jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
45 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: 8abc24f4c6
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '8abc24f4c6'
${ noResults }
ed448goldilocks/test/bench.c

750 lines
21 KiB
Raw Blame History 

  1. /* Copyright (c) 2014 Cryptography Research, Inc.

  2.  * Released under the MIT License.  See LICENSE.txt for license information.

  3.  */

  4. 

  5. #include "word.h"

  6. 

  7. #include <sys/time.h>

  8. #include <sys/types.h>

  9. #include <stdio.h>

  10. #include <memory.h>

  11. 

  12. #include "field.h"

  13. #include "ec_point.h"

  14. #include "scalarmul.h"

  15. #include "barrett_field.h"

  16. #include "crandom.h"

  17. #include "goldilocks.h"

  18. #include "sha512.h"

  19. 

  20. static __inline__ void

  21. ignore_result ( int result ) {

  22.     (void)result;

  23. }

  24. 

  25. static double now(void) {

  26.   struct timeval tv;

  27.   gettimeofday(&tv, NULL);

  28.   

  29.   return tv.tv_sec + tv.tv_usec/1000000.0;

  30. }

  31. 

  32. static void field_randomize( struct crandom_state_t *crand, struct field_t *a ) {

  33.     crandom_generate(crand, (unsigned char *)a, sizeof(*a));

  34.     field_strong_reduce(a);

  35. }

  36. 

  37. static void q448_randomize( struct crandom_state_t *crand, word_t sk[SCALAR_WORDS] ) {

  38.     crandom_generate(crand, (unsigned char *)sk, SCALAR_BYTES);

  39. }

  40. 

  41. static void field_print( const char *descr, const struct field_t *a ) {

  42.     int j;

  43.     unsigned char ser[FIELD_BYTES];

  44.     field_serialize(ser,a);

  45.     printf("%s = 0x", descr);

  46.     for (j=FIELD_BYTES - 1; j>=0; j--) {

  47.         printf("%02x", ser[j]);

  48.     }

  49.     printf("\n");

  50. }

  51. 

  52. static void __attribute__((unused))

  53. field_print_full (

  54.     const char *descr,

  55.     const struct field_t *a

  56. ) {

  57.     int j;

  58.     printf("%s = 0x", descr);

  59.     for (j=15; j>=0; j--) {

  60.         printf("%02" PRIxWORD "_" PRIxWORD56 " ",

  61.             a->limb[j]>>28, a->limb[j]&((1<<28)-1));

  62.     }

  63.     printf("\n");

  64. }

  65. 

  66. static void q448_print( const char *descr, const word_t secret[SCALAR_WORDS] ) {

  67.     int j;

  68.     printf("%s = 0x", descr);

  69.     for (j=SCALAR_WORDS-1; j>=0; j--) {

  70.         printf(PRIxWORDfull, secret[j]);

  71.     }

  72.     printf("\n");

  73. }

  74. 

  75. #ifndef N_TESTS_BASE

  76. #define N_TESTS_BASE 10000

  77. #endif

  78. 

  79. int main(int argc, char **argv) {

  80.     (void)argc;

  81.     (void)argv;

  82. 

  83.     struct tw_extensible_t ext;

  84.     struct extensible_t exta;

  85.     struct tw_niels_t niels;

  86.     struct tw_pniels_t pniels;

  87.     struct affine_t affine;

  88.     struct montgomery_t mb;

  89.     struct montgomery_aux_t mba;

  90.     struct field_t a,b,c,d;

  91.     

  92.     

  93.     double when;

  94.     int i;

  95. 

  96.     int nbase = N_TESTS_BASE;

  97.     

  98.     /* Bad randomness so we can debug. */

  99.     char initial_seed[32];

  100.     for (i=0; i<32; i++) initial_seed[i] = i;

  101.     struct crandom_state_t crand;

  102.     crandom_init_from_buffer(&crand, initial_seed);

  103.     /* For testing the performance drop from the crandom debuffering change.

  104.         ignore_result(crandom_init_from_file(&crand, "/dev/urandom", 10000, 1));

  105.     */

  106.     

