jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
38 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: 1d07343067
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '1d07343067'
${ noResults }
ed448goldilocks/src/goldilocks.c

577 lines
16 KiB
Raw Blame History 

  1. /* Copyright (c) 2014 Cryptography Research, Inc.

  2.  * Released under the MIT License.  See LICENSE.txt for license information.

  3.  */

  4. 

  5. #include "config.h"

  6. #include "word.h"

  7. 

  8. #include <errno.h>

  9. 

  10. #if GOLDILOCKS_USE_PTHREAD

  11. #include <pthread.h>

  12. #endif

  13. 

  14. #include "goldilocks.h"

  15. #include "ec_point.h"

  16. #include "scalarmul.h"

  17. #include "barrett_field.h"

  18. #include "crandom.h"

  19. #include "sha512.h"

  20. #include "intrinsics.h"

  21. 

  22. #ifndef GOLDILOCKS_RANDOM_INIT_FILE

  23. #define GOLDILOCKS_RANDOM_INIT_FILE "/dev/urandom"

  24. #endif

  25. 

  26. #ifndef GOLDILOCKS_RANDOM_RESEED_INTERVAL

  27. #define GOLDILOCKS_RANDOM_RESEED_INTERVAL 10000

  28. #endif

  29. 

  30. /* We'll check it ourselves */

  31. #ifndef GOLDILOCKS_RANDOM_RESEEDS_MANDATORY

  32. #define GOLDILOCKS_RANDOM_RESEEDS_MANDATORY 0

  33. #endif

  34. 

  35. #define GOLDI_DIVERSIFY_BYTES 8

  36. 

  37. 

  38. #if FIELD_BYTES <= SHA512_OUTPUT_BYTES

  39. #define FIELD_HASH_BYTES SHA512_OUTPUT_BYTES

  40. #define field_hash_final sha512_final

  41. #else

  42. #define FIELD_HASH_BYTES (SHA512_OUTPUT_BYTES * ((FIELD_BYTES-1)/SHA512_OUTPUT_BYTES + 1))

  43. static inline void field_hash_final (

  44.     struct sha512_ctx_t *ctx,

  45.     unsigned char out[FIELD_HASH_BYTES]

  46. ) {

  47.     /* SHA PRNG I guess? I really should have used SHAKE */

  48.     int i;

  49.     for (i=0; i<= (FIELD_BYTES-1) / SHA512_OUTPUT_BYTES; i++) {

  50.         if (i)

  51.             sha512_update(ctx, &out[(i-1)*SHA512_OUTPUT_BYTES], SHA512_OUTPUT_BYTES);

  52.         sha512_final(ctx, &out[i*SHA512_OUTPUT_BYTES]);

  53.     }

  54. }

  55. #endif

  56. 

  57. 

  58. /* These are just unique identifiers */

  59. static const char *G_INITING = "initializing";

  60. static const char *G_INITED = "initialized";

  61. static const char *G_FAILED = "failed to initialize";

  62. 

  63. struct goldilocks_precomputed_public_key_t {

  64.     struct goldilocks_public_key_t pub;

  65.     struct fixed_base_table_t table;

  66. };

  67. 

  68. /* FUTURE: auto. */

  69. static struct {

  70.     const char * volatile state;

  71. #if GOLDILOCKS_USE_PTHREAD

  72.     pthread_mutex_t mutex;

  73. #endif

  74.     struct tw_niels_t combs[COMB_N << (COMB_T-1)];

  75.     struct fixed_base_table_t fixed_base;

  76.     struct tw_niels_t wnafs[1<<WNAF_PRECMP_BITS];

  77.     struct crandom_state_t rand;

  78. } goldilocks_global;

  79. 

  80. static inline mask_t

  81. goldilocks_check_init(void) {

  82.     if (likely(goldilocks_global.state == G_INITED)) {

  83.         return MASK_SUCCESS;

  84.     } else {

  85.         return MASK_FAILURE;

  86.     }

  87. }

  88. 

  89. int

  90. goldilocks_init (void) {

  91.     const char *res = compare_and_swap(&goldilocks_global.state, NULL, G_INITING);

  92.     if (res == G_INITED) return GOLDI_EALREADYINIT;

  93.     else if (res) {

  94.         return GOLDI_ECORRUPT;

  95.     }

  96. 

  97. #if GOLDILOCKS_USE_PTHREAD

  98.     int ret = pthread_mutex_init(&goldilocks_global.mutex, NULL);

  99.     if (ret) goto fail;

  100. #endif

  101.     

