jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: ed6fdbf3c3
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'ed6fdbf3c3'
${ noResults }
ed448goldilocks/bench.c

828 lines
23 KiB
Raw Blame History 

  1. /* Copyright (c) 2014 Cryptography Research, Inc.

  2.  * Released under the MIT License.  See LICENSE.txt for license information.

  3.  */

  4. 

  5. #include <sys/time.h>

  6. #include <sys/types.h>

  7. #include <stdlib.h>

  8. #include <stdio.h>

  9. #include <memory.h>

  10. 

  11. #include "p448.h"

  12. #include "ec_point.h"

  13. #include "scalarmul.h"

  14. #include "barrett_field.h"

  15. #include "crandom.h"

  16. #include "goldilocks.h"

  17. #include "sha512.h"

  18. 

  19. word_t q448_lo[4] = {

  20.     0xdc873d6d54a7bb0dull,

  21.     0xde933d8d723a70aaull,

  22.     0x3bb124b65129c96full,

  23.     0x000000008335dc16ull

  24. };

  25. 

  26. double now() {

  27.   struct timeval tv;

  28.   gettimeofday(&tv, NULL);

  29.   

  30.   return tv.tv_sec + tv.tv_usec/1000000.0;

  31. }

  32. 

  33. void p448_randomize( struct crandom_state_t *crand, struct p448_t *a ) {

  34.     crandom_generate(crand, (unsigned char *)a, sizeof(*a));

  35.     p448_strong_reduce(a);

  36. }

  37. 

  38. void q448_randomize( struct crandom_state_t *crand, uint64_t sk[7] ) {

  39.     crandom_generate(crand, (unsigned char *)sk, sizeof(uint64_t)*7);

  40. }

  41. 

  42. void p448_print( const char *descr, const struct p448_t *a ) {

  43.     p448_t b;

  44.     p448_copy(&b, a);

  45.     p448_strong_reduce(&b);

  46.     int j;

  47.     printf("%s = 0x", descr);

  48.     for (j=7; j>=0; j--) {

  49.         printf("%014llx", (unsigned long long)b.limb[j]);

  50.     }

  51.     printf("\n");

  52. }

  53. 

  54. void p448_print_full( const char *descr, const struct p448_t *a ) {

  55.     int j;

  56.     printf("%s = 0x", descr);

  57.     for (j=7; j>=0; j--) {

  58.         printf("%02llx_%014llx ", a->limb[j]>>56, (unsigned long long)a->limb[j]&(1ull<<56)-1);

  59.     }

  60.     printf("\n");

  61. }

  62. 

  63. void q448_print( const char *descr, const uint64_t secret[7] ) {

  64.     int j;

  65.     printf("%s = 0x", descr);

  66.     for (j=6; j>=0; j--) {

  67.         printf("%016llx", (unsigned long long)secret[j]);

  68.     }

  69.     printf("\n");

  70. }

  71. 

  72. int main(int argc, char **argv) {

  73.     (void)argc;

  74.     (void)argv;

  75. 

  76.     struct tw_extensible_t ext;

  77.     struct extensible_t exta;

  78.     struct tw_niels_t niels;

  79.     struct tw_pniels_t pniels;

  80.     struct affine_t affine;

  81.     struct montgomery_t mb;

  82.     struct p448_t a,b,c,d;

  83.     

  84.     

  85.     double when;

  86.     int i,j;

  87.     

  88.     /* Bad randomness so we can debug. */

  89.     char initial_seed[32];

  90.     for (i=0; i<32; i++) initial_seed[i] = i;

  91.     struct crandom_state_t crand;

  92.     crandom_init_from_buffer(&crand, initial_seed);

  93.     

  94.     uint64_t sk[7],tk[7];

  95.     q448_randomize(&crand, sk);

  96.     

  97.     when = now();

  98.     for (i=0; i<10000000; i++) {

  99.         p448_mul(&c, &b, &a);

  100.     }

  101.     when = now() - when;

  102.     printf("mul:         %5.1fns\n", when * 1e9 / i);

  103.     

  104.     when = now();

  105.     for (i=0; i<10000000; i++) {

  106.         p448_sqr(&c, &a);

  107.     }

  108.     when = now() - when;

  109.     printf("sqr:         %5.1fns\n", when * 1e9 / i);

  110.     