  107.     word_t sk[SCALAR_WORDS],tk[SCALAR_WORDS];

  108.     q448_randomize(&crand, sk);

  109.     

  110.     memset(&a,0,sizeof(a));

  111.     memset(&b,0,sizeof(b));

  112.     memset(&c,0,sizeof(c));

  113.     memset(&d,0,sizeof(d));

  114.     when = now();

  115.     for (i=0; i<nbase*5000; i++) {

  116.         field_mul(&c, &b, &a);

  117.     }

  118.     when = now() - when;

  119.     printf("mul:         %5.1fns\n", when * 1e9 / i);

  120.     

  121.     when = now();

  122.     for (i=0; i<nbase*5000; i++) {

  123.         field_sqr(&c, &a);

  124.     }

  125.     when = now() - when;

  126.     printf("sqr:         %5.1fns\n", when * 1e9 / i);

  127.     

  128.     when = now();

  129.     for (i=0; i<nbase*5000; i++) {

  130.         field_mulw(&c, &b, 1234562);

  131.     }

  132.     when = now() - when;

  133.     printf("mulw:        %5.1fns\n", when * 1e9 / i);

  134.     

  135.     when = now();

  136.     for (i=0; i<nbase*500; i++) {

  137.         field_mul(&c, &b, &a);

  138.         field_mul(&a, &b, &c);

  139.     }

  140.     when = now() - when;

  141.     printf("mul dep:     %5.1fns\n", when * 1e9 / i / 2);

  142.     

  143.     when = now();

  144.     for (i=0; i<nbase*10; i++) {

  145.         field_randomize(&crand, &a);

  146.     }

  147.     when = now() - when;

  148.     printf("rand448:     %5.1fns\n", when * 1e9 / i);

  149.     

  150.     struct sha512_ctx_t sha;

  151.     uint8_t hashout[128];

  152.     when = now();

  153.     for (i=0; i<nbase; i++) {

  154.         sha512_init(&sha);

  155.         sha512_final(&sha, hashout);

  156.     }

  157.     when = now() - when;

  158.     printf("sha512 1blk: %5.1fns\n", when * 1e9 / i);

  159.     

  160.     when = now();

  161.     for (i=0; i<nbase; i++) {

  162.         sha512_update(&sha, hashout, 128);

  163.     }

  164.     when = now() - when;

  165.     printf("sha512 blk:  %5.1fns (%0.2f MB/s)\n", when * 1e9 / i, 128*i/when/1e6);

  166.     

  167.     when = now();

  168.     for (i=0; i<nbase; i++) {

  169.         field_isr(&c, &a);

  170.     }

  171.     when = now() - when;

  172.     printf("isr auto:    %5.1fµs\n", when * 1e6 / i);

  173.     

  174.     for (i=0; i<100; i++) {

  175.         field_randomize(&crand, &a);

  176.         field_isr(&d,&a);

  177.         field_sqr(&b,&d);

  178.         field_mul(&c,&b,&a);

  179.         field_sqr(&b,&c);

  180.         field_subw(&b,1);

  181.         field_bias(&b,1);

  182.         if (!field_is_zero(&b)) {

  183.             printf("ISR validation failure!\n");

  184.             field_print("a", &a);

  185.             field_print("s", &d);

  186.         }

  187.     }

  188.     

  189.     when = now();

  190.     for (i=0; i<nbase; i++) {

  191.         elligator_2s_inject(&affine, &a);

  192.     }

  193.     when = now() - when;

  194.     printf("elligator:   %5.1fµs\n", when * 1e6 / i);

  195.     

  196.     for (i=0; i<100; i++) {

  197.         field_randomize(&crand, &a);

  198.         elligator_2s_inject(&affine, &a);

  199.         if (!validate_affine(&affine)) {

  200.             printf("Elligator validation failure!\n");

  201.             field_print("a", &a);

  202.             field_print("x", &affine.x);

  203.             field_print("y", &affine.y);

  204.         }

  205.     }

  206.     

