diff --git a/include/decaf.h b/include/decaf.h index 98f0ae8..9eb5e78 100644 --- a/include/decaf.h +++ b/include/decaf.h @@ -12,13 +12,16 @@ * curve (isogenous to Ed448-Goldilocks) and wiping out the cofactor. * * The formulas are all complete and have no special cases, except that - * decaf_decode can fail because not every sequence of bytes is a valid group + * decaf_448_decode can fail because not every sequence of bytes is a valid group * element. * * The formulas contain no data-dependent branches, timing or memory accesses. + * + * This library may support multiple curves eventually. The Ed448-Goldilocks + * specific identifiers are prefixed with DECAF_448 or decaf_448. */ -#ifndef __DECAF_H__ -#define __DECAF_H__ 1 +#ifndef __DECAF_448_H__ +#define __DECAF_448_H__ 1 #include @@ -36,7 +39,7 @@ /* Internal word types */ #if (defined(__ILP64__) || defined(__amd64__) || defined(__x86_64__) || (((__UINT_FAST32_MAX__)>>30)>>30)) \ - && !defined(DECAF_FORCE_32_BIT) + && !defined(DECAF_FORCE_32_BIT) #define DECAF_WORD_BITS 64 typedef uint64_t decaf_word_t, decaf_bool_t; #else @@ -45,26 +48,25 @@ typedef uint32_t decaf_word_t, decaf_bool_t; #endif /** @endcond */ -/* TODO: prefix all these operations and factor to support multiple curves. */ -#define DECAF_LIMBS (512/DECAF_WORD_BITS) -#define DECAF_SCALAR_BITS 446 -#define DECAF_SCALAR_LIMBS (448/DECAF_WORD_BITS) +#define DECAF_448_LIMBS (512/DECAF_WORD_BITS) +#define DECAF_448_SCALAR_BITS 446 +#define DECAF_448_SCALAR_LIMBS (448/DECAF_WORD_BITS) /** Number of bytes in a serialized point. */ -#define DECAF_SER_BYTES 56 +#define DECAF_448_SER_BYTES 56 /** Number of bytes in a serialized scalar. */ -#define DECAF_SCALAR_BYTES 56 +#define DECAF_448_SCALAR_BYTES 56 /** Twisted Edwards (-1,d-1) extended homogeneous coordinates */ -typedef struct decaf_point_s { - decaf_word_t x[DECAF_LIMBS],y[DECAF_LIMBS],z[DECAF_LIMBS],t[DECAF_LIMBS]; -} decaf_point_t[1]; +typedef struct decaf_448_point_s { + decaf_word_t x[DECAF_448_LIMBS],y[DECAF_448_LIMBS],z[DECAF_448_LIMBS],t[DECAF_448_LIMBS]; +} decaf_448_point_t[1]; /** Scalar is stored packed, because we don't need the speed. */ -typedef struct decaf_scalar_s { - decaf_word_t limb[DECAF_SCALAR_LIMBS]; -} decaf_scalar_t[1]; +typedef struct decaf_448_scalar_s { + decaf_word_t limb[DECAF_448_SCALAR_LIMBS]; +} decaf_448_scalar_t[1]; /** DECAF_TRUE = -1 so that DECAF_TRUE & x = x */ static const decaf_bool_t DECAF_TRUE = -(decaf_bool_t)1, DECAF_FALSE = 0; @@ -76,23 +78,23 @@ static const decaf_bool_t DECAF_SUCCESS = -(decaf_bool_t)1 /*DECAF_TRUE*/, /** The prime p, for debugging purposes. * TODO: prevent this scalar from actually being used for non-debugging purposes? */ -const decaf_scalar_t decaf_scalar_p API_VIS; +const decaf_448_scalar_t decaf_448_scalar_p API_VIS; /** A scalar equal to 1. */ -const decaf_scalar_t decaf_scalar_one API_VIS; +const decaf_448_scalar_t decaf_448_scalar_one API_VIS; /** A scalar equal to 0. */ -const decaf_scalar_t decaf_scalar_zero API_VIS; +const decaf_448_scalar_t decaf_448_scalar_zero API_VIS; /** The identity point on the curve. */ -const decaf_point_t decaf_point_identity API_VIS; +const decaf_448_point_t decaf_448_point_identity API_VIS; /** * An arbitrarily chosen base point on the curve. * Equal to Ed448-Goldilocks base point defined by DJB, except of course that * it's on the twist in this case. TODO: choose a base point with nice encoding? */ -const decaf_point_t decaf_point_base API_VIS; +const decaf_448_point_t decaf_448_point_base API_VIS; #ifdef __cplusplus extern "C" { @@ -112,9 +114,9 @@ extern "C" { * @param [in] ser Serialized form of a scalar. * @param [out] out Deserialized form. */ -decaf_bool_t decaf_scalar_decode ( - decaf_scalar_t s, - const unsigned char ser[DECAF_SCALAR_BYTES] +decaf_bool_t decaf_448_scalar_decode ( + decaf_448_scalar_t s, + const unsigned char ser[DECAF_448_SCALAR_BYTES] ) API_VIS NONNULL2; /** @@ -123,9 +125,9 @@ decaf_bool_t decaf_scalar_decode ( * @param [out] ser Serialized form of a scalar. * @param [in] s Deserialized scalar. */ -void decaf_scalar_encode ( - unsigned char ser[DECAF_SCALAR_BYTES], - const decaf_scalar_t s +void