From 76810700154934435f006236f2605792d1f3425c Mon Sep 17 00:00:00 2001
From: Mike Hamburg
Date: Wed, 4 Mar 2015 16:03:17 -0800
Subject: [PATCH] more factoring and bug fixes. Need to put direct_scalarmul in pathological test cases and then simplify it
---
 src/decaf_crypto.c | 7 +-----
 src/decaf_fast.c | 55 ++++++++++++++++++++--------------------
 src/include/word.h | 3 +--
 3 files changed, 26 insertions(+), 39 deletions(-)
diff --git a/src/decaf_crypto.c b/src/decaf_crypto.c
index a569de7..70aebd7 100644
--- a/src/decaf_crypto.c
+++ b/src/decaf_crypto.c
@@ -57,11 +57,8 @@ decaf_448_shared_secret (
 const decaf_448_private_key_t my_privkey, const decaf_448_public_key_t your_pubkey ) {
- decaf_448_point_t point;
 uint8_t ss_ser[DECAF_448_SER_BYTES];
 const char *nope = "decaf_448_ss_invalid";
- decaf_bool_t ret = decaf_448_point_decode(point, your_pubkey, DECAF_FALSE);
- decaf_448_point_scalarmul(point, point, my_privkey->secret_scalar);
 unsigned i;
 /* Lexsort keys. Less will be -1 if mine is less, and 0 otherwise. */
@@ -94,9 +91,7 @@ decaf_448_shared_secret (
 }
 shake256_update(sponge, ss_ser, sizeof(ss_ser));
- /* encode the shared secret but mask with secret key */
- decaf_448_point_encode(ss_ser, point);
-
+ decaf_bool_t ret = decaf_448_direct_scalarmul(ss_ser, your_pubkey, my_privkey->secret_scalar, DECAF_FALSE, DECAF_TRUE);
 /* If invalid, then replace ... */
 for (i=0; i=8 || i==DECAF_448_LIMBS-1) && k>=8) {
+ ser[k++]=buf;
+ }
+ }
+}
+
 void decaf_448_point_encode( unsigned char ser[DECAF_448_SER_BYTES], const decaf_448_point_t p ) {
 /* Can shave off one mul here; not important but makes consistent with paper */
 gf a, b, c, d;
@@ -389,16 +401,7 @@ void decaf_448_point_encode( unsigned char ser[DECAF_448_SER_BYTES], const decaf
 gf_mul ( c, b, p->y );
 gf_add ( a, a, c );
 cond_neg ( a, hibit(a) );
-
- gf_canon(a);
- int i, k=0, bits=0;
- decaf_dword_t buf=0;
- for (i=0; i=8 || i==DECAF_448_LIMBS-1) && k>=8) {
- ser[k++]=buf;
- }
- }
+ gf_encode(ser, a);
 }
 /** 
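Review bot: The added call `decaf_448_direct_scalarmul(ss_ser, your_pubkey, my_privkey->secret_scalar, DECAF_FALSE, DECAF_TRUE)` fixes the key agreement's entire peer-key validation policy in two bare boolean literals, and nothing at the call site says what either one selects. If these are the routine's allow_identity and short_circuit parameters (confirm against the prototype), the first decides whether an identity peer key is rejected and the second whether the routine may take an early exit on invalid input, both of which a reader of the shared-secret code needs to know, so a trailing comment stating each flag's meaning in the words of the prototype's documentation would be worth adding. `ret` is now declared after `shake256_update`, and the masking loop that consumes it is not legible in this copy of the hunk (the text after `for (i=0; i` is garbled), so I cannot confirm from the patch that the invalid-key path still masks `ss_ser` with `ret` in constant time; please re-check that loop.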
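Review bot: `gf_encode(ser, a)` replaces an inline serializer whose first statement was `gf_canon(a);`, and this patch does not let me confirm the helper does the same, because only the tail of gf_encode's definition (the byte-packing loop) survives in this copy and its opening lines are garbled. If gf_encode does not fully reduce its input first, the same field element can serialize to different byte strings depending on its limb representation, and two parties computing the same point (for example in the shared-secret path, which now reaches gf_encode through direct_scalarmul) could derive different bytes from equal values. Please either make `gf_canon` the first step of gf_encode or document the precondition on it, e.g. `/* Serialize a as DECAF_448_SER_BYTES little-endian bytes; a must already be fully reduced (gf_canon). */`. The same question applies to `gf_encode(scaled, out)` in direct_scalarmul, where the removed code also called `gf_canon(out)` first.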
@@ -834,7 +837,7 @@ decaf_bool_t decaf_448_direct_scalarmul (
 gf_cpy ( xd, ONE );
 gf_cpy ( zd, ZERO );
- int i,j;
+ int j;
 decaf_bool_t pflip = 0;
 for (j=448-1; j>=0; j--) { /* TODO: DECAF_SCALAR_BITS */
 decaf_bool_t flip = -((scalar->limb[j/WORD_BITS]>>(j%WORD_BITS))&1);;
@@ -869,10 +872,15 @@ decaf_bool_t decaf_448_direct_scalarmul (
 gf_mul(xz_d, xd, zd);
 gf_mul(xz_a, xa, za);
 output_zero = gf_eq(xz_d, ZERO);
- za_zero = gf_eq(za, ZERO);
 cond_sel(xz_d, xz_d, ONE, output_zero); /* make xz_d always nonzero */
 zcase = output_zero | gf_eq(xz_a, ZERO);
+ za_zero = gf_eq(za, ZERO);
+ cond_sel(zs,zs,s0,zcase); /* zs, but s0 in zcase */
+ cond_sel(L3,xd,zd,za_zero);
+ cond_sel(xs,xs,L3,zcase); /* xs, but zq or qq in zcase */
+
+ /* Curve test in zcase */
 gf_cpy(L0,x0);
 gf_add(L0,L0,ONE);
@@ -918,27 +926,12 @@ decaf_bool_t decaf_448_direct_scalarmul (
 /* compute the output */
 gf_mul(L1,L0,den);
+ gf_mul(L0,xs,zs);
+ gf_mul(out,L0,L1);
- cond_sel(L2,zs,s0,zcase); /* zs, but s0 in zcase */
- gf_mul(L0,L1,L2);
-
- cond_sel(L3,xd,zd,za_zero);
- cond_sel(L2,xs,L3,zcase); /* xs, but zq or qq in zcase */
- gf_mul(out,L0,L2);
-
- cond_sel(out,out,ZERO,output_zero);
 cond_neg(out,hibit(out));
- //
- // /* TODO: resubroutineize? */
- gf_canon(out);
- int k=0, bits=0;
- decaf_dword_t buf=0;
- for (i=0; i=8 || i==DECAF_448_LIMBS-1) && k>=8) {
- scaled[k++]=buf;
- }
- }
+ cond_sel(out,out,ZERO,output_zero);\
+ gf_encode(scaled, out);
 return succ;
 }
diff --git a/src/include/word.h b/src/include/word.h
index 6083879..5f40e17 100644
--- a/src/include/word.h
+++ b/src/include/word.h
@@ -217,8 +217,7 @@ letoh64 (uint64_t x) { return x; }
 * @param c The char to set it to (probably zero).
 * @param s The size of the object.
 */
-#if (defined(__DARWIN_C_LEVEL) \
- || (defined(__STDC_WANT_LIB_EXT1__) && __STDC_WANT_LIB_EXT1__ == 1))
+#if defined(__DARWIN_C_LEVEL) || defined(__STDC_LIB_EXT1__)
 #define HAS_MEMSET_S
 #endif
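Review bot: The three `cond_sel` calls moved into this hunk now overwrite `zs` and `xs` in place, whereas the lines removed in the hunk at -918 selected into the scratch `L2` only after the curve test; any statement between `/* Curve test in zcase */` and `/* compute the output */` (that stretch is outside both hunks) that reads xs or zs now sees the already-selected values. I cannot see that code, so please confirm the curve test does not use them — if it does, the earlier selection changes the result in exactly the zcase/za_zero branches this code exists to handle. A short comment at the move would protect the next reader, e.g. `/* select xs/zs for the degenerate case now; the curve test below must not read them */`, or the inverse if it does and that is intended.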
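Review bot: The added line `cond_sel(out,out,ZERO,output_zero);\` ends with a stray backslash; backslash-newline is spliced during translation phase 2 regardless of context, so it silently joins the next line `gf_encode(scaled, out);` onto this one, which compiles today but will absorb anything later inserted between the two lines. Drop it: `cond_sel(out,out,ZERO,output_zero);`. Note also that the zeroing on output_zero now runs after `cond_neg(out,hibit(out))` instead of before it as in the removed code; that looks harmless if ZERO's high bit is clear (which I would expect but cannot see here), but it is a reordering the hunk makes without a comment.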
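Review bot: The new condition `#if defined(__DARWIN_C_LEVEL) || defined(__STDC_LIB_EXT1__)` tests whether the implementation supports Annex K, but that alone does not make `memset_s` visible: the Annex K headers declare it only when `__STDC_WANT_LIB_EXT1__` is defined as 1 before the first inclusion of `<string.h>` (it is implementation-defined whether they do when the macro is undefined), and this hunk removes the only place that requirement was checked. HAS_MEMSET_S guards the secure-wipe path (the doc comment above it describes a zeroing helper), so on an Annex K implementation without the request macro the call site would see memset_s as undeclared. Either keep the request macro in the test, `#if defined(__DARWIN_C_LEVEL) || (defined(__STDC_LIB_EXT1__) && defined(__STDC_WANT_LIB_EXT1__) && __STDC_WANT_LIB_EXT1__ == 1)`, or define `__STDC_WANT_LIB_EXT1__` to 1 before any system include and say so in a comment here. `__DARWIN_C_LEVEL` is itself only defined once a Darwin system header has been included, and the hunk does not show whether word.h includes one before this point.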