  207.     when = now();

  208.     for (i=0; i<nbase; i++) {

  209.         deserialize_affine(&affine, &a);

  210.     }

  211.     when = now() - when;

  212.     printf("decompress:  %5.1fµs\n", when * 1e6 / i);

  213.     

  214.     convert_affine_to_extensible(&exta, &affine);

  215.     when = now();

  216.     for (i=0; i<nbase; i++) {

  217.         serialize_extensible(&a, &exta);

  218.     }

  219.     when = now() - when;

  220.     printf("compress:    %5.1fµs\n", when * 1e6 / i);

  221.     

  222.     int goods = 0;

  223.     for (i=0; i<100; i++) {

  224.         field_randomize(&crand, &a);

  225.         mask_t good = deserialize_affine(&affine, &a);

  226.         if (good & !validate_affine(&affine)) {

  227.             printf("Deserialize validation failure!\n");

  228.             field_print("a", &a);

  229.             field_print("x", &affine.x);

  230.             field_print("y", &affine.y);

  231.         } else if (good) {

  232.             goods++;

  233.             convert_affine_to_extensible(&exta,&affine);

  234.             serialize_extensible(&b, &exta);

  235.             field_sub(&c,&b,&a);

  236.             field_bias(&c,2);

  237.             if (!field_is_zero(&c)) {

  238.                 printf("Reserialize validation failure!\n");

  239.                 field_print("a", &a);

  240.                 field_print("x", &affine.x);

  241.                 field_print("y", &affine.y);

  242.                 deserialize_affine(&affine, &b);

  243.                 field_print("b", &b);

  244.                 field_print("x", &affine.x);

  245.                 field_print("y", &affine.y);

  246.                 printf("\n");

  247.             }

  248.         }

  249.     }

  250.     if (goods<i/3) {

  251.         printf("Deserialization validation failure! Deserialized %d/%d points\n", goods, i);

  252.     }

  253.     

  254.     word_t lsk[768/WORD_BITS];

  255.     crandom_generate(&crand, (unsigned char *)lsk, sizeof(lsk));

  256.     

  257.     when = now();

  258.     for (i=0; i<nbase*100; i++) {

  259.         barrett_reduce(lsk,sizeof(lsk)/sizeof(word_t),0,&curve_prime_order);

  260.     }

  261.     when = now() - when;

  262.     printf("barrett red: %5.1fns\n", when * 1e9 / i);

  263.     

  264.     when = now();

  265.     for (i=0; i<nbase*10; i++) {

  266.         barrett_mac(lsk,SCALAR_WORDS,lsk,SCALAR_WORDS,lsk,SCALAR_WORDS,&curve_prime_order);

  267.     }

  268.     when = now() - when;

  269.     printf("barrett mac: %5.1fns\n", when * 1e9 / i);

  270.     

  271.     memset(&ext,0,sizeof(ext));

  272.     memset(&niels,0,sizeof(niels)); /* avoid assertions in p521 even though this isn't a valid ext or niels */

  273.     when = now();

  274.     for (i=0; i<nbase*100; i++) {

  275.         add_tw_niels_to_tw_extensible(&ext, &niels);

  276.     }

  277.     when = now() - when;

  278.     printf("exti+niels:  %5.1fns\n", when * 1e9 / i);

  279.     

  280.     convert_tw_extensible_to_tw_pniels(&pniels, &ext);

  281.     when = now();

  282.     for (i=0; i<nbase*100; i++) {

  283.         add_tw_pniels_to_tw_extensible(&ext, &pniels);

  284.     }

  285.     when = now() - when;

  286.     printf("exti+pniels: %5.1fns\n", when * 1e9 / i);

  287.     

  288.     when = now();

  289.     for (i=0; i<nbase*100; i++) {

  290.         double_tw_extensible(&ext);

  291.     }

  292.     when = now() - when;

  293.     printf("exti dbl:    %5.1fns\n", when * 1e9 / i);

  294.     