decaf_448_scalar_encode ( + unsigned char ser[DECAF_448_SCALAR_BYTES], + const decaf_448_scalar_t s ) API_VIS NONNULL2; /** @@ -134,10 +136,10 @@ void decaf_scalar_encode ( * @param [in] b Another scalar. * @param [out] out a+b. */ -void decaf_scalar_add ( - decaf_scalar_t out, - const decaf_scalar_t a, - const decaf_scalar_t b +void decaf_448_scalar_add ( + decaf_448_scalar_t out, + const decaf_448_scalar_t a, + const decaf_448_scalar_t b ) API_VIS NONNULL3; /** @@ -147,9 +149,9 @@ void decaf_scalar_add ( * @retval DECAF_TRUE The scalars are equal. * @retval DECAF_FALSE The scalars are not equal. */ -decaf_bool_t decaf_scalar_eq ( - const decaf_scalar_t a, - const decaf_scalar_t b +decaf_bool_t decaf_448_scalar_eq ( + const decaf_448_scalar_t a, + const decaf_448_scalar_t b ) API_VIS WARN_UNUSED NONNULL2; /** @@ -158,10 +160,10 @@ decaf_bool_t decaf_scalar_eq ( * @param [in] b Another scalar. * @param [out] out a-b. */ -void decaf_scalar_sub ( - decaf_scalar_t out, - const decaf_scalar_t a, - const decaf_scalar_t b +void decaf_448_scalar_sub ( + decaf_448_scalar_t out, + const decaf_448_scalar_t a, + const decaf_448_scalar_t b ) API_VIS NONNULL3; /** @@ -170,10 +172,10 @@ void decaf_scalar_sub ( * @param [in] b Another scalar. * @param [out] out a*b. */ -void decaf_scalar_mul ( - decaf_scalar_t out, - const decaf_scalar_t a, - const decaf_scalar_t b +void decaf_448_scalar_mul ( + decaf_448_scalar_t out, + const decaf_448_scalar_t a, + const decaf_448_scalar_t b ) API_VIS NONNULL3; /** @@ -182,9 +184,9 @@ void decaf_scalar_mul ( * @param [in] a A scalar. * @param [out] out Will become a copy of a. */ -void decaf_scalar_copy ( - decaf_scalar_t out, - const decaf_scalar_t a +void decaf_448_scalar_copy ( + decaf_448_scalar_t out, + const decaf_448_scalar_t a ) API_VIS NONNULL2; /** @@ -193,9 +195,9 @@ void decaf_scalar_copy ( * @param [out] ser The byte representation of the point. * @param [in] pt The point to encode. */ -void decaf_point_encode ( - uint8_t ser[DECAF_SER_BYTES], - const decaf_point_t pt +void decaf_448_point_encode ( + uint8_t ser[DECAF_448_SER_BYTES], + const decaf_448_point_t pt ) API_VIS NONNULL2; /** @@ -211,9 +213,9 @@ void decaf_point_encode ( * @retval DECAF_FAILURE The decoding didn't succeed, because * ser does not represent a point. */ -decaf_bool_t decaf_point_decode ( - decaf_point_t pt, - const uint8_t ser[DECAF_SER_BYTES], +decaf_bool_t decaf_448_point_decode ( + decaf_448_point_t pt, + const uint8_t ser[DECAF_448_SER_BYTES], decaf_bool_t allow_identity ) API_VIS WARN_UNUSED NONNULL2; @@ -224,9 +226,9 @@ decaf_bool_t decaf_point_decode ( * @param [out] a A copy of the point. * @param [in] b Any point. */ -void decaf_point_copy ( - decaf_point_t a, - const decaf_point_t b +void decaf_448_point_copy ( + decaf_448_point_t a, + const decaf_448_point_t b ) API_VIS NONNULL2; /** @@ -238,9 +240,9 @@ void decaf_point_copy ( * @retval DECAF_TRUE The points are equal. * @retval DECAF_FALSE The points are not equal. */ -decaf_bool_t decaf_point_eq ( - const decaf_point_t a, - const decaf_point_t b +decaf_bool_t decaf_448_point_eq ( + const decaf_448_point_t a, + const decaf_448_point_t b ) API_VIS WARN_UNUSED NONNULL2; /** @@ -252,22 +254,22 @@ decaf_bool_t decaf_point_eq ( * @param [in] a An addend. * @param [in] b An addend. */ -void decaf_point_add ( - decaf_point_t sum, - const decaf_point_t a, - const decaf_point_t b +void decaf_448_point_add ( + decaf_448_point_t sum, + const decaf_448_point_t a, + const decaf_448_point_t b ) API_VIS NONNULL3; /** * @brief Double a point. Equivalent to - * decaf_point_add(two_a,a,a), but potentially faster. + * decaf_448_point_add(two_a,a,a), but potentially faster. * * @param [out] sum The sum a+a. * @param [in] a A point. */ -void decaf_point_double ( - decaf_point_t two_a, - const decaf_point_t a +void decaf_448_point_double ( + decaf_448_point_t two_a, + const decaf_448_point_t a ) API_VIS NONNULL2; /** @@ -279,10 +281,10 @@ void decaf_point_double ( * @param [in] a The minuend. * @param [in] b The subtrahend. */ -void decaf_point_sub ( - decaf_point_t diff, - const decaf_point_t a, - const decaf_point_t b +void decaf_448_point_sub ( + decaf_448_point_t