  111.     when = now();

  112.     for (i=0; i<5000000; i++) {

  113.         p448_mul(&c, &b, &a);

  114.         p448_mul(&a, &b, &c);

  115.     }

  116.     when = now() - when;

  117.     printf("mul dep:     %5.1fns\n", when * 1e9 / i / 2);

  118.     

  119.     when = now();

  120.     for (i=0; i<10000000; i++) {

  121.         p448_mulw(&c, &b, 1234562);

  122.     }

  123.     when = now() - when;

  124.     printf("mulw:        %5.1fns\n", when * 1e9 / i);

  125.     

  126.     when = now();

  127.     for (i=0; i<100000; i++) {

  128.         p448_randomize(&crand, &a);

  129.     }

  130.     when = now() - when;

  131.     printf("rand448:     %5.1fns\n", when * 1e9 / i);

  132.     

  133.     struct sha512_ctx_t sha;

  134.     uint8_t hashout[128];

  135.     when = now();

  136.     for (i=0; i<10000; i++) {

  137.         sha512_init(&sha);

  138.         sha512_final(&sha, hashout);

  139.     }

  140.     when = now() - when;

  141.     printf("sha512 1blk: %5.1fns\n", when * 1e9 / i);

  142.     

  143.     when = now();

  144.     for (i=0; i<10000; i++) {

  145.         sha512_update(&sha, hashout, 128);

  146.     }

  147.     when = now() - when;

  148.     printf("sha512 blk:  %5.1fns (%0.2f MB/s)\n", when * 1e9 / i, 128*i/when/1e6);

  149.     

  150.     when = now();

  151.     for (i=0; i<10000; i++) {

  152.         p448_isr(&c, &a);

  153.     }

  154.     when = now() - when;

  155.     printf("isr auto:    %5.1fµs\n", when * 1e6 / i);

  156.     

  157.     for (i=0; i<100; i++) {

  158.         p448_randomize(&crand, &a);

  159.         p448_isr(&d,&a);

  160.         p448_sqr(&b,&d);

  161.         p448_mul(&c,&b,&a);

  162.         p448_sqr(&b,&c);

  163.         p448_subw(&b,1);

  164.         p448_bias(&b,1);

  165.         if (!p448_is_zero(&b)) {

  166.             printf("ISR validation failure!\n");

  167.             p448_print("a", &a);

  168.             p448_print("s", &d);

  169.         }

  170.     }

  171.     

  172.     when = now();

  173.     for (i=0; i<10000; i++) {

  174.         elligator_2s_inject(&affine, &a);

  175.     }

  176.     when = now() - when;

  177.     printf("elligator:   %5.1fµs\n", when * 1e6 / i);

  178.     

  179.     for (i=0; i<100; i++) {

  180.         p448_randomize(&crand, &a);

  181.         elligator_2s_inject(&affine, &a);

  182.         if (!validate_affine(&affine)) {

  183.             printf("Elligator validation failure!\n");

  184.             p448_print("a", &a);

  185.             p448_print("x", &affine.x);

  186.             p448_print("y", &affine.y);

  187.         }

  188.     }

  189.     

  190.     when = now();

  191.     for (i=0; i<10000; i++) {

  192.         deserialize_affine(&affine, &a);

  193.     }

  194.     when = now() - when;

  195.     printf("decompress:  %5.1fµs\n", when * 1e6 / i);

  196.     

  197.     when = now();

  198.     for (i=0; i<10000; i++) {

  199.         serialize_extensible(&a, &exta);

  200.     }

  201.     when = now() - when;

  202.     printf("compress:    %5.1fµs\n", when * 1e6 / i);

  203.     