  102.     struct extensible_t ext;

  103.     struct tw_extensible_t text;

  104.     

  105.     /* Sanity check: the base point is on the curve. */

  106.     assert(validate_affine(&goldilocks_base_point));

  107.     

  108.     /* Convert it to twisted Edwards. */

  109.     convert_affine_to_extensible(&ext, &goldilocks_base_point);

  110.     twist_even(&text, &ext);

  111.     

  112.     /* Precompute the tables. */

  113.     mask_t succ;

  114. 

  115.     succ =  precompute_fixed_base(&goldilocks_global.fixed_base, &text,

  116.         COMB_N, COMB_T, COMB_S, goldilocks_global.combs);

  117.     succ &= precompute_fixed_base_wnaf(goldilocks_global.wnafs, &text, WNAF_PRECMP_BITS);

  118.     

  119.     int criff_res = crandom_init_from_file(&goldilocks_global.rand,

  120.         GOLDILOCKS_RANDOM_INIT_FILE,

  121.         GOLDILOCKS_RANDOM_RESEED_INTERVAL,

  122.         GOLDILOCKS_RANDOM_RESEEDS_MANDATORY);

  123.         

  124. #ifdef SUPERCOP_WONT_LET_ME_OPEN_FILES

  125.     if (criff_res == EMFILE) {

  126.         crandom_init_from_buffer(&goldilocks_global.rand, "SUPERCOP won't let me open files");

  127.         criff_res = 0;

  128.     }

  129. #endif

  130.         

  131.     if (succ & !criff_res) {

  132.         if (!bool_compare_and_swap(&goldilocks_global.state, G_INITING, G_INITED)) {

  133.             abort();

  134.         }

  135.         return 0;

  136.     }

  137.     

  138.     /* it failed! fall though... */

  139. 

  140. fail:

  141.     if (!bool_compare_and_swap(&goldilocks_global.state, G_INITING, G_FAILED)) {

  142.         /* ok something is seriously wrong */

  143.         abort();

  144.     }

  145.     return -1;

  146. }

  147. 

  148. int

  149. goldilocks_derive_private_key (

  150.     struct goldilocks_private_key_t *privkey,

  151.     const unsigned char proto[GOLDI_SYMKEY_BYTES]

  152. ) {

  153.     if (!goldilocks_check_init()) {

  154.         return GOLDI_EUNINIT;

  155.     }

  156.     

  157.     memcpy(&privkey->opaque[2*GOLDI_FIELD_BYTES], proto, GOLDI_SYMKEY_BYTES);

  158.     

  159.     unsigned char skb[FIELD_HASH_BYTES];

  160.     word_t sk[GOLDI_FIELD_WORDS];

  161.     assert(sizeof(skb) >= sizeof(sk));

  162.     

  163.     struct sha512_ctx_t ctx;

  164.     struct tw_extensible_t exta;

  165.     struct field_t pk;

  166.     

  167.     sha512_init(&ctx);

  168.     sha512_update(&ctx, (const unsigned char *)"derivepk", GOLDI_DIVERSIFY_BYTES);

  169.     sha512_update(&ctx, proto, GOLDI_SYMKEY_BYTES);

  170.     field_hash_final(&ctx, (unsigned char *)skb);

  171. 

  172.     barrett_deserialize_and_reduce(sk, skb, sizeof(skb), &curve_prime_order);

  173.     barrett_serialize(privkey->opaque, sk, GOLDI_FIELD_BYTES);

  174. 

  175.     scalarmul_fixed_base(&exta, sk, GOLDI_SCALAR_BITS, &goldilocks_global.fixed_base);

  176.     untwist_and_double_and_serialize(&pk, &exta);

  177.     

  178.     field_serialize(&privkey->opaque[GOLDI_FIELD_BYTES], &pk);

  179.     

  180.     return GOLDI_EOK;

  181. }

  182. 

  183. void

  184. goldilocks_underive_private_key (

  185.     unsigned char proto[GOLDI_SYMKEY_BYTES],

  186.     const struct goldilocks_private_key_t *privkey

  187. ) {

  188.     memcpy(proto, &privkey->opaque[2*GOLDI_FIELD_BYTES], GOLDI_SYMKEY_BYTES);

  189. }

  190. 

  191. int

  192. goldilocks_keygen (

  193.     struct goldilocks_private_key_t *privkey,

  194.     struct goldilocks_public_key_t *pubkey

  195. ) {

  196.     if (!goldilocks_check_init()) {

  197.         return GOLDI_EUNINIT;

  198.     }

  199.     

