jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: 1eab9a3a08
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '1eab9a3a08'
${ noResults }
ed448goldilocks/test/bench.c

685 lines
19 KiB
Raw Blame History 

  1. /* Copyright (c) 2014 Cryptography Research, Inc.

  2.  * Released under the MIT License.  See LICENSE.txt for license information.

  3.  */

  4. 

  5. #include "word.h"

  6. 

  7. #include <sys/time.h>

  8. #include <sys/types.h>

  9. #include <stdio.h>

  10. #include <memory.h>

  11. 

  12. #include "p448.h"

  13. #include "ec_point.h"

  14. #include "scalarmul.h"

  15. #include "barrett_field.h"

  16. #include "crandom.h"

  17. #include "goldilocks.h"

  18. #include "sha512.h"

  19. 

  20. double now() {

  21.   struct timeval tv;

  22.   gettimeofday(&tv, NULL);

  23.   

  24.   return tv.tv_sec + tv.tv_usec/1000000.0;

  25. }

  26. 

  27. void p448_randomize( struct crandom_state_t *crand, struct p448_t *a ) {

  28.     crandom_generate(crand, (unsigned char *)a, sizeof(*a));

  29.     p448_strong_reduce(a);

  30. }

  31. 

  32. void q448_randomize( struct crandom_state_t *crand, word_t sk[448/WORD_BITS] ) {

  33.     crandom_generate(crand, (unsigned char *)sk, 448/8);

  34. }

  35. 

  36. void p448_print( const char *descr, const struct p448_t *a ) {

  37.     p448_t b;

  38.     p448_copy(&b, a);

  39.     p448_strong_reduce(&b);

  40.     int j;

  41.     printf("%s = 0x", descr);

  42.     for (j=sizeof(*a)/sizeof(a->limb[0])-1; j>=0; j--) {

  43.         printf(PRIxWORD58, b.limb[j]);

  44.     }

  45.     printf("\n");

  46. }

  47. 

  48. void p448_print_full( const char *descr, const struct p448_t *a ) {

  49.     int j;

  50.     printf("%s = 0x", descr);

  51.     for (j=15; j>=0; j--) {

  52.         printf("%02" PRIxWORD "_" PRIxWORD58 " ",

  53.             a->limb[j]>>28, a->limb[j]&(1<<28)-1);

  54.     }

  55.     printf("\n");

  56. }

  57. 

  58. void q448_print( const char *descr, const word_t secret[448/WORD_BITS] ) {

  59.     int j;

  60.     printf("%s = 0x", descr);

  61.     for (j=448/WORD_BITS-1; j>=0; j--) {

  62.         printf(PRIxWORDfull, secret[j]);

  63.     }

  64.     printf("\n");

  65. }

  66. 

  67. #ifndef N_TESTS_BASE

  68. #define N_TESTS_BASE 10000

  69. #endif

  70. 

  71. int main(int argc, char **argv) {

  72.     (void)argc;

  73.     (void)argv;

  74. 

  75.     struct tw_extensible_t ext;

  76.     struct extensible_t exta;

  77.     struct tw_niels_t niels;

  78.     struct tw_pniels_t pniels;

  79.     struct affine_t affine;

  80.     struct montgomery_t mb;

  81.     struct p448_t a,b,c,d;

  82.     

  83.     

  84.     double when;

  85.     int i;

  86. 

  87.     int nbase = N_TESTS_BASE;

  88.     

  89.     /* Bad randomness so we can debug. */

  90.     char initial_seed[32];

  91.     for (i=0; i<32; i++) initial_seed[i] = i;

  92.     struct crandom_state_t crand;

  93.     crandom_init_from_buffer(&crand, initial_seed);

  94.     

  95.     word_t sk[448/WORD_BITS],tk[448/WORD_BITS];

  96.     q448_randomize(&crand, sk);

  97.     

  98.     when = now();

  99.     for (i=0; i<nbase*1000; i++) {

  100.         p448_mul(&c, &b, &a);

  101.     }

  102.     when = now() - when;

  103.     printf("mul:         %5.1fns\n", when * 1e9 / i);

  104.     