  204.     int goods = 0;

  205.     for (i=0; i<100; i++) {

  206.         p448_randomize(&crand, &a);

  207.         mask_t good = deserialize_affine(&affine, &a);

  208.         if (good & !validate_affine(&affine)) {

  209.             printf("Deserialize validation failure!\n");

  210.             p448_print("a", &a);

  211.             p448_print("x", &affine.x);

  212.             p448_print("y", &affine.y);

  213.         } else if (good) {

  214.             goods++;

  215.             convert_affine_to_extensible(&exta,&affine);

  216.             serialize_extensible(&b, &exta);

  217.             p448_sub(&c,&b,&a);

  218.             p448_bias(&c,2);

  219.             if (!p448_is_zero(&c)) {

  220.                 printf("Reserialize validation failure!\n");

  221.                 p448_print("a", &a);

  222.                 p448_print("x", &affine.x);

  223.                 p448_print("y", &affine.y);

  224.                 deserialize_affine(&affine, &b);

  225.                 p448_print("b", &b);

  226.                 p448_print("x", &affine.x);

  227.                 p448_print("y", &affine.y);

  228.                 printf("\n");

  229.             }

  230.         }

  231.     }

  232.     if (goods<i/3) {

  233.         printf("Deserialization validation failure! Deserialized %d/%d points\n", goods, i);

  234.     }

  235.     

  236.     uint64_t lsk[12];

  237.     for (i=0;i<10; i++) {

  238.         for (j=11; j>=0; j--) {

  239.             lsk[j] = random();

  240.             lsk[j] = lsk[j]<<22 ^ random();

  241.             lsk[j] = lsk[j]<<22 ^ random();

  242.         }

  243.     }

  244.     

  245.     when = now();

  246.     for (i=0; i<1000000; i++) {

  247.         barrett_reduce(lsk,12,0,q448_lo,7,4,62);

  248.     }

  249.     when = now() - when;

  250.     printf("barrett red: %5.1fns\n", when * 1e9 / i);

  251.     // 

  252.     // when = now();

  253.     // for (i=0; i<100000; i++) {

  254.     //     barrett_mac(lsk,7,lsk,7,lsk,7,q448_lo,7,4,62);

  255.     // }

  256.     // when = now() - when;

  257.     // printf("barrett mac: %5.1fns\n", when * 1e9 / i);

  258.     

  259.     when = now();

  260.     for (i=0; i<1000000; i++) {

  261.         add_tw_niels_to_tw_extensible(&ext, &niels);

  262.     }

  263.     when = now() - when;

  264.     printf("exti+niels:  %5.1fns\n", when * 1e9 / i);

  265.     

  266.     when = now();

  267.     for (i=0; i<1000000; i++) {

  268.         add_tw_pniels_to_tw_extensible(&ext, &pniels);

  269.     }

  270.     when = now() - when;

  271.     printf("exti+pniels: %5.1fns\n", when * 1e9 / i);

  272.     

  273.     when = now();

  274.     for (i=0; i<1000000; i++) {

  275.         double_tw_extensible(&ext);

  276.     }

  277.     when = now() - when;

  278.     printf("exti dbl:    %5.1fns\n", when * 1e9 / i);

  279.     

  280.     when = now();

  281.     for (i=0; i<1000000; i++) {

  282.         untwist_and_double(&exta, &ext);

  283.     }

  284.     when = now() - when;

  285.     printf("i->a isog:   %5.1fns\n", when * 1e9 / i);

  286.     

  287.     when = now();

  288.     for (i=0; i<1000000; i++) {

  289.         twist_and_double(&ext, &exta);

  290.     }

  291.     when = now() - when;

  292.     printf("a->i isog:   %5.1fns\n", when * 1e9 / i);

  293.     

  294.     when = now();

  295.     for (i=0; i<1000000; i++) {

  296.         montgomery_step(&mb);

  297.     }

  298.     when = now() - when;

  299.     printf("monty step:  %5.1fns\n", when * 1e9 / i);

  300. 	

  301.     when = now();

  302.     for (i=0; i<1000; i++) {

  303.         p448_montgomery_ladder(&a,&b,sk,448,0);

  304.     }

  305.     when = now() - when;

  306.     printf("full ladder: %5.1fµs\n", when * 1e6 / i);

  307.     

  308.     when = now();

  309.     for (i=0; i<1000; i++) {

  310.         edwards_scalar_multiply(&ext,sk);

  311.     }

  312.     when = now() - when;

  313.     printf("edwards smz: %5.1fµs\n", when * 1e6 / i);

  314.     

  315.     when = now();

  316.     for (i=0; i<1000; i++) {

  317.         edwards_scalar_multiply_vlook(&ext,sk);

  318.         untwist_and_double_and_serialize(&a,&ext);

  319.     }

  320.     when = now() - when;

  321.     printf("edwards svl: %5.1fµs\n", when * 1e6 / i);

  322.     

