jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
514 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: 26a7b2a9b7
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '26a7b2a9b7'
${ noResults }
ed448goldilocks/src/GENERATED/c/curve25519/elligator.c

205 lines
5.5 KiB
Raw Blame History 

  1. /**

  2.  * @file curve25519/elligator.c

  3.  * @author Mike Hamburg

  4.  *

  5.  * @copyright

  6.  *   Copyright (c) 2015-2016 Cryptography Research, Inc.  \n

  7.  *   Released under the MIT License.  See LICENSE.txt for license information.

  8.  *

  9.  * @brief Elligator high-level functions.

  10.  *

  11.  * @warning This file was automatically generated in Python.

  12.  * Please do not edit it.

  13.  */

  14. #include "word.h"

  15. #include "field.h"

  16. #include <decaf.h>

  17. 

  18. /* Template stuff */

  19. #define API_NS(_id) decaf_255_##_id

  20. #define point_t API_NS(point_t)

  21. #define IMAGINE_TWIST 1

  22. #define COFACTOR 8

  23. static const int EDWARDS_D = -121665;

  24. 

  25. #define RISTRETTO_FACTOR DECAF_255_RISTRETTO_FACTOR

  26. extern const gf RISTRETTO_FACTOR;

  27. 

  28. /* End of template stuff */

  29. extern mask_t API_NS(deisogenize) (

  30.     gf_s *__restrict__ s,

  31.     gf_s *__restrict__ inv_el_sum,

  32.     gf_s *__restrict__ inv_el_m1,

  33.     const point_t p,

  34.     mask_t toggle_hibit_s,

  35.     mask_t toggle_altx,

  36.     mask_t toggle_rotation

  37. );

  38. 

  39. void API_NS(point_from_hash_nonuniform) (

  40.     point_t p,

  41.     const unsigned char ser[SER_BYTES]

  42. ) {

  43.     gf r0,r,a,b,c,N,e;

  44.     const uint8_t mask = (uint8_t)(0xFE<<(6));

  45.     ignore_result(gf_deserialize(r0,ser,0,mask));

  46.     gf_strong_reduce(r0);

  47.     gf_sqr(a,r0);

  48.     gf_mul_qnr(r,a);

  49. 

  50.     /* Compute D@c := (dr+a-d)(dr-ar-d) with a=1 */

  51.     gf_sub(a,r,ONE);

  52.     gf_mulw(b,a,EDWARDS_D); /* dr-d */

  53.     gf_add(a,b,ONE);

  54.     gf_sub(b,b,r);

  55.     gf_mul(c,a,b);

  56.     

  57.     /* compute N := (r+1)(a-2d) */

  58.     gf_add(a,r,ONE);

  59.     gf_mulw(N,a,1-2*EDWARDS_D);

  60.     

  61.     /* e = +-sqrt(1/ND) or +-r0 * sqrt(qnr/ND) */

  62.     gf_mul(a,c,N);

  63.     mask_t square = gf_isr(b,a);

  64.     gf_cond_sel(c,r0,ONE,square); /* r? = square ? 1 : r0 */

  65.     gf_mul(e,b,c);

  66.     

  67.     /* s@a = +-|N.e| */

  68.     gf_mul(a,N,e);

  69.     gf_cond_neg(a,gf_lobit(a) ^ ~square);

  70.     

  71.     /* t@b = -+ cN(r-1)((a-2d)e)^2 - 1 */

  72.     gf_mulw(c,e,1-2*EDWARDS_D); /* (a-2d)e */

  73.     gf_sqr(b,c);

  74.     gf_sub(e,r,ONE);

  75.     gf_mul(c,b,e);

  76.     gf_mul(b,c,N);

  77.     gf_cond_neg(b,square);

  78.     gf_sub(b,b,ONE);

  79. 

  80.     /* isogenize */

  81. #if IMAGINE_TWIST

  82.     gf_mul(c,a,SQRT_MINUS_ONE);

  83.     gf_copy(a,c);

  84. #endif

  85.     

  86.     gf_sqr(c,a); /* s^2 */

  87.     gf_add(a,a,a); /* 2s */

  88.     gf_add(e,c,ONE);

  89.     gf_mul(p->t,a,e); /* 2s(1+s^2) */

  90.     gf_mul(p->x,a,b); /* 2st */

  91.     gf_sub(a,ONE,c);

  92.     gf_mul(p->y,e,a); /* (1+s^2)(1-s^2) */

  93.     gf_mul(p->z,a,b); /* (1-s^2)t */

  94.     

  95.     assert(API_NS(point_valid)(p));

  96. }

  97. 

  98. void API_NS(point_from_hash_uniform) (

  99.     point_t pt,

  100.     const unsigned char hashed_data[2*SER_BYTES]

  101. ) {

  102.     point_t pt2;

  103.     API_NS(point_from_hash_nonuniform)(pt,hashed_data);

  104.     API_NS(point_from_hash_nonuniform)(pt2,&hashed_data[SER_BYTES]);

  105.     API_NS(point_add)(pt,pt,pt2);

  106. }

  107. 