  105.     when = now();

  106.     for (i=0; i<nbase*1000; i++) {

  107.         p448_sqr(&c, &a);

  108.     }

  109.     when = now() - when;

  110.     printf("sqr:         %5.1fns\n", when * 1e9 / i);

  111.     

  112.     when = now();

  113.     for (i=0; i<nbase*500; i++) {

  114.         p448_mul(&c, &b, &a);

  115.         p448_mul(&a, &b, &c);

  116.     }

  117.     when = now() - when;

  118.     printf("mul dep:     %5.1fns\n", when * 1e9 / i / 2);

  119.     

  120.     when = now();

  121.     for (i=0; i<nbase*1000; i++) {

  122.         p448_mulw(&c, &b, 1234562);

  123.     }

  124.     when = now() - when;

  125.     printf("mulw:        %5.1fns\n", when * 1e9 / i);

  126.     

  127.     when = now();

  128.     for (i=0; i<nbase*10; i++) {

  129.         p448_randomize(&crand, &a);

  130.     }

  131.     when = now() - when;

  132.     printf("rand448:     %5.1fns\n", when * 1e9 / i);

  133.     

  134.     struct sha512_ctx_t sha;

  135.     uint8_t hashout[128];

  136.     when = now();

  137.     for (i=0; i<nbase; i++) {

  138.         sha512_init(&sha);

  139.         sha512_final(&sha, hashout);

  140.     }

  141.     when = now() - when;

  142.     printf("sha512 1blk: %5.1fns\n", when * 1e9 / i);

  143.     

  144.     when = now();

  145.     for (i=0; i<nbase; i++) {

  146.         sha512_update(&sha, hashout, 128);

  147.     }

  148.     when = now() - when;

  149.     printf("sha512 blk:  %5.1fns (%0.2f MB/s)\n", when * 1e9 / i, 128*i/when/1e6);

  150.     

  151.     when = now();

  152.     for (i=0; i<nbase; i++) {

  153.         p448_isr(&c, &a);

  154.     }

  155.     when = now() - when;

  156.     printf("isr auto:    %5.1fµs\n", when * 1e6 / i);

  157.     

  158.     for (i=0; i<100; i++) {

  159.         p448_randomize(&crand, &a);

  160.         p448_isr(&d,&a);

  161.         p448_sqr(&b,&d);

  162.         p448_mul(&c,&b,&a);

  163.         p448_sqr(&b,&c);

  164.         p448_subw(&b,1);

  165.         p448_bias(&b,1);

  166.         if (!p448_is_zero(&b)) {

  167.             printf("ISR validation failure!\n");

  168.             p448_print("a", &a);

  169.             p448_print("s", &d);

  170.         }

  171.     }

  172.     

  173.     when = now();

  174.     for (i=0; i<nbase; i++) {

  175.         elligator_2s_inject(&affine, &a);

  176.     }

  177.     when = now() - when;

  178.     printf("elligator:   %5.1fµs\n", when * 1e6 / i);

  179.     

  180.     for (i=0; i<100; i++) {

  181.         p448_randomize(&crand, &a);

  182.         elligator_2s_inject(&affine, &a);

  183.         if (!validate_affine(&affine)) {

  184.             printf("Elligator validation failure!\n");

  185.             p448_print("a", &a);

  186.             p448_print("x", &affine.x);

  187.             p448_print("y", &affine.y);

  188.         }

  189.     }

  190.     

  191.     when = now();

  192.     for (i=0; i<nbase; i++) {

  193.         deserialize_affine(&affine, &a);

  194.     }

  195.     when = now() - when;

  196.     printf("decompress:  %5.1fµs\n", when * 1e6 / i);

  197.     

  198.     when = now();

  199.     for (i=0; i<nbase; i++) {

  200.         serialize_extensible(&a, &exta);

  201.     }

  202.     when = now() - when;

  203.     printf("compress:    %5.1fµs\n", when * 1e6 / i);

  204.     