  323.     when = now();

  324.     for (i=0; i<1000; i++) {

  325.         q448_randomize(&crand, sk);

  326.         edwards_scalar_multiply_vt(&ext,sk);

  327.     }

  328.     when = now() - when;

  329.     printf("edwards vtm: %5.1fµs\n", when * 1e6 / i);

  330.     

  331.     struct tw_niels_t wnaft[1<<6];

  332.     when = now();

  333.     for (i=0; i<1000; i++) {

  334.         precompute_for_wnaf(wnaft,&ext,6);

  335.     }

  336.     when = now() - when;

  337.     printf("wnaf6 pre:   %5.1fµs\n", when * 1e6 / i);

  338.     

  339.     when = now();

  340.     for (i=0; i<1000; i++) {

  341.         q448_randomize(&crand, sk);

  342.         edwards_scalar_multiply_vt_pre(&ext,sk,wnaft,6);

  343.     }

  344.     when = now() - when;

  345.     printf("edwards vt6: %5.1fµs\n", when * 1e6 / i);

  346.     

  347.     when = now();

  348.     for (i=0; i<1000; i++) {

  349.         precompute_for_wnaf(wnaft,&ext,4);

  350.     }

  351.     when = now() - when;

  352.     printf("wnaf4 pre:   %5.1fµs\n", when * 1e6 / i);

  353.     

  354.     when = now();

  355.     for (i=0; i<1000; i++) {

  356.         q448_randomize(&crand, sk);

  357.         edwards_scalar_multiply_vt_pre(&ext,sk,wnaft,4);

  358.     }

  359.     when = now() - when;

  360.     printf("edwards vt4: %5.1fµs\n", when * 1e6 / i);

  361. 

  362.     when = now();

  363.     for (i=0; i<1000; i++) {

  364.         precompute_for_wnaf(wnaft,&ext,5);

  365.     }

  366.     when = now() - when;

  367.     printf("wnaf5 pre:   %5.1fµs\n", when * 1e6 / i);

  368.     

  369.     when = now();

  370.     for (i=0; i<1000; i++) {

  371.         q448_randomize(&crand, sk);

  372.         edwards_scalar_multiply_vt_pre(&ext,sk,wnaft,5);

  373.     }

  374.     when = now() - when;

  375.     printf("edwards vt5: %5.1fµs\n", when * 1e6 / i);

  376.     

  377.     when = now();

  378.     for (i=0; i<1000; i++) {

  379.         q448_randomize(&crand, sk);

  380.         q448_randomize(&crand, tk);

  381.         edwards_combo_var_fixed_vt(&ext,sk,tk,wnaft,5);

  382.     }

  383.     when = now() - when;

  384.     printf("vt vf combo: %5.1fµs\n", when * 1e6 / i);

  385.     

  386.     when = now();

  387.     for (i=0; i<1000; i++) {

  388.         deserialize_affine(&affine, &a);

  389.         convert_affine_to_extensible(&exta,&affine);

  390.         twist_and_double(&ext,&exta);

  391.         edwards_scalar_multiply(&ext,sk);

  392.         untwist_and_double(&exta,&ext);

  393.         serialize_extensible(&b, &exta);

  394.     }

  395.     when = now() - when;

  396.     printf("edwards sm:  %5.1fµs\n", when * 1e6 / i);

  397.     

  398.     struct tw_niels_t table[80] __attribute__((aligned(32)));

  399. 

  400.     while (1) {

  401.         p448_randomize(&crand, &a);

  402.         if (deserialize_affine(&affine, &a)) break;

  403.     }

  404.     convert_affine_to_extensible(&exta,&affine);

  405.     twist_and_double(&ext,&exta);

  406.     when = now();

  407.     for (i=0; i<1000; i++) {

  408.         precompute_for_combs(table, &ext, 5, 5, 18);

  409.     }

  410.     when = now() - when;

  411.     printf("pre(5,5,18): %5.1fµs\n", when * 1e6 / i);

  412. 	

  413.     when = now();

  414.     for (i=0; i<10000; i++) {

  415.         edwards_comb(&ext, sk, table, 5, 5, 18);

  416.     }

  417.     when = now() - when;

  418.     printf("com(5,5,18): %5.1fµs\n", when * 1e6 / i);

  419.     