diff, + const decaf_448_point_t a, + const decaf_448_point_t b ) API_VIS NONNULL3; /** @@ -292,17 +294,17 @@ void decaf_point_sub ( * @param [in] base The point to be scaled. * @param [in] scalar The scalar to multiply by. */ -void decaf_point_scalarmul ( - decaf_point_t scaled, - const decaf_point_t base, - const decaf_scalar_t scalar +void decaf_448_point_scalarmul ( + decaf_448_point_t scaled, + const decaf_448_point_t base, + const decaf_448_scalar_t scalar ) API_VIS NONNULL3; /** * @brief Multiply two base points by two scalars: * scaled = scalar1*base1 + scalar2*base2. * - * Equivalent to two calls to decaf_point_scalarmul, but may be + * Equivalent to two calls to decaf_448_point_scalarmul, but may be * faster. * * @param [out] scaled The scaled point base*scalar @@ -312,12 +314,12 @@ void decaf_point_scalarmul ( * @param [in] scalar2 A second scalar to multiply by. * @TODO: test */ -void decaf_point_double_scalarmul ( - decaf_point_t combo, - const decaf_point_t base1, - const decaf_scalar_t scalar1, - const decaf_point_t base2, - const decaf_scalar_t scalar2 +void decaf_448_point_double_scalarmul ( + decaf_448_point_t combo, + const decaf_448_point_t base1, + const decaf_448_scalar_t scalar1, + const decaf_448_point_t base2, + const decaf_448_scalar_t scalar2 ) API_VIS NONNULL5; /** @@ -327,8 +329,8 @@ void decaf_point_double_scalarmul ( * @retval DECAF_TRUE The point is valid. * @retval DECAF_FALSE The point is invalid. */ -decaf_bool_t decaf_point_valid ( - const decaf_point_t toTest +decaf_bool_t decaf_448_point_valid ( + const decaf_448_point_t toTest ) API_VIS WARN_UNUSED NONNULL1; /** @@ -336,7 +338,7 @@ decaf_bool_t decaf_point_valid ( * * Call this function with the output of a hash to make a hash to the curve. * - * This function runs Elligator2 on the decaf Jacobi quartic model. It then + * This function runs Elligator2 on the decaf_448 Jacobi quartic model. It then * uses the isogeny to put the result in twisted Edwards form. As a result, * it is safe (cannot produce points of order 4), and would be compatible with * hypothetical other implementations of Decaf using a Montgomery or untwisted @@ -358,22 +360,22 @@ decaf_bool_t decaf_point_valid ( * @param [in] hashed_data Output of some hash function. * @param [out] pt The data hashed to the curve. */ -void decaf_point_from_hash_nonuniform ( - decaf_point_t pt, - const unsigned char hashed_data[DECAF_SER_BYTES] +void decaf_448_point_from_hash_nonuniform ( + decaf_448_point_t pt, + const unsigned char hashed_data[DECAF_448_SER_BYTES] ) API_VIS NONNULL2; /** * @brief Indifferentiable hash function encoding to curve. * - * Equivalent to calling decaf_point_from_hash_nonuniform twice and adding. + * Equivalent to calling decaf_448_point_from_hash_nonuniform twice and adding. * * @param [in] hashed_data Output of some hash function. * @param [out] pt The data hashed to the curve. */ -void decaf_point_from_hash_uniform ( - decaf_point_t pt, - const unsigned char hashed_data[2*DECAF_SER_BYTES] +void decaf_448_point_from_hash_uniform ( + decaf_448_point_t pt, + const unsigned char hashed_data[2*DECAF_448_SER_BYTES] ) API_VIS NONNULL2; /* TODO: functions to invert point_from_hash?? */ @@ -389,4 +391,4 @@ void decaf_point_from_hash_uniform ( }; /* extern "C" */ #endif -#endif /* __DECAF_H__ */ +#endif /* __DECAF_448_H__ */ diff --git a/src/decaf.c b/src/decaf.c index 4c16420..0574186 100644 --- a/src/decaf.c +++ b/src/decaf.c @@ -31,7 +31,7 @@ typedef int64_t decaf_sdword_t; static const int QUADRATIC_NONRESIDUE = -1; #define sv static void -typedef decaf_word_t gf[DECAF_LIMBS]; +typedef decaf_word_t gf[DECAF_448_LIMBS]; static const gf ZERO = {0}, ONE = {1}, TWO = {2}; #define LMASK ((((decaf_word_t)1)<> LBITS; - accum[DECAF_LIMBS-2] &= LMASK; - accum[DECAF_LIMBS/2] += accum[DECAF_LIMBS-1] >> LBITS; + accum[DECAF_448_LIMBS-1] += accum[DECAF_448_LIMBS-2] >> LBITS; + accum[DECAF_448_LIMBS-2] &= LMASK; + accum[DECAF_448_LIMBS/2] += accum[DECAF_448_LIMBS-1] >> LBITS; FOR_LIMB(j,{ - accum[j] += accum[(j-1)%DECAF_LIMBS] >> LBITS; - accum[(j-1)%DECAF_LIMBS] &= LMASK; + accum[j] += accum[(j-1)%DECAF_448_LIMBS] >> LBITS; + accum[(j-1)%DECAF_448_LIMBS] &= LMASK; }); FOR_LIMB(j, c[j] = accum[j] ); } @@ -148,10 +148,10 @@ sv gf_isqrt(gf y, const gf x) { /** Weak reduce mod p. */ sv gf_reduce(gf x) { - x[DECAF_LIMBS/2] += x[DECAF_LIMBS-1] >> LBITS; + x[DECAF_448_LIMBS/2] += x[DECAF_448_LIMBS-1] >> LBITS; FOR_LIMB(j,{ - x[j] += x[(j-1)%DECAF_LIMBS] >> LBITS; - x[(j-1)%DECAF_LIMBS] &= LMASK; + x[j] += x[(j-1)%DECAF_448_LIMBS] >> LBITS; + x[(j-1)%DECAF_448_LIMBS] &= LMASK; }); } @@ -246,10 +246,10 @@ static decaf_word_t hibit(const gf x) { } /* a = use_c ? c : b */ -sv decaf_cond_sel ( - decaf_point_t a, - const decaf_point_t b, - const decaf_point_t c, +sv decaf_448_cond_sel ( + decaf_448_point_t a, + const decaf_448_point_t b, + const decaf_448_point_t c, decaf_bool_t use_c ) { cond_sel(a->x, b->x, c->x, use_c); @@ -261,16 +261,16 @@ sv decaf_cond_sel ( /** {extra,accum} - sub +? p * Must have extra <= 1 */ -sv decaf_subx( - decaf_scalar_t out, - const decaf_word_t accum[DECAF_SCALAR_LIMBS], - const decaf_scalar_t sub, - const decaf_scalar_t p, +sv decaf_448_subx( + decaf_448_scalar_t out, + const decaf_word_t accum[DECAF_448_SCALAR_LIMBS], + const decaf_448_scalar_t sub, + const decaf_448_scalar_t p, decaf_word_t extra ) { decaf_sdword_t chain = 0; unsigned int i; - for (i=0; ilimb[i]; out->limb[i] = chain; chain >>= WBITS; @@ -278,30 +278,30 @@ sv decaf_subx( decaf_bool_t borrow = chain+extra; /* = 0 or -1 */ chain = 0; - for (i=0; ilimb[i]) + (p->limb[i] & borrow); out->limb[i] = chain; chain >>= WBITS; } } -sv decaf_montmul ( - decaf_scalar_t out, - const decaf_scalar_t a, - const decaf_scalar_t b, - const decaf_scalar_t p, +sv decaf_448_montmul ( + decaf_448_scalar_t out, + const decaf_448_scalar_t a, + const decaf_448_scalar_t b, + const decaf_448_scalar_t p, decaf_word_t montgomery_factor ) { unsigned int i,j; - decaf_word_t accum[DECAF_SCALAR_LIMBS+1] = {0}; + decaf_word_t accum[DECAF_448_SCALAR_LIMBS+1] = {0}; decaf_word_t hi_carry = 0; - for (i=0; ilimb[i]; const decaf_word_t *mier = b->limb; decaf_dword_t chain = 0; - for (j=0; j>= WBITS; @@ -311,7 +311,7 @@ sv decaf_montmul ( mand = accum[0] * montgomery_factor; chain = 0; mier = p->limb; - for (j=0; j>= WBITS; @@ -322,58 +322,58 @@ sv decaf_montmul ( hi_carry = chain >> WBITS; } - decaf_subx(out, accum, p, p, hi_carry); + decaf_448_subx(out, accum, p, p, hi_carry); } -void decaf_scalar_mul ( - decaf_scalar_t out, - const decaf_scalar_t a, - const decaf_scalar_t b +void decaf_448_scalar_mul ( + decaf_448_scalar_t out, + const decaf_448_scalar_t a, + const decaf_448_scalar_t b ) { - decaf_montmul(out,a,b,decaf_scalar_p,DECAF_MONTGOMERY_FACTOR); - decaf_montmul(out,out,decaf_scalar_r2,decaf_scalar_p,DECAF_MONTGOMERY_FACTOR); + decaf_448_montmul(out,a,b,decaf_448_scalar_p,DECAF_MONTGOMERY_FACTOR); + decaf_448_montmul(out,out,decaf_448_scalar_r2,decaf_448_scalar_p,DECAF_MONTGOMERY_FACTOR); } -void decaf_scalar_sub ( - decaf_scalar_t out, - const decaf_scalar_t a, - const decaf_scalar_t b +void decaf_448_scalar_sub ( + decaf_448_scalar_t out, + const decaf_448_scalar_t a, + const decaf_448_scalar_t b ) { - decaf_subx(out, a->limb, b, decaf_scalar_p, 0); + decaf_448_subx(out, a->limb, b, decaf_448_scalar_p, 0); } -void decaf_scalar_add ( - decaf_scalar_t out, - const decaf_scalar_t a, - const decaf_scalar_t b +void decaf_448_scalar_add ( + decaf_448_scalar_t out, + const decaf_448_scalar_t a, + const decaf_448_scalar_t b ) { decaf_dword_t chain = 0; unsigned int i; - for (i=0; ilimb[i]) + b->limb[i]; out->limb[i] = chain; chain >>= WBITS; } - decaf_subx(out, out->limb, decaf_scalar_p, decaf_scalar_p, chain); + decaf_448_subx(out, out->limb, decaf_448_scalar_p, decaf_448_scalar_p, chain); } -void decaf_scalar_copy ( - decaf_scalar_t out, - const decaf_scalar_t a +void decaf_448_scalar_copy ( + decaf_448_scalar_t out, + const decaf_448_scalar_t a ) { unsigned int i; - for (i=0; ilimb[i] = a->limb[i]; } } -decaf_bool_t decaf_scalar_eq ( - const decaf_scalar_t a, - const decaf_scalar_t b +decaf_bool_t decaf_448_scalar_eq ( + const decaf_448_scalar_t a, + const decaf_448_scalar_t b ) { decaf_word_t diff = 0; unsigned int i; - for (i=0; ilimb[i] ^ b->limb[i]; } return (((decaf_dword_t)diff)-1)>>WBITS; @@ -382,9 +382,9 @@ decaf_bool_t decaf_scalar_eq ( /* *** API begins here *** */ /** identity = (0,1) */ -const decaf_point_t decaf_point_identity = {{{0},{1},{1},{0}}}; +const decaf_448_point_t decaf_448_point_identity = {{{0},{1},{1},{0}}}; -void decaf_point_encode( unsigned char ser[DECAF_SER_BYTES], const decaf_point_t p ) { +void decaf_448_point_encode( unsigned char ser[DECAF_448_SER_BYTES], const decaf_448_point_t p ) { /* Can shave off one mul here; not important but makes consistent with paper */ gf a, b, c, d; gf_mlw ( a, p->y, 1-EDWARDS_D ); @@ -409,9 +409,9 @@ void decaf_point_encode( unsigned char ser[DECAF_SER_BYTES], const decaf_point_t gf_canon(a); int i, k=0, bits=0; decaf_dword_t buf=0; - for (i=0; i=8 || i==DECAF_LIMBS-1) && k>=8) { + for (bits += LBITS; (bits>=8 || i==DECAF_448_LIMBS-1) && k>=8) { ser[k++]=buf; } } @@ -420,12 +420,12 @@ void decaf_point_encode( unsigned char ser[DECAF_SER_BYTES], const decaf_point_t /** * Deserialize a bool, return TRUE if < p. */ -static decaf_bool_t gf_deser(gf s, const unsigned char ser[DECAF_SER_BYTES]) { +static decaf_bool_t gf_deser(gf s, const unsigned char ser[DECAF_448_SER_BYTES]) { unsigned int i, k=0, bits=0; decaf_dword_t buf=0; - for (i=0; i=LBITS || i==DECAF_SER_BYTES-1) && k>=LBITS) { + for (bits += 8; (bits>=LBITS || i==DECAF_448_SER_BYTES-1) && k>=LBITS) { s[k++] = buf & LMASK; } } @@ -436,10 +436,10 @@ static decaf_bool_t gf_deser(gf s, const unsigned char ser[DECAF_SER_BYTES]) { } /* Constant-time add or subtract */ -sv decaf_point_add_sub ( - decaf_point_t p, - const decaf_point_t q, - const decaf_point_t r, +sv decaf_448_point_add_sub ( + decaf_448_point_t p, + const decaf_448_point_t q, + const decaf_448_point_t r, decaf_bool_t do_sub ) { /* Twisted Edward formulas, complete when 4-torsion isn't involved */ @@ -466,9 +466,9 @@ sv decaf_point_add_sub ( gf_mul ( p->t, b, c ); } -decaf_bool_t decaf_point_decode ( - decaf_point_t p, - const unsigned char ser[DECAF_SER_BYTES], +decaf_bool_t decaf_448_point_decode ( + decaf_448_point_t p, + const unsigned char ser[DECAF_448_SER_BYTES], decaf_bool_t allow_identity ) { gf s, a, b, c, d, e; @@ -499,22 +499,22 @@ decaf_bool_t decaf_point_decode ( return succ; } -void decaf_point_sub(decaf_point_t a, const decaf_point_t b, const decaf_point_t c) { - decaf_point_add_sub(a,b,c,-1); +void decaf_448_point_sub(decaf_448_point_t a, const decaf_448_point_t b, const decaf_448_point_t c) { + decaf_448_point_add_sub(a,b,c,-1); } -void decaf_point_add(decaf_point_t a, const decaf_point_t b, const decaf_point_t c) { - decaf_point_add_sub(a,b,c,0); +void decaf_448_point_add(decaf_448_point_t a, const decaf_448_point_t b, const decaf_448_point_t c) { + decaf_448_point_add_sub(a,b,c,0); } /* No dedicated point double yet (PERF) */ -void decaf_point_double(decaf_point_t a, const decaf_point_t b) { - decaf_point_add(a,b,b); +void decaf_448_point_double(decaf_448_point_t a, const decaf_448_point_t b) { + decaf_448_point_add(a,b,b); } -void decaf_point_copy ( - decaf_point_t a, - const decaf_point_t b +void decaf_448_point_copy ( + decaf_448_point_t a, + const decaf_448_point_t b ) { gf_cpy(a->x, b->x); gf_cpy(a->y, b->y); @@ -522,12 +522,12 @@ void decaf_point_copy ( gf_cpy(a->t, b->t); } -decaf_bool_t decaf_scalar_decode( - decaf_scalar_t s, - const unsigned char ser[DECAF_SER_BYTES] +decaf_bool_t decaf_448_scalar_decode( + decaf_448_scalar_t s, + const unsigned char ser[DECAF_448_SER_BYTES] ) { unsigned int i,j,k=0; - for (i=0; ilimb[i] - decaf_scalar_p->limb[i]) >> WBITS; + for (i=0; ilimb[i] - decaf_448_scalar_p->limb[i]) >> WBITS; } - decaf_scalar_mul(s,s,decaf_scalar_one); /* ham-handed reduce */ + decaf_448_scalar_mul(s,s,decaf_448_scalar_one); /* ham-handed reduce */ return accum; } -void decaf_scalar_encode( - unsigned char ser[DECAF_SER_BYTES], - const decaf_scalar_t s +void decaf_448_scalar_encode( + unsigned char ser[DECAF_448_SER_BYTES], + const decaf_448_scalar_t s ) { unsigned int i,j,k=0; - for (i=0; ilimb[i] >> (8*j); } } } -void decaf_point_scalarmul ( - decaf_point_t a, - const decaf_point_t b, - const decaf_scalar_t scalar +void decaf_448_point_scalarmul ( + decaf_448_point_t