ed448goldilocks/test/test_scalarmul.c

#include "test.h"

#include <stdio.h>

#include "scalarmul.h"
#include "decaf.h"
#include "ec_point.h"
#include "field.h"
#include "crandom.h"

#define STRIDE 7

/* 0 = succeed, 1 = inval, -1 = fail */
static int
single_scalarmul_compatibility_test (
    const field_a_t base,
    const word_t *scalar,
    int nbits
) {
    struct tw_extensible_t text, work;
    field_a_t mont, ct, vl, vt, sced, decaf_s, decaf_m, decaf_te;
    
    int ret = 0, i;
    mask_t succ, succm;
    
    succ = deserialize_and_twist_approx(&text, base);
    
    succm = montgomery_ladder(mont,base,scalar,nbits,1);
    
    if (succ != succm) {
        youfail();
        printf("    Deserialize_and_twist_approx succ=%d, montgomery_ladder succ=%d\n",
            (int)-succ, (int)-succm);
        printf("    nbits = %d\n", nbits);
        field_print("    base", base);
        scalar_print("    scal", scalar, (nbits+WORD_BITS-1)/WORD_BITS);
        return -1;
    }
    
    if (!succ) {
        return 1;
    }

#if FIELD_BITS == 448
    struct { int n,t,s; } params[] = {{5,5,18},{3,5,30},{4,4,28},{1,2,224}};
#elif FIELD_BITS == 480
    struct { int n,t,s; } params[] = {{5,6,16},{6,5,16},{4,5,24},{4,4,30},{1,2,240}};
#elif FIELD_BITS == 521
    struct { int n,t,s; } params[] = {{5,8,13},{4,5,26},{1,2,(SCALAR_BITS+1)/2}};
#else
    struct { int n,t,s; } params[] = {{5,5,(SCALAR_BITS+24)/25},{1,2,(SCALAR_BITS+1)/2}};
#endif
    const int nparams = sizeof(params)/sizeof(params[0]);
    struct fixed_base_table_t fbt;
    const int nsizes = 6;
    field_a_t fbout[nparams], wout[nsizes];
    memset(&fbt, 0, sizeof(fbt));
    memset(&fbout, 0, sizeof(fbout));
    memset(&wout, 0, sizeof(wout));
        
    /* compute using combs */
    for (i=0; i<nparams; i++) {
        int n=params[i].n, t=params[i].t, s=params[i].s;
        succ = precompute_fixed_base(&fbt, &text, n, t, s, NULL);
        if (!succ) {
            youfail();
            printf("    Failed to precompute_fixed_base(%d,%d,%d)\n", n, t, s);
            continue;
        }
        
        succ = scalarmul_fixed_base(&work, scalar, nbits, &fbt);
        destroy_fixed_base(&fbt);
        if (!succ) {
            youfail();
            printf("    Failed to scalarmul_fixed_base(%d,%d,%d)\n", n, t, s);
            continue;
        }
        
        untwist_and_double_and_serialize(fbout[i], &work);
    }
    
    /* compute using precomp wNAF */
    for (i=0; i<nsizes; i++) {
        tw_niels_a_t pre[1<<i];
        
        succ = precompute_fixed_base_wnaf(pre, &text, i);
        if (!succ) {
            youfail();
            printf("    Failed to precompute_fixed_base_wnaf(%d)\n", i);
            continue;
        }
        
        scalarmul_fixed_base_wnaf_vt(&work, scalar, nbits, (const tw_niels_a_t*)pre, i);
        
        untwist_and_double_and_serialize(wout[i], &work);
    }
    
    mask_t consistent = MASK_SUCCESS;
    
    if (nbits == FIELD_BITS) {
        /* window methods currently only work on FIELD_BITS bits. */
        copy_tw_extensible(&work, &text);
        scalarmul(&work, scalar);
        untwist_and_double_and_serialize(ct, &work);
        
        copy_tw_extensible(&work, &text);
        scalarmul_vlook(&work, scalar);
        untwist_and_double_and_serialize(vl, &work);
        
        copy_tw_extensible(&work, &text);
        scalarmul_vt(&work, scalar, nbits);
        untwist_and_double_and_serialize(vt, &work);
        