  108. /* Elligator_onto:

  109.  * Make elligator-inverse onto at the cost of roughly halving the success probability.

  110.  * Currently no effect for curves with field size 1 bit mod 8 (where the top bit

  111.  * is chopped off).  FUTURE MAGIC: automatic at least for brainpool-style curves; support

  112.  * log p == 1 mod 8 brainpool curves maybe?

  113.  */

  114. #define MAX(A,B) (((A)>(B)) ? (A) : (B))

  115. 

  116. decaf_error_t

  117. API_NS(invert_elligator_nonuniform) (

  118.     unsigned char recovered_hash[SER_BYTES],

  119.     const point_t p,

  120.     uint32_t hint_

  121. ) {

  122.     mask_t hint = hint_;

  123.     mask_t sgn_s = -(hint & 1),

  124.         sgn_altx = -(hint>>1 & 1),

  125.         sgn_r0 = -(hint>>2 & 1),

  126.         /* FUTURE MAGIC: eventually if there's a curve which needs sgn_ed_T but not sgn_r0,

  127.          * change this mask extraction.

  128.          */

  129.         sgn_ed_T = -(hint>>3 & 1);

  130.     gf a,b,c;

  131.     API_NS(deisogenize)(a,b,c,p,sgn_s,sgn_altx,sgn_ed_T);

  132.     

  133.     mask_t is_identity = gf_eq(p->t,ZERO);

  134. #if COFACTOR==4

  135.     gf_cond_sel(b,b,ONE,is_identity & sgn_altx);

  136.     gf_cond_sel(c,c,ONE,is_identity & sgn_s &~ sgn_altx);

  137. #elif IMAGINE_TWIST

  138.     /* Terrible, terrible special casing due to lots of 0/0 is deisogenize

  139.      * Basically we need to generate -D and +- i*RISTRETTO_FACTOR

  140.      */

  141.     gf_mul_i(a,RISTRETTO_FACTOR);

  142.     gf_cond_sel(b,b,ONE,is_identity);

  143.     gf_cond_neg(a,sgn_altx);

  144.     gf_cond_sel(c,c,a,is_identity & sgn_ed_T);

  145.     gf_cond_sel(c,c,ZERO,is_identity & ~sgn_ed_T);

  146.     gf_mulw(a,ONE,-EDWARDS_D);

  147.     gf_cond_sel(c,c,a,is_identity & ~sgn_ed_T &~ sgn_altx);

  148. #else

  149. #error "Different special-casing goes here!"

  150. #endif

  151.     

  152. #if IMAGINE_TWIST

  153.     gf_mulw(a,b,-EDWARDS_D);

  154. #else

  155.     gf_mulw(a,b,EDWARDS_D-1);

  156. #endif

  157.     gf_add(b,a,b);

  158.     gf_sub(a,a,c);

  159.     gf_add(b,b,c);

  160.     gf_cond_swap(a,b,sgn_s);

  161.     gf_mul_qnr(c,b);

  162.     gf_mul(b,c,a);

  163.     mask_t succ = gf_isr(c,b);

  164.     succ |= gf_eq(b,ZERO);

  165.     gf_mul(b,c,a);

  166.     

  167. #if 255 == 8*SER_BYTES + 1 /* p521. */

  168. #error "this won't work because it needs to adjust high bit, not low bit"

  169.     sgn_r0 = 0;

  170. #endif

  171.     

  172.     gf_cond_neg(b, sgn_r0^gf_lobit(b));

  173.     /* Eliminate duplicate values for identity ... */

  174.     succ &= ~(gf_eq(b,ZERO) & (sgn_r0 | sgn_s));

  175.     // #if COFACTOR == 8

  176.     //     succ &= ~(is_identity & sgn_ed_T); /* NB: there are no preimages of rotated identity. */

  177.     // #endif

  178.     

  179.     #if 255 == 8*SER_BYTES + 1 /* p521 */

  180.         gf_serialize(recovered_hash,b,0);

  181.     #else

  182.         gf_serialize(recovered_hash,b,1);

  183.     #endif

  184. #if 7

  185.     #if COFACTOR==8

  186.         recovered_hash[SER_BYTES-1] ^= (hint>>4)<<7;

  187.     #else

  188.         recovered_hash[SER_BYTES-1] ^= (hint>>3)<<7;

  189.     #endif

  190. #endif

  191.     return decaf_succeed_if(mask_to_bool(succ));

  192. }

  193. 

  194. decaf_error_t

  195. API_NS(invert_elligator_uniform) (

  196.     unsigned char partial_hash[2*SER_BYTES],

  197.     const point_t p,

  198.     uint32_t hint

  199. ) {

  200.     point_t pt2;

  201.     API_NS(point_from_hash_nonuniform)(pt2,&partial_hash[SER_BYTES]);

  202.     API_NS(point_sub)(pt2,p,pt2);

  203.     return API_NS(invert_elligator_nonuniform)(partial_hash,pt2,hint);

  204. }