  205.     int goods = 0;

  206.     for (i=0; i<100; i++) {

  207.         p448_randomize(&crand, &a);

  208.         mask_t good = deserialize_affine(&affine, &a);

  209.         if (good & !validate_affine(&affine)) {

  210.             printf("Deserialize validation failure!\n");

  211.             p448_print("a", &a);

  212.             p448_print("x", &affine.x);

  213.             p448_print("y", &affine.y);

  214.         } else if (good) {

  215.             goods++;

  216.             convert_affine_to_extensible(&exta,&affine);

  217.             serialize_extensible(&b, &exta);

  218.             p448_sub(&c,&b,&a);

  219.             p448_bias(&c,2);

  220.             if (!p448_is_zero(&c)) {

  221.                 printf("Reserialize validation failure!\n");

  222.                 p448_print("a", &a);

  223.                 p448_print("x", &affine.x);

  224.                 p448_print("y", &affine.y);

  225.                 deserialize_affine(&affine, &b);

  226.                 p448_print("b", &b);

  227.                 p448_print("x", &affine.x);

  228.                 p448_print("y", &affine.y);

  229.                 printf("\n");

  230.             }

  231.         }

  232.     }

  233.     if (goods<i/3) {

  234.         printf("Deserialization validation failure! Deserialized %d/%d points\n", goods, i);

  235.     }

  236.     

  237.     word_t lsk[768/WORD_BITS];

  238.     crandom_generate(&crand, (unsigned char *)lsk, sizeof(lsk));

  239.     

  240.     when = now();

  241.     for (i=0; i<nbase*100; i++) {

  242.         barrett_reduce(lsk,sizeof(lsk)/sizeof(word_t),0,&goldi_q448);

  243.     }

  244.     when = now() - when;

  245.     printf("barrett red: %5.1fns\n", when * 1e9 / i);

  246.     

  247.     when = now();

  248.     for (i=0; i<nbase*10; i++) {

  249.         barrett_mac(lsk,448/WORD_BITS,lsk,448/WORD_BITS,lsk,448/WORD_BITS,&goldi_q448);

  250.     }

  251.     when = now() - when;

  252.     printf("barrett mac: %5.1fns\n", when * 1e9 / i);

  253.     

  254.     when = now();

  255.     for (i=0; i<nbase*100; i++) {

  256.         add_tw_niels_to_tw_extensible(&ext, &niels);

  257.     }

  258.     when = now() - when;

  259.     printf("exti+niels:  %5.1fns\n", when * 1e9 / i);

  260.     

  261.     when = now();

  262.     for (i=0; i<nbase*100; i++) {

  263.         add_tw_pniels_to_tw_extensible(&ext, &pniels);

  264.     }

  265.     when = now() - when;

  266.     printf("exti+pniels: %5.1fns\n", when * 1e9 / i);

  267.     

  268.     when = now();

  269.     for (i=0; i<nbase*100; i++) {

  270.         double_tw_extensible(&ext);

  271.     }

  272.     when = now() - when;

  273.     printf("exti dbl:    %5.1fns\n", when * 1e9 / i);

  274.     

  275.     when = now();

  276.     for (i=0; i<nbase*100; i++) {

  277.         untwist_and_double(&exta, &ext);

  278.     }

  279.     when = now() - when;

  280.     printf("i->a isog:   %5.1fns\n", when * 1e9 / i);

  281.     

  282.     when = now();

  283.     for (i=0; i<nbase*100; i++) {

  284.         twist_and_double(&ext, &exta);

  285.     }

  286.     when = now() - when;

  287.     printf("a->i isog:   %5.1fns\n", when * 1e9 / i);

  288.     

  289.     when = now();

  290.     for (i=0; i<nbase*100; i++) {

  291.         montgomery_step(&mb);

  292.     }

  293.     when = now() - when;

  294.     printf("monty step:  %5.1fns\n", when * 1e9 / i);

  295. 	

  296.     when = now();

  297.     for (i=0; i<nbase/10; i++) {

  298.         (void)montgomery_ladder(&a,&b,sk,448,0);

  299.     }

  300.     when = now() - when;

  301.     printf("full ladder: %5.1fµs\n", when * 1e6 / i);

  302.     

  303.     when = now();

  304.     for (i=0; i<nbase/10; i++) {

  305.         scalarmul(&ext,sk);

  306.     }

  307.     when = now() - when;

  308.     printf("edwards smz: %5.1fµs\n", when * 1e6 / i);

  309.     