  295.     when = now();

  296.     for (i=0; i<nbase*100; i++) {

  297.         untwist_and_double(&exta, &ext);

  298.     }

  299.     when = now() - when;

  300.     printf("i->a isog:   %5.1fns\n", when * 1e9 / i);

  301.     

  302.     when = now();

  303.     for (i=0; i<nbase*100; i++) {

  304.         twist_and_double(&ext, &exta);

  305.     }

  306.     when = now() - when;

  307.     printf("a->i isog:   %5.1fns\n", when * 1e9 / i);

  308.     

  309.     memset(&mb,0,sizeof(mb));

  310.     when = now();

  311.     for (i=0; i<nbase*100; i++) {

  312.         montgomery_step(&mb);

  313.     }

  314.     when = now() - when;

  315.     printf("monty step:  %5.1fns\n", when * 1e9 / i);

  316.     

  317.     memset(&mba,0,sizeof(mba));

  318.     when = now();

  319.     for (i=0; i<nbase*100; i++) {

  320.         montgomery_aux_step(&mba);

  321.     }

  322.     when = now() - when;

  323.     printf("monty aux:   %5.1fns\n", when * 1e9 / i);

  324. 	

  325.     when = now();

  326.     for (i=0; i<nbase/10; i++) {

  327.         ignore_result(montgomery_ladder(&a,&b,sk,FIELD_BITS,0));

  328.     }

  329.     when = now() - when;

  330.     printf("full ladder: %5.1fµs\n", when * 1e6 / i);

  331.     

  332.     when = now();

  333.     for (i=0; i<nbase/10; i++) {

  334.         scalarmul(&ext,sk);

  335.     }

  336.     when = now() - when;

  337.     printf("edwards smz: %5.1fµs\n", when * 1e6 / i);

  338.     

  339.     when = now();

  340.     for (i=0; i<nbase/10; i++) {

  341.         scalarmul_vlook(&ext,sk);

  342.     }

  343.     when = now() - when;

  344.     printf("edwards svl: %5.1fµs\n", when * 1e6 / i);

  345.     

  346.     when = now();

  347.     for (i=0; i<nbase/10; i++) {

  348.         scalarmul(&ext,sk);

  349.         untwist_and_double_and_serialize(&a,&ext);

  350.     }

  351.     when = now() - when;

  352.     printf("edwards smc: %5.1fµs\n", when * 1e6 / i);

  353.     

  354.     when = now();

  355.     for (i=0; i<nbase/10; i++) {

  356.         q448_randomize(&crand, sk);

  357.         scalarmul_vt(&ext,sk,SCALAR_BITS);

  358.     }

  359.     when = now() - when;

  360.     printf("edwards vtm: %5.1fµs\n", when * 1e6 / i);

  361.     

  362.     struct tw_niels_t wnaft[1<<6];

  363.     when = now();

  364.     for (i=0; i<nbase/10; i++) {

  365.         ignore_result(precompute_fixed_base_wnaf(wnaft,&ext,6));

  366.     }

  367.     when = now() - when;

  368.     printf("wnaf6 pre:   %5.1fµs\n", when * 1e6 / i);

  369.     

  370.     when = now();

  371.     for (i=0; i<nbase/10; i++) {

  372.         q448_randomize(&crand, sk);

  373.         scalarmul_fixed_base_wnaf_vt(&ext,sk,SCALAR_BITS,wnaft,6);

  374.     }

  375.     when = now() - when;

  376.     printf("edwards vt6: %5.1fµs\n", when * 1e6 / i);

  377.     

  378.     when = now();

  379.     for (i=0; i<nbase/10; i++) {

  380.         ignore_result(precompute_fixed_base_wnaf(wnaft,&ext,4));

  381.     }

  382.     when = now() - when;

  383.     printf("wnaf4 pre:   %5.1fµs\n", when * 1e6 / i);

  384.     

  385.     when = now();

  386.     for (i=0; i<nbase/10; i++) {

  387.         q448_randomize(&crand, sk);

  388.         scalarmul_fixed_base_wnaf_vt(&ext,sk,SCALAR_BITS,wnaft,4);

  389.     }

  390.     when = now() - when;

  391.     printf("edwards vt4: %5.1fµs\n", when * 1e6 / i);

  392. 