a, + const decaf_448_point_t b, + const decaf_448_scalar_t scalar ) { /* w=2 signed window uses about 1.5 adds per bit. * I figured a few extra lines was worth the 25% speedup. */ - decaf_point_t w,b3,tmp; - decaf_point_double(w,b); + decaf_448_point_t w,b3,tmp; + decaf_448_point_double(w,b); /* b3 = b*3 */ - decaf_point_add(b3,w,b); + decaf_448_point_add(b3,w,b); int i; - for (i=DECAF_SCALAR_BITS &~ 1; i>0; i-=2) { + for (i=DECAF_448_SCALAR_BITS &~ 1; i>0; i-=2) { decaf_word_t bits = scalar->limb[i/WBITS]>>(i%WBITS); - decaf_cond_sel(tmp,b,b3,((bits^(bits>>1))&1)-1); - decaf_point_double(w,w); - decaf_point_add_sub(w,w,tmp,((bits>>1)&1)-1); - decaf_point_double(w,w); + decaf_448_cond_sel(tmp,b,b3,((bits^(bits>>1))&1)-1); + decaf_448_point_double(w,w); + decaf_448_point_add_sub(w,w,tmp,((bits>>1)&1)-1); + decaf_448_point_double(w,w); } - decaf_point_add_sub(w,w,b,((scalar->limb[0]>>1)&1)-1); + decaf_448_point_add_sub(w,w,b,((scalar->limb[0]>>1)&1)-1); /* low bit is special because fo signed window */ - decaf_cond_sel(tmp,b,decaf_point_identity,-(scalar->limb[0]&1)); - decaf_point_sub(a,w,tmp); + decaf_448_cond_sel(tmp,b,decaf_448_point_identity,-(scalar->limb[0]&1)); + decaf_448_point_sub(a,w,tmp); } -void decaf_point_double_scalarmul ( - decaf_point_t a, - const decaf_point_t b, - const decaf_scalar_t scalarb, - const decaf_point_t c, - const decaf_scalar_t scalarc +void decaf_448_point_double_scalarmul ( + decaf_448_point_t a, + const decaf_448_point_t b, + const decaf_448_scalar_t scalarb, + const decaf_448_point_t c, + const decaf_448_scalar_t scalarc ) { /* w=2 signed window uses about 1.5 adds per bit. * I figured a few extra lines was worth the 25% speedup. * NB: if adapting this function to scalarmul by a * possibly-odd number of unmasked bits, may need to mask. */ - decaf_point_t w,b3,c3,tmp; - decaf_point_double(w,b); - decaf_point_double(tmp,c); + decaf_448_point_t w,b3,c3,tmp; + decaf_448_point_double(w,b); + decaf_448_point_double(tmp,c); /* b3 = b*3 */ - decaf_point_add(b3,w,b); - decaf_point_add(c3,tmp,c); - decaf_point_add(w,w,tmp); + decaf_448_point_add(b3,w,b); + decaf_448_point_add(c3,tmp,c); + decaf_448_point_add(w,w,tmp); int i; - for (i=DECAF_SCALAR_BITS &~ 1; i>0; i-=2) { - decaf_point_double(w,w); + for (i=DECAF_448_SCALAR_BITS &~ 1; i>0; i-=2) { + decaf_448_point_double(w,w); decaf_word_t bits = scalarb->limb[i/WBITS]>>(i%WBITS); - decaf_cond_sel(tmp,b,b3,((bits^(bits>>1))&1)-1); - decaf_point_add_sub(w,w,tmp,((bits>>1)&1)-1); + decaf_448_cond_sel(tmp,b,b3,((bits^(bits>>1))&1)-1); + decaf_448_point_add_sub(w,w,tmp,((bits>>1)&1)-1); bits = scalarc->limb[i/WBITS]>>(i%WBITS); - decaf_cond_sel(tmp,c,c3,((bits^(bits>>1))&1)-1); - decaf_point_add_sub(w,w,tmp,((bits>>1)&1)-1); - decaf_point_double(w,w); + decaf_448_cond_sel(tmp,c,c3,((bits^(bits>>1))&1)-1); + decaf_448_point_add_sub(w,w,tmp,((bits>>1)&1)-1); + decaf_448_point_double(w,w); } - decaf_point_add_sub(w,w,b,((scalarb->limb[0]>>1)&1)-1); - decaf_point_add_sub(w,w,c,((scalarc->limb[0]>>1)&1)-1); + decaf_448_point_add_sub(w,w,b,((scalarb->limb[0]>>1)&1)-1); + decaf_448_point_add_sub(w,w,c,((scalarc->limb[0]>>1)&1)-1); /* low bit is special because of signed window */ - decaf_cond_sel(tmp,b,decaf_point_identity,-(scalarb->limb[0]&1)); - decaf_point_sub(w,w,tmp); - decaf_cond_sel(tmp,c,decaf_point_identity,-(scalarc->limb[0]&1)); - decaf_point_sub(a,w,tmp); + decaf_448_cond_sel(tmp,b,decaf_448_point_identity,-(scalarb->limb[0]&1)); + decaf_448_point_sub(w,w,tmp); + decaf_448_cond_sel(tmp,c,decaf_448_point_identity,-(scalarc->limb[0]&1)); + decaf_448_point_sub(a,w,tmp); } -decaf_bool_t decaf_point_eq ( const decaf_point_t p, const decaf_point_t q ) { +decaf_bool_t decaf_448_point_eq ( const decaf_448_point_t p, const decaf_448_point_t q ) { /* equality mod 2-torsion compares x/y */ gf a, b; gf_mul ( a, p->y, q->x ); @@ -630,9 +630,9 @@ decaf_bool_t decaf_point_eq ( const decaf_point_t p, const decaf_point_t q ) { return gf_eq(a,b); } -void decaf_point_from_hash_nonuniform ( - decaf_point_t p, - const unsigned char ser[DECAF_SER_BYTES] +void decaf_448_point_from_hash_nonuniform ( + decaf_448_point_t p, + const unsigned char