        decaf_448_point_t ed2, ed3;
        struct decaf_448_precomputed_s *dpre;
        int pmret = posix_memalign(
            (void**)&dpre,
            alignof_decaf_448_precomputed_s,
            sizeof_decaf_448_precomputed_s
        );
        if (pmret) return 1;
    	tw_extended_a_t ed;
        convert_tw_extensible_to_tw_extended(ed, &text);
        uint8_t ser4[DECAF_448_SER_BYTES];
        decaf_448_point_encode(ser4, (struct decaf_448_point_s *)ed);
        decaf_448_point_scalarmul(
            ed2,
            (struct decaf_448_point_s *)ed,
            (struct decaf_448_scalar_s *)scalar
        );
        decaf_448_precompute(dpre, (struct decaf_448_point_s *)ed);
        decaf_448_precomputed_scalarmul(
            ed3,
            dpre,
            (struct decaf_448_scalar_s *)scalar
        );
        free(dpre);

        scalarmul_ed(ed, scalar);
        field_copy(work.x, ed->x);
        field_copy(work.y, ed->y);
        field_copy(work.z, ed->z);
        field_copy(work.t, ed->t);
        field_set_ui(work.u, 1);
        untwist_and_double_and_serialize(sced, &work);

        uint8_t ser1[DECAF_448_SER_BYTES], ser2[DECAF_448_SER_BYTES],
            ser3[DECAF_448_SER_BYTES];
        decaf_448_point_encode(ser1, (struct decaf_448_point_s *)ed);
        decaf_448_point_encode(ser2, ed2);
        decaf_448_point_encode(ser3, ed3);
        consistent &= decaf_448_direct_scalarmul(ser4, ser4, (struct decaf_448_scalar_s *)scalar, -1, -1);

        /* check consistency mont vs window */
        consistent &= field_eq(mont, ct);
        consistent &= field_eq(mont, vl);
        consistent &= field_eq(mont, vt);
        consistent &= field_eq(mont, sced);
        consistent &= memcmp(ser1,ser2,sizeof(ser1)) ? 0 : -1;
        consistent &= memcmp(ser1,ser3,sizeof(ser1)) ? 0 : -1;
        consistent &= memcmp(ser1,ser4,sizeof(ser1)) ? 0 : -1;
    }
    
    /* check consistency mont vs combs */
    for (i=0; i<nparams; i++) {
        consistent &= field_eq(mont,fbout[i]);
    }
    
    /* check consistency mont vs wNAF */
    for (i=0; i<nsizes; i++) {
        consistent &= field_eq(mont,wout[i]);
    }

    /* Do decaf */
    copy_tw_extensible(&work,&text);
    double_tw_extensible(&work);
    decaf_serialize_tw_extensible(decaf_s, &work);

    mask_t succ_dm, succ_dta;
    succ_dm  = decaf_montgomery_ladder(decaf_m, decaf_s, scalar, nbits);
    succ_dta = deserialize_and_twist_approx(&work, mont);
    decaf_serialize_tw_extensible(decaf_te, &work);
    
    consistent &= field_eq(decaf_m, decaf_te);
    consistent &= succ_dm & succ_dta;
    
    /* If inconsistent, complain. */
    if (!consistent) {
        youfail();
        printf("    Failed scalarmul consistency test with nbits=%d.\n",nbits);
        field_print("    base", base);
        scalar_print("    scal", scalar, (nbits+WORD_BITS-1)/WORD_BITS);
        field_print("    mont", mont);
        
        for (i=0; i<nparams; i++) {
            printf("    With n=%d, t=%d, s=%d:\n", params[i].n, params[i].t, params[i].s);
            field_print("    out ", fbout[i]);
        }
        
        for (i=0; i<nsizes; i++) {
            printf("    With w=%d:\n",i);
            field_print("    wNAF", wout[i]);
        }
        
    
        if (nbits == FIELD_BITS) {
            field_print("    ct ", ct);
            field_print("    vl ", vl);
            field_print("    vt ", vt);
            field_print("    ed ", sced);
        }
        
        printf("decaf: succ = %d, %d\n", (int)succ_dm, (int)succ_dta);
        field_print("    s0", decaf_s);
        field_print("    dm", decaf_m);
        field_print("    dt", decaf_te);
        
        ret = -1;
    }
    
    return ret;
}

static int
single_linear_combo_test (
    const field_a_t base1,
    const word_t *scalar1,
    int nbits1,
    const field_a_t base2,
    const word_t *scalar2,
    int nbits2
) { 
    struct tw_extensible_t text1, text2, working;
    struct tw_pniels_t pn;
    field_a_t result_comb, result_combo, result_wnaf;
    
    mask_t succ = 
        deserialize_and_twist_approx(&text1, base1)
      & deserialize_and_twist_approx(&text2, base2);
    if (!succ) return 1;
    
    struct fixed_base_table_t t1, t2;
    tw_niels_a_t wnaf[32];
    memset(&t1,0,sizeof(t1));
    memset(&t2,0,sizeof(t2));
    
    succ = precompute_fixed_base(&t1, &text1, 5, 5, 18, NULL); // FIELD_MAGIC
    succ &= precompute_fixed_base(&t2, &text2, 6, 3, 25, NULL); // FIELD_MAGIC
    succ &= precompute_fixed_base_wnaf(wnaf, &text2, 5);
    
    if (!succ) {
        destroy_fixed_base(&t1);
        destroy_fixed_base(&t2);
        return -1;
    }
    