  200.     unsigned char proto[GOLDI_SYMKEY_BYTES];

  201. 

  202. #if GOLDILOCKS_USE_PTHREAD

  203.     int ml_ret = pthread_mutex_lock(&goldilocks_global.mutex);

  204.     if (ml_ret) return ml_ret;

  205. #endif

  206. 

  207.     int ret = crandom_generate(&goldilocks_global.rand, proto, sizeof(proto));

  208. 

  209. #if GOLDILOCKS_USE_PTHREAD

  210.     ml_ret = pthread_mutex_unlock(&goldilocks_global.mutex);

  211.     if (ml_ret) abort();

  212. #endif

  213.     

  214.     int ret2 = goldilocks_derive_private_key(privkey, proto);

  215.     if (!ret) ret = ret2;

  216.     

  217.     ret2 = goldilocks_private_to_public(pubkey, privkey);

  218.     if (!ret) ret = ret2;

  219.     

  220.     return ret ? GOLDI_ENODICE : GOLDI_EOK;

  221. }

  222. 

  223. int

  224. goldilocks_private_to_public (

  225.     struct goldilocks_public_key_t *pubkey,

  226.     const struct goldilocks_private_key_t *privkey

  227. ) {

  228.     struct field_t pk;

  229.     mask_t msucc = field_deserialize(&pk,&privkey->opaque[GOLDI_FIELD_BYTES]);

  230.     

  231.     if (msucc) {

  232.         field_serialize(pubkey->opaque, &pk);

  233.         return GOLDI_EOK;

  234.     } else {

  235.         return GOLDI_ECORRUPT;

  236.     }

  237. }

  238. 

  239. static int

  240. goldilocks_shared_secret_core (

  241.     uint8_t shared[GOLDI_SHARED_SECRET_BYTES],

  242.     const struct goldilocks_private_key_t *my_privkey,

  243.     const struct goldilocks_public_key_t *your_pubkey,

  244.     const struct goldilocks_precomputed_public_key_t *pre

  245. ) {

  246.     uint8_t gxy[GOLDI_FIELD_BYTES];

  247.     

  248.     /* This function doesn't actually need anything in goldilocks_global,

  249.      * so it doesn't check init.

  250.      */

  251.     

  252.     assert(GOLDI_SHARED_SECRET_BYTES == SHA512_OUTPUT_BYTES);

  253.     

  254.     word_t sk[GOLDI_FIELD_WORDS];

  255.     struct field_t pk;

  256.     

  257.     mask_t succ = field_deserialize(&pk,your_pubkey->opaque), msucc = -1;

  258.     

  259. #ifdef EXPERIMENT_ECDH_STIR_IN_PUBKEYS

  260.     struct field_t sum, prod;

  261.     msucc &= field_deserialize(&sum,&my_privkey->opaque[GOLDI_FIELD_BYTES]);

  262.     field_mul(&prod,&pk,&sum);

  263.     field_add(&sum,&pk,&sum);

  264. #endif

  265.     

  266.     msucc &= barrett_deserialize(sk,my_privkey->opaque,&curve_prime_order);

  267.     

  268. #if GOLDI_IMPLEMENT_PRECOMPUTED_KEYS

  269.     if (pre) {

  270.         struct tw_extensible_t tw;

  271.         succ &= scalarmul_fixed_base(&tw, sk, GOLDI_SCALAR_BITS, &pre->table);

  272.         untwist_and_double_and_serialize(&pk, &tw);

  273.     } else {

  274.         succ &= montgomery_ladder(&pk,&pk,sk,GOLDI_SCALAR_BITS,1);

  275.     }

  276. #else

  277.     (void)pre;

  278.     succ &= montgomery_ladder(&pk,&pk,sk,GOLDI_SCALAR_BITS,1);

  279. #endif

  280.     

  281.     

  282.     field_serialize(gxy,&pk);

  283.     

  284.     /* obliterate records of our failure by adjusting with obliteration key */

  285.     struct sha512_ctx_t ctx;

  286.     sha512_init(&ctx);

  287. 