  393.     when = now();

  394.     for (i=0; i<nbase/10; i++) {

  395.         ignore_result(precompute_fixed_base_wnaf(wnaft,&ext,5));

  396.     }

  397.     when = now() - when;

  398.     printf("wnaf5 pre:   %5.1fµs\n", when * 1e6 / i);

  399.     

  400.     when = now();

  401.     for (i=0; i<nbase/10; i++) {

  402.         q448_randomize(&crand, sk);

  403.         scalarmul_fixed_base_wnaf_vt(&ext,sk,SCALAR_BITS,wnaft,5);

  404.     }

  405.     when = now() - when;

  406.     printf("edwards vt5: %5.1fµs\n", when * 1e6 / i);

  407.     

  408.     when = now();

  409.     for (i=0; i<nbase/10; i++) {

  410.         q448_randomize(&crand, sk);

  411.         q448_randomize(&crand, tk);

  412.         linear_combo_var_fixed_vt(&ext,sk,FIELD_BITS,tk,FIELD_BITS,wnaft,5);

  413.     }

  414.     when = now() - when;

  415.     printf("vt vf combo: %5.1fµs\n", when * 1e6 / i);

  416.     

  417.     when = now();

  418.     for (i=0; i<nbase/10; i++) {

  419.         deserialize_affine(&affine, &a);

  420.         convert_affine_to_extensible(&exta,&affine);

  421.         twist_and_double(&ext,&exta);

  422.         scalarmul(&ext,sk);

  423.         untwist_and_double(&exta,&ext);

  424.         serialize_extensible(&b, &exta);

  425.     }

  426.     when = now() - when;

  427.     printf("edwards sm:  %5.1fµs\n", when * 1e6 / i);

  428.     

  429.     struct fixed_base_table_t t_5_5_18, t_3_5_30, t_8_4_14, t_5_3_30, t_15_3_10;

  430. 

  431.     while (1) {

  432.         field_randomize(&crand, &a);

  433.         if (deserialize_affine(&affine, &a)) break;

  434.     }

  435.     convert_affine_to_extensible(&exta,&affine);

  436.     twist_and_double(&ext,&exta);

  437.     when = now();

  438.     for (i=0; i<nbase/10; i++) {

  439.         if (i) destroy_fixed_base(&t_5_5_18);

  440.         ignore_result(precompute_fixed_base(&t_5_5_18, &ext, 5, 5, 18, NULL));

  441.     }

  442.     when = now() - when;

  443.     printf("pre(5,5,18): %5.1fµs\n", when * 1e6 / i);

  444.     

  445.     when = now();

  446.     for (i=0; i<nbase/10; i++) {

  447.         if (i) destroy_fixed_base(&t_3_5_30);

  448.         ignore_result(precompute_fixed_base(&t_3_5_30, &ext, 3, 5, 30, NULL));

  449.     }

  450.     when = now() - when;

  451.     printf("pre(3,5,30): %5.1fµs\n", when * 1e6 / i);

  452.     

  453.     when = now();

  454.     for (i=0; i<nbase/10; i++) {

  455.         if (i) destroy_fixed_base(&t_5_3_30);

  456.         ignore_result(precompute_fixed_base(&t_5_3_30, &ext, 5, 3, 30, NULL));

  457.     }

  458.     when = now() - when;

  459.     printf("pre(5,3,30): %5.1fµs\n", when * 1e6 / i);

  460.     

  461.     when = now();

  462.     for (i=0; i<nbase/10; i++) {

  463.         if (i) destroy_fixed_base(&t_15_3_10);

  464.         ignore_result(precompute_fixed_base(&t_15_3_10, &ext, 15, 3, 10, NULL));

  465.     }

  466.     when = now() - when;

  467.     printf("pre(15,3,10):%5.1fµs\n", when * 1e6 / i);

  468.     

