  482.     printf("edwards vt4: %5.1fµs\n", when * 1e6 / i);

  483. 

  484.     when = now();

  485.     for (i=0; i<nbase/10; i++) {

  486.         ignore_result(precompute_fixed_base_wnaf(wnaft,&ext,5));

  487.     }

  488.     when = now() - when;

  489.     printf("wnaf5 pre:   %5.1fµs\n", when * 1e6 / i);

  490.     

  491.     when = now();

  492.     for (i=0; i<nbase/10; i++) {

  493.         q448_randomize(&crand, sk);

  494.         scalarmul_fixed_base_wnaf_vt(&ext,sk,SCALAR_BITS,(const tw_niels_a_t*)wnaft,5);

  495.     }

  496.     when = now() - when;

  497.     printf("edwards vt5: %5.1fµs\n", when * 1e6 / i);

  498.     

  499.     when = now();

  500.     for (i=0; i<nbase/10; i++) {

  501.         q448_randomize(&crand, sk);

  502.         q448_randomize(&crand, tk);

  503.         linear_combo_var_fixed_vt(&ext,sk,FIELD_BITS,tk,FIELD_BITS,(const tw_niels_a_t*)wnaft,5);

  504.     }

  505.     when = now() - when;

  506.     printf("vt vf combo: %5.1fµs\n", when * 1e6 / i);

  507.     

  508.     when = now();

  509.     for (i=0; i<nbase/10; i++) {

  510.         deserialize_affine(&affine, a);

  511.         convert_affine_to_extensible(&exta,&affine);

  512.         twist_and_double(&ext,&exta);

  513.         scalarmul(&ext,sk);

  514.         untwist_and_double(&exta,&ext);

  515.         serialize_extensible(b, &exta);

  516.     }

  517.     when = now() - when;

  518.     printf("edwards sm:  %5.1fµs\n", when * 1e6 / i);

  519.     

  520.     struct fixed_base_table_t t_5_5_18, t_3_5_30, t_8_4_14, t_5_3_30, t_15_3_10;

  521. 

  522.     while (1) {

  523.         field_randomize(&crand, a);

  524.         if (deserialize_affine(&affine, a)) break;

  525.     }

  526.     convert_affine_to_extensible(&exta,&affine);

  527.     twist_and_double(&ext,&exta);

  528.     when = now();

  529.     for (i=0; i<nbase/10; i++) {

  530.         if (i) destroy_fixed_base(&t_5_5_18);

  531.         ignore_result(precompute_fixed_base(&t_5_5_18, &ext, 5, 5, 18, NULL));

  532.     }

  533.     when = now() - when;

  534.     printf("pre(5,5,18): %5.1fµs\n", when * 1e6 / i);

  535.     

  536.     when = now();

  537.     for (i=0; i<nbase/10; i++) {

  538.         if (i) destroy_fixed_base(&t_3_5_30);

  539.         ignore_result(precompute_fixed_base(&t_3_5_30, &ext, 3, 5, 30, NULL));

  540.     }

  541.     when = now() - when;

  542.     printf("pre(3,5,30): %5.1fµs\n", when * 1e6 / i);

  543.     

  544.     when = now();

  545.     for (i=0; i<nbase/10; i++) {

  546.         if (i) destroy_fixed_base(&t_5_3_30);

  547.         ignore_result(precompute_fixed_base(&t_5_3_30, &ext, 5, 3, 30, NULL));

  548.     }

  549.     when = now() - when;

  550.     printf("pre(5,3,30): %5.1fµs\n", when * 1e6 / i);

  551.     

  552.     when = now();

  553.     for (i=0; i<nbase/10; i++) {

  554.         if (i) destroy_fixed_base(&t_15_3_10);

  555.         ignore_result(precompute_fixed_base(&t_15_3_10, &ext, 15, 3, 10, NULL));

  556.     }

  557.     when = now() - when;

  558.     printf("pre(15,3,10):%5.1fµs\n", when * 1e6 / i);

  559.     

  560.     when = now();

  561.     for (i=0; i<nbase/10; i++) {

  562.         if (i) destroy_fixed_base(&t_8_4_14);

  563.         ignore_result(precompute_fixed_base(&t_8_4_14, &ext, 8, 4, 14, NULL));

  564.     }

  565.     when = now() - when;

  566.     printf("pre(8,4,14): %5.1fµs\n", when * 1e6 / i);

  567. 	