  288. #ifdef EXPERIMENT_ECDH_OBLITERATE_CT

  289.     uint8_t oblit[GOLDI_DIVERSIFY_BYTES + GOLDI_SYMKEY_BYTES];

  290.     unsigned i;

  291.     for (i=0; i<GOLDI_DIVERSIFY_BYTES; i++) {

  292.         oblit[i] = "noshared"[i] & ~(succ&msucc);

  293.     }

  294.     for (i=0; i<GOLDI_SYMKEY_BYTES; i++) {

  295.         oblit[GOLDI_DIVERSIFY_BYTES+i] = my_privkey->opaque[2*GOLDI_FIELD_BYTES+i] & ~(succ&msucc);

  296.     }

  297.     sha512_update(&ctx, oblit, sizeof(oblit));

  298. #endif

  299.     

  300. #ifdef EXPERIMENT_ECDH_STIR_IN_PUBKEYS

  301.     /* stir in the sum and product of the pubkeys. */

  302.     uint8_t a_pk[GOLDI_FIELD_BYTES];

  303.     field_serialize(a_pk, &sum);

  304.     sha512_update(&ctx, a_pk, GOLDI_FIELD_BYTES);

  305.     field_serialize(a_pk, &prod);

  306.     sha512_update(&ctx, a_pk, GOLDI_FIELD_BYTES);

  307. #endif

  308.        

  309.     /* stir in the shared key and finish */

  310.     sha512_update(&ctx, gxy, GOLDI_FIELD_BYTES);

  311.     sha512_final(&ctx, shared);

  312.     

  313.     return (GOLDI_ECORRUPT & ~msucc)

  314.         | (GOLDI_EINVAL & msucc &~ succ)

  315.         | (GOLDI_EOK & msucc & succ);

  316. }

  317. 

  318. int

  319. goldilocks_shared_secret (

  320.     uint8_t shared[GOLDI_SHARED_SECRET_BYTES],

  321.     const struct goldilocks_private_key_t *my_privkey,

  322.     const struct goldilocks_public_key_t *your_pubkey

  323. ) {

  324.     return goldilocks_shared_secret_core(

  325.         shared,

  326.         my_privkey,

  327.         your_pubkey,

  328.         NULL

  329.     );

  330. }

  331. 

  332. #if GOLDI_IMPLEMENT_SIGNATURES

  333. static void

  334. goldilocks_derive_challenge(

  335.     word_t challenge[GOLDI_FIELD_WORDS],

  336.     const unsigned char pubkey[GOLDI_FIELD_BYTES],

  337.     const unsigned char gnonce[GOLDI_FIELD_BYTES],

  338.     const unsigned char *message,

  339.     uint64_t message_len

  340. ) {

  341.     /* challenge = H(pk, [nonceG], message). */

  342.     unsigned char sha_out[FIELD_HASH_BYTES];

  343.     struct sha512_ctx_t ctx;

  344.     sha512_init(&ctx);

  345.     sha512_update(&ctx, pubkey, GOLDI_FIELD_BYTES);

  346.     sha512_update(&ctx, gnonce, GOLDI_FIELD_BYTES);

  347.     sha512_update(&ctx, message, message_len);

  348.     field_hash_final(&ctx, sha_out);

  349.     barrett_deserialize_and_reduce(challenge, sha_out, sizeof(sha_out), &curve_prime_order);

  350. }

  351. 

  352. int

  353. goldilocks_sign (

  354.     uint8_t signature_out[GOLDI_SIGNATURE_BYTES],

  355.     const uint8_t *message,

  356.     uint64_t message_len,

  357.     const struct goldilocks_private_key_t *privkey

  358. ) {

  359.     if (!goldilocks_check_init()) {

  360.         return GOLDI_EUNINIT;

  361.     }

  362.     

  363.     /* challenge = H(pk, [nonceG], message). */

  364.     word_t skw[GOLDI_FIELD_WORDS];

  365.     mask_t succ = barrett_deserialize(skw,privkey->opaque,&curve_prime_order);

  366.     if (!succ) {

  367.         really_memset(skw,0,sizeof(skw));

  368.         return GOLDI_ECORRUPT;

  369.     }

  370.         

  371.     /* Derive a nonce.  TODO: use HMAC. FUTURE: factor. */

  372.     unsigned char sha_out[FIELD_HASH_BYTES];

  373.     word_t tk[GOLDI_FIELD_WORDS];

  374.     struct sha512_ctx_t ctx;

  375.     sha512_init(&ctx);

  376.     sha512_update(&ctx, (const unsigned char *)"signonce", 8);

  377.     sha512_update(&ctx, &privkey->opaque[2*GOLDI_FIELD_BYTES], GOLDI_SYMKEY_BYTES);

  378.     sha512_update(&ctx, message, message_len);

  379.     sha512_update(&ctx, &privkey->opaque[2*GOLDI_FIELD_BYTES], GOLDI_SYMKEY_BYTES);

  380.     field_hash_final(&ctx, sha_out);

  381.     barrett_deserialize_and_reduce(tk, sha_out, sizeof(sha_out), &curve_prime_order);

  382.     