  469.     when = now();

  470.     for (i=0; i<nbase/10; i++) {

  471.         if (i) destroy_fixed_base(&t_8_4_14);

  472.         ignore_result(precompute_fixed_base(&t_8_4_14, &ext, 8, 4, 14, NULL));

  473.     }

  474.     when = now() - when;

  475.     printf("pre(8,4,14): %5.1fµs\n", when * 1e6 / i);

  476. 	

  477.     when = now();

  478.     for (i=0; i<nbase; i++) {

  479.         scalarmul_fixed_base(&ext, sk, FIELD_BITS, &t_5_5_18);

  480.     }

  481.     when = now() - when;

  482.     printf("com(5,5,18): %5.1fµs\n", when * 1e6 / i);

  483.     

  484.     when = now();

  485.     for (i=0; i<nbase; i++) {

  486.         scalarmul_fixed_base(&ext, sk, FIELD_BITS, &t_3_5_30);

  487.     }

  488.     when = now() - when;

  489.     printf("com(3,5,30): %5.1fµs\n", when * 1e6 / i);

  490. 

  491.     when = now();

  492.     for (i=0; i<nbase; i++) {

  493.         scalarmul_fixed_base(&ext, sk, FIELD_BITS, &t_8_4_14);

  494.     }

  495.     when = now() - when;

  496.     printf("com(8,4,14): %5.1fµs\n", when * 1e6 / i);

  497. 

  498.     when = now();

  499.     for (i=0; i<nbase; i++) {

  500.         scalarmul_fixed_base(&ext, sk, FIELD_BITS, &t_5_3_30);

  501.     }

  502.     when = now() - when;

  503.     printf("com(5,3,30): %5.1fµs\n", when * 1e6 / i);

  504. 

  505.     when = now();

  506.     for (i=0; i<nbase; i++) {

  507.         scalarmul_fixed_base(&ext, sk, FIELD_BITS, &t_15_3_10);

  508.     }

  509.     when = now() - when;

  510.     printf("com(15,3,10):%5.1fµs\n", when * 1e6 / i);

  511.     

  512.     printf("\nGoldilocks:\n");

  513.     

  514.     int res = goldilocks_init();

  515.     assert(!res);

  516.     

  517.     struct goldilocks_public_key_t gpk,hpk;

  518.     struct goldilocks_private_key_t gsk,hsk;

  519.     

  520.     when = now();

  521.     for (i=0; i<nbase; i++) {

  522.         if (i&1) {

  523.             res = goldilocks_keygen(&gsk,&gpk);

  524.         } else {

  525.             res = goldilocks_keygen(&hsk,&hpk);

  526.         }

  527.         assert(!res);

  528.     }

  529.     when = now() - when;

  530.     printf("keygen:      %5.1fµs\n", when * 1e6 / i);

  531.     

  532.     uint8_t ss1[64],ss2[64];

  533.     int gres1=0,gres2=0;

  534.     when = now();

  535.     for (i=0; i<nbase; i++) {

  536.         if (i&1) {

  537.             gres1 = goldilocks_shared_secret(ss1,&gsk,&hpk);

  538.         } else {

  539.             gres2 = goldilocks_shared_secret(ss2,&hsk,&gpk);

  540.         }

  541.     }

  542.     when = now() - when;

  543.     printf("ecdh:        %5.1fµs\n", when * 1e6 / i);

  544.     if (gres1 || gres2 || memcmp(ss1,ss2,64)) {

  545.         printf("[FAIL] %d %d\n",gres1,gres2);

  546.         

  547.         printf("sk1 = ");

  548.         for (i=0; i<SCALAR_BYTES; i++) {

  549.             printf("%02x", gsk.opaque[i]);

  550.         }

  551.         printf("\nsk2 = ");

  552.         for (i=0; i<SCALAR_BYTES; i++) {

  553.             printf("%02x", hsk.opaque[i]);

  554.         }

  555.         printf("\nss1 = ");

  556.         for (i=0; i<64; i++) {

  557.             printf("%02x", ss1[i]);

  558.         }

  559.         printf("\nss2 = ");

  560.         for (i=0; i<64; i++) {

  561.             printf("%02x", ss2[i]);

  562.         }

  563.         printf("\n");

  564.     }

  565.     