    /* use the dedicated wNAF linear combo algorithm */
    copy_tw_extensible(&working, &text1);
    linear_combo_var_fixed_vt(&working, scalar1, nbits1, scalar2, nbits2, (const tw_niels_a_t*)wnaf, 5);
    untwist_and_double_and_serialize(result_wnaf, &working);
    
    /* use the dedicated combs algorithm */
    succ &= linear_combo_combs_vt(&working, scalar1, nbits1, &t1, scalar2, nbits2, &t2);
    untwist_and_double_and_serialize(result_combo, &working);
    
    /* use two combs */
    succ &= scalarmul_fixed_base(&working, scalar1, nbits1, &t1);
    convert_tw_extensible_to_tw_pniels(&pn, &working);
    succ &= scalarmul_fixed_base(&working, scalar2, nbits2, &t2);
    add_tw_pniels_to_tw_extensible(&working, &pn);
    untwist_and_double_and_serialize(result_comb, &working);
    
    mask_t consistent = MASK_SUCCESS;
    consistent &= field_eq(result_combo, result_wnaf);
    consistent &= field_eq(result_comb,  result_wnaf);
    
    if (!succ || !consistent) {
        youfail();
        printf("    Failed linear combo consistency test with nbits=%d,%d.\n",nbits1,nbits2);

        field_print("    base1", base1);
        scalar_print("    scal1", scalar1, (nbits1+WORD_BITS-1)/WORD_BITS);
        field_print("    base2", base2);
        scalar_print("    scal2", scalar2, (nbits1+WORD_BITS-1)/WORD_BITS);
        field_print("    combs", result_comb);
        field_print("    combo", result_combo);
        field_print("    wNAFs", result_wnaf);
        return -1;
    }
    
    destroy_fixed_base(&t1);
    destroy_fixed_base(&t2);
    
    return 0;
}

/* 0 = succeed, 1 = inval, -1 = fail */
static int
single_scalarmul_commutativity_test (
    const field_a_t base,
    const word_t *scalar1,
    int nbits1,
    int ned1,
    const word_t *scalar2,
    int nbits2,
    int ned2
) {
    field_a_t m12, m21, tmp1, tmp2;
    mask_t succ12a = montgomery_ladder(tmp1,base,scalar1,nbits1,ned1);
    mask_t succ12b = montgomery_ladder(m12,tmp1,scalar2,nbits2,ned2);
    
    mask_t succ21a = montgomery_ladder(tmp2,base,scalar2,nbits2,ned2);
    mask_t succ21b = montgomery_ladder(m21,tmp2,scalar1,nbits1,ned1);
    
    mask_t succ12 = succ12a & succ12b, succ21 = succ21a & succ21b;
    
    if (succ12 != succ21) {
        youfail();
        printf("    Failed scalarmul commutativity test with (nbits,ned) = (%d,%d), (%d,%d).\n",
            nbits1,ned1,nbits2,ned2);
        field_print("    base", base);
        field_print("    tmp1", tmp1);
        field_print("    tmp2", tmp2);
        scalar_print("    sca1", scalar1, (nbits1+WORD_BITS-1)/WORD_BITS);
        scalar_print("    sca2", scalar2, (nbits1+WORD_BITS-1)/WORD_BITS);
        printf("    good = ((%d,%d),(%d,%d))\n", (int)-succ12a,
            (int)-succ12b, (int)-succ21a, (int)-succ21b);
        return -1;
    } else if (!succ12) {
        // printf("    (nbits,ned) = (%d,%d), (%d,%d).\n", nbits1,ned1,nbits2,ned2);
        // printf("    succ = (%d,%d), (%d,%d).\n", (int)-succ12a, (int)-succ12b, (int)-succ21a, (int)-succ21b);
        return 1;
    }
    