  420.     when = now();

  421.     for (i=0; i<10000; i++) {

  422.         edwards_comb(&ext, sk, table, 3, 5, 30);

  423.     }

  424.     when = now() - when;

  425.     printf("com(3,5,30): %5.1fµs\n", when * 1e6 / i);

  426. 

  427.     when = now();

  428.     for (i=0; i<10000; i++) {

  429.         edwards_comb(&ext, sk, table, 8, 4, 14);

  430.     }

  431.     when = now() - when;

  432.     printf("com(4,4,28): %5.1fµs\n", when * 1e6 / i);

  433.     

  434.     when = now();

  435.     for (i=0; i<10000; i++) {

  436.         q448_randomize(&crand, sk);

  437.         edwards_comb(&ext, sk, table, 5, 5, 18);

  438.         untwist_and_double(&exta,&ext);

  439.         serialize_extensible(&b, &exta);

  440.     }

  441.     when = now() - when;

  442.     printf("keygen:      %5.1fµs\n", when * 1e6 / i);

  443.     

  444.     printf("\nGoldilocks:\n");

  445.     

  446.     int res = goldilocks_init();

  447.     assert(!res);

  448.     

  449.     struct goldilocks_public_key_t gpk,hpk;

  450.     struct goldilocks_private_key_t gsk,hsk;

  451.     

  452.     when = now();

  453.     for (i=0; i<10000; i++) {

  454.         if (i&1) {

  455.             res = goldilocks_keygen(&gsk,&gpk);

  456.         } else {

  457.             res = goldilocks_keygen(&hsk,&hpk);

  458.         }

  459.         assert(!res);

  460.     }

  461.     when = now() - when;

  462.     printf("keygen:      %5.1fµs\n", when * 1e6 / i);

  463.     

  464.     uint8_t ss1[64],ss2[64];

  465.     int gres1,gres2;

  466.     when = now();

  467.     for (i=0; i<10000; i++) {

  468.         if (i&1) {

  469.             gres1 = goldilocks_shared_secret(ss1,&gsk,&hpk);

  470.         } else {

  471.             gres2 = goldilocks_shared_secret(ss2,&hsk,&gpk);

  472.         }

  473.     }

  474.     when = now() - when;

  475.     printf("ecdh:        %5.1fµs\n", when * 1e6 / i);

  476.     if (gres1 || gres2 || memcmp(ss1,ss2,64)) {

  477.         printf("[FAIL] %d %d\n",gres1,gres2);

  478.         

  479.         printf("ss1 = ");

  480.         for (i=0; i<56; i++) {

  481.             printf("%02x", ss1[i]);

  482.         }

  483.         printf("\nss2 = ");

  484.         for (i=0; i<56; i++) {

  485.             printf("%02x", ss2[i]);

  486.         }

  487.         printf("\n");

  488.     }

  489.     

  490.     uint8_t sout[56*2];

  491.     const char *message = "hello world";

  492.     uint64_t message_len = strlen(message);

  493.     when = now();

  494.     for (i=0; i<10000; i++) {

  495.         res = goldilocks_sign(sout,(const unsigned char *)message,message_len,&gsk);

  496.         assert(!res);

  497.     }

  498.     when = now() - when;

  499.     printf("sign:        %5.1fµs\n", when * 1e6 / i);

  500.     

  501.     when = now();

  502.     for (i=0; i<10000; i++) {

  503.         res = goldilocks_verify(sout,(const unsigned char *)message,message_len,&gpk);

  504.     }

  505.     when = now() - when;

  506.     printf("verify:      %5.1fµs\n", when * 1e6 / i);

  507.     

  508.     printf("\nTesting...\n");

  509.     

  510.     

  511.     int failures=0, successes = 0;

  512.     for (i=0; i<1000; i++) {

  513.         (void)goldilocks_keygen(&gsk,&gpk);

  514.         goldilocks_sign(sout,(const unsigned char *)message,message_len,&gsk);

  515.         res = goldilocks_verify(sout,(const unsigned char *)message,message_len,&gpk);

  516.         if (res) failures++;

  517.     }

  518.     if (failures) {

  519.         printf("FAIL %d/%d signature checks!\n", failures, i);

  520.     }

  521.     