  566.     uint8_t sout[FIELD_BYTES*2];

  567.     const char *message = "hello world";

  568.     size_t message_len = strlen(message);

  569.     when = now();

  570.     for (i=0; i<nbase; i++) {

  571.         res = goldilocks_sign(sout,(const unsigned char *)message,message_len,&gsk);

  572.         (void)res;

  573.         assert(!res);

  574.     }

  575.     when = now() - when;

  576.     printf("sign:        %5.1fµs\n", when * 1e6 / i);

  577.     

  578.     when = now();

  579.     for (i=0; i<nbase; i++) {

  580.         int ver = goldilocks_verify(sout,(const unsigned char *)message,message_len,&gpk);

  581.         (void)ver;

  582.         assert(!ver);

  583.     }

  584.     when = now() - when;

  585.     printf("verify:      %5.1fµs\n", when * 1e6 / i);

  586.     

  587.     struct goldilocks_precomputed_public_key_t *pre = NULL;

  588.     when = now();

  589.     for (i=0; i<nbase; i++) {

  590.         goldilocks_destroy_precomputed_public_key(pre);

  591.         pre = goldilocks_precompute_public_key(&gpk);

  592.     }

  593.     when = now() - when;

  594.     printf("precompute:  %5.1fµs\n", when * 1e6 / i);

  595.     

  596.     when = now();

  597.     for (i=0; i<nbase; i++) {

  598.         int ver = goldilocks_verify_precomputed(sout,(const unsigned char *)message,message_len,pre);

  599.         (void)ver;

  600.         assert(!ver);

  601.     }

  602.     when = now() - when;

  603.     printf("verify pre:  %5.1fµs\n", when * 1e6 / i);

  604.     

  605.     when = now();

  606.     for (i=0; i<nbase; i++) {

  607.         int ret = goldilocks_shared_secret_precomputed(ss1,&gsk,pre);

  608.         (void)ret;

  609.         assert(!ret);

  610.     }

  611.     when = now() - when;

  612.     printf("ecdh pre:    %5.1fµs\n", when * 1e6 / i);

  613.     

  614.     printf("\nTesting...\n");

  615.     

  616.     

  617.     int failures=0, successes = 0;

  618.     for (i=0; i<nbase/10; i++) {

  619.         ignore_result(goldilocks_keygen(&gsk,&gpk));

  620.         goldilocks_sign(sout,(const unsigned char *)message,message_len,&gsk);

  621.         res = goldilocks_verify(sout,(const unsigned char *)message,message_len,&gpk);

  622.         if (res) failures++;

  623.     }

  624.     if (failures) {

  625.         printf("FAIL %d/%d signature checks!\n", failures, i);

  626.     }

  627.     

  628.     failures=0; successes = 0;

  629.     for (i=0; i<nbase/10; i++) {

  630.         field_randomize(&crand, &a);

  631. 		word_t two = 2;

  632.         mask_t good = montgomery_ladder(&b,&a,&two,2,0);

  633. 		if (!good) continue;

  634. 		

  635. 		word_t x,y;

  636.         crandom_generate(&crand, (unsigned char *)&x, sizeof(x));

  637.         crandom_generate(&crand, (unsigned char *)&y, sizeof(y));

  638.         x = (hword_t)x;

  639.         y = (hword_t)y;

  640.         word_t z=x*y;

  641.         

  642.     	ignore_result(montgomery_ladder(&b,&a,&x,WORD_BITS,0));

  643.         ignore_result(montgomery_ladder(&c,&b,&y,WORD_BITS,0));

  644.         ignore_result(montgomery_ladder(&b,&a,&z,WORD_BITS,0));

  645.         

  646.         field_sub(&d,&b,&c);

  647.         field_bias(&d,2);

  648. 		if (!field_is_zero(&d)) {

  649.             printf("Odd ladder validation failure %d!\n", ++failures);

  650.             field_print("a", &a);

  651.             printf("x=%"PRIxWORD", y=%"PRIxWORD", z=%"PRIxWORD"\n", x,y,z);

  652.             field_print("c", &c);

  653.             field_print("b", &b);

  654. 			printf("\n");

  655. 		}

  656. 	}

  657.     