  383.     /* 4[nonce]G */

  384.     uint8_t signature_tmp[GOLDI_FIELD_BYTES];

  385.     struct tw_extensible_t exta;

  386.     struct field_t gsk;

  387.     scalarmul_fixed_base(&exta, tk, GOLDI_SCALAR_BITS, &goldilocks_global.fixed_base);

  388.     double_tw_extensible(&exta);

  389.     untwist_and_double_and_serialize(&gsk, &exta);

  390.     field_serialize(signature_tmp, &gsk);

  391.     

  392.     word_t challenge[GOLDI_FIELD_WORDS];

  393.     goldilocks_derive_challenge (

  394.         challenge,

  395.         &privkey->opaque[GOLDI_FIELD_BYTES],

  396.         signature_tmp,

  397.         message,

  398.         message_len

  399.     );

  400.     

  401.     /* reduce challenge and sub. */

  402.     barrett_negate(challenge,GOLDI_FIELD_WORDS,&curve_prime_order);

  403. 

  404.     barrett_mac(

  405.         tk,GOLDI_FIELD_WORDS,

  406.         challenge,GOLDI_FIELD_WORDS,

  407.         skw,GOLDI_FIELD_WORDS,

  408.         &curve_prime_order

  409.     );

  410.         

  411.     word_t carry = add_nr_ext_packed(tk,tk,GOLDI_FIELD_WORDS,tk,GOLDI_FIELD_WORDS,-1);

  412.     barrett_reduce(tk,GOLDI_FIELD_WORDS,carry,&curve_prime_order);

  413.         

  414.     memcpy(signature_out, signature_tmp, GOLDI_FIELD_BYTES);

  415.     barrett_serialize(signature_out+GOLDI_FIELD_BYTES, tk, GOLDI_FIELD_BYTES);

  416.     really_memset((unsigned char *)tk,0,sizeof(tk));

  417.     really_memset((unsigned char *)skw,0,sizeof(skw));

  418.     really_memset((unsigned char *)challenge,0,sizeof(challenge));

  419.     

  420.     /* response = 2(nonce_secret - sk*challenge)

  421.      * Nonce = 8[nonce_secret]*G

  422.      * PK = 2[sk]*G, except doubled (TODO)

  423.      * so [2] ( [response]G + 2[challenge]PK ) = Nonce

  424.      */

  425.     

  426.     return 0;

  427. }

  428. 

  429. int

  430. goldilocks_verify (

  431.     const uint8_t signature[GOLDI_SIGNATURE_BYTES],

  432.     const uint8_t *message,

  433.     uint64_t message_len,

  434.     const struct goldilocks_public_key_t *pubkey

  435. ) {

  436.     if (!goldilocks_check_init()) {

  437.         return GOLDI_EUNINIT;

  438.     }

  439.     

  440.     struct field_t pk;

  441.     word_t s[GOLDI_FIELD_WORDS];

  442.     

  443.     mask_t succ = field_deserialize(&pk,pubkey->opaque);

  444.     if (!succ) return GOLDI_EINVAL;

  445.     

  446.     succ = barrett_deserialize(s, &signature[GOLDI_FIELD_BYTES], &curve_prime_order);

  447.     if (!succ) return GOLDI_EINVAL;

  448.     

  449.     word_t challenge[GOLDI_FIELD_WORDS];

  450.     goldilocks_derive_challenge(challenge, pubkey->opaque, signature, message, message_len);

  451.     

  452.     struct field_t eph;

  453.     struct tw_extensible_t pk_text;

  454.     

  455.     /* deserialize [nonce]G */

  456.     succ = field_deserialize(&eph, signature);

  457.     if (!succ) return GOLDI_EINVAL;

  458.     

  459.     succ = deserialize_and_twist_approx(&pk_text, &sqrt_d_minus_1, &pk);

  460.     if (!succ) return GOLDI_EINVAL;

  461.     

  462.     linear_combo_var_fixed_vt( &pk_text,

  463.         challenge, GOLDI_SCALAR_BITS,

  464.         s, GOLDI_SCALAR_BITS,

  465.         goldilocks_global.wnafs, WNAF_PRECMP_BITS );

  466.     