  522.     failures=0; successes = 0;

  523.     for (i=0; i<1000; i++) {

  524.         p448_randomize(&crand, &a);

  525. 		uint64_t two = 2;

  526.         mask_t good = p448_montgomery_ladder(&b,&a,&two,2,0);

  527. 		if (!good) continue;

  528. 		

  529. 		uint64_t x = rand(), y=rand(), z=x*y;

  530. 		p448_montgomery_ladder(&b,&a,&x,64,0);

  531.         p448_montgomery_ladder(&c,&b,&y,64,0);

  532.         p448_montgomery_ladder(&b,&a,&z,64,0);

  533.         

  534.         p448_sub(&d,&b,&c);

  535.         p448_bias(&d,2);

  536. 		if (!p448_is_zero(&d)) {

  537.             printf("Odd ladder validation failure %d!\n", ++failures);

  538.             p448_print("a", &a);

  539.             printf("x=%llx, y=%llx, z=%llx\n", x,y,z);

  540.             p448_print("c", &c);

  541.             p448_print("b", &b);

  542. 			printf("\n");

  543. 		}

  544. 	}

  545.     

  546.     failures = 0;

  547.     for (i=0; i<1000; i++) {

  548.         mask_t good;

  549.         do {

  550.             p448_randomize(&crand, &a);

  551.             good = deserialize_affine(&affine, &a);

  552.         } while (!good);

  553.         

  554.         convert_affine_to_extensible(&exta,&affine);

  555.         twist_and_double(&ext,&exta);

  556.         untwist_and_double(&exta,&ext);

  557.         serialize_extensible(&b, &exta);

  558.         untwist_and_double_and_serialize(&c, &ext);

  559.         

  560.         p448_sub(&d,&b,&c);

  561.         p448_bias(&d,2);

  562.         

  563.         if (good && !p448_is_zero(&d)){

  564.             printf("Iso+serial validation failure %d!\n", ++failures);

  565.             p448_print("a", &a);

  566.             p448_print("b", &b);

  567.             p448_print("c", &c);

  568.             printf("\n");

  569.         } else if (good) {

  570.             successes ++;

  571.         }

  572.     }

  573.     if (successes < i/3) {

  574.         printf("Iso+serial variation: only %d/%d successful.\n", successes, i);

  575.     }

  576.         

  577.     failures = 0;

  578.     uint64_t four = 4;

  579.     for (i=0; i<1000; i++) {

  580.         p448_randomize(&crand, &a);

  581.         q448_randomize(&crand, sk);

  582.         

  583.         mask_t good = p448_montgomery_ladder(&b,&a,&four,3,0);

  584.         good &= p448_montgomery_ladder(&c,&b,sk,448,0);

  585.         

  586.         mask_t goodb = deserialize_affine(&affine, &a);

  587.         convert_affine_to_extensible(&exta,&affine);

  588.         twist_and_double(&ext,&exta);

  589.         edwards_scalar_multiply(&ext,sk);

  590.         untwist_and_double(&exta,&ext);

  591.         serialize_extensible(&b, &exta);

  592.         

  593.         p448_sub(&d,&b,&c);

  594.         p448_bias(&d,2);

  595.         

  596.         if (good != goodb) {

  597.             printf("Compatibility validation failure %d: good: %d != %d\n", ++failures, (int)(-good), (int)(-goodb));

  598.         } else if (good && !p448_is_zero(&d)){

  599.             printf("Compatibility validation failure %d!\n", ++failures);

  600.             p448_print("a", &a);

  601.             q448_print("s", sk);

  602.             p448_print("c", &c);

  603.             p448_print("b", &b);

  604.             printf("\n");

  605.         } else if (good) {

  606.             successes ++;

  607.         }

  608.     }

  609.     if (successes < i/3) {

  610.         printf("Compatibility variation: only %d/%d successful.\n", successes, i);

  611.     }

  612.         

  613.     successes = failures = 0;

  614.     for (i=0; i<1000; i++) {

  615.         p448_randomize(&crand, &a);

  616.         q448_randomize(&crand, sk);

  617. 		if (!i) bzero(&sk, sizeof(sk));

  618.         

  619.         mask_t good = p448_montgomery_ladder(&b,&a,&four,3,0);

  620.         good &= p448_montgomery_ladder(&c,&b,sk,448,0);

  621.         if (!good) continue;

  622.         