ser[DECAF_448_SER_BYTES] ) { gf r,urr,a,b,c,dee,e,ur2_d,udr2_1; (void)gf_deser(r,ser); @@ -670,18 +670,18 @@ void decaf_point_from_hash_nonuniform ( gf_mul(p->t,b,e); } -void decaf_point_from_hash_uniform ( - decaf_point_t pt, - const unsigned char hashed_data[2*DECAF_SER_BYTES] +void decaf_448_point_from_hash_uniform ( + decaf_448_point_t pt, + const unsigned char hashed_data[2*DECAF_448_SER_BYTES] ) { - decaf_point_t pt2; - decaf_point_from_hash_nonuniform(pt,hashed_data); - decaf_point_from_hash_nonuniform(pt2,&hashed_data[DECAF_SER_BYTES]); - decaf_point_add(pt,pt,pt2); + decaf_448_point_t pt2; + decaf_448_point_from_hash_nonuniform(pt,hashed_data); + decaf_448_point_from_hash_nonuniform(pt2,&hashed_data[DECAF_448_SER_BYTES]); + decaf_448_point_add(pt,pt,pt2); } -decaf_bool_t decaf_point_valid ( - const decaf_point_t p +decaf_bool_t decaf_448_point_valid ( + const decaf_448_point_t p ) { gf a,b,c; gf_mul(a,p->x,p->y); diff --git a/test/bench.c b/test/bench.c index 1b4c273..75b79e1 100644 --- a/test/bench.c +++ b/test/bench.c @@ -266,12 +266,12 @@ int main(int argc, char **argv) { when = now() - when; printf("barrett mac: %5.1fns\n", when * 1e9 / i); - decaf_scalar_t asc,bsc,csc; + decaf_448_scalar_t asc,bsc,csc; memset(asc,0,sizeof(asc)); memset(bsc,0,sizeof(bsc)); when = now(); for (i=0; i=0; j--) { + for (j=DECAF_448_SCALAR_LIMBS-1; j>=0; j--) { printf(PRIxWORDfull, scalar->limb[j]); } printf("\n"); @@ -35,24 +35,24 @@ static mask_t mpz_to_field ( } static mask_t mpz_to_scalar ( - decaf_scalar_t out, + decaf_448_scalar_t out, const mpz_t in ) { - uint8_t ser[DECAF_SCALAR_BYTES]; + uint8_t ser[DECAF_448_SCALAR_BYTES]; mpz_t modded; memset(ser,0,sizeof(ser)); mpz_init(modded); mpz_mod(modded, in, mp_scalar_field); mpz_export(ser, NULL, -1, 1, -1, 0, modded); - mask_t succ = decaf_scalar_decode(out, ser); + mask_t succ = decaf_448_scalar_decode(out, ser); return succ; } static mask_t scalar_assert_eq_gmp( const char *descr, - const decaf_scalar_t a, - const decaf_scalar_t b, - const decaf_scalar_t x, + const decaf_448_scalar_t a, + const decaf_448_scalar_t b, + const decaf_448_scalar_t x, const mpz_t ma, const mpz_t mb, const mpz_t y @@ -62,7 +62,7 @@ static mask_t scalar_assert_eq_gmp( memset(yser,0,sizeof(yser)); - decaf_scalar_encode(xser, x); + decaf_448_scalar_encode(xser, x); mpz_init(modded); mpz_mod(modded, y, mp_scalar_field); @@ -71,9 +71,9 @@ static mask_t scalar_assert_eq_gmp( if (memcmp(xser,yser,FIELD_BYTES)) { youfail(); printf(" Failed arithmetic test %s\n", descr); - decaf_scalar_print(" a", a); - decaf_scalar_print(" b", b); - decaf_scalar_print(" decaf", x); + decaf_448_scalar_print(" a", a); + decaf_448_scalar_print(" b", b); + decaf_448_scalar_print(" decaf_448", x); // printf(" gmpa = 0x"); int j; @@ -217,22 +217,22 @@ static mask_t test_scalar ( const mpz_t x, const mpz_t y ) { - decaf_scalar_t xx,yy,tt; + decaf_448_scalar_t xx,yy,tt; mpz_t t; mask_t succ = MASK_SUCCESS; succ = mpz_to_scalar(xx,x); succ &= mpz_to_scalar(yy,y); mpz_init(t); - decaf_scalar_add(tt,xx,yy); + decaf_448_scalar_add(tt,xx,yy); mpz_add(t,x,y); succ &= scalar_assert_eq_gmp("scalar add",xx,yy,tt,x,y,t); - decaf_scalar_sub(tt,xx,yy); + decaf_448_scalar_sub(tt,xx,yy); mpz_sub(t,x,y); succ &= scalar_assert_eq_gmp("scalar sub",xx,yy,tt,x,y,t); - decaf_scalar_mul(tt,xx,yy); + decaf_448_scalar_mul(tt,xx,yy); mpz_mul(t,x,y); succ &= scalar_assert_eq_gmp("scalar mul",xx,yy,tt,x,y,t); @@ -322,7 +322,7 @@ int test_arithmetic (void) { mpz_init(mp_field); mpz_import(mp_field, FIELD_BYTES, -1, 1, -1, 0, FIELD_MODULUS); - mpz_import(mp_scalar_field, DECAF_SCALAR_LIMBS, -1, sizeof(decaf_word_t), -1, 0, decaf_scalar_p); + mpz_import(mp_scalar_field, DECAF_448_SCALAR_LIMBS, -1, sizeof(decaf_word_t), -1, 0, decaf_448_scalar_p); mpz_t x,y; mpz_init(x); diff --git a/test/test_pointops.c b/test/test_pointops.c index 257ff5b..8f6b7a8 100644 --- a/test/test_pointops.c +++ b/test/test_pointops.c @@ -157,14 +157,14 @@ add_double_test ( copy_tw_extensible(&textb, &text1); add_tw_pniels_to_tw_extensible(&textb, &pn); - decaf_point_t ted3; + decaf_448_point_t ted3; convert_tw_extensible_to_tw_extended(&ted1, &text1); convert_tw_extensible_to_tw_extended(&ted2, &text2); - decaf_point_add(ted3, (struct