  310.     when = now();

  311.     for (i=0; i<nbase/10; i++) {

  312.         scalarmul_vlook(&ext,sk);

  313.         untwist_and_double_and_serialize(&a,&ext);

  314.     }

  315.     when = now() - when;

  316.     printf("edwards svl: %5.1fµs\n", when * 1e6 / i);

  317.     

  318.     when = now();

  319.     for (i=0; i<nbase/10; i++) {

  320.         q448_randomize(&crand, sk);

  321.         scalarmul_vt(&ext,sk);

  322.     }

  323.     when = now() - when;

  324.     printf("edwards vtm: %5.1fµs\n", when * 1e6 / i);

  325.     

  326.     struct tw_niels_t wnaft[1<<6];

  327.     when = now();

  328.     for (i=0; i<nbase/10; i++) {

  329.         (void)precompute_fixed_base_wnaf(wnaft,&ext,6);

  330.     }

  331.     when = now() - when;

  332.     printf("wnaf6 pre:   %5.1fµs\n", when * 1e6 / i);

  333.     

  334.     when = now();

  335.     for (i=0; i<nbase/10; i++) {

  336.         q448_randomize(&crand, sk);

  337.         scalarmul_fixed_base_wnaf_vt(&ext,sk,446,wnaft,6);

  338.     }

  339.     when = now() - when;

  340.     printf("edwards vt6: %5.1fµs\n", when * 1e6 / i);

  341.     

  342.     when = now();

  343.     for (i=0; i<nbase/10; i++) {

  344.         (void)precompute_fixed_base_wnaf(wnaft,&ext,4);

  345.     }

  346.     when = now() - when;

  347.     printf("wnaf4 pre:   %5.1fµs\n", when * 1e6 / i);

  348.     

  349.     when = now();

  350.     for (i=0; i<nbase/10; i++) {

  351.         q448_randomize(&crand, sk);

  352.         scalarmul_fixed_base_wnaf_vt(&ext,sk,446,wnaft,4);

  353.     }

  354.     when = now() - when;

  355.     printf("edwards vt4: %5.1fµs\n", when * 1e6 / i);

  356. 

  357.     when = now();

  358.     for (i=0; i<nbase/10; i++) {

  359.         (void)precompute_fixed_base_wnaf(wnaft,&ext,5);

  360.     }

  361.     when = now() - when;

  362.     printf("wnaf5 pre:   %5.1fµs\n", when * 1e6 / i);

  363.     

  364.     when = now();

  365.     for (i=0; i<nbase/10; i++) {

  366.         q448_randomize(&crand, sk);

  367.         scalarmul_fixed_base_wnaf_vt(&ext,sk,446,wnaft,5);

  368.     }

  369.     when = now() - when;

  370.     printf("edwards vt5: %5.1fµs\n", when * 1e6 / i);

  371.     

  372.     when = now();

  373.     for (i=0; i<nbase/10; i++) {

  374.         q448_randomize(&crand, sk);

  375.         q448_randomize(&crand, tk);

  376.         linear_combo_var_fixed_vt(&ext,sk,448,tk,448,wnaft,5);

  377.     }

  378.     when = now() - when;

  379.     printf("vt vf combo: %5.1fµs\n", when * 1e6 / i);

  380.     

  381.     when = now();

  382.     for (i=0; i<nbase/10; i++) {

  383.         deserialize_affine(&affine, &a);

  384.         convert_affine_to_extensible(&exta,&affine);

  385.         twist_and_double(&ext,&exta);

  386.         scalarmul(&ext,sk);

  387.         untwist_and_double(&exta,&ext);

  388.         serialize_extensible(&b, &exta);

  389.     }

  390.     when = now() - when;

  391.     printf("edwards sm:  %5.1fµs\n", when * 1e6 / i);

  392.     

  393.     struct fixed_base_table_t t_5_5_18, t_3_5_30, t_8_4_14, t_5_3_30, t_15_3_10;

  394. 

