From 07530b4ce59fafe261e09f2a5e1dc49879a88c58 Mon Sep 17 00:00:00 2001
From: Michael Hamburg
Date: Wed, 6 May 2015 16:23:08 -0700
Subject: [PATCH] switch base points to reflect draft-irtf-cfrg-curves-01. base point now computed by gen_tables
---
 src/decaf.c | 24 ++++++++-----------
 src/decaf_fast.c | 53 ++++++++----------------------
 src/decaf_gen_tables.c | 47 +++++++++++++++++++++++++++++++++----
 3 files changed, 63 insertions(+), 61 deletions(-)
diff --git a/src/decaf.c b/src/decaf.c
index a19a2ad..42b1d98 100644
--- a/src/decaf.c
+++ b/src/decaf.c
@@ -67,24 +67,20 @@ static const decaf_448_scalar_t decaf_448_scalar_r2 = {{{
 static const decaf_word_t DECAF_MONTGOMERY_FACTOR = (decaf_word_t)(0x3bd440fae918bc5ull);
-/** base = twist of Goldilocks base point (~,19). */
+#define FIELD_LITERAL(a,b,c,d,e,f,g,h) {{LIMB(a),LIMB(b),LIMB(c),LIMB(d),LIMB(e),LIMB(f),LIMB(g),LIMB(h)}}
 const decaf_448_point_t decaf_448_point_base = {{
- {{{ LIMB(0xb39a2d57e08c7b),LIMB(0xb38639c75ff281),
- LIMB(0x2ec981082b3288),LIMB(0x99fe8607e5237c),
- LIMB(0x0e33fbb1fadd1f),LIMB(0xe714f67055eb4a),
- LIMB(0xc9ae06d64067dd),LIMB(0xf7be45054760fa) }}},
- {{{ LIMB(0xbd8715f551617f),LIMB(0x8c17fbeca8f5fc),
- LIMB(0xaae0eec209c06f),LIMB(0xce41ad80cbe6b8),
- LIMB(0xdf360b5c828c00),LIMB(0xaf25b6bbb40e3b),
- LIMB(0x8ed37f0ce4ed31),LIMB(0x72a1c3214557b9) }}},
- {{{ 1 }}},
- {{{ LIMB(0x97ca9c8ed8bde9),LIMB(0xf0b780da83304c),
- LIMB(0x0d79c0a7729a69),LIMB(0xc18d3f24aebc1c),
- LIMB(0x1fbb5389b3fda5),LIMB(0xbb24f674635948),
- LIMB(0x723a55709a3983),LIMB(0xe1c0107a823dd4) }}}
+ {FIELD_LITERAL(0x00fffffffffffffe,0x00ffffffffffffff,0x00ffffffffffffff,0x00ffffffffffffff,
+ 0x0000000000000003,0x0000000000000000,0x0000000000000000,0x0000000000000000)},
+ {FIELD_LITERAL(0x0081e6d37f752992,0x003078ead1c28721,0x00135cfd2394666c,0x0041149c50506061,
+ 0x0031d30e4f5490b3,0x00902014990dc141,0x0052341b04c1e328,0x0014237853c10a1b)},
+ {FIELD_LITERAL(0x00fffffffffffffb,0x00ffffffffffffff,0x00ffffffffffffff,0x00ffffffffffffff,
+ 0x00fffffffffffffe,0x00ffffffffffffff,0x00ffffffffffffff,0x00ffffffffffffff)},
+ {FIELD_LITERAL(0x008f205b70660415,0x00881c60cfd3824f,0x00377a638d08500d,0x008c66d5d4672615,
+ 0x00e52fa558e08e13,0x0087770ae1b6983d,0x004388f55a0aa7ff,0x00b4d9a785cf1a91)}
 }};
+
 struct decaf_448_precomputed_s { decaf_448_point_t p[1]; }; /* FIXME: restore */
diff --git a/src/decaf_fast.c b/src/decaf_fast.c
index 41813b9..87d93d8 100644
--- a/src/decaf_fast.c
+++ b/src/decaf_fast.c
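Review bot: The rewritten `decaf_448_point_base` literal loses the only description the constant had (the removed `/** base = twist of Goldilocks base point (~,19). */`), and its third coordinate is no longer the `{{{ 1 }}}` of the old literal, so a reader cannot tell what representation the eight raw limb groups are in or how to check them against draft-irtf-cfrg-curves-01. I'd add above it `/* Base point of draft-irtf-cfrg-curves-01 in the library's internal point representation (raw limbs, third coordinate != 1); the serialized form is base_point_ser_for_pregen in decaf_fast.c. Produced by decaf_gen_tables, do not hand-edit. */`. The `#define FIELD_LITERAL` added here may also collide with the `FIELD_LITERAL` that decaf_fast.c already uses without defining, if that one comes from a header decaf.c includes as well; an `#ifndef FIELD_LITERAL` guard, or moving the macro into that header, avoids a redefinition warning.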
@@ -56,50 +56,17 @@ static const scalar_t sc_p = {{{
 SC_LIMB(0xffffffffffffffff), SC_LIMB(0x3fffffffffffffff) }}};
-const scalar_t API_NS(scalar_one) = {{{1}}}, API_NS(scalar_zero) = {{{0}}};
-static const scalar_t sc_r2 = {{{
- SC_LIMB(0xe3539257049b9b60),
- SC_LIMB(0x7af32c4bc1b195d9),
- SC_LIMB(0x0d66de2388ea1859),
- SC_LIMB(0xae17cf725ee4d838),
- SC_LIMB(0x1a9cc14ba3c47c44),
- SC_LIMB(0x2052bcb7e4d070af),
- SC_LIMB(0x3402a939f823b729)
-}}};
+const scalar_t API_NS(scalar_one) = {{{1}}}, API_NS(scalar_zero) = {{{0}}};
+extern const scalar_t sc_r2;
+extern const decaf_word_t MONTGOMERY_FACTOR;
-static const scalar_t sc_r1 = {{{
- SC_LIMB(0x721cf5b5529eec34),
- SC_LIMB(0x7a4cf635c8e9c2ab),
- SC_LIMB(0xeec492d944a725bf),
- SC_LIMB(0x000000020cd77058),
- SC_LIMB(0),
- SC_LIMB(0),
- SC_LIMB(0)
-}}};
+/* sqrt(5) = 2phi-1 from the curve spec. Not exported, but used by pregen tool. */
+const unsigned char base_point_ser_for_pregen[SER_BYTES] = {
+ -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,1
+};
-static const decaf_word_t MONTGOMERY_FACTOR = (decaf_word_t)(0x3bd440fae918bc5ull);
-
-/** base = twist of Goldilocks base point (~,19). */
-
-const point_t API_NS(point_base) = {{
- { FIELD_LITERAL(
- 0xb39a2d57e08c7b,0xb38639c75ff281,
- 0x2ec981082b3288,0x99fe8607e5237c,
- 0x0e33fbb1fadd1f,0xe714f67055eb4a,
- 0xc9ae06d64067dd,0xf7be45054760fa )},
- { FIELD_LITERAL(
- 0xbd8715f551617f,0x8c17fbeca8f5fc,
- 0xaae0eec209c06f,0xce41ad80cbe6b8,
- 0xdf360b5c828c00,0xaf25b6bbb40e3b,
- 0x8ed37f0ce4ed31,0x72a1c3214557b9 )},
- {{{ 1 }}},
- { FIELD_LITERAL(
- 0x97ca9c8ed8bde9,0xf0b780da83304c,
- 0x0d79c0a7729a69,0xc18d3f24aebc1c,
- 0x1fbb5389b3fda5,0xbb24f674635948,
- 0x723a55709a3983,0xe1c0107a823dd4 )}
-}};
+extern const point_t API_NS(point_base);
 /* Projective Niels coordinates */
 typedef struct { gf a, b, c; } niels_s, niels_t[1];
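Review bot: `base_point_ser_for_pregen` spells out 29 of its `SER_BYTES` entries with `-1` literals in an `unsigned char` array; the conversion to 0xff is well-defined but trips `-Wsign-conversion`, and the zero fill of the remaining entries is invisible to the reader. I'd write the bytes as `0xff` and state the layout in the comment, e.g. `/* 28 x 0xff, one 0x01, remaining SER_BYTES-29 bytes zero: sqrt(5) = 2phi-1 from the curve spec; used only by the pregen tool */`. The comment says the array is not exported, yet it is a non-static object, as are the new `extern` `sc_r2` and `MONTGOMERY_FACTOR`, which carry no `API_NS` prefix and now occupy the library's global symbol namespace; the generator's `MONTGOMERY_FACTOR` line is emitted without any visibility attribute, so marking these definitions `__attribute__((visibility("hidden")))`, as the generator already does for `precomputed_base_as_fe`, would keep them internal.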
@@ -651,7 +618,7 @@ decaf_bool_t API_NS(scalar_decode)(
 accum = (accum + s->limb[i] - sc_p->limb[i]) >> WBITS;
 }
- sc_montmul(s,s,sc_r1); /* ham-handed reduce */
+ API_NS(scalar_mul)(s,s,API_NS(scalar_one)); /* ham-handed reduce */
 return accum;
 }
@@ -706,7 +673,7 @@ void API_NS(scalar_decode_long)(
 if (ser_len == sizeof(scalar_t)) {
 assert(i==0);
 /* ham-handed reduce */
- sc_montmul(s,t1,sc_r1);
+ API_NS(scalar_mul)(s,t1,API_NS(scalar_one));
 API_NS(scalar_destroy)(t1);
 return;
 }
diff --git a/src/decaf_gen_tables.c b/src/decaf_gen_tables.c
index d8e2399..0ae5707 100644
--- a/src/decaf_gen_tables.c
+++ b/src/decaf_gen_tables.c
@@ -22,6 +22,11 @@ const field_t API_NS(precomputed_base_as_fe)[1];
 const API_NS(scalar_t) API_NS(precomputed_scalarmul_adjustment);
 const API_NS(scalar_t) API_NS(point_scalarmul_adjustment);
+const API_NS(scalar_t) sc_r2 = {{{0}}};
+const decaf_word_t MONTGOMERY_FACTOR = 0;
+const unsigned char base_point_ser_for_pregen[DECAF_448_SER_BYTES];
+
+const API_NS(point_t) API_NS(point_base);
 struct niels_s;
 const field_t *API_NS(precomputed_wnaf_as_fe);
@@ -32,6 +37,7 @@ void API_NS(precompute_wnafs) (
 const API_NS(point_t) base );
+/* TODO: use SC_LIMB? */
 static void scalar_print(const char *name, const API_NS(scalar_t) sc) {
 printf("const API_NS(scalar_t) %s = {{{\n", name);
 unsigned i;
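Review bot: Both decaf_fast.c hunks keep `/* ham-handed reduce */` on the new `API_NS(scalar_mul)(s,s,API_NS(scalar_one))` and `API_NS(scalar_mul)(s,t1,API_NS(scalar_one))` calls, but the comment no longer explains why a multiplication by one is there; with `sc_r1` gone, canonical reduction of the decoded scalar now rests entirely on scalar_mul returning a fully reduced result, which nothing in these hunks states. I'd replace the comment at both sites with `/* x1 only to force a fully reduced (canonical) scalar; relies on scalar_mul reducing mod p */`, after confirming in scalar_mul (outside this hunk) that it guarantees that. Both enclosing functions start outside the hunk.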
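Review bot: `const unsigned char base_point_ser_for_pregen[DECAF_448_SER_BYTES];` in the decaf_gen_tables.c hunk is a tentative definition, not a declaration, while decaf_fast.c now defines the same array with an initializer; unlike the neighbouring stand-ins for symbols the generated file presumably supplies, this one duplicates a real definition, so the generator either fails to link or depends on common-symbol merging, and if the zero-filled copy ever won, `point_decode` would be handed the all-zero encoding instead of the base point. It should read `extern const unsigned char base_point_ser_for_pregen[DECAF_448_SER_BYTES];`. A short comment on the stand-in group, e.g. `/* placeholders so the generator links before the generated tables exist; real values come from the generated file */`, would also make the `= 0` initializers less surprising.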
@@ -68,17 +74,21 @@ static void field_print(const field_t *f) {
 int main(int argc, char **argv) {
 (void)argc; (void)argv;
+ API_NS(point_t) real_point_base;
+ int ret = API_NS(point_decode)(real_point_base,base_point_ser_for_pregen,0);
+ if (!ret) return 1;
+
 API_NS(precomputed_s) *pre;
- int ret = posix_memalign((void**)&pre, API_NS2(alignof,precomputed_s), API_NS2(sizeof,precomputed_s));
+ ret = posix_memalign((void**)&pre, API_NS2(alignof,precomputed_s), API_NS2(sizeof,precomputed_s));
 if (ret || !pre) return 1;
- API_NS(precompute)(pre, API_NS(point_base));
+ API_NS(precompute)(pre, real_point_base);
 struct niels_s *preWnaf;
 ret = posix_memalign((void**)&preWnaf, API_NS2(alignof,precomputed_s), API_NS2(sizeof,precomputed_wnafs));
 if (ret || !preWnaf) return 1;
- API_NS(precompute_wnafs)(preWnaf, API_NS(point_base));
+ API_NS(precompute_wnafs)(preWnaf, real_point_base);
- const field_t *output = (const field_t *)pre;
+ const field_t *output;
 unsigned i;
 printf("/** @warning: this file was automatically generated. */\n");
@@ -86,6 +96,18 @@ int main(int argc, char **argv) {
 printf("#include \"decaf.h\"\n\n");
 printf("#define API_NS(_id) decaf_448_##_id\n");
 printf("#define API_NS2(_pref,_id) _pref##_decaf_448_##_id\n");
+
+ output = (const field_t *)real_point_base;
+ printf("const API_NS(point_t) API_NS(point_base) = {{\n");
+ for (i=0; i < sizeof(API_NS(point_t)); i+=sizeof(field_t)) {
+ if (i) printf(",\n ");
+ printf("{");
+ field_print(output++);
+ printf("}");
+ }
+ printf("\n}};\n");
+
+ output = (const field_t *)pre;
 printf("const field_t API_NS(precomputed_base_as_fe)[%d]\n", (int)(API_NS2(sizeof,precomputed_s) / sizeof(field_t)));
 printf("__attribute__((aligned(%d),visibility(\"hidden\"))) = {\n ", (int)API_NS2(alignof,precomputed_s));
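Review bot: `int ret` is now reused with opposite polarities: `if (!ret) return 1;` treats it as the success mask from `API_NS(point_decode)`, while the very next use, `if (ret || !pre) return 1;`, treats it as posix_memalign's errno-style code, which makes the decode check easy to misread when the two calls are later reordered or copied. I'd give the decode result its own name, `decaf_bool_t ok = API_NS(point_decode)(real_point_base,base_point_ser_for_pregen,0); if (!ok) return 1;`, and leave `int ret` for posix_memalign as before. The literal `0` passed as point_decode's third argument also deserves a comment saying what it selects, since the generator's correctness depends on the decoded point being the real base point and nothing in the hunk says so.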
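Review bot: The second hunk's loop emits `API_NS(point_base)` by reinterpreting `real_point_base` as `sizeof(API_NS(point_t))/sizeof(field_t)` raw `field_t`s, so the generated constant freezes the limb layout of whichever build ran the generator and silently assumes `point_t` is a whole number of `field_t`s with no padding. If the project builds as C11, `_Static_assert(sizeof(API_NS(point_t)) % sizeof(field_t) == 0, "point_t is not an array of field_t");` before the loop makes the second assumption explicit, and a generated header line such as `printf("/* point_base and tables generated for DECAF_WORD_BITS == %d */\n", DECAF_WORD_BITS);` records the first so a mismatched table is recognisable. The function continues outside the hunk.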
@@ -123,5 +145,22 @@ int main(int argc, char **argv) {
 API_NS(scalar_sub)(smadj, smadj, API_NS(scalar_one));
 scalar_print("API_NS(point_scalarmul_adjustment)", smadj);
+ API_NS(scalar_copy)(smadj,API_NS(scalar_one));
+ for (i=0; ilimb[0]+1;
+#if DECAF_WORD_BITS == 32
+ plo |= ((unsigned long long)smadj->limb[1]) << 32;
+#endif
+ for (i=0; i<6; i++) {
+ w *= w*plo + 2;
+ }
+ printf("const decaf_word_t MONTGOMERY_FACTOR = (decaf_word_t)0x%016llxull;\n\n", w);
+
+ return 0;
 }
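Review bot: The loop `w *= w*plo + 2;` is a Newton lift whose six rounds double the precision of the inverse each time and whose `unsigned long long` wraparound is the intended mod 2^64 arithmetic, none of which the hunk says; I'd comment it `/* Newton iteration for -p^{-1} mod 2^64: w(2 + w*p) doubles the valid bits each round, 1 -> 64 bits in 6 rounds; wrap in unsigned long long is intended */`. That reading assumes `w` starts at 1 and `smadj` holds p-1 at `plo = smadj->limb[0]+1`; the lines between `for (i=0; i` and `limb[0]+1;` are missing from this rendering (an angle-bracket span was stripped), so I could not confirm either and the printed factor should be cross-checked against the old hard-coded `0x3bd440fae918bc5ull`. `return 0;` also reports success without checking that the generated source actually reached stdout; `return (fflush(stdout) != 0 || ferror(stdout)) ? 1 : 0;` would make a short write fail the build step instead of producing a truncated table file.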