  467.     untwist_and_double_and_serialize( &pk, &pk_text );

  468. 

  469.     succ = field_eq(&eph, &pk);

  470.     return succ ? 0 : GOLDI_EINVAL;

  471. }

  472. #endif

  473. 

  474. #if GOLDI_IMPLEMENT_PRECOMPUTED_KEYS

  475. 

  476. struct goldilocks_precomputed_public_key_t *

  477. goldilocks_precompute_public_key (

  478.     const struct goldilocks_public_key_t *pub    

  479. ) {

  480.     struct goldilocks_precomputed_public_key_t *precom;

  481.     precom = (struct goldilocks_precomputed_public_key_t *)

  482.         malloc(sizeof(*precom));

  483.     

  484.     if (!precom) return NULL;

  485.     

  486.     struct tw_extensible_t pk_text;

  487.     

  488.     struct field_t pk;

  489.     mask_t succ = field_deserialize(&pk, pub->opaque);

  490.     if (!succ) {

  491.         free(precom);

  492.         return NULL;

  493.     }

  494.     

  495.     succ = deserialize_and_twist_approx(&pk_text, &sqrt_d_minus_1, &pk);

  496.     if (!succ) {

  497.         free(precom);

  498.         return NULL;

  499.     }

  500. 

  501.     succ =  precompute_fixed_base(&precom->table, &pk_text,

  502.         COMB_N, COMB_T, COMB_S, NULL);

  503.     if (!succ) {

  504.         free(precom);

  505.         return NULL;

  506.     }

  507.     

  508.     memcpy(&precom->pub,pub,sizeof(*pub));

  509.     

  510.     return precom;

  511. }

  512. 

  513. void

  514. goldilocks_destroy_precomputed_public_key (

  515.     struct goldilocks_precomputed_public_key_t *precom

  516. ) {

  517.     if (!precom) return;

  518.     destroy_fixed_base(&precom->table);

  519.     really_memset(&precom->pub.opaque, 0, sizeof(precom->pub));

  520.     free(precom);

  521. }

  522. 

  523. int

  524. goldilocks_verify_precomputed (

  525.     const uint8_t signature[GOLDI_SIGNATURE_BYTES],

  526.     const uint8_t *message,

  527.     uint64_t message_len,

  528.     const struct goldilocks_precomputed_public_key_t *pubkey

  529. ) {

  530.     if (!goldilocks_check_init()) {

  531.         return GOLDI_EUNINIT;

  532.     }

  533. 

  534.     word_t s[GOLDI_FIELD_WORDS];

  535.     mask_t succ = barrett_deserialize(s, &signature[GOLDI_FIELD_BYTES], &curve_prime_order);

  536.     if (!succ) return GOLDI_EINVAL;

  537.     

  538.     word_t challenge[GOLDI_FIELD_WORDS];

  539.     goldilocks_derive_challenge(challenge, pubkey->pub.opaque, signature, message, message_len);

  540.     

  541.     struct field_t eph, pk;

  542.     struct tw_extensible_t pk_text;

  543.     

  544.     /* deserialize [nonce]G */

  545.     succ = field_deserialize(&eph, signature);

  546.     if (!succ) return GOLDI_EINVAL;

  547.         

  548.     succ = linear_combo_combs_vt (

  549.         &pk_text,

  550.         challenge, GOLDI_SCALAR_BITS, &pubkey->table,

  551.         s, GOLDI_SCALAR_BITS, &goldilocks_global.fixed_base

  552.     );

  553.     if (!succ) return GOLDI_EINVAL;

  554.     

  555.     untwist_and_double_and_serialize( &pk, &pk_text );

  556. 

  557.     succ = field_eq(&eph, &pk);

  558.     return succ ? 0 : GOLDI_EINVAL;

  559. }

  560. 

  561. int

  562. goldilocks_shared_secret_precomputed (

  563.     uint8_t shared[GOLDI_SHARED_SECRET_BYTES],

  564.     const struct goldilocks_private_key_t *my_privkey,

  565.     const struct goldilocks_precomputed_public_key_t *your_pubkey

  566. ) {

  567.     return goldilocks_shared_secret_core(

  568.         shared,

  569.         my_privkey,

  570.         &your_pubkey->pub,

  571.         your_pubkey

  572.     );

  573. }

  574. 

  575. #endif /* GOLDI_IMPLEMENT_PRECOMPUTED_KEYS */