  568.     when = now();

  569.     for (i=0; i<nbase; i++) {

  570.         scalarmul_fixed_base(&ext, sk, FIELD_BITS, &t_5_5_18);

  571.     }

  572.     when = now() - when;

  573.     printf("com(5,5,18): %5.1fµs\n", when * 1e6 / i);

  574.     

  575.     when = now();

  576.     for (i=0; i<nbase; i++) {

  577.         scalarmul_fixed_base(&ext, sk, FIELD_BITS, &t_3_5_30);

  578.     }

  579.     when = now() - when;

  580.     printf("com(3,5,30): %5.1fµs\n", when * 1e6 / i);

  581. 

  582.     when = now();

  583.     for (i=0; i<nbase; i++) {

  584.         scalarmul_fixed_base(&ext, sk, FIELD_BITS, &t_8_4_14);

  585.     }

  586.     when = now() - when;

  587.     printf("com(8,4,14): %5.1fµs\n", when * 1e6 / i);

  588. 

  589.     when = now();

  590.     for (i=0; i<nbase; i++) {

  591.         scalarmul_fixed_base(&ext, sk, FIELD_BITS, &t_5_3_30);

  592.     }

  593.     when = now() - when;

  594.     printf("com(5,3,30): %5.1fµs\n", when * 1e6 / i);

  595. 

  596.     when = now();

  597.     for (i=0; i<nbase; i++) {

  598.         scalarmul_fixed_base(&ext, sk, FIELD_BITS, &t_15_3_10);

  599.     }

  600.     when = now() - when;

  601.     printf("com(15,3,10):%5.1fµs\n", when * 1e6 / i);

  602.     

  603.     printf("\nGoldilocks:\n");

  604.     

  605.     int res = goldilocks_init();

  606.     assert(!res);

  607.     

  608.     struct goldilocks_public_key_t gpk,hpk;

  609.     struct goldilocks_private_key_t gsk,hsk;

  610.     

  611.     when = now();

  612.     for (i=0; i<nbase; i++) {

  613.         if (i&1) {

  614.             res = goldilocks_keygen(&gsk,&gpk);

  615.         } else {

  616.             res = goldilocks_keygen(&hsk,&hpk);

  617.         }

  618.         assert(!res);

  619.     }

  620.     when = now() - when;

  621.     printf("keygen:      %5.1fµs\n", when * 1e6 / i);

  622.     

  623.     uint8_t ss1[64],ss2[64];

  624.     int gres1=0,gres2=0;

  625.     when = now();

  626.     for (i=0; i<nbase; i++) {

  627.         if (i&1) {

  628.             gres1 = goldilocks_shared_secret(ss1,&gsk,&hpk);

  629.         } else {

  630.             gres2 = goldilocks_shared_secret(ss2,&hsk,&gpk);

  631.         }

  632.     }

  633.     when = now() - when;

  634.     printf("ecdh:        %5.1fµs\n", when * 1e6 / i);

  635.     if (gres1 || gres2 || memcmp(ss1,ss2,64)) {

  636.         printf("[FAIL] %d %d\n",gres1,gres2);

  637.         

  638.         printf("sk1 = ");

  639.         for (i=0; i<SCALAR_BYTES; i++) {

  640.             printf("%02x", gsk.opaque[i]);

  641.         }

  642.         printf("\nsk2 = ");

  643.         for (i=0; i<SCALAR_BYTES; i++) {

  644.             printf("%02x", hsk.opaque[i]);

  645.         }

  646.         printf("\nss1 = ");

  647.         for (i=0; i<64; i++) {

  648.             printf("%02x", ss1[i]);

  649.         }

  650.         printf("\nss2 = ");

  651.         for (i=0; i<64; i++) {

  652.             printf("%02x", ss2[i]);

  653.         }

  654.         printf("\n");

  655.     }

  656.     

  657.     uint8_t sout[FIELD_BYTES*2];

  658.     const char *message = "hello world";

  659.     size_t message_len = strlen(message);

  660.     when = now();

  661.     for (i=0; i<nbase; i++) {

  662.         res = goldilocks_sign(sout,(const unsigned char *)message,message_len,&gsk);

  663.         (void)res;

  664.         assert(!res);

  665.     }

  666.     when = now() - when;

  667.     printf("sign:        %5.1fµs\n", when * 1e6 / i);

  668.     

  669.     when = now();

  670.     for (i=0; i<nbase; i++) {

  671.         int ver = goldilocks_verify(sout,(const unsigned char *)message,message_len,&gpk);

  672.         (void)ver;

  673.         assert(!ver);

  674.     }

  675.     when = now() - when;

  676.     printf("verify:      %5.1fµs\n", when * 1e6 / i);

  677.     