  623.         deserialize_affine(&affine, &a);

  624.         convert_affine_to_extensible(&exta,&affine);

  625.         twist_and_double(&ext,&exta);

  626.         

  627.         precompute_for_combs(table, &ext, 5, 5, 18);

  628.         edwards_comb(&ext, sk, table, 5, 5, 18);

  629.         untwist_and_double(&exta,&ext);

  630.         serialize_extensible(&b, &exta);

  631.         

  632.         p448_sub(&d,&b,&c);

  633.         p448_bias(&d,2);

  634.         

  635.         if (!p448_is_zero(&d)){

  636.             printf("Comb validation failure %d!\n", ++failures);

  637.             p448_print("a", &a);

  638.             q448_print("s", sk);

  639.             p448_print("c", &c);

  640.             p448_print("b", &b);

  641.             printf("\n");

  642.         } else if (good) {

  643.             successes ++;

  644.         }

  645.     }

  646.     if (successes < i/3) {

  647.         printf("Comb variation: only %d/%d successful.\n", successes, i);

  648.     }

  649.         

  650.     successes = failures = 0;

  651.     for (i=0; i<1000; i++) {

  652.         p448_randomize(&crand, &a);

  653.         q448_randomize(&crand, sk);

  654. 		if (!i) bzero(&sk, sizeof(sk));

  655.         

  656.         mask_t good = deserialize_affine(&affine, &a);

  657.         if (!good) continue;

  658.         

  659.         convert_affine_to_extensible(&exta,&affine);

  660.         twist_and_double(&ext,&exta);

  661.         struct tw_extensible_t exu;

  662.         copy_tw_extensible(&exu, &ext);

  663.         

  664.         edwards_scalar_multiply(&ext,sk);

  665.         untwist_and_double(&exta,&ext);

  666.         serialize_extensible(&b, &exta);

  667.         

  668.         edwards_scalar_multiply_vt(&exu,sk);

  669.         untwist_and_double(&exta,&exu);

  670.         serialize_extensible(&c, &exta);

  671.         

  672.         p448_sub(&d,&b,&c);

  673.         p448_bias(&d,2);

  674.         

  675.         if (!p448_is_zero(&d)){

  676.             printf("WNAF validation failure %d!\n", ++failures);

  677.             p448_print("a", &a);

  678.             q448_print("s", sk);

  679.             p448_print("c", &c);

  680.             p448_print("b", &b);

  681.             printf("\n");

  682.         } else if (good) {

  683.             successes ++;

  684.         }

  685.     }

  686.     if (successes < i/3) {

  687.         printf("WNAF variation: only %d/%d successful.\n", successes, i);

  688.     }

  689.         

  690.     successes = failures = 0;

  691.     for (i=0; i<1000; i++) {

  692.         p448_randomize(&crand, &a);

  693.         q448_randomize(&crand, sk);

  694. 		if (!i) bzero(&sk, sizeof(sk));

  695.         

  696.         mask_t good = deserialize_affine(&affine, &a);

  697.         if (!good) continue;

  698.         

  699.         convert_affine_to_extensible(&exta,&affine);

  700.         twist_and_double(&ext,&exta);

  701.         struct tw_extensible_t exu;

  702.         copy_tw_extensible(&exu, &ext);

  703.         

  704.         edwards_scalar_multiply(&ext,sk);

  705.         untwist_and_double(&exta,&ext);

  706.         serialize_extensible(&b, &exta);

  707. 

  708.         precompute_for_wnaf(wnaft,&exu,5);

  709.         edwards_scalar_multiply_vt_pre(&exu,sk,wnaft,5);

  710.         untwist_and_double(&exta,&exu);

  711.         serialize_extensible(&c, &exta);

  712.         

  713.         p448_sub(&d,&b,&c);

  714.         p448_bias(&d,2);

  715.         

  716.         if (!p448_is_zero(&d)){

  717.             printf("PreWNAF validation failure %d!\n", ++failures);

  718.             p448_print("a", &a);

  719.             q448_print("s", sk);

  720.             p448_print("c", &c);

  721.             p448_print("b", &b);

  722.             for (j=0; j<1<<5; j++) {

  723.                 printf("WNAFT %d\n", j);

  724.                 p448_print("  a",&wnaft[j].a);

  725.                 p448_print("  b",&wnaft[j].b);

  726.                 p448_print("  c",&wnaft[j].c);

  727.             }

  728.             printf("\n\n");

  729.         } else if (good) {

  730.             successes ++;

  731.         }

  732.     }

  733.     if (successes < i/3) {

  734.         printf("PreWNAF variation: only %d/%d successful.\n", successes, i);

  735.     }

  736.     