decaf_point_s*)&ted1, (struct decaf_point_s*)&ted2); + decaf_448_point_add(ted3, (struct decaf_448_point_s*)&ted1, (struct decaf_448_point_s*)&ted2); add_tw_extended(&ted1, &ted2); convert_tw_extensible_to_tw_extended(&ted2, &textb); - if (~decaf_eq_tw_extended(&ted1, &ted2) | ~decaf_point_eq((struct decaf_point_s*)&ted1, ted3)) { + if (~decaf_eq_tw_extended(&ted1, &ted2) | ~decaf_448_point_eq((struct decaf_448_point_s*)&ted1, ted3)) { youfail(); succ = 0; printf(" Tw extended simple compat:\n"); @@ -362,13 +362,13 @@ int test_decaf_evil (void) { decaf_serialize_tw_extended(out_ed, pt_ed); uint8_t ser_de[56], ser_ed[56]; - decaf_point_t pt_dec, pt_dec2; + decaf_448_point_t pt_dec, pt_dec2; memcpy(pt_dec, pt_ed, sizeof(pt_dec)); - decaf_point_encode(ser_de, pt_dec); - mask_t succ_dec = decaf_point_decode(pt_dec2, ser_de, -1); + decaf_448_point_encode(ser_de, pt_dec); + mask_t succ_dec = decaf_448_point_decode(pt_dec2, ser_de, -1); field_serialize(ser_ed, out_ed); - decaf_point_t p,q,m; + decaf_448_point_t p,q,m; uint8_t oo_base_ser[56], n_base_ser[56]; field_a_t oo_base,tmp,tmp2; field_isr(tmp,base); @@ -378,17 +378,17 @@ int test_decaf_evil (void) { field_serialize(oo_base_ser,oo_base); field_neg(tmp,base); field_serialize(n_base_ser,tmp); // = -base - decaf_point_from_hash_nonuniform (p,random_input); - decaf_point_from_hash_nonuniform (q,oo_base_ser); - decaf_point_from_hash_nonuniform (m,n_base_ser); - mask_t succ_nur = decaf_point_valid(p); - succ_nur &= decaf_point_valid(q); - succ_nur &= decaf_point_valid(m); + decaf_448_point_from_hash_nonuniform (p,random_input); + decaf_448_point_from_hash_nonuniform (q,oo_base_ser); + decaf_448_point_from_hash_nonuniform (m,n_base_ser); + mask_t succ_nur = decaf_448_point_valid(p); + succ_nur &= decaf_448_point_valid(q); + succ_nur &= decaf_448_point_valid(m); mask_t eq_neg, eq_pos; - eq_neg = decaf_point_eq(m,p); - decaf_point_add(m,p,q); - eq_pos = decaf_point_eq(m,decaf_point_identity); + eq_neg = decaf_448_point_eq(m,p); + decaf_448_point_add(m,p,q); + eq_pos = decaf_448_point_eq(m,decaf_448_point_identity); if ((care_should && should != s_m) || ~s_base || s_e != s_te || s_m != s_te || s_ed != s_te @@ -396,9 +396,9 @@ int test_decaf_evil (void) { || (s_ed && ~field_eq(out_e,out_ed)) || memcmp(ser_de, ser_ed, 56) || (s_e & ~succ_dec) - || (s_e & ~decaf_point_eq(pt_dec, pt_dec2) - || (s_e & ~decaf_point_valid(pt_dec)) - || (succ_dec & ~decaf_point_valid(pt_dec2)) + || (s_e & ~decaf_448_point_eq(pt_dec, pt_dec2) + || (s_e & ~decaf_448_point_valid(pt_dec)) + || (succ_dec & ~decaf_448_point_valid(pt_dec2)) || ~succ_nur || ~eq_neg || ~eq_pos) @@ -436,13 +436,13 @@ int test_decaf (void) { int i, hits = 0, fails = 0; - if (~decaf_point_valid(decaf_point_base)) { + if (~decaf_448_point_valid(decaf_448_point_base)) { youfail(); printf(" Decaf base point invalid\n"); fails++; } - if (~decaf_point_valid(decaf_point_identity)) { + if (~decaf_448_point_valid(decaf_448_point_identity)) { youfail(); printf(" Decaf identity point invalid\n"); fails++; diff --git a/test/test_scalarmul.c b/test/test_scalarmul.c index 04f8f3e..79266e4 100644 --- a/test/test_scalarmul.c +++ b/test/test_scalarmul.c @@ -111,10 +111,10 @@ single_scalarmul_compatibility_test ( scalarmul_vt(&work, scalar, nbits); untwist_and_double_and_serialize(vt, &work); - decaf_point_t ed2; + decaf_448_point_t ed2; tw_extended_a_t ed; convert_tw_extensible_to_tw_extended(ed, &text); - decaf_point_scalarmul(ed2, (struct decaf_point_s *)ed, (struct decaf_scalar_s *)scalar); + decaf_448_point_scalarmul(ed2, (struct decaf_448_point_s *)ed, (struct decaf_448_scalar_s *)scalar); scalarmul_ed(ed, scalar); field_copy(work.x, ed->x); @@ -125,8 +125,8 @@ single_scalarmul_compatibility_test ( untwist_and_double_and_serialize(sced, &work); uint8_t ser1[(FIELD_BITS+6)/8], ser2[(FIELD_BITS+6)/8]; - decaf_point_encode(ser1, (struct decaf_point_s *)ed); - decaf_point_encode(ser2, ed2); + decaf_448_point_encode(ser1, (struct decaf_448_point_s *)ed); + decaf_448_point_encode(ser2, ed2); /* check consistency mont vs window */ consistent &= field_eq(mont, ct);