  678.     struct goldilocks_precomputed_public_key_t *pre = NULL;

  679.     when = now();

  680.     for (i=0; i<nbase; i++) {

  681.         goldilocks_destroy_precomputed_public_key(pre);

  682.         pre = goldilocks_precompute_public_key(&gpk);

  683.     }

  684.     when = now() - when;

  685.     printf("precompute:  %5.1fµs\n", when * 1e6 / i);

  686.     

  687.     when = now();

  688.     for (i=0; i<nbase; i++) {

  689.         int ver = goldilocks_verify_precomputed(sout,(const unsigned char *)message,message_len,pre);

  690.         (void)ver;

  691.         assert(!ver);

  692.     }

  693.     when = now() - when;

  694.     printf("verify pre:  %5.1fµs\n", when * 1e6 / i);

  695.     

  696.     when = now();

  697.     for (i=0; i<nbase; i++) {

  698.         int ret = goldilocks_shared_secret_precomputed(ss1,&gsk,pre);

  699.         (void)ret;

  700.         assert(!ret);

  701.     }

  702.     when = now() - when;

  703.     printf("ecdh pre:    %5.1fµs\n", when * 1e6 / i);

  704.     

  705.     printf("\nDecaf slow:\n");

  706.     

  707.     decaf_448_symmetric_key_t sym[2] = {{0},{1}};

  708.     decaf_448_private_key_t dpriv[2];

  709.     decaf_448_public_key_t dpub[2];

  710.     

  711.     unsigned char dshared[2][32];

  712.     

  713.     when = now();

  714.     for (i=0; i<nbase; i++) {

  715.         decaf_448_derive_private_key(dpriv[i&1], sym[i&1]);

  716.     }

  717.     when = now() - when;

  718.     printf("derive priv: %5.1fµs\n", when * 1e6 / i);

  719.     

  720.     decaf_448_private_to_public(dpub[0], dpriv[0]);

  721.     decaf_448_private_to_public(dpub[1], dpriv[1]);

  722.     

  723.     when = now();

  724.     for (i=0; i<nbase; i++) {

  725.         decaf_bool_t ret = decaf_448_shared_secret(dshared[i&1], 32, dpriv[i&1], dpub[(i+1)&1]);

  726.         if (ret != DECAF_SUCCESS) {

  727.             printf("BUG: shared secret returns failure on %d.\n", i);

  728.             break;

  729.         }

  730.     }

  731.     when = now() - when;

  732.     printf("ecdh:        %5.1fµs\n", when * 1e6 / i);

  733.     

  734.     if (memcmp(dshared[0], dshared[1], 32)) {

  735.         printf("BUG: mismatched shared secrets\n");

  736.     }

  737.     

  738.     decaf_448_signature_t dsig;

  739.     const char *dmessage = "hello world";

  740.     const char *dnessage = "Jello world";

  741.     when = now();

  742.     for (i=0; i<nbase; i++) {

  743.         decaf_448_sign(dsig, dpriv[0], (const unsigned char *)dmessage, 11);

  744.     }

  745.     when = now() - when;

  746.     printf("sign:        %5.1fµs\n", when * 1e6 / i);

  747.     

  748.     if (memcmp(dshared[0], dshared[1], 32)) {

  749.         printf("BUG: mismatched shared secrets\n");

  750.     }

  751.     

  752.     when = now();

  753.     for (i=0; i<nbase; i++) {

  754.         decaf_bool_t ret = decaf_448_verify(dsig, dpub[0],

  755.             (const unsigned char *)((i&1) ? dmessage : dnessage), 11);

  756.         if ((i&1) && ~ret) {

  757.             printf("BUG: verify failed\n");

  758.             break;

  759.         } else if (!(i&1) && ret) {

  760.             printf("BUG: unverify succeeded\n");

  761.             break;

  762.         }

  763.     }

  764.     when = now() - when;

  765.     printf("verify:      %5.1fµs\n", when * 1e6 / i);

  766.     

  767.     decaf_448_precomputed_s *dpre;

  768.     ignore_result(posix_memalign((void**)&dpre,

  769.         alignof_decaf_448_precomputed_s, sizeof_decaf_448_precomputed_s));

  770.     assert(dpre);

  771.     when = now();

  772.     for (i=0; i<nbase; i++) {

  773.         decaf_448_precompute(dpre, Da);

  774.     }

  775.     when = now() - when;

  776.     printf("pre:         %5.1fµs\n", when * 1e6 / i);

  777.     free(dpre);

  778.     

  779.     return 0;

  780. }