  395.     while (1) {

  396.         p448_randomize(&crand, &a);

  397.         if (deserialize_affine(&affine, &a)) break;

  398.     }

  399.     convert_affine_to_extensible(&exta,&affine);

  400.     twist_and_double(&ext,&exta);

  401.     when = now();

  402.     for (i=0; i<nbase/10; i++) {

  403.         if (i) destroy_fixed_base(&t_5_5_18);

  404.         (void)precompute_fixed_base(&t_5_5_18, &ext, 5, 5, 18, NULL);

  405.     }

  406.     when = now() - when;

  407.     printf("pre(5,5,18): %5.1fµs\n", when * 1e6 / i);

  408.     

  409.     when = now();

  410.     for (i=0; i<nbase/10; i++) {

  411.         if (i) destroy_fixed_base(&t_3_5_30);

  412.         (void)precompute_fixed_base(&t_3_5_30, &ext, 3, 5, 30, NULL);

  413.     }

  414.     when = now() - when;

  415.     printf("pre(3,5,30): %5.1fµs\n", when * 1e6 / i);

  416.     

  417.     when = now();

  418.     for (i=0; i<nbase/10; i++) {

  419.         if (i) destroy_fixed_base(&t_5_3_30);

  420.         (void)precompute_fixed_base(&t_5_3_30, &ext, 5, 3, 30, NULL);

  421.     }

  422.     when = now() - when;

  423.     printf("pre(5,3,30): %5.1fµs\n", when * 1e6 / i);

  424.     

  425.     when = now();

  426.     for (i=0; i<nbase/10; i++) {

  427.         if (i) destroy_fixed_base(&t_15_3_10);

  428.         (void)precompute_fixed_base(&t_15_3_10, &ext, 15, 3, 10, NULL);

  429.     }

  430.     when = now() - when;

  431.     printf("pre(15,3,10): %5.1fµs\n", when * 1e6 / i);

  432.     

  433.     when = now();

  434.     for (i=0; i<nbase/10; i++) {

  435.         if (i) destroy_fixed_base(&t_8_4_14);

  436.         (void)precompute_fixed_base(&t_8_4_14, &ext, 8, 4, 14, NULL);

  437.     }

  438.     when = now() - when;

  439.     printf("pre(8,4,14): %5.1fµs\n", when * 1e6 / i);

  440. 	

  441.     when = now();

  442.     for (i=0; i<nbase; i++) {

  443.         scalarmul_fixed_base(&ext, sk, 448, &t_5_5_18);

  444.     }

  445.     when = now() - when;

  446.     printf("com(5,5,18): %5.1fµs\n", when * 1e6 / i);

  447.     

  448.     when = now();

  449.     for (i=0; i<nbase; i++) {

  450.         scalarmul_fixed_base(&ext, sk, 448, &t_3_5_30);

  451.     }

  452.     when = now() - when;

  453.     printf("com(3,5,30): %5.1fµs\n", when * 1e6 / i);

  454. 

  455.     when = now();

  456.     for (i=0; i<nbase; i++) {

  457.         scalarmul_fixed_base(&ext, sk, 448, &t_8_4_14);

  458.     }

  459.     when = now() - when;

  460.     printf("com(8,4,14): %5.1fµs\n", when * 1e6 / i);

  461. 

  462.     when = now();

  463.     for (i=0; i<nbase; i++) {

  464.         scalarmul_fixed_base(&ext, sk, 448, &t_5_3_30);

  465.     }

  466.     when = now() - when;

  467.     printf("com(5,3,30): %5.1fµs\n", when * 1e6 / i);

  468. 

  469.     when = now();

  470.     for (i=0; i<nbase; i++) {

  471.         scalarmul_fixed_base(&ext, sk, 448, &t_15_3_10);

  472.     }

  473.     when = now() - when;

  474.     printf("com(15,3,10): %5.1fµs\n", when * 1e6 / i);

  475.     

  476.     printf("\nGoldilocks:\n");

  477.     

  478.     int res = goldilocks_init();

  479.     assert(!res);

  480.     

  481.     struct goldilocks_public_key_t gpk,hpk;

  482.     struct goldilocks_private_key_t gsk,hsk;

  483.     