    mask_t consistent = field_eq(m12,m21);
    if (consistent) {
        return 0;
    } else {
        youfail();
        printf("    Failed scalarmul commutativity test with (nbits,ned) = (%d,%d), (%d,%d).\n",
            nbits1,ned1,nbits2,ned2);
        field_print("    base", base);
        scalar_print("    sca1", scalar1, (nbits1+WORD_BITS-1)/WORD_BITS);
        scalar_print("    sca2", scalar2, (nbits1+WORD_BITS-1)/WORD_BITS);
        field_print("    m12 ", m12);
        field_print("    m21 ", m21);
        return -1;
    }
}

static void crandom_generate_f(struct crandom_state_t *crand, uint8_t *scalar, int n) {
    crandom_generate(crand, scalar, n);
    int i;
    for (i = FIELD_BYTES; i<n; i++) {
        scalar[i] = 0;
    }
#if (FIELD_BITS % 8)
    if (n >= FIELD_BYTES) {
        scalar[FIELD_BYTES-1] &= (1<<(FIELD_BITS%8)) - 1;
    }
#endif
}

int test_scalarmul_commutativity (void) {
    int i,j,k,got;
    
    struct crandom_state_t crand;
    crandom_init_from_buffer(&crand, "scalarmul_commutativity_test RNG");
    
    for (i=0; i<=FIELD_BITS; i+=STRIDE) {
        for (j=0; j<=FIELD_BITS; j+=STRIDE) {
            got = 0;
            
            for (k=0; k<128 && !got; k++) {
                uint8_t ser[FIELD_BYTES];
                word_t scalar1[SCALAR_WORDS], scalar2[SCALAR_WORDS];
                crandom_generate_f(&crand, ser, sizeof(ser));
                crandom_generate(&crand, (uint8_t *)scalar1, sizeof(scalar1));
                crandom_generate(&crand, (uint8_t *)scalar2, sizeof(scalar2));
            
                field_t base;
                mask_t succ = field_deserialize(&base, ser);
                if (!succ) continue;
            
                int ret = single_scalarmul_commutativity_test (&base, scalar1, i, i%3, scalar2, j, j%3);
                got = !ret;
                if (ret == -1) return -1;
            }

            if (!got) {
                youfail();
                printf("    Unlikely: rejected 128 scalars in a row.\n");
                return -1;
            }
            
        }
    }
    
    return 0;
}

int test_linear_combo (void) {
    int i,j,k,got;
    
    struct crandom_state_t crand;
    crandom_init_from_buffer(&crand, "scalarmul_linear_combos_test RNG");
    
    for (i=0; i<=FIELD_BITS; i+=STRIDE) {
        for (j=0; j<=FIELD_BITS; j+=STRIDE) {
            got = 0;
            
            for (k=0; k<128 && !got; k++) {
                uint8_t ser[FIELD_BYTES];
                word_t scalar1[SCALAR_WORDS], scalar2[SCALAR_WORDS];
                crandom_generate(&crand, (uint8_t *)scalar1, sizeof(scalar1));
                crandom_generate(&crand, (uint8_t *)scalar2, sizeof(scalar2));
            
                field_t base1;
                crandom_generate_f(&crand, ser, sizeof(ser));
                mask_t succ = field_deserialize(&base1, ser);
                if (!succ) continue;
                
                field_t base2;
                crandom_generate(&crand, ser, sizeof(ser));
                succ = field_deserialize(&base2, ser);
                if (!succ) continue;
            
                int ret = single_linear_combo_test (&base1, scalar1, i, &base2, scalar2, j);
                got = !ret;
                if (ret == -1) return -1;
            }

            if (!got) {
                youfail();
                printf("    Unlikely: rejected 128 scalars in a row.\n");
                return -1;
            }
            
        }
    }
    
    return 0;
}

int test_scalarmul_compatibility (void) {
    int i,j,k,got;
    
    struct crandom_state_t crand;
    crandom_init_from_buffer(&crand, "scalarmul_compatibility_test RNG");
    
    for (i=0; i<=FIELD_BITS; i+=STRIDE) {
        for (j=0; j<=20; j++) {
            got = 0;
            
            for (k=0; k<128 && !got; k++) {
                uint8_t ser[FIELD_BYTES];
                word_t scalar[SCALAR_WORDS];
                crandom_generate_f(&crand, ser, sizeof(ser));
                crandom_generate(&crand, (uint8_t *)scalar, sizeof(scalar));
            
                field_t base;
                mask_t succ = field_deserialize(&base, ser);
                if (!succ) continue;
            
                int ret = single_scalarmul_compatibility_test (&base, scalar, i);
                got = !ret;
                if (ret == -1) return -1;
            }

            if (!got) {
                youfail();
                printf("    Unlikely: rejected 128 scalars in a row.\n");
                return -1;
            }
            
        }
    }
    
    return 0;
}