  658.     failures = 0;

  659.     for (i=0; i<nbase/10; i++) {

  660.         mask_t good;

  661.         do {

  662.             field_randomize(&crand, &a);

  663.             good = deserialize_affine(&affine, &a);

  664.         } while (!good);

  665.         

  666.         convert_affine_to_extensible(&exta,&affine);

  667.         twist_and_double(&ext,&exta);

  668.         untwist_and_double(&exta,&ext);

  669.         serialize_extensible(&b, &exta);

  670.         untwist_and_double_and_serialize(&c, &ext);

  671.         

  672.         field_sub(&d,&b,&c);

  673.         field_bias(&d,2);

  674.         

  675.         if (good && !field_is_zero(&d)){

  676.             printf("Iso+serial validation failure %d!\n", ++failures);

  677.             field_print("a", &a);

  678.             field_print("b", &b);

  679.             field_print("c", &c);

  680.             printf("\n");

  681.         } else if (good) {

  682.             successes ++;

  683.         }

  684.     }

  685.     if (successes < i/3) {

  686.         printf("Iso+serial variation: only %d/%d successful.\n", successes, i);

  687.     }

  688.     

  689.     successes = failures = 0;

  690.     for (i=0; i<nbase/10; i++) {

  691.         struct field_t aa;

  692.         struct tw_extensible_t exu,exv,exw;

  693.         

  694.         mask_t good;

  695.         do {

  696.             field_randomize(&crand, &a);

  697.             good = deserialize_affine(&affine, &a);

  698.             convert_affine_to_extensible(&exta,&affine);

  699.             twist_and_double(&ext,&exta);

  700.         } while (!good);

  701.         do {

  702.             field_randomize(&crand, &aa);

  703.             good = deserialize_affine(&affine, &aa);

  704.             convert_affine_to_extensible(&exta,&affine);

  705.             twist_and_double(&exu,&exta);

  706.         } while (!good);

  707.         field_randomize(&crand, &aa);

  708.         

  709.         q448_randomize(&crand, sk);

  710. 		if (i==0 || i==2) memset(&sk, 0, sizeof(sk));

  711.         q448_randomize(&crand, tk);

  712. 		if (i==0 || i==1) memset(&tk, 0, sizeof(tk));

  713.         

  714.         copy_tw_extensible(&exv, &ext);

  715.         copy_tw_extensible(&exw, &exu);

  716.         scalarmul(&exv,sk);

  717.         scalarmul(&exw,tk);

  718.         convert_tw_extensible_to_tw_pniels(&pniels, &exw);

  719.         add_tw_pniels_to_tw_extensible(&exv,&pniels);

  720.         untwist_and_double(&exta,&exv);

  721.         serialize_extensible(&b, &exta);

  722. 

  723.         ignore_result(precompute_fixed_base_wnaf(wnaft,&exu,5));

  724.         linear_combo_var_fixed_vt(&ext,sk,FIELD_BITS,tk,FIELD_BITS,wnaft,5);

  725.         untwist_and_double(&exta,&exv);

  726.         serialize_extensible(&c, &exta);

  727.         

  728.         field_sub(&d,&b,&c);

  729.         field_bias(&d,2);

  730.         

  731.         if (!field_is_zero(&d)){

  732.             printf("PreWNAF combo validation failure %d!\n", ++failures);

  733.             field_print("a", &a);

  734.             field_print("A", &aa);

  735.             q448_print("s", sk);

  736.             q448_print("t", tk);

  737.             field_print("c", &c);

  738.             field_print("b", &b);

  739.             printf("\n\n");

  740.         } else if (good) {

  741.             successes ++;

  742.         }

  743.     }

  744.     if (successes < i) {

  745.         printf("PreWNAF combo variation: only %d/%d successful.\n", successes, i);

  746.     }

  747.     

  748.     return 0;

  749. }