  484.     when = now();

  485.     for (i=0; i<nbase; i++) {

  486.         if (i&1) {

  487.             res = goldilocks_keygen(&gsk,&gpk);

  488.         } else {

  489.             res = goldilocks_keygen(&hsk,&hpk);

  490.         }

  491.         assert(!res);

  492.     }

  493.     when = now() - when;

  494.     printf("keygen:      %5.1fµs\n", when * 1e6 / i);

  495.     

  496.     uint8_t ss1[64],ss2[64];

  497.     int gres1,gres2;

  498.     when = now();

  499.     for (i=0; i<nbase; i++) {

  500.         if (i&1) {

  501.             gres1 = goldilocks_shared_secret(ss1,&gsk,&hpk);

  502.         } else {

  503.             gres2 = goldilocks_shared_secret(ss2,&hsk,&gpk);

  504.         }

  505.     }

  506.     when = now() - when;

  507.     printf("ecdh:        %5.1fµs\n", when * 1e6 / i);

  508.     if (gres1 || gres2 || memcmp(ss1,ss2,64)) {

  509.         printf("[FAIL] %d %d\n",gres1,gres2);

  510.         

  511.         printf("sk1 = ");

  512.         for (i=0; i<56; i++) {

  513.             printf("%02x", gsk.opaque[i]);

  514.         }

  515.         printf("\nsk2 = ");

  516.         for (i=0; i<56; i++) {

  517.             printf("%02x", hsk.opaque[i]);

  518.         }

  519.         printf("\nss1 = ");

  520.         for (i=0; i<56; i++) {

  521.             printf("%02x", ss1[i]);

  522.         }

  523.         printf("\nss2 = ");

  524.         for (i=0; i<56; i++) {

  525.             printf("%02x", ss2[i]);

  526.         }

  527.         printf("\n");

  528.     }

  529.     

  530.     uint8_t sout[56*2];

  531.     const char *message = "hello world";

  532.     size_t message_len = strlen(message);

  533.     when = now();

  534.     for (i=0; i<nbase; i++) {

  535.         res = goldilocks_sign(sout,(const unsigned char *)message,message_len,&gsk);

  536.         assert(!res);

  537.     }

  538.     when = now() - when;

  539.     printf("sign:        %5.1fµs\n", when * 1e6 / i);

  540.     

  541.     when = now();

  542.     for (i=0; i<nbase; i++) {

  543.         res = goldilocks_verify(sout,(const unsigned char *)message,message_len,&gpk);

  544.         (void)res;

  545.     }

  546.     when = now() - when;

  547.     printf("verify:      %5.1fµs\n", when * 1e6 / i);

  548.     

  549.     printf("\nTesting...\n");

  550.     

  551.     

  552.     int failures=0, successes = 0;

  553.     for (i=0; i<nbase/10; i++) {

  554.         (void)goldilocks_keygen(&gsk,&gpk);

  555.         goldilocks_sign(sout,(const unsigned char *)message,message_len,&gsk);

  556.         res = goldilocks_verify(sout,(const unsigned char *)message,message_len,&gpk);

  557.         if (res) failures++;

  558.     }

  559.     if (failures) {

  560.         printf("FAIL %d/%d signature checks!\n", failures, i);

  561.     }

  562.     

  563.     failures=0; successes = 0;

  564.     for (i=0; i<nbase/10; i++) {

  565.         p448_randomize(&crand, &a);

  566. 		word_t two = 2;

  567.         mask_t good = montgomery_ladder(&b,&a,&two,2,0);

  568. 		if (!good) continue;

  569. 		

  570. 		word_t x,y;

  571.         crandom_generate(&crand, (unsigned char *)&x, sizeof(x));

  572.         crandom_generate(&crand, (unsigned char *)&y, sizeof(y));

  573.         x = (hword_t)x;

  574.         y = (hword_t)y;

  575.         word_t z=x*y;

  576.         

  577. 	(void)montgomery_ladder(&b,&a,&x,WORD_BITS,0);

  578.         (void)montgomery_ladder(&c,&b,&y,WORD_BITS,0);

  579.         (void)montgomery_ladder(&b,&a,&z,WORD_BITS,0);

  580.         