  737.     successes = failures = 0;

  738.     for (i=0; i<1000; i++) {

  739.         struct p448_t aa;

  740.         struct tw_extensible_t exu,exv,exw;

  741.         

  742.         mask_t good;

  743.         do {

  744.             p448_randomize(&crand, &a);

  745.             good = deserialize_affine(&affine, &a);

  746.             convert_affine_to_extensible(&exta,&affine);

  747.             twist_and_double(&ext,&exta);

  748.         } while (!good);

  749.         do {

  750.             p448_randomize(&crand, &aa);

  751.             good = deserialize_affine(&affine, &aa);

  752.             convert_affine_to_extensible(&exta,&affine);

  753.             twist_and_double(&exu,&exta);

  754.         } while (!good);

  755.         p448_randomize(&crand, &aa);

  756.         

  757.         q448_randomize(&crand, sk);

  758. 		if (i==0 || i==2) bzero(&sk, sizeof(sk));

  759.         q448_randomize(&crand, tk);

  760. 		if (i==0 || i==1) bzero(&tk, sizeof(tk));

  761.         

  762.         copy_tw_extensible(&exv, &ext);

  763.         copy_tw_extensible(&exw, &exu);

  764.         edwards_scalar_multiply(&exv,sk);

  765.         edwards_scalar_multiply(&exw,tk);

  766.         convert_tw_extensible_to_tw_pniels(&pniels, &exw);

  767.         add_tw_pniels_to_tw_extensible(&exv,&pniels);

  768.         untwist_and_double(&exta,&exv);

  769.         serialize_extensible(&b, &exta);

  770. 

  771.         precompute_for_wnaf(wnaft,&exu,5);

  772.         edwards_combo_var_fixed_vt(&ext,sk,tk,wnaft,5);

  773.         untwist_and_double(&exta,&exv);

  774.         serialize_extensible(&c, &exta);

  775.         

  776.         p448_sub(&d,&b,&c);

  777.         p448_bias(&d,2);

  778.         

  779.         if (!p448_is_zero(&d)){

  780.             printf("PreWNAF combo validation failure %d!\n", ++failures);

  781.             p448_print("a", &a);

  782.             p448_print("A", &aa);

  783.             q448_print("s", sk);

  784.             q448_print("t", tk);

  785.             p448_print("c", &c);

  786.             p448_print("b", &b);

  787.             printf("\n\n");

  788.         } else if (good) {

  789.             successes ++;

  790.         }

  791.     }

  792.     if (successes < i) {

  793.         printf("PreWNAF combo variation: only %d/%d successful.\n", successes, i);

  794.     }

  795.     

  796.     successes = failures = 0;

  797.     for (i=0; i<1000; i++) {

  798.         p448_randomize(&crand, &a);

  799.         

  800.         q448_randomize(&crand, sk);

  801.         q448_randomize(&crand, tk);

  802.         

  803. 		uint64_t two = 2;

  804.         mask_t good = p448_montgomery_ladder(&b,&a,&two,2,0);

  805. 		p448_montgomery_ladder(&b,&a,sk,448,0);

  806.         p448_montgomery_ladder(&d,&b,tk,448,0);

  807.         p448_montgomery_ladder(&b,&a,tk,448,0);

  808.         p448_montgomery_ladder(&c,&b,sk,448,0);

  809.         

  810.         p448_sub(&b,&c,&d);

  811.         p448_bias(&b,2);

  812.         

  813.         mask_t success = p448_is_zero(&b) | ~good;

  814.         

  815.         if (!success) {

  816.             printf("Ladder validation failure %d!\n", ++failures);

  817.             p448_print("a", &a);

  818.             q448_print("s", sk);

  819.             q448_print("t", tk);

  820.             p448_print("c", &c);

  821.             p448_print("d", &d);

  822.             printf("\n");

  823.         }

  824.     }

  825.     

  826.     return 0;

  827. }