  581.         p448_sub(&d,&b,&c);

  582.         p448_bias(&d,2);

  583. 		if (!p448_is_zero(&d)) {

  584.             printf("Odd ladder validation failure %d!\n", ++failures);

  585.             p448_print("a", &a);

  586.             printf("x=%"PRIxWORD", y=%"PRIxWORD", z=%"PRIxWORD"\n", x,y,z);

  587.             p448_print("c", &c);

  588.             p448_print("b", &b);

  589. 			printf("\n");

  590. 		}

  591. 	}

  592.     

  593.     failures = 0;

  594.     for (i=0; i<nbase/10; i++) {

  595.         mask_t good;

  596.         do {

  597.             p448_randomize(&crand, &a);

  598.             good = deserialize_affine(&affine, &a);

  599.         } while (!good);

  600.         

  601.         convert_affine_to_extensible(&exta,&affine);

  602.         twist_and_double(&ext,&exta);

  603.         untwist_and_double(&exta,&ext);

  604.         serialize_extensible(&b, &exta);

  605.         untwist_and_double_and_serialize(&c, &ext);

  606.         

  607.         p448_sub(&d,&b,&c);

  608.         p448_bias(&d,2);

  609.         

  610.         if (good && !p448_is_zero(&d)){

  611.             printf("Iso+serial validation failure %d!\n", ++failures);

  612.             p448_print("a", &a);

  613.             p448_print("b", &b);

  614.             p448_print("c", &c);

  615.             printf("\n");

  616.         } else if (good) {

  617.             successes ++;

  618.         }

  619.     }

  620.     if (successes < i/3) {

  621.         printf("Iso+serial variation: only %d/%d successful.\n", successes, i);

  622.     }

  623.     

  624.     successes = failures = 0;

  625.     for (i=0; i<nbase/10; i++) {

  626.         struct p448_t aa;

  627.         struct tw_extensible_t exu,exv,exw;

  628.         

  629.         mask_t good;

  630.         do {

  631.             p448_randomize(&crand, &a);

  632.             good = deserialize_affine(&affine, &a);

  633.             convert_affine_to_extensible(&exta,&affine);

  634.             twist_and_double(&ext,&exta);

  635.         } while (!good);

  636.         do {

  637.             p448_randomize(&crand, &aa);

  638.             good = deserialize_affine(&affine, &aa);

  639.             convert_affine_to_extensible(&exta,&affine);

  640.             twist_and_double(&exu,&exta);

  641.         } while (!good);

  642.         p448_randomize(&crand, &aa);

  643.         

  644.         q448_randomize(&crand, sk);

  645. 		if (i==0 || i==2) memset(&sk, 0, sizeof(sk));

  646.         q448_randomize(&crand, tk);

  647. 		if (i==0 || i==1) memset(&tk, 0, sizeof(tk));

  648.         

  649.         copy_tw_extensible(&exv, &ext);

  650.         copy_tw_extensible(&exw, &exu);

  651.         scalarmul(&exv,sk);

  652.         scalarmul(&exw,tk);

  653.         convert_tw_extensible_to_tw_pniels(&pniels, &exw);

  654.         add_tw_pniels_to_tw_extensible(&exv,&pniels);

  655.         untwist_and_double(&exta,&exv);

  656.         serialize_extensible(&b, &exta);

  657. 

  658.         (void)precompute_fixed_base_wnaf(wnaft,&exu,5);

  659.         linear_combo_var_fixed_vt(&ext,sk,448,tk,448,wnaft,5);

  660.         untwist_and_double(&exta,&exv);

  661.         serialize_extensible(&c, &exta);

  662.         

  663.         p448_sub(&d,&b,&c);

  664.         p448_bias(&d,2);

  665.         

  666.         if (!p448_is_zero(&d)){

  667.             printf("PreWNAF combo validation failure %d!\n", ++failures);

  668.             p448_print("a", &a);

  669.             p448_print("A", &aa);

  670.             q448_print("s", sk);

  671.             q448_print("t", tk);

  672.             p448_print("c", &c);

  673.             p448_print("b", &b);

  674.             printf("\n\n");

  675.         } else if (good) {

  676.             successes ++;

  677.         }

  678.     }

  679.     if (successes < i) {

  680.         printf("PreWNAF combo variation: only %d/%d successful.\n", successes, i);

  681.     }

  682.     

  